Cambium Networks XI-N300 802.11abgn 2x2 Module User Manual xirrus PDF

Xirrus, Inc. 802.11abgn 2x2 Module xirrus PDF

Manual part 2

Download: Cambium Networks XI-N300 802.11abgn 2x2 Module User Manual xirrus PDF
Mirror Download [FCC.gov]Cambium Networks XI-N300 802.11abgn 2x2 Module User Manual xirrus PDF
Document ID1529607
Application IDUYqzIPmt6C4TVizQHTtKxg==
Document DescriptionManual part 2
Short Term ConfidentialNo
Permanent ConfidentialNo
SupercedeNo
Document TypeUser Manual
Display FormatAdobe Acrobat PDF - pdf
Filesize381.16kB (4764508 bits)
Date Submitted2011-08-25 00:00:00
Date Available2011-09-29 00:00:00
Creation Date2011-08-23 17:28:10
Producing SoftwareAcrobat Distiller 10.1.0 (Windows)
Document Lastmod2011-08-23 17:28:22
Document Titlexirrus_PDF.book
Document CreatorFrameMaker 10.0.1
Document Author: Shelly

Wi-Fi Array
WDS Statistics
The main WDS Statistics window provides statistical data for all WDS client and
host links. To access data about a specific WDS client or host link, simply click on
the desired link in the left frame to access the appropriate window. You may also
choose to view a sum of the statistics for all client links, all host links, or all links
(both client and host links).
Figure 81. WDS Statistics
See Also
SSID Management
WDS
Viewing Status on the Wi-Fi Array
131
Wi-Fi Array
Filter Statistics
The Filter Statistics window provides statistical data for all configured filters. The
name, state (enabled — on or off), and type (allow or deny) of each filter is shown.
For enabled filters, this window shows the number of packets and bytes that met
the filter criteria. Click on a column header to sort the rows based on that column.
Click on a filter name to edit the filter settings.
Figure 82. Filter Statistics
See Also
Filters
Station Statistics
This status-only window provides an overview of statistical data for all stations.
Stations are listed by MAC address, and Receive and Transmit statistics are
summarized for each. For detailed statistics for a specific station, click the desired
MAC address in the Station column and see “Per-Station Statistics” on page 133.
Figure 83. Station Statistics
Note that you can clear the data for an individual station (see Per-Station
Statistics), but you cannot clear the data for all stations using this window.
132
Viewing Status on the Wi-Fi Array
Wi-Fi Array
You can Refresh the data (update the window with the latest information) at any
time by clicking on the appropriate button. You can also click in the Auto Refresh
check box to instruct the Array to refresh this window automatically.
See Also
Per-Station Statistics
Per-Station Statistics
This window provides detailed statistics for the selected station. This window is
accessed from the Station Statistics window — click the MAC address of the
desired entry in the Station column to display its Per-Station Statistics window.
Receive and Transmit statistics are listed by Rate — this is the data rate in Mbps.
For a summary of statistics for all stations, see “Station Statistics” on page 132.
You can Refresh the data (update the window with the latest information) or
Clear the data (reset all content to zero and begin counting again) at any time by
clicking on the appropriate button. You can also click in the Auto Refresh check
box to instruct the Array to refresh this window automatically.
Figure 84. Individual Station Statistics Page
See Also
Station Statistics
Viewing Status on the Wi-Fi Array
133
Wi-Fi Array
System Log Window
This is a status only window that allows you to review the system log, where
system alerts and messages are displayed. Although there are no configuration
options available in this window, you do have the usual choice of deciding how
the event messages are sorted by clicking in the column header for the desired
field (Time Stamp, Priority, or Message).

Time Stamp — sorts the list based on the time the event occurred.

Priority — sorts the list based on the priority assigned to the message.

Message — sorts the list based on the message category
The displayed messages may be filtered by using the Filter Priority option, which
allows control of the minimum priority level displayed. For example, you may
choose (under Services >System Log) to log messages at or above Debug level
but use Filter Priority to display only those at Information level and above.
Figure 85. System Log (Alert Level Highlighted)
Use the Highlight Priority field if you wish to highlight messages at the selected
priority level. Click on the Refresh button to refresh the message list, or click on
the Clear All button at the upper left to delete all messages. You can also click in
the Auto Refresh check box to instruct the Array to refresh this window
automatically.
Note that there is a shortcut way to view system log messages. If you click Log
Messages near the bottom of the left hand frame, WMI displays counts of log
messages at different severity levels. Click a count to display just those messages
in the System Log window. See Figure 38 on page 79 for more information.
134
Viewing Status on the Wi-Fi Array
Wi-Fi Array
IDS Event Log Window
This status only window displays the Intrusion Detection System (IDS) Event log,
listing any detected attacks on your network. For descriptions of the types of
attacks detected, as well as the settings to fine-tune IDS on the Array, please see
“Intrusion Detection” on page 270.
The displayed messages may be filtered by using the Filter Event setting, which
allows you to select just one type of intrusion to display. For example, you may
choose to display only beacon flood attacks.
Figure 86. IDS Event Log
Use the Highlight Event field if you wish to highlight all events of one particular
type in the list. Click on the Refresh button to refresh the message list, or click the
Auto Refresh check box to instruct the Array to refresh this window
automatically.
Although there are no configuration options available in this window, you do
have the usual choice of deciding how the event messages are sorted by clicking
in the column header for the desired field.

Time Stamp — the time that the event occurred.

IAP — the affected radio.

Channel — the affected channel.

Event — the type of attack, as described in Intrusion Detection.

SSID — the SSID that was attacked.

MAC Address — the MAC address of the attacker.

Period — the length of the window used to determine whether the count
of this type of event exceeded the threshold.
Viewing Status on the Wi-Fi Array
135
Wi-Fi Array
136

Current — the count of this type of event for the current period.

Average — the average count per period of this type of event.

Maximum — the maximum count per period of this type of event.
Viewing Status on the Wi-Fi Array
Wi-Fi Array
Configuring the Wi-Fi Array
The following topics include procedures for configuring the Array using the
product’s embedded Web Management Interface (WMI). Procedures have been
organized into functional areas that reflect the flow and content of the WMI.
The following WMI windows allow you to establish configuration parameters for
your Array, and include:

“Express Setup” on page 139

“Network” on page 146

“Services” on page 156

“VLANs” on page 171

“Security” on page 175

“SSIDs” on page 208

“Groups” on page 228

“IAPs” on page 234

“WDS” on page 278

“Filters” on page 283

“Clusters” on page 289
After making changes to the configuration settings of an Array you must click on
the Save changes to flash button at the top of the configuration window,
otherwise the changes you make will not be applied the next time the Array is
rebooted.

Some settings are only available if the Array’s license includes appropriate
Xirrus Advanced Feature Sets. If a setting is unavailable (grayed out),
then your license does not support the feature. See “About Licensing and
Upgrades” on page 297.
Note that the Configuration menu section may be collapsed down to hide the
headings under it by clicking it. Click again to display the headings. (See
Figure 39 on page 80.)
Configuring the Wi-Fi Array
137
Wi-Fi Array
This chapter only discusses using the configuration windows on the Array. To
view status or use system tools on the Array, please see:
138

“Viewing Status on the Wi-Fi Array” on page 85

“Using Tools on the Wi-Fi Array” on page 295
Configuring the Wi-Fi Array
Wi-Fi Array
Express Setup
Use the Express Setup page to establish global configuration settings that enable
basic Array functionality. Any changes you make in this window will affect all
radios. When finished, click Save changes to flash if you wish to make your
changes permanent.
Figure 87. WMI: Express Setup
Configuring the Wi-Fi Array
139
Wi-Fi Array
Procedure for Performing an Express Setup
1.
Host Name: Specify a unique host name for this Array. The host name is
used to identify the Array on the network. Use a name that will be
meaningful within your network environment, up to 64 alphanumeric
characters. The default is Xirrus-WiFi-Array.
2.
Location Information: Enter a brief but meaningful description that
accurately defines the physical location of the Array. In an environment
where multiple units are installed, clear definitions for their locations are
important if you want to identify a specific unit.
3.
Admin Contact: Enter the name and contact information of the person
who is responsible for administering the Array at the designated location.
4.
Admin Email: Enter the email address of the admin contact you entered
in Step 3.
5.
Admin Phone: Enter the telephone number of the admin contact you
entered in Step 3.
6.
Configure SNMP: Select whether to Enable SNMPv2 on the Array, and
set the SNMPv2 community strings. The factory default value for the
Read-Only Community String is xirrus_read_only. The factory default
value for the Read-Write Community String is xirrus. If you are using
the Xirrus Management System (XMS), the read-write string must match
the string used by XMS. XMS also uses the default value xirrus.
7.
Configure the Gigabit Ethernet 1 and Gigabit Ethernet 2 network
interface settings. Please see “Network Interfaces” on page 147 for more
information.
The fields for each of these interfaces are similar, and include:
a.
Enable Interface: Choose Yes to enable this network interface, or
choose No to disable the interface.
b. Allow Management on Interface: Choose Yes to allow management
of the Array via this Gigabit interface, or choose No to deny all
management privileges for this interface.
140
Configuring the Wi-Fi Array
Wi-Fi Array
c.
8.
Configuration Server Protocol: Choose DHCP to instruct the Array
to use DHCP to assign IP addresses to the Array’s Ethernet interfaces,
or choose Static if you intend to enter IP addresses manually. If you
choose the Static IP option, you must enter the following information:
•
IP Address: Enter a valid IP address for this Array. To use a
remote connection (Web, SNMP, or SSH), a valid IP address must
be used.
•
IP Subnet Mask: Enter a valid IP address for the subnet mask
(the default is 255.255.255.0). The subnet mask defines the
number of IP addresses that are available on the routed subnet
where the Array is located.
•
Default Gateway: Enter a valid IP address for the default
gateway. This is the IP address of the router that the Array uses
to forward data to other networks.
SSID Settings: This section specifies the wireless network name and
security settings.
a.
The SSID (Wireless Network Name) is a unique name that identifies
a wireless network (SSID stands for Service Set Identifier). All devices
attempting to connect to a specific WLAN must use the same SSID.
The default SSID is xirrus. Entering a value in this field will replace
the default SSID with the new name.
For additional information about SSIDs, go to the Multiple SSIDs
section of “Frequently Asked Questions” on page 404.
b. Wireless Security: Select the desired wireless security scheme (Open,
WEP or WPA). Make your selection from the choices available in the
pull-down list.
•
Open — This option offers no data encryption and is not
recommended, though you might choose this option if clients are
required to use a VPN connection through a secure SSH utility,
like PuTTy.
•
WEP (Wired Equivalent Privacy) — An optional IEEE 802.11
function that offers frame transmission privacy similar to a wired
Configuring the Wi-Fi Array
141
Wi-Fi Array
network. WEP generates secret shared encryption keys that both
source and destination stations can use to alter frame bits to
avoid disclosure to eavesdroppers.
•
WPA (Wi-Fi Protected Access) — A Wi-Fi Alliance standard that
contains a subset of the IEEE 802.11i standard, using TKIP or AES
as an encryption method and 802.1x for authentication. WPA is
the stronger of the two wireless security schemes.
•
WPA2 (Wi-Fi Protected Access 2) — WPA2 is the follow-on
security method to WPA for wireless networks and provides
stronger data protection and network access control. It offers
Enterprise and consumer Wi-Fi users with a high level of
assurance that only authorized users can access their wireless
networks. Like WPA, WPA2 is designed to secure all versions of
802.11 devices, including 802.11a, 802.11b, 802.11g, and 802.11n,
multi-band and multi-mode.
•
WPA-Both (WPA and WPA2) — This option makes use of both
WPA and WPA2.
For more information about security, including a full review of all
security options and settings, go to “Understanding Security” on
page 176.
c.
WEP Encryption Key/Passphrase: Depending on the wireless
security scheme you selected, enter a unique WEP key or WPA
passphrase. This field and the one below only appear if you select a
Wireless Security option other than Open.
d. Confirm Encryption Key/Passphrase: If you entered a WEP key or
WPA passphrase, confirm it here.
e.
142
Click Apply SSID Settings when done.
Configuring the Wi-Fi Array
Wi-Fi Array
9.
Admin Settings: This section allows you to change the default admin
username, password, and privileges for the Array. You may change the
password and leave the user name as is, but we suggest that you change
both to improve Array security.
a.
New Admin User (Replaces user “admin”): Enter the name of a new
administrator user account. Be sure to record the new account name
and password, because the default admin user will be deleted! Note
that the Array also offers the option of authenticating administrators
using a RADIUS server (see “Admin Management” on page 181)).
b. New Admin Privilege Level: By default, the new administrator will
have read/write privileges on the Array (i.e., the new user will be
able to change the configuration of the Array). If you wish the new
account to have different privileges, select the desired level from the
drop-down list. For more information about user privileges, please
see “Admin Privileges” on page 183. Take care to make sure to leave
yourself enough read/write privileges on at least one account to be
able to administer the Array.
c.
New Admin Password: Enter a new administration password for
managing this Array. If you forget this password, you must reset the
Array to its factory defaults so that the password is reset to admin (its
default setting).
d. Confirm Admin Password: If you entered a new administration
password, confirm the new password here.
e.
Click Apply Admin Settings when done.
10. Time and Date Settings: This section specifies an optional time (NTP Network Time Protocol) server or modifies the system time if you’re not
using a server.
a.
Current Array Date and Time: This read-only field shows the current
time for your convenience.
b. Time Zone: Select your time zone from the choices available in the
pull-down list.
Configuring the Wi-Fi Array
143
Wi-Fi Array
c.
Auto Adjust Daylight Savings: If you are not using NTP, check this
box if you want the system to adjust for daylight savings
automatically, otherwise leave this box unchecked (default).
d. Use Network Time Protocol: Check this box if you want to use an
NTP server to synchronize the Array’s clock. Use of NTP is
mandatory for Arrays to be managed with XMS (the Xirrus
Management System), and ensures that Syslog time-stamping is
maintained across all units. Without using an NTP server (no
universal clock), each Array will use its own internal clock and stamp
times accordingly, which may result in discrepancies. If you select
Yes, the NTP server fields are displayed. If you don’t want to use an
NTP server, select No (default) and set the system time on the Array
manually.
e.
NTP Primary Server: If you are using NTP, enter the IP address or
domain name of the NTP server.
f.
NTP Primary Authentication: (optional) If you are using
authentication with NTP, select the type of key: MD5 or SHA1. Select
None if you are not using authentication (this is the default). For
more information on authenticated NTP, see “Time Settings (NTP)”
on page 157.
g.
NTP Primary Authentication Key ID: Enter the key ID, which is a
decimal integer.
h. NTP Primary Authentication Key: Enter your key, which is a string
of characters.
144
i.
NTP Secondary Server: Enter the IP address or domain name of an
optional secondary NTP server to be used in case the Array is unable
to contact the primary server. You may use the authentication fields
as described above if you wish to set up authentication for the
secondary server.
j.
Adjust Time (hrs:min:sec): If you are not using NTP, check this box if
you want to adjust the current system time. When the box is checked,
the time fields become active. Enter the revised time (hours, minutes,
Configuring the Wi-Fi Array
Wi-Fi Array
seconds, am/pm) in the corresponding fields. If you don’t want to
adjust the current time, this box should be left unchecked (default).
k. Adjust Date (month/day/year): If you are not using NTP, check this
box if you want to adjust the current system date. When the box is
checked, the date fields become active. Enter the revised date (month,
day and year) in the corresponding fields. If you don’t want to adjust
the current date, this box should be left unchecked (default).
11. IAP Settings:
Enable/Configure All IAPs: Click on the Execute button to enable and
auto configure all IAPs (a message displays the countdown time — in
seconds — to complete the auto-configuration task). When an IAP is
enabled, its LED is switched on.
12. Click Save changes to flash to make your changes permanent, i.e., these
settings will still be in effect after a reboot.
Configuring the Wi-Fi Array
145
Wi-Fi Array
Network
This is a status-only window that provides a snapshot of the configuration
settings currently established for the Gigabit 1 and Gigabit 2 interfaces. DNS
Settings and CDP Settings (Cisco Discovery Protocol) are summarized as well.
You must go to the appropriate configuration window to make changes to any of
the settings displayed here (configuration changes cannot be made from this
window). You can click on any item in the Interface column to “jump” to the
associated configuration window.
Figure 88. Network Interfaces
WMI windows that allow you to change or view configuration settings associated
with the network interfaces include:

“Network Interfaces” on page 147

“DNS Settings” on page 153

“CDP Settings” on page 154
See Also
DNS Settings
Network Interfaces
Network Status Windows
Spanning Tree Status
Network Statistics
146
Configuring the Wi-Fi Array
Wi-Fi Array
Network Interfaces
This window allows you to establish configuration settings for the Gigabit 1 and
Gigabit 2 interfaces.
Figure 89. Network Settings
When finished making changes, click Save changes to flash if you wish to make
your changes permanent. When the status of a port changes, a Syslog entry is
created describing the change.
Procedure for Configuring the Network Interfaces
Configure the Gigabit network interfaces. The fields for each of these interfaces
are the same, and include:
Configuring the Wi-Fi Array
147
Wi-Fi Array
1.
Enable Interface: Choose Yes to enable this network interface, or choose
No to disable the interface.
2.
LED Indicator: Choose Enabled to allow the LED for this interface to
blink with traffic on the port, or choose Disabled to turn the LED off.
The LED will still light during the boot sequence, then turn off. This
option is only available for the Gigabit interfaces.
3.
Allow Management on Interface: Choose Yes to allow management of
this Array via the selected network interface, or choose No to deny all
management privileges for this interface.
4.
Auto Negotiate: This feature allows the Array to negotiate the best
transmission rates automatically. Choose Yes to enable this feature, or
choose No to disable this feature — the default is enabled. If you disable
the Auto Negotiate feature, you must define the Duplex and Speed
options manually (otherwise these options are not available).
a.
Duplex: Full-duplex mode transmits data in two directions
simultaneously (for example, a telephone is a full-duplex device
because both parties can talk and be heard at the same time). Halfduplex allows data transmission in one direction at a time only (for
example, a walkie-talkie is a half-duplex device). If the AutoNegotiate feature is disabled, you can manually choose Half or Full
duplex for your data transmission preference.!
b. Speed: If the Auto-Negotiate feature is disabled, you must manually
choose the desired data transmission speed from the pull-down list. If
configuring the Fast Ethernet interface the options are 10 Megabit or
100 Megabit. If configuring the Gigabit 1 or Gigabit 2 interfaces the
options are 100 Megabit or Gigabit.
5.
Port mode: Select the desired behavior for the gigabit Ethernet ports from
the following options. For a more detailed discussion of the use of the
Gigabit ports and the options below, please see the Xirrus Gigabit Ethernet
Port Modes Application Note in the Xirrus Library.
a.
148
Active Backup (gig1/gig2 failover to each other) — This mode
provides fault tolerance and is the default mode. Gigabit 1 acts as the
Configuring the Wi-Fi Array
Wi-Fi Array
primary link. Gigabit2 is the backup link and is passive. Gigabit2
assumes the IP properties of Gigabit1. If Gigabit 1 fails the Array
automatically fails over to Gigabit2. When a failover occurs in this
mode, Gigabit2 issues gratuitous ARPs to allow it to substitute for
Gigabit1 at Layer 3 as well as Layer 2. See Figure 90 (a).
b. Aggregate Traffic from gig1 & gig2 using 802.3ad — The Array sends
network traffic across both gigabit ports to increase link speed to the
network. Both ports act as a single logical interface (trunk), using a
load balancing algorithm to balance traffic across the ports. For nonIP traffic (such as ARP), the last byte of the destination MAC address
is used to do the calculation. If the packet is a fragment or not TCP or
UDP, the source and destination IP addresses are used to do the
calculation. If the packet is TCP or UDP over IP then the source IP
address, destination IP address, source port number and destination
port number are all used to do the calculation. The network switch
must also support 802.3ad. If a port fails, the trunk degrades
gracefully — the other port still transmits. See Figure 90 (b).
(a) Active backup
Gig1
Primary Link
Gig2
Secondary Link :
carries all traffic
if primary fails
Switch
(b) Aggregate using 802.3ad
Gig1
Gig2
Links split traffic based on
destination address , using
802.3ad link aggregation
Destinations
Switch
Figure 90. Port Modes (a-b)
Configuring the Wi-Fi Array
149
Wi-Fi Array
c.
Bridge traffic between gig1 & gig2 — Traffic received on Gigabit1 is
transmitted by Gigabit2; similarly, traffic received on Gigabit2 is
transmitted by Gigabit1. This allows the Array to act as a wired
bridge and allows Arrays to be daisy-chained and still maintain
wired connectivity. See Figure 91 (c).
d. Transmit Traffic on both gig1 & gig2 — Transmits incoming traffic on
both Gigabit1 and Gigabit2. Any traffic received on Gigabit1 or
Gigabit2 is sent to the onboard processor. This mode provides fault
tolerance. See Figure 91 (d).
(c) Bridge traffic
Gig1
Gig2
Gig1
(d) Transmit on both ports
Gig2
Gig1 and Gig2 are bridged.
Traffic received on either link
is repeated to the other
Gig1
Gig2
Received wireless traffic is
sent to both links
Traffic from either link is
processed for transmission
Switch
Switch
Figure 91. Port Modes (c-d)
e.
150
Load balance traffic between gig1 & gig2 — This option provides
trunking, similar to option (b) — Aggregate Traffic from gig1 & gig2
using 802.3ad, but it uses a different load balancing algorithm to
determine the outgoing gigabit port. The outgoing port used is based
on an exclusive OR of the source and destination MAC address. Like
option (b), this mode also provides load balancing and fault
tolerance. See Figure 92 (e).
Configuring the Wi-Fi Array
Wi-Fi Array
(e) Load balance traffic
Gig1
Gig2
Destinations
Array load balances outgoing
traffic based on source and
destination address
Switch
(f) Mirror traffic
Gig1
Gig2
Received wireless traffic is
sent to both links
Network
Analyzer
Switch
Gig1
Gig2
Traffic from Gig 1 is processed
for wireless transmission and
copied to Gig 2
Switch
Network
Analyzer
Gig1
Gig2
Traffic from Gig 2 is processed
for wireless transmission and
copied to Gig 1
Network
Analyzer
Switch
Figure 92. Port Modes (e-f)
f.
Mirror traffic on both gig1 & gig2 — all traffic received on the Array
is transmitted out both Gigabit1 and Gigabit2. All traffic received on
Gigabit1 is passed on to the onboard processor as well as out
Gigabit2. All traffic received on Gigabit2 is passed on to the onboard
Configuring the Wi-Fi Array
151
Wi-Fi Array
processor as well as out Gigabit1. This allows a network analyzer to
be plugged into one port to capture traffic for troubleshooting, while
the other port provides network connectivity for data traffic. See
Figure 92 (f).
6.
Configuration Server Protocol: Choose DHCP to instruct the Array to
use DHCP when assigning IP addresses to the Array, or choose Static IP
if you intend to enter IP addresses manually. If you select the Static IP
option you must specify the IP address, IP subnet mask and default
gateway.
a.
IP Address: If you selected the Static IP option, enter a valid IP
address for the Array. To use any of the remote connections (Web,
SNMP, or SSH), a valid IP address must be established.
b. IP Subnet Mask: If you selected the Static IP option, enter a valid IP
address for the subnet mask (the default for Class C is 255.255.255.0).
The subnet mask defines the number of IP addresses that are
available on the routed subnet where the Array is located.
c.
7.
Default Gateway: If you selected the Static IP option, enter a valid IP
address for the default gateway. This is the IP address of the router
that the Array uses to transmit data to other networks.
When done configuring all interfaces as desired, click Save changes to
flash if you wish to make your changes permanent.
See Also
DNS Settings
Network
Network Statistics
Spanning Tree Status
152
Configuring the Wi-Fi Array
Wi-Fi Array
DNS Settings
This window allows you to establish your DNS (Domain Name System) settings.
The Array uses these DNS servers to resolve host names into IP addresses. The
Array also registers its own Host Name with these DNS servers, so that others
may address the Array using its name rather than its IP address. An option allows
you to specify that the Array’s DNS servers will be assigned via a DHCP server
on the wired network.
Note that the DNS servers defined here are not used by wireless clients — servers
for stations associated to the Array are defined along with DHCP pools. See
“DHCP Server” on page 168. At least one DNS server must be set up if you want
to offer clients associating with the Array the ability to use meaningful host
names instead of numerical IP addresses. When finished, click Save changes to
flash if you wish to make your changes permanent.
Figure 93. DNS Settings
Procedure for Configuring DNS Servers
1.
DNS Host Name: Enter a valid DNS host name.
2.
DNS Domain: Enter the DNS domain name.
3.
DNS Server 1: Enter the IP address of the primary DNS server.
4.
DNS Server 2 and DNS Server 3: Enter the IP address of the secondary
and tertiary DNS servers (if required).
Configuring the Wi-Fi Array
153
Wi-Fi Array
5.
Use DNS settings assigned by DHCP: If you are using DHCP to assign
the Array’s IP address, you may turn this option On. The Array will then
obtain its DNS domain and server settings from the network DHCP
server that assigns an IP address to the Array, rather than using the DNS
Server fields above. You may also configure that DHCP server to assign a
host name to the Array.
6.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
DHCP Server
Network
Network Interfaces
Network Statistics
Spanning Tree Status
CDP Settings
CDP (Cisco Discovery Protocol) is a layer 2 network protocol used to share
information (such as the device manufacturer and model, network capabilities,
and IP address) with other directly connected network devices. Wi-Fi Arrays can
both advertise their presence by sending CDP announcements, and gather and
display information sent by neighbors (see “CDP Neighbors” on page 100).
This window allows you to establish your CDP settings. When finished, Save
changes to flash if you wish to make your changes permanent.
Figure 94. CDP Settings
154
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Configuring CDP Settings
1.
Enable CDP: When CDP is enabled, the Array sends out CDP
announcements of the Array’s presence, and gathers CDP data sent by
neighbors. When disabled, it does neither. CDP is enabled by default.
2.
CDP Interval: The Array sends out CDP announcements advertising its
presence at this interval. The default is 60 seconds.
3.
CDP Hold Time: CDP information received from neighbors is retained
for this period of time before aging out of the Array’s neighbor list. Thus,
if a neighbor stops sending announcements, it will no longer appear on
the CDP Neighbors window after CDP Hold Time seconds from its last
announcement. The default is 180 seconds.
See Also
CDP Neighbors
Network
Network Interfaces
Network Statistics
Configuring the Wi-Fi Array
155
Wi-Fi Array
Services
This is a status-only window that allows you to review the current settings and
status for services on the Array, including DHCP, SNMP, Syslog, and Network
Time Protocol (NTP) services. For example, for the DHCP server, it shows each
DHCP pool name, whether the pool is enabled, the IP address range, the gateway
address, lease times, and the DNS domain being used. There are no configuration
options available in this window, but if you are experiencing issues with network
services, you may want to print this window for your records.
Figure 95. Services
The following sections discuss configuring services on the Array:
156

“Time Settings (NTP)” on page 157

“NetFlow” on page 159

“Wi-Fi Tag” on page 161

“System Log” on page 162

“SNMP” on page 165

“DHCP Server” on page 168
Configuring the Wi-Fi Array
Wi-Fi Array
Time Settings (NTP)
This window allows you to manage the Array’s time settings, including
synchronizing the Array’s clock with a universal clock from an NTP (Network
Time Protocol) server. We recommend that you use NTP for proper operation of
SNMP in XMS (the Xirrus Management System), since a lack of synchronization
will cause errors to be detected. Synchronizing the Array’s clock with an NTP
server also ensures that Syslog time-stamping is maintained across all units.
It is possible to use authentication with NTP to ensure that you are receiving
synchronization from a known source. For example, the instructions for
requesting a key for the NIST Authenticated NTP server are available at 
http://www.nist.gov/pml/div688/grp00/upload/ntp_instructions.pdf.
The Array allows you to enter optional authentication information.
Figure 96. Time Settings (Manual Time)
Procedure for Managing the Time Settings
1.
Current Array Date and Time: Shows the current time for your
convenience.
2.
Time Zone: Select the time zone you want to use (normally your local
time zone) from the pull-down list.
3.
Auto Adjust Daylight Savings: Check this box if you want the system to
adjust for daylight savings automatically, otherwise leave this box
unchecked (default).
Configuring the Wi-Fi Array
157
Wi-Fi Array
4.
Use Network Time Protocol: select whether to set time manually or use
NTP to manage system time.
5.
Setting Time Manually
a.
Adjust Time (hrs:min:sec): If you are not using NTP, check this box if
you want to adjust the current system time. When the box is checked,
you may enter a revised time (hours, minutes, seconds, am/pm) in
the corresponding fields. If you don’t want to adjust the current time,
this box should be left unchecked (default).
b. Adjust Date (month/day/year): If you are not using NTP, check this
box if you want to adjust the current system date. When the box is
checked, you may enter a revised date (month, day and year) in the
corresponding fields. If you don’t want to adjust the current date, this
box should be left unchecked (default).
6.
Using an NTP Server
a.
NTP Primary Server: If you are using NTP, enter the IP address or
domain name of the NTP server.
Figure 97. Time Settings (NTP Time Enabled)
b. NTP Primary Authentication: (optional) If you are using
authentication with NTP, select the type of key: MD5 or SHA1. Select
None if you are not using authentication (this is the default).
158
Configuring the Wi-Fi Array
Wi-Fi Array
c.
NTP Primary Authentication Key ID: Enter the key ID, which is a
decimal integer.
d. NTP Primary Authentication Key: Enter your key, which is a string
of characters.
e.
NTP Secondary Server: Enter the IP address or domain name of an
optional secondary NTP server to be used in case the Array is unable
to contact the primary server. You may use the authentication fields
as described above if you wish to set up authentication for the
secondary server.
See Also
Express Setup
Services
SNMP
System Log
NetFlow
This window allows you to enable or disable the sending of NetFlow information
to a designated collector. NetFlow is a proprietary but open network protocol
developed by Cisco Systems for collecting IP traffic information. When NetFlow
is enabled, the Array will send IP flow information (traffic statistics) to the
designated collector.
NetFlow sends per-flow network traffic information from the Array. Network
managers can use a NetFlow collector to view the statistics on a per-flow basis
and use this information to make key decisions. Knowing how many packets and
bytes are sent to and from certain IP addresses or across specific network
interfaces allows administrators to track usage by various areas. Traffic flow
information may be used to engineer networks for better performance.
Configuring the Wi-Fi Array
159
Wi-Fi Array
Figure 98. NetFlow

Some features, such as Netflow, are only available if the Array’s license
includes the Xirrus Advanced RF Analysis Manager (RAM). If a setting
is unavailable (grayed out), then your license does not support the feature.
See “About Licensing and Upgrades” on page 297.
Procedure for Configuring NetFlow
160
1.
Enable NetFlow: Choose Yes to enable NetFlow functionality, or choose
No to disable this feature.
2.
NetFlow Collector Host (Domain or IP): If you enabled NetFlow, enter
the domain name or IP address of the collector.
3.
NetFlow Collector Port: If you enabled NetFlow, enter the port on the
collector host to which to send data.
Configuring the Wi-Fi Array
Wi-Fi Array
Wi-Fi Tag
This window allows you to enable or disable Wi-Fi tag capabilities. When
enabled, the Array listens for and collects information about Wi-Fi RFID tags sent
on the designated channel. These tags are transmitted by specialized tag devices
(for example, AeroScout Tags). A Wi-Fi tagging server (such as AeroScout) then
queries the Array for a report on the tags that it has received. The Wi-Fi tagging
server uses proprietary algorithms to determine locations for devices sending tag
signals.
Figure 99. Wi-Fi Tag
Procedure for Configuring Wi-Fi Tag
1.
Enable Wi-Fi Tag: Choose Yes to enable Wi-Fi tag functionality, or choose
No to disable this feature.
2.
Wi-Fi Tag UDP Port: If you enabled Wi-Fi tagging, enter the port on the
Array which the Wi-Fi tagging server will use to query the Array for
tagging data. When queried, the Array will send back information on the
tags it has observed. For each, the Array sends information such as the
MAC address of the tag transmitting device, and the RSSI and noise floor
observed.
3.
Wi-Fi Tag Channel: If you enabled Wi-Fi tagging, enter the 802.11
channel on which the Array will listen for tags. The tag devices must be
set up to transmit on this channel. Only one channel may be configured,
and it must be an 802.11b/g channel in the range of Channel 1 to 11.
Configuring the Wi-Fi Array
161
Wi-Fi Array
System Log
This window allows you to enable or disable the Syslog server, define primary,
secondary, and tertiary servers, set up email notification, and set the level for
Syslog reporting for each of the servers and for email notification — the Syslog
service will send Syslog messages that are at the selected severity or above to the
defined Syslog servers and email address.
Figure 100. System Log
Procedure for Configuring Syslog
162
1.
Enable Syslog Server: Choose Yes to enable Syslog functionality, or
choose No to disable this feature.
2.
Console Logging: If you enabled Syslog, select whether or not to echo
Syslog messages to the console as they occur. If you enable console
logging, be sure to set the Console Logging level (see Step 7 below).
3.
Local File Size (1-500): Enter a value in this field to define how many
Syslog records are retained locally on the Array’s internal Syslog file. The
default is 500.
Configuring the Wi-Fi Array
Wi-Fi Array
4.
Primary Server Address (Domain or IP): If you enabled Syslog, enter the
domain name or IP address of the primary Syslog server.
5.
Secondary/Tertiary Server Address (Domain or IP): If you enabled
Syslog, you may enter the domain name or IP address of one or two
additional Syslog servers to which messages will also be sent. (Optional)
6.
Email Notification: The following parameters allow you to send an email
to a designated address each time a Syslog message is generated. The
email will include the text of the Syslog message.
a.
Email SMTP Address (Domain or IP): The domain name or the IP
address of the SMTP server to be used for sending the email. Note
that this specifies the mail server, not the email recipient.
b. Email SMTP User/Email SMTP Password: Specify a user name and
password for logging in to an account on the mail server designated
in Step a.
c.
Email SMTP From: Specify the “From” email address to be displayed
in the email.
d. Email SMTP To: Specify the entire email address of the recipient of
the email notification.
7.
Syslog Levels: For each of the Syslog destinations, choose your preferred
level of Syslog reporting from the pull-down list. Messages with
criticality at the selected level and above will be shown. The default level
varies depending on the destination.
a.
Console Logging: For messages to be echoed to the console, the
default level is Critical and more serious. This prevents large
numbers of non-critical messages from being displayed on the
console. If you set this level too low, the volume of messages may
make it very difficult to work with the CLI or view other output on
the console.
b. Local File: For records to be stored on the Array’s internal Syslog file,
choose your preferred level of Syslog reporting from the pull-down
list. The default level is Debugging and more serious.
Configuring the Wi-Fi Array
163
Wi-Fi Array
c.
Primary Server: Choose the preferred level of Syslog reporting for the
primary server. The default level is Debugging and more serious.
d. Secondary/Tertiary Server: Choose the preferred level of reporting
for the secondary/tertiary server. The default level is Information
and more serious. (Optional)
e.
8.
Email SMTP Server: Choose the preferred level of Syslog reporting
for the email notifications. The default level is Warning and more
serious. This prevents your mailbox from being filled up with a large
number of less severe messages such as informational messages.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
System Log Window
Services
SNMP
Time Settings (NTP)
164
Configuring the Wi-Fi Array
Wi-Fi Array
SNMP
This window allows you to enable or disable SNMP v2 and SNMP v3 and define
the SNMP parameters. SNMP allows remote management of the Array by the
Xirrus Management System (XMS) and other SNMP management tools. SNMP v3
was designed to offer much stronger security. You may enable either SNMP
version, neither, or both.
Complete SNMP details for the Array, including trap descriptions, are found in
the Xirrus MIB, available at support.xirrus.com, in the Downloads section (login
is required to download the MIB).
NOTE: If you are managing your Arrays with XMS (the Xirrus Management System),
it is very important to make sure that your SNMP settings match those that you have
configured for XMS. XMS uses both SNMP v2 and v3, with v3 given preference.
Figure 101. SNMP
Configuring the Wi-Fi Array
165
Wi-Fi Array
Procedure for Configuring SNMP
SNMPv2 Settings
1.
Enable SNMPv2: Choose Yes to enable SNMP v2 functionality, or choose
No to disable this feature. When used in conjunction with the Xirrus
Management System, SNMP v2 (not SNMP v3) must be enabled on each
Array to be managed with XMS. The default for this feature is Yes
(enabled).
2.
SNMP Read-Write Community String: Enter the read-write community
string. The default is xirrus.
3.
SNMP Read-Only Community String: Enter the read-only community
string. The default is xirrus_read_only.
SNMPv3 Settings
166
4.
Enable SNMPv3: Choose Yes to enable SNMP v3 functionality, or choose
No to disable this feature. The default for this feature is Yes (enabled).
5.
Authentication: Select the desired method for authenticating SNMPv3
packets: SHA (Secure Hash Algorithm) or MD5 (Message Digest
Algorithm 5).
6.
Privacy: Select the desired method for encrypting data: DES (Data
Encryption Standard) or the stronger AES (Advanced Encryption
Standard).
7.
Context Engine ID: The unique identifier for this SNMP server. We
recommend that you do not change this value. The Context Engine ID
must be set if data collection is to be done via a proxy agent. This ID helps
the proxy agent to identify the target agent from which data is to be
collected.
8.
SNMP Read-Write Username: Enter the read-write user name. This
username and password allow configuration changes to be made on the
Array. The default is xirrus-rw.
9.
SNMP Read-Write Authentication Password: Enter the read-write
password for authentication (i.e., logging in). The default is xirrus-rw.
Configuring the Wi-Fi Array
Wi-Fi Array
10. SNMP Read-Write Privacy Password: Enter the read-write password for
privacy (i.e., a key for encryption). The default is xirrus-rw.
11. SNMP Read-Only Username: Enter the read-only user name. This
username and password do not allow configuration changes to be made
on the Array. The default is xirrus-ro.
12. SNMP Read-Only Authentication Password: Enter the read-only
password for authentication (i.e., logging in). The default is xirrus-ro.
13. SNMP Read-Only Privacy Password: Enter the read-only password for
privacy (i.e., a key for encryption). The default is xirrus-ro.
SNMP Trap Settings
14. SNMP Trap Host IP Address: Enter the IP Address or domain name, as
well as the Port number, of an SNMP management station that is to
receive SNMP traps. You may specify up to four hosts that are to receive
traps. Note that by default, Trap Host 1 sends traps to Xirrus-XMS. Thus,
the Array will automatically communicate its presence to XMS (as long as
the network is configured correctly to allow this host name to be
resolved — note that DNS is not normally case-sensitive).
For a definition of the traps sent by Xirrus Wi-Fi Arrays, you may
download the Xirrus MIB from support.xirrus.com (login required).
Search for the string TRAP in the MIB file.
15. Send Auth Failure Traps: Choose Yes to log authentication failure traps
or No to disable this feature.
16. Keepalive Trap Interval (minutes): Traps are sent out at this interval to
indicate the presence of the Array on the network. Keepalive traps are
required for proper operation with XMS. To disable keepalive traps, set
the value to 0.
17. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Services
Configuring the Wi-Fi Array
167
Wi-Fi Array
System Log
Time Settings (NTP)
DHCP Server
This window allows you to create, enable, modify and delete DHCP (Dynamic
Host Configuration Protocol) address pools. DHCP allows the Array to provide
wireless clients with IP addresses and other networking information. The DHCP
server will not provide DHCP services to the wired side of the network. If you do
not use the DHCP server on the Array, then your wired network must be
configured to supply DHCP addresses and gateway and DNS server addresses to
wireless clients.
When you create a DHCP pool, you must define the DHCP lease time (default
and maximum), the IP address ranges (pools) that the DHCP server can assign,
and the gateway address and DNS servers to be used by clients.
Figure 102. DHCP Management
DHCP usage is determined in several windows — see SSID Management, Group
Management, and VLAN Management.
168
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Configuring the DHCP Server
1.
New Internal DHCP Pool: Enter a name for the new DHCP pool, then
click on the Create button. The new pool ID is added to the list of
available DHCP pools.
2.
On: Click this checkbox to make this pool of addresses available, or clear
it to disable the pool.
3.
Lease Time — Default: This field defines the default DHCP lease time (in
seconds). The factory default is 300 seconds, but you can change the
default at any time.
4.
Lease Time — Max: Enter a value (in seconds) to define the maximum
allowable DHCP lease time. The default is 300 seconds.
5.
Network Address Translation (NAT): Check this box to enable the
Network Address Translation feature.
6.
Lease IP Range — Start: Enter an IP address to define the start of the IP
range that will be used by the DHCP server. The default is 192.168.1.100.
7.
Lease IP Range — End: Enter an IP address to define the end of the IP
range that will be used by the DHCP server. The DHCP server will only
use IP addresses that fall between the start and end range that you define
on this page. The default is 192.168.1.200.
8.
Subnet Mask: Enter the subnet mask for this IP range for the DHCP
server. The default is 255.255.255.0.
9.
Gateway: If necessary, enter the IP address of the gateway.
10. Domain: Enter the DNS domain name. See “DNS Settings” on page 153.
11. DNS Servers (1 to 3): Enter the IP address of the primary DNS server,
secondary DNS server and tertiary DNS server. These DNS server
addresses will be passed to stations when they associate, along with the
assigned IP address. Note that if you leave these blank, no DNS
information is sent to the stations. DHCP will not default to sending the
DNS servers that are configured in DNS Settings. See also, “DNS
Settings” on page 153.
Configuring the Wi-Fi Array
169
Wi-Fi Array
12. Click Save changes to flash if you wish to make your changes
permanent.
See Also
DHCP Leases
DNS Settings
Network Map
170
Configuring the Wi-Fi Array
Wi-Fi Array
VLANs
This is a status-only window that allows you to review the current status of
assigned VLANs. A VLAN (Virtual LAN) is comprised of a group of devices that
communicate as a single network, even though they are physically located on
different LAN segments. Because VLANs are based on logical rather than
physical connections, they are extremely flexible. A device that is moved to
another location can remain on the same VLAN without any hardware
reconfiguration.
In addition to listing all VLANs, this window shows your settings for the Default
Route VLAN and the Native (Untagged) VLAN (Step 1 page 173).
Figure 103. VLANs

For a complete discussion of implementing Voice over Wi-Fi on the Array,
see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library.
Understanding Virtual Tunnels
Xirrus Arrays support Layer 2 tunneling with Virtual Tunnels. This allows an
Array to use tunnels to transport traffic for one or more SSID-VLAN pairs onto a
single destination network through the Layer 3 core network.
The Array has low overhead and latency for virtual tunnel connections, with high
resilience. The Array performs all encryption and decryption in hardware,
maintaining wire-rate encryption performance on the tunnel.
Configuring the Wi-Fi Array
171
Wi-Fi Array
Virtual Tunnel Server (VTS)
Tunneling capability is provided by a Virtual Tunnel Server. You supply the server
and deploy it in your network using open-source VTun software, available from
vtun.sourceforge.net. To enable the Array to use tunneling for a VLAN, simply
enter the IP address, port and secret for the tunnel server as described in Step 10
on page 174.
VTun may be configured for a number of different tunnel types, protocols, and
encryption types. For use with Arrays, we recommend the following
configuration choices:

Tunnel Type: Ether (Ethernet tunnel)

Protocol: UDP

Encryption Type: select one of the encryption types supported by VTun
(AES and Blowfish options are available)

Keepalive: yes
Client-Server Interaction
The Array is a client of the Virtual Tunnel Server. When you specify a VTS for a an
active VLAN-SSID pair, the Array contacts the VTS. The server then creates a
tunnel session to the Array. VTun encapsulated packets will cross the Layer 3
network from the Array to the VTS. When packets arrive at the VTS, they will be
de-encapsulated and the resultant packets will be passed to your switch with
802.1q VLAN tags for final Layer 2 processing. The process occurs in reverse for
packets traveling in the other direction.
We recommend that you enable the VTun keep-alive option. This will send a
keep-alive packet once per second to ensure that the tunnel remains active.
Tunnels can be configured to come up on demand but this is a poor choice for
Wi-Fi, since tunnel setup can take roughly 5-20 seconds and present a problem for
authentication.
172
Configuring the Wi-Fi Array
Wi-Fi Array
VLAN Management
This window allows you to assign and configure VLANs. After creating a new
VLAN (added to the list of VLANs), you can modify the configuration
parameters of an existing VLAN or delete a selected VLAN. You may create up to
32 VLANs.
Figure 104. VLAN Management

The Wi-Fi Array supports dynamic VLAN assignments specified by
RADIUS policy settings. When RADIUS sends these assignments, the
Array dynamically assigns wireless stations to VLANs as requested.
VLAN tags on traffic are passed through the Array (i.e., VLAN tags are
not stripped). Once a station has been dynamically moved to a new
VLAN, it will be shown in the Stations window as a member of the new
VLAN. (Figure 65 on page 112)
It is critical to configure all VLANs to be used on the Array, even those
that will be dynamically assigned.
Procedure for Managing VLANs
1.
Default route: This option allows you to choose a default VLAN route
from the pull-down list. The VLAN you chose will appear in the
corresponding VLAN Number field. The IP Gateway must be established
for this function to work.
2.
Native VLAN: This option allows you to choose the Native VLAN from
the pull-down list. The VLAN you chose will appear in the corresponding
VLAN Number field.
Configuring the Wi-Fi Array
173
Wi-Fi Array
3.
New VLAN Name/Number: Enter a name and number for the new
VLAN in this field, then click on the Create button. The new VLAN is
added to the list.
4.
VLAN Number: Enter a number for this VLAN (1-4094).
5.
Management: Check this box to allow management over this VLAN.
6.
DHCP: Check this box if you want the DHCP server to assign the IP
address, subnet mask and gateway address to the VLAN automatically,
otherwise you must go to the next step and assign these parameters
manually.
7.
IP Address: If the DHCP option is disabled, enter a valid IP address for
this VLAN association.
8.
Subnet Mask: If the DHCP option is disabled, enter the subnet mask IP
address for this VLAN association.
9.
Gateway: If the DHCP option is disabled, enter the IP gateway address
for this VLAN association.
10. Tunnel Server: If this VLAN is to be tunneled, enter the IP address or
host name of the tunnel server that will perform the tunneling. For more
information on virtual tunnels, please see “Understanding Virtual
Tunnels” on page 171.
11. Port: If this VLAN is to be tunneled, enter the port number of the tunnel
server.
12. New Secret: Enter the password expected by the tunnel server.
13. Delete: To delete the selected VLAN, simply click the Delete button to
remove the VLAN from the list.
14. Click Save changes to flash if you wish to make your changes
permanent.
See Also
VLAN Statistics
VLANs
174
Configuring the Wi-Fi Array
Wi-Fi Array
Security
This status- only window allows you to review the Array’s security parameters. It
includes the assigned network administration accounts, Access Control List
(ACL) values, management settings, encryption and authentication protocol
settings, and RADIUS configuration settings. There are no configuration options
available in this window, but if you are experiencing issues with security, you
may want to print this window for your records.
Figure 105. Security
For additional information about wireless network security, refer to:

“Security Planning” on page 45

“Understanding Security” on page 176

The Security section of “Frequently Asked Questions” on page 404.
For information about secure use of the WMI, refer to:

“Certificates and Connecting Securely to the WMI” on page 179

“Using the Array’s Default Certificate” on page 180
Configuring the Wi-Fi Array
175
Wi-Fi Array

“Using an External Certificate Authority” on page 181

“About Creating Admin Accounts on the RADIUS Server” on page 185

“About Creating User Accounts on the RADIUS Server” on page 201
Security settings are configured with the following windows:

“Admin Management” on page 181

“Admin Privileges” on page 183

“Admin RADIUS” on page 185

“Management Control” on page 188

“Access Control List” on page 195

“Global Settings” on page 197

“External Radius” on page 200

“Internal Radius” on page 204

“Rogue Control List” on page 206
Understanding Security
The Xirrus Wi-Fi Array incorporates many configurable security features. After
initially installing an Array, always change the default administrator password
(the default is admin), and choose a strong replacement password (containing
letters, numbers and special characters). When appropriate, issue read-only
administrator accounts.
Other security considerations include:
176

SSH versus Telnet: Be aware that Telnet is not secure over network
connections and should be used only with a direct serial port connection.
When connecting to the unit’s Command Line Interface over a network
connection, you must use a Secure SHell version 2 (SSH-2) utility. SSH-2
provides stronger security than SSH-1. The most commonly used
freeware providing SSH tools is PuTTY.

Configuration auditing: The optional Xirrus Management System (XMS)
offers powerful management features for small or large Xirrus Wi-Fi
deployments, and can audit your configuration settings automatically. In
addition, using the XMS eliminates the need for an FTP server.
Configuring the Wi-Fi Array
Wi-Fi Array

Choosing an encryption method: Wireless data encryption prevents
eavesdropping on data being transmitted or received over the airwaves.
The Array allows you to establish the following data encryption
configuration options:
•
Open — this option offers no data encryption and is not
recommended, though you might choose this option if clients are
required to use a VPN connection through a secure SSH utility,
like PuTTy.
•
WEP (Wired Equivalent Privacy) — this option provides minimal
protection (though much better than using an open network). An
early standard for wireless data encryption and supported by all
Wi-Fi certified equipment, WEP is vulnerable to hacking and is
therefore not recommended for use by Enterprise networks.
•
WPA (Wi-Fi Protected Access) and WPA2 — these are much
stronger encryption modes than WEP, using TKIP (Temporal Key
Integrity Protocol) or AES (Advanced Encryption Standard) to
encrypt data.
WPA solves security issues with WEP. It also allows you to
establish encryption keys on a per-user-basis, with key rotation
for added security. In addition, TKIP provides Message Integrity
Check (MIC) functionality and prevents active attacks on the
wireless network.
AES is the strongest encryption standard and is used by
government agencies; however, old legacy hardware may not be
capable of supporting the AES mode (it probably won’t work on
older wireless clients). Because AES is the strongest encryption
standard currently available, WPA2 with AES is highly
recommended for Enterprise networks.
Any of the above encryption methods can be used and an Array can
support multiple encryption methods simultaneously, but only one
method may be selected per SSID (except that selecting WPA-Both allows
WPA and WPA2 to be used at the same time on the same SSID).
Configuring the Wi-Fi Array
177
Wi-Fi Array
Otherwise, if multiple security methods are needed, you must define
multiple SSIDs.
The encryption mode (WEP, WPA, etc.) is selected in the SSIDs >SSID
Management window (see “SSID Management” on page 213).
The encryption standard used with WPA or WPA2 (AES or TKIP) is
selected in the Security>Global Settings window under WPA Settings
(see “Global Settings” on page 197).

Choosing an authentication method: User authentication ensures that
users are who they say they are. For this purpose, the Array allows you to
choose between the following user authentication methods:
•
Pre-Shared Key — users must manually enter a key (passphrase)
on the client side of the wireless network that matches the key
stored by the administrator in the Array.
This method should be used only for smaller networks when a
RADIUS server is unavailable. If PSK must be used, choose a
strong passphrase containing between 8 and 63 characters (20 is
preferred). Always use a combination of letters, numbers and
special characters. Never use English words separated by spaces.
178
•
RADIUS 802.1x with EAP — 802.1x uses a RADIUS server to
authenticate large numbers of clients, and can handle different
EAP (Extensible Authentication Protocol) authentication
methods, including EAP-TLS, EAP-TTLS, EAP-PEAP, and LEAPPassthrough. The RADIUS server can be internal (provided by
the Wi-Fi Array) or external. An external RADIUS server offers
more functionality and security, and is recommended for large
deployments. When using this method, user names and
passwords must be entered into the RADIUS server for user
authentication.
•
MAC Address ACLs (Access Control Lists) — MAC address
ACLs provide a list of client adapter MAC addresses that are
allowed or denied access to the wireless network. Access Control
Lists work well when there are a limited number of users — in
this case, enter the MAC address of each user in the Allow list. In
Configuring the Wi-Fi Array
Wi-Fi Array
the event of a lost or stolen MAC adapter, enter the affected MAC
address in the Deny list.
The Wi-Fi Array will accept up to 1,000 ACL entries.

PCI DSS or FIPS 140-2 Security — to implement the requirements of
these security standards on the Wi-Fi Array, please see Appendix D:
Implementing PCI DSS or Appendix E: Implementing FIPS Security.
Certificates and Connecting Securely to the WMI
When you point your browser to the Array to connect to the WMI, the Array
presents an X.509 security certificate to the browser to establish a secure channel.
One significant piece of information in the certificate is the Array’s host name.
This ties the certificate to a particular Array and ensures the client that it is
connecting to that host.
Certificate Authorities (CAs) are entities that digitally sign certificates, using their
own certificates (for example, VeriSign is a well-known CA). When the Array
presents its certificate to the client’s browser, the browser looks up the CA that
signed the certificate to decide whether to trust it. Browsers ship with a small set
of trusted CAs already installed. If the browser trusts the certificate’s CA, it
checks to ensure the host name (and IP address) match those on the certificate. If
any of these checks fail, you get a security warning when connecting to the WMI.
The Array ships with a default certificate that is signed by the Xirrus CA. You
may choose to use this certificate, or to use a certificate issued by the CA of your
choice, as described in the following sections:

Using the Array’s Default Certificate

Using an External Certificate Authority
Configuring the Wi-Fi Array
179
Wi-Fi Array
Using the Array’s Default Certificate
Figure 106. Import Xirrus Certificate Authority
The Array’s certificate is signed by a Xirrus CA that is customized for your Array
and its current host name. By default, browsers will not trust the Array’s
certificate. You may import the Xirrus certificate to instruct the browser to trust
the Xirrus CA on all future connections to Arrays. The certificate for the Xirrus
CA is available on the Array, so that you can import it into your browser’s cache
of trusted CAs (right alongside VeriSign, for example). On the Management
Control window of the WMI you will see the xirrus-ca.crt file. (Figure 106)
By clicking and opening this file, you can follow your browser’s instructions and
import the Xirrus CA into your CA cache (see page 192 for more information).
This instructs your browser to trust any of the certificates signed by the Xirrus
CA, so that when you connect to any of our Arrays you should no longer see the
warning about an untrusted site. Note however, that this only works if you use
the host name when connecting to the Array. If you use the IP address to connect,
you get a lesser warning saying that the certificate was only meant for ‘hostname’.
Since an Array’s certificate is based on the Array’s host name, any time you
change the host name the Array’s CA will regenerate and sign a new certificate.
This happens automatically the next time you reboot after changing the host
name. If you have already installed the Xirrus CA on a browser, this new Array
certificate should automatically be trusted.
When you install the Xirrus CA in your browser, it will trust a certificate signed
by any Xirrus Array, as long as you connect using the Array’s host name.
180
Configuring the Wi-Fi Array
Wi-Fi Array
Using an External Certificate Authority
If you prefer, you may install a certificate on your Array signed by an outside CA.
Why use a certificate from an external CA? The Array’s certificate is used for
security when stations attempt to associate to an SSID that has Web Page Redirect
enabled. In this case, it is preferable for the Array to present a certificate from an
external CA that is likely to be trusted by most browsers. When a WPR login page
is presented, the user will not see a security error if the Array’s certificate was
obtained from an external CA that is already trusted by the user’s browser.
WMI provides options for creating a Certificate Signing Request that you can
send to an external CA, and for uploading the signed certificate to the Array after
you obtain it from the CA. This certificate will be tied to the Array’s host name
and private key. See “External Certification Authority” on page 193 for more
details.
Admin Management
This window allows you to manage network administrator accounts (create,
modify and delete). It also allows you to limit account access to a read only status.
When finished, click on the Save changes to flash if you wish to make your
changes permanent.
Figure 107. Admin Management
Configuring the Wi-Fi Array
181
Wi-Fi Array
Procedure for Creating or Modifying Network Administrator Accounts
1.
Admin ID: Enter the login name for a new network administrator ID.
The length of the ID must be between 5 and 50 characters, inclusive.
2.
Read/Write: Choose Read/Write if you want to give this administrator ID
full read/write privileges, or choose Read to restrict this user to read only
status. In the read only mode, administrators cannot save changes to
configurations.
3.
User Password: Enter a password for this ID. The length of the password
must be between 5 and 50 characters, inclusive.
4.
Verify Password: Re-enter the password in this field to verify that you
typed the password correctly. If you do not re-enter the correct password,
an error message is displayed).
5.
Click on the Create button to add this administrator ID to the list.
6.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
Admin Privileges
External Radius
Global Settings (IAP)
Internal Radius
Management Control
182
Configuring the Wi-Fi Array
Wi-Fi Array
Admin Privileges
This window provides a detailed level of control over the privileges of Array
administrators. Administrators may be assigned one of eight Privilege Levels.
You may define the privilege level of each major feature (Configuration Section)
that may be configured on the Array. For example, say that you set the privilege
level to 4 for Reboot Array, Security, Radius Server, and SNMP, and you leave all
other configuration sections at the default privilege level of 1. In this case, any
administrator with a privilege level of 4 or higher may perform any operation on
the Array, while an administrator with a privilege level lower than 4 but at least 1
may perform any operation except those whose level was set to 4. An error
message will be displayed if an operation is attempted without a sufficient
privilege level.
Figure 108. Admin Privileges
Privilege level 0 is read-only. As a minimum, all administrators have permission
for read access to all areas of Array configuration. Higher privilege levels may be
used to define additional privileges for specific configuration sections.
Configuring the Wi-Fi Array
183
Wi-Fi Array
If you are using an Admin RADIUS server to define administrator accounts,
please see “RADIUS Vendor Specific Attributes (VSAs) for Xirrus” on page 415 to
set the privilege level for each administrator.
Procedure for Configuring Admin Privileges
1.
Privilege Level Names (optional): You may assign a Name to each
Privilege Level. The name may be used to describe the access granted by
this level. By default, levels 0 and 1 are named read-only and read-write,
respectively, and levels 2 through 7 have the same name as their level
number.
2.
Privilege Levels: Use this section to assign a Minimum Privilege Level
to selected Configuration Sections as desired. By default, all sections are
assigned level 1. When you select a higher privilege level for a
configuration section, then only administrators who have at least that
privilege level will be able to make configuration changes to that section.
3.
You may click ^ at the bottom of any row to toggle the values in the entire
column to either on or off.
4.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
External Radius
Groups
Admin Management
Admin RADIUS
Security
184
Configuring the Wi-Fi Array
Wi-Fi Array
Admin RADIUS
This window allows you to set up authentication of network administrators via
RADIUS. Using RADIUS to control administrator accounts for logging in to
Arrays has these benefits:

Centralized control of administrator accounts.

Less effort — you don't have to set up user names and passwords on each
Array; just enter them once on the RADIUS server and then all of the
Arrays can pull from the RADIUS server.

Enforced policies — you may set password rules (e.g., passwords must
contain at least one number and be at least 12 characters in length), and
you may set expiration times for passwords.
Admin RADIUS settings override any local administrator accounts configured on
the Admin Management window. If you have Admin RADIUS enabled, all
administrator authentication is done via the configured RADIUS servers. The
only exception to this is when you are connected via the Console port (using CLI).
If you are using the Console port, the Array will authenticate administrators
using accounts configured on the Admin Management window first, and then use
the RADIUS servers. This provides a safety net to be ensure that you are not
completely locked out of an Array if the RADIUS server is down.
About Creating Admin Accounts on the RADIUS Server
Permissions for RADIUS administrator accounts are controlled by the RADIUS
Xirrus-Admin-Role attribute. This is a Vendor Specific Attribute (VSA). To define
the privileges permitted to an administrator account, set the value of its XirrusAdmin-Role attribute to the desired Privilege Level Name string, as defined in
“Admin Privileges” on page 183. For more information about the RADIUS VSAs
used by Xirrus, see “RADIUS Vendor Specific Attributes (VSAs) for Xirrus” on
page 415.
When configuring administrator accounts on the RADIUS server, you must
observe the same restrictions for length and legal characters as when creating
these accounts on the Array using the Admin Management window: the user
name and password must be between 5 and 50 characters, inclusive.
Configuring the Wi-Fi Array
185
Wi-Fi Array
Figure 109. Admin RADIUS
Procedure for Configuring Admin RADIUS
Use this window to enable/disable administrator authentication via RADIUS,
and to set up primary and secondary servers to use for authentication of
administrators attempting to log in to the Array.
1.
Admin RADIUS Settings:
a.
Enable Admin RADIUS: Click Yes to enable the use of RADIUS to
authenticate administrators logging in to the Array. You will need to
specify the RADIUS server(s) to be used.
b. Authentication Type: Select the protocol used for authentication of
administrators, CHAP or PAP (the default).
c.
186
•
PAP (Password Authentication Protocol), is a simple protocol.
PAP transmits ASCII passwords over the network “in the clear”
(unencrypted) and is therefore considered insecure.
•
CHAP (Challenge-Handshake Authentication Protocol) is a more
secure protocol. The login request is sent using a one-way hash
function.
Timeout (seconds): Define the maximum idle time (in seconds)
before the RADIUS server’s session times out. The default is 600
seconds.
Configuring the Wi-Fi Array
Wi-Fi Array
2.
Admin RADIUS Primary Server: This is the RADIUS server that you
intend to use as your primary server.
a.
Host Name / IP Address: Enter the IP address or domain name of this
external RADIUS server.
b. Port Number: Enter the port number of this RADIUS server. The
default is 1812.
c.
Shared Secret / Verify Secret: Enter the shared secret that this
RADIUS server will be using, then re-enter the shared secret to verify
that you typed it correctly.

3.
The shared secret that you define must match the secret used by the
RADIUS server.
Admin RADIUS Secondary Server (optional): If desired, enter an
alternative external RADIUS server. If the primary RADIUS server
becomes unreachable, the Array will “failover” to the secondary RADIUS
server (defined here).
a.
Host Name / IP Address: Enter the IP address or domain name of this
RADIUS server.
b. Port Number: Enter the port number of this RADIUS server.
The default is 1812.
c.
Shared Secret / Verify Secret: Enter the shared secret that this
RADIUS server will be using, then re-enter the shared secret to verify
that you typed it correctly.
Configuring the Wi-Fi Array
187
Wi-Fi Array
Management Control
This window allows you to enable or disable the Array management interfaces
and set their inactivity time-outs. The supported range is 300 (default) to 100,000
seconds.
Figure 110. Management Control
188
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Configuring Management Control
1.
Management Settings:
a.
Maximum login attempts allowed (1-255): After this number of
consecutive failing administrator login attempts via ssh or telnet, the
Failed login retry period is enforced. The default is 3.
b. Failed login retry period (0-65535 seconds): After the maximum
number (defined above) of consecutive failing administrator login
attempts via ssh or telnet, the administrator’s IP address is denied
access to the array for the specified period of time (in seconds). The
default is 0.
c.
Pre-login Banner: Text that you enter here will be displayed above
the WMI login prompt. (Figure 111)
Figure 111. Pre-login Banner
d. Post-login Banner: Text that you enter here will be displayed in a
message box after a user logs in to the WMI.
2.
SSH:
a.
On/Off: Choose On to enable management of the Array over a Secure
Shell (SSH-2) connection, or Off to disable this feature. Be aware that
only SSH-2 connections are supported by the Array. SSH clients used
for connecting to the Array must be configured to use SSH-2.
b. Connection Timeout 30-100000 (Seconds): Enter a value in this field
to define the timeout (in seconds) before your SSH connection is
disconnected. The value you enter here must be between 30 seconds
and 100,000 seconds.
Configuring the Wi-Fi Array
189
Wi-Fi Array
c.
3.
Port: Enter a value in this field to define the port used by SSH.
The default port is 22.
Telnet:
a.
On/Off: Choose On to enable Array management over a Telnet
connection, or Off to disable this feature. SSH offers a more secure
connection than Telnet, and is recommended over Telnet.
b. Connection Timeout 30-100000 (Seconds): Enter a value in this field
to define the timeout (in seconds) before your Telnet connection is
disconnected. The value you enter here must be between 30 seconds
and 100,000 seconds.
c.
4.
Port: Enter a value in this field to define the port used by Telnet.
The default port is 23.
Serial
a.
On/Off: Choose On to enable management of the Array via a serial
connection, or choose Off to disable this feature.
b. Connection Timeout 30-100000 (Seconds): Enter a value in this field
to define the timeout (in seconds) before your serial connection is
disconnected. The value you enter here must be between 30 seconds
and 100,000 seconds.
5.
HTTPS
a.
Connection Timeout 30-100000 (Seconds): Enter a value in this field
to define the timeout (in seconds) before your HTTPS connection is
disconnected. The value you enter here must be between 30 seconds
and 100,000 seconds. Management via HTTPS (i.e., the Web
Management Interface) cannot be disabled on this window. To
disable management over HTTPS, you must use the Command Line
Interface.
b. Port: Enter a value in this field to define the port used by SSH.
The default port is 443.
190
Configuring the Wi-Fi Array
Wi-Fi Array
6.
Management Modes
a.
Network Assurance: Click the On button to enable this mode.
Network assurance checks network connectivity to each server that
you configure, such as the NTP server, RADIUS servers, SNMP trap
hosts, etc. By proactively identifying network resources that are
unavailable, the network manager can be alerted of problems
potentially before end-users notice an issue. The distributed
intelligence of Arrays provides this monitoring at multiple points
across the network, adding to the ability to isolate the problem and
expedite the resolution
Connectivity is checked when you configure a server. If a newly
configured server is unreachable, you will be notified directly and a
Syslog entry is created. Also, the Array cycles through all configured
servers on an ongoing basis, checking one per second, so that each
server is checked approximately every four or five minutes. Servers
are checked regardless of whether they are configured as IP addresses
or host names.
If a server becomes unreachable, a Syslog message is generated.
When the server again becomes reachable, another Syslog message is
generated.
To view the status of all configured servers checked by this feature,
please see “Network Assurance” on page 101.
b. PCI Audit Mode: Click the On button to enable this mode. In PCI
Audit Mode, the Array checks whether its configuration satisfies PCI
DSS wireless requirements. This mode does not change any other
settings, but will inform you of any violations that exist. Furthermore,
the Array will monitor changes that you make to its configuration in
CLI or the WMI. PCI Mode will warn you (and issue a Syslog
message) if the change violates PCI DSS requirements. A warning is
issued when a non-compliant change is first applied to the Array, and
also if you attempt to save a configuration that is non-compliant. Use
this command in conjunction with “The Xirrus Array PCI
Compliance Configuration” on page 427 to ensure that you are using
Configuring the Wi-Fi Array
191
Wi-Fi Array
the Array in accordance with the PCI DSS requirements. For more
information, see “Appendix D: Implementing PCI DSS” on page 425.
The pci-audit command checks items such as:
c.
•
Telnet is disabled.
•
Admin RADIUS is enabled (admin login authentication is via
RADIUS server).
•
An external Syslog server is in use.
•
All SSIDs must set encryption to WPA or better (which also
enforces 802.1x authentication)
FIPS 140-2, Level 2 Security: Please see “Appendix E: Implementing
FIPS Security” on page 431 for more information, including step-bystep instructions for proceeding to implement FIPS Level 2 Security
requirements on an Array.
Click the On button to enable FIPS. This will perform all of the setting
changes required to make the Array comply with FIPS requirements.
A message is displayed showing the changes that were performed.
The Array continues to enforce FIPS requirements by preventing you
from making non-compliant configuration changes. Click the Off
button to stop enforcing FIPS requirements.
Note that when you enable FIPS, the Array does not save your
previous settings, and it will not restore them if you click the Off
button. If you think you may wish to disable FIPS and restore your
previous configuration at some later time, use Set Restore Point to
save a copy of your configuration before enabling FIPS (see Step 9 on
page 301).
7.
HTTPS (X.509) Certificate
a.
192
Import Xirrus Authority into Browser: This feature imports the
Xirrus Certificate Authority (CA) into your browser (for a discussion,
please see “Certificates and Connecting Securely to the WMI” on
page 179). Click the link (xirrus-ca.crt), and then click Open to view
or install the current Xirrus CA certificate. Click Install Certificate to
Configuring the Wi-Fi Array
Wi-Fi Array
start your browser’s Certificate Install Wizard. We recommend that
you use this process to install Xirrus as a root authority in your
browser.
When you assign a Host Name to your Array using the Express
Setup window, then the next time you reboot the Array it
automatically creates a security certificate for that host name. That
certificate uses Xirrus as the signing authority. Thus, in order to avoid
having certificate errors on your browser when using WMI:
•
You must have assigned a host name to the Array and rebooted at
some time after that.
•
Use Import Xirrus Authority into Browser
•
Access WMI by using the host name of the Array rather than its
IP address.
b. HTTPS (X.509) Certificate Signed By: This read-only field shows the
signing authority for the current certificate.
8.
External Certification Authority
This Step and Step 9 allow you to obtain a certificate from an external
authority and install it on an Array. “Using an External Certificate
Authority” on page 181 discusses reasons for using an external CA.
For example, to obtain and install a certificate from VeriSign on the Array,
follow these steps:
•
If you don’t already have the certificate from the external (nonXirrus) Certificate Authority, see Step 9 to create a request for a
certificate.
•
Use Step 8a to review the request and copy its text to send to
VeriSign.
•
When you receive the new certificate from VeriSign, upload it to the
Array using Step 8b.
External Certification Authority has the following fields:
Configuring the Wi-Fi Array
193
Wi-Fi Array
a.
Download Certificate Signing Request: After creating a certificate
signing request (.csr file — Step 9), click the View button to review it.
If it is satisfactory, click the name of the .csr file to display the text of
the request. You can then copy this text and use it as required by the
CA. You may also click on the filename of the .csr file to download it
to your local computer.
b. Upload Signed Certificate: To use a custom certificate signed by an
authority other than Xirrus, use the Browse button to locate the
certificate file, then click Upload to copy it to the Array. The Array’s
web server will be restarted and will pick up the new certificate. This
will terminate any current web sessions, and you will need to
reconnect and re-login to the Array.
9.
To create a Certificate Signing Request
a.
Fill in the fields in this section: Common Name, Organization Name,
Organizational Unit Name, Locality (City), State or Province,
Country Name, and Email Address. Spaces may be used in any of
the fields, except for Common Name, Country Name, or Email
Address. Click the Create button to create the certificate signing
request. See Step 8 above to use this request.
10. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Network Interfaces - to enable/disable management over an Ethernet interface
Global Settings (IAP) - to enable/disable management over IAPs
Admin Management
External Radius
Global Settings (IAP)
Internal Radius
Access Control List
Security
194
Configuring the Wi-Fi Array
Wi-Fi Array
Access Control List
This window allows you to enable or disable the use of the global Access Control
List (ACL), which controls whether a station with a particular MAC address may
associate to the Array. You may create station access control list entries and delete
existing entries, and control the type of list.
There is only one global ACL, and you may select whether its type is an Allow
List or a Deny List, or whether use of the list is disabled.
There is also a per-SSID ACL (see “Per-SSID Access Control List” on page 226). If
the same MAC address is listed in both the global ACL and in an SSID’s ACL, and
if either ACL would deny that station access to that SSID, then access will be
denied.
Figure 112. Access Control List
Procedure for Configuring Access Control Lists
1.
Access Control List Type: Select Disabled to disable use of the Access
Control List, or select the ACL type — either Allow List or Deny List.
•
Allow List: Only allows the listed MAC addresses to associate to
the Array. All others are denied.
Configuring the Wi-Fi Array
195
Wi-Fi Array
•
Deny List: Denies the listed MAC addresses permission to
associate to the Array. All others are allowed.

In addition to these lists, other authentication methods (for
example, RADIUS) are still enforced for users.
2.
MAC Address: If you want to add a MAC address to the ACL, enter the
new MAC address here, then click on the Add button. The MAC address
is added to the ACL. You may use a wildcard (*) for one or more digits to
match a range of addresses.
3.
Delete: You can delete selected MAC addresses from this list by clicking
their Delete buttons.
4.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
External Radius
Global Settings (IAP)
Internal Radius
Management Control
Security
Station Status Windows (list of stations that have been detected by the Array)
196
Configuring the Wi-Fi Array
Wi-Fi Array
Global Settings
This window allows you to establish the security parameters for your wireless
network, including WEP, WPA, WPA2 and RADIUS authentication. When
finished, click Save changes to flash if you wish to make your changes
permanent.
For additional information about wireless network security, refer to “Security
Planning” on page 45 and “Understanding Security” on page 176.
Figure 113. Global Settings (Security)
Configuring the Wi-Fi Array
197
Wi-Fi Array
Procedure for Configuring Network Security
1.
RADIUS Server Mode: Choose the RADIUS server mode you want to
use, either Internal or External. Parameters for these modes are
configured in “External Radius” on page 200 and “Internal Radius” on
page 204.
WPA Settings
These settings are used if the WPA or WPA2 encryption type is selected on the
SSIDs >SSID Management window or the Express Setup window (on this
window, encryption type is set in the SSID Settings: Wireless Security field).
2.

TKIP Enabled: Choose Yes to enable TKIP (Temporal Key Integrity
Protocol), or choose No to disable TKIP.
TKIP encryption does not support high throughput rates (see Improved
MAC Throughput), per the IEEE 802.11n specification.
TKIP should never be used for WDS links on XR arrays.
198
3.
AES Enabled: Choose Yes to enable AES (Advanced Encryption
Standard), or choose No to disable AES. If both AES and TKIP are
enabled, the station determines which will be used.
4.
WPA Group Rekey Time (seconds): Enter a value to specify the group
rekey time (in seconds). The default is Never.
5.
PSK Authentication: Choose Yes to enable PSK (Pre-Shared Key)
authentication, or choose No to disable PSK.
6.
WPA Preshared Key / Verify Key: If you enabled PSK, enter a passphrase
here, then re-enter the passphrase to verify that you typed it correctly.
7.
EAP Authentication: Choose Yes to enable EAP
Authentication Protocol) or choose No to disable EAP.
(Extensible
Configuring the Wi-Fi Array
Wi-Fi Array
WEP Settings
These settings are used if the WEP encryption type is selected on the SSIDs >
SSID Management window or the Express Setup window (on this window,
encryption type is set in the SSID Settings: Wireless Security field).

WEP encryption does not support high throughput rates or features like
frame aggregation or block acknowledgements (see Improved MAC
Throughput), per the IEEE 802.11n specification.
WEP should never be used for WDS links on XN arrays.
8.
Key Mode / Length: If you enabled WEP, choose the mode (either ASCII
or Hex) and the desired key length (either 40 or 104) from the pull-down
lists.
Encryption Key 1 / Verify Key 1: Enter an encryption key of the length
and type selected (to the right of the key fields):
•
10 hex/5 ASCII characters for 40 bits (WEP-64)
•
26 hex/13 ASCII characters for 104 bits (WEP-128)
Re-enter the key to verify that you typed it correctly. Hexadecimal
characters are defined as ABCDEF and 0-9. For ASCII mode, you may
include special characters, except for the double quote symbol (“).
9.
Encryption Key 2 to 4/ Verify Key 2 to 4/ Key Mode/Length (optional): If
desired, enter up to four encryption keys, in the same way that you
entered the first key.
10. Default Key: Choose which key you want to assign as the default key.
Make your selection from the pull-down list.
11. Click Save changes to flash if you wish to make your changes
permanent.

After configuring network security, the configuration must be
applied to an SSID for the new functionality to take effect.
Configuring the Wi-Fi Array
199
Wi-Fi Array
See Also
Admin Management
External Radius
Internal Radius
Access Control List
Management Control
Security
Security Planning
SSID Management
External Radius
This window allows you to define the parameters of an external RADIUS server
for user authentication. To set up an external RADIUS server, you must choose
External as the RADIUS server mode in Global Settings. Refer to “Global
Settings” on page 197.
Figure 114. External RADIUS Server
200
Configuring the Wi-Fi Array
Wi-Fi Array
If you want to include user group membership in the RADIUS account
information for users, see “Understanding Groups” on page 228. User groups
allow you to easily apply a uniform configuration to a user on the Array.
About Creating User Accounts on the RADIUS Server
A number of attributes of user (Wi-Fi client) accounts are controlled by RADIUS
Vendor Specific Attributes (VSAs) defined by Xirrus. For example, you would use
the VSA named Xirrus-User-VLAN if you wish to set the VLAN for a user
account in RADIUS. For more information about the RADIUS VSAs used by
Xirrus, see “RADIUS Vendor Specific Attributes (VSAs) for Xirrus” on page 415.
Procedure for Configuring an External RADIUS Server
1.
Primary Server: This is the external RADIUS server that you intend to
use as your primary server.
a.
Host Name / IP Address: Enter the IP address or domain name of this
external RADIUS server.
b. Port Number: Enter the port number of this external RADIUS server.
The default is 1812.
c.
Shared Secret / Verify Secret: Enter the shared secret that this
external RADIUS server will be using, then re-enter the shared secret
to verify that you typed it correctly.

2.
The shared secret that you define must match the secret used by the
external RADIUS server.
Secondary Server (optional): If desired, enter an alternative external
RADIUS server. If the primary RADIUS server becomes unreachable, the
Array will “failover” to the secondary RADIUS server (defined here).
a.
Host Name / IP Address: Enter the IP address or domain name of this
external RADIUS server.
b. Port Number: Enter the port number of this external RADIUS server.
The default is 1812.
Configuring the Wi-Fi Array
201
Wi-Fi Array
c.
3.
Shared Secret / Verify Secret: Enter the shared secret that this
external RADIUS server will be using, then re-enter the shared secret
to verify that you typed it correctly.
Settings: Define the session timeout, the NAS Identifier, and whether
accounting will be used.
a.
Timeout (seconds): Define the maximum idle time (in seconds)
before the external RADIUS server’s session times out. The default is
600 seconds.
b. NAS Identifier: From the point of view of a RADIUS server, the
Array is a client, also called a network access server (NAS). Enter the
NAS Identifier (IP address) that the RADIUS servers expect the Array
to use — this is normally the IP address of the Array’s Gigabit1 port.
c.
4.
Accounting: If you would like the Array to send RADIUS Start, Stop,
and Interim records to a RADIUS accounting server, click the On
button. The account settings appear, and must be configured.
Accounting Settings:
Note that RADIUS accounting start packets sent by the Array will include
the client station's Framed-IP-Address attribute.
a.
Accounting Interval (seconds): Specify how often Interim records are
to be sent to the server. The default is 300 seconds.
b. Primary Server Host Name / IP Address: Enter the IP address or
domain name of the primary RADIUS accounting server that you
intend to use.
c.
Primary Port Number: Enter the port number of the primary
RADIUS accounting server. The default is 1813.
d. Primary Shared Secret / Verify Secret: Enter the shared secret that
the primary RADIUS accounting server will be using, then re-enter
the shared secret to verify that you typed it correctly.
e.
202
Secondary Server Host Name / IP Address (optional): If desired,
enter an IP address or domain name for an alternative RADIUS
Configuring the Wi-Fi Array
Wi-Fi Array
accounting server. If the primary server becomes unreachable, the
Array will “failover” to this secondary server (defined here).
5.
f.
Secondary Port Number: If using a secondary accounting server,
enter its port number. The default is 1813.
g.
Secondary Shared Secret / Verify Secret: If using a secondary
accounting server, enter the shared secret that it will be using, then reenter the shared secret to verify that you typed it correctly.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
Admin Management
Global Settings (IAP)
Internal Radius
Access Control List
Management Control
Security
Understanding Groups
Configuring the Wi-Fi Array
203
Wi-Fi Array
Internal Radius
This window allows you to define the parameters for the Array’s internal
RADIUS server for user authentication. However, the internal RADIUS server
will only authenticate wireless clients that want to associate to the Array. This can
be useful if an external RADIUS server is not available. To set up the internal
RADIUS server, you must choose Internal as the RADIUS server mode in Global
Settings. Refer to “Global Settings” on page 197.
Figure 115. Internal RADIUS Server

204
Clients using PEAP may have difficulty authenticating to the Array using
the Internal RADIUS server due to invalid security certificate errors. To
prevent this problem, the user may disable the Validate Server Certificate
option on the station. Do this by displaying the station’s wireless devices and
then displaying the properties of the desired wireless interface. In the
security properties, disable Validate server certificate. In some systems,
this may be found by setting the authentication method to PEAP and
changing the associated settings.
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Creating a New User
1.
User Name: Enter the name of the user that you want to authenticate to
the internal RADIUS server.
2.
SSID Restriction: (Optional) If you want to restrict this user to
associating to a particular SSID, choose an SSID from the pull-down list.
3.
User Group: (Optional) If you want to make this user a member of a
previously defined user group, choose a group from the pull-down list.
This will apply all of the user group’s settings to the user. See
“Understanding Groups” on page 228.
4.
Password: (Optional) Enter a password for the user.
5.
Verify: (Optional) Retype the user password to verify that you typed it
correctly.
6.
Click on the Create button to add the new user to the list.
Procedure for Managing Existing Users
1.
SSID Restriction: (Optional) If you want to restrict a user to associating
to a particular SSID, choose an SSID from its pull-down list.
2.
User Group: (Optional) If you want to change the user’s group, choose a
group from the pull-down list. This will apply all of the user group’s
settings to the user. See “Understanding Groups” on page 228.
3.
Password: (Optional) Enter a new password for the selected user.
4.
Verify Password: (Optional) Retype the user password to verify that you
typed it correctly.
5.
If you want to delete one or more users, click their Delete buttons.
6.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
Admin Management
External Radius
Global Settings (IAP)
Configuring the Wi-Fi Array
205
Wi-Fi Array
Access Control List
Management Control
Security
Understanding Groups
Rogue Control List
This window allows you to set up a control list for rogue APs, based on a type
that you define. You may classify rogue APs as blocked, so that the Array will
take steps to prevent stations from associating with the blocked AP. See “About
Blocking Rogue APs” on page 273. The Array can keep up to 5000 entries in this
list.

The RF Monitor > Intrusion Detection window provides an alternate
method for classifying rogues. You can list all Unknown stations and select
all the rogues that you’d like to set to Known or Approved, rather than
entering the SSID/BSSID as described below. See “Intrusion Detection”
on page 107.
Figure 116. Rogue Control List
206
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Establishing Rogue AP Control
1.
Rogue BSSID/SSID: Enter the BSSID, SSID, or manufacturer string to
match for the new rogue control entry. The Match Only radio buttons
specify what to match (e.g., the MAC address, SSID, or manufacturer).
You may use the “*” character as a wildcard to match any string at this
position. For example, 00:0f:7d:* matches any string that starts with
00:0f:7d:. Since Xirrus Arrays start with 00:0f:7d:, this applies the Rogue
Control Type to all Xirrus Arrays.
2.
Rogue Control Classification: Enter the classification for the specified
rogue AP(s), either Blocked, Known or Approved.
3.
Match Only: Select the match criterion to compare the Rogue BSSID/
SSID string against: BSSID, Manufacturer, or SSID. The BSSID field
contains the MAC address.
4.
Click Create to add this rogue AP to the Rogue Control List.
5.
Rogue Control List: If you want to edit the control type for a rogue AP,
just click the radio button for the new type for the entry: Blocked, Known
or Approved.
6.
To delete rogue APs from the list, click their Delete buttons.
7.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
Network Map
Intrusion Detection
SSIDs
SSID Management
Configuring the Wi-Fi Array
207
Wi-Fi Array
SSIDs
This status-only window allows you to review SSID (Service Set IDentifier)
assignments. It includes the SSID name, whether or not an SSID is visible on the
network, any security and QoS parameters defined for each SSID, associated
VLAN IDs, radio availability, and DHCP pools defined per SSID. Click on an
SSID’s name to jump to the edit page for the SSID. There are no configuration
options available on this page, but if you are experiencing problems or reviewing
SSID management parameters, you may want to print this page for your records.

For a complete discussion of implementing Voice over Wi-Fi on the Array,
see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library.
Figure 117. SSIDs
The read-only Limits section of the SSIDs window allows you to review any
limitations associated with your defined SSIDs. For example, this window shows
the current state of an SSID (enabled or not), how much SSID and station traffic is
allowed, time on and time off, days on and off, and whether each SSID is
currently active or inactive.
For information to help you understand SSIDs and how multiple SSIDs are
managed by the Wi-Fi Array, go to “Understanding SSIDs” on page 209 and the
Multiple SSIDs section of “Frequently Asked Questions” on page 404. For a
description of how QoS operates on the Array, see “Understanding QoS Priority
on the Wi-Fi Array” on page 210.
SSIDs are managed with the following windows:
208
Configuring the Wi-Fi Array
Wi-Fi Array

“SSID Management” on page 213

“Active IAPs” on page 225
Understanding SSIDs
The SSID (Service Set Identifier) is a unique identifier that wireless networking
devices use to establish and maintain wireless connectivity. Multiple access points
on a network or sub-network can use the same SSIDs. SSIDs are case-sensitive
and can contain up to 32 alphanumeric characters (do not include spaces when
defining SSIDs).
Multiple SSIDs
A BSSID (Basic SSID) refers to an individual access point radio and its associated
clients. The identifier is the MAC address of the access point radio that forms the
BSS. A group of BSSs can be formed to allow stations in one BSS to communicate
to stations in another BSS via a backbone that interconnects each access point.
The Extended Service Set (ESS) refers to the group of BSSIDs that are grouped
together to form one ESS. The ESSID (often referred to as SSID or “wireless
network name”) identifies the Extended Service Set. Clients must associate to a
single ESS at any given time. Clients ignore traffic from other Extended Service
Sets that do not have the same SSID.
Legacy access points typically support one SSID per access point. Wi-Fi Arrays
support the ability to define and use multiple SSIDs simultaneously.
Using SSIDs
The creation of different wireless network names allows system administrators to
separate types of users with different requirements. The following policies can be
tied to an SSID:

The wireless security mode needed to join this SSID.

The wireless Quality of Service (QoS) desired for this SSID.

The wired VLAN associated with this SSID.
As an example, one SSID named accounting might require the highest level of
security, while another named guests might have low security requirements.
Configuring the Wi-Fi Array
209
Wi-Fi Array
Another example may define an SSID named voice that supports voice over
Wireless LAN phones with the highest Quality of Service (QoS) definition. This
SSID might also forward traffic to specific VLANs on the wired network.
See Also
SSID Management
SSIDs
Understanding SSIDs
Understanding QoS Priority on the Wi-Fi Array

For a complete discussion of implementing Voice over Wi-Fi on the Array,
see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library.
The Wi-Fi Array’s Quality of Service Priority feature (QoS) allows traffic to be
prioritized according to your requirements. For example, you typically assign the
highest priority to voice traffic, since this type of traffic requires delay to be under
10 ms. The Array has four separate queues for handling wireless traffic at
different priorities, and thus it supports four traffic classes (QoS levels).
Application Data
Voice
Data
Video
Data
Background
Data
Best Effort
Data
Mapping to
Traffic Class
Four Transmit
Queues
Per queue
channel access
IAP (Transmit)
Highest
Priority
Lowest
Priority
Figure 118. Four Traffic Classes
IEEE802.1p defines eight priority levels for wired networks. Each data packet
may be tagged with a priority level, i.e., a user priority tag. Since there are eight
210
Configuring the Wi-Fi Array
Wi-Fi Array
possible user priority levels and the Array implements four wireless QoS levels,
user priorities are mapped to QoS as described below.
End-to-End QoS Handling

Wired QoS - Ethernet Port:
Ingress: Incoming wired packets are assigned QoS priority based on their
SSID and 802.1p tag (if any), as shown in the table below. This table
follows the mapping recommended by IEEE802.11e.
FROM
Priority Tag
802.1p (Wired)
TO
Array QoS
(Wireless)
Typical Use
0 (Lowest
priority)
Background — explicitly designated as
low-priority and non-delay sensitive
Spare
Excellent Effort
Controlled Load
Video
Voice - requires delay <10ms
7 (Highest
priority)
3 (Highest
priority)
Configuring the Wi-Fi Array
Best Effort
Network control
211
Wi-Fi Array

Egress: Outgoing wired packets are IEEE 802.1p tagged at the Ethernet
port for upstream traffic, thus enabling QoS at the edge of the network.
FROM
Array QoS (Wireless)
TO
Priority Tag 802.1p (Wired)
0 (Lowest priority)
2 (Default)
3 (Highest priority)
Wireless QoS - Radios:

Each SSID can be assigned a separate QoS priority (i.e., traffic class) from
0 to 3, where 3 is highest priority and 2 is the default. See “SSID
Management” on page 213. If multiple SSIDs are used, packets from the
SSID with higher priority are transmitted first.

The Array supports IEEE802.11e Wireless QoS for downstream traffic.
Higher priority packets wait a shorter time before gaining access to the
air and contend less with all other 802.11 devices on a channel.

How QoS is set for a packet in case of conflicting values:
a.
If an SSID has a QoS setting, and an incoming wired packet’s user
priority tag is mapped to a higher QoS value, then the higher QoS
value is used.
b. If a group or filter has a QoS setting, this overrides the QoS value
above. See “Groups” on page 228, and “Filters” on page 283.
c.
Voice packets have the highest priority, as described below (Voice
Support).
Packet Filtering QoS classification

212
Filter rules can be used to redefine the QoS priority level to override
defaults. See “Filter Management” on page 286. This allows the QoS
priority level to be assigned based on protocol, source, or destination.
Configuring the Wi-Fi Array
Wi-Fi Array
Voice Support

The QoS priority implementation on the Array supports voice
applications.
SSID Management
This window allows you to manage SSIDs (create, edit and delete), assign security
parameters and VLANs on a per SSID basis, and configure the Web Page Redirect
functionality.
Create new SSID 
Configure parameters
Set traffic limits / usage schedule
Configure WPR
Configure RADIUS server
Figure 119. SSID Management
Configuring the Wi-Fi Array
213
Wi-Fi Array
Procedure for Managing SSIDs
1.
New SSID Name: To create a new SSID, enter a new SSID name to the left
of the Create button (Figure 119), then click Create. The SSID name may
only consist of the characters A-Z, a-z, 0-9, dash, and underscore. You
may create up to 16 SSIDs.
SSID List (top of page)
214
2.
SSID: Shows all currently assigned SSIDs. When you create a new SSID,
the SSID name appears in this table. Click any SSID in this list to select it.
3.
On: Check this box to activate this SSID or clear it to deactivate it.
4.
Brdcast: Check this box to make the selected SSID visible to all clients on
the network. Although the Wi-Fi Array will not broadcast SSIDs that are
hidden, clients can still associate to a hidden SSID if they know the SSID
name to connect to it. Clear this box if you do not want this SSID to be
visible on the network.
5.
Band: Choose which wireless band the SSID will be beaconed on. Select
either 5 GHz — 802.11a(n), 2.4 GHz — 802.11bg(n) or Both.
6.
VLAN ID / Number: From the pull-down list, select a VLAN that you
want this traffic to be forwarded to on the wired network. Select numeric
to enter the number of a previously defined VLAN in the Number field
(see “VLANs” on page 171). This step is optional.
7.
QoS: (Optional) Select a value in this field for QoS (Quality of Service)
priority filtering. The QoS value must be one of the following:
•
0 — The lowest QoS priority setting, where QoS makes its best effort
at filtering and prioritizing data, video and voice traffic without
compromising the performance of the network. Use this setting in
environments where traffic prioritization is not a concern.
•
1 — Medium, with QoS prioritization aggregated across all traffic
types.
•
2 — High, normally used to give priority to video traffic.
Configuring the Wi-Fi Array
Wi-Fi Array
•
3 — The highest QoS priority setting, normally used to give priority to
voice traffic.
The QoS setting you define here will prioritize wireless traffic for this
SSID over other SSID traffic, as described in “Understanding QoS Priority
on the Wi-Fi Array” on page 210. The default value for this field is 2.
8.
DHCP Pool: If you want to associate an internal DHCP pool to this SSID,
choose the pool from the pull--down list. An internal DHCP pool must be
created before it can be assigned. To create an internal DHCP pool, go to
“DHCP Server” on page 168.
9.
Filter List: If you wish to apply a set a filters to this SSID’s traffic, select
the desired Filter List. See “Filters” on page 283.
10. Authentication: The following authentication options are available:
•
Open: This option provides no authentication and is not
recommended.
•
RADIUS MAC: Uses an external RADIUS server to authenticate
stations onto the Wi-Fi network, based on the user’s MAC address.
Accounting for these stations is performed according to the
accounting options that you have configured specifically for this SSID
or globally (see Step 12 below).

If this SSID is on a VLAN, the VLAN must have management turned on in
order to pass CHAP authentication challenges from the client station to the
RADIUS server.
•
802.1x: Authenticates stations onto the Wi-Fi network via a RADIUS
server using 802.1x with EAP. The RADIUS server can be internal
(provided by the Wi-Fi Array) or external.
11. Encryption: From the pull-down list, choose the encryption that will be
required — specific to this SSID — either None, WEP, WPA, WPA2 or
WPA-Both. The None option provides no security and is not
recommended; WPA2 provides the best practice Wi-Fi security.
Configuring the Wi-Fi Array
215
Wi-Fi Array
Each SSID supports only one encryption type at a time (except that WPA
and WPA2 are both supported on an SSID if you select WPA-Both). If you
need to support other encryption types, you must define additional
SSIDs. The encryption standard used with WPA or WPA2 is selected in
the Security>Global Settings window (page 197). For an overview of the
security options, see “Security Planning” on page 45 and “Understanding
Security” on page 176.

XN model Arrays cannot use the SSID-specific WEP keys specified in this
step. They can only use the global WEP keys specified in the Global
Settings window.
12. Global: Check the checkbox if you want this SSID to use the security
settings established at the global level (refer to “Global Settings” on
page 197). Clear the checkbox if you want the settings established here to
take precedence. Additional sections will be displayed to allow you to
configure encryption, RADIUS, and RADIUS accounting settings. The
WPA Configuration encryption settings have the same parameters as
those described in “Procedure for Configuring Network Security” on
page 198. The external RADIUS and accounting settings are configured in
the same way as for an external RADIUS server (see “Procedure for
Configuring an External RADIUS Server” on page 201). Note that
external RADIUS servers may be specified using IP addresses or domain
names.
216
Configuring the Wi-Fi Array
Wi-Fi Array
Set Encryption
Configure Radius, Accounting
Figure 120. SSID Management
13. Roaming: For this SSID, select whether to enable fast roaming between
IAPs or Arrays at L2&L3 (Layer 2 and Layer 3), at L2 (Layer 2 only), or
disable roaming (Off). You may only select fast roaming at Layers 2 and 3
if this has been selected in Global Settings (IAP). See “Understanding Fast
Roaming” on page 235.
14. WPR (Web Page Redirect): Check the checkbox to enable the Web Page
Redirect functionality, or clear it to disable this option. If enabled, WPR
configuration fields will be displayed under the SSID Limits section. This
feature may be used to provide an alternate mode of authentication, or to
simply display a splash screen when a user first associates to the wireless
network. After that, it can (optionally) redirect the user to an alternate
URL. For example, some wireless devices and users may not have a
correctly configured 802.1x (RADIUS) supplicant. Utilizing WPR’s Web-
Configuring the Wi-Fi Array
217
Wi-Fi Array
based login, users may be authenticated without using an 802.1x
supplicant. See “Web Page Redirect Configuration Settings” on page 219
for details of WPR usage and configuration.

When using WPR, it is particularly important to adhere to the SSID
naming restrictions detailed in Step 1.
15. Fallback: Network Assurance checks network connectivity for the Array.
When Network Assurance detects a failure, perhaps due to a bad link or
WDS failure, if Fallback is set to Disable the Array will automatically
disable this SSID. This will disassociate current clients, and prevent new
clients from associating. Since the Array’s network connectivity has
failed, this gives clients a chance to connect to other, operational parts of
the Wi-Fi network. No changes are made to WDS configuration. See Step
a on page 191 for more information on Network Assurance.
The lower part of the window contains a few sections of additional settings to
configure for the currently selected SSID, depending on the values chosen for the
settings described above.

“SSID Limits” on page 218

“Web Page Redirect Configuration Settings” on page 219

“WPA Configuration Settings” on page 223

“RADIUS Configuration Settings” on page 224
SSID Limits
See “Group Limits” on page 232 for a discussion of the interaction of SSID limits
and group limits. To eliminate confusion, we recommend that you configure one
set of limits or the other, but not both.
16. Stations: Enter the maximum number of stations allowed on this SSID.
The default is 1536. This step is optional. Note that the IAPs - Global
Settings window also has a station limit option — Max Station
Association per IAP. If both station limits are set, both will be enforced.
As soon as either limit is reached, no new stations can associate until
some other station has terminated its association.
218
Configuring the Wi-Fi Array
Wi-Fi Array
17. Overall Traffic: Choose Unlimited if you do not want to place a
restriction on the traffic for this SSID, or enter a value in the Packets/Sec
field to force a traffic restriction.
18. Traffic per Station: Choose Unlimited if you do not want to place a
restriction on the traffic per station for this SSID, or enter a value in the
Packets/Sec field to force a traffic restriction.
19. Days Active: Choose Everyday if you want this SSID to be active every
day of the week, or select only the specific days that you want this SSID to
be active. Days that are not checked are considered to be the inactive
days.
20. Time Active: Choose Always if you want this SSID active without
interruption, or enter values in the Time On and Time Off fields to limit
the time that this SSID is active.
21. To delete SSIDs, click their Delete buttons.
22. Click Save changes to flash if you wish to make your changes
permanent.
Web Page Redirect Configuration Settings
If you enable WPR, the SSID Management window displays additional fields that
must be configured. For example configurations and complete examples, please
see the Xirrus Web Page Redirect Application Note in the Xirrus Library.
If enabled, WPR displays a splash or login page when a user associates to the
wireless network and opens a browser to any URL (provided the URL does not
point to a resource directly on the user’s machine). The user-requested URL is
captured, the user’s browser is redirected to the splash or login page, and then the
browser is redirected either to your specified landing page, if any, or else back to
the captured URL. The landing page may be specified for a user group as well.
See “Group Management” on page 230. Note that if you change the management
HTTPS port, WPR uses that port, too. See “HTTPS” on page 190.
Configuring the Wi-Fi Array
219
Wi-Fi Array
Figure 121. WPR Internal Splash Page Fields (SSID Management)
Note that when users roam between Arrays, their WPR Authentication will
follow them so that re-authentication is not required.
You may select among five different modes for use of the Web Page Redirect
feature, each displaying a different set of parameters that must be entered:

Internal Login page
This option displays a login page (residing on the Array) instead of the
first user-requested URL. There is an upload function that allows you to
replace the default login page, if you wish. Please see “Web Page
Redirect” on page 304 for more information.
To set up internal login, set Server to Internal Login. Set HTTPS to On
for a secure login, or select Off to use HTTP. You may also customize the
login page with logo and background images and header and footer text.
See “Customizing an Internal Login or Splash page” on page 222.
The user name and password are obtained by the login page, and
authentication occurs according to your configured authentication
information (starting with Step 10 on page 215 above). These
authentication parameters are configured as described in “Procedure for
Configuring Network Security” on page 198.
220
Configuring the Wi-Fi Array
Wi-Fi Array
After authentication, the browser is redirected back to the captured URL.
If you want the user redirected to a specific landing page instead, enter its
address in Landing Page URL.


Both the Internal Login and External Login options of WPR perform
authentication using your configured RADIUS servers.
Internal Splash page
This option displays a splash page instead of the first user-requested
URL. The splash page files reside on the Array. Note that there is an
upload function that allows you to replace the default splash page, if you
wish. Please see “Web Page Redirect” on page 304 for more information.
You may also customize the splash page with logo and background
images and header and footer text. See “Customizing an Internal Login or
Splash page” on page 222.
To use an internal splash page, set Server to Internal Splash. Enter a
value in the Timeout field to define how many seconds the splash screen
is displayed before timing out, or select Never to prevent the page from
timing out automatically. After the splash page, the user is redirected to
the captured URL. If you want the user redirected to a specific landing
page instead, enter its address in Landing Page URL.

External Login page
This option redirects the user to a login page on an external web server
for authentication, instead of the first user-requested URL. Login
information (user name and password) must be obtained by that page,
and returned to the Array for authentication.
Authentication occurs according to your configured RADIUS
information. These parameters are configured as described in “Procedure
for Configuring Network Security” on page 198, except that the RADIUS
Authentication Type is selected here, as described below. After
authentication, the browser is redirected back to the captured URL. If you
want the user redirected to a specific landing page instead, enter its
address in Landing Page URL.
Configuring the Wi-Fi Array
221
Wi-Fi Array
To set up external login page usage, set Server to External Login. Enter
the URL of the external web server in Redirect URL, and enter that
server’s shared secret in Redirect Secret.
Select the RADIUS Authentication Type. This is the protocol used for
authentication of users, CHAP or PAP (the default).

•
PAP (Password Authentication Protocol), is a simple protocol. PAP
transmits ASCII passwords over the network “in the clear”
(unencrypted) and is therefore considered insecure.
•
CHAP (Challenge-Handshake Authentication Protocol) is a more
secure Protocol. The login request is sent using a one-way hash
function.
External Splash page
This option displays a splash page instead of the first user-requested
URL. The splash page files reside on an external web server.
To set up external splash page usage, set Server to External Splash. Enter
the URL of the external web server in Redirect URL, and enter that
server’s shared secret in Redirect Secret.
After the splash page, the user is redirected to the captured URL. If you
want the user redirected to a specific landing page instead, enter its
address in Landing Page URL.

Landing Page Only
This option redirects the user to a specific landing page. If you select this
option, enter the desired address in Landing Page URL.
Customizing an Internal Login or Splash page
You may customize these pages with a logo and/or background image, and
header and/or footer text, as shown below in Figure 122.
222
Configuring the Wi-Fi Array
Wi-Fi Array
Logo
Header
Internal
Login Page
Background
Footer
Figure 122. Customizing an Internal Login or Splash Page

Background Image — specify an optional jpg, gif, or png file to display in
the background of the page. Other customizations (logo, header, footer)
will overlay the background, so that it will not be visible in those areas.

Logo Image — specify an optional jpg, gif, or png file to display at the top
of the page.

Header Text File — specify an optional .txt file to display at the top of the
page (beneath the logo, if any).

Footer Text File — specify an optional .txt file to display at the bottom of
the page.
WPA Configuration Settings
If you set Encryption for this SSID to one of the WPA selections (Step 11 on
page 215) and you did not check the Global checkbox (Step 12), this section will
be displayed. The WPA Configuration encryption settings have the same
Configuring the Wi-Fi Array
223
Wi-Fi Array
parameters as those described in “Procedure for Configuring Network Security”
on page 198
RADIUS Configuration Settings
The RADIUS settings section will be displayed if you set Authentication (Step 10
on page 215) to RADIUS MAC and you did not check the Global checkbox (Step
12). This means that you wish to set up a RADIUS server to be used for this
particular SSID. If Global is checked, then the security settings (including the
RADIUS server, if any) established at the global level are used instead (see
“Global Settings” on page 197).
The RADIUS and accounting settings are configured in the same way as for an
external RADIUS server (see “Procedure for Configuring an External RADIUS
Server” on page 201).
See Also
DHCP Server
External Radius
Global Settings (IAP)
Internal Radius
Security Planning
SSIDs
Understanding QoS Priority on the Wi-Fi Array
224
Configuring the Wi-Fi Array
Wi-Fi Array
Active IAPs
By default, when a new SSID is created, that SSID is active on all IAPs. This
window allows you to specify which IAPs will offer that SSID. Put differently,
you can specify which SSIDs are active on each IAP.
This feature is useful in conjunction with WDS. You may use this window to
configure the WDS link IAPs so that only the WDS link SSIDs are active on them.
Figure 123. Setting Active IAPs per SSID
Procedure for Specifying Active IAPs
1.
SSID: For a given SSID row, check off the IAPs on which that SSID is to
be active. Uncheck any IAPs which should not offer that SSID.
2.
All IAPs: This button, in the last column, may be used to deny this SSID
on all IAPs. Click again to activate the SSID on all IAPs.
3.
All SSIDs: This button, in the bottom row, may be used to activate all
SSIDs on this IAP. Click again to deny all SSIDs on this IAP.
4.
Toggle All: This button, on the lower left, may be used to deny all SSIDs
on all IAPs. Click again to activate all SSIDs on all IAPs.
5.
Click Save changes to flash if you wish to make your changes
permanent.
Configuring the Wi-Fi Array
225
Wi-Fi Array
Per-SSID Access Control List
This window allows you to enable or disable the use of the per-SSID Access
Control List (ACL), which controls whether a station with a particular MAC
address may associate to this SSID. You may create access control list entries and
delete existing entries, and control the type of list.
There is one ACL per SSID, and you may select whether its type is an Allow List
or a Deny List, or whether use of this list is disabled.
There is also a global ACL (see “Access Control List” on page 195). If the same
MAC address is listed in both the global ACL and in an SSID’s ACL, and if either
ACL would deny that station access to that SSID, then access will be denied.
Figure 124. Per-SSID Access Control List
Procedure for Configuring Access Control Lists
1.
SSID: Select the SSID whose ACL you wish to manage.
2.
Access Control List Type: Select Disabled to disable use of the Access
Control List for this SSID, or select the ACL type — either Allow List or
Deny List.
•
Allow List: Only allows the listed MAC addresses to associate to
the Array. All others are denied.
•
Deny List: Denies the listed MAC addresses permission to
associate to the Array. All others are allowed.

226
In addition to these lists, other authentication methods (for
example, RADIUS) are still enforced for users.
Configuring the Wi-Fi Array
Wi-Fi Array
3.
MAC Address: If you want to add a MAC address to the ACL, enter the
new MAC address here, then click the Add button. The MAC address is
added to the ACL. You may use a wildcard (*) for one or more digits to
match a range of addresses.
4.
Delete: You may delete selected MAC addresses from this list by clicking
their Delete buttons.
5.
Delete All: This button, on the upper left, may be used to delete all the
MAC entries in an ACL.
6.
Click Save changes to flash if you wish to make your changes
permanent.
Configuring the Wi-Fi Array
227
Wi-Fi Array
Groups
This is a status-only window that allows you to review user (i.e., wireless client)
Group assignments. It includes the group name, Radius ID, VLAN IDs and QoS
parameters and roaming layer defined for each group, and DHCP pools and web
page redirect information defined for the group. You may click on a group’s name
to jump to the edit page for the group. There are no configuration options
available on this page, but if you are experiencing problems or reviewing group
management parameters, you may want to print this page for your records.
The Limits section of this window shows any limitations configured for your
defined groups. For example, this window shows the current state of a group
(enabled or disabled), how much group and per-station traffic is allowed, time on
and time off, and days on and off.
For information to help you understand groups, see Understanding Groups
below. For an in-depth discussion, please see the Xirrus User Groups Application
Note in the Xirrus Library.
Figure 125. Groups
Understanding Groups
User groups allow administrators to assign specific network parameters to users
(wireless clients) through RADIUS privileges rather than having to map users to a
specific SSID. Groups provide flexible control over user privileges without the
need to create large numbers of SSIDs.
228
Configuring the Wi-Fi Array
Wi-Fi Array
A group allows you to define a set of parameter values to be applied to selected
users. For example, you might define the user group Students, and set its VLAN,
security parameters, web page redirect (WPR), and traffic limits. When a new user
is created, you can apply all of these settings just by making the user a member of
the group. The group allows you to apply a uniform configuration to a set of users
in one step.
Almost all of the parameters that can be set for a group are the same as SSID
parameters. This allows you to configure features at the user group level, rather
than for an entire SSID. If you set parameter values for an SSID, and then enter
different values for the same parameters for a user group, the user group values
have priority (i.e., group settings will override SSID settings).
Group names are case-sensitive and can contain up to 32 alphanumeric characters
(do not include spaces when defining Groups).
Using Groups
User accounts are used to authenticate wireless clients that want to associate to
the Array. These accounts are established in one of two ways, using the Security>
Internal Radius window or the Security> External Radius window. In either
case, you may select a user group for the user, and that user group’s settings will
apply to the user:

Internal Radius — when you add or modify a user entry, select a user
group to which the user will belong.

External Radius — when you add or modify a user account, specify the
Radius ID for the user group to which the user will belong. This must be
the same Radius ID that was entered in the Group Management window.
When the user is authenticated, the external Radius server will send the
Radius ID to the Array. This will allow the Array to identify the group to
which the user belongs.
See Also
External Radius
Internal Radius
SSIDs
Configuring the Wi-Fi Array
229
Wi-Fi Array
Understanding QoS Priority on the Wi-Fi Array
Web Page Redirect Configuration Settings
Understanding Fast Roaming
Group Management
This window allows you to manage groups (create, edit and delete), assign usage
limits and other parameters on a per group basis, and configure the Web Page
Redirect functionality.
Figure 126. Group Management
Procedure for Managing Groups
1.
New Group Name: To create a new group, enter a new group name next
to the Create button, then click Create. You may create up to 16 groups.
To configure and enable this group, proceed with the following steps.
230
2.
Group: This column lists currently defined groups. When you create a
new group, the group name appears in this list. Click on any group to
select it, and then proceed to modify it as desired.
3.
On: Check this box to enable this group or leave it blank to disable it.
When a group is disabled, users that are members of the group will
behave as if the group did not exist. In other words, the options
configured for the SSID will apply to the users, rather than the options
configured for the group.
Configuring the Wi-Fi Array
Wi-Fi Array
4.
Radius ID: Enter a unique Radius ID for the group, to be used on an
external Radius server. When adding a user account to the external
server, this Radius ID value should be entered for the user. When the user
is authenticated, Radius sends this value to the Array. This tells the Array
that the user is a member of the group having this Radius ID.
5.
VLAN ID: (Optional) From the pull-down list, select a VLAN for this
user’s traffic to use. Select numeric and enter the number of a previously
defined VLAN (see “VLANs” on page 171). This user group’s VLAN
settings supersede Dynamic VLAN settings (which are passed to the
Array by the Radius server). To avoid confusion, we recommend that you
avoid specifying the VLAN for a user in two places.
6.
QoS Priority: (Optional) Select a value in this field for QoS (Quality of
Service) priority filtering. The QoS value must be one of the following:
•
0 — The lowest QoS priority setting, where QoS makes its best effort
at filtering and prioritizing data, video and voice traffic without
compromising the performance of the network. Use this setting in
environments where traffic prioritization is not a concern.
•
1 — Medium; QoS prioritization is aggregated across all traffic types.
•
2 — High, normally used to give priority to video traffic.
•
3 — The highest QoS priority setting, normally used to give priority to
voice traffic.
The QoS setting you define here will prioritize wireless traffic for this
group versus other traffic, as described in “Understanding QoS Priority
on the Wi-Fi Array” on page 210. The default value for this field is 2.
7.
Internal DHCP Pool Assigned: (Optional) To associate an internal DHCP
pool to this group, select it from the pull--down list. Only one pool may
be assigned. An internal DHCP pool must be created before it can be
assigned. To create a DHCP pool, go to “DHCP Server” on page 168.
8.
Filter List: (Optional) If you wish to apply a set of filters to this user
group’s traffic, select the desired Filter List. See “Filters” on page 283.
Configuring the Wi-Fi Array
231
Wi-Fi Array
9.
L3: (Optional) For this group, check this box to enable fast roaming
between IAPs or Arrays at Layer 2 and Layer 3. If the box is not checked,
then roaming uses Layer 2 only. You may only select fast roaming at
Layers 2 and 3 if this has been selected in Global Settings (IAP). See
“Understanding Fast Roaming” on page 235.
10. WPR (Web Page Redirect): (Optional) Check this box if you wish to
enable the Web Page Redirect functionality. This will open a Web Page
Redirect details section in the window, where your WPR parameters may
be entered. This feature may be used to display a splash screen when a
user first associates to the wireless network. After that, it can (optionally)
redirect the user to an alternate URL. See “Web Page Redirect
Configuration Settings” on page 219 for details of WPR usage and
configuration. Note that the Group Management window only allows
you to set up an Internal Splash page and a Landing Page URL. The
authentication options that are offered on the SSID Management page are
not offered here. Since the group membership of a user is provided to the
Array by a Radius server, this means the user has already been
authenticated.
Group Limits
The Limits section allows you to limit the traffic or connection times allowed for
this user group. Note that the IAPs — Global Settings window and the SSID
management windows also have options to limit the number of stations, limit
traffic, and/or limit connection times. If limits are set in more than one place, all
limits will be enforced:

As soon as any station limit is reached, no new stations can associate until
some other station has terminated its association.

As soon as any traffic limit is reached, it is enforced.

If any connection date/time restriction applies, it is enforced.
You can picture this as a logical AND of all restrictions. For example, suppose that
a station’s SSID is available MTWTF between 8:00am and 5:00pm, and the User
Group is available MWF between 6:00am and 8:00pm, then the station will be
allowed on MWF between 8:00am and 5:00pm.
232
Configuring the Wi-Fi Array
Wi-Fi Array
To eliminate confusion, we recommend that you configure one set of limits or the
other, but not both.
11. Stations: Enter the maximum number of stations allowed on this group.
The default is 1536.
12. Overall Traffic: Check the Unlimited checkbox if you do not want to
place a restriction on the traffic for this group, or enter a value in the
Packets/Sec field and make sure that the Unlimited box is unchecked to
force a traffic restriction.
13. Traffic per Station: Check the Unlimited checkbox if you do not want to
place a restriction on the traffic per station for this group, or enter a value
in the Packets/Sec field and make sure that the Unlimited box is
unchecked to force a traffic restriction.
14. Days Active: Choose Everyday if you want this group to be active every
day of the week, or select only the specific days that you want this group
to be active. Days that are not checked are considered to be the inactive
days.
15. Time Active: Choose Always if you want this group active without
interruption, or enter values in the Time On and Time Off fields to limit
the time that group members may associate.
16. To delete an entry, click its Delete button.
17. Click Save changes to flash if you wish to make your changes
permanent.
See Also
DHCP Server
External Radius
Internal Radius
Security Planning
SSIDs
Configuring the Wi-Fi Array
233
Wi-Fi Array
IAPs
This status-only window summarizes the status of the Integrated Access Points
(radios). For each IAP, it shows whether it is up or down, the channel and Wi-Fi
mode, the antenna that it is currently using, its cell size and transmit and receive
power, how many users (stations) are currently associated to it, whether it is part
of a WDS link, and its MAC address.
Figure 127. IAPs
The Channel column displays some status information that is not found
elsewhere: the source of a channel setting. (Figure 128) If you set a channel
manually (via IAP Settings), it will be labeled as manual next to the channel
number (Figure 128). If an autochannel operation changed a channel, then it is
labeled as auto. If the channel is set to the current factory default setting, the
source will be default. This column also shows whether the channel selection is
locked, or whether the IAP was automatically switched to this channel because
the Array detected the signature of military radar in operation on a conflicting
channel.
234
Configuring the Wi-Fi Array
Wi-Fi Array
Figure 128. Source of Channel Setting
There are no configuration options in this window, but if you are experiencing
problems or simply reviewing the IAP assignments, you may print this window
for your records. Click any IAP name to open the associated configuration page.
Arrays have a fast roaming feature, allowing them to maintain sessions for
applications such as voice, even while users cross boundaries between Arrays.
Fast roaming is set up in the Global Settings (IAP) window and is discussed in:

“Understanding Fast Roaming” on page 235
IAPs are configured using the following windows:

“IAP Settings” on page 237

“Global Settings (IAP)” on page 243

“Global Settings .11a” on page 250

“Global Settings .11bg” on page 254

“Global Settings .11n” on page 259

“Advanced RF Settings” on page 262

“LED Settings” on page 276
See Also
IAP Statistics Summary
Understanding Fast Roaming
To maintain sessions for real-time data traffic, such as voice and video, users must
be able to maintain the same IP address through the entire session. With
Configuring the Wi-Fi Array
235
Wi-Fi Array
traditional networks, if a user crosses VLAN or subnet boundaries (i.e., roaming
between domains), a new IP address must be obtained.
Mobile Wi-Fi users are likely to cross multiple roaming domains during a single
session (especially wireless users of VoIP phones). Layer 3 roaming allows a user
to maintain the same IP address through an entire real-time data session. The user
may be associated to any of the VLANs defined on the Array. The Layer 3 session
is maintained by establishing a tunnel back to the originating Array. You should
decide whether or not to use Layer 3 roaming based on your wired network
design. Layer 3 roaming incurs extra overhead and may result in additional traffic
delays.
Fast Roaming is configured on two pages. To enable the fast roaming options that
you want to make available on your Array, see Step 21 to Step 23 in “Global
Settings (IAP)” on page 243. To choose which of the enabled options are used by
an SSID or Group, see “Procedure for Managing SSIDs” on page 214 (Step 13) or
“Procedure for Managing Groups” on page 230.
236
Configuring the Wi-Fi Array
Wi-Fi Array
IAP Settings
This window allows you to enable/disable IAPs, define the wireless mode for
each IAP, specify the channel to be used and the cell size for each IAP, lock the
channel selection, establish transmit/receive parameters, select antennas, and
reset channels. Buttons at the bottom of the list allow you to Reset Channels,
Enable All IAPs, or Disable All IAPs. When finished, click Save changes to flash
if you wish to make your changes permanent.
Figure 129. IAP Settings
You may also access this window by clicking on the Array image at the lower left
of the WMI window — click the orange Xirrus logo in the center of the Array. See
“User Interface” on page 79.
Procedure for Auto Configuring IAPs
You can auto-configure channel and cell size of radios by clicking on the Auto
Configure buttons on the relevant WMI page (auto configuration only applies to
enabled radios):

For all radios, go to “Advanced RF Settings” on page 262.

For all 802.11a settings, go to “Global Settings .11a” on page 250.

For all 802.11bg settings, go to “Global Settings .11bg” on page 254.
Configuring the Wi-Fi Array
237
Wi-Fi Array

For all 802.11n settings, go to “Global Settings .11n” on page 259.
Procedure for Manually Configuring IAPs
1.
In the Enabled column, check the box for an IAP to enable it, or uncheck
the box if you want to disable the IAP.
In the Band column, select the wireless band for this IAP from the choices
available in the pull-down menu, either 2.4GHz or 5 GHz. Choosing the
5GHz band will automatically select an adjacent channel for bonding. If
the band displayed is auto, the Band is about to be changed based on a
new Channel selection that you made that requires the change.
One of the IAPs must be set to monitor mode to support Spectrum
Analyzer, Radio Assurance (loopback testing), and Intrusion Detection
features.
2.
In the WiFi Mode column, select the IEEE 802.11 wireless mode (or
combination) that you want to allow on this IAP. When you select a WiFi
Mode for an IAP, your selection in the Channel column will be checked to
ensure that it is a valid choice for that WiFi Mode.
By selecting appropriate WiFi Modes for the radios on your Arrays, you
can greatly improve wireless network performance. For example, if you
have 802.11b and 802.11n stations using the same IAP, throughput on that
radio is reduced greatly for the 802.11n stations. By supporting 802.11b
stations only on selected radios in your network, the rest of your 802.11a
or 11n radios will have greatly improved performance. Take care to
ensure that your network provides adequate coverage for the types of
stations that you need to support.
3.
In the Channel column, select the channel you want this IAP to use from
the channels available in the pull-down list. The list shows the channels
available for the IAP selected (depending on which band the IAP is
using). Channels that are shown in color indicate conditions that you
need to keep in mind:
•
238
RED — Usage is not recommended, for example, because of overlap
with neighboring radios.
Configuring the Wi-Fi Array
Wi-Fi Array
•
YELLOW — The channel has less than optimum separation (some
degree of overlap with neighboring radios).
•
GRAY — The channel is already in use.
The channels that are available for assignment to an IAP will differ,
depending on the country of operation. If Country is set to United States
in the Global Settings (IAP) window, then 24 channels are available to
802.11a(n) radios.
If you have enabled Public Safety in the Advanced RF Settings window
(Step 14), then the public safety band channels (191 and 195) in the
4.9GHz spectrum range will be listed. Operating these channels requires
a license — using these channels without a license violates FCC rules.
Warning notices are displayed when you select these channels.


4.
As mandated by FCC law, Array channels 100 - 140 are restricted to indoor
use only.
As mandated by FCC law, Arrays continually scan for signatures of military
radar. If such a signature is detected, the Array will switch operation from
conflicting channels to new ones. The Array will switch back to the original
channel after 30 minutes if the channel is clear. If a radio was turned off
because there were no available channels not affected by radar, the Array will
now bring that radio back up after 30 minutes if that channel is clear. The 30
minute time frame complies with FCC regulations.
The Bond column only appears for XN Array models. It works together
with the channel bonding options selected on the Global Settings .11n
page. Also see the discussion of 802.11n bonding in “Channel Bonding”
on page 38.
•
Channel number — If a channel number appears, then this channel is
already bonded to the listed channel.
•
Off — Do not bond his channel to another channel.
•
On — Bond this channel to an adjacent channel. The bonded channel
is selected automatically by the Array based on the Channel (Step 3).
Configuring the Wi-Fi Array
239
Wi-Fi Array
The choice of banded channel is static — fixed once the selection is
made.
•
+1 — Bond this channel to the next higher channel number. Auto
Channel bonding does not apply. This option is only available for
some of the channels.
•
-1 — Bond this channel to the next lower channel number. Auto
Channel bonding does not apply. This option is only available for
some of the channels.
5.
Click the Lock check box if you want to lock in your channel selection so
that the autochannel operation (see Advanced RF Settings) cannot change
it.
6.
In the Cell Size column, select auto to allow the optimal cell size to be
automatically computed (see also, Step 5 on page 265). To set the cell size
yourself, choose either small, medium, large, or max to use the desired
pre-configured cell size, or choose manual to define the wireless cell size
manually. If you choose Manual, you must specify the transmit and
receive power — in dB — in the Tx dBm (transmit) and Rx dBm (receive)
fields. The default is max. If you select a value other than auto, the cell
size will not be affected by cell size auto configuration.
When other Arrays are within listening range of this one, setting cell sizes
to Auto allows the Array to change cell sizes so that coverage between
cells is maintained. Each cell size is optimized to limit interference
between sectors of other Arrays on the same channel. This eliminates the
need for a network administrator to manually tune the size of each cell
when installing multiple Arrays. In the event that an Array or a radio
goes offline, an adjacent Array can increase its cell size to help
compensate.
The number of users and their applications are major drivers of
bandwidth requirements. The network architect must account for the
number of users within the Array’s cell diameter. In a large office, or if
multiple Arrays are in use, you may choose Small cells to achieve a
higher data rate, since walls and other objects will not define the cells
naturally.
240
Configuring the Wi-Fi Array
Wi-Fi Array
For additional information about cell sizes, go to “Coverage and Capacity
Planning” on page 24.
7.
If you are using WDS with an external antenna to provide backhaul over
an extended distance, use WDS Dist. (Miles) to prevent timeout
problems associated with long transmission times. Set the approximate
distance in miles between this IAP and the connected Array in this
column. This increases the wait time for frame transmission accordingly.
8.
In the Antenna Select column, choose the antenna you want this radio to
use from the pull-down list. The list of available antennas will be different
(or no choices will be available), depending on the wireless mode you
selected for the IAP.
9.
If desired, enter a description for this IAP in the Description field.
10. You may reset all of the enabled IAPs by clicking the Reset Channels
button at the bottom of the list. A message will inform you that all
enabled radios have been taken down and brought back up.
11. Buttons at the bottom of the list allow you to Enable All IAPs or Disable
All IAPs.
12. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Coverage and Capacity Planning
Global Settings (IAP)
Configuring the Wi-Fi Array
241
Wi-Fi Array
Global Settings .11a
Global Settings .11bg
Global Settings .11n
IAPs
IAP Statistics Summary
LED Settings
242
Configuring the Wi-Fi Array
Wi-Fi Array
Global Settings (IAP)
This window allows you to establish global IAP settings. Global IAP settings
include enabling or disabling all IAPs (regardless of their operating mode), and
changing settings for beacons, station management, and advanced traffic
optimization — including multicast processing, load balancing, and roaming.
Changes you make on this page are applied to all IAPs, without exception.
Figure 130. Global Settings (IAPs)
Configuring the Wi-Fi Array
243
Wi-Fi Array
Procedure for Configuring Global IAP Settings

1.
Some of the features below, such as Load Balancing, are only available if the
Array’s license includes the Xirrus Advanced RF Performance Manager
(RPM). If a setting is unavailable (grayed out), then your license does not
support the feature. See “About Licensing and Upgrades” on page 297.
Country: If no country is set, you may choose from the pull-down list.
Once a country has been chosen, it may not be changed. You are
responsible for choosing the correct country and conforming to the
regulatory laws for wireless transmissions within your country. Please
contact Xirrus Customer Support if you need to change the operating
country after a country has already been set (see “Contact Information”
on page 423).
The channels that are available for assignment to an IAP will differ,
depending on the country of operation. If you set Country to United
States, then 24 channels are available for 802.11a/n.
Until you have chosen a country, the channel set defaults to channels and
power levels that are legal worldwide — this set only includes the lower
eight 5 GHz channels.
244
2.
IAP Control: Click on the Enable All IAPs button to enable all IAPs for
this Array, or click on the Disable All IAPs button to disable all IAPs.
3.
Short Retries: This sets the maximum number of transmission attempts
for a frame, the length of which is less than or equal to the RTS Threshold,
before a failure condition is indicated. The default value is 7. Enter a new
value (1 to 128) in the Short Retry Limit field if you want to increase or
decrease this attribute.
4.
Long Retries: This sets the maximum number of transmission attempts
for a frame, the length of which is greater than the RTS Threshold, before
a failure condition is indicated. The default value is 4. Enter a new value
(1 to 128) in the Long Retry Limit field if you want to increase or decrease
this attribute.
Configuring the Wi-Fi Array
Wi-Fi Array
5.
Wi-Fi Alliance Mode: Set this On if you need Array behavior to conform
completely to Wi-Fi Alliance standards. This mode is normally set to Off.
Beacon Configuration
6.
Beacon Interval: When the Array sends a beacon, it includes with it a
beacon interval, which specifies the period of time before it will send the
beacon again. Enter the desired value in the Beacon Interval field,
between 20 and 1000 Kusecs. A Kusec is 1000 microseconds =
1 millisecond. The value you enter here is applied to all IAPs.
7.
DTIM Period: A DTIM (Delivery Traffic Indication Message) is a signal
sent as part of a beacon by the Array to a client device in sleep mode,
alerting the device to broadcast traffic awaiting delivery. The DTIM
Period is a multiple of the Beacon Interval, and it determines how often
DTIMs are sent out. By default, the DTIM period is 1, which means that it
is the same as the beacon interval. Enter the desired multiple, between 1
and 255. The value you enter here is applied to all IAPs.
8.
802.11h Beacon Support: This option enables beacons on all of the
Array’s radios to conform to 802.11h requirements, supporting dynamic
frequency selection (DFS) and transmit power control (TPC) to satisfy
regulatory requirements for operation in Europe.
9.
WMM Power Save: Click On to enable Wi-Fi Multimedia Power Save
support, as defined in IEEE802.11e. This option saves power and
increases battery life by allowing the client device to doze between
packets to save power, while the Array buffers downlink frames.
Station Management
10. Station Re-Authentication Period: This specifies an interval (in seconds)
for station reauthentications. This is the minimum time period between
station authentication attempts, enforced by the Array. This feature is part
of the Xirrus Advanced RF Security Manager (RSM).
11. Station Timeout Period: Specify a time (in seconds) in this field to define
the timeout period for station associations.
Configuring the Wi-Fi Array
245
Wi-Fi Array
12. Max Station Association per Array: This option allows you to define
how many station associations are allowed per Array (up to 1920 stations
per Array). Note that the Max Station Association per IAP limit (below)
may not be exceeded. If you have an unlicensed Array, this value is set to
1, which simply allows you to test the ability to connect to the Array.
13. Max Station Association per IAP: This defines how many station
associations are allowed per IAP (up to 96 stations per IAP). Note that the
SSIDs — SSID Management window also has a station limit option —
Station Limit (page 218). If both station limits are set, both will be
enforced. As soon as either limit is reached, no new stations can associate
until some other station has terminated its association.
14. Max Phones per IAP: This option allows you to control the maximum
number of phones that are allowed per IAP. The default is set to a
maximum of 16 but you can reduce this number, as desired. Enter a value
in this field between 0 (no phones allowed) and 16.

This admission control feature applies only to Spectralink phones. It does not
apply to all VoIP phones in general.
15. Block Inter-Station Traffic: This option allows you to block or allow
traffic between wireless clients that are associated to the Array. Choose
either Yes (to block traffic) or No (to allow traffic).
16. Allow Over Air Management: Choose Yes to enable management of the
Array via the IAPs, or choose No (recommended) to disable this feature.
Advanced Traffic Optimization
17. Multicast Processing: This sets how multicast traffic is handled.
Multicast traffic can be received by a number of subscribing stations at
the same time, thus saving a great deal of bandwidth. In some of the
options below, the Array uses IGMP snooping to determine the stations
that are subscribed to the multicast traffic. IGMP (Internet Group
Management Protocol) is used to establish and manage the membership
of multicast groups.
Select one of the following options:
246
Configuring the Wi-Fi Array
Wi-Fi Array
•
Send multicasts unmodified.
•
Convert to unicast and send unicast packets to all stations.
•
Convert to unicast, snoop IGMP, and only send to stations
subscribed (send as multicast if no subscription).
•
Convert to unicast, snoop IGMP, and only send to stations
subscribed (don't send packet if no subscription).
18. Broadcast Rates: This changes the rates of broadcast traffic sent by the
Array (including beacons). When set to Optimized, each broadcast or
multicast packet that is transmitted on each radio is sent at the lowest
transmit rate used by any client associated to that radio at that time. This
results in each IAP broadcasting at the highest Array TX data rate that can
be heard by all associated stations, improving system performance. The
rate is determined dynamically to ensure the best broadcast/multicast
performance possible. The benefit is dramatic. Consider a properly
designed network (having -70db or better everywhere), where virtually
every client should have a 54Mbps connection. In this case, broadcasts
and multicasts will all go out at 54Mbps vs. the standard rate. Thus, with
broadcast rate optimization on, broadcasts and multicasts use between
2% and 10% of the bandwidth that they would in Standard mode.
When set to Standard (the default), broadcasts are sent out at the lowest
basic rate only — 6 Mbps for 5GHz clients, or 1 Mbps for 2.4GHz clients.
The option you select here is applied to all IAPs.
19. Load Balancing: The Xirrus Wi-Fi Array supports an automatic load
balancing feature designed to distribute Wi-Fi stations across multiple
radios rather than having stations associate to the closest radios with the
strongest signal strength, as they normally would. In Wi-Fi networks, the
station decides to which radio it will associate. The Array cannot actually
force load balancing, however the Array can “encourage” stations to
associate in a more uniform fashion across all of the radios of the Array.
This option enables or disables active load balancing between the Array
IAPs. For an in-depth discussion, see the Xirrus Station Load Balancing
Application Note in the Xirrus Library.
Configuring the Wi-Fi Array
247
Wi-Fi Array
If you select On and an IAP is overloaded, that IAP will send an “AP
Full” message in response to Probe, Association, or Authentication
requests. This prevents determined clients from forcing their way onto
overloaded IAPs. Note that some clients are so determined to associate to
a particular IAP that they will not try to associate to another IAP, and thus
they never get on the network.
Choose Off to disable load balancing.
20. ARP Filtering: Address Resolution Protocol finds the MAC address of a
device with a given IP address by sending out a broadcast message
requesting this information. ARP filtering allows you to reduce the
proliferation of ARP messages by restricting how they are forwarded
across the network.
You may select from the following options for handling ARP requests:
•
Off: ARP filtering is disabled. ARP requests are broadcast to radios
that have stations associated to them.
•
Pass-thru: The Array forwards the ARP request. It passes along only
ARP messages that target the stations that are associated to it. This is
the default value.
•
Proxy: The Array replies on behalf of the stations that are associated
to it. The ARP request is not broadcast to the stations.
Note that the Array has a broadcast optimization feature that is always on
(it is not configurable). Broadcast optimization restricts all broadcast
packets (not just ARP broadcasts) to only those radios that need to
forward them. For instance, if a broadcast comes in from VLAN 10, and
there are no VLAN 10 users on a radio, then that radio will not send out
that broadcast. This increases available air time for other traffic.
21. Xirrus Roaming Layer: Select whether to enable roaming capabilities
between IAPs or Arrays at Layer 2 and 3, or at Layer 2 only. Depending
on your wired network, you may wish to allow fast roaming at Layer 3.
This may result in delayed traffic.
248
Configuring the Wi-Fi Array
Wi-Fi Array
22. Xirrus Roaming Mode: This feature utilizes the Xirrus Roaming Protocol
(XRP) ensuring fast and seamless roaming capabilities between IAPs or
Arrays at Layer 2 and Layer 3 (as specified in Step 23), while maintaining
security. Fast roaming eliminates long delays for re-authentication, thus
supporting time-sensitive applications such as Voice over Wi-Fi (see
“Understanding Fast Roaming” on page 235 for a discussion of this
feature). XRP uses a discovery process to identify other Xirrus Arrays as
fast roaming targets. This process has two modes:
•
Broadcast — the Array uses a broadcast technique to discover other
Arrays that may be targets for fast roaming.
•
Tunneled — in this Layer 3 technique, fast roaming target Arrays
must be explicitly specified.
To enable fast roaming, choose Broadcast or Tunneled, and set additional
fast roaming attributes (Step 23). To disable fast roaming, choose Off. If
you enable Fast Roaming, the following ports cannot be blocked:
•
Port 22610 — reserved for Layer 2 roaming using UDP to share PMK
information between Arrays.
•
Ports 15000 to 17999 — reserved for Layer 3 roaming (tunneling
between subnets).
23. Share Roaming Info With: Three options allow your Array to share
roaming information with all Arrays; just with those that are within
range; or with specifically targeted Arrays. Choose either All, In Range
or Target Only, respectively.
a.
Xirrus Roaming Targets: If you chose Target Only, use this option to
add target MAC addresses. Enter the MAC address of each target
Array, then click on Add (add as many targets as you like). To find a
target’s MAC address, open the Array Info window on the target
Array and look for IAP MAC Range, then use the starting address of
this range.
To delete a target, select it from the list, then click Delete.
Configuring the Wi-Fi Array
249
Wi-Fi Array
See Also
Coverage and Capacity Planning
Global Settings .11a
Global Settings .11bg
Global Settings .11n
Advanced RF Settings
IAPs
IAP Statistics Summary
LED Settings
IAP Settings
Global Settings .11a
This window allows you to establish global 802.11a IAP settings. These settings
include defining which 802.11a data rates are supported, enabling or disabling all
802.11a IAPs, auto-configuration of channel allocations for all 802.11a IAPs, and
specifying the fragmentation and RTS thresholds for all 802.11a IAPs.
Figure 131. Global Settings .11a
250
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Configuring Global 802.11a IAP Settings

1.
Some of the features below, such as Auto Configure for Cell Size and
Channel Configuration, are only available if the Array’s license includes the
Xirrus Advanced RF Performance Manager (RPM). If a setting is
unavailable (grayed out), then your license does not support the feature.
Please see “About Licensing and Upgrades” on page 297.
802.11a Data Rates: The Array allows you to define which data rates are
supported for all 802.11a radios. Select (or deselect) data rates by clicking
in the corresponding Supported and Basic data rate check boxes.
•
Basic Rate — a wireless station (client) must support this rate in
order to associate.
•
Supported Rate — data rates that can be used to transmit to
clients.
2.
Data Rate Presets: The Wi-Fi Array can optimize your 802.11a data rates
automatically, based on range or throughput. Click Optimize Range to
optimize data rates based on range, or click Optimize Throughput to
optimize data rates based on throughput. The Restore Defaults button
will take you back to the factory default rate settings.
3.
802.11a IAP Control: Click Enable 802.11a IAPs to enable all 802.11a IAPs
for this Array, or click Disable 802.11a IAPs to disable all 802.11a IAPs.
4.
Channel Configuration: Click Auto Configure to instruct the Array to
determine the best channel allocation settings for each 802.11a IAP and
select the channel automatically, based on changes in the environment.
This is the recommended method for 802.11a channel allocation. Use
Factory Defaults to take you back to the factory default channel settings.
Configuring the Wi-Fi Array
251
Wi-Fi Array

To use the Auto Cell Size feature, the following additional settings are
required:
RF Monitor Mode must be turned On. See “RF Monitor” on page 263
One of the radios must be in monitor mode with the default RxdBm setting
of -95, and all other IAPs that will use Auto Cell must have Cell Size set to
auto. See “Procedure for Manually Configuring IAPs” on page 238.
5.
Set Cell Size/ Autoconfigure: Cell Size may be set globally for all 802.11a
IAPs to auto, large, medium, small, or max using the drop down menu.
Auto Configure: Click Auto Configure to instruct the Array to determine
and set the best cell size for each 802.11a IAP whose Cell Size is auto on
the IAP Settings window, based on changes in the environment. This is
the recommended method for setting cell size. You may look at the Tx
and Rx values on the IAP Settings window to view the cell size settings
that were applied.
For an overview of RF power and cell size settings, please see “Capacity
and Cell Sizes” on page 27 and “Fine Tuning Cell Sizes” on page 28.
252
6.
Auto Cell Period (seconds): You may set up auto-configuration to run
periodically, readjusting optimal cell sizes for the current conditions.
Enter a number of seconds to specify how often auto-configuration will
run. If you select None, then auto-configuration of cell sizing will not be
run periodically. You do not need to run Auto Cell often unless there are a
lot of changes in the environment. If the RF environment is changing
often, running Auto Cell every twenty-four hours (86400 seconds) should
be sufficient). The default value is None.
7.
Auto Cell Size Overlap (%): Enter the percentage of cell overlap that will
be allowed when the Array is determining automatic cell sizes. For 100%
overlap, the power is adjusted such that neighboring Arrays that hear
each other best will hear each other at -70dB. For 0% overlap, that number
is -90dB. The default value is 50%.
Configuring the Wi-Fi Array
Wi-Fi Array
8.
Auto Cell Min Tx Power (dBm): Enter the minimum transmit power that
the Array can assign to a radio when adjusting automatic cell sizes. The
default value is 10.
9.
Fragmentation Threshold: This is the maximum size for directed data
packets transmitted over the 802.11a radio. Larger frames fragment into
several packets, their maximum size defined by the value you enter here.
Smaller fragmentation numbers can help to “squeeze” packets through in
noisy environments. Enter the desired Fragmentation Threshold value in
this field, between 256 and 2346.
10. RTS Threshold: The RTS (Request To Send) Threshold specifies the
packet size. Packets larger than the RTS threshold will use CTS/RTS prior
to transmitting the packet — useful for larger packets to help ensure the
success of their transmission. Enter a value between 1 and 2347.
11. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Coverage and Capacity Planning
Global Settings (IAP)
Global Settings .11bg
Global Settings .11n
IAPs
IAP Statistics Summary
Advanced RF Settings
IAP Settings
Configuring the Wi-Fi Array
253
Wi-Fi Array
Global Settings .11bg
This window allows you to establish global 802.11b/g IAP settings. These settings
include defining which 802.11b and 802.11g data rates are supported, enabling or
disabling all 802.11b/g IAPs, auto-configuring 802.11b/g IAP channel allocations,
and specifying the fragmentation and RTS thresholds for all 802.11b/g IAPs.
Figure 132. Global Settings .11bg

254
Some of the features below, such as Auto Configure for Cell Size and
Channel Configuration, are only available if the Array’s license includes the
Xirrus Advanced RF Performance Manager (RPM). If a setting is
unavailable (grayed out), then your license does not support the feature.
Please see “About Licensing and Upgrades” on page 297.
Configuring the Wi-Fi Array
Wi-Fi Array
Procedure for Configuring Global 802.11b/g IAP Settings
1.
802.11g Data Rates: The Array allows you to define which data rates are
supported for all 802.11g radios. Select (or deselect) 11g data rates by
clicking in the corresponding Supported and Basic data rate check boxes.
•
Basic Rate — a wireless station (client) must support this rate in
order to associate.
•
Supported Rate — data rates that can be used to transmit to
clients.
2.
802.11b Data Rates: This task is similar to Step 1, but these data rates
apply only to 802.11b IAPs.
3.
Data Rate Presets: The Wi-Fi Array can optimize your 802.11b/g data
rates automatically, based on range or throughput. Click Optimize Range
button to optimize data rates based on range, or click on the Optimize
Throughput to optimize data rates based on throughput. Restore
Defaults will take you back to the factory default rate settings.
4.
802.11b/g IAP Status: Click Enable All 802.11b/g IAPs to enable all
802.11b/g IAPs for this Array, or click Disable All 802.11b/g IAPs to
disable them.
5.
Channel Configuration: Click Auto Configure to instruct the Array to
determine the best channel allocation settings for each 802.11b/g IAP and
select the channel automatically, based on changes in the environment.
This is the recommended method for 802.11b/g channel allocations.
Factory Defaults will take you back to the factory default channel
settings.
Configuring the Wi-Fi Array
255
Wi-Fi Array

To use the Auto Cell Size feature, the following additional settings are
required:
RF Monitor Mode must be turned On. See “RF Monitor” on page 263
One of the radios must be in monitor mode with the default RxdBm setting
of -95, and all other IAPs that will use Auto Cell must have Cell Size set to
auto. See “Procedure for Manually Configuring IAPs” on page 238.
6.
Set Cell Size/ Autoconfigure: Cell Size may be set globally for all
802.11b/g IAPs to auto, large, medium, small, or max using the drop
down menu.
Auto Configure: Click Auto Configure to instruct the Array to determine
and set the best cell size for each enabled 802.11b/g IAP whose Cell Size
is auto on the IAP Settings window, based on changes in the
environment. This is the recommended method for setting cell size. You
may look at the Tx and Rx values on the IAP Settings window to view the
cell size settings that were applied.
For an overview of RF power and cell size settings, please see “Capacity
and Cell Sizes” on page 27 and “Fine Tuning Cell Sizes” on page 28.
256
7.
Auto Cell Period (seconds): You may set up auto-configuration to run
periodically, readjusting optimal cell sizes for the current conditions.
Enter a number of seconds to specify how often auto-configuration will
run. If you select None, then auto-configuration of cell sizing will not be
run periodically. You do not need to run Auto Cell often unless there are a
lot of changes in the environment. If the RF environment is changing
often, running Auto Cell every twenty-four hours (86400 seconds) should
be sufficient). The default value is None.
8.
Auto Cell Size Overlap (%): Enter the percentage of cell overlap that will
be allowed when the Array is determining automatic cell sizes. For 100%
overlap, the power is adjusted such that neighboring Arrays that hear
each other best will hear each other at -70dB. For 0% overlap, that number
is -90dB. The default value is 50%.
Configuring the Wi-Fi Array
Wi-Fi Array
9.
Auto Cell Min Tx Power (dBm): Enter the minimum transmit power that
the Array can assign to a radio when adjusting automatic cell sizes. The
default value is 10.
10. 802.11g Only: Choose On to restrict use to 802.11g mode only. In this
mode, no 802.11b rates are transmitted. Stations that only support 802.11b
will not be able to associate.
11. 802.11g Protection: You should select Auto CTS or Auto RTS to provide
automatic protection for all 802.11g radios in mixed networks (802.11
b and g). You may select Off to disable this feature, but this is not
recommended. Protection allows 802.11g stations to share an IAP with
older, slower 802.11b stations. Protection avoids collisions by preventing
802.11b and 802.11g stations from transmitting simultaneously. When
Auto CTS or Auto RTS is enabled and any 802.11b station is associated to
the IAP, additional frames are sent to gain access to the wireless network.
•
Auto CTS requires 802.11g stations to send a slow Clear To Send
frame that locks out other stations. Automatic protection reduces
802.11g throughput when 802.11b stations are present — Auto CTS
adds less overhead than Auto RTS. The default value is Auto CTS.
•
With Auto RTS, 802.11g stations reserve the wireless media using a
Request To Send/Clear To Send cycle. This mode is useful when you
have dispersed nodes. It was originally used in 802.11b only
networks to avoid collisions from “hidden nodes” — nodes that are so
widely dispersed that they can hear the Array, but not each other.
When there are no 11b stations associated and an auto-protection mode is
enabled, the Array will not send the extra frames, thus avoiding
unnecessary overhead.
12. 802.11g Slot: Choose Auto to instruct the Array to manage the 802.11g
slot times automatically, or choose Short Only. Xirrus recommends using
Auto for this setting, especially if 802.11b devices are present.
13. 802.11b Preamble: The preamble contains information that the Array and
client devices need when sending and receiving packets. All compliant
802.11b systems have to support the long preamble. A short preamble
Configuring the Wi-Fi Array
257
Wi-Fi Array
improves the efficiency of a network's throughput when transmitting
special data, such as voice, VoIP (Voice-over IP) and streaming video.
Select Auto to instruct the Array to manage the preamble (long and short)
automatically, or choose Long Only.
14. Fragmentation Threshold: This is the maximum size for directed data
packets transmitted over the 802.11b/g IAP. Larger frames fragment into
several packets, their maximum size defined by the value you enter here.
Enter the desired Fragmentation Threshold value, between 256 and 2346.
15. RTS Threshold: The RTS (Request To Send) Threshold specifies the
packet size. Packets larger than the RTS threshold will use CTS/RTS prior
to transmitting the packet — useful for larger packets to help ensure the
success of their transmission. Enter a value between 1 and 2347.
16. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Coverage and Capacity Planning
Global Settings (IAP)
Global Settings .11a
Global Settings .11n
Advanced RF Settings
LED Settings
IAP Settings
IAP Statistics Summary
258
Configuring the Wi-Fi Array
Wi-Fi Array
Global Settings .11n
This window is displayed only for XN Array models. It allows you to establish
global 802.11n IAP settings. These settings include enabling or disabling 802.11n
mode for the entire Array, specifying the number of transmit and receive chains
(data stream) used for spatial multiplexing, setting a short or standard guard
interval, auto-configuring channel bonding, and specifying whether autoconfigured channel bonding will be static or dynamic.
Before changing your settings for 802.11n, please read the discussion in “IEEE
802.11n Deployment Considerations” on page 34.
Figure 133. Global Settings .11n
Configuring the Wi-Fi Array
259
Wi-Fi Array
Procedure for Configuring Global 802.11n IAP Settings

1.
260
802.11n operation is allowed only if the Array’s license includes this feature.
Please see “About Licensing and Upgrades” on page 297.
802.11n Data Rates: The Array allows you to define which data rates are
supported for all 802.11n radios. Select (or deselect) 11n data rates by
clicking in the corresponding Supported and Basic data rate check boxes.
•
Basic Rate — a wireless station (client) must support this rate in
order to associate.
•
Supported Rate — data rates that can be used to transmit to
clients.
2.
802.11n Mode: Select Enabled to operate in 802.11n mode, with four
802.11b/g/n mode ports and the remaining IAPs operating in 802.11a/n
mode. Use of this mode is controlled by the Array’s license key. The key
must include 802.11n capability, or you will not be able to enable this
mode. See “License” on page 95 to view the features supported by your
license key. Contact Xirrus Customer support for questions about your
license.
3.
If you select Disabled, then 802.11n operation is disabled on the Array.
TX Chains: Select the number of separate data streams transmitted by the
antennas of each IAP. The default is 3. See “Multiple Data Streams —
Spatial Multiplexing” on page 37.
4.
RX Chains: Select the number of separate data streams received by the
antennas of each IAP. This number should be greater than or equal to TX
Chains. The default is 3. See “Multiple Data Streams — Spatial
Multiplexing” on page 37.
5.
Guard interval: Select Short to increase the data transmission rate by
decreasing wait intervals in signal transmission. Select Long to use the
standard interval. The default is Short. See “Short Guard Interval” on
page 39.
Configuring the Wi-Fi Array
Wi-Fi Array
6.
Auto bond 5 GHz channels: Select Enabled to use Channel Bonding on
5 GHz channels and automatically select the best channels for bonding.
The default is Enabled. See “Channel Bonding” on page 38.
7.
5 GHz channel bonding: Select Dynamic to have auto-configuration for
bonded 5 GHz channels be automatically updated as conditions change.
For example, if there are too many clients to be supported by a bonded
channel, dynamic mode will automatically break the bonded channel into
two channels. Select Static to have the bonded channels remain the same
once they are selected. The Dynamic option is only available when Auto
bond 5 GHz channels is enabled. The default is Dynamic. See “Channel
Bonding” on page 38.
8.
2.4 GHz channel bonding: Select Dynamic to have auto-configuration
for bonded 2.4 GHz channels be automatically updated as conditions
change. Select Static to have the bonded channels remain the same once
they are selected. The default is Dynamic. See “Channel Bonding” on
page 38.
9.
Global channel bonding: These buttons allow you to turn channel
bonding on or off for all IAPs in one step. The effect of using one of these
buttons will be shown if you go to the IAP Settings window and look at
the Bond column. Clicking Enable bonding on all IAPs causes all IAPs
to be bonded to their auto-bonding channel immediately, if appropriate.
For example, an IAP will not be bonded if it is set to monitor mode, and
2.4 GHz radios will not be bonded. Click Disable bonding on all IAPs to
turn off bonding on all IAPs immediately. See “Channel Bonding” on
page 38. Settings in Step 7 and Step 8 are independent of global channel
bonding.
Configuring the Wi-Fi Array
261
Wi-Fi Array
Advanced RF Settings
This window allows you to establish RF settings, including automatically
configuring channel allocation and cell size, and configuring radio assurance and
standby modes. Changes you make on this page are applied to all IAPs, without
exception.
Figure 134. Advanced RF Settings
About Standby Mode
Standby Mode supports the Array-to-Array fail-over capability. When you enable
Standby Mode, the Array functions as a backup unit, and it enables its radios if it
detects that its designated target Array has failed. The use of redundant Arrays to
provide this fail-over capability allows Arrays to be used in mission-critical
262
Configuring the Wi-Fi Array
Wi-Fi Array
applications. In Standby Mode, an Array monitors beacons from the target Array.
When the target has not been heard from for 40 seconds, the standby Array
enables its radios until it detects that the target Array has come back online.
Standby Mode is off by default. Note that you must ensure that the configuration
of the standby Array is correct. This window allows you to enable or disable
Standby Mode and specify the primary Array that is the target of the backup unit.
See also, “Failover Planning” on page 42.
Procedure for Configuring Advanced RF Settings

Some of the features below, such as Auto Configure for Cell Size and
Channel Configuration, are only available if the Array’s license includes the
Xirrus Advanced RF Performance Manager (RPM). If a setting is
unavailable (grayed out), then your license does not support the feature.
Please see “About Licensing and Upgrades” on page 297.
Other features below, such as RF Intrusion Detection, are only available if
the Array’s license includes the Xirrus Advanced RF Security Manager
(RSM).
RF Monitor
1.
RF Monitor Mode: Turning this mode On enables RF monitoring
functionality, permitting the operation of features like intrusion detection.
RF Resilience
2.
Radio Assurance Mode: When this mode is enabled, the monitor radio
performs loopback tests on the Array. This mode requires RF Monitor
Mode to be enabled (Step 1) to enable self-monitoring functions. It also
requires a radio to be set to monitoring mode (see “Enabling Monitoring
on the Array” on page 412).
Operation of Radio Assurance mode is described in detail in “Array
Monitor and Radio Assurance Capabilities” on page 412.
The Radio Assurance mode scans and sends out probe requests on each
channel, in turn. It listens for all probe responses and beacons. These tests
Configuring the Wi-Fi Array
263
Wi-Fi Array
are performed continuously (24/7). If no beacons or probe responses are
observed from a radio for a predetermined period, Radio Assurance
mode will take action according to the preference that you have specified:
•
Failure alerts only — The Array will issue alerts in the Syslog, but
will not initiate repairs or reboots.
•
Failure alerts & repairs, but no reboots — The Array will issue alerts
and perform resets of one or all of the radios if needed.
•
Failure alerts & repairs & reboots if needed — The Array will issue
alerts, perform resets, and schedule reboots if needed.
•
Disabled — Disable IAP radio assurance tests (no self-monitoring
occurs). Loopback tests are disabled by default.
3.
Enable Standby Mode: Choose Yes to enable this Array to function as a
backup unit for the target Array, or choose No to disable this feature. See
“About Standby Mode” on page 262.
4.
Standby Target Address: If you enabled the Standby Mode, enter the
MAC address of the target Array (i.e., the address of the primary Array
that is being monitored and backed up by this Array). To find this MAC
address, open the Array Info window on the target Array, and use the
Gigabit1 MAC Address.
RF Power & Sensitivity
For an overview of RF power and cell size settings, please see “Capacity and Cell
Sizes” on page 27 and “Fine Tuning Cell Sizes” on page 28.

To use the Auto Cell Size feature, the following additional settings are
required:
RF Monitor Mode must be turned On. See “RF Monitor” on page 263
One of the radios must be in monitor mode, and all other IAPs that will use
Auto Cell must have Cell Size set to auto. See “Procedure for Manually
Configuring IAPs” on page 238.
264
Configuring the Wi-Fi Array
Wi-Fi Array
5.
Cell Size Configuration: Click on the Auto Configure button to instruct
the Array to determine and set the best cell size for each enabled IAP,
based on changes in the environment. This is the recommended method
for setting cell size. On the IAP Settings window, each enabled IAP will
have its cell size set to Auto.
6.
Sharp Cell: This feature reduces interference between neighboring
Arrays or other Access Points by limiting to a defined boundary (cell size)
the trailing edge bleed of RF energy. Choose On to enable the Sharp Cell
functionality, or choose Off to disable this feature. See also, “Fine Tuning
Cell Sizes” on page 28.
The Sharp Cell feature only works when the cell size is Small, Medium, or
Large (or Auto) — but not Max. If an IAP cell size is set to Max, the Sharp
Cell feature will be disabled for that radio.
RF Spectrum Management
7.
Configuration Status: Shows the status of auto channel configuration. If
an operation is in progress, the approximate time remaining until
completion is displayed; otherwise Idle is displayed.
8.
Band Configuration: Automatic band configuration is the recommended
method for assigning bands to the abg(n) IAPs. It runs only on command,
assigning IAPs to the 2.4GHz or 5GHz band when you click the Auto
Configure button. The Array uses its radios to listen for other APs on the
same channel, and it assigns bands based on where it finds the least
interference. Auto band always assigns at least one radio to the 2.4GHz
band. Auto band runs separately from auto channel configuration. If the
band is changed for an IAP, associated stations will be disconnected and
will then reconnect.
9.
Channel Configuration: Automatic channel configuration is the
recommended method for channel allocation. When the Array performs
auto channel configuration, it first negotiates with any other nearby
Arrays that have been detected, to determine whether to stagger the start
Configuring the Wi-Fi Array
265
Wi-Fi Array
time for the procedure slightly. Thus, nearby Arrays will not run auto
channel at the same time. This prevents Arrays from interfering with each
other’s channel assignments.
Click Auto Configure to perform auto channel configuration
immediately, without first negotiating with any nearby Arrays. This
option is faster than Auto Negotiate and Configure. This allows you to
manually perform auto channel without waiting, and may be used when
you know that no other nearby Arrays are configuring their channels. If
multiple Arrays are configuring channels at the same time, use the Auto
Negotiate option to be ensure that multiple Arrays don't select the same
channels.
Click Auto Negotiate & Configure to instruct the Array to determine the
best channel allocation settings for each IAP and select the channel
automatically, based on changes in the environment. The Array will first
negotiate with other nearby Arrays to see if the start time needs to be
staggered slightly.
Click Factory Defaults to instruct the Array to return all IAPs to their
factory preset channels.
10. Auto Channel Configuration Mode: This option allows you to instruct
the Array to auto-configure channel selection for each enabled IAP when
the Array is powered up. Choose On Array PowerUp to enable this
feature, or choose Disabled to disable this feature.
11. Auto Channel Configure on Time: This option allows you to instruct the
Array to auto-configure channel selection for each enabled IAP at a time
you specify here. Leave this field blank unless you want to specify a time
at which the auto-configuration utility is initiated. Time is specified in
hours and minutes, using the format: [day]hh:mm [am|pm]. If you omit
the optional day specification, channel configuration will run daily at the
specified time. If you do not specify am or pm, time is interpreted in 24hour military time. For example, Sat 11:00 pm and Saturday 23:00 are
both acceptable and specify the same time.
266
Configuring the Wi-Fi Array
Wi-Fi Array
12. Channel List Selection: This list selects which channels are available to
the auto channel algorithm. Channels that are not checked are left out of
the auto channel selection process. Note that channels that have been
locked by the user are also not available to the auto channel algorithm.
13. Auto Channel List: Use All Channels selects all available channels (this
does not include locked channels). Use Defaults sets the auto channel list
back to the defaults. This omits newer channels (100-140) — many
wireless NICs don’t support these channels.

As mandated by FCC law, Array channels 100 - 140 are restricted to indoor
use only.
14. Public Safety: This option adds two additional channels (191 and 195) in
the 4.9GHz spectrum range for public safety usage by qualified
organizations. Operating these channels requires a license, and so they
are not for general purpose use. Using these channels without a license
violates FCC rules. Warning notices are displayed when you enable this
feature and select these channels.
Station Assurance
Station assurance monitors the quality of the connections that users are
experiencing on the Wi-Fi network. You can quickly detect stations that are
having problems and take steps to correct them. Use these settings to establish
threshold values for errors and other problems. Station assurance is enabled by
default, with a set of useful default thresholds that you may adjust as desired.
When a connection is experiencing problems and reaches one of these thresholds
in the specified period of time, the Array responds with several actions: an event
is triggered, a trap is generated, and a Syslog message is logged. For example, if a
client falls below the threshold for Min Average Associated Time, this
“bouncing” behavior might indicate roaming problems with the network’s RF
design, causing the client to bounce between multiple arrays and not stay
connected longer than the time to re-associate and then jump again. This can be
corrected with RF adjustments. Station assurance alerts you to the fact that this
station is encountering problems.
Configuring the Wi-Fi Array
267
Wi-Fi Array
Figure 135. Station Assurance (Advanced RF Settings)
15. Enable Station Assurance: This is enabled by default. Click No if you
wish to disable it, and click Yes to re-enable it. When station assurance is
enabled, the Array will monitor connection quality indicators listed
below and will display associated information on the Station Assurance
Status page. When a threshold is reached, an event is triggered, a trap is
generated, and a Syslog message is logged.
16. Period: In seconds, the period of time for a threshold to be reached. For
example, the Array will check whether Max Authentication Failures has
been reached in this number of seconds. The default value is 60 seconds.
17. Min Average Associated Time: (seconds) Station assurance detects
whether the average length of station associations falls below this
threshold during a period. The default value is 30 seconds.
18. Max Authentication Failures: Station assurance detects whether the
number of failed login attempts reaches this threshold during a period.
The default value is 3 failures.
19. Max Packet Error Rate: (%) Station assurance detects whether the packet
error rate percentage reaches this threshold during a period. The default
value is 25%.
268
Configuring the Wi-Fi Array
Wi-Fi Array
20. Max Packet Retry Rate: (%) Station assurance detects whether the packet
retry rate percentage reaches this threshold during a period. The default
value is 25%.
21. Min Packet Data Rate: (Mbps) Station assurance detects whether the
packet data rate falls below this threshold during a period. The default
value is 10 Mbps.
22. Min Received Signal Strength: (dB) Station assurance detects whether
the strength of the signal received from the station falls below this
threshold during a period. The default value is -85 dB.
23. Min Signal to Noise Ratio: (dB) Station assurance detects whether the
ratio of signal to noise received from the station falls below this threshold
during a period. The default value is 10 dB.
24. Max Distance from Array: Min Received Signal Strength: (feet) Station
assurance detects whether the distance of the station from the Array
reaches this threshold during a period. The default value is 500 feet.
See Also
Coverage and Capacity Planning
Global Settings .11a
Global Settings .11bg
Global Settings .11n
IAPs
IAP Settings
Configuring the Wi-Fi Array
269
Wi-Fi Array
Intrusion Detection
The Xirrus Array employs a number of IDS/IPS (Intrusion Detection System/
Intrusion Prevention System) strategies to detect and prevent malicious attacks on
the Wi-Fi network. This window allows you to adjust intrusion detection settings.
Figure 136. Intrusion Detection Settings
The Array provides a suite of intrusion detection and prevention options to
improve network security. You can separately enable detection of the following
types of problems:

Rogue Access Point Detection and Blocking
Unknown access points are detected, and may be automatically blocked
based on a number of criteria. See “About Blocking Rogue APs” on
page 273.
270
Configuring the Wi-Fi Array
Wi-Fi Array

Denial of Service (DoS) or Availability Attack Detection
A DoS attack attempts to flood an Array with communications requests
so that it cannot respond to legitimate traffic, or responds so slowly that it
becomes effectively unavailable. The Array can detect a number of types
of DoS attacks, as described in the table below.

Impersonation Detection
These malicious attacks use various techniques to impersonate a
legitimate AP or station, often in order to eavesdrop on wireless
communications. The Array detects a number of types of impersonation
attacks, as described in the table below.
Type of Attack
Description
DoS Attacks
Beacon Flood
Generating thousands of counterfeit 802.11 beacons to
make it hard for stations to find a legitimate AP.
Probe Request
Flood
Generating thousands of counterfeit 802.11 probe requests
to overburden the Array.
Authentication
Flood
Sending forged Authenticates from random MAC
addresses to fill the Array's association table.
Association
Flood
Sending forged Associates from random MAC addresses
to fill the Array's association table.
Disassociation
Flood
Flooding the Array with forged Disassociation packets.
Deauthentication
Flood
Flooding the Array with forged Deauthenticates.
EAP Handshake
Flood
Flooding an AP with EAP-Start messages to consume
resources or crash the target.
Null Probe
Response
Answering a station probe-request frame with a null SSID.
Many types of popular NIC cards cannot handle this
situation, and will freeze up.
Configuring the Wi-Fi Array
271
Wi-Fi Array
Type of Attack
Description
MIC Error Attack
Generating invalid TKIP data to exceed the Array's MIC
error threshold, suspending WLAN service.
Disassociation
Attack (Omerta)
Sending forged disassociation frames to all stations on a
channel in response to data frames.
Deauthentication
Attack
Sending forged deauthentication frames to all stations on
a channel in response to data frames.
Duration Attack
(Duration Field
Spoofing)
Injecting packets into the WLAN with huge duration
values. This forces the other nodes in the WLAN to keep
quiet, since they cannot send any packet until this value
counts down to zero. If the attacker sends such frames
continuously it silences other nodes in the WLAN for long
periods, thereby disrupting the entire wireless service.
Impersonation Attacks
AP
impersonation
Reconfiguring an attacker's MAC address to pose as an
authorized AP. Administrators should take immediate
steps to prevent the attacker from entering the WLAN.
Station
impersonation
Reconfiguring an attacker's MAC address to pose as an
authorized station. Administrators should take immediate
steps to prevent the attacker from entering the WLAN.
Evil twin attack
Masquerading as an authorized AP by beaconing the
WLAN's service set identifier (SSID) to lure users.
Sequence
number anomaly
A sender may use an Add Block Address request (ADDBA
- part of the Block ACK mechanism) to specify a sequence
number range for packets that the receiver can accept.
An attacker spoofs an ADDBA request, asking the receiver
to reset its sequence number window to a new range. This
causes the receiver to drop legitimate frames, since their
sequence numbers will not fall in that range.
272
Configuring the Wi-Fi Array
Wi-Fi Array
About Blocking Rogue APs
If you classify a rogue AP as blocked (see “Rogue Control List” on page 206), then
the Array will take measures to prevent stations from staying associated to the
rogue. When the monitor radio is scanning, any time it hears a beacon from a
blocked rogue it sends out a broadcast “deauth” signal using the rogue's BSSID
and source address. This has the effect of disconnecting all of a rogue AP’s clients
approximately every 5 to 10 seconds, which is enough to make the rogue
frustratingly unusable.
The Advanced RF Settings window allows you to set up Auto Block parameters
so that unknown APs get the same treatment as explicitly blocked APs. This is
basically a “shoot first and ask questions later” mode. By default, auto blocking is
turned off. Auto blocking provides two parameters for qualifying blocking so that
APs must meet certain criteria before being blocked. This keeps the Array from
blocking every AP that it detects. You may:

Set a minimum RSSI value for the AP — for example, if an AP has an RSSI
value of -90, it is probably a harmless AP belonging to a neighbor and not
in your building.

Block based on encryption level.

Block based on whether the AP is part of an ad hoc network or
infrastructure network.
Procedure for Configuring Intrusion Detection
RF Intrusion Detection and Auto Block Mode
1.
Intrusion Detection Mode: This option allows you to choose the
Standard intrusion detection method, or you can choose Off to disable
this feature. See “Array Monitor and Radio Assurance Capabilities” on
page 412 for more information.
•
Standard — enables the monitor radio to collect Rogue AP
information.
•
Off — intrusion detection is disabled.
Configuring the Wi-Fi Array
273
Wi-Fi Array
2.
Auto Block Unknown Rogue APs: Enable or disable auto blocking (see
“About Blocking Rogue APs” on page 273). Note that in order to set Auto
Block RSSI and Auto Block Level, you must set Auto Block Unknown
Rogue APs to On. Then the remaining Auto Block fields will be active.
3.
Auto Block RSSI: Set the minimum RSSI for rogue APs to be blocked.
APs with lower RSSI values will not be blocked. They are assumed to be
farther away, and probably belonging to neighbors and posing a minimal
threat.
4.
Auto Block Level: Select rogue APs to block based on the level of
encryption that they are using. The choices are:
5.
•
Automatically block unknown rogue APs regardless of encryption.
•
Automatically block unknown rogue APs with no encryption.
•
Automatically block unknown rogue APs with WEP or no
encryption.
Auto Block Network Types: Select rogues to automatically block by
applying the criteria above only to networks of the type specified below.
The choices are:
•
All — the unknown rogues may be part of any wireless network.
•
IBSS/AD Hoc only — only consider auto blocking rogues if they
belong to an ad hoc wireless network (a network of client devices
without a controlling Access Point, also called an Independent Basic
Service Set — IBSS).
•
ESS/Infrastructure only — only consider auto blocking rogue APs if
they are in infrastructure mode rather than ad hoc mode.
DoS Attack Detection Settings
6.
274
Attack/Event: The types of DoS attack that you may detect are described
in the Type of Attack Table on page 271. Detection of each attack type
may be separately enabled or disabled. For each attack, a default
Threshold and Period (seconds) are specified. If the number of
occurrences of the type of packet being detected exceeds the threshold in
Configuring the Wi-Fi Array
Wi-Fi Array
the specified number of seconds, then the Array declares that an attack
has been detected. You may modify the Threshold and Period.
For the Flood attack settings, you also have a choice of Auto or Manual.
7.
•
Manual mode — threshold and period settings are used to detect a
flood. Packets received are simply counted for the specified time
period and compared against the flood threshold. The default for all
of the floods is Manual mode.
•
Auto mode — the Array analyzes current traffic for packets of a given
type versus traffic over the past hour to determine whether a packet
flood should be detected. In this mode, threshold and period settings
are ignored. This mode is useful for floods like beacon or probe
floods, where the numbers of such packets detected in the air can
vary greatly from installation to installation.
Duration Attack NAV (ms): For the duration attack, you may also modify
the default duration value that is used to determine whether a packet
may be part of an attack. If the number of packets having at least this
duration value exceeds the Threshold number in the specified Period, an
attack is detected.
Impersonation Detection Settings
8.
Attack/Event: The types of impersonation attack that you may detect are
described in Impersonation Attacks on page 272. Detection of each attack
type may be turned On or Off separately. For AP or Station
Impersonation attacks, a default Threshold and Period (seconds) are
specified. If the number of occurrences of the type of packet being
detected exceeds the threshold in the specified number of seconds, then
the Array declares that an attack has been detected. You may modify the
Threshold and Period.
9.
Sequence number anomaly: You may specify whether to detect this type
of attack in Data traffic or in Management traffic, or turn Off this type of
detection.
Configuring the Wi-Fi Array
275
Wi-Fi Array
LED Settings
This window assigns behavior preferences for the Array’s IAP LEDs.
Figure 137. LED Settings
Procedure for Configuring the IAP LEDs
1.
LED State: This option determines which event triggers the LEDs, either
when an IAP is enabled or when an IAP first associates with the network.
Choose On Radio Enabled or On First Association, as desired. You may
also choose Disabled to keep the LEDs from being lit. The LEDs will still
light during the boot sequence, then turn off.
2.
LED Blink Behavior: This option allows you to select when the IAP LEDs
blink, based on the activities you check here. From the choices available,
select one or more activities to trigger when the LEDs blink. For default
behavior, see “Array LED Operating Sequences” on page 63.
3.
Click Save changes to flash if you wish to make your changes
permanent.
See Also
Global Settings (IAP)
Global Settings .11a
276
Configuring the Wi-Fi Array
Wi-Fi Array
Global Settings .11bg
IAPs
LED Boot Sequence
Configuring the Wi-Fi Array
277
Wi-Fi Array
WDS
This is a status-only window that provides an overview of all WDS links that have
been defined. WDS (Wireless Distribution System) is a system that enables the
interconnection of access points wirelessly, allowing your wireless network to be
expanded using multiple access points without the need for a wired backbone to
link them. The Summary of WDS Client Links shows the WDS links that you
have defined on this Array and identifies the target Array for each by its base
MAC address. The Summary of WDS Host Links shows the WDS links that have
been established on this Array as a result of client Arrays associating to this Array
(i.e., the client Arrays have this Array as their target). The summary identifies the
source (client) Array for each link. Both summaries identify the IAPs that are part
of the link and whether the connection for each is up or down. See “WDS
Planning” on page 52 for an overview.
Figure 138. WDS
About Configuring WDS Links
A WDS link connects a client Array and a host Array (see Figure 139 on page 279).
The host must be the Array that has a wired connection to the LAN. Client links
from one or more Arrays may be connected to the host, and the host may also
have client links. See “WDS Planning” on page 52 for more illustrations.
The configuration for WDS is performed on the client Array only, as described in
“WDS Client Links” on page 280. No WDS configuration is performed on the host
278
Configuring the Wi-Fi Array
Wi-Fi Array
Array. First you will set up a client link, defining the target (host) Array and SSID,
and the maximum number of IAPs in the link. Then you will select the IAPs to be
used in the link. When the client link is created, each member IAP will associate to
an IAP on the host Array.
You may wish to consider configuring the WDS link IAPs so that only the WDS
link SSIDs are active on them. See “Active IAPs” on page 225.
Client
Link
a2(52)
a10(52)
a3(149)
a9(149)
a4(40)
a8(40)
Wired LAN
HOST
CLIENT
Figure 139. .Configuring a WDS Link

Once an IAP has been selected to act as a WDS client link, you will not be
allowed to use auto-configured cell sizing on that IAP (since the cell must
extend all the way to the other Array).

When configuring WDS, if you use WPA-PSK (Pre-Shared Key) as a
security mechanism, ensure that EAP is disabled. Communication between
two Arrays in WDS mode will not succeed if the client Array has both PSK
and EAP enabled on the SSID used by WDS. See SSID Management.

TKIP encryption does not support high throughput rates, per IEEE 802.11n.
TKIP should never be used for WDS links on XR arrays.
Long Distance Links
If you are using WDS with an external antenna to provide backhaul over an
extended distance, use the WDS Dist. (Miles) setting to prevent timeout
Configuring the Wi-Fi Array
279
Wi-Fi Array
problems associated with long transmission times. (See “IAP Settings” on
page 237) Set the approximate distance in miles between this IAP and the
connected Array in the WDS Dist. (Miles) column. This will increase the wait
time for frame transmission accordingly.
See Also
SSID Management
Active IAPs
WDS Client Link IAP Assignments:
WDS Client Links
WDS Statistics
WDS Client Links
This window allows you to set up a maximum of four WDS client links.
Figure 140. WDS Client Links
Procedure for Setting Up WDS Client Links
WDS Client Link Settings:
280
1.
Client Link: Shows the ID (1 to 4) of each of the four possible WDS links.
2.
Enabled: Check this box if you want to enable this WDS link, or uncheck
the box to disable the link.
Configuring the Wi-Fi Array
Wi-Fi Array
3.
Max IAPs Allowed (1-3): Enter the maximum number of IAPs for this
link, between 1 and 3.
4.
Target Array Base MAC Address: Enter the base MAC address of the
target Array (the host Array at the other side of this link). To find this
MAC address, open the WDS window on the target Array, and use This
Array Address located on the right under the Summary of WDS Host
Links.
5.
Target SSID: Enter the SSID that the target Array is using.
6.
Username: Enter a username for this WDS link. A username and
password is required if the SSID is using PEAP for WDS authentication
from the internal RADIUS server.
7.
Password: Enter a password for this WDS link.
8.
Clear Settings: Click on the Clear button to reset all of the fields on this
line.
9.
Click on the Save changes to flash if you wish to make your changes
permanent.
WDS Client Link IAP Assignments:
10. For each desired client link, select the IAPs that are part of that link. The
IAP channel assignments are shown in the column headers.

Once an IAP has been selected to act as a WDS client link, no other
association will be allowed on that IAP. However, wireless associations will
be allowed on the WDS host side of the WDS session.
11. IAP Channel Assignment: Click Auto Configure to instruct the Array to
automatically determine the best channel allocation settings for each IAP
that participates in a WDS link, based on changes in the environment.
These changes are executed immediately, and are automatically applied.
Configuring the Wi-Fi Array
281
Wi-Fi Array
12. Allow Concurrent Stations: Click Yes to instruct the Array to allow
stations to associate to IAPs on a host Array that participate in a WDS
link. The WDS host IAP will send beacons announcing its availability to
wireless clients.
13. Reset All Links: this command tears down all links configured on the
Array and sets them back to their factory defaults, effective immediately.
See Also
SSID Management
WDS Planning
WDS
WDS Statistics
282
Configuring the Wi-Fi Array
Wi-Fi Array
Filters

This feature is only available if the Array’s license includes the Xirrus
Advanced RF Security Manager (RSM). If a setting is unavailable
(grayed out), then your license does not support the feature. Please see
“About Licensing and Upgrades” on page 297.
The Wi-Fi Array’s integrated firewall uses stateful inspection to speed the
decision of whether to allow or deny traffic. Filters are used to define the rules
used for blocking or passing traffic. Filters can also set the VLAN and QoS level
for selected traffic.
User connections managed by the firewall are maintained statefully — once a user
flow is established through the Array, it is recognized and passed through
without application of all defined filtering rules. Stateful inspection runs
automatically on the Array. The rest of this section describes how to view and
manage filters.
Filters are organized in groups, called Filter Lists. A filter list allows you to apply
a uniform set of filters to SSIDs or Groups very easily.
Orange arrow 
expands/collapses display
Figure 141. Filters
The read-only Filters window provides you with an overview of all filter lists that
have been defined for this Array, and the filters that have been created in each list.
Configuring the Wi-Fi Array
283
Wi-Fi Array
Filters are listed in the left side column by name under the filter list to which they
belong. Each filter entry includes information about the type of filter, the protocol
it is filtering, which port it applies to, source and destination addresses, and QoS
and VLAN assignments.
Filter Lists
This window allows you to create filter lists. The Array comes with one
predefined list, named Global, which cannot be deleted. Filter lists (including
Global) may be applied to SSIDs or to Groups. Only one filter list at a time may be
applied to a group or SSID (although the filter list may contain a number of
filters). All filters are created within filter lists.
Figure 142. Filter Lists
Procedure for Managing Filter Lists
1.
284
Stateful Filtering: Stateful operation of the integrated firewall can be
Enabled or Disabled. If you have a large number of filters and you don’t
want to apply them in a stateful manner, you may use this option to turn
the firewall off.
Configuring the Wi-Fi Array
Wi-Fi Array
2.
New Filter List Name: Enter a name for the new filter list in this field,
then click on the Create button to create the list. All new filters are
disabled when they are created. The new filter list is added to the Filter
List table in the window. Click on the filter list name, and you will be
taken to the Filter Management window for that filter list.
3.
On: Check this box to enable this filter list, or leave it blank to disable the
list. If the list is disabled, you may still add filters to it or modify it, but
none of the filters will be applied to data traffic.
4.
Filters: This read-only field displays the number of filters that belong to
this filter list.
5.
SSIDs: This read-only field lists the SSIDs that use this filter list.
6.
User Groups: This read-only field lists the Groups that use this filter list.
7.
Delete: Click this button to delete this filter list.
8.
Click Save changes to flash if you wish to make your changes
permanent.
9.
Click a filter list to go to the Filter Management window to create and
manage the filters that belong to this list.
Configuring the Wi-Fi Array
285
Wi-Fi Array
Filter Management
This window allows you to create and manage filters that belong to a selected
filter list, based on the filter criteria you specify.
Filters are applied in order, from top to bottom.
Click here to change the order.
Figure 143. Filter Management
Note that filtering is secondary to the stateful inspection performed by the
integrated firewall. Traffic for established connections is passed through without
the application of these filtering rules.
Procedure for Managing Filters
286
1.
Filter List: Select the filter list to display and manage on this window. All
of the filters already defined for this list are shown, and you may create
additional filters for this list.
2.
New Filter Name: Enter a name for the new filter in the field next to the
Create button, then click on the Create button to create the filter. All new
filters are added to the table of filters at the top of the window. The filter
name must be unique within the list, but it may have the same name as a
Configuring the Wi-Fi Array
Wi-Fi Array
filter in a different filter list. Two filters with the same name in different
filter lists will be completely unrelated to each other — they may be
defined with different parameter values.
3.
Filter: Choose a filter entry to modify from the list at the top of the
window.
4.
On: Use this field to enable or disable this filter.
5.
Deny: Choose whether this filter will be an Allow filter or a Deny filter. If
you define the filter as an Allow filter, then any associations that meet the
filter criteria will be allowed. If you define the filter as a Deny filter, any
associations that meet the filter criteria will be denied.
6.
Protocol: Choose a specific filter protocol from the pull-down list, or
choose numeric and enter a Number, or choose any to instruct the Array
to use the best filter. This is a match criterion.
7.
Port: This is a match criterion. From the pull-down list, choose the target
port type for this filter. Choose any to instruct the Array to apply the filter
to any port, or choose 1-65534 and enter a Number.
To enter a Range of port numbers,
separate the start and end numbers with
a colon as shown: Start # : End #.
8.
QoS: (Optional) Set packets that match the filter criteria to this QoS level
(0 to 3), selected from the pull-down list. Level 0 has the lowest priority;
level 3 has the highest priority. By default, this field is blank and the filter
does not modify QoS level. See “Understanding QoS Priority on the Wi-Fi
Array” on page 210.
9.
VLAN ID: (Optional) Set packets that match the filter criteria to this
VLAN. Select a VLAN from the pull-down list, or select numeric and
enter the number of a previously defined VLAN (see “VLANs” on
page 171).
10. Move Up/Down: The filters are applied in the order in which they are
displayed in the list, with filters on the top applied first. To change an
entry’s position in the list, just click its Up or Down button.
Configuring the Wi-Fi Array
287
Wi-Fi Array
11. Source Address: Define a source address to match as a filter criterion.
Click the radio button for the desired type of address (or other attribute)
to match. Then specify the value to match in the field to the right of the
button. Choose Any to use any source address. Check Not to match any
address except for the specified address.
12. Destination Address: Define a destination address to match as a filter
criterion. Click the radio button for the desired type of address (or other
attribute) to match. Then specify the value to match in the field to the
right of the button. Choose Any to use any source address. Check Not to
match any address except for the specified address.
13. To delete a filter, click its Delete button.
14. Click Save changes to flash if you wish to make your changes
permanent.
See Also
Filters
Filter Statistics
Understanding QoS Priority on the Wi-Fi Array
VLANs
288
Configuring the Wi-Fi Array
Wi-Fi Array
Clusters
Clusters allow you to configure multiple Arrays at the same time. Using WMI (or
CLI), you may define a set of Arrays that are members of the cluster. Then you
may enter Cluster mode for a selected cluster, which sends all successive
configuration commands issued via CLI or WMI to all of the member Arrays.
When you exit cluster mode, configuration commands revert to applying only to
the Array to which you are connected.
The read-only Clusters window provides you with an overview of all clusters that
have been defined for this Array, and the Arrays that have been added to each.
Arrays are listed in the left hand column by name under the cluster to which they
belong. Each Array entry displays its IP Address, Username, and Password.
Figure 144. Clusters
Clusters are discussed in the following topics:

Cluster Definition

Cluster Management

Cluster Operation
Configuring the Wi-Fi Array
289
Wi-Fi Array
Cluster Definition
This window allows you to create clusters. All existing clusters are shown, along
with the number of Arrays currently in each. Up to 16 clusters may be created,
with up to 50 Arrays in each.
Figure 145. Cluster Definition
Procedure for Managing Cluster Definition
290
1.
New Cluster Name: Enter a name for the new cluster in the field to the
left of the Create button, then click Create to add this entry. The new
cluster is added to the list in the window. Click on the cluster name, and
you will be taken to the Cluster Management window for that cluster.
2.
Delete: To delete a cluster, click its Delete button.
3.
Click Save changes to flash if you wish to make your changes
permanent.
4.
Click a cluster to go to the Cluster Management window to add or
remove Arrays in the cluster.
Configuring the Wi-Fi Array
Wi-Fi Array
Cluster Management
This window allows you to add Arrays to or delete them from a selected cluster.
A cluster may include a maximum of 50 Arrays.
Note that the Array on which you are currently running WMI is not automatically
a member of the cluster. If you would like it to be a member, you must add it
explicitly.
Figure 146. Cluster Management
Procedure for Managing Clusters
1.
Edit Cluster: Select the cluster to display and manage on this window. All
of the Arrays already defined for this cluster are shown, and you may
add additional Arrays to this list.
2.
Array: Enter the hostname or IP address of the Array that you wish to
add to this cluster.
3.
Username/Password: In these columns, enter the administrator name
and password for access to the Array.
4.
Click the Add Array button to enter the Array.
5.
To delete an Array, click its Delete button.
6.
Click Save changes to flash if you wish to make your changes
permanent.
Configuring the Wi-Fi Array
291
Wi-Fi Array
Cluster Operation
This window puts WMI into Cluster Mode. In this mode, all configuration
operations that you execute in WMI or CLI are performed on the members of the
cluster. They are not performed on the Array where you are running WMI, unless
it is a member of the cluster.
You must use the Save changes to flash button at the top of configuration
windows to permanently save your changes in Cluster Mode, just as you would
in normal operation. When you are done configuring Arrays in the cluster, return
to this window and click the Exit button to leave Cluster Mode.
Figure 147. Cluster Mode Operation
Procedure for Operating in Cluster Mode
1.
Operate: Click the Operate button to the right of the desired cluster. A
message informs you that you are operating in cluster mode. Click OK.
The Operate button is replaced with an Exit button.
Figure 148. Cluster Mode Activation
292
2.
Select a WMI window for settings that you wish to configure for the
cluster, and proceed to make the desired changes.
3.
Proceed to any additional pages where you wish to make changes.
Configuring the Wi-Fi Array
Wi-Fi Array
4.
Some Status and Statistics windows will present information for all
Arrays in the cluster.
5.
Click the Save button when done if you wish to save changes on the
cluster member Arrays.
6.
Exit: Click the Exit button to the right of the operating cluster to terminate
Cluster Mode. The WMI returns to normal operation — managing only
the Array to which it is connected.
Status and Statistics Windows in Cluster Mode
In Cluster Mode, many of the Status and Statistics windows will display
information for all of the members of the cluster. You can tell whether a window
displays cluster information — if so, it will display the Cluster Name near the top,
as shown in Figure 149.
Cluster Name
Specify Grouping
Exit Cluster Mode
Figure 149. Viewing Statistics in Cluster Mode
You have the option to show aggregate information for the cluster members, or
click the Group by Array check box to separate it out for each Array.
You may terminate cluster mode operation by clicking the Exit button to the right
of the Group by Array check box.
Configuring the Wi-Fi Array
293
Wi-Fi Array
294
Configuring the Wi-Fi Array
Wi-Fi Array
Using Tools on the Wi-Fi Array
These WMI windows allow you to perform administrative tasks on your Array,
such as upgrading software, rebooting, uploading and downloading
configuration files, and other utility tasks. Tools are described in the following
sections:

“System Tools” on page 296

“CLI” on page 308

“Options” on page 309

“Logout” on page 312
Note that the Tools menu section may be collapsed down to hide the headings
under it by clicking it. Click again to display the headings. (See Figure 39 on
page 80)
This section does not discuss using status or configuration windows. For
information on those windows, please see:

“Viewing Status on the Wi-Fi Array” on page 85

“Configuring the Wi-Fi Array” on page 137
Using Tools on the Wi-Fi Array
295
Wi-Fi Array
System Tools
This window allows you to manage files for software images, configuration, and
Web Page Redirect (WPR), manage the system’s configuration parameters, reboot
the system, and use diagnostic tools.
Status is
shown here
Progress is
shown here
Figure 150. System Tools
296
Using Tools on the Wi-Fi Array
Wi-Fi Array

Some tools, such as Network Tools and Diagnostics, are only available if the
Array’s license includes the Xirrus Advanced RF Analysis Manager
(RAM). If a tool is unavailable (grayed out), then your license does not
support the feature. See “About Licensing and Upgrades” on page 297.
About Licensing and Upgrades
The Array’s license determines many of the features that are available on the
Array. For example, automatic cell sizing and channel allocation require a license
that includes the Xirrus Advanced RF Performance Manager (RPM). Also, IEEE
802.11n operation on XN model Arrays is a licensed feature. To check the features
supported by your license, see “Array Information” on page 90.
If you are upgrading the Array to add new features that are not supported by
your existing license, you must enter the new license key that includes the
upgrade’s features before upgrading.
Similarly, if you are upgrading the Array for a new release, you must enter the
new license key that enables the operation of that release before upgrading. If you
do not enter the new license first, the Array will display a message and revert to
the previous software image, rather than trying to run new software for which it
is not licensed. Major releases will need a new license key, but minor releases will
not. For example, to upgrade from ArrayOS Release 5.0.5 to Release 5.1, you must
enter a new license key. To upgrade from ArrayOS Release 5.0.5 to Release 5.0.6,
use your existing license key.
If you will be entering license keys and performing upgrades on many Arrays, the
effort will be streamlined by using the Xirrus Management System (XMS).
Procedure for Configuring System Tools
These tools are broken down into the following sections:

System

Configuration

Diagnostics

Web Page Redirect
Using Tools on the Wi-Fi Array
297
Wi-Fi Array

Network Tools

Progress and Status Frames
System
1.
Save & Reboot or Reboot: Use Save & Reboot to save the current
configuration and then reboot the Array. The LEDs on the Array indicate
the progress of the reboot, as described in “Powering Up the Wi-Fi Array”
on page 62. Alternatively, use the Reboot button to discard any
configuration changes which have not been saved since the last reboot.
2.
Software Upgrade: This feature upgrades the ArrayOS to a newer
version provided by Xirrus. Please note that you typically will need to
enter a new license key to cover the upgrade’s features before clicking
the Upgrade button. See “About Licensing and Upgrades” on page 297
for details.
Enter the filename and directory location (or click on the Browse button
to locate the software upgrade file), then click on the Upgrade button to
upload the new file to the Array. Progress of the operation will be
displayed below, in the Progress section. Completion status of the
operation is shown in the Status section.
This operation does not run the new software or change any configured
values. The existing software continues to run on the Array until you
reboot, at which time the uploaded software will be used.

If you have difficulty upgrading the Array using the WMI, see “Upgrading
the Array via CLI” on page 418 for a lower-level procedure you may use.
Software Upgrade always uploads the file in binary mode. If you transfer
any image file to your computer to have it available for the Software Upgrade
command, it is critical to remember to transfer it (ftp, tftp) in binary mode!
298
Using Tools on the Wi-Fi Array
Wi-Fi Array
3.
License Key: If Xirrus provides you with a new license key for your
Array, use this field to enter it, then click the Upgrade button to the right.
A valid license is required for Array operation, and it controls the features
available on the Array. If you upgrade your Array for additional features,
you will be provided with a license key to activate those capabilities.
If you attempt to enter an invalid key, you will receive an error message
and the current key will not be replaced.
Automatic Updates from Remote Image or Configuration File
The Array software image or configuration file can be downloaded from an
external server. In large deployments, all Arrays can be pointed to one TFTP
server instead of explicitly initiating software image uploads to all Arrays. When
the Array boots, the Array will download the software image from the specified
TFTP server. Similarly, if you decide to change a setting in the Arrays, you can
simply modify a single configuration file. After the Arrays are rebooted, they will
automatically download the new configuration file from a single location on the
specified TFTP server.
4.
Remote TFTP Server: This field defines the path to a TFTP server to be
used for automated remote update of software image and configuration
files when rebooting. You may specify the server using an IP address or
host name.
5.
Remote Boot Image: When the Array boots up, it fetches the software
image file specified here from the TFTP server defined above, and
upgrades to this image before booting. This must be an Array image file
with a .bin extension.
Make sure to place the file on the TFTP server. If you disable the remote
boot image (by blanking out this field) or if the image can't be transferred,
the Array will fall back to booting whatever image is on the compact
flash.
Using Tools on the Wi-Fi Array
299
Wi-Fi Array

6.
The Remote Boot Image or Configuration update happens every time that the
Array reboots. If you only want to fetch the remote image or configuration
file one time, be sure to turn off the remote option (blank out the field on the
System Tools page) after the initial download. When a remote boot image is
used, the image is transferred directly into memory and is never written to
the compact flash.
Remote Configuration: When the Array boots up, it fetches the specified
configuration file from the TFTP server defined above, and applies this
configuration after the local configuration is applied. The remote
configuration must be an Array configuration file with a .conf extension.
Make sure to place the file on the TFTP server.
A partial configuration file may be used. For instance, if you wish to use a
single configuration file for all of your Arrays but don't want to have the
same IP address for each Array, you may remove the ipaddr line from the
file. You can then load the file on each Array and the local IP addresses
will not change.
A remote configuration is never saved to the compact flash unless you
issue a Save command.
Configuration
300
7.
Update from Remote File: This field allows you to define the path to a
configuration file (one that you previously saved — see Step 9 and Step 10
below). Click on the Browse button if you need to browse for the location
of the file, then click Update to update your configuration settings.
8.
Update from Local File: This field updates Array settings from a local
configuration file on the Array. Select one of the following files from the
drop-down list:
•
factory.conf: The factory default settings.
•
lastboot.conf: The setting values from just before the last reboot.
•
saved.conf: The last settings that were explicitly saved using the Save
changes to flash button at the top of each window.
Using Tools on the Wi-Fi Array
Wi-Fi Array
•
history/saved-yyyymmdd-pre-update.conf:
history/saved-yyyymmdd-post-update.conf:
Two files are saved for an upgrade: the setting values from just before
an upgrade was performed, and the initial values afterward.
The filename includes the upgrade date.
•
history/saved-yyyymmdd-auto.conf: Each time you use the Save
changes to flash button, an “auto” file is saved with the settings
current at that time.
•
history/saved-yyyymmdd-pre-reset.conf: 
history/saved-yyyymmdd-post-reset.conf:
Each time you use one of the Reset to Factory Default buttons, two
files are saved: the setting values from just before the reset, and the
initial values afterward. The filename includes the reset date.
•
history/saved-yyyymmdd-hhmm.conf: The setting values that were
explicitly saved using the Set Restore Point button (see Step 9
below).
Click Update to update your configuration settings. Note that the History
folder allows a maximum of 16 files. The oldest file is automatically
deleted to make room for each new file.
9.
Save to Local File: There are a few options for explicitly requesting the
Array to save your current configuration to a file on the Array:
•
To view the list of configuration files currently on the Array, click the
down arrow to the right of this field. If you wish to replace one of
these files (i.e., save the current configuration under an existing file
name), select the file, then click Save. Note that you cannot save to
the file names factory.conf, lastboot.conf, and saved.conf - these files
are write-protected.
•
You may enter the desired file name, then click Save.
•
Click Set Restore Point to save a copy of the current configuration,
basing the file name on the current date and time. For example:
history/saved-20100318-1842.conf
Using Tools on the Wi-Fi Array
301
Wi-Fi Array
Note that the configuration is automatically saved to a file in a few
situations, as described in Step 8 above.

Important! When you have initially configured your Array, or have made
significant changes to its configuration, we strongly recommend that you
save the configuration to a file in order to have a safe backup of your working
configuration.
10. Download Current Configuration: Click on the link titled
xs_current.conf to download the Array’s current configuration settings to
a file (that you can upload back to the Array at a later date). The system
will prompt you for a destination for the file. The file will contain the
Array’s current configuration values.
11. Reset to Factory Defaults: Click on the Reset/Preserve IP Settings button
to reset the system’s current configuration settings to the factory default
values, except for the Array’s management IP address which is left unchanged.
This function allows you to maintain management connectivity to the
Array even after the reset. This will retain the Gigabit Ethernet port’s IP
address (see “Network Interfaces” on page 147), or if you have
configured management over a VLAN it will maintain the management
VLAN’s IP address (see “VLAN Management” on page 173). All other
previous configuration settings will be lost.
Click Reset to reset all of the system’s current configuration settings to
the factory default values, including the management IP address — all
previous configuration settings will be lost. The Array’s Gigabit Ethernet
ports default to using DHCP to obtain an IP address.

If the IP settings change, the connection to the WMI may be lost.
Diagnostics
12. Diagnostic Log: Click the Create button to save a snapshot of Array
information for use by Xirrus Customer Support personnel. The Progress
and Status Frames show the progress of this operation. When the process
302
Using Tools on the Wi-Fi Array
Wi-Fi Array
is complete, the filename xs_diagnostic.log will be displayed in blue
and provides a link to the newly created log file. Click the link to
download this file to the C:\ folder on your local computer. (Figure 151)
Click Update to create log
Then click this link to save
log file to local computer
Figure 151. Saving the Diagnostic Log
This feature is only used at the request of Customer Support. It saves all
of the information regarding your Array, including status, configuration,
statistics, log files, and recently performed actions.
The diagnostic log is always saved as a file named xs_diagnostic.log
on your C:\ drive, so you should immediately rename the file to save it.
This way, it will not be lost the next time you save a diagnostic log. Often,
Customer Support will instruct you to save two diagnostic logs about ten
minutes apart so that they can examine the difference in statistics
between the two snapshots (for example, to see traffic and error statistics
for the interval). Thus, you must rename the first diagnostic log file.

All passwords are stored on the array in an encrypted form and will not be
exposed in the diagnostic log.
Using Tools on the Wi-Fi Array
303
Wi-Fi Array
Web Page Redirect
The Array uses a Perl script and a cascading style sheet to define the default
splash/login Web page that the Array delivers for WPR. You may replace
these files with files for one or more custom pages of your own. See Step 15
below to view the default files. See Step 14 on page 217 for more information
about WPR and how the splash/login page is used.
Each SSID that has WPR enabled may have its own page. Custom files for a
specific SSID must be named based on the SSID name. For example, if the
SSID is named Public, the default wpr.pl and hs.css files should be
modified as desired and renamed to wpr-Public.pl and hs-Public.css
before uploading to the Array. If you modify and upload files named wpr.pl
and hs.css, they will replace the factory default files and will be used for any
SSID that does not have its own custom files, per the naming convention just
described. Be careful not to replace the default files unintentionally.
Figure 152. Managing WPR Splash/Login page files
13. Upload File: Use this to install files for your own custom WPR splash/
login page (as described above) on the Array. Note that uploaded files are
not immediately used - you must reboot the Array first. At that time, the
Array looks for and uses these files, if found.
Enter the filename and directory location (or click Browse to locate the
splash/login page files), then click on the Upload button to upload the
new files to the Array. You must reboot to make your changes take effect.
304
Using Tools on the Wi-Fi Array
Wi-Fi Array
14. Remove File: Enter the name of the WPR file you want to remove, then
click on the Delete button. You can use the List Files button to show you
a list of files that have been saved on the Array for WPR. The list is
displayed in the Status section at the bottom of the WMI window. You
must reboot to make your changes take effect.
15. Download Sample Files: Click on a link to access the corresponding
sample WPR files:
•
wpr.pl — a sample Perl script.
•
hs.css — a sample cascading style sheet.
Network Tools
Figure 153. System Command (Ping)
16. System Command: Choose Trace Route, Ping., or RADIUS Ping. For
Trace Route and Ping, fill in IP Address and Timeout. Then click the
Execute button to run the command.
Figure 154. Radius Ping Command
Using Tools on the Wi-Fi Array
305
Wi-Fi Array
The RADIUS Ping command is a simple utility that tests connectivity to a
RADIUS server by attempting to log in with the specified Username and
Password. When using a RADIUS server, this command allows you to
verify that the server configuration is correct and whether a particular
Username and Password are set up properly. If a client is having trouble
accessing the network, you can quickly determine if there is a basic
RADIUS problem by using the RADIUS Ping tool. For example, in
Figure 155 (A), RADIUS Ping is unable to contact the server. In Figure 155
(B), RADIUS Ping verifies that the host information and secret for a
RADIUS server are correct, but that the user account information is not.
Select RADIUS allows you to select a RADIUS server that you have
already configured. When you make a choice in this field, additional
fields will be displayed. Set Select RADIUS to External Radius, Internal
Radius, or a server specified for a particular SSID, or select Other Server
to specify another server by entering its Host name or IP address, Port,
and shared Secret.
Enter the RADIUS Credentials: Username and Password. Select the
Authentication Type, PAP or CHAP. Click the Execute button to run the
command. The message Testing RADIUS connection appears. Click OK
to proceed.
Figure 155. Radius Ping Output
306
Using Tools on the Wi-Fi Array
Wi-Fi Array
17. IP Address: For Ping or Trace Route, enter the IP address of the target
device.
18. Timeout: For Ping or Trace Route, enter a value (in seconds) before the
action times out.
19. Execute System Command: Click Execute to start the specified
command. Progress of command execution is displayed in the Progress
frame. Results are displayed in the Status frame.
Progress and Status Frames
The Progress frame displays a progress bar for commands such as Software
Upgrade and Ping. The Status frame presents the output from system
commands (Ping and Trace Route), as well as other information, such as the
results of software upgrade.
20. If you want to save the parameters you established in this window for
future sessions, click on the Save changes to flash button.
Using Tools on the Wi-Fi Array
307
Wi-Fi Array
CLI
The WMI provides this window to allow you to use the Array’s Command Line
Interface (CLI). You can enter commands to configure the Array, or display
information using show commands. You will not need to log in - you already
logged in to the Array when you started the WMI.
Figure 156. CLI Window
To enter a command, simply type it in. The command is echoed and output is
shown in the normal way — that is, the same way it would be if you were using
the CLI directly. You may use the extra scroll bar inside the right edge of the
window to scroll through your output.
This window has some minor differences, compared to direct use of the CLI via
the console or an SSH connection:

308
The CLI starts in config mode. All configuration and show commands are
available in this mode. You can “drill down” the mode further in the
usual way. For example, you can type interface iap to change the mode to
Using Tools on the Wi-Fi Array
Wi-Fi Array
config-iap. The prompt will indicate the current command mode, for
example:
My-Array(config-iap) # 

You can abbreviate a command and it will be executed if you have typed
enough of the command to be unambiguous. The command will not
auto-complete, however. Only the abbreviated command that you
actually typed will be shown. You can type a partial command and press
Tab to have the command auto-complete. If the partial command is
ambiguous a list of legal endings is displayed.

Entering quit will return you to the previously viewed WMI page.

Most, but not all, CLI commands can be run in this window. Specifically
the run-test menu of commands is not available in this window. To use
the run-test command, please connect using SSH and use CLI directly, or
use the System Tools described in this chapter, such as Trace Route, Ping,
and RADIUS Ping.
Help commands (the ? character) are available, either at the prompt or after you
have typed part of a command.
Options
This window allows you to customize the behavior and appearance of the WMI.
Figure 157. WMI Display Options
Procedure for Configuring Options
1.
Style: This option allows you to change the appearance and operation of
the user interface. Select one of the available styles from the drop-down
list. Click the Apply button to view the WMI with the selected style.
Using Tools on the Wi-Fi Array
309
Wi-Fi Array
Note that some styles just change the display appearance (the skin) of
WMI, in much the same way as changing the display theme used in
Windows 7. Other styles include more extensive changes to the interface.
Figure 158. iPhone Style Option
For example, the iPhone style option (Figure 158) has a more compact
display, suitable for use on smart phones. It shows the main menu in the
orange bar at the top, rather than as a tree in its own frame on the left.
Clicking one of the menu choices at the top in Figure 158 will display a
drop-down menu with the options for that menu choice. Menus may be
toggled on and off by clicking on the headers (Status, Configuration, etc.).
310
Using Tools on the Wi-Fi Array
Wi-Fi Array
2.
Refresh Interval in Seconds: Many of the windows in the Status section
of the WMI have an Auto Refresh option. You may use this setting to
change how often a status or statistics window is refreshed, if its auto
refresh option is enabled. Enter the desired number of seconds between
refreshes. The default refresh interval is 30 seconds.
3.
Close Menu Section when Deselected: When you click a main section
such as SSIDs in the left frame of the WMI (the navigation tree), the
section is expanded to show submenu choices. Click Yes to automatically
close any open submenus when you select a different section. If you click
No, all menu sections will remain expanded once opened. No is the
default. Note that if you enable this feature and you expand a section by
clicking its orange arrow, the section will stay open as you select
windows in other menu sections.
4.
Clear Screen When Loading New Page: When this option is enabled and
you click on a page that takes a long time to load for any reason, the main
area of the screen is blanked out and displays a Loading… message. If
this option is disabled, WMI simply shows the page you were viewing
until the new page loads.
Using Tools on the Wi-Fi Array
311
Wi-Fi Array
Logout
Click on the Logout button to terminate your session. When the session is
terminated, you are presented with the Array’s login window.
Figure 159. Login Window
312
Using Tools on the Wi-Fi Array
Wi-Fi Array
The Command Line Interface
This section covers the commands and the command structure used by the Wi-Fi
Array’s Command Line Interface (CLI), and provides a procedure for establishing
an SSH connection to the Array. Topics discussed include:

“Establishing a Secure Shell (SSH) Connection” on page 313.

“Getting Started with the CLI” on page 315.

“Top Level Commands” on page 317.

“Configuration Commands” on page 326.

“Sample Configuration Tasks” on page 360.

Some commands are only available if the Array’s license includes
appropriate Xirrus Advanced Feature Sets. If a command is unavailable,
an error message will notify you that your license does not support the
feature. See “About Licensing and Upgrades” on page 297.
See Also
Establishing Communication with the Array
Network Map
System Tools
Establishing a Secure Shell (SSH) Connection
Use this procedure to initialize the system and log in to the Command Line
Interface (CLI) via a Secure Shell (SSH) utility, such as PuTTY. When connecting to
the unit’s Command Line Interface over a network connection, you must use a
Secure SHell version 2 (SSH-2) utility. Make sure that your SSH utility is set up to
use SSH-2.
1.
Start your SSH session and communicate with the Array via its IP
address.
•
If the Array is connected to a network that uses DHCP, use the
address assigned by DHCP. We recommend that you have the
The Command Line Interface
313
Wi-Fi Array
network administrator assign a reserved address to the Array for ease
of access in the future.
•
2.
If the network does not use DHCP, use the factory default address
10.0.2.1 to access either the Gigabit 1 or Gigabit 2 Ethernet port. You
may need to change the IP address of the port on your computer that
is connected to the Array — change that port’s IP address so that it is
on the same 10.0.2.xx subnet as the Array port.
At the login prompt, enter your user name and password (the default for
both is admin). Login names and passwords are case-sensitive. You are
now logged in to the Array’s Command Line Interface.
Figure 160. Logging In
314
The Command Line Interface
Wi-Fi Array
Getting Started with the CLI
The root command prompt (Root Command Prompt) is the first prompt you see
after logging in to the CLI. If you are at a level other than the root command
prompt you can return to this prompt at any time by using the exit command to
step back through each command prompt level. The root command prompt you
see in the CLI window is determined by the host name you assigned to your
Array. The prompt Xirrus_Wi-Fi_Array is displayed throughout this document
simply because this is the host name assigned to the Array used for development.
To terminate your session at any time, use the quit command.
Inputting Commands
When inputting commands you need only type as many characters as the system
requires before it recognizes your input. For example, you can type the
abbreviated term config to access the configure prompt.
Getting Help
The CLI offers the following two levels of assistance:

help Command
The help command is only available at the root command prompt.
Initiating this command generates a window that provides information
about the types of help that are available with the CLI.
Figure 161. Help Window
The Command Line Interface
315
Wi-Fi Array

? Command
This command is available at any prompt and provides either FULL or
PARTIAL help. Using the ? (question mark) command when you are
ready to enter an argument will display all the possible arguments (full
help). Partial help is provided when you enter an abbreviated argument
and you want to know what arguments will match your input.
Figure 162. Full Help
Figure 163 shows an example of how the Help system can provide the
argument and format when specifying the time zone under the date-time
command.
Figure 163. Partial Help
316
The Command Line Interface
Wi-Fi Array
Top Level Commands
This section offers an at-a-glance view of all top level commands — organized
alphabetically. Top level commands are defined here as commands that are
directly accessible from the root command prompt (Xirrus_Wi-Fi_Array#). The
root command prompt is based on the host name assigned to your Array. When
inputting commands, be aware that all commands are case-sensitive.
All other commands are considered second level configuration commands —
these are the commands you use to configure specific elements of the Array’s
features and functionality. For a listing of these commands with examples of
command formats and structure, go to “Configuration Commands” on page 326.
Root Command Prompt
The following table shows the top level commands that are available from the
root command prompt [Xirrus_Wi-Fi_Array].
Command
Description
Type @n to execute command n (as shown by the
history command).
configure
Enter the configuration mode. See “Configuration
Commands” on page 326.
exit
Exit the CLI and terminate your session — if this
command is used at any level other than the root
command prompt you will simply exit the current
level (step back) and return to the previous level.
help
Show a description of the interactive help system.
See also, “Getting Help” on page 315.
history
List history of commands that have been
executed.
more
Turn terminal pagination ON or OFF.
quit
Exit the Command Line Interface (from any level).
search
Search for pattern in show command output.
The Command Line Interface
317
Wi-Fi Array
Command
show
Description
Display information about the selected item. See
“show Commands” on page 321.
statistics
Display statistical data about the Array. See
“statistics Commands” on page 324.
uptime
Display the elapsed time since the last boot.
configure Commands
The following table shows the second level commands that are available with the
top level configure command [Xirrus_Wi-Fi_Array(config)#].
Command
Description
Type @n to execute command n (as shown by the
history command).
acl
Configure the Access Control List.
admin
cdp
clear
Configure Cisco Discovery Protocol settings.
Remove/clear the requested elements.
cluster
Make configuration changes to multiple Arrays.
contact-info
Contact information for assistance on this Array.
date-time
318
Define administrator access parameters.
Configure date and time settings.
dhcp-server
Configure the DHCP Server.
dns
Configure the DNS settings.
end
Exit the configuration mode.
exit
Go UP one mode level.
file
Manage the file system.
The Command Line Interface
Wi-Fi Array
Command
Description
filter
Define protocol filter parameters.
group
Define user groups with parameter settings
help
Description of the interactive Help system.
history
List history of commands that have been
executed.
hostname
Host name for this Array.
interface
Select the interface to configure.
load
location
management
more
netflow
no
quit
radius-server
reboot
Load running configuration from flash
Location name for this Array.
Configure array management parameters
Turn ON or OFF terminal pagination.
Configure NetFlow data collector.
Disable (if enabled) or set to default value.
Exit the Command Line Interface.
Configure the RADIUS server parameters.
Reboot the Array.
reset
Reset all settings to their factory default values
and reboot.
restore
Reset all settings to their factory default values
and reboot.
run-tests
save
search
security
Run selective tests.
Save the running configuration to FLASH.
Search for pattern in show command output.
Set the security parameters for the Array.
The Command Line Interface
319
Wi-Fi Array
Command
show
Display current information about the selected
item.
snmp
Enable, disable or configure SNMP.
ssid
statistics
320
Description
Configure the SSID parameters.
Display statistics.
syslog
Enable, disable or configure the Syslog Server.
uptime
Display time since the last boot.
vlan
Configure VLAN parameters.
wifi-tag
Configure VLAN parameters.
The Command Line Interface
Wi-Fi Array
show Commands
The following table shows the second level commands that are available with the
top level show command [Xirrus_Wi-Fi_Array# show].
Command
acl
admin
Description
Display the Access Control List.
Display the administrator list or login
information.
array-info
Display system information.
associatedstations
Display stations that have associated to the Array.
boot-env
capabilities
Display Boot loader environment variables.
Display detailed station capabilities.
cdp
Display Cisco Discovery Protocol settings.
channel-list
Display list of Array’s 802.11a(n) and bg(n)
channels.
clear-text
Display and enter passwords and secrets in the
clear.
conntrack
Display the Connection Tracking table.
console
Display terminal settings.
contact-info
Display contact information.
country-list
Display countries that the Array can be set to
support.
date-time
Display date and time settings summary.
dhcp-leases
Display IP addresses (leases) assigned to stations
by the DHCP server.
dhcp-pool
Display internal DHCP server settings summary
information.
The Command Line Interface
321
Wi-Fi Array
Command
diff
Display the difference between configurations.
dns
Display DNS summary information.
env-ctrl
error-numbers
ethernet
Display the environmental controller status for the
outdoor enclosure.
Display the detailed error number in error
messages.
Display Ethernet interface summary information.
external-radius
Display summary information for the external
RADIUS server settings.
factory-config
Display the Array factory configuration
information.
filters
iap
Display filter information.
Display IAP configuration information.
internal-radius
Display the users defined for the embedded
RADIUS server.
lastboot-config
Display Array configuration at the time of the last
boot-up.
management
Display settings for managing the Array, plus
Standby, FIPS, and other information.
network-map
Display network map information.
realtime-monitor
rogue-ap
route
rssi-map
running-config
322
Description
Display realtime statistics for all IAPs.
Display rogue AP information.
Display the routing table.
Display RSSI map by IAP for station.
Display configuration information for the Array
currently running.
The Command Line Interface
Wi-Fi Array
Command
saved-config
Description
Display the last saved Array configuration.
security
Display security settings summary information.
self-test
Display self test results.
snmp
spanning-tree
spectrumanalyzer
ssid
Display SNMP summary information.
Display spanning tree information.
Display spectrum analyzer measurements.
Display SSID summary information.
stations
Display station information.
statistics
Display statistics.
syslog
Display the system log.
syslog-settings
Display the system log (Syslog) settings.
temperature
Display the current board temperatures.
unassociatedstations
Display unassociated station information.
vlan
Display VLAN information.
wds
Display WDS information.

Display configuration or status information.
The Command Line Interface
323
Wi-Fi Array
statistics Commands
The following table shows the second level commands that are available with the
top level statistics command [Xirrus_Wi-Fi_Array# statistics].
Command
ethernet
Ethernet Name
eth0, gig1, gig2
filter
filter-list
iap
324
Description
Display statistical data for all Ethernet interfaces.
Display statistical data for the defined Ethernet
interface (either eth0, gig1 or gig2).
FORMAT:
statistics gig1
Display statistics for defined filters (if any).
FORMAT:
statistics filter [detail]
Display statistics for defined filter list (if any).
FORMAT:
statistics filter 
Display statistical data for the defined IAP.
FORMAT:
statistics iap iap2
station
Display statistical data about associated stations.
FORMAT:
statistics station billw
vlan
Display statistical data for the defined VLAN. You
must use the VLAN number (not its name) when
defining a VLAN.
FORMAT:
statistics vlan 1
The Command Line Interface
Wi-Fi Array
Command
Description
wds
Display statistical data for the defined active WDS
(Wireless Distribution System) links.
FORMAT:
statistics wds 1

Display configuration or status information.
The Command Line Interface
325
Wi-Fi Array
Configuration Commands
All configuration commands are accessed by using the configure command at the
root command prompt (Xirrus_Wi-Fi_Array#). This section provides a brief
description of each command and presents sample formats where deemed
necessary. The commands are organized alphabetically. When inputting
commands, be aware that all commands are case-sensitive.
To see examples of some of the key configuration tasks and their associated
commands, go to “Sample Configuration Tasks” on page 360.
acl
The acl command [Xirrus_Wi-Fi_Array(config)# acl] is used to configure the
Access Control List.
Command
add
Add a MAC address to the list.
FORMAT:
acl add AA:BB:CC:DD:EE:FF
del
Delete a MAC address from the list.
FORMAT:
acl del AA:BB:CC:DD:EE:FF
disable
Disable the Access Control List
FORMAT:
acl disable
enable
Enable the Access Control List
FORMAT:
acl enable
reset
326
Description
Delete all MAC addresses from the list.
FORMAT:
acl reset
The Command Line Interface
Wi-Fi Array
admin
The admin command [Xirrus_Wi-Fi_Array(config-admin)#] is used to configure
the Administrator List.
Command
Description
add
Add a user to the Administrator List.
FORMAT:
admin add [userID]
del
Delete a user to the Administrator List.
FORMAT:
admin del [userID]
edit
Modify user in the Administrator List.
FORMAT:
admin edit [userID]
radius
reset
Define a RADIUS server to be used for
authenticating administrators.
FORMAT:
admin radius [disable | enable | off | on |
timeout  | auth-type [PAP | CHAP]]
admin radius [primary |secondary] 
port  server [ | ]
secret 
Delete all users and restore the default user.
FORMAT:
admin reset
The Command Line Interface
327
Wi-Fi Array
cdp
The cdp command [Xirrus_Wi-Fi_Array(config)# cdp] is used to configure the
Cisco Discovery Protocol.
Command
328
Description
disable
Disable the Cisco Discovery Protocol
FORMAT:
cdp disable
enable
Enable the Cisco Discovery Protocol
FORMAT:
cdp enable
hold-time
Select CDP message hold time before messages
received from neighbors expire.
FORMAT:
cdp hold-time [# seconds]
interval
The Array sends out CDP announcements at this
interval.
FORMAT:
cdp interval [# seconds]
off
Disable the Cisco Discovery Protocol
FORMAT:
cdp off
on
Enable the Cisco Discovery Protocol
FORMAT:
cdp on
The Command Line Interface
Wi-Fi Array
clear
The clear command [Xirrus_Wi-Fi_Array(config)# clear] is used to clear
requested elements.
Command
authentication
Description
Deauthenticate a station.
FORMAT:
clear station [authenticated station]
history
Clear the history of CLI commands executed.
FORMAT:
clear history
screen
Clear the screen where you’re viewing CLI
output.
FORMAT:
clear syslog
statistics
Clear the statistics for a requested interface.
FORMAT:
clear statistics [eth0]
syslog
Clear all Syslog messages, but continue to log new
messages.
FORMAT:
clear syslog
The Command Line Interface
329
Wi-Fi Array
cluster
The cluster command [Xirrus_Wi-Fi_Array(config)# cluster] is used to create and
operate clusters. Clusters allow you to configure multiple Arrays at the same
time. Using CLI (or WMI), you may define a set of Arrays that are members of the
cluster. Then you may switch the Array to Cluster operating mode for a selected
cluster, which sends all successive configuration commands issued via CLI or
WMI to all of the member Arrays. When you exit cluster mode, configuration
commands revert to applying only to the Array to which you are connected.
For more information, see “Clusters” on page 289.
330
Command
Description
add
Create a new Array cluster. Enters edit mode for
that cluster to allow you to specify the Arrays that
belong to the cluster.
FORMAT:
cluster add [cluster-name]
del
Delete an Array cluster. Type del ? to list the
existing clusters.
FORMAT:
cluster del [cluster-name]
edit
Enter edit mode for selected cluster to add or
delete Arrays that belong to the cluster.
FORMAT:
cluster edit [cluster-name]
end
Exit Cluster configuration mode. Configuration
returns to normal operation, affecting this Array
only.
FORMAT:
cluster end
The Command Line Interface
Wi-Fi Array
Command
operate
reset
Description
Enter Cluster operation mode. All configuration
commands are applied to all of the selected
cluster’s member Arrays until you give the end
command (see above).
FORMAT:
cluster operate [cluster-name]
Delete all clusters.
FORMAT:
cluster reset
contact-info
The contact-info command [Xirrus_Wi-Fi_Array(config)# contact-info] is used
for managing administrator contact information.
Command
Description
email
Add an email address for the contact (must be in
quotation marks).
FORMAT:
contact-info email [“contact@mail.com”]
name
Add a contact name (must be in quotation marks).
FORMAT:
contact-info name [“Contact Name”]
phone
Add a telephone number for the contact (must be
in quotation marks).
FORMAT:
contact-info phone [“8185550101”]
The Command Line Interface
331
Wi-Fi Array
date-time
The date-time command [Xirrus_Wi-Fi_Array(config-date-time)#] is used to
configure the date and time parameters. Your Array supports the Network Time
Protocol (NTP) in order to ensure that the Array’s internal time is accurate. NTP is
set to UTC time by default; however, you can set the time zone so that your Array
will display local time. This is done by defining an offset from the UTC value. For
example, Pacific Standard Time is 8 hours behind UTC time, so the offset from
UTC time would be -8.
Command
dst_adjust
Enable adjustment for daylight savings.
FORMAT:
date-time dst_adjust
no
Disable daylight savings adjustment.
FORMAT:
date-time no dst_adjust
ntp
Enable the NTP server.
FORMAT:
date-time ntp on (or off to disable)
offset
set
timezone
332
Description
Set an offset from Greenwich Mean Time.
FORMAT:
date-time no dst_adjust
Set the date and time for the Array.
FORMAT:
date-time set [10:24 10/23/2007]
Configure the time zone.
FORMAT:
date-time timezone [-8]
The Command Line Interface
Wi-Fi Array
dhcp-server
The dhcp-server command [Xirrus_Wi-Fi_Array(config-dhcp-server)#] is used to
add, delete and modify DHCP pools.
Command
Description
add
Add a DHCP pool.
FORMAT:
dhcp-server add [dhcp pool]
del
Delete a DHCP pool.
FORMAT:
dhcp-server del [dhcp pool]
edit
Edit a DHCP pool
FORMAT:
dhcp-server edit [dhcp pool]
reset
Delete all DHCP pools.
FORMAT:
dhcp-server reset
The Command Line Interface
333
Wi-Fi Array
dns
The dns command [Xirrus_Wi-Fi_Array(config-dns)#] is used to configure your
DNS parameters.
Command
334
Description
domain
Enter your domain name.
FORMAT:
dns domain [www.mydomain.com]
server1
Enter the IP address of the primary DNS server.
FORMAT:
dns server1 [1.2.3.4]
server2
Enter the IP address of the secondary DNS server.
FORMAT:
dns server1 [2.3.4.5]
server3
Enter the IP address of the tertiary DNS server.
FORMAT:
dns server1 [3.4.5.6]
The Command Line Interface
Wi-Fi Array
file
The file command [Xirrus_Wi-Fi_Array(config-file)#] is used to manage files.
Command
active-image
backup-image
check-image
chkdsk
copy
cp
dir
erase
format
Description
Validate and commit a new array software image.
Validate and commit a new backup software image.
Validate a new array software image.
Check flash file system.
Copy a file to another file.
FORMAT:
file copy [sourcefile destinationfile]
List the contents of a directory.
FORMAT:
file dir [directory]
Delete a file from the FLASH file system.
FORMAT:
file erase [filename]
Format flash file system.
ftp
Open an FTP connection with a remote server. Files
will be transferred in binary mode.
FORMAT:
file ftp host { |} [port ] 
[user {anonymous |  password
 } ] { put  [] |
get  [] }
Note: Any time you transfer any kind of software
image file for the Array, it must be transferred in
binary mode, or the file may be corrupted.
list
List the contents of a file.
FORMAT:
file list [filename]
The Command Line Interface
335
Wi-Fi Array
Command
Description
remote-config
When the Array boots up, it fetches the specified
configuration file from the TFTP server defined in
the file remote-server command, and uses this
configuration. This must be an Array configuration
file with a .conf extension.
A partial configuration file may be used. For
instance, if you wish to use a single configuration file
for all of your Arrays but don't want to have the
same IP address for each Array, you may remove the
ipaddr line from the file. You can then load the file on
each array and the local IP addresses will not change.
FORMAT:
file remote-config 
Note: If you enter file remote-config ?, the help
response suggests possibilities by listing all of the
configuration files that are currently in the Array’s
flash.
remote-image
When the Array boots up, it fetches the named image
file from the TFTP server defined in the file remoteserver command, and upgrades to this file before
booting. This must be an Array image file with a .bin
extension.
FORMAT:
file remote-image 
Note: This will happen every time that the Array
reboots. If you only want to fetch the remote-image
one time be sure to turn off the remote image option
after the initial download.
remote-server
Sets up a TFTP server to be used for automated
remote update of software image and configuration
files when rebooting.
FORMAT:
file remote-server A.B.C.D
rename
336
Rename a file.
The Command Line Interface
Wi-Fi Array
Command
Description
scp
Copy a file to or from a remote system. You may
specify the port to use.
tftp
Open a TFTP connection with a remote server.
FORMAT:
file tftp host { |} [port ] 
[user {anonymous |  password
 } ] { put  [] |
get  [] }
Note: Any time you transfer any kind of software
image file for the Array, it must be transferred in
binary mode, or the file may be corrupted.
The Command Line Interface
337
Wi-Fi Array
filter
The filter command [Xirrus_Wi-Fi_Array(config-filter)#] is used to manage
protocol filters and filter lists.
Command
add
add-list
del
del-list
edit
338
Description
Add a filter.
FORMAT:
filter add [name]
Add a filter list.
FORMAT:
filter add-list [name]
Delete a filter.
FORMAT:
filter del [name]
Delete a filter list.
FORMAT:
filter del-list [name]
Edit a filter.
FORMAT:
filter edit [name type]
edit-list
Edit a filter list
FORMAT:
filter edit-list [name type]
enable
Enable a filter list.
FORMAT:
filter enable
move
Change a filter priority.
FORMAT:
filter move [name priority]
The Command Line Interface
Wi-Fi Array
Command
Description
off
Disable a filter list.
FORMAT:
filter off
on
Enable a filter list.
FORMAT:
filter on
reset
stateful
Delete all protocol filters and filter lists.
FORMAT:
filter reset
Enable or disable stateful filtering (firewall).
FORMAT:
Stateful [enable | disable | on |off]
The Command Line Interface
339
Wi-Fi Array
group
The group command [Xirrus_Wi-Fi_Array(config)# group] is used to create and
configure user groups. User groups allow administrators to assign specific
network parameters to users through RADIUS privileges rather than having to
map users to a specific SSID. Groups provide flexible control over user privileges
without the need to create large numbers of SSIDs. For more information, see
“Groups” on page 228.
Command
Description
add
Create a new user group.
FORMAT:
group add [group-name]
del
Delete a user group.
FORMAT:
group del [group-name]
edit
Set parameters values for a group.
FORMAT:
group edit [group-name]
reset
Reset the group.
FORMAT:
group reset
hostname
The hostname command [Xirrus_Wi-Fi_Array(config)# hostname] is used to
change the hostname used by the Array.
Command
hostname
340
Description
Change the hostname of the Array.
FORMAT:
hostname [name]
The Command Line Interface
Wi-Fi Array
interface
The interface command [Xirrus_Wi-Fi_Array(config)# interface] is used to select
the interface that you want to configure. To see a listing of the commands that are
available for each interface, use the ? command at the selected interface prompt.
For example, using the ? command at the Xirrus_Wi-Fi_Array(config-gig1}#
prompt displays a listing of all commands for the gig1 interface.
Command
Description
console
Select the console interface. The console interface
is used for management purposes only.
FORMAT:
interface console
eth0
Select the Fast Ethernet interface. The Fast
Ethernet interface is used for management
purposes only.
FORMAT:
interface eth0
Note: To configure a static route for management
traffic, next enter:
static-route addr [ip-addr]
static-route mask [subnet-mask]
gig1
Select the Gigabit 1 interface.
FORMAT:
interface gig1
gig2
Select the Gigabit 2 interface.
FORMAT:
interface gig2
iap
Select an IAP.
FORMAT:
interface iap
The Command Line Interface
341
Wi-Fi Array
load
The load command [Xirrus_Wi-Fi_Array(config)# load] loads a configuration
file.
Command
Description
factory.conf
Load the factory settings configuration file.
FORMAT:
load [factory.conf]
lastboot.conf
Load the configuration file from the last boot-up.
FORMAT:
load [lastboot.conf]
[myfile].conf
If you have saved a configuration, enter its name
to load it.
FORMAT:
load [myfile.conf]
saved.conf
Load the configuration file with the last saved
settings.
FORMAT:
load [saved.conf]
location
The location command [Xirrus_Wi-Fi_Array(config)# location] is used to set the
location for the Array.
Command

342
Description
Set the location for the Array.
FORMAT:
location [newlocation]
The Command Line Interface
Wi-Fi Array
management
The management command [Xirrus_Wi-Fi_Array(config)# management] enters
management mode, where you may configure management parameters.
Command

Description
Enter management mode.
FORMAT:
management 
The following types of settings may be configured in management mode:

console
Configure console management parameters

fips
Enable/disable FIPS 140-2, Level 2 Security. 
See Appendix E: Implementing FIPS Security

https
Enable/disable HTTPS access

license
Set array software license key

load
Load running configuration from flash

network-assurance
Enable/disable network assurance

pci-audit
Enable/disable PCI (Payment Card Industry)
audit mode. 
See “The pci-audit Command” on page 428.

restore
Restore to previous saved config

save
Save running configuration to flash

ssh
Enable/disable SSH access

standby
Configure standby parameters

telnet
Enable/disable telnet access
The Command Line Interface
343
Wi-Fi Array
more
The more command [Xirrus_Wi-Fi_Array(config)# more] is used to turn terminal
pagination ON or OFF.
Command
344
Description
off
Turn OFF terminal pagination.
FORMAT:
more off
on
Turn ON terminal pagination.
FORMAT:
more on
The Command Line Interface
Wi-Fi Array
netflow
The netflow command [Xirrus_Wi-Fi_Array(config-netflow)#] is used to enable
or disable, or configure sending IP flow information (traffic statistics) to the
collector you specify.
Command
Description
disable
Disable netflow.
FORMAT:
netflow disable
enable
Enable netflow.
FORMAT:
netflow enable
off
Disable netflow.
FORMAT:
netflow off
on
Enable netflow.
FORMAT:
netflow on
collector
Set the netflow collector IP address or fully
qualified domain name (host.domain). Only one
collector may be set. If port is not specified, the
default is 2055.
FORMAT:
netflow collector host { | }
[port ]
The Command Line Interface
345
Wi-Fi Array
no
The no command [Xirrus_Wi-Fi_Array(config)# no] is used to disable a selected
element or set the element to its default value.
Command
acl
dot11a
dot11bg
https
Disable the Access Control List.
FORMAT:
no acl
Disable all 802.11a(n) IAPs (radios).
FORMAT:
no dot11a
Disable all 802.11bg(n) IAPs (radios).
FORMAT:
no dot11bg
Disable https access.
FORMAT:
no https
intrude-detect
Disable intrusion detection.
FORMAT:
no intrude-detect
management
Disable management on all Ethernet interfaces.
FORMAT:
no management
more
ntp
346
Description
Disable terminal pagination.
FORMAT:
no more
Disable the NTP server.
FORMAT:
no ntp
The Command Line Interface
Wi-Fi Array
Command
snmp
ssh
Description
Disable SNMP features.
FORMAT:
no snmp
Disable ssh access.
FORMAT:
no ssh
syslog
Disable the Syslog services.
FORMAT:
no syslog
telnet
Disable Telnet access.
FORMAT:
no telnet
ETH-NAME
Disable the selected Ethernet interface (eth0, gig1
or gig2). You cannot disable the console interface.
with this command.
FORMAT:
no eth0 (gig1 or gig2)
The Command Line Interface
347
Wi-Fi Array
quit
The quit command [Xirrus_Wi-Fi_Array(config)# quit] is used to exit the
Command Line Interface.
Command

Description
Exit the Command Line Interface.
FORMAT:
quit
If you have made any configuration changes and
your changes have not been saved, you are
prompted to save your changes to Flash.
At the prompt, answer Yes to save your changes,
or answer No to discard your changes.
radius-server
The radius-server command [Xirrus_Wi-Fi_Array(config-radius-server)#] is
used to configure the external and internal RADIUS server parameters.
Command
external
Configure an external RADIUS server.
FORMAT:
radius-server external
To configure a RADIUS server (primary,
secondary, or accounting server, by IP address or
host name), and the reporting interval use:
radius-server external accounting
internal
Configure the external RADIUS server.
FORMAT:
radius-server internal
use
348
Description
Choose the active RADIUS server (either external
or internal).
FORMAT:
use external (or internal)
The Command Line Interface
Wi-Fi Array
reboot
The reboot command [Xirrus_Wi-Fi_Array(config)# reboot] is used to reboot the
Array. If you have unsaved changes, the command will notify you and give you a
chance to cancel the reboot.
Command
Description

Reboot the Array.
FORMAT:
reboot
delay
Reboot the Array after a delay of 1 to 60 seconds.
FORMAT:
reboot delay [n]
reset
The reset command [Xirrus_Wi-Fi_Array(config)# reset] is used to reset all
settings to their default values then reboot the Array.
Command
Description

Reset all configuration parameters to their factory
default values.
FORMAT:
reset
The Array is rebooted automatically.
preserve-ipsettings
Preserve all ethernet and VLAN settings and reset
all other configuration parameters to their factory
default values.
FORMAT:
reset preserve-ip-settings
The Array is rebooted automatically.
The Command Line Interface
349
Wi-Fi Array
restore
The restore command [Xirrus_Wi-Fi_Array(config)# restore] is used to restore
configuration to a version that was previously saved locally.
350
Command
Description
Use this to display the list of available config files.
FORMAT:
restore ?

Enter the name of the locally saved configuration
to restore.
FORMAT:
restore 
The Command Line Interface
Wi-Fi Array
run-tests
The run-tests command [Xirrus_Wi-Fi_Array(run-tests)#] is used to enter runtests mode, which allows you to perform a range of tests on the Array.
Command
Description

Enter run-tests mode.
FORMAT:
run-tests
iperf
Execute iperf utility.
FORMAT:
run-tests iperf
kill-beacons
Turn off beacons for selected single IAP.
FORMAT:
run-tests kill-beacons [off | iap-name]
kill-proberesponses
led
Turn off probe responses for selected single IAP.
FORMAT:
run-tests kill-probe-responses [off | iap-name]
LED test.
FORMAT:
run-tests led [flash | rotate]
memtest
Execute memory tests.
FORMAT:
run-tests memtest
ping
Execute ping utility.
FORMAT:
run-tests ping [host-name | ip-addr]
The Command Line Interface
351
Wi-Fi Array
Command
radius-ping
Description
Special ping utility to test the connection to a
RADIUS server.
FORMAT:
run-tests radius-ping [external | ssid ]
[primary | secondary] user  password
 auth-type [CHAP | PAP]
run-tests radius-ping [internal | server
 port  secret  ]
user  password  
auth-type [CHAP | PAP]
You may select a RADIUS server that you have
already configured (ssid or external or internal) or
specify another server.
rlb
Run manufacturing radio loopback test.
FORMAT:
run-tests rlb {optional command line switches}
self-test
Execute self-test.
FORMAT:
run-tests self-test {logfile-name (optional)]
site-survey
Enable or disable site survey mode.
FORMAT:
run-tests site-survey [on | off | enable | disable]
ssh
Execute ssh utility.
FORMAT:
run-tests ssh [hostname | ip-addr]
[command-line-switches (optional)]
tcpdump
Execute tcpdump utility to dump traffic for selected
interface or VLAN. Supports 802.11 headers.
FORMAT:
run-tests tcpdump
352
The Command Line Interface
Wi-Fi Array
Command
telnet
Description
Execute telnet utility.
FORMAT:
run-tests telnet [hostname | ip-addr]
[command-line-switches (optional)]
traceroute
Execute traceroute utility.
FORMAT:
run-tests traceroute [host-name | ip-addr]
security
The security command [Xirrus_Wi-Fi_Array(config-security)#] is used to
establish the security parameters for the Array.
Command
Description
wep
Set the WEP encryption parameters.
FORMAT:
security wep
wpa
Set the WEP encryption parameters.
FORMAT:
security wpa
The Command Line Interface
353
Wi-Fi Array
snmp
The snmp command [Xirrus_Wi-Fi_Array(config-snmp)#] is used to enable,
disable, or configure SNMP.
Command
v2
Enable SNMP v2.
FORMAT:
snmp v2
v3
Enable SNMP v3.
FORMAT:
snmp v3
trap
354
Description
Configure traps for SNMP. Up to four trap
destinations may be configured, and you may
specify whether to send traps for authentication
failure.
FORMAT:
snmp trap
The Command Line Interface
Wi-Fi Array
ssid
The ssid command [Xirrus_Wi-Fi_Array(config-ssid)#] is used to establish your
SSID parameters.
Command
Description
add
Add an SSID.
FORMAT:
ssid add [newssid]
del
Delete an SSID.
FORMAT:
ssid del [oldssid]
edit
Edit an existing SSID.
FORMAT:
ssid edit [existingssid]
reset
Delete all SSIDs and restore the default SSID.
FORMAT:
ssid reset
The Command Line Interface
355
Wi-Fi Array
syslog
The syslog command [Xirrus_Wi-Fi_Array(config-syslog)#] is used to enable,
disable, or configure the Syslog server.
Command
console
Enable or disable the display of Syslog messages
on the console, and set the level to be displayed.
All messages at this level and lower (i.e., more
severe) will be displayed.
FORMAT:
syslog console [on/off] level [0-7]
disable
Disable the Syslog server.
FORMAT:
syslog disable
email
Disable the Syslog server.
FORMAT:
syslog email from [email-from-address] 
level [0-7]
password [email-acct-password]
server [email-server-IPaddr] 
test [test-msg-text]
to-list [recipient-email-addresses]
user [email-acct-username]
enable
Enable the Syslog server.
FORMAT:
syslog enable
local-file
no
356
Description
Set the size and/or severity level (all messages at
this level and lower will be logged).
FORMAT:
syslog local-file size [1-500] level [0-7]
Disable the selected feature.
FORMAT:
syslog no [feature]
The Command Line Interface
Wi-Fi Array
Command
Description
off
Disable the Syslog server.
FORMAT:
syslog off
on
Enable the Syslog server.
FORMAT:
syslog on
primary
secondary
Set the IP address of the primary Syslog server
and/or the severity level of messages to be
logged.
FORMAT:
syslog primary [1.2.3.4] level [0-7]
Set the IP address of the secondary (backup)
Syslog server and/or the severity level of
messages to be logged.
FORMAT:
syslog primary [1.2.3.4] level [0-7]
uptime
The uptime command [Xirrus_Wi-Fi_Array(config)# uptime] is used to display
the elapsed time since you last rebooted the Array.
Command

Description
Display time since last reboot.
FORMAT:
uptime
The Command Line Interface
357
Wi-Fi Array
vlan
The vlan command [Xirrus_Wi-Fi_Array(config-vlan)#] is used to establish your
VLAN parameters.
Command
add
default-route
delete
edit
native-vlan
358
Description
Add a VLAN.
FORMAT:
vlan add [newvlan]
Assign a VLAN for the default route (for
outbound management traffic).
FORMAT:
vlan default-route [defaultroute]
Delete a VLAN.
FORMAT:
vlan delete [oldvlan]
Modify an existing VLAN.
FORMAT:
vlan edit [existingvlan]
Assign a native VLAN (traffic is untagged).
FORMAT:
vlan native-vlan [nativevlan]
no
Disable the selected feature.
FORMAT:
vlan no [feature]
reset
Delete all existing VLANs.
FORMAT:
vlan reset
The Command Line Interface
Wi-Fi Array
wifi-tag
The wifi-tag command [Xirrus_Wi-Fi_Array(config-wifi-tag)#] is used to enable
or disable Wi-Fi tag capabilities. When enabled, the Array listens for and collects
information about Wi-Fi RFID tags sent on the designated channels. See also “WiFi Tag” on page 161.
Command
Description
disable
Disable wifi-tag.
FORMAT:
wifi-tag disable
enable
Enable wifi-tag.
FORMAT:
wifi-tag enable
off
Disable wifi-tag.
FORMAT:
wifi-tag off
on
Enable wifi-tag.
FORMAT:
wifi-tag on
tag-channel-bg
Set an 802.11b or g channel for listening for tags.
FORMAT:
wifi-tag tag-channel-bg <1-255>
udp-port
Set the UDP port which a tagging server will use
to query the Array for tagging information.
FORMAT:
wifi-tag udp-port <1025-65535>
The Command Line Interface
359
Wi-Fi Array
Sample Configuration Tasks
This section provides examples of some of the common configuration tasks used
with the Wi-Fi Array, including:

“Configuring a Simple Open Global SSID” on page 361.

“Configuring a Global SSID using WPA-PEAP” on page 362.

“Configuring an SSID-Specific SSID using WPA-PEAP” on page 363.

“Enabling Global IAPs” on page 364.

“Disabling Global IAPs” on page 365.

“Enabling a Specific IAP” on page 366.

“Disabling a Specific IAP” on page 367.

“Setting Cell Size Auto-Configuration for All IAPs” on page 368

“Setting the Cell Size for All IAPs” on page 369.

“Setting the Cell Size for a Specific IAP” on page 370.

“Configuring VLANs on an Open SSID” on page 371.

“Configuring Radio Assurance Mode (Loopback Tests)” on page 372.
To facilitate the accurate and timely management of revisions to this section, the
examples shown here are presented as screen images taken from a Secure Shell
(SSH) session (in this case, PuTTY). Depending on the application you are using
to access the Command Line Interface, and how your session is set up (for
example, font and screen size), the images presented on your screen may be
different than the images shown in this section. However, the data displayed will
be the same.
Some of the screen images shown in this section have been modified for clarity.
For example, the image may have been “elongated” to show all data without the
need for additional images or scrolling. We recommend that you use the Adobe
PDF version of this User’s Guide when reviewing these examples — a hard copy
document may be difficult to read.
As mentioned previously, the root command prompt is determined by the host
name assigned to your Array.
360
The Command Line Interface
Wi-Fi Array
Configuring a Simple Open Global SSID
This example shows you how to configure a simple open global SSID.
Figure 164. Configuring a Simple Open Global SSID
The Command Line Interface
361
Wi-Fi Array
Configuring a Global SSID using WPA-PEAP
This example shows you how to configure a global SSID using WPA-PEAP
encryption in conjunction with the Array’s Internal RADIUS server.
Figure 165. Configuring a Global SSID using WPA-PEAP
362
The Command Line Interface
Wi-Fi Array
Configuring an SSID-Specific SSID using WPA-PEAP
This example shows you how to configure an SSID-specific SSID using WPAPEAP encryption in conjunction with the Array’s Internal RADIUS server.
Figure 166. Configuring an SSID-Specific SSID using WPA-PEAP
The Command Line Interface
363
Wi-Fi Array
Enabling Global IAPs
This example shows you how to enable all IAPs (radios), regardless of the
wireless technology they use.
Figure 167. Enabling Global IAPs
364
The Command Line Interface
Wi-Fi Array
Disabling Global IAPs
This example shows you how to disable all IAPs (radios), regardless of the
wireless technology they use.
Figure 168. Disabling Global IAPs
The Command Line Interface
365
Wi-Fi Array
Enabling a Specific IAP
This example shows you how to enable a specific IAP (radio). In this example, the
IAP that is being enabled is a1 (the first IAP in the summary list).
Figure 169. Enabling a Specific IAP
366
The Command Line Interface
Wi-Fi Array
Disabling a Specific IAP
This example shows you how to disable a specific IAP (radio). In this example,
the IAP that is being disabled is a2 (the second IAP in the summary list).
Figure 170. Disabling a Specific IAP
The Command Line Interface
367
Wi-Fi Array
Setting Cell Size Auto-Configuration for All IAPs
This example shows how to set the cell size for all enabled IAPs to be autoconfigured (auto). (See “Fine Tuning Cell Sizes” on page 28.) The auto_cell option
may be used with global_settings, global_a_settings, or global_bg_settings. It
sets the cell size of the specified IAPs to auto, and it launches an autoconfiguration to adjust the sizes. Be aware that if the intrude-detect feature is
enabled on the monitor radio, its cell size is unaffected by this command. Also,
any IAPs used in WDS links are unaffected.
Auto-configuration may be set to run periodically at intervals specified by
auto_cell period (in seconds) if period is non-zero. The percentage of overlap
allowed between cells in the cell size computation is specified by auto_cell
overlap (0 to 100). This example sets auto-configuration to run every 1200 seconds
with an allowed overlap of 5%. It sets the cell size of all IAPs to auto, and runs a
cell size auto-configure operation which completes successfully.
Figure 171. Setting the Cell Size for All IAPs
368
The Command Line Interface
Wi-Fi Array
Setting the Cell Size for All IAPs
This example shows you how to establish the cell size for all IAPs (radios),
regardless of the wireless technology they use. Be aware that if the intrude-detect
feature is enabled on the monitor radio the cell size cannot be set globally — you
must first disable the intrude-detect feature on the monitor radio.
In this example, the cell size is being set to small for all IAPs. You have the option
of setting IAP cell sizes to small, medium, large, or max. See also, “Fine Tuning
Cell Sizes” on page 28.
Figure 172. Setting the Cell Size for All IAPs
The Command Line Interface
369
Wi-Fi Array
Setting the Cell Size for a Specific IAP
This example shows you how to establish the cell size for a specific IAP (radio). In
this example, the cell size for a2 is being set to medium. You have the option of
setting IAP cell sizes to small, medium, large, or max (the default is max). See
also, “Fine Tuning Cell Sizes” on page 28.
Figure 173. Setting the Cell Size for a Specific IAP
370
The Command Line Interface
Wi-Fi Array
Configuring VLANs on an Open SSID
This example shows you how to configure VLANs on an Open SSID.

Setting the default route
enables the Array to send
management traffic, such as
Syslog messages and SNMP
information to a destination
behind a router.
Figure 174. Configuring VLANs on an Open SSID
The Command Line Interface
371
Wi-Fi Array
Configuring Radio Assurance Mode (Loopback Tests)
The Array uses its built-in monitor radio to monitor other radios in the Array.
Tests include sending probes on all channels and checking for a response, and
checking whether beacons are received from the other radio. If a problem is
detected, corrective actions are taken to recover. Loopback mode operation is
described in detail in “Array Monitor and Radio Assurance Capabilities” on
page 412.
The following actions may be configured:

alert-only — the Array will issue an alert in the Syslog.

repair-without-reboot — the Array will issue an alert and reset radios at
the Physical Layer (Layer 1) and possibly at the MAC layer. The reset
should not be noticed by users, and they will not need to reassociate.

reboot-allowed — the Array will issue an alert, reset the radios, and
schedule the Array to reboot at midnight (per local Array time) if
necessary. All stations will need to reassociate to the Array.

off — Disable IAP loopback tests (no self-monitoring occurs). Radio
Assurance mode is off by default.
This is a global IAPs setting — the monitor radio will monitor all other radios
according to the settings above, and it cannot be set up to monitor particular
radios. Radio assurance mode requires Intrusion Detection to be set to Standard.
The following example shows you how to configure a loopback test.
372
The Command Line Interface
Wi-Fi Array
Figure 175. Configuring Radio Assurance Mode (Loopback Testing)
The Command Line Interface
373
Wi-Fi Array
374
The Command Line Interface
Wi-Fi Array
Appendices
Appendices
375
Wi-Fi Array
Page is intentionally blank
376
Appendices
Wi-Fi Array
Appendix A: Servicing the Wi-Fi Array
This appendix contains procedures for servicing the Xirrus Wi-Fi Array, including
the removal and reinstallation of major hardware components. Topics include:

“Removing the Access Panel” on page 379.

“Reinstalling the Access Panel” on page 382.

“Replacing the FLASH Memory Module” on page 384.

“Replacing the Main System Memory” on page 386.

“Replacing the Integrated Access Point Radio Module” on page 388.

“Replacing the Power Supply Module” on page 391.
Always disconnect the power source from the Array before attempting to
remove or replace components. Never work on the unit with the power
connected.
You must be grounded and the work surface must be static-free.
Caution! The Array contains a battery which is not to be replaced by the
customer. Danger of Explosion exists if the battery is incorrectly replaced.
Power switch
AC power cord receptacle
Figure 176. Disconnecting Power from the Array

Appendices
Most service activities are performed with the Array placed face-down on a
flat work surface. To avoid damaging the finished enclosure, we recommend
using a protective material between the work surface and the unit (a clean
sheet of paper will do the trick).
377
Wi-Fi Array
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
378
Appendices
Wi-Fi Array
Removing the Access Panel
Use this procedure when you want to remove the system’s access panel. You must
remove this panel whenever you need to service the internal components of the
Array.
1.
Disconnect the AC power cord or Ethernet cable supplying power from
the Array.
2.
Place the Array face-down on a flat surface. Avoid moving the unit to
reduce the risk of damage (scratching) to the finished enclosure.
3.
Remove the screws (3 places) that secure the access panel to the main
body of the Array.
Screw
Screw
Screw
Figure 177. Removing the Access Panel Screws
Appendices
379
Wi-Fi Array
4.
Lift up the access panel to reveal the main system board.
Lift up the access panel
Figure 178. Removing the Access Panel
5.
Disconnect the connectors to the power supply and the fan.
Fan connector
Power supply connector
Figure 179. Disconnecting the Power Supply and Fan
6.
380
The access panel can now be safely removed.
Appendices
Wi-Fi Array
See Also
Reinstalling the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
Appendix A: Servicing the Wi-Fi Array
Appendices
381
Wi-Fi Array
Reinstalling the Access Panel
Use this procedure when you need to reinstall the access panel after servicing the
Array’s internal components.
1.
Reconnect the fan and power supply.
Fan connector
Power supply connector
Figure 180. Reconnecting the Fan and Power Supply
2.
Reinstall the access panel and secure the panel with the three screws.
Screw
! Do not
overtighten
Screw
! Do not
overtighten
Screw
! Do not
overtighten
Figure 181. Reinstalling the Access Panel
382
Appendices
Wi-Fi Array
3.
Reconnect the power source and turn ON the main power switch (if
applicable).
See Also
Removing the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
Appendix A: Servicing the Wi-Fi Array
Appendices
383
Wi-Fi Array
Replacing the FLASH Memory Module
Use this procedure when you want to replace the system’s FLASH memory
module.
1.
Remove the system’s access panel. Refer to “Removing the Access Panel”
on page 379.
2.
Remove the FLASH memory module, taking care not to “wiggle” the
module and risk damaging the connection points.
FLASH memory module
Figure 182. Removing the FLASH Memory Module
3.
384
The removal procedure is complete. You can now reinstall the FLASH
memory module (or install a new module).
Appendices
Wi-Fi Array
4.
Reinstall the access panel (refer to “Reinstalling the Access Panel” on
page 382).
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Replacing the Power Supply Module
Appendix A: Servicing the Wi-Fi Array
Appendices
385
Wi-Fi Array
Replacing the Main System Memory
Use this procedure when you want to replace the main system memory.
1.
Remove the access panel (refer to “Removing the Access Panel” on
page 379).
2.
Remove the DIMM memory module, taking care not to “wiggle” the
module and risk damaging the connection points.
DIMM memory module
Push down on
the two locking
tabs to release
the DIMM
memory module
Figure 183. Removing the DIMM Memory Module
3.
The removal procedure is complete. You can now reinstall the DIMM
memory module (or install a new module). Ensure that the DIMM
memory module is seated evenly and the locking tabs are in the upright
position. The DIMM memory module is keyed to fit in its socket in one
direction only.
4.
Reinstall the access panel (refer to “Reinstalling the Access Panel” on
page 382).
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the FLASH Memory Module
386
Appendices
Wi-Fi Array
Replacing the Integrated Access Point Radio Module
Replacing the Power Supply Module
Appendix A: Servicing the Wi-Fi Array
Appendices
387
Wi-Fi Array
Replacing the Integrated Access Point Radio Module
Use this procedure when you want to replace the integrated access point radio
module.
1.
Remove the access panel (refer to “Removing the Access Panel” on
page 379).
2.
Remove the locking screws (8 places) that secure the chassis cover to the
main body of the Wi-Fi Array.
Screws (8 places)
Figure 184. Removing the Chassis Cover Screws
3.
Lift and remove the chassis cover.
Remove the chassis cover
Figure 185. Removing the Chassis Cover
388
Appendices
Wi-Fi Array
4.
Lift the edge of the integrated access point module.
Lift here (do not force)
Figure 186. Lifting the Integrated Access Point Module
5.
Slide the integrated access point module away from the unit to disconnect
it from the main system board.
Disconnect the module
Figure 187. Disconnect the Integrated Access Point Module
6.
The removal procedure is complete. You can now reinstall the integrated
access point module (or install a new module).
Appendices
389
Wi-Fi Array
7.
Reinstall the chassis cover (see warnings).
When reinstalling the chassis cover, take care to align the cover correctly to
avoid damaging the antenna modules. Do not force the chassis cover onto the
body of the unit.
Do not overtighten the locking screws.
8.
Reinstall the locking screws (8 places) to secure the chassis cover in
place — do not overtighten.
9.
Reinstall the access panel (refer to “Reinstalling the Access Panel” on
page 382).
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the FLASH Memory Module
Replacing the Main System Memory
Replacing the Power Supply Module
Appendix A: Servicing the Wi-Fi Array
390
Appendices
Wi-Fi Array
Replacing the Power Supply Module
Use this procedure when you want to replace the power supply module.
1.
Remove the access panel (refer to “Removing the Access Panel” on
page 379).
2.
Because the power supply unit is molded into the access panel, you must
install a new access panel assembly (with the power supply attached).
Refer to “Reinstalling the Access Panel” on page 382.
Access panel (with power supply and fan)
Figure 188. Installing a New Access Panel (with Power Supply)
See Also
Reinstalling the Access Panel
Removing the Access Panel
Replacing the FLASH Memory Module
Replacing the Integrated Access Point Radio Module
Replacing the Main System Memory
Appendix A: Servicing the Wi-Fi Array
Appendices
391
Wi-Fi Array
Use this Space for Your Notes
392
Appendices
Wi-Fi Array
Appendix B: Quick Reference Guide
This section contains product reference information. Use this section to locate the
information you need quickly and efficiently. Topics include:

“Factory Default Settings” on page 393.

“Keyboard Shortcuts” on page 399.
Factory Default Settings
The following tables show the Wi-Fi Array’s factory default settings.
Host Name
Setting
Host name
Default Value
Xirrus-WiFi-Array
Network Interfaces
Serial
Setting
Default Value
Baud Rate
115200
Word Size
8 bits
Stop Bits
Parity
No parity
Time Out
10 seconds
393
Wi-Fi Array
Gigabit 1 and Gigabit 2
Setting
Default Value
Enabled
Yes
DHCP Bind
Yes
Default IP Address
10.0.2.1
Default IP Mask
255.255.255.0
Default Gateway
None
Auto Negotiate
On
Duplex
Full
Speed
1000 Mbps
MTU Size
1504
Management Enabled
Yes
Fast Ethernet
Setting
Enabled
Yes
DHCP Bind
Yes
Default IP Address
394
Default Value
10.0.1.1
Default IP Mask
255.255.255.0
Default Gateway
None
Auto Negotiate
On
Duplex
Full
Speed
100 Mbps
Wi-Fi Array
Setting
Default Value
MTU Size
1500
Management Enabled
Yes
Server Settings
NTP
Setting
Default Value
Enabled
No
Primary
time.nist.gov
Secondary
pool.ntp.org
Syslog
Setting
Enabled
Local Syslog Level
Maximum Internal Records
Primary Server
Primary Syslog Level
Secondary Server
Secondary Syslog Level
Default Value
Yes
Information
500
None
Information
None
Information
395
Wi-Fi Array
SNMP
Setting
Enabled
Default Value
Yes
Read-Only Community String
xirrus_read_only
Read-Write Community String
xirrus
Trap Host
null (no setting)
Trap Port
162
Authorization Fail Port
On
DHCP
Setting
Enabled
No
Maximum Lease Time
300 minutes
Default Lease Time
300 minutes
IP Start Range
192.168.1.2
IP End Range
192.168.1.254
NAT
396
Default Value
Disabled
IP Gateway
None
DNS Domain
None
DNS Server (1 to 3)
None
Wi-Fi Array
Default SSID
Setting
Default Value
ID
xirrus
VLAN
None
Encryption
Off
Encryption Type
QoS
None
Enabled
Yes
Broadcast
On
Security
Global Settings - Encryption
Setting
Enabled
Default Value
Yes
WEP Keys
null (all 4 keys)
WEP Key Length
null (all 4 keys)
Default Key ID
WPA Enabled
No
TKIP Enabled
Yes
AES Enabled
Yes
EAP Enabled
Yes
PSK Enabled
No
Pass Phrase
null
397
Wi-Fi Array
Setting
Group Rekey
Default Value
Disabled
External RADIUS (Global)
Setting
Enabled
Yes
Primary Server
None
Primary Port
1812
Primary Secret
Secondary Server
Secondary Port
Secondary Secret
Time Out (before primary server is
retired)
Accounting
Interval
xirrus
null (no IP address)
1812
null (no secret)
600 seconds
Disabled
300 seconds
Primary Server
None
Primary Port
1813
Primary Secret
xirrus
Secondary Server
None
Secondary Port
1813
Secondary Secret
398
Default Value
null (no secret)
Wi-Fi Array
Internal RADIUS
Setting
Enabled
Default Value
No
The user database is cleared upon reset to the factory defaults. For the
Internal RADIUS Server you have a maximum of 1,000 entries.
Administrator Account and Password
Setting
Default Value
ID
admin
Password
admin
Management
Setting
SSH
SSH timeout
Telnet
Telnet timeout
Serial
Serial timeout
Management over IAPs
http timeout
Default Value
On
300 seconds
Off
300 seconds
On
300 seconds
Off
300 seconds
Keyboard Shortcuts
399
Wi-Fi Array
The following table shows the most common keyboard shortcuts used by the
Command Line Interface.
Action
Cut selected data and place it on the
clipboard.
Ctrl + X
Copy selected data to the clipboard.
Ctrl + C
Paste data from the clipboard into a
document (at the insertion point).
Ctrl + V
Go to top of screen.
Ctrl + Z
Copy the active window to the
clipboard.
Copy the entire desktop image to the
clipboard.
Abort an action at any time.
Alt + Print Screen
Print Screen
Esc
Go back to the previous screen.
Access the Help screen.
See Also
An Overview
400
Shortcut
Wi-Fi Array
Use this Space for Your Notes
401
Wi-Fi Array
402
Wi-Fi Array
Appendix C: Technical Support
This appendix provides valuable support information that can help you resolve
technical difficulties. Before contacting Xirrus, review all topics below and try to
determine if your problem resides with the Wi-Fi Array or your network
infrastructure. Topics include:

“General Hints and Tips” on page 403

“Frequently Asked Questions” on page 404

“Array Monitor and Radio Assurance Capabilities” on page 412

“RADIUS Vendor Specific Attributes (VSAs) for Xirrus” on page 415

“Upgrading the Array via CLI” on page 418

“Contact Information” on page 423
General Hints and Tips
This section provides some useful tips that will optimize the reliability and
performance of your Wi-Fi Arrays.

The Wi-Fi Array requires careful handling. For best performance, units
should be mounted in a dust-free and temperature-controlled
environment.

If using multiple Arrays in the same area, maintain a distance of at least
100 feet (30m) between Arrays if there is direct line-of-sight between the
units, or at least 50 feet (15 m) if a wall or other barrier exists between the
units.

Keep the Wi-Fi Array away from electrical devices or appliances that
generate RF noise. Because the Array is generally mounted on ceilings, be
aware of its position relative to lighting (especially fluorescent lighting).

If using AC power, each Wi-Fi Array requires its own dedicated AC
power outlet. Do not attempt to “piggy-back” AC power to multiple
units. To avoid needing to run separate power cables to one or more
Arrays, consider using Power over Gigabit Ethernet.
403
Wi-Fi Array

If you are deploying multiple units, the Array should be oriented so that
the monitor radio is oriented in the direction of the least required
coverage, because when in monitor mode the radio does not function as
an AP servicing stations.

The Wi-Fi Array should only be used with Wi-Fi certified client devices.
See Also
Contact Information
Multiple SSIDs
Security
VLAN Support
Frequently Asked Questions
This section answers some of the most frequently asked questions, organized by
functional area.
Multiple SSIDs
Q. What Are BSSIDs and SSIDs?
A. BSSID (Basic Service Set Identifier) refers to an individual access point
radio and its associated clients. The identifier is the MAC address of the
access point radio that forms the BSS.
A group of BSSs can be formed to allow stations in one BSS to
communicate to stations in another BSS by way of a backbone that
interconnects each access point.
The Extended Service Set (ESS) refers to the group of BSSIDs that are
grouped together to form one ESS. The ESSID (often referred to as SSID or
“wireless network name”) identifies the Extended Service Set. Clients
must associate to a single ESS at any given time. Clients ignore traffic
from other Extended Service Sets that do not have the same SSID.
Legacy access points typically support one SSID per access point. Xirrus
Wi-Fi Arrays support the ability for multiple SSIDs to be defined and
used simultaneously.
404
Wi-Fi Array
Q. What would I use SSIDs for?
A. The creation of different wireless network names allows system
administrators to separate types of users with different requirements. The
following policies can be tied to an SSID:

Minimum security required to join this SSID.

The wireless Quality of Service (QoS) desired for this SSID.

The wired VLAN associated with this SSID.
As an example, one SSID named accounting might require the highest
level of security, while another SSID named guests might have low
security requirements.
Another example may define an SSID named voice that supports voice
over Wireless LAN phones with the highest possible Quality of Service
(QoS) definition. This type of SSID might also forward traffic to specific
VLANs on the wired network.
Q. How do I set up SSIDs?
A. Use the following procedure as a guideline. For more detailed
information, go to “SSIDs” on page 208.
1.
From the Web Management Interface, go to the SSID
Management page.
2.
Select Yes to make the SSID visible to all clients on the network.
Although the Wi-Fi Array will not broadcast SSIDs that are
hidden, clients can still associate to a hidden SSID if they know
the SSID name to connect to it.
3.
Select the minimum security that will be required by users for
this SSID.
4.
If desired (optional), select a Quality of Service (QoS) setting for
this SSID. The QoS setting you define here will prioritize wireless
traffic for this SSID over other SSID wireless traffic.
5.
If desired (optional), select a VLAN that you want this traffic to
be forwarded to on the wired network.
405
Wi-Fi Array
6.
If desired (optional), you can select which radios this SSID will
not be available on — the default is to make this SSID available on
all radios.
7.
Click on the Save changes to flash if you wish to make your
changes permanent.
8.
If you need to edit any of the SSID settings, you can do so from
the SSID Management page.
See Also
Contact Information
General Hints and Tips
Security
SSIDs
SSID Management
VLAN Support
Security
Q. How do I ensure that an Array meets FIPS requirements?
A. To meet the Level 2 security requirements of FIPS 140-2, follow the
instructions in Appendix E: Implementing FIPS Security.
Q. How do I ensure that an Array meets PCI DSS requirements?
A. To meet PCI DSS requirements, follow the instructions in Appendix D:
Implementing PCI DSS.
Q. How do I know my management session is secure?
A. Follow these guidelines:

406
Administrator passwords
Always change the default administrator password (the default
is admin), and choose a strong replacement password. When
appropriate, issue read only administrator accounts.
Wi-Fi Array

SSH versus Telnet
Be aware that Telnet is not secure over network connections and
should be used only with a direct serial port connection. When
connecting to the unit’s Command Line Interface over a network
connection, you must use a Secure SHell (SSH) utility. The most
commonly used freeware providing SSH tools is PuTTY. The
Array only allows SSH-2 connections, so your SSH utility must
be set up to use SSH-2.

Configuration auditing
Do not change approved configuration settings. The optional
Xirrus Management System (XMS) offers powerful management
features for small or large Wi-Fi Array deployments, and can
audit your configuration settings automatically. In addition,
using the XMS eliminates the need for an FTP server.
Q. Which wireless data encryption method should I use?
A. Wireless data encryption prevents eavesdropping on data being
transmitted or received over the airwaves. The Wi-Fi Array allows you to
establish the following data encryption configuration options:

Open
This option offers no data encryption and is not recommended,
though you might choose this option if clients are required to use
a VPN connection through a secure SSH utility, like PuTTy.

WEP (Wired Equivalent Privacy)
This option provides minimal protection (though much better
than using an open network). An early standard for wireless data
encryption and supported by all Wi-Fi certified equipment, WEP
is vulnerable to hacking and is therefore not recommended for
use by Enterprise networks.

WPA (Wi-Fi Protected Access)
This is a much stronger encryption model than WEP and uses
TKIP (Temporal Key Integrity Protocol) with AES (Advanced
Encryption Standard) to prevent WEP cracks.
407
Wi-Fi Array
TKIP solves security issues with WEP. It also allows you to
establish encryption keys on a per-user-basis, with key rotation
for added security. In addition, TKIP provides Message Integrity
Check (MIC) functionality and prevents active attacks on the
wireless network.
AES is the strongest encryption standard and is used by
government agencies; however, old legacy hardware may not be
capable of supporting the AES mode (it probably won’t work on
older wireless clients). Because AES is the strongest encryption
standard currently available, it is highly recommended for
Enterprise networks.
Any of the above encryption modes can be used (and can be used at
the same time).

TKIP encryption does not support high throughput rates, per the
IEEE 802.11n.
TKIP should never be used for WDS links on XN arrays.
Q. Which user authentication method should I use?
A. User authentication ensures that users are who they say they are. For
example, the most obvious example of authentication is logging in with a
user name and password. The Wi-Fi Array allows you to choose between
the following user authentication methods:
408

Pre-Shared Key
Users must manually enter a key (pass phrase) on the client side
of the wireless network that matches the key stored by the
administrator in your Wi-Fi Arrays.

RADIUS 802.1x with EAP
802.1x uses a RADIUS server to authenticate large numbers of
clients, and can handle different EAP (Extensible Authentication
Protocol) authentication methods, including EAP-TLS, EAPTTLS and EAP-PEAP. The RADIUS server can be internal
Wi-Fi Array
(provided by the Wi-Fi Array) or external. An external RADIUS
server offers more functionality and is recommended for large
Enterprise deployments.
When using this method, user names and passwords must be
entered into the RADIUS server for user authentication.

MAC Address ACLs (Access Control Lists)
MAC address ACLs provide a list of client adapter MAC
addresses that are allowed or denied access to the wireless
network. Access Control Lists work well when there are a limited
number of users — in this case, enter the MAC addresses of each
user in the Allow list. In the event of a lost or stolen MAC
adapter, enter the affected MAC address in the Deny list.
Q. Why do I need to authenticate my Wi-Fi Array units?
A. When deploying multiple Wi-Fi Arrays, you may need to define which
units are part of which wireless network (for example, if you are
establishing more than one network). In this case, you need to employ the
Xirrus Management System (XMS) which can authenticate your Arrays
automatically and ensure that only authorized units are associated with
the defined wireless network.
Q. What is rogue AP (Access Point) detection?
A. The Wi-Fi Array has integrated monitor capabilities, which can
constantly scan the local wireless environment for rogue APs (non-Xirrus
devices that are not part of your wireless network), unencrypted
transmissions, and other security issues. Administrators can then classify
each rogue AP and ensure that these devices do not interrupt or interfere
with the network.
See Also
Contact Information
General Hints and Tips
Multiple SSIDs
VLAN Support
409
Wi-Fi Array
VLAN Support
Q. What Are VLANs?
A. VLANs (Virtual Local Area Networks) are a logical grouping of network
devices that share a common network broadcast domain. Members of a
particular VLAN can be on any segment of the physical network but
logically only members of a particular VLAN can see each other.
VLANs are defined and implemented using the wired network switches
that are VLAN capable. Packets are tagged for transmission on a
particular VLAN according to the IEEE 802.1Q standard, with VLAN
switches processing packets according to the tag.
Q. What would I use VLANs for?
A. Logically separating different types of users, systems, applications, or
other logical division aids in performance and management of different
network devices. Different VLANs can also be assigned with different
packet priorities to prioritize packets from one VLAN over packets from
another VLAN.
VLANs are managed by software settings — instead of physically
plugging in and moving network cables and users — which helps to ease
network management tasks.
Q. What are Wireless VLANs?
A. Wireless VLANs allow similar functionality to the wired VLAN
definitions and extend the operation of wired VLANs to the wireless side
of the network.
Wireless VLANs can be mapped to wireless SSIDs so that traffic from
wired VLANs can be sent to wireless users of a particular SSID. The
reverse is also true, where wireless traffic originating from a particular
SSID can be tagged for transmission on a particular wired VLAN.
Sixteen SSIDs can be defined on your Wi-Fi Array, allowing a total of
sixteen VLANs to be accessed (one per SSID).
410
Wi-Fi Array
As an example, to provide guest user access an SSID of guest might be
created. This SSID could be mapped to a wired VLAN that segregates
unknown users from the rest of the wired network and restricts them to
Internet access only. Wireless users could then associate to the wireless
network via the guest SSID and obtain access to the Internet through the
selected VLAN, but would be unable to access other privileged network
resources.
See Also
Contact Information
General Hints and Tips
Multiple SSIDs
Security
411
Wi-Fi Array
Array Monitor and Radio Assurance Capabilities
All models of the Wi-Fi Array have integrated monitoring capabilities to check
that the Array’s radios are functioning correctly, and act as a threat sensor to
detect and prevent intrusion from rogue access points.
Enabling Monitoring on the Array
Any radio may be set to monitor the Array or to be a normal IAP radio. In order to
enable the functions required for intrusion detection and for monitoring the other
Array radios, you must configure one monitor radio on the IAP Settings window
as follows:

Check the Enabled checkbox.

Set Mode to Monitor.

Set Channel to Monitor.
The settings above will automatically set the Antenna selection to
Internal-Omni., also required for monitoring. See the “IAP Settings” on page 237
for more details. The values above are the factory default settings for the Array.
How Monitoring Works
When the monitor radio has been configured as just described, it performs these
steps continuously (24/7) to check the other radios on the Array and detect
possible intrusions:
1.
The monitor radio scans all channels with a 200ms dwell time, hitting all
channels about once every 10 seconds.
2.
Each time it tunes to a new channel it sends out a probe request in an
attempt to smoke out rogues.
3.
It then listens for all probe responses and beacons to detect any rogues
within earshot.
4.
Array radios respond to that probe request with a probe response.
Intrusion Detection is enabled or disabled separately from monitoring. See Step 1
in “Advanced RF Settings” on page 262.
412
Wi-Fi Array
Radio Assurance
The Array is capable of performing continuous, comprehensive tests on its radios
to assure that they are operating properly. Testing is enabled using the Radio
Assurance Mode setting on the Advanced RF Settings window (Step 2 in
“Advanced RF Settings” on page 262). When this mode is enabled, the monitor
radio performs loopback tests on the Array. Radio Assurance Mode requires
Intrusion Detection to be set to Standard (See Step 1 in “Advanced RF Settings”
on page 262).
When Radio Assurance Mode is enabled:
1.
The Array keeps track of whether or not it hears beacons and probe
responses from the Array’s radios.
2.
After 10 minutes (roughly 60 passes on a particular channel by the
monitor radio), if it has not heard beacons or probe responses from one of
the Array’s radios it issues an alert in the Syslog. If repair is allowed (see
“Radio Assurance Options” on page 414), the Array will reset and
reprogram that particular radio at the Physical Layer (PHY — Layer 1).
This action takes under 100ms and stations are not deauthenticated, thus
users should not be impacted.
3.
After another 10 minutes (roughly another 60 passes), if the monitor still
has not heard beacons or probe responses from the malfunctioning radio
it will again issue an alert in the Syslog. If repair is allowed, the Array will
reset and reprogram the MAC (the lower sublayer of the Data Link Layer)
and then all of the PHYs. This is a global action that affects all radios. This
action takes roughly 300ms and stations are not deauthenticated, thus
users should not be impacted.
4.
After another 10 minutes, if the monitor still has not heard beacons or
probe responses from that radio, it will again syslog the issue. If reboot is
allowed (see “Radio Assurance Options” on page 414), the Array will
schedule a reboot. This reboot will occur at one of the following times,
whichever occurs first:
•
When no stations are associated to the Array
•
Midnight
413
Wi-Fi Array
Radio Assurance Options
If the monitor detects a problem with an Array radio as described above, it will
take action according to the preference that you have specified in the Radio
Assurance Mode setting on the Advanced RF Settings window (see Step 2
page 263):
414

Failure alerts only — The Array will issue alerts in the Syslog, but will not
initiate repairs or reboots.

Failure alerts & repairs, but no reboots — The Array will issue alerts and
perform resets of the PHY and MAC as described above.

Failure alerts & repairs & reboots if needed — The Array will issue
alerts, perform resets of the PHY and MAC, and schedule reboots as
described above.

Disabled — Disable IAP loopback tests (no self-monitoring occurs).
Loopback tests are disabled by default.
Wi-Fi Array
RADIUS Vendor Specific Attributes (VSAs) for Xirrus
A number of RADIUS VSAs are defined for Xirrus Arrays. These control
administrator privileges and a number of settings for user accounts, such as QoS,
roaming, VLAN, etc.
The RADIUS VSAs are used by Arrays to define selected attributes for the
following account types:

Array administrators — the Xirrus-Admin-Role attribute sets the
privilege level for this account. Set the value to the string defined in
Privilege Level Name as described in “About Creating Admin Accounts
on the RADIUS Server” on page 185.

Array users — all of the VSAs whose names start with Xirrus-User set
attributes of WiFi client accounts. As you can see in the dictionary.xirrus
file listed below, attribute types may be integer or string. For integer -type
attributes, the possible integer values that you may set are listed and
described in dictionary.xirrus. For string-type attributes, set the value to
an entry name that you have configured on the Array. For example, set
Xirrus-User-VLAN to a VLAN Name that you created in “VLAN
Management” on page 173. Most of the Xirrus-User attributes are
described in “Group Management” on page 230.
The following Xirrus RADIUS VSA dictionary is provided here as a sample for
your convenience. These definitions may be updated from time to time. Always
check the Xirrus Customer Support website for the latest version:
support.xirrus.com.
VENDOR
Xirrus
BEGIN-VENDOR Xirrus
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
Xirrus-Admin-Role
Xirrus-User-VLAN
Xirrus-User-Qos-WiFi
Xirrus-User-Qos-L2
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-DSCP
21013
string
string
integer
integer
integer
integer
415
Wi-Fi Array
416
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
ATTRIBUTE
Xirrus-User-Roaming-Layer
Xirrus-User-Traffic-Limit
Xirrus-User-DHCP-Pool
Xirrus-User-Filter-List
Xirrus-User-Group
Xirrus-User-Interface
Xirrus-User-Location
10
11
12
13
integer
integer
string
string
string
string
string
VALUE
VALUE
VALUE
VALUE
Xirrus-User-Qos-Wifi
Xirrus-User-Qos-Wifi
Xirrus-User-Qos-Wifi
Xirrus-User-Qos-Wifi
Best-Effort
Background
Video
Voice
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Xirrus-User-Qos-L2
Best-Effort
Background
Standard
Excellent-Effort
Controlled
Video
Voice
Network-Control
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
VALUE
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Routine
Priority
Immediate
Flash
Flash-Override
Critical-ECP
Internetwork-Control
Network-Control
VALUE
VALUE
VALUE
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Xirrus-User-Qos-L3-TOS
Low-Delay.
High-Throughput
High-Reliability
16
32
VALUE
VALUE
Xirrus-User-Roaming-Layer
Xirrus-User-Roaming-Layer
L2-only
L2-and-L3
Wi-Fi Array
VALUE
Xirrus-User-Roaming-Layer
END-VENDOR
Xirrus
None
417
Wi-Fi Array
Upgrading the Array via CLI
If you are experiencing difficulties communicating with the Array using the Web
Management Interface, the Array provides lower-level facilities that may be used
to accomplish an upgrade via the CLI and the Xirrus Boot Loader (XBL).
1.
Download the latest software update from the Xirrus FTP site using your
Enhanced Care FTP username and password. If you do not have an FTP
username and password, contact Xirrus Customer Service for assistance
(support@xirrus.com). The software update is provided as a zip file.
Unzip the contents to a local temp directory. Take note of the extracted file
name in case you need it later on — you may also need to copy this file
elsewhere on the network depending on your situation.
2.
Install a TFTP server software package if you don't have one running. It
may be installed on any PC on your network, including your desktop or
laptop. The Solar Winds version is freeware and works well.
http://support.solarwinds.net/updates/New-customerFree.cfm?ProdId=52
The TFTP install process creates the TFTP-Root directory on your C:
drive, which is the default target for sending and receiving files. This may
be changed if desired. This directory is where you will place the extracted
Xirrus software update file(s). If you install the TFTP server on the same
computer to which you extracted the file, you may change the TFTP
directory to C:\xirrus if desired.
You must make the following change to the default configuration of the
Solar Winds TFTP server. In the File/Configure menu, select Security,
then select Transmit only and click OK.
418
3.
Determine the IP address of the computer hosting the TFTP server. (To
display the IP address, open a command prompt and type ipconfig)
4.
Connect your Array to the computer running TFTP using a serial cable,
and open a terminal program if you haven't already. Attach a network
cable to the Array’s GIG1 port, if it is not already part of your network.
Wi-Fi Array
Boot your Array and watch the progress messages. When Press space bar
to exit to bootloader: is displayed, press the space bar. The rest of this
procedure is performed using the bootloader.
The following steps assume that you are running DHCP on your local
network.
5.
Type dhcp and hit return. This instructs the Array to obtain a DHCP
address and use it during this boot in the bootloader environment.
6.
Type dir and hit return to see what's currently in the compact flash.
7.
Type del and hit return to delete the contents of the compact flash.
8.
Type update server  XS-5.x-xxxx.bin (the actual
Xirrus file name will vary depending on Array model number and
software version — use the file name from your software update) and hit
return. The software update will be transferred to the Array's memory
and will be written to the compact flash card. (See output below.)
9.
Type reset and hit return. Your Array will reboot, running your new
version of software.
Sample Output for the Upgrade Procedure:
The user actions are highlighted in the output below, for clarity.
Username: admin
Password: *****
Xirrus-WiFi-Array# configure
Xirrus-WiFi-Array(config)# reboot
Are you sure you want to reboot? [yes/no]: yes
Array is being rebooted.
Xirrus Boot Loader 1.0.0 (Oct 17 2006 - 13:11:42), Build: 2725
Processor | Motorola PowerPC, PVR=80200020 SVR=80300020
Board | Xirrus MPC8540 CPU Board
Clocks | CPU : 825 MHz DDR : 330 MHz Local Bus: 41 MHz
419
Wi-Fi Array
L1 cache | Data: 32 KB Inst: 32 KB Status : Enabled
Watchdog | Enabled (5 secs)
I2C Bus | 400 KHz
DTT
| CPU:34C RF0:34C RF1:34C RF2:27C RF3:29C
RTC
| Wed 2007-Nov-05 6:43:14 GMT
System DDR | 256 MB, Unbuffered Non-ECC (2T)
L2 cache | 256 KB, Enabled
FLASH | 4 MB, CRC: OK
FPGA
| 2 Devices programmed
Packet DDR | 256 MB, Unbuffered Non-ECC, Enabled
Network | Mot FEC Mot TSEC1 [Primary] Mot TSEC2
IDE Bus 0 | OK
CFCard | 122 MB, Model: Hitachi XXM2.3.0
Environment| 4 KB, Initialized
In: serial
Out: serial
Err: serial
Press space bar to exit to bootloader:
XBL>dhcp
[DHCP ] Device : Mot TSEC1 1000BT Full Duplex
[DHCP ] IP Addr : 192.168.39.195
XBL>dir
[CFCard] Directory of /
Date Time Size File or Directory name
----------- -------- -------- --------------------------2007-Nov-05 6:01:56
29 lastboot
2007-Apr-05 15:47:46 28210390 xs-3.1-0433.bak
2007-Mar-01 16:39:42
storage/
2007-Apr-05 15:56:38 28210430 xs-3.1-0440.bin
2007-Mar-03 0:56:28
wpr/
3 file(s), 2 dir(s)
420
Wi-Fi Array
XBL>del *
[CFCard] Delete : 2 file(s) deleted
XBL>update server 192.168.39.102 xs-3.0-0425.bin
[TFTP ] Device : Mot TSEC1 1000BT Full Duplex
[TFTP ] Client : 192.168.39.195
[TFTP ] Server : 192.168.39.102
[TFTP ] File : xs-3.0-0425.bin
[TFTP ] Address : 0x1000000
[TFTP ] Loading : ##################################################
[TFTP ] Loading : ##################################################
[TFTP ] Loading : ###### done
[TFTP ] Complete: 12.9 sec, 2.1 MB/sec
[TFTP ] Bytes : 27752465 (1a77811 hex)
[CFCard] File : xs-3.0-0425.bin
[CFCard] Address : 0x1000000
[CFCard] Saving : ############################################### done
[CFCard] Complete: 137.4 sec, 197.2 KB/sec
[CFCard] Bytes : 27752465 (1a77811 hex)
XBL>reset
[RESET ]
Xirrus Boot Loader 1.0.0 (Oct 17 2006 - 13:11:42), Build: 2725
Processor | Motorola PowerPC, PVR=80200020 SVR=80300020
Board | Xirrus MPC8540 CPU Board
Clocks | CPU : 825 MHz DDR : 330 MHz Local Bus: 41 MHz
L1 cache | Data: 32 KB Inst: 32 KB Status : Enabled
Watchdog | Enabled (5 secs)
I2C Bus | 400 KHz
DTT
| CPU:33C RF0:32C RF1:31C RF2:26C RF3:27C
RTC
| Wed 2007-Nov-05 6:48:44 GMT
System DDR | 256 MB, Unbuffered Non-ECC (2T)
421
Wi-Fi Array
L2 cache | 256 KB, Enabled
FLASH | 4 MB, CRC: OK
FPGA
| 2 Devices programmed
Packet DDR | 256 MB, Unbuffered Non-ECC, Enabled
Network | Mot FEC Mot TSEC1 [Primary] Mot TSEC2
IDE Bus 0 | OK
CFCard | 122 MB, Model: Hitachi XXM2.3.0
Environment| 4 KB, Initialized
In: serial
Out: serial
Err: serial
Press space bar to exit to bootloader:
[CFCard] File : xs*.bin
[CFCard] Address : 0x1000000
[CFCard] Loading : ############################################### done
[CFCard] Complete: 26.9 sec, 1.0 MB/sec
[CFCard] Bytes : 27752465 (1a77811 hex)
[Boot ] Address : 0x01000000
[Boot ] Image : Verifying checksum .... OK
[Boot ] Unzip : Multi-File Image .... OK
[Boot ] Initrd : Loading RAMDisk Image
[Boot ] Initrd : Verifying checksum .... OK
[Boot ] Execute : Transferring control to OS
Initializing hardware ........................................ OK
Xirrus Wi-Fi Array
ArrayOS Version 3.0-425
Copyright (c) 2005-2007 Xirrus, Inc.
http://www.xirrus.com
Username:
422
Wi-Fi Array
Contact Information
Xirrus, Inc. is located in Thousand Oaks, California, just 55 minutes northwest of
downtown Los Angeles and 40 minutes southeast of Santa Barbara.
Xirrus, Inc.
2101 Corporate Center Drive
Thousand Oaks, CA 91320
USA
Tel:
Fax:
1.805.262.1600
1.800.947.7871 Toll Free in the US
1.866.462.3980
www.xirrus.com
support.xirrus.com
423
Wi-Fi Array
424
Wi-Fi Array
Appendix D: Implementing PCI DSS
The Payment Card Industry (PCI) Data Security Standard (DSS) was developed
by major credit card companies to help those that process credit card transactions
(or cardholder information) in order to secure cardholder information and protect
it from unauthorized access, fraud and other security issues. The major
contributors to the standard are VISA, MasterCard, American Express, JCB, and
Discover. The standard also helps consolidate various individual standards that
were developed by each of the listed card companies. Merchants or others who
process credit card transactions are required to comply with the standard and to
prove their compliance by way of an audit from a Qualified Security Assessor.
PCI DSS lays out a set of requirements that must be met in order to provide
adequate security for sensitive data.
Payment Card Industry Data Security Standard Overview
The PCI Data Security Standard (PCI DSS) has 12 main requirements that are
grouped into six control objectives. The following table lists each control objective
and the specific requirements for each objective. For the latest updates to this list,
check the PCI Security Standards Web site: www.pcisecuritystandards.org.
PCI DSS Control Objectives and Associated Requirements
Objective: Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect
cardholder data.

Requirement 2: Do not use vendor-supplied defaults for system passwords
and other security parameters.
Objective: Protect Cardholder Data

Requirement 3: Protect stored cardholder data.

Requirement 4: Encrypt transmission of cardholder data across open,
public networks.
425
Wi-Fi Array
PCI DSS Control Objectives and Associated Requirements
Objective: Maintain a Vulnerability Management Program

Requirement 5: Use and regularly update anti-virus software.

Requirement 6: Develop and maintain secure systems and applications.
Objective: Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-toknow.

Requirement 8: Assign a unique ID to each person with computer access.

Requirement 9: Restrict physical access to cardholder data.
Objective: Regularly Monitor and Test Networks

Requirement 10: Track and monitor all access to network resources and
cardholder data.

Requirement 11: Regularly test security systems and processes.
Objective: Maintain an Information Security Policy

Requirement 12: Maintain a policy that addresses information security.
PCI DSS and Wireless
The Xirrus Wi-Fi Array provides numerous security features that allow it to be a
component of a PCI DSS-compliant network. The following sections indicate the
specific features that allow the Xirrus Wi-Fi Array to operate in a PCI DSS mode.
426
Wi-Fi Array
The Xirrus Array PCI Compliance Configuration
The check list below is designed to help ensure that Xirrus Wi-Fi Arrays are
configured in a manner that is supportive of PCI Data Security Standards.
Detailed configuration steps for each item are found in the referenced section of
the User’s Guide.

Xirrus Wi-Fi Array Configuration for PCI DSS
( ) Register at the Xirrus Support Site to ensure
notification and access to software updates.
( ) Confirm that the latest version of the Array OS is
being used by checking the Xirrus web site.
( )
Enable PCI Mode after configuring the Array in a
PCI compliant state to ensure configuration
changes cannot be saved that would invalidate a
PCI compliant configuration. This item is covered
on the following pages.
( )
Allow only necessary protocols and networks to be
accessed by configuring your corporate firewall or
using the internal Array firewall.
See...

support.xirrus.com

The pci-audit
Command, p. 428

Filters, p. 283
( ) Change the default Admin account password.
( ) Remove any unnecessary admin or user accounts.
( ) Change the SNMP community string from the
default password.
( ) Use WPA2 and 802.1x authentication.
( ) Change default SSID from Xirrus to a user-defined
SSID.
( ) Disable SSID broadcast for all PCI compliant
SSIDs.
Express Setup, p. 139
Admin Management,
p. 181
SNMP, p. 165
Enable Secure Shell (ssh) for CLI (command line)
access.
Confirm telnet access is disabled (done by default).
Confirm management over the wireless network is
disabled.


Management Control,
p. 188
( )

( )
( )
SSIDs, p. 208 and
Global Settings, p. 197
SSIDs, p. 208
SSIDs, p. 208
Global Settings (IAP),
p. 243
427
Wi-Fi Array

Xirrus Wi-Fi Array Configuration for PCI DSS
See...
( ) Check that external RADIUS servers have been

configured for use with 802.1x and WPA/WPA2
wireless security.
( ) Ensure that Array Administration Accounts are
being validated by External RADIUS servers.

SSIDs, p. 208 and
Global Settings, p. 197

Admin RADIUS,
p. 185
( )
Dismounting the Array,
p. 61
See Indoor Enclosure
Ensure that each Xirrus Array is physically
inaccessible such that console ports and
management ports are not accessible.
( ) Enable Syslog messaging and define a Syslog
server on the wired network to receive Syslog
messages.

( ) Enable NTP and define an NTP server (optional).

System Log, p. 162


Time Settings (NTP),
p. 157
( )
IAP Settings, p. 237
Rogue Control List,
p. 206
Intrusion Detection,
p. 107
Enable the RF Monitor radio in the Xirrus Array.
Categorize known or approved devices as such.
Respond to any alert of unknown or unapproved
wireless devices discovered by the RF Monitor.

Additional information regarding implementation of PCI DSS on the Wi-Fi Array
is described in the Xirrus White Paper, PCI Data Security Standard, available on
the Xirrus web site.
The pci-audit Command
The Array provides a CLI command, pci-audit (part of the management
command), that checks whether the Array’s configuration satisfies PCI DSS
wireless requirements. This command does not change any parameters, but will
inform you of any violations that exist. Furthermore, the command pci-audit
enable will put the Array in PCI Mode and monitor changes that you make to the
Array’s configuration in CLI or the WMI. PCI Mode will warn you (and issue a
Syslog message) if the change violates PCI DSS requirements. A warning is issued
when a non-compliant change is first applied to the Array, and also if you attempt
to save a configuration that is non-compliant. Use this command in conjunction
428
Wi-Fi Array
with The Xirrus Array PCI Compliance Configuration above to ensure that you
are using the Array in accordance with the PCI DSS requirements.
The pci-audit command checks items such as:

Telnet is disabled.

Admin RADIUS is enabled (admin login authentication is via RADIUS
server).

An external Syslog server is in use.

All SSIDs must set encryption to WPA or better (which also enforces
802.1x authentication)
Sample output from this command is shown below.
SS-Array(config)# pci-audit
PCI audit failure: telnet enabled.
PCI audit failure: admin RADIUS authentication disabled.
PCI audit failure: SSID ssid2 encryption too weak.
PCI audit failure: SSID ssid3 encryption too weak.
PCI audit failure: SSID ssid4 encryption too weak.
PCI audit failure: SSID ssid5 encryption too weak.
PCI audit failure: SSID ssid6 encryption too weak.
Figure 189. Sample output of pci-audit command
Additional Resources

PCI Security Standards Web site: www.pcisecuritystandards.org

List of Qualified PCI Security Assessors: www.pcisecuritystandards.org/
pdfs/pci_qsa_list.pdf

For the latest version of the Xirrus White Paper, PCI Data Security
Standard, and the latest versions of Xirrus software, please check
www.xirrus.com
429
Wi-Fi Array
430
Wi-Fi Array
Appendix E: Implementing FIPS Security
Wi-Fi Arrays may be configured to satisfy the requirements for Level 2 of Federal
Information Processing Standard (FIPS) Publication 140-2. This appendix lists simple steps
that must be followed exactly to implement FIPS 140-2, Level 2. The procedures
include physical actions, and parameters that must be set in the Web Management
Interface (WMI) in the Security page and in other pages.
To satisfy FIPS 140-2, Level 2, perform the following procedures:

“Securing the Array Physically” on page 431

“To implement FIPS 140-2, Level 2 using WMI” on page 434

- or - “To implement FIPS 140-2, Level 2 using CLI:” on page 436

“To check if an Array is in FIPS mode:” on page 436
Securing the Array Physically
Operator Required Actions
1.
The Cryptographic Officer is required to configure and periodically
inspect the cryptographic module. Tamper evident seals and security
straps shall be in control of the Cryptographic Officer at all times.
2.
Apply supplied tamper-evident seals to the Array as indicated in the
figures below. The procedure is slightly different, depending on the
model.
IMPORTANT:
•
Before you apply the tamper-evident seal, clean the area of any
grease, dirt, or oil. We recommend using alcohol-based cleaning
pads for this.
•
Each seal must be applied to straddle both sides of an opening or
seam so that it will show if an attempt has been made to open or
tamper with the Array.
•
For 4-radio Arrays (XN4) — See Step 3.
•
For Arrays with 8 or more radios (XN8, XN12, XN16) — see Step 4.
431
Wi-Fi Array
XN4, XN8, XN12, XN16 - seam
location
XN8, XN12, XN16 Mounting plate
openings
Figure 190. Tamper-evident seal appearance
3.
For the XN4: Apply two seals, one on either side of the Array about 180°
apart from each other, as shown in Figure 191. IMPORTANT: Make sure
that each seal straddles a seam.
Continue to Step 5.
Tamper seal locations on seam:
Two (2) seals, placed straddling
seam on opposite sides.
Locations indicated by arrows
and colored blocks.
Figure 191. Tamper-evident seal locations for XN4 indicated by arrows
4.
432
For the XN8, XN12, XN16: Apply a total of eight (8) seals, as follows.
Wi-Fi Array
•
Apply two (2) seals, one on either side of the Array about 180° apart
from each other, as shown in Figure 192. IMPORTANT: Make sure
that each seal straddles a seam.
•
Apply tamper seals to the two (2) mounting plate openings, prior to
mounting the Array body on the plate. Place three (3) seals across
each opening as shown in Figure 193.
Continue to Step 5.
Tamper seal locations on seam:
Two (2) seals, placed straddling
seam on opposite sides.
Locations indicated by arrows
and colored blocks.
Figure 192. Two tamper-evident seals on seam of XN8/12/16
Tamper seal location covering
two (2) mounting plate openings. 
Six (6) seals placed - 
three (3) across each opening.
Place labels on mounting plate
prior to mounting Array body.
Locations indicated by arrows
and colored blocks.
Figure 193. Six tamper-evident seals on mounting plate - XN8/12/16
433
Wi-Fi Array
5.
Apply the supplied tamper-evident security strap to the unit as indicated
in Figure 194. Each mounting plate and Array contains a single locking
tab. The Array is mounted to the mounting plate and rotated until the
mounting plate clicks into place and the locking tabs are aligned. Thread
the security strap through the aligned locking tabs and then pull it
through the strap lock until firmly affixed. The security strap should be
pulled tight to prevent the mounting plate from turning. Tamper
evidence may be indicated by a broken strap or cracked locking tab.
Locking
Tab
Strap
Lock
Figure 194. Apply the security strap through locking tab as shown
To implement FIPS 140-2, Level 2 using WMI
You must enable FIPS 140-2, Level 2 Security on the Array. To do this using the
Web Management Interface (WMI - ArrayOS Rel. 5.0 and higher), follow the steps
below. (To do this using the CLI, please see “To implement FIPS 140-2, Level 2
using CLI:” on page 436.)
1.
Enable HTTPS using the CLI if it is not already enabled, using the
following command:
Xirrus_Wi-Fi_Array(config)# https on
This allows the Web Management Interface to be used for the rest of this
procedure. HTTPS is enabled on Arrays by default.
434
Wi-Fi Array

2.
The following steps must be performed in the order shown — you must
enable FIPS 140-2 before you create SSIDs. Otherwise, FIPS mode will
change the PSK keys of SSIDs, and you will not know what the keys are.
Click Security in the menu on the left of the WMI window. Then click
Management Control. In the Management Modes section, set FIPS 1402, Level 2 Security to On. (Figure 195) The WMI will display a message
showing the settings that it is changing to implement FIPS security. Click
Save, then OK.
Figure 195. Security - Management Control Window
435
Wi-Fi Array
3.
You may now proceed to define SSIDs, as described in “SSIDs” on
page 208.
To implement FIPS 140-2, Level 2 using CLI:
1.
The following CLI command will perform all of the settings required to
put the Array in FIPS mode (ArrayOS 4.1 and higher versions).
Xirrus_Wi-Fi_Array(config}# management
Xirrus_Wi-Fi_Array(config-mgmt}# fips on
This command remembers your previous settings for FIPS-related
attributes. They will be restored if you use the fips off command.
Use the save command to save these changes to flash memory.
2.
Use the fips off command if you wish to stop enforcing FIPS security
requirements on the Array.
Xirrus_Wi-Fi_Array(config-mgmt}# fips off
Use the save command to save these changes to flash memory.
To check if an Array is in FIPS mode:
You may determine whether or not the Array is running in FIPS mode by
verifying that the settings described in the previous procedures are in effect.
See Also
The Web Management Interface
The Command Line Interface
436
Wi-Fi Array
Appendix F: Notices
This appendix contains the following information:

“Notices” on page 437

“EU Directive 1999/5/EC Compliance Information” on page 440

“Compliance Information (Non-EU)” on page 447

“Safety Warnings” on page 448

“Translated Safety Warnings” on page 449

“Software License and Product Warranty Agreement” on page 450

“Hardware Warranty Agreement” on page 456
Notices
Wi-Fi Alliance Certification
www.wi-fi.org
FCC Notice
This device complies with Part 15 of the FCC Rules, with operation subject to the
following two conditions: (1) This device may not cause harmful interference, and
(2) this device must accept any interference received, including interference that
may cause unwanted operation.
This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to Part 15 of the FCC rules. These limits are designed to
provide reasonable protection against harmful interference in a residential
installation. This equipment generates, uses and can radiate RF energy and, if not
installed and used in accordance with the instructions, may cause harmful
interference to radio communications. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does
cause harmful interference to radio or television reception, which can be
437
Wi-Fi Array
determined by turning the equipment off and on, the user is encouraged to try to
correct the interference by one or more of the following safety measures:

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and the receiver.

Consult the dealer or an experienced wireless technician for help.
Use of a shielded twisted pair (STP) cable must be used for all Ethernet
connections in order to comply with EMC requirements.
RF Radiation Hazard Warning
To ensure compliance with FCC RF exposure requirements, this device must be
installed in a location where the antennas of the device will have a minimum
distance of at least 25 cm (9.84 inches) from all persons. Using higher gain
antennas and types of antennas not certified for use with this product is not
allowed. The device shall not be co-located with another transmitter.
Non-Modification Statement
Unauthorized changes or modifications to the device are not permitted. Use only
the supplied internal antenna, or external antennas supplied by the manufacturer.
Modifications to the device will void the warranty and may violate FCC
regulations. Please go to the Xirrus Web site for a list of all approved antennas.
Indoor Use
This product has been designed for indoor use. Operation of channels in the
5150MHz to 5250MHz band and in the 5470MHz to 5725MHz band is permitted
indoors only to reduce the potential for harmful interference to co-channel mobile
satellite systems.
Cable Runs for Power over Gigabit Ethernet (PoGE)
If using PoGE, the Array must be connected to PoGE networks without routing
cabling to the outside plant — this ensures that cabling is not exposed to lightning
strikes or possible cross over from high voltage.
Use of RP-TNC External Antenna Connectors
External RP-TNC antenna connectors are not for outside plant connection.
438
Wi-Fi Array
Battery Warning
Caution! The Array contains a battery which is not to be replaced by the customer.
Danger of Explosion exists if the battery is incorrectly replaced. Replace only with
the same or equivalent type recommended by the manufacturer. Dispose of used
batteries according to the manufacturer's instructions.
Power Cord
If you will be using the Array with a power cord, you must use a UL-Approved
cord (supplied with the unit). Order new power cords from the Xirrus product
list — Xirrus supplies only UL-approved power cords.
Maximum Antenna Gain
Currently, the maximum antenna gain for external antennas is limited to 5.2dBi
for operation in the 2400MHz to 2483.5MHz, 5150MHz to 5250MHz and
5725MHz to 5825MHz bands. The antenna gains must not exceed maximum EIRP
limits set by the FCC / Industry Canada.
High Power Radars
High power radars are allocated as primary users (meaning they have priority) in
the 5150MHz to 5250MHz and 5650MHz to 5850MHz bands. These radars could
cause interference and/or damage to LELAN devices used in Canada.
Industry Canada Notice and Marking
This Class A digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe A est conforme à la norme NMB-003 du Canada.
The term “IC:” before the radio certification number only signifies that Industry
Canada technical specifications were met.
To reduce potential radio interference to other users, the antenna type and its gain
should be so chosen that the equivalent isotropically radiated power (EIRP) is not
more than that required for successful communication.
439
Wi-Fi Array
EU Directive 1999/5/EC Compliance Information
This section contains compliance information for the Xirrus Wi-Fi Array family of
products, which includes the XN16, XN12, XN8, XN4, XS16, XS8 and XS4. The
compliance information contained in this section is relevant to the European
Union and other countries that have implemented the EU Directive 1999/5/EC.
Declaration of Conformity
Cesky [Czech] Toto zahzeni je v souladu se základnimi požadavky a
ostatnimi odpovidajcimi ustano veni mi Směrnice
1999/5/EC.
Dansk [Danish] Dette udstyr er i overensstemmelse med de
væsentlige krav og andre relevante bestemmelser i
Direktiv 1999/5/EF.
Deutsch [German] Dieses Gerat entspricht den grundlegenden
Anforderungen und den weiteren entsprechenden
Vorgaben der Richtinie 1999/5/EU.
Eesti [Estonian] See seande vastab direktiivi 1999/5/EU olulistele
nöuetele ja teistele as jakohastele sätetele.
English This equipment is in compliance with the essential
requirements and other relevant provisions of
Directive 1999/5/EC.
Español [Spain] Este equipo cump le con los requisitos esenciales asi
como con otras disposiciones de la Directiva 1999/5/
CE.
Ελληνυκη [Greek] Αυτόζ ο εξοπλτσμόζ είναι σε συμμόρφωση με τιζ
ουσιώδειζ απαιτήσειζ και ύλλεζ σχετικέζ διατάξειζ τηζ
Οδηγιαζ 1999/5/EC.
Français [French] Cet appareil est conforme aux exigences essentielles
et aux autres dispositions pertinentes de la Directive
1999/5/EC.
440
Wi-Fi Array
ĺslenska [Icelandic] Þetta tæki er samkvæmt grunnkröfum og öðrum
viðeigandi ákvæðum Tilskipunar 1999/5/EC.
Italiano [Italian] Questo apparato é conforme ai requisiti essenziali ed
agli altri principi sanciti dalla Direttiva 1999/5/CE.
Latviski [Latvian] Šī iekārta atbilst Direktīvas 1999/5/EK būtiskajā
prasībām un citiem ar to saistītajiem noteikumiem.
Lietuvių [Lithuanian] Šis įrenginys tenkina 1995/5/EB Direktyvos
esminius reikalavimus ir kitas šios direktyvos
nuostatas.
Nederlands [Dutch] Dit apparant voldoet aan de essentiele eisen en
andere van toepassing zijnde bepalingen van de
Richtlijn 1995/5/EC.
Malti [Maltese] Dan l-apparant huwa konformi mal-htigiet essenzjali
u l-provedimenti l-ohra rilevanti tad-Direttiva 1999/
5/EC.
Margyar [Hungarian] Ez a készülék teljesiti az alapvetö követelményeket
és más 1999/5/EK irányelvben meghatározott
vonatkozó rendelkezéseket.
Norsk [Norwegian] Dette utstyret er i samsvar med de grunnleggende
krav og andre relevante bestemmelser i EU-direktiv
1999/5/EF.
Polski [Polish] Urządzenie jest zgodne z ogólnymi wymaganiami
oraz sczególnymi mi warunkami określony mi
Dyrektywą. UE:1999/5/EC.
Portuguès [Portuguese] Este equipamento está em conformidade com os
requisitos essenciais e outras provisões relevantes da
Directiva 1999/5/EC.
Slovensko [Slovenian] Ta naprava je skladna z bistvenimi zahtevami in
ostalimi relevantnimi popoji Direktive 1999/5/EC.
441
Wi-Fi Array
Slovensky [Slovak] Toto zariadenie je v zhode so základnými
požadavkami a inými prislušnými nariadeniami
direktiv: 1999/5/EC.
Suomi [Finnish] Tämä laite täyttää direktiivin 1999/5//EY olennaiset
vaatimukset ja on siinä asetettujen muiden laitetta
koskevien määräysten mukainen.
Svenska [Swedish] Denna utrustning är i överensstämmelse med de
väsentliga kraven och andra relevanta bestämmelser
i Direktiv 1999/5/EC.
Assessment Criteria
The following standards were applied during the assessment of the product
against the requirements of the Directive 1999/5/EC:

Radio: EN 301 893 and EN 300 328 (if applicable)

EMC: EN 301 489-1 and EN 301 489-17

Safety: EN 50371 to EN 50385 and EN 60601
CE Marking
For the Xirrus Wi-Fi Array (XN16, XN12, XN8, XN4, XS16, XS8 and XS4), the CE
mark and Class-2 identifier opposite are affixed to the equipment and its
packaging:
442
Wi-Fi Array
WEEE Compliance

Natural resources were used in the production
of this equipment.

This equipment may contain hazardous
substances that could impact the health of the
environment.

In order to avoid harm to the environment and
consumption of natural resources, we
encourage you to use appropriate take-back
systems when disposing of this equipment.

The appropriate take-back systems will reuse
or recycle most of the materials of this
equipment in a way that will not harm the
environment.

The crossed-out wheeled bin symbol (in
accordance with European Standard EN 50419)
invites you to use those take-back systems and
advises you not to combine the material with
refuse destined for a land fill.

If you need more information on collection, reuse and recycling systems, please contact your
local or regional waste administration.

Please contact Xirrus for specific information
on the environmental performance of our
443
Wi-Fi Array
National Restrictions
In the majority of the EU and other European countries, the 2.4 GHz and 5 GHz
bands have been made available for the use of Wireless LANs. The following table
provides an overview of the regulatory requirements in general that are
applicable for the 2.4 GHz and 5 GHz bands.
Frequency
Band (MHz)
Max Power Level
(EIRP) (mW)
Indoor
Outdoor
2400–2483.5
100
X**
5150–5350*
200
N/A
5470–5725*
1000
*Dynamic frequency selection and Transmit Power Control is required in these
frequency bands.
**France is indoor use only in the upper end of the band.
The requirements for any country may change at any time. Xirrus recommends
that you check with local authorities for the current status of their national
regulations for both 2.4 GHz and 5 GHz wireless LANs.
The following countries have additional requirements or restrictions than those
listed in the above table:
Belgium
The Belgian Institute for Postal Services and Telecommunications (BIPT) must
be notified of any outdoor wireless link having a range exceeding 300 meters.
Xirrus recommends checking at www.bipt.be for more details.
Draadloze verbindingen voor buitengebruik en met een reikwijdte van meer dan 300
meter dienen aangemeld te worden bij het Belgisch Instituut voor postdiensten en
telecommunicatie (BIPT). Zie www.bipt.be voor meer gegevens.
444
Wi-Fi Array
Les liasons sans fil pour une utilisation en extérieur d’une distance supérieure à 300
mèters doivent être notifiées à l’Institut Belge des services Postaux et des
Télécommunications (IBPT). Visitez www.bipt.be pour de plus amples détails.
Greece
A license from EETT is required for the outdoor operation in the 5470 MHz to
5725 MHz band. Xirrus recommends checking www.eett.gr for more details.
Η δη ιουργβάικτ ωνεξωτερικο ρουστη ζ νησυ νοτ των 5470–5725 ΜΗz ε ιτρ ετάιωνο
ετάά όάδειά της ΕΕΤΤ, ου ορηγεβτάι στερά ά ό σ φωνη γν η του ΓΕΕΘΑ. ερισσότερες
λε τομ ρειεωστο www.eett.gr
Italy
This product meets the National Radio Interface and the requirements
specified in the National Frequency Allocation Table for Italy. Unless this
wireless LAN product is operating within the boundaries of the owner’s
property, its use requires a “general authorization.” Please check with
www.communicazioni.it/it/ for more details.
Questo prodotto é conforme alla specifiche di Interfaccia Radio Nazionali e rispetta il
Piano Nazionale di ripartizione delle frequenze in Italia. Se non viene installato
all’interno del proprio fondo, l’utilizzo di prodotti wireless LAN richiede una
“autorizzazione Generale.” Consultare www.communicazioni.it/it/ per maggiori
dettagli.
Norway, Switzerland and Liechtenstein
Although Norway, Switzerland and Liechtenstein are not EU member states,
the EU Directive 1999/5/EC has also been implemented in those countries.
Calculating the Maximum Output Power
The regulatory limits for maximum output power are specified in EIRP (radiated
power). The EIRP level of a device can be calculated by adding the gain of the
antenna used (specified in dBi) to the output power available at the connector
(specified in dBm).
445
Wi-Fi Array
Antennas
The Xirrus Wi-Fi Array employs integrated antennas that cannot be removed and
which are not user accessible. Nevertheless, as regulatory limits are not the same
throughout the EU, users may need to adjust the conducted power setting for the
radio to meet the EIRP limits applicable in their country or region. Adjustments
can be made from the product’s management interface — either Web Management
Interface (WMI) or Command Line Interface (CLI).
Operating Frequency
The operating frequency in a wireless LAN is determined by the access point. As
such, it is important that the access point is correctly configured to meet the local
regulations. See National Restrictions in this section for more information.
If you still have questions regarding the compliance of Xirrus products or you
cannot find the information you are looking for, please contact us at:
Xirrus, Inc.
2101 Corporate Center Drive
Thousand Oaks, CA 91320
USA
Tel:
Fax:
1.805.262.1600
1.800.947.7871 Toll Free in the US
1.866.462.3980
www.xirrus.com
446
Wi-Fi Array
Compliance Information (Non-EU)
This section contains compliance information for the Xirrus Wi-Fi Array family of
products, which includes the XN16, XN12, XN8, and XN4. The compliance
information contained in this section is relevant to the listed countries (outside of
the European Union and other countries that have implemented the EU Directive
1999/5/EC).
Declaration of Conformity
Mexico XN16: Cofetel Cert #: RCPXIXN10-1052 
XN12: Cofetel Cert #: RCPXIXN10-1052-A1 
XN8: Cofetel Cert #: RCPXIXN10-1052-A2
XN4: Cofetel Cert #: RCPXIXN10-1052-A3
Thailand This telecommunication equipment conforms to
NTC technical requirement.
447
Wi-Fi Array
Safety Warnings
Safety Warnings
Explosive Device Proximity Warning
Lightning Activity Warning
Circuit Breaker Warning
Read all user documentation before powering this device. All Xirrus
interconnected equipment should be contained indoors. This product is
not suitable for outdoor operation. Please verify the integrity of the
system ground prior to installing Xirrus equipment. Additionally,
verify that the ambient operating temperature does not exceed 50°C.
Do not operate the XN16/XN12/XN8/XN4/XS16/XS8/XS4 unit near
unshielded blasting caps or in an explosive environment unless the
device has been modified to be especially qualified for such use.
Do not work on the XN16/XN12/XN8/XN4/XS16/XS8/XS4 or
connect or disconnect cables during periods of lightning activity.
The XN16/XN12/XN8/XN4/XS16/XS8/XS4 relies on the building’s
installation for over current protection. Ensure that a fuse or circuit
breaker no larger than 120 VAC, 15A (U.S.) or 240 VAC, 10A
(International) is used on all current-carrying conductors.
Translated safety warnings appear on the following page.
448
Wi-Fi Array
Translated Safety Warnings
Avertissements de Sécurité
Sécurité
Proximité d'appareils explosifs
Foudre
Disjoncteur
Lisez l'ensemble de la documentation utilisateur avant de mettre cet
appareil sous tension. Tous les équipements Xirrus interconnectés
doivent être installés en intérieur. Ce produit n'est pas conçu pour être
utilisé en extérieur. Veuillez vérifier l'intégrité de la terre du système
avant d'installer des équipements Xirrus. Vérifiez également que la
température de fonctionnement ambiante n'excède pas 50°C.
N'utilisez pas l'unité XN16/XN12/XN8/XN4/XS16/XS8/XS4 à
proximité d'amorces non blindées ou dans un environnement explosif,
à moins que l'appareil n'ait été spécifiquement modifié pour un tel
usage.
N'utilisez pas l'unité XN16/XN12/XN8/XN4/XS16/XS8/XS4 et ne
branchez pas ou ne débranchez pas de câbles en cas de foudre.
L'unité
XN16/XN12/XN8/XN4/XS16/XS8/XS4
dépend
de
l'installation du bâtiment pour ce qui est de la protection contre les
surintensités. Assurez-vous qu'un fusible ou qu'un disjoncteur de 120
Vca, 15 A (États-Unis) ou de 240 Vca, 10 A (International) maximum est
utilisé sur tous les conducteurs de courant.
449
Wi-Fi Array
Software License and Product Warranty Agreement
THIS SOFTWARE LICENSE AGREEMENT (THE “AGREEMENT”) IS A LEGAL
AGREEMENT BETWEEN YOU (“CUSTOMER”) AND LICENSOR (AS DEFINED
BELOW) AND GOVERNS THE USE OF THE SOFTWARE INSTALLED ON THE
PRODUCT (AS DEFINED BELOW). IF YOU ARE AN EMPLOYEE OR AGENT
OF CUSTOMER, YOU HEREBY REPRESENT AND WARRANT TO LICENSOR
THAT YOU HAVE THE POWER AND AUTHORITY TO ACCEPT AND TO
BIND CUSTOMER TO THE TERMS AND CONDITIONS OF THIS AGREEMENT
(INCLUDING ANY THIRD PARTY TERMS SET FORTH HEREIN). IF YOU DO
NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT RETURN THE
PRODUCT AND ALL ACCOMPANYING MATERIALS (INCLUDING ALL
DOCUMENTATION) TO THE RELEVANT VENDOR FOR A FULL REFUND OF
THE PURCHASE PRICE THEREFORE.
CUSTOMER UNDERSTANDS AND AGREES THAT USE OF THE PRODUCT
AND SOFTWARE SHALL BE DEEMED AN AGREEMENT TO THE TERMS
AND CONDITIONS GOVERNING SUCH SOFTWARE AND THAT CUSTOMER
IS BOUND BY AND BECOMES A PARTY TO THIS AGREEMENT.
1.0 DEFINITIONS
1.1 “Documentation” means the user manuals and all other all documentation,
instructions or other similar materials accompanying the Software covering
the installation, application, and use thereof.
1.2 “Licensor” means XIRRUS and its suppliers.
1.3 “Product” means a multi-radio access point containing four or more distinct
radios capable of simultaneous operation on four or more non-overlapping
channels.
1.4 “Software” means, collectively, each of the application and embedded
software programs delivered to Customer in connection with this Agreement.
For purposes of this Agreement, the term Software shall be deemed to include
any and all Documentation and Updates provided with or for the Software.
1.5 “Updates” means any bug-fix, maintenance or version release to the Software
that may be provided to Customer from Licensor pursuant to this Agreement
or pursuant to any separate maintenance and support agreement entered into
by and between Licensor and Customer.
2.0 GRANT OF RIGHTS
2.1 Software. Subject to the terms and conditions of this Agreement, Licensor
hereby grants to Customer a perpetual, non-exclusive, non-sublicenseable,
non-transferable right and license to use the Software solely as installed on
450
Wi-Fi Array
the Product in accordance with the accompanying Documentation and for no
other purpose.
2.2 Ownership. The license granted under Sections 2.1 above with respect to the
Software does not constitute a transfer or sale of Licensor's or its suppliers'
ownership interest in or to the Software, which is solely licensed to Customer.
The Software is protected by both national and international intellectual
property laws and treaties. Except for the express licenses granted to the
Software, Licensor and its suppliers retain all rights, title and interest in and
to the Software, including (i) any and all trade secrets, copyrights, patents and
other proprietary rights therein or thereto or (ii) any Marks (as defined in
Section 2.3 below) used in connection therewith. In no event shall Customer
remove, efface or otherwise obscure any Marks contained on or in the
Software. All rights not expressly granted herein are reserved by Licensor.
2.3 Copies. Customer shall not make any copies of the Software but shall be
permitted to make a reasonable number of copies of the related
Documentation. Whenever Customer copies or reproduces all or any part of
the Documentation, Customer shall reproduce all and not efface any titles,
trademark symbols, copyright symbols and legends, and other proprietary
markings or similar indicia of origin (“Marks”) on or in the Documentation.
2.4 Restrictions. Customer shall not itself, or through any parent, subsidiary,
affiliate, agent or other third party (i) sell, rent, lease, license or sublicense,
assign or otherwise transfer the Software, or any of Customer's rights and
obligations under this Agreement except as expressly permitted herein; (ii)
decompile, disassemble, or reverse engineer the Software, in whole or in part,
provided that in those jurisdictions in which a total prohibition on any
reverse engineering is prohibited as a matter of law and such prohibition is
not cured by the fact that this Agreement is subject to the laws of the State of
California, Licensor agrees to grant Customer, upon Customer's written
request to Licensor, a limited reverse engineering license to permit
interoperability of the Software with other software or code used by
Customer; (iii) allow access to the Software by any user other than by
Customer's employees and contractors who are bound in writing to
confidentiality and non-use restrictions at least as protective as those set forth
herein; (iv) except as expressly set forth herein, write or develop any
derivative software or any other software program based upon the Software;
(v) use any computer software or hardware which is designated to defeat any
copy protection or other use limiting device, including any device intended to
limit the number of users or devices accessing the Product; (vi) disclose
information about the performance or operation of the Product or Software to
any third party without the prior written consent of Licensor; or (vii) engage a
third party to perform benchmark or functionality testing of the Product or
Software.
451
Wi-Fi Array
3.0 LIMITED WARRANTY AND LIMITATION OF LIABILITY
3.1 Limited Warranty & Exclusions. Licensor warrants that the Software will
perform in substantial accordance with the specifications therefore set forth in
the Documentation for a period of ninety [90] days after Customer's
acceptance of the terms of this Agreement with respect to the Software
(“Warranty Period”). If during the Warranty Period the Software or Product
does not perform as warranted, Licensor shall, at its option, correct the
relevant Product and/or Software giving rise to such breach of performance
or replace such Product and/or Software free of charge. THE FOREGOING
ARE CUSTOMER'S SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF
THE FOREGOING WARRANTY. THE WARRANTY SET FORTH ABOVE IS
MADE TO AND FOR THE BENEFIT OF CUSTOMER ONLY. The warranty
will apply only if (i) the Software has been used at all times and in accordance
with the instructions for use set forth in the Documentation and this
Agreement; (ii) no modification, alteration or addition has been made to the
Software by persons other than Licensor or Licensor's authorized
representative; and (iii) the Software or Product on which the Software is
installed has not been subject to any unusual electrical charge.
3.2 DISCLAIMER. EXCEPT AS EXPRESSLY STATED IN THIS SECTION 3, ALL
ADDITIONAL CONDITIONS, REPRESENTATIONS, AND WARRANTIES,
WHETHER IMPLIED, STATUTORY OR OTHERWISE, INCLUDING,
WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OR CONDITIONS
OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
SATISFACTORY QUALITY, ACCURACY, AGAINST INFRINGEMENT OR
ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE
PRACTICE, ARE HEREBY DISCLAIMED BY LICENSOR AND ITS
SUPPLIERS. THIS DISCLAIMER SHALL APPLY EVEN IF ANY EXPRESS
WARRANTY AND LIMITED REMEDY OFFERED BY LICENSOR FAILS OF
ITS ESSENTIAL PURPOSE. ALL WARRANTIES PROVIDED BY LICENSOR
ARE SUBJECT TO THE LIMITATIONS OF LIABILITY SET FORTH IN THIS
AGREEMENT.
3.3 HAZARDOUS APPLICATIONS. THE SOFTWARE IS NOT DESIGNED OR
INTENDED FOR USE IN HAZARDOUS ENVIRONMENTS REQUIRING
FAIL SAFE PERFORMANCE, SUCH AS IN THE OPERATION OF A
NUCLEAR FACILITY, AIRCRAFT NAVIGATION OR COMMUNICATIONS
SYSTEMS, AIR TRAFFIC CONTROLS OR OTHER DEVICES OR SYSTEMS
IN WHICH A MALFUNCTION OF THE SOFTWARE WOULD RESULT IN
FORSEEABLE RISK OF INJURY OR DEATH TO THE OPERATOR OF THE
DEVICE OR SYSTEM OR TO OTHERS (“HAZARDOUS APPLICATIONS”).
CUSTOMER ASSUMES ANY AND ALL RISKS, INJURIES, LOSSES, CLAIMS
AND ANY OTHER LIABILITIES ARISING OUT OF THE USE OF THE
SOFTWARE IN ANY HAZARDOUS APPLICATIONS.
452
Wi-Fi Array
3.4 Limitation of Liability.
(a) TOTAL LIABILITY. NOTWITHSTANDING ANYTHING ELSE HEREIN,
ALL LIABILITY OF LICENSOR AND ITS SUPPLIERS UNDER THIS
AGREEMENT SHALL BE LIMITED TO THE AMOUNT PAID BY
CUSTOMER FOR THE RELEVANT SOFTWARE, OR PORTION
THEREOF, THAT GAVE RISE TO SUCH LIABILITY OR ONE
HUNDRED UNITED STATES DOLLARS (US$100), WHICHEVER IS
GREATER. THE LIABILITY OF LICENSOR AND ITS SUPPLIERS
UNDER THIS SECTION SHALL BE CUMULATIVE AND NOT PER
INCIDENT.
(b) DAMAGES. IN NO EVENT SHALL LICENSOR, ITS SUPPLIERS OR
THEIR RELEVANT SUBCONTRACTORS BE LIABLE FOR (A) ANY
INCIDENTAL,
SPECIAL,
PUNITIVE
OR
CONSEQUENTIAL
DAMAGES, LOST PROFITS OR LOST OR DAMAGED DATA, OR ANY
INDIRECT DAMAGES, WHETHER ARISING IN CONTRACT, TORT
(INCLUDING NEGLIGENCE AND STRICT LIABILITY) OR
OTHERWISE OR (B) ANY COSTS OR EXPENSES FOR THE
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES IN EACH
CASE, EVEN IF LICENSOR OR ITS SUPPLIERS HAVE BEEN
INFORMED OF THE POSSIBILITY OF SUCH DAMAGES.
3.5 Exclusions. SOME JURISDICTIONS DO NOT PERMIT THE LIMITATIONS
OF LIABILITY AND LIMITED WARRANTIES SET FORTH UNDER THIS
AGREEMENT. IN THE EVENT YOU ARE LOCATED IN ANY SUCH
JURISDICTION, THE FOREGOING LIMITATIONS SHALL APPLY ONLY
TO THE MAXIMUM EXTENT PERMITTED IN SUCH JURISDICTIONS. IN
NO EVENT SHALL THE FOREGOING EXCLUSIONS AND LIMITATIONS
ON DAMAGES BE DEEMED TO APPLY TO ANY LIABILITY BASED ON
FRAUD, WILLFUL MISCONDUCT, GROSS NEGLIGENCE OR PERSONAL
INJURY OR DEATH.
4.0 CONFIDENTIAL INFORMATION
4.1 Generally. The Software (and its accompanying Documentation) constitutes
Licensor's and its suppliers' proprietary and confidential information and
contains valuable trade secrets of Licensor and its suppliers (“Confidential
Information”). Customer shall protect the secrecy of the Confidential
Information to the same extent it protects its other valuable, proprietary and
confidential information of a similar nature but in no event shall Customer
use less than reasonable care to maintain the secrecy of the Confidential
Information. Customer shall not use the Confidential Information except to
exercise its rights or perform its obligations as set forth under this Agreement.
Customer shall not disclose such Confidential Information to any third party
other than subject to non-use and non-disclosure obligations at least as
453
Wi-Fi Array
protective of a party's right in such Confidential Information as those set forth
herein.
4.2 Return of Materials. Customer agrees to (i) destroy all Confidential
Information (including deleting any and all copies contained on any of
Customer's Designated Hardware or the Product) within fifteen (15) days of
the date of termination of this Agreement or (ii) if requested by Licensor,
return, any Confidential Information to Licensor within thirty (30) days of
Licensor's written request.
5.0 TERM AND TERMINATION
5.1 Term. Subject to Section 5.2 below, this Agreement will take effect on the
Effective Date and will remain in force until terminated in accordance with
this Agreement.
5.2 Termination Events. This Agreement may be terminated immediately upon
written notice by either party under any of the following conditions:
(a) If the other party has failed to cure a breach of any material term or
condition under the Agreement within thirty (30) days after receipt of
notice from the other party; or
(b) Either party ceases to carry on business as a going concern, either party
becomes the object of the institution of voluntary or involuntary
proceedings in bankruptcy or liquidation, which proceeding is not
dismissed within ninety (90) days, or a receiver is appointed with respect
to a substantial part of its assets.
5.3 Effect of Termination.
(a) Upon termination of this Agreement, in whole or in part, Customer shall
pay Licensor for all amounts owed up to the effective date of termination.
Termination of this Agreement shall not constitute a waiver for any
amounts due.
(b) The following Sections shall survive the termination of this Agreement
for any reason: Sections 1, 2.2, 2.4, 3, 4, 5.3, and 6.
(c) No later than thirty (30) days after the date of termination of this
Agreement by Licensor, Customer shall upon Licensor's instructions
either return the Software and all copies thereof; all Documentation
relating thereto in its possession that is in tangible form or destroy the
same (including any copies thereof contained on Customer's Designated
Hardware). Customer shall furnish Licensor with a certificate signed by
an executive officer of Customer verifying that the same has been done.
454
Wi-Fi Array
6. MISCELLANEOUS
If Customer is a corporation, partnership or similar entity, then the license to the
Software and Documentation that is granted under this Agreement is expressly
conditioned upon and Customer represents and warrants to Licensor that the
person accepting the terms of this Agreement is authorized to bind such entity to
the terms and conditions herein. If any provision of this Agreement is held to be
invalid or unenforceable, it will be enforced to the extent permissible and the
remainder of this Agreement will remain in full force and effect. During the
course of use of the Software, Licensor may collect information on your use
thereof; you hereby authorize Licensor to use such information to improve its
products and services, and to disclose the same to third parties provided it does
not contain any personally identifiable information. The express waiver by either
party of any provision, condition or requirement of this Agreement does not
constitute a waiver of any future obligation to comply with such provision,
condition or requirement. Customer and Licensor are independent parties.
Customer may not export or re-export the Software or Documentation (or other
materials) without appropriate United States, European Union and foreign
government licenses or in violation of the United State's Export Administration
Act or foreign equivalents and Customer shall comply with all national and
international laws governing the Software. This Agreement will be governed by
and construed under the laws of the State of California and the United States as
applied to agreements entered into and to be performed entirely within
California, without regard to conflicts of laws provisions thereof and the parties
expressly exclude the application of the United Nations Convention on Contracts
for the International Sales of Goods and the Uniform Computer Information
Transactions Act (as promulgated by any State) to this Agreement. Suits or
enforcement actions must be brought within, and each party irrevocably commits
to the exclusive jurisdiction of, the state and federal courts located in Ventura
County, California. Customer may not assign this Agreement by operation of law
or otherwise, without the prior written consent of Licensor and any attempted
assignment in violation of the foregoing shall be null and void. This Agreement
cancels and supersedes all prior agreements between the parties. This Agreement
may not be varied except through a document agreed to and signed by both
parties. Any printed terms and conditions contained in any Customer purchase
order or in any Licensor acknowledgment, invoice or other documentation
relating to the Software shall be deemed deleted and of no force or effect and any
additional typed and/or written terms and conditions contained shall be for
administrative purposes only, i.e. to identify the types and quantities of Software
to be supplied, line item prices and total price, delivery schedule, and other
similar ordering data, all in accordance with the provisions of this Agreement.
455
Wi-Fi Array
Hardware Warranty Agreement
PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THIS
PRODUCT
BY USING THIS PRODUCT, YOU ACKNOWLEDGE THAT YOU HAVE READ
AND UNDERSTOOD ALL THE TERMS AND CONDITIONS OF THIS
AGREEMENT AND THAT YOU ARE CONSENTING TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, RETURN THE UNUSED PRODUCT TO THE PLACE OF
PURCHASE FOR A FULL REFUND.
LIMITED WARRANTY. Xirrus warrants that for a period of one year from the
date of purchase by the original purchaser (“Customer”): (i) the Xirrus Equipment
(“Equipment”) will be free of defects in materials and workmanship under
normal use; and (ii) the Equipment substantially conforms to its published
specifications. Except for the foregoing, the Equipment is provided AS IS. This
limited warranty extends only to Customer as the original purchaser. Customer's
exclusive remedy and the entire liability of Xirrus and its suppliers under this
limited warranty will be, at Xirrus' option, repair, replacement, or refund of the
Equipment if reported (or, upon request, returned) to the party supplying the
Equipment to Customer. In no event does Xirrus warrant that the Equipment is
error free or that Customer will be able to operate the Equipment without
problems or interruptions.
This warranty does not apply if the Equipment (a) has been altered, except by
Xirrus, (b) has not been installed, operated, repaired, or maintained in accordance
with instructions supplied by Xirrus, (c) has been subjected to abnormal physical
or electrical stress, misuse, negligence, or accident, or (d) is used in ultrahazardous activities.
DISCLAIMER. EXCEPT AS SPECIFIED IN THIS WARRANTY, ALL EXPRESS OR
IMPLIED
CONDITIONS,
REPRESENTATIONS,
AND
WARRANTIES
INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF
MERCHANTABILITY,
FITNESS
FOR
PARTICULAR
PURPOSE,
NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE,
OR TRADE PRACTICE, ARE HEREBY EXCLUDED TO THE EXTENT
ALLOWED BY APPLICABLE LAW.
IN NO EVENT WILL XIRRUS OR ITS SUPPLIERS BE LIABLE FOR ANY LOST
REVENUE, PROFIT, OR DATA, OR FOR SPECIAL, INDIRECT,
CONSEQUENTIAL, INCIDENTAL, OR PUNITIVE DAMAGES HOWEVER
CAUSED AND REGARDLESS OF THE THEORY OF LIABILITY ARISING OUT
OF THE USE OF OR INABILITY TO USE THE EQUIPMENT EVEN IF XIRRUS
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES. In no event shall Xirrus' or its suppliers' liability to Customer,
456
Wi-Fi Array
whether in contract, tort (including negligence), or otherwise, exceed the price
paid by Customer.
The foregoing limitations shall apply even if the above-stated warranty fails of its
essential purpose. SOME STATES DO NOT ALLOW LIMITATION OR
EXCLUSION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL
DAMAGES.
The above warranty DOES NOT apply to any evaluation Equipment made
available for testing or demonstration purposes. All such Equipment is provided
AS IS without any warranty whatsoever.
Customer agrees the Equipment and related documentation shall not be used in
life support systems, human implantation, nuclear facilities or systems or any
other application where failure could lead to a loss of life or catastrophic property
damage, or cause or permit any third party to do any of the foregoing.
All information or feedback provided by Customer to Xirrus with respect to the
Product shall be Xirrus' property and deemed confidential information of Xirrus.
Equipment including technical data, is subject to U.S. export control laws,
including the U.S. Export Administration Act and its associated regulations, and
may be subject to export or import regulations in other countries. Customer
agrees to comply strictly with all such regulations and acknowledges that it has
the responsibility to obtain licenses to export, re-export, or import Equipment.
This Agreement shall be governed by and construed in accordance with the laws
of the State of California, United States of America, as if performed wholly within
the state and without giving effect to the principles of conflict of law. If any
portion hereof is found to be void or unenforceable, the remaining provisions of
this Warranty shall remain in full force and effect. This Warranty constitutes the
entire agreement between the parties with respect to the use of the Equipment.
Manufacturer is Xirrus, Inc. 2101 Corporate Center Drive Thousand Oaks, CA
91320
457
Wi-Fi Array
458
Wi-Fi Array
Glossary of Terms
802.11a
A supplement to the IEEE 802.11 WLAN specification that describes radio
transmissions at a frequency of 5 GHz and data rates of up to 54 Mbps.
802.11b
A supplement to the IEEE 802.11 WLAN specification that describes radio
transmissions at a frequency of 2.4 GHz and data rates of up to 11 Mbps.
802.11d
A supplement to the Media Access Control (MAC) layer in 802.11 to promote
worldwide use of 802.11 WLANs. It allows Access Points to communicate
information on the permissible radio channels with acceptable power levels for
user devices. Because the 802.11 standards cannot legally operate in some
countries, 802.11d adds features and restrictions to allow WLANs to operate
within the rules of these countries.
802.11g
A supplement to the IEEE 802.11 WLAN specification that describes radio
transmissions at a frequency of 2.4 GHz and data rates of up to 54 Mbps.
802.11n
A supplement to the IEEE 802.11 WLAN specification that describes
enhancements to 802.11a/b/g to greatly enhance reach, speed, and capacity.
802.1Q
An IEEE standard for MAC layer frame tagging (also known as encapsulation).
Frame tagging uniquely assigns a user-defined ID to each frame. It also enables a
switch to communicate VLAN membership information across multiple (and
multi-vendor) devices by frame tagging.
AES
(Advanced Encryption Standard) A data encryption scheme that uses three
different key sizes (128-bit, 192-bit, and 256-bit). AES was adopted by the U.S.
government in 2002 as the encryption standard for protecting sensitive but
unclassified electronic data.
Glossary of Terms
459
Wi-Fi Array
authentication
The process that a station, device, or user employs to announce its identify to
the network which validates it. IEEE 802.11 specifies two forms of authentication,
open system and shared key.
bandwidth
Specifies the amount of the frequency spectrum that is usable for data transfer. In
other words, it identifies the maximum data rate a signal can attain on
the medium without encountering significant attenuation (loss of power).
beacon interval
When a device in a wireless network sends a beacon, it includes with it a beacon
interval, which specifies the period of time before it will send the beacon again.
The interval tells receiving devices on the network how long they can wait in low
power mode before waking up to handle the beacon. Network administrators can
adjust the beacon interval — usually measured in milliseconds (ms) or its
equivalent, kilo-microseconds (Kmsec).
bit rate
The transmission rate of binary symbols ('0' and '1'), equal to the total number of
bits transmitted in one second.
BSS
(Basic Service Set) When a WLAN is operating in infrastructure mode, each access
point and its connected devices are called the Basic Service Set.
BSSID
The unique identifier for an access point in a BSS network. See also, SSID.
CDP
(Cisco Discovery Protocol) CDP is a layer 2 network protocol which runs on most
Cisco equipment and some other network equipment. It is used to share
information with other directly connected network devices. Information such as
the model, network capabilities, and IP address is shared. Wi-Fi Arrays can both
advertise their presence by sending CDP announcements, and gather and display
information sent by neighbors.
460
Glossary of Terms
Wi-Fi Array
cell
The basic geographical unit of a cellular communications system. Service
coverage of a given area is based on an interlocking network of cells, each with a
radio base station (transmitter/receiver) at its center. The size of each cell is
determined by the terrain and forecasted number of users.
channel
A specific portion of the radio spectrum — the channels allotted to one of
the wireless networking protocols. For example, 802.11b and 802.11g use 14
channels in the 2.4 GHz band, only 3 of which don't overlap (1, 6, and 11). In the 5
GHz band, 802.11a uses 8 channels for indoor use and 4 for outdoor use, none of
which overlap. In the U.S., additional channels are available, to bring the total to
24 channels.
CoS
(Class of Service) A category based on the type of user, type of application,
or some other criteria that QoS systems can use to provide differentiated classes of
service.
default gateway
The gateway in a network that a computer will use to access another network if
a gateway is not specified for use. In a network using subnets, a default gateway
is the router that forwards traffic to a destination outside of the subnet of
the transmitting device.
DHCP
(Dynamic Host Configuration Protocol) A method for dynamically assigning IP
addresses to devices on a network. DHCP issues IP addresses automatically
within a specified range to client devices when they are first powered up.
DHCP lease
The DHCP lease is the amount of time that the DHCP server grants to the DHCP
client for permission to use a particular IP address. A typical DHCP server allows
its administrator to set the lease time.
Glossary of Terms
461
Wi-Fi Array
DNS
(Domain Name System) A system that maps meaningful domain names with
complex numeric IP addresses. DNS is actually a separate network — if one DNS
server cannot translate a domain name, it will ask a second or third until a server
is found with the correct IP address.
domain
The main name/Internet address of a user's Internet site as registered with
the InterNIC organization, which handles domain registration on the Internet. For
example, the “domain” address for Xirrus is: http://www.xirrus.com, broken
down as follows:
 http:// represents the Hyper Text Teleprocessing Protocol used by all Web
pages.

www is a reference to the World Wide Web.

xirrus refers to the company.

com specifies that the domain belongs to a commercial enterprise.
DTIM
(Delivery Traffic Indication Message) A DTIM is a signal sent as part of a beacon
by an access point to a client device in sleep mode, alerting the device to a packet
awaiting delivery.
EAP
(Extensible Authentication Protocol) When you log on to the Internet, you're most
likely establishing a PPP connection via a remote access server. The password,
key, or other device you use to prove that you are authorized to do so is controlled
via PPP’s Link Control Protocol (LCP). However, LCP is somewhat inflexible
because it has to specify an authentication device early in the process. EAP allows
the system to gather more information from the user before deciding which
authenticator to use. It is called extensible because it allows more authenticator
types than LCP (for example, passwords and public keys).
462
Glossary of Terms
Wi-Fi Array
EDCF
(Enhanced Distributed Coordinator Function) A QoS extension which uses
the same contention-based access mechanism as current devices but adds “offset
contention windows” that separate high priority packets from low priority
packets (by assigning a larger random backoff window to lower priorities than to
higher priorities). The result is “statistical priority,” where high-priority packets
usually are transmitted before low-priority packets.
encapsulation
A way of wrapping protocols such as TCP/IP, AppleTalk, and NetBEUI in
Ethernet frames so they can traverse an Ethernet network and be unwrapped
when they reach the destination computer.
encryption
Any procedure used in cryptography to translate data into a form that can be
decrypted and read only by its intended receiver.
Fast Ethernet
A version of standard Ethernet that runs at 100 Mbps rather than 10 Mbps.
FCC
(Federal Communications Commission) US wireless regulatory authority.
The FCC was established by the Communications Act of 1934 and is charged with
regulating Interstate and International communications by radio, television, wire,
satellite and cable.
FIPS
The Federal Information Processing Standard (FIPS) Publication 140-2 establishes
a computer security standard used to accredit cryptographic modules.
The standard is a joint effort by the U.S. and Canadian governments.
frame
A packet encapsulated to travel on a physical medium, like Ethernet or Wi-Fi. If a
packet is like a shipping container, a frame is the boat on which the shipping
container is loaded.
Gigabit 1
The primary Gigabit Ethernet interface. See also, Gigabit Ethernet.
Glossary of Terms
463
Wi-Fi Array
Gigabit 2
The secondary Gigabit Ethernet interface. See also, Gigabit Ethernet.
Gigabit Ethernet
The newest version of Ethernet, with data transfer rates of 1 Gigabit (1,000 Mbps).
Group
A user group, created to define a set of attributes (such as VLAN, traffic limits,
and Web Page Redirect) and privileges (such as fast roaming) that apply to all
users that are members of the group. This allows a uniform configuration to be
easily applied to multiple user accounts. The attributes that can be configured for
user groups are almost identical to those that can be configured for SSIDs.
host name
The unique name that identifies a computer on a network. On the Internet,
the host name is in the form comp.xyz.net. If there is only one Internet site
the host name is the same as the domain name. One computer can have more than
one host name if it hosts more than one Internet site (for example, home.xyz.net
and comp.xyz.net). In this case, comp and home are the host names and xyz.net is
the domain name.
IPsec
A Layer 3 authentication and encryption protocol. Used to secure VPNs.
MAC address
(Media Access Control Address) A 6-byte hexadecimal address assigned by a
manufacturer to a device.
Mbps
(Megabits per second) A standard measure for data transmission speeds (for
example, the rate at which information travels over the Internet). 1 Mbps denotes
one million bits per second.
464
Glossary of Terms
Wi-Fi Array
MTU
(Maximum Transmission Unit) The largest physical packet size — measured in
bytes — that a network can transmit. Any messages larger than the MTU are
divided into smaller packets before being sent. Every network has a different
MTU, which is set by the network administrator. Ideally, you want the MTU to be
the same as the smallest MTU of all the networks between your machine and
a message's final destination. Otherwise, if your messages are larger than one of
the intervening MTUs, they will get broken up (fragmented), which slows down
transmission speeds.
NTP
(Network Time Protocol) An Internet standard protocol (built on top of TCP/IP)
that ensures the accurate synchronization (to the millisecond) of computer clock
times in a network of computers. Running as a continuous background client
program on a computer, NTP sends periodic time requests to servers, obtaining
server time stamps and using them to adjust the client's clock.
packet
Data sent over a network is broken down into many small pieces — packets — by
the Transmission Control Protocol layer of TCP/IP. Each packet contains the
address of its destination as well the data. Packets may be sent on any number of
routes to their destination, where they are reassembled into the original data. This
system is optimal for connectionless networks, such as the Internet, where there
are no fixed connections between two locations.
PLCP
(Physical Layer Convergence Protocol) Defined by IEEE 802.6, a protocol
specified within the Transmission Convergence layer that defines exactly how
cells are formatted within a data stream for a particular type of transmission
facility.
PoGE
This refers to the optional Xirrus XP1 Power over Gigabit Ethernet modules that
provide DC power to Arrays. Power is supplied over the same Cat 5e or Cat 6
cable that supplies the data connection to your gigabit Ethernet switch, thus
eliminating the need to run a power cable.
Glossary of Terms
465
Wi-Fi Array
preamble
Preamble (sometimes called a header) is a section of data at the head of a packet
that contains information that the access point and client devices need when
sending and receiving packets. PLCP Has two structures, a long and a short
preamble. All compliant 802.11b systems have to support the long preamble.
The short preamble option is provided in the standard to improve the efficiency
of a network's throughput when transmitting special data, such as voice, VoIP
(Voice-over IP) and streaming video.
private key
In cryptography, one of a pair of keys (one public and one private) that are created
with the same algorithm for encrypting and decrypting messages and digital
signatures. The private key is provided only to the requestor and never shared.
The requestor uses the private key to decrypt text that has been encrypted with
the public key by someone else.
PSK
(Pre-Shared Key) A TKIP passphrase used to protect your network traffic in WPA.
public key
In cryptography, one of a pair of keys (one public and one private) that are created
with the same algorithm for encrypting and decrypting messages and digital
signatures. The public key is made publicly available for encryption and
decryption.
QoS
(Quality of Service) QoS can be used to describe any number of ways in which
a network provider prioritizes or guarantees a service's performance.
RADIUS
(Remote Authentication Dial-In User Service) A client-server security protocol,
developed to authenticate, authorize, and account for dial-up users. The RADIUS
server stores user profiles, which include passwords and authorization attributes.
RSSI
(Received Signal Strength Indicator) A measure of the energy observed by an
antenna when receiving a signal.
466
Glossary of Terms
Wi-Fi Array
SDMA
(Spatial Division Multiple Access) A wireless communications mode that
optimizes the use of the radio spectrum and minimizes cost by taking advantage
of the directional properties of antennas. The antennas are highly directional,
allowing duplicate frequencies to be used for multiple zones.
SNMP
(Simple Network Management Protocol) A standard protocol that regulates
network management over the Internet.
SNTP
(Simple Network Time Protocol) A simplified version of NTP. SNTP can be used
when the ultimate performance of the full NTP implementation described in RFC
1305 is not needed or justified.
SSH
(Secure SHell) Developed by SSH Communications Security, Secure Shell is a
program to log into another computer over a network, to execute commands in a
remote machine, and to move files from one machine to another. The Array only
allows SSH-2 connections. SSH-2 provides strong authentication and secure
communications over insecure channels. SSH-2 protects a network from attacks,
such as IP spoofing, IP source routing, and DNS spoofing. Attackers who has
managed to take over a network can only force SSH to disconnect — they cannot
“play back” the traffic or hijack the connection when encryption is enabled. When
using SSH-2's slogin (instead of rlogin) the entire login session, including
transmission of password, is encrypted making it almost impossible for an
outsider to collect passwords. Be aware that your SSH utility must be set up to use
SSH-2.
SSID
(Service Set IDentifier) Every wireless network or network subset (such as a BSS)
has a unique identifier called an SSID. Every device connected to that part of the
network uses the same SSID to identify itself as part of the family — when it wants
to gain access to the network or verify the origin of a data packet it is sending over
the network. In short, it is the unique name shared among all devices in a WLAN.
Glossary of Terms
467
Wi-Fi Array
subnet mask
A mask used to determine what subnet an IP address belongs to. An IP address
has two components: (1) the network address and (2) the host address. For
example, consider the IP address 150.215.017.009. Assuming this is part of a Class
B network, the first two numbers (150.215) represent the Class B network address,
and the second two numbers (017.009) identify a particular host on this network.
TKIP
(Temporal Key Integrity Protocol) Provides improved data encryption by
scrambling the keys using a hashing algorithm and, by adding an integritychecking feature, ensures that the encryption keys haven’t been tampered with.
transmit power
The amount of power used by a radio transceiver to send the signal out. Transmit
power is generally measured in milliwatts, which you can convert to dBm.
User group
See Group.
VLAN
(Virtual LAN) A group of devices that communicate as a single network, even
though they are physically located on different LAN segments. Because VLANs
are based on logical rather than physical connections, they are extremely flexible.
A device that is moved to another location can remain on the same VLAN
without any hardware reconfiguration.
VLAN tagging
(Virtual LAN tagging) Static port-based VLANs were originally the only way to
segment a network without using routing, but these port-based VLANs could
only be implemented on a single switch (or switches) cabled together. Routing
was required to transfer traffic between unconnected switches. As an alternative
to routing, some vendors created proprietary schemes for sharing VLAN
information across switches. These methods would only operate on that vendor's
equipment and were not an acceptable way to implement VLANs. With the
adoption of the 802.11n standard, traffic can be confined to VLANs that exist on
468
Glossary of Terms
Wi-Fi Array
multiple switches from different vendors. This interoperability and traffic
containment across different switches is the result of a switch's ability to use and
recognize 802.1Q tag headers — called VLAN tagging. Switches that implement
802.1Q tagging add this tag header to the frame directly after the destination and
source MAC addresses. The tag header indicates:
1. That the packet has a tag.
2.
Whether the packet should have priority over other packets.
3.
Which VLAN it belongs to, so that the switch can forward or filter it
correctly.
WDS (Wireless Distribution System)
WDS creates wireless backhauls between arrays. These links between arrays may
be used rather than having to install data cabling to each array.
WEP
(Wired Equivalent Privacy) An optional IEEE 802.11 function that offers frame
transmission privacy similar to a wired network. The Wired Equivalent Privacy
generates secret shared encryption keys that both source and destination stations
can use to alter frame bits to avoid disclosure to eavesdroppers.
Wi-Fi Alliance
A nonprofit international association formed in 1999 to certify interoperability of
wireless Local Area Network products based on IEEE 802.11 specification. The
goal of the Wi-Fi Alliance's members is to enhance the user experience through
product interoperability.
Wi-Fi Array
A high capacity Wi-Fi networking device consisting of multiple radios arranged
in a circular array.
WPA
(Wi-Fi Protected Access) A Wi-Fi Alliance standard that contains a subset of the
IEEE 802.11i standard, using TKIP as an encryption method and 802.1x for
authentication.
Glossary of Terms
469
Wi-Fi Array
WPA2
(Wi-Fi Protected Access 2) WPA2 is the follow-on security method to WPA for
wireless networks and provides stronger data protection and network access
control. It offers Enterprise and consumer Wi-Fi users with a high level of
assurance that only authorized users can access their wireless networks. Like
WPA, WPA2 is designed to secure all versions of 802.11 devices, including
802.11a, 802.11b, 802.11g, and 802.11n, multi-band and multi-mode.
Xirrus Management System (XMS)
A Xirrus product used for managing large Wi-Fi Array deployments from a
centralized Web-based interface.
XP1 and XP8 — Power over Gigabit Ethernet modules
See PoGE.
XPS — Xirrus Power System
A family of optional Xirrus products that provides power over Gigabit Ethernet.
See PoGE.
470
Glossary of Terms
Wi-Fi Array
Index
Numerics
11n
see IEEE 802.11n 34
4.9 GHz Public Safety Band 267
802.11a 6, 7, 237, 250
802.11a/b/g 22
802.11a/b/g/n 12
802.11a/n 12, 62, 213
802.11b 6, 7, 254
802.11b/g 237, 254
802.11b/g/n 12, 62, 213
802.11e 14
802.11g 6, 7, 254
802.11i 7, 68, 139
802.11n 7
see IEEE 802.11n 34
WMI page 259
802.11p 14
802.11q 14
802.1x 7, 45, 55, 68, 139, 406
abg(n)
nomenclature 3
abg(n)2
intrusion detection 273
self-monitoring
radio assurance (loopback
mode) 263
AC power 44, 58, 379, 382
Access Control List 175
Access Control Lists 406
access control lists (ACLs) 195, 226
Access Panel 379, 382, 391
access panel
reinstalling 382
Index
removing 379
ACLs 45, 175, 406
active IAPs
per SSID 225
Address Resolution Protocol
window 98
Address Resolution Protocol (ARP)
248
Admin 406
Admin ID 181
admin ID
authentication via RADIUS 185
Admin Management 181
admin privileges
setting in admin RADIUS account
185
admin RADIUS account
if using Console port 185
admin RADIUS authentication 185
administration 68, 139, 175
Administrator Account 399
Advanced Encryption Standard 45,
406
Advanced RF Analysis Manager
see RAM 16
Advanced RF Performance Manager
see RPM 14
Advanced RF Security Manager
see RSM 15
AeroScout
see WiFi tag 161
AES 7, 13, 45, 55, 68, 139, 397, 406
allow traffic
see filters 283
Analysis Manager
see RAM 16
appearance
WMI options 309
WMI, changing 309
approved
471
Wi-Fi Array
setting rogues 108
APs 55, 107, 206, 406
rogues, blocking 273
APs, rogue
see rogue APs 262, 273
ARP filtering 248
ARP table window 98
Array 24, 61, 62, 76, 139, 147
connecting 61
dismounting 61
management 295
mounting 61
powering up 62
securing 61
Web Management Interface 76
ArrayOS
upgrade 298
Arrays
managing in clusters 289
associated users 24
assurance
network server connectivity 101,
191
assurance (radio loopback testing) 262
assurance, station
see station assurance 267
attack (DoS)
see DoS attack 274
attack (impersonation)
see impersonation attack 275
authentication 13
of admin via RADIUS 185
authority
certificate 179, 192
auto block
rogue APs, settings 273
auto negotiate 147
auto-blocking
rogue APs 273
auto-configuration 68, 243, 250, 254
472
channel and cell size 262
automatic refresh
setting interval 311
automatic update from remote server
configuration files, boot image 299
backhaul
see WDS 52
backup unit
see standby mode 262
band association 213
beacon interval 243
Beacon World Mode 243
beam distribution 12
benefits 12
block
rogue APs, settings 270
block (rogue APs)
see auto block 273
blocking
rogue APs 273
blocking rogue APs 262
boot 298
broadcast 248
fast roaming 249
browser
certificate error 179, 192
BSS 404
BSSID 107, 404
buttons 81
capacity
of 802.11n 41
cascading style sheet
sample for web page redirect 305
cdp 328
CDP (Cisco Discovery Protocol)
settings 154
Index
Wi-Fi Array
cdp CLI command 328
CDP neighbors 100
cell
sharp cell 262
cell size 24, 237
auto-configuration 262
cell size configuration 262
certificate
about 179, 192
authority 179, 192
error 179, 192
install Xirrus authority 192
X.509 179, 192
channel
auto-configuration 262
configuration 262
list selection 262
public safety 262
channels 24, 107, 237, 243, 250, 254
non-overlapping 13
CHAP (Challenge-Handshake Authentication Protocol)
Admin RADIUS settings 186
web page redirect 222
CHAP Challenge Handshake Authentication Protocol)
RADIUS ping 306
character restrictions 84
Chassis Cover 388
chassis cover 388
Cisco Discovery Protocol
see cdp 328
Cisco Discovery Protocol (CDP) 154
CLI 7, 55, 58, 65, 313
executing from WMI 308
using to upgrade software image
418
CLI commands
see commands 328
client
Index
web page redirect 304
cluster
CLI command 330
clusters 289
defining 290
management 291
operating in cluster mode 292
command
wifi-tag 359
Command Line Interface 7, 51, 58, 62,
65, 313, 406
configuration commands 326
getting help 315
getting started 315
inputting commands 315
sample configuration tasks 360
SSH 313
top level commands 317
command, utilities
ping, traceroute, RADIUS ping 305
commands
acl 326
admin 327
cdp 328
clear 329
cluster 330
configure 318
contact-info 331
date-time 332
dhcp-server 333
dns 334
file 335
filter 338
group 330, 340
hostname 340
interface 341
load 342
location 342
management 343
more 344
473
Wi-Fi Array
netflow 345
no 346
quit 348
radius-server 348
reboot 349, 357
reset 349
restore 350
run-tests 351
security 353
show 321
snmp 354
ssid 355
statistics 324
syslog 356
vlan 358
Community String 396
configuration 137, 406
express setup 139
reset to factory defaults 302
configuration changes
applying 83
configuration files
automatic update from remote
server 299
download 300
update from local file 300
update from remote file 300
connection
tracking window 99
connectivity
servers, see network assurance
101, 191
Console port
login via 185
Contact Information 423
contact information 423
coverage 24, 58
extended 12
coverage patterns 7
critical messages 79
474
CTS/RTS 250, 254
data rate 250, 254
data rates
increased by 802.11n 40
date/time restrictions
and interactions 232
DC power 44, 58
default gateway 68, 147
default settings 393
Default Value 397
DHCP 396
defaults
reset configuration to factory defaults 302
Delivery Traffic Indication Message
243
denial of service
see DoS attack 274
deny traffic
see filters 283
deployment 22, 32, 51, 55, 58, 406
ease of 13
examples 32
scenarios 32
detection
intrusion 273
see DoS attack 274
see impersonation attack 275
see impersonation detection 274
see intrusion detection 274, 275
DHCP 24, 65, 68, 139, 147, 395
default settings 396
leases window 99
DHCP Server 156
diagnostics
log, create file 302
DIMM 386
DIMM Memory Module 386
Index
Wi-Fi Array
DIMM module
replacing 386
display
WMI options 309
DNS 68, 139, 153
DNS domain 153
DNS server 153
Domain Name System 153
DoS attack detection
settings 274
DTIM 243
DTIM period 243
duplex 147
dynamic VLAN
overridden by group 231
EAP 397, 406
EAP-MDS 13
EAP-PEAP 406
EAP-TLS 13, 45, 406
EAP-TTLS 13, 45, 406
EDCF 243
Encryption 397, 406
encryption 13
encryption method
recommended (WPA2 with AES)
177
setting 178
support of multiple methods 177
encryption method (encryption mode)
Open, WEP, WPA, WPA2, WPABoth 177
encryption standard
AES, TKIP, both 177
setting 178
Enterprise 1, 6, 406
WLAN 6
Enterprise Class Management 7
Enterprise Class Security 7
Index
ESS 404
ESSID 404
Ethernet 58, 61, 62, 65, 68, 139
event log
IDS (intrusion detection) 135
see system log 134
event messages 79
Express Setup 61, 68, 139
express setup 68, 139
Extended Service Set 404
Extensible Authentication Protocol 406
external RADIUS server 802.1x 21
factory default settings 393
factory defaults 395, 396, 397, 399
DHCP 396
reset configuration to 300
factory.conf 300
fail-over
standby mode 262
failover 42, 55
Fan 379, 382
FAQs 404
Fast Ethernet 58, 65, 139, 147, 393
fast roaming 13, 95, 249
about 235
and VLANs 236
features 12, 51, 147, 159, 162, 243, 406
and license key 299
Federal Information Processing Standard (FIPS)
see FIPS 431
feedback 81
filter list 284
filter name 286
filters 283, 284, 286
stateful filtering, disabling 284
statistics 132
FIPS 140-2 Security 431
475
Wi-Fi Array
firewall 283
and port usage 48
stateful filtering, disabling 284
FLASH 384
FLASH memory
replacing 384
FLASH Memory Module 384
fragmentation threshold 250, 254
frequently asked questions 404
FTP 406
FTP server 21
General Hints 403
getting started
express setup 139
Gigabit 58, 65, 68, 139, 147, 393
global settings 243, 250, 254
glossary of terms 459
Group
management 230
group 228
CLI command 330, 340
VLAN overrides dynamic VLAN
231
group limits and interactions 232
Group Rekey 397
guard interval
short, for IEEE 802.11n 39
GUI
see WMI 309
help
button, bottom of page 82
button, left frame 79
Help button 76
help button 81
host name 68, 76, 139, 153
hs.css 305
476
HTTPS
certificate, see certificate 192
HTTPS port
web page redirect 219, 223, 224
HyperTerminal 20, 58
IAP 24, 62, 68, 139, 237, 250, 254, 276
active SSIDs 225
fast roaming 235
Intrusion Detection (IDS/IPS) 270
naming 3
settings 237
IAP LED 62, 276
IAP LED settings 276
IAPs
auto block rogues 273
intrusion detection 273
IDS
see Intrusion Detection 270
IDS event log
viewing window 135
IEEE 6, 68, 139
IEEE 802.11n
capacity, increased 41
deployment considerations 34
guard interval, short 39
improved MAC throughput 39
increased data rates 40
MIMO 35
multiple data streams 37
spatial multiplexing 37
WMI page 259
IEEE 802.1Q 410
image
upgrade software image 298
impersonation attack detection
settings 275
implementing Voice over Wi-Fi 22,
171, 210
Index
Wi-Fi Array
installation 19, 56, 61, 375
installing the MCAP-3616 58
mounting the unit 61
requirements 19
workflow 56
installation workflow 56
Integrated Access Point Module 388
integrated radio module
replacing 388
interfaces 139
Web 75
internal login page
web page redirect 220
web page redirect, customize 222
internal splash page
web page redirect 221
web page redirect, customize 222
Internet Explorer 20
interval
automatic WMI refresh 311
intrusion detection 107, 273
and auto block settings 273
configuration 262
setting as approved or known 108
intrusion detection (IDS)
viewing event log 135
Intrusion Detection (IDS/IPS) 270
IP Address 24, 68, 76, 83, 107, 139, 147,
153, 162, 165, 295, 395
IP Subnet Mask 68
IPS
see Intrusion Detection 270
key
upgrade 299
key features 12
Keyboard Shortcuts 399
keyboard shortcuts 399
known
Index
setting rogues 108
lastboot.conf 300
Layer 3
fast roaming 235
lease 395
Lease Time 395
leases, DHCP
viewing 99
LEDs 62
sequence 62
settings 276
license Key
upgrading 299
limits
group 232
interactions 232
station 232
traffic 232
list, access control
see access control list 195, 226
list, MAC access
see access control list 195
list, SSID access
see access control list 226
location information 68, 76, 139
log
diagnostics, create file 302
log messages
counters 80
log, IDS(intrusion detection)
viewing window 135
log, system (event)
viewing window 134
logging in 65, 83
Login 83
login
via Console port 185
login page
477
Wi-Fi Array
web page redirect 220, 304
web page redirect, customize 222
logout 312
long retry limit 243
loopback
see radio assurance 372
loopback testing
radio assurance mode 262
MAC 45, 65, 404, 406
MAC Access Control Lists 45
MAC Access List 195
MAC address 195, 404, 406
MAC throughput
improved by IEEE 802.11n 39
Main System Memory 386
Management 399, 406
management 85, 137, 295
Array clusters 289
of Arrays 295
Web Management Interface (WMI)
75
maximum lease 395
Maximum Lease Time 395
Megabit 68
menu behavior
WMI 311
Message Integrity Check 406
messages
syslog counters 80
MIC 13, 406
MIMO (Multiple-In Multiple-Out) 35
mode
cluster operating mode 292
monitoring
intrusion detection 107
see intrusion detection 273
mounting 61
mounting plate 61
478
mounting the unit 61
MTU 147
size 147
multiple data streams 37
NAT
table - see connection tracking 99
neighbors, CDP 100
Netflow 159
netflow
CLI command 345
Netscape Navigator 19, 20
network
interfaces 146
settings 147
network assurance 101, 191
network connections 58, 83, 406
network installation 19, 375
network interface ports 65
network interfaces 147, 393
network status
ARP table window 98
connection
tracking window 99
routing table window 98
viewing leases 99
Network Time Protocol 68, 139, 157
network tools
ping, traceroute, RADIUS ping 305
nomenclature 3
non-overlapping channels 13
NTP 68, 139, 157, 395
NTP Server 157
Open (encryption method) 177
optimization, VLAN 248
options
WMI 309
Index
Wi-Fi Array
overview 7
page loading
WMI 311
PAP (Password Authentication Protocol)
Admin RADIUS settings 186
RADIUS ping 306
web page redirect 222
passphrase 45, 68, 139
Password 399, 406
password 83
Payment Card Industry Data Security
Standard
see PCI DSS 425
PCI DSS 425
PEAP 13, 280
performance 12
Performance Manager
see RPM 14
Ping 295
ping 305
planning 42, 44, 45, 51
failover 42
network management 51
port failover 42
power 44
security 45
switch failover 42
WDS 52
PoGE 19
see Power over Gigabit Ethernet 10
PoGE Power Injectors 1
port failover 42
port requirements 48
power cord 379
power outlet 19
Power over Gigabit Ethernet 3, 19, 44,
59
Index
Power over Gigabit Ethernet (PoGE) 10
power planning 44
Power Supply 379, 382, 391
power supply
replacing 391
pre-shared key 45, 55, 406
Print button 76
print button 81
probe
see Netflow 159
product installation 19, 375
product overview 7
PSK 55, 397
public safety band 267
public safety channels 262
PuTTY 19, 51, 68, 139, 406
PuTTy 20
QoS 14, 213, 397, 404, 466
conflicting values 212
levels defined 214, 231
priority 213
SSID 209, 214
about setting QoS 405
default QoS 397
user group 231
quality
of user experience 267
Quality of Service 14
see QoS 214, 231
quick reference guide 393
quick start
express setup 139
radio
assurance (self-test) 263
radio assurance (loopback testing) 262
radio assurance (loopback) mode 263
479
Wi-Fi Array
radio distribution 12
radios
naming 3
RADIUS 7, 19, 45, 55, 175, 195, 226,
395, 406
admin authentication 185
setting admin privileges 185
setting user VSAs 201
Vendor Specific Attributes (VSAs)
415
RADIUS ping
CHAP Challenge Handshake Authentication Protocol) 306
PAP (Password Authentication
Protocol) 306
RADIUS Ping command 306
RADIUS Server 395
RADIUS server 21
RADIUS settings
web page redirect 222
RAM (RF Analysis Manager) 16
reauthentication 243
reboot 298
redirect (WPR) 304
refresh interval
WMI 311
remote boot image
automatic update from remote
TFTP server 299
remote configuration
automatic update from remote
server 299
remote TFTP server
automatic update of boot image,
configuration 299
Reset 295, 395
reset configuration
to factory defaults 302
restore command 350
restrictions
480
date/time 232
stations 232
traffic 232
RF
intrusion detection 262
spectrum management 262
RF Analysis Manager
see RAM 16
RF configuration 262
RF management
see channel 262
RF Performance Manager
see RPM 14
RF resilience 262
RF Security Manager
see RSM 15
roaming 13, 95, 249
see fast roaming 235
Rogue AP 7, 51, 107, 206, 406
rogue AP
blocking 273
settings for blocking 270
Rogue AP List 107
rogue APs
auto block settings 273
blocking 262
Rogue Control List 206
rogue detection 12
rogues
setting as known or approved 108
root command prompt 317
route
trace route utility 305
routing table window 98
RPM (RF Performance Manager) 14
RSM (RF Security Manager) 15
RSSI 107
RTS 250, 254
RTS threshold 250, 254
Index
Wi-Fi Array
sample Perl and CSS files for 304
save
with reboot 298
Save button 76
saved.conf 300
scalability 6
schedule
auto channel configuration 262
Secondary Port 395
Secondary Server 395
secret 395
Secure Shell 20
secure Shell 19
Security
FIPS 431
PCI DSS 425
security 7, 13, 175, 404, 406
certificate, see certificate 192
Security Manager
see RSM 15
see group 228
self-monitoring 273
radio assurance 372
radio assurance options 263
self-test
radio assurance mode 263
serial port 20, 65, 406
server, VTun
see VTun 174
servers
connectivity, see network assurance 101, 191
Service Set Identifier 68
Services 156, 379, 382, 404
servicing 377
servicing the unit 375
settings 139
setup, express 139
sharp cell 262
Index
setting in WMI 265
short retry limit 243
signal processing
MIMO 36
skin
changing WMI appearance 309
SNMP 7, 10, 68, 139, 147, 156, 165, 396
required for XMS 165, 166
software
upgrade license key 299
software image
upgrading via CLI 418
Software Upgrade 295
software upgrade 298
spatial multiplexing 37
spectrum (RF) management 262
speed 6, 65, 147
11 Mbps 6
54 Mbps 6
splash page
web page redirect 221, 304
web page redirect, customize 222
SSH 19, 20, 51, 68, 139, 147, 176, 399,
406
SSH-2 176
SSID 7, 68, 76, 107, 139, 206, 213, 397,
404, 410
about usage 405
active IAPs 225
QoS 209, 214
about using 405
QoS, about usage 405
web page redirect settings 217
web page redirect settings, about
219, 223, 224
SSID Access List 226
SSID address 226
SSID Management 213, 397, 404
standby mode 262
stateful filtering
481
Wi-Fi Array
disabling 284
static IP 68, 139, 147
station
assurance 267
station assurance 267
station timeout period 243
Stations 404
stations
limits and interactions 232
rogues 108
statistics 132
statistics per station 133
statistics 139
filters 132
netflow 159
per-station 133
stations 132
WDS 131
status bar 76, 81
style
WMI appearance 309
submitting comments 81
subnet 19, 42, 68, 147
switch failover 42
synchronize 68, 139, 157
Syslog 68, 76, 139, 156, 162, 395
time-stamping 68
syslog messages
counters 80
Syslog reporting 162
Syslog Server 162
system commands
ping, trace route, RADIUS ping
305
System Configuration Reset 295
System Log 162
system log
viewing window 134
system memory
replacing 386
482
System Reboot 295
System Tools 295
system tools 296
tag, WiFi 161
T-bar 61
T-bar clips 61
TCP
port requirements 48
technical support
contact information 423
frequently asked questions 404
Telnet 176, 399, 406
Temporal Key Integrity Protocol 406
TFTP server
automatic update of boot image,
configuration 299
Time Out 395
time zone 68, 139, 157
timeout 243, 295
Tips 403
TKIP 13, 45, 55, 68, 139, 397, 406
TKIP encryption
and XN Arrays 198
tool
ping, trace route, RADIUS ping
305
Tools 295, 406
tools, network 305
tools, system 296
trace route utility 305
traffic
filtering 283
limits and interactions 232
transmit power 24
Trap Host 396
trap port 165, 396
tunneled
fast roaming 249
Index
Wi-Fi Array
tunnels
see VTun 171, 174
UDP
port requirements 48
Unit 61
attaching 61
mounting 61
unknown
setting rogues 108
upgrade
license key 299
software image 298
upgrading software image
via CLI 418
UPS 19, 55
user accounts
setting RADIUS VSAs 201
user group 228
QoS 231
user group limits and interactions 232
user interface 75
utilities
ping, trace route, RADIUS ping
305
utility buttons 81
Vendor Specific Attributes (VSAs)
RADIUS, for Xirrus 415
virtual tunnels
see VTun 174
VLAN 7, 55, 213, 397, 404, 410
broadcast optimization 248
dynamic
overridden by group 231
group (vs. dynamic VLAN) 231
vlan
CLI command 358
Index
VLAN ID 213
VLANs 171
and fast roaming 236
voice
fast roaming 235
implementing on Array 22, 171,
210
Voice-over IP 254
VoIP 254
VoWLAN 14
VPN 68, 139, 406
VTS
Virtual Tunnel Server 171, 174
VTun
specifying tunnel server 171, 174
understanding 171
wall thickness considerations 22
warning messages 79
WDS 278, 280
about 52
long distance 241, 279
planning 52
statistics 131
timeouts 241, 279
WDS Client Links 280
Web interface
structure and navigation 79
web interface 75
Web Management Interface 51, 61, 62,
65, 83, 404
Web Management Interface (WMI) 75
web page redirect 304
also called WPR 304
CHAP (Challenge-Handshake Authentication Protocol) 222
customize internal login/splash
page 222
HTTPS port 219, 223, 224
483
Wi-Fi Array
install files for 304
internal login page 220
internal splash page 221
PAP, CHAP 222
RADIUS settings 222
remove files for 305
sample WPR files 305
SSID settings 217
SSID settings, about 219, 223, 224
WEP 13, 45, 68, 139, 175, 213, 397, 406
WEP (Wired Equivalent Privacy)
encryption method 177
WEP encryption
and XN Arrays 199
Wi-Fi Protected Access 7, 45, 68, 139,
406
WiFi tag 161
wifi-tag
CLI command 359
window loading
WMI 311
Wired Equivalent Privacy 68, 406
Wireless Distribution System 278
wireless LAN 6
wireless security 139
WLAN 139
WMI 7, 51, 55, 65, 75, 237
appearance options 309
appearance, changing 309
certificate error 179, 192
executing CLI commands 308
menu behavior 311
options 309
page loading 311
refresh interval 311
workflow 56
WPA 7, 55, 68, 139, 175, 213, 397, 406
WPA (Wi-Fi Protected Access) and
WPA2
encryption method 177
484
WPA2 7
WPR
see web page redirect 304
wpr.pl 304, 305
X.509
certificate 179, 192
XA-3300 1, 7
Xirrus
certificate authority 192
Xirrus Advanced RF Analysis Manager
see RAM 16
Xirrus Advanced RF Performance
Manager
see RPM 14
Xirrus Advanced RF Security Manager
see RSM 15
Xirrus Management System 8, 10, 13,
21
SNMP required 165, 166
Xirrus Management System (XMS) 1
Xirrus PoGE Power Injectors 1
Xirrus Power over Gigabit Ethernet 19
Xirrus Remote DC Power System 19,
58
Xirrus Roaming Protocol 13, 95, 249
Xirrus Wireless Management System
19, 51, 406
XM-3300 1, 7, 19, 51, 55, 165, 406
XMS 8, 10, 13, 21
port requirements 48
setting IP address of 165
SNMP required 165, 166
XN Arrays
see also IEEE 802.11n 34
XN12 1, 7
XN16 1, 7
management 295
Index
Wi-Fi Array
XN4 1, 7
XN8 1, 7
XP PoGE Power Injectors 1
XP1, XP8
see Power over Gigabit Ethernet 10
XP-3100 19, 55, 58
XPS 19
XRP 13, 95, 249
xs_current.conf 300
xs_diagnostic.log 303
XS16 1, 7
management 137, 295
XS4 1, 7
XS8 1, 7
Index
485
Wi-Fi Array
486
Index
Source Exif Data: 
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Tagged PDF                      : Yes
XMP Toolkit                     : Adobe XMP Core 4.0-c321 44.398116, Tue Aug 04 2009 14:24:39
Modify Date                     : 2011:08:23 17:28:22-07:00
Create Date                     : 2011:08:23 17:28:10-07:00
Metadata Date                   : 2011:08:23 17:28:22-07:00
Creator Tool                    : FrameMaker 10.0.1
Format                          : application/pdf
Title                           : xirrus_PDF.book
Creator                         : Shelly
Document ID                     : uuid:17a3269a-c69b-4209-96e9-172925d0d9f6
Instance ID                     : uuid:d978c1ee-693c-49e6-b904-54b4d4286036
Producer                        : Acrobat Distiller 10.1.0 (Windows)
Page Count                      : 358
Author                          : Shelly
EXIF Metadata provided by EXIF.tools
FCC ID Filing: SK6XI-N300

Navigation menu