Cambium Networks XN12 WIRELESS LAN ARRAY User Manual

Xirrus, Inc. WIRELESS LAN ARRAY

C Pages 226 to 350 from ArrayGuide Rel4 SS Dec02 2008

Wi-Fi Array206 Configuring the Wi-Fi Array3. New VLAN Name/Number: Enter a name and number for the newVLAN in this field, then click on the Create button. The new VLAN isadded to the list.4. VLAN Number: Enter a number for this VLAN (1-4094).5. Management: Check this box to allow management over this VLAN.6. DHCP: Check this box if you want the DHCP server to assign the IPaddress, subnet mask and gateway address to the VLAN automatically,otherwise you must go to the next step and assign these parametersmanually.7. IP Address: If the DHCP option is disabled, enter a valid IP address forthis VLAN association.8. Subnet Mask: If the DHCP option is disabled, enter the subnet mask IPaddress for this VLAN association.9. Gateway: If the DHCP option is disabled, enter the IP gateway addressfor this VLAN association.10. Tunnel Server: If this VLAN is to be tunneled, enter the IP address orhost name of the tunnel server that will perform the tunneling. For moreinformation on virtual tunnels, please see “Understanding VirtualTunnels” on page 203. 11. Port: If this VLAN is to be tunneled, enter the port number of the tunnelserver. 12. New Secret: Enter the password expected by the tunnel server.13. Delete: To delete the selected VLAN, simply click the Delete button toremove the VLAN from the list.14. Click Apply to apply the new settings to this session, or click Save toapply your changes and make them permanent.See AlsoVLAN StatisticsVLANs
Wi-Fi ArrayConfiguring the Wi-Fi Array 207SecurityThis status- only window allows you to review the Array’s security parameters. Itincludes the assigned network administration accounts, Access Control List(ACL) values, management settings, encryption and authentication protocolsettings, and RADIUS configuration settings. There are no configuration optionsavailable in this window, but if you are experiencing issues with security, youmay want to print this window for your records.Figure 122. Security For additional information about wireless network security, refer to:z“Security Planning” on page 70z“Understanding Security” on page 208zThe Security section of “Frequently Asked Questions” on page 400.For information about secure use of the WMI, refer to:z“Certificates and Connecting Securely to the WMI” on page 211Security settings are configured with the following windows:z“Admin Management” on page 213
Wi-Fi Array208 Configuring the Wi-Fi Arrayz“Admin RADIUS” on page 214z“Management Control” on page 217z“Access Control List” on page 221z“Global Settings” on page 223z“External Radius” on page 226z“Internal Radius” on page 229z“Rogue Control List” on page 231 Understanding SecurityThe Xirrus Wi-Fi Array incorporates many configurable security features. Afterinitially installing an Array, always change the default administrator password(the default is admin), and choose a strong replacement password (containingletters, numbers and special characters). See also, “Character Restrictions” onpage 126. When appropriate, issue read only administrator accounts.Other security considerations include:zSSH versus Telnet: Be aware that Telnet is not secure over networkconnections and should be used only with a direct serial port connection.When connecting to the unit’s Command Line Interface over a networkconnection, you must use a Secure SHell version 2 (SSH-2) utility. SSH-2provides stronger security than SSH-1. The most commonly usedfreeware providing SSH tools is PuTTY.zConfiguration auditing: The optional Xirrus Management System (XMS)offers powerful management features for small or large Xirrus Wi-Fideployments, and can audit your configuration settings automatically. Inaddition, using the XMS eliminates the need for an FTP server.zChoosing an encryption method: Wireless data encryption preventseavesdropping on data being transmitted or received over the airwaves.The Array allows you to establish the following data encryptionconfiguration options:•Open—this option offers no data encryption and is notrecommended, though you might choose this option if clients are
Wi-Fi ArrayConfiguring the Wi-Fi Array 209required to use a VPN connection through a secure SSH utility,like PuTTy.•WEP (Wired Equivalent Privacy)—this option provides minimalprotection (though much better than using an open network). Anearly standard for wireless data encryption and supported by allWi-Fi certified equipment, WEP is vulnerable to hacking and istherefore not recommended for use by Enterprise networks.•WPA (Wi-Fi Protected Access) and WPA2—these are muchstronger encryption modes than WEP, using TKIP (Temporal KeyIntegrity Protocol) or AES (Advanced Encryption Standard) toencrypt data.WPA solves security issues with WEP. It also allows you toestablish encryption keys on a per-user-basis, with key rotationfor added security. In addition, TKIP provides Message IntegrityCheck (MIC) functionality and prevents active attacks on thewireless network.AES is the strongest encryption standard and is used bygovernment agencies; however, old legacy hardware may not becapable of supporting the AES mode (it probably won’t work onolder wireless clients). Because AES is the strongest encryptionstandard currently available, WPA2 with AES is highlyrecommended for Enterprise networks. Any of the above encryption methods can be used and an Array cansupport multiple encryption methods simultaneously, but only onemethod may be selected per SSID (except that selecting WPA-Both allowsWPA and WPA2 to be used at the same time on the same SSID).Otherwise, if multiple security methods are needed, you must definemultiple SSIDs.The encryption mode (WEP, WPA, etc.) is selected in the SSIDs >SSIDManagement window (see “SSID Management” on page 238).Theencryption standard used with WPA or WPA2 (AES or TKIP) isselected in the Security>Global Settings window under WPA Settings(see “Global Settings” on page 223).
Wi-Fi Array210 Configuring the Wi-Fi ArrayzChoosing an authentication method: User authentication ensures thatusers are who they say they are. For this purpose, the Array allows you tochoose between the following user authentication methods:•Pre-Shared Key—users must manually enter a key (passphrase)on the client side of the wireless network that matches the keystored by the administrator in the Array.This method should be used only for smaller networks when aRADIUS server is unavailable. If PSK must be used, choose astrong passphrase containing between 8 and 63 characters (20 ispreferred). Always use a combination of letters, numbers andspecial characters. Never use English words separated by spaces.•RADIUS 802.1x with EAP—802.1x uses a RADIUS server toauthenticate large numbers of clients, and can handle differentEAP (Extensible Authentication Protocol) authenticationmethods, including EAP-TLS, EAP-TTLS, EAP-PEAP, and LEAP-Passthrough. The RADIUS server can be internal (provided bythe Wi-Fi Array) or external. An external RADIUS server offersmore functionality and security, and is recommended for largedeployments. When using this method, user names andpasswords must be entered into the RADIUS server for userauthentication.•MAC Address ACLs (Access Control Lists)—MAC addressACLs provide a list of client adapter MAC addresses that areallowed or denied access to the wireless network. Access ControlLists work well when there are a limited number of users—in thiscase, enter the MAC address of each user in the Allow list. In theevent of a lost or stolen MAC adapter, enter the affected MACaddress in the Deny list.The Wi-Fi Array will accept up to 1,000 ACL entries.zPCI DSS or FIPS 140-2 Security—to implement the requirements of thesesecurity standards on the Wi-Fi Array, please see Appendix D:Implementing Security Standards.
Wi-Fi ArrayConfiguring the Wi-Fi Array 211Certificates and Connecting Securely to the WMIWhen you point your browser to the Array to connect to the WMI, the Arraypresents an X.509 security certificate to the browser to establish a secure channel.One significant piece of information in the certificate is the Array’s host name.This ties the certificate to a particular Array and ensures the client that it isconnecting to that host.Certificate Authorities (CAs) are entities that digitally sign certificates, using theirown certificates (for example, VeriSign is a well-known CA). When the Arraypresents its certificate to the browser, the browser looks up the CA that signed thecertificate to decide whether to trust it. Browsers ship with a small set of trustedCAs already installed. If the browser trusts the certificate’s CA, it checks to ensurethe host name (and IP address) match those on the certificate. If any of thesechecks fail, you get a security warning when connecting to the WMI. The Array ships with a default certificate that is signed by the Xirrus CA. Youmay choose to use this certificate, or to use a certificate issued by the CA of yourchoice, as described in the following sections:zUsing the Array’s Default CertificatezUsing an External Certificate AuthorityUsing the Array’s Default CertificateThe Array’s certificate is signed by a Xirrus CA that is customized for your Arrayand its current host name. By default, browsers will not trust the Array’scertificate. You may import the Xirrus certificate to instruct the browser to trustthe Xirrus CA on all future connections to Arrays. The certificate for the XirrusCA is available on the Array, so that you can import it into your browser’s cacheof trusted CAs (right alongside VeriSign, for example). On the ManagementControl window of the WMI you will see the xirrus-ca.crt file. (Figure 123)
Wi-Fi Array212 Configuring the Wi-Fi ArrayFigure 123. Import Xirrus Certificate AuthorityBy clicking and opening this file, you can follow your browser’s instructions andimport the Xirrus CA into your CA cache (see page 219 for more information).This instructs your browser to trust any of the certificates signed by the XirrusCA, so that when you connect to any of our Arrays you should no longer see thewarning about an untrusted site. Note however, that this only works if you usethe host name when connecting to the Array. If you use the IP address to connect,you get a lesser warning saying that the certificate was only meant for ‘hostname’.Since an Array’s certificate is based on the Array’s host name, any time youchange the host name the Array’s CA will regenerate and resign a new certificate.This happens automatically the next time you reboot after changing the hostname. If you have already installed the Xirrus CA on a browser, this new Arraycertificate should automatically be trusted. When you install the Xirrus CA in your browser, it will trust a certificate signedby any Xirrus Array, as long as you connect using the Array’s host name. Using an External Certificate AuthorityIf you prefer, you may install a certificate on your Array signed by an outside CA. Why use a certificate from an external CA? The Array’s certificate is used forsecurity when stations attempt to associate to an SSID that has Web Page Redirectenabled. In this case, it is preferable for the Array to present a certificate from anexternal CA that is likely to be trusted by most browsers. When a WPR login page
Wi-Fi ArrayConfiguring the Wi-Fi Array 213is presented, the user will not see a security error if the Array’s certificate wasobtained from an external CA that is already trusted by the user’s browser. WMI provides options for creating a Certificate Signing Request that you cansend to an external CA, and for uploading the signed certificate to the Array afteryou obtain it from the CA. This certificate will be tied to the Array’s host nameand private key. See “External Certification Authority” on page 220 for moredetails. Admin ManagementThis window allows you to manage network administrator accounts (create,modify and delete). It also allows you to limit account access to a read only status.When finished, click on the Save button to save your changes.Figure 124. Admin Management Procedure for Creating or Modifying Network Administrator Accounts1. Admin ID: Enter the login name for a new network administrator ID.The length of the ID must be between 5 and 50 characters, inclusive. Forspecial characters that may be used, see “Character Restrictions” onpage 126. 2. Read/Write: Choose Read/Write if you want to give this administrator IDfull read/write privileges, or choose Read to restrict this user to read onlystatus. In the read only mode, administrators cannot save changes toconfigurations.
Wi-Fi Array214 Configuring the Wi-Fi Array3. User Password: Enter a password for this ID. The length of the passwordmust be between 5 and 50 characters, inclusive. For special characters thatmay be used, see “Character Restrictions” on page 126.4. Verify Password: Re-enter the password in this field to verify that youtyped the password correctly. If you do not re-enter the correct password,an error message is displayed).5. Click on the Create button to add this administrator ID to the list.6. Click Apply to apply modified settings to this session, or click Save toapply your changes and make them permanent.See AlsoExternal RadiusGlobal Settings (IAP)Internal RadiusManagement ControlSecurityAdmin RADIUSThis window allows you to set up authentication of network administrators viaRADIUS. Using RADIUS to control administrator accounts for logging in toArrays has these benefits: zCentralized control of administrator accounts. zLess effort—you don't have to set up user names and passwords on eachArray; just enter them once on the RADIUS server and then all of theArrays can pull from the RADIUS server. zEnforced policies—you may set password rules (e.g., passwords mustcontain at least one number and be at least 12 characters in length), andyou may set expiration times for passwords. Admin RADIUS settings override any local administrator accounts configured onthe  Admin Management window. If you have Admin RADIUS enabled, alladministrator authentication is done via the configured RADIUS servers. Theonly exception to this is when you are connected via the Console port (using CLI).
Wi-Fi ArrayConfiguring the Wi-Fi Array 215If you are using the Console port, the Array will authenticate administratorsusing accounts configured on the Admin Management window first, and then usethe RADIUS servers. This provides a safety net to be ensure that you are notcompletely locked out of an Array if the RADIUS server is down.Permissions for RADIUS administrator accounts are controlled by the RADIUSService-Type attribute. To grant read-write permission, configure the RADIUSserver to send back the Service-Type attribute with a value of Administrative. Togrant read-only permission, the RADIUS server should send the Service-Typeattribute with a value of NAS Prompt. When configuring administrator accounts on the RADIUS server, you mustobserve the same restrictions for length and legal characters as when creatingthese accounts on the Array using the Admin Management window: the username and password must be between 5 and 50 characters, inclusive. For specialcharacters that may be used, see “Character Restrictions” on page 126. Use this window to enable/disable administrator authentication via RADIUS,and to set up primary and secondary servers to use for authentication ofadministrators attempting to log in to the Array. When finished, click on the Savebutton to save your changes.Figure 125. Admin RADIUS
Wi-Fi Array216 Configuring the Wi-Fi ArrayProcedure for Configuring Admin RADIUS 1. Admin RADIUS Settings: a. Enable Admin RADIUS: Click Yes to enable the use of RADIUS toauthenticate administrators logging in to the Array. You will need tospecify the RADIUS server(s) to be used. b. Timeout (seconds): Define the maximum idle time (in seconds)before the RADIUS server’s session times out. The default is 600seconds.2. Admin RADIUS Primary Server: This is the RADIUS server that youintend to use as your primary server.a. Host Name / IP Address: Enter the IP address or domain name of thisexternal RADIUS server.b. Port Number: Enter the port number of this RADIUS server. Thedefault is 1812.c. Shared Secret / Verify Secret: Enter the shared secret that thisRADIUS server will be using, then re-enter the shared secret to verifythat you typed it correctly.3. Admin RADIUS Secondary Server (optional): If desired, enter analternative external RADIUS server. If the primary RADIUS serverbecomes unreachable, the Array will “failover” to the secondary RADIUSserver (defined here).a. Host Name / IP Address: Enter the IP address or domain name of thisRADIUS server.b. Port Number: Enter the port number of this RADIUS server.The default is 1812.#The shared secret that you define must match the secret used by theRADIUS server.
Wi-Fi ArrayConfiguring the Wi-Fi Array 217c. Shared Secret / Verify Secret: Enter the shared secret that thisRADIUS server will be using, then re-enter the shared secret to verifythat you typed it correctly.Management ControlThis window allows the Array management interfaces to be enabled and disabledand their inactivity time-outs set. The supported range is 300 (default) to 100,000seconds.Figure 126. Management Control
Wi-Fi Array218 Configuring the Wi-Fi ArrayProcedure for Configuring Management Control1. SSH:a. Enable Management: Choose Yes to enable management of theArray over a Secure Shell (SSH-2) connection, or No to disable thisfeature. Be aware that only SSH-2 connections are supported by theArray. SSH clients used for connecting to the Array must beconfigured to use SSH-2. b. Connection Timeout 30-100000 (Seconds): Enter a value in this fieldto define the timeout (in seconds) before your SSH connection isdisconnected. The value you enter here must be between 30 secondsand 100,000 seconds.c. Port: Enter a value in this field to define the port used by SSH.The default port is 22.2. Telnet:a. Enable Management: Choose Yes to enable Array management overa Telnet connection, or No to disable this feature. SSH offers a moresecure connection than Telnet, and is recommended over Telnet. b. Connection Timeout 30-100000 (Seconds): Enter a value in this fieldto define the timeout (in seconds) before your Telnet connection isdisconnected. The value you enter here must be between 30 secondsand 100,000 seconds.c. Port: Enter a value in this field to define the port used by Telnet.The default port is 23.3. Seriala. Enable Management: Choose Yes to enable management of theArray via a serial connection, or choose No to disable this feature.b. Connection Timeout 30-100000 (Seconds): Enter a value in this fieldto define the timeout (in seconds) before your serial connection isdisconnected. The value you enter here must be between 30 secondsand 100,000 seconds.
Wi-Fi ArrayConfiguring the Wi-Fi Array 2194. HTTPSa. Connection Timeout 30-100000 (Seconds): Enter a value in this fieldto define the timeout (in seconds) before your HTTPS connection isdisconnected. The value you enter here must be between 30 secondsand 100,000 seconds. Management via HTTPS (i.e., the WebManagement Interface) cannot be disabled on this window. Todisable management over HTTPS, you must use the Command LineInterface. b. Port: Enter a value in this field to define the port used by SSH.The default port is 443.c. Import Xirrus Authority into Browser: This feature imports theXirrus Certificate Authority (CA) into your browser (for a discussion,please see “Certificates and Connecting Securely to the WMI” onpage 211). Click the link (xirrus-ca.crt), and then click Open to viewor install the current Xirrus CA certificate. Click Install Certificate tostart your browser’s Certificate Install Wizard. We recommend thatyou use this process to install Xirrus as a root authority in yourbrowser. When you assign a Host Name to your Array using the ExpressSetup window, then the next time you reboot the Array itautomatically creates a security certificate for that host name. Thatcertificate uses Xirrus as the signing authority. Thus, in order to avoidhaving certificate errors on your browser when using WMI:•You must have assigned a host name to the Array and rebooted atsome time after that.•Use Import Xirrus Authority into Browser•Access WMI by using the host name of the Array rather than itsIP address. d. HTTPS (X.509) Certificate Signed By: This read-only field shows thesigning authority for the current certificate.
Wi-Fi Array220 Configuring the Wi-Fi Array5. External Certification AuthorityThis Step and Step 6 allow you to obtain a certificate from an externalauthority and install it on an Array. “Using an External CertificateAuthority” on page 212 discusses reasons for using an external CA. For example, to obtain and install a certificate from VeriSign on the Array,follow these steps:•If you don’t already have the certificate from the external (non-Xirrus) Certificate Authority, see Step 6 to create a request for acertificate. •Use  Step 5a to review the request and copy its text to send toVer iS ign.  •When you receive the new certificate from VeriSign, upload it to theArray using Step 5b. External Certification Authority has the following fields:a. Download Certificate Signing Request: After creating a certificatesigning request (.csr file—Step 6), click the View button to review it.If it is satisfactory, click the name of the .csr file to display the text ofthe request. You can then copy this text and use it as required by theCA. You may also click on the filename of the .csr file to download itto your local computer. b. Upload Signed Certificate: To use a custom certificate signed by anauthority other than Xirrus, use the Browse button to locate thecertificate file, then click Upload to copy it to the Array. The Array’sweb server will be restarted and will pick up the new certificate. Thiswill terminate any current web sessions, and you will need toreconnect and re-login to the Array. 6. To create a Certificate Signing Request a. Fill in the fields in this section: Common Name, Organization Name,Organizational Unit Name, Locality (City), State or Province,Country Name, and Email Address. Spaces may be used in any ofthe fields, except for Common Name, Country Name, or Email
Wi-Fi ArrayConfiguring the Wi-Fi Array 221Address. Click the Create button to create the certificate signingrequest. See Step 5 above to use this request. 7. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoNetwork Interfaces - to enable/disable management over an Ethernet interfaceGlobal Settings (IAP) - to enable/disable management over IAPs Admin ManagementExternal RadiusGlobal Settings (IAP)Internal RadiusAccess Control ListSecurityAccess Control ListThis window allows you to create new station access lists, delete existing lists,and add/remove MAC addresses. When finished, click on the Save button tosave your changes.Figure 127. Access Control List
Wi-Fi Array222 Configuring the Wi-Fi ArrayProcedure for Configuring Access Control Lists1. Access Control List Type: Select Disabled to disable the Access ControlList, or select the Access Control List type—either Allow List or DenyList. Then click Apply to apply your changes.•Allow List: Only allows these MAC addresses to associate to theArray.•Deny List: Allows all MAC addresses except the addressesdefined in this list.2. MAC Address: If you want to add a MAC address to the ACL, enter thenew MAC address here, then click on the Create button. The MACaddress is added to the ACL.3. Delete: You can delete selected MAC addresses from this list by checkingtheir Delete buttons, then clicking Apply or Save.4. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoExternal RadiusGlobal Settings (IAP)Internal RadiusManagement ControlSecurityStation Status Windows (list of stations that have been detected by the Array) #In addition to these lists, other authentication methods (forexample, RADIUS) are still enforced for users.
Wi-Fi ArrayConfiguring the Wi-Fi Array 223Global SettingsThis window allows you to establish the security parameters for your wirelessnetwork, including WEP, WPA, WPA2 and RADIUS authentication. Whenfinished, click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.For additional information about wireless network security, refer to “SecurityPlanning” on page 70 and “Understanding Security” on page 208.Figure 128. Global Settings (Security)
Wi-Fi Array224 Configuring the Wi-Fi ArrayProcedure for Configuring Network Security1. RADIUS Server Mode: Choose the RADIUS server mode you want touse, either Internal or External. Parameters for these modes areconfigured in “External Radius” on page 226 and “Internal Radius” onpage 229. WPA Settings These settings are used if the WPA or WPA2 encryption type is selected on the SSIDs >SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field). 2. TKIP Enabled: Choose Yes to enable TKIP (Temporal Key IntegrityProtocol), or choose No to disable TKIP.3. AES Enabled: Choose Yes to enable AES (Advanced EncryptionStandard), or choose No to disable AES. If both AES and TKIP areenabled, the station determines which will be used. 4. WPA Group Rekey Time (seconds): Enter a value to specify the grouprekey time (in seconds). The default is Never.5. PSK Authentication: Choose Yes to enable PSK (Pre-Shared Key)authentication, or choose No to disable PSK.6. WPA Preshared Key / Verify Key: If you enabled PSK, enter a passphrasehere, then re-enter the passphrase to verify that you typed it correctly.7. EAP Authentication: Choose Yes to enable EAP (ExtensibleAuthentication Protocol) or choose No to disable EAP.
Wi-Fi ArrayConfiguring the Wi-Fi Array 225WEP SettingsThese settings are used if the WEP encryption type is selected on the SSIDs >SSID Management window or the Express Setup window (on this window, encryption type is set in the SSID Settings: Wireless Security field). 8. Key Mode / Length: If you enabled WEP, choose the mode (either ASCIIor Hex) and the desired key length (either 40 or 128) from the pull-downlists. Encryption Key 1 / Verify Key 1: Enter an encryption key of the lengthand type selected (to the right of the key fields):•10 hex/5 ASCII characters for 40 bits (WEP-64)•26 hex/13 ASCII characters for 104 bits (WEP-128)Re-enter the key to verify that you typed it correctly. Hexadecimalcharacters are defined as ABCDEF and 0-9. For ASCII mode, you mayinclude special characters, except for the double quote symbol (“). 9. Encryption Key 2 to 4/ Verify Key 2 to 4/ Key Mode/Length (optional): Ifdesired, enter up to four encryption keys, in the same way that youentered the first key.10. Default Key: Choose which key you want to assign as the default key.Make your selection from the pull-down list.11. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoAdmin ManagementExternal RadiusInternal RadiusAccess Control ListManagement ControlSecurity#After configuring network security, the configuration must beapplied to an SSID for the new functionality to take effect.
Wi-Fi Array226 Configuring the Wi-Fi ArraySecurity PlanningSSID ManagementExternal Radius This window allows you to define the parameters of an external RADIUS serverfor user authentication. To set up an external RADIUS server, you must chooseExternal as the RADIUS server mode in Global Settings. Refer to “GlobalSettings” on page 223.Figure 129. External RADIUS ServerIf you want to include user group membership in the RADIUS accountinformation for users, see “Understanding Groups” on page 245. User groupsallow you to easily apply a uniform configuration to a user on the Array.
Wi-Fi ArrayConfiguring the Wi-Fi Array 227Procedure for Configuring an External RADIUS Server1. Primary Server: This is the external RADIUS server that you intend touse as your primary server.a. Address: Enter the IP address or domain name of this externalRADIUS server.b. Port Number: Enter the port number of this external RADIUS server.The default is 1812.c. Shared Secret / Verify Secret: Enter the shared secret that thisexternal RADIUS server will be using, then re-enter the shared secretto verify that you typed it correctly.2. Secondary Server (optional): If desired, enter an alternative externalRADIUS server. If the primary RADIUS server becomes unreachable, theArray will “failover” to the secondary RADIUS server (defined here).a. Address: Enter the IP address or domain name of this externalRADIUS server.b. Port Number: Enter the port number of this external RADIUS server.The default is 1812.c. Shared Secret / Verify Secret: Enter the shared secret that thisexternal RADIUS server will be using, then re-enter the shared secretto verify that you typed it correctly.3. Settings: Define the session timeout, the NAS Identifier, and whetheraccounting will be used. a. Timeout (seconds): Define the maximum idle time (in seconds)before the external RADIUS server’s session times out. The default is600 seconds.b. NAS Identifier: From the point of view of a RADIUS server, theArray is a client, also called a network access server (NAS). Enter the#The shared secret that you define must match the secret used by theexternal RADIUS server.
Wi-Fi Array228 Configuring the Wi-Fi ArrayNAS Identifier (IP address) that the RADIUS servers expect the Arrayto use—this is normally the IP address of the Array’s Gigabit1 port. c. Accounting: If you would like the Array to send RADIUS Start, Stop,and Interim records to a RADIUS accounting server, click the Onbutton and click Apply. The account settings appear, and must beconfigured. 4. Accounting Settings: a. Accounting Interval (seconds): Specify how often Interim records areto be sent to the server. The default is 300 seconds.b. Primary Server Address: Enter the IP address or domain name of theprimary RADIUS accounting server that you intend to use.c. Primary Port Number: Enter the port number of the primaryRADIUS accounting server. The default is 1813.d. Primary Shared Secret / Verify Secret: Enter the shared secret thatthe primary RADIUS accounting server will be using, then re-enterthe shared secret to verify that you typed it correctly.e. Secondary Server Address (optional): If desired, enter an IP addressor domain name for an alternative RADIUS accounting server. If theprimary server becomes unreachable, the Array will “failover” to thissecondary server (defined here).f. Secondary Port Number: If using a secondary accounting server,enter its port number. The default is 1813.g. Secondary Shared Secret / Verify Secret: If using a secondaryaccounting server, enter the shared secret that it will be using, then re-enter the shared secret to verify that you typed it correctly.5. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoAdmin Management
Wi-Fi ArrayConfiguring the Wi-Fi Array 229Global Settings (IAP)Internal RadiusAccess Control ListManagement ControlSecurityUnderstanding GroupsInternal Radius This window allows you to define the parameters for the Array’s internalRADIUS server for user authentication. However, the internal RADIUS serverwill only authenticate wireless clients that want to associate to the Array. This canbe useful if an external RADIUS server is not available. To set up the internalRADIUS server, you must choose Internal as the RADIUS server mode in GlobalSettings. Refer to “Global Settings” on page 223.Figure 130. Internal RADIUS Server
Wi-Fi Array230 Configuring the Wi-Fi ArrayProcedure for Creating a New User1. User Name: Enter the name of the user that you want to authenticate tothe internal RADIUS server.2. SSID Restriction: (Optional) If you want to restrict this user toassociating to a particular SSID, choose an SSID from the pull-down list.3. User Group: (Optional) If you want to make this user a member of apreviously defined user group, choose a group from the pull-down list.This will apply all of the user group’s settings to the user. See“Understanding Groups” on page 245. 4. Password: (Optional) Enter a password for the user.5. Verify: (Optional) Retype the user password to verify that you typed itcorrectly.6. Click on the Create button to add the new user to the list.Procedure for Managing Existing Users1. SSID Restriction: (Optional) If you want to restrict a user to associatingto a particular SSID, choose an SSID from its pull-down list.2. User Group: (Optional) If you want to change the user’s group, choose agroup from the pull-down list. This will apply all of the user group’ssettings to the user. See “Understanding Groups” on page 245. 3. Password: (Optional) Enter a new password for the selected user.4. Verify Password: (Optional) Retype the user password to verify that youtyped it correctly.5. If you want to delete one or more users, check their Delete check boxes,then click Apply or Save.6. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoAdmin ManagementExternal Radius
Wi-Fi ArrayConfiguring the Wi-Fi Array 231Global Settings (IAP)Access Control ListManagement ControlSecurityUnderstanding GroupsRogue Control ListThis window allows you to set up a control list for rogue APs, based on a typethat you define. You may classify rogue APs as blocked., so that the Array willtake steps to prevent stations from associating with the blocked AP. See “AboutBlocking Rogue APs” on page 276. The Array can keep up to 5000 entries in thislist. When finished, click on the Save button to save your changes. Figure 131. Rogue Control List#The RF Monitor > Intrusion Detection window provides an alternatemethod for classifying rogues. You can list all Unknown stations and selectall the rogues that you’d like to set to Known or Approved, rather thanentering the SSID/BSSID as described below. See “Intrusion Detection” onpage 147.
Wi-Fi Array232 Configuring the Wi-Fi ArrayProcedure for Establishing Rogue AP Control1. Rogue BSSID/SSID: Enter the BSSID or SSID for the new rogue AP.2. Rogue Control Type: Define a type for the new rogue AP, either Blocked,Known or Approved.3. Click Create to add this rogue AP to the Rogue Control List.4. Rogue Control List: If you want to edit the control type for a rogue AP,just click the radio button for the new type for the entry: Blocked, Knownor Approved, then click Apply or Save to apply your change.5. To delete rogue APs from the list, click their Delete checkboxes, then clickApply or Save.6. Click Apply to apply the new settings to this session, or click Save toapply your changes and make them permanent.See AlsoNetwork MapIntrusion DetectionSSIDsSSID Management
Wi-Fi ArrayConfiguring the Wi-Fi Array 233SSIDsThis is a status only window that allows you to review SSID (Service SetIDentifier) assignments. It includes the SSID name, whether or not an SSID isvisible on the network, any security and QoS parameters defined for each SSID,associated VLAN IDs, radio availability, and DHCP pools defined per SSID. Youmay click on an SSID’s name to jump to the edit page for the SSID. There are noconfiguration options available on this page, but if you are experiencing problemsor reviewing SSID management parameters, you may want to print this page foryour records.For information to help you understand SSIDs and how multiple SSIDs aremanaged by the Wi-Fi Array, go to “Understanding SSIDs” on page 234 and theMultiple SSIDs section of “Frequently Asked Questions” on page 400. For adescription of how QoS operates on the Array, see “Understanding QoS Priorityon the Wi-Fi Array” on page 235. Figure 132. SSIDs The read-only Limits section of the SSIDs window allows you to review anylimitations associated with your defined SSIDs. For example, this window showsthe current state of an SSID (enabled or not), how much SSID and station traffic is#For a complete discussion of implementing Voice over Wi-Fi on the Array,see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library.
Wi-Fi Array234 Configuring the Wi-Fi Arrayallowed, time on and time off, days on and off, and whether each SSID iscurrently active or inactive.Understanding SSIDsThe SSID (Service Set Identifier) is a unique identifier that wireless networkingdevices use to establish and maintain wireless connectivity. Multiple access pointson a network or sub-network can use the same SSIDs. SSIDs are case-sensitiveand can contain up to 32 alphanumeric characters (do not include spaces whendefining SSIDs).Multiple SSIDsA BSSID (Basic SSID) refers to an individual access point radio and its associatedclients. The identifier is the MAC address of the access point radio that forms theBSS. A group of BSSs can be formed to allow stations in one BSS to communicateto stations in another BSS via a backbone that interconnects each access point.The Extended Service Set (ESS) refers to the group of BSSIDs that are groupedtogether to form one ESS. The ESSID (often referred to as SSID or “wirelessnetwork name”) identifies the Extended Service Set. Clients must associate to asingle ESS at any given time. Clients ignore traffic from other Extended ServiceSets that do not have the same SSID.Legacy access points typically support one SSID per access point. Wi-Fi Arrayssupport the ability to define and use multiple SSIDs simultaneously.Using SSIDsThe creation of different wireless network names allows system administrators toseparate types of users with different requirements. The following policies can betied to an SSID:zThe wireless security mode needed to join this SSID.zThe wireless Quality of Service (QoS) desired for this SSID.zThe wired VLAN associated with this SSID.As an example, one SSID named accounting might require the highest level ofsecurity, while another SSID named guests might have low security requirements.
Wi-Fi ArrayConfiguring the Wi-Fi Array 235Another example may define an SSID named voice that supports voice overWireless LAN phones with the highest Quality of Service (QoS) definition. ThisSSID might also forward traffic to specific VLANs on the wired network.See AlsoSSID ManagementSSIDsUnderstanding SSIDsUnderstanding QoS Priority on the Wi-Fi Array The Wi-Fi Array’s Quality of Service Priority feature (QoS) allows traffic to beprioritized according to your requirements. For example, you typically assign thehighest priority to voice traffic, since this type of traffic requires delay to be under10 ms. The Array has four separate queues for handling wireless traffic atdifferent priorities, and thus it supports four traffic classes (QoS levels). Figure 133. Four Traffic ClassesIEEE802.1p defines eight priority levels for wired networks. Each data packetmay be tagged with a priority level, i.e., a user priority tag. Since there are eight#For a complete discussion of implementing Voice over Wi-Fi on the Array,see the Xirrus Voice over Wi-Fi Application Note in the Xirrus Library. Mapping to Traffic ClassFour Transmit QueuesPer queue channel access Application DataVoiceData VideoData Background Data Best Effort  DataIAP (Transmit)Highest Priority Lowest Priority
Wi-Fi Array236 Configuring the Wi-Fi Arraypossible user priority levels and the Array implements four wireless QoS levels,user priorities are mapped to QoS as described below. End-to-End QoS HandlingzWired QoS - Ethernet Port:Ingress: Incoming wired packets are assigned QoS priority based on theirSSID and 802.1p tag (if any), as shown in the table below. This tablefollows the mapping recommended by IEEE802.11e. FROMPriority Tag 802.1p (Wired)TOArray QoS (Wireless)Typical Use0 (Default) 0 (Lowest priority) Best Effort 1 1 Background—explicitly designated as low-priority and non-delay sensitive21Spare 3 0 Excellent Effort42Controlled Load52Video6 3 Voice - requires delay <10ms7 (Highest priority) 3 (Highest priority) Network control
Wi-Fi ArrayConfiguring the Wi-Fi Array 237zEgress: Outgoing wired packets are IEEE 802.1p tagged at the Ethernetport for upstream traffic, thus enabling QoS at the edge of the network.  Wireless QoS - Radios:zEach SSID can be assigned a separate QoS priority (i.e., traffic class) from0 to 3, where 3 is highest priority and 0 is the default. See “SSIDManagement” on page 238. If multiple SSIDs are used, packets from theSSID with higher priority are transmitted first. zThe Array supports IEEE802.11e Wireless QoS for downstream traffic.Higher priority packets wait a shorter time before gaining access to theair and contend less with all other 802.11 devices on a channel. zHow QoS is set for a packet in case of conflicting values:a. If an SSID has a QoS setting, and an incoming wired packet’s userpriority tag is mapped to a higher QoS value, then the higher QoSvalue is used.b. If a group or filter has a QoS setting, this overrides the QoS valueabove. See “Groups” on page 245, and “Filters” on page 289. c. Voice packets have the highest priority, as described below (VoiceSupport). Packet Filtering QoS classification zFilter rules can be used to redefine the QoS priority level to overridedefaults. See “Filter Management” on page 291. This allows the QoSpriority level to be assigned based on protocol, source, or destination. FROMArray QoS (Wireless)TOPriority Tag 802.1p (Wired)0 (Lowest priority) 0 (Default)11253 (Highest priority) 6
Wi-Fi Array238 Configuring the Wi-Fi ArrayVoice SupportzThe QoS priority implementation on the Array supports voiceapplications, as certified by Spectralink’s Voice Interoperability forEnterprise Wireless (VIEW) Certification Program. In particular,Spectralink voice packets are automatically classified and set to thehighest priority level. SSID ManagementThis window allows you to manage SSIDs (create, edit and delete), assign securityparameters and VLANs on a per SSID basis, and configure the Web Page Redirectfunctionality. When finished, click on the Save button to save your changes.Figure 134. SSID Management Create new SSID Configure parameters Set traffic limits / usage scheduleConfigure WPR
Wi-Fi ArrayConfiguring the Wi-Fi Array 239Procedure for Managing SSIDs 1. New SSID Name: To create a new SSID, enter a new SSID name to the leftof the Create button (Figure 134), then click Create. You may create up to16 SSIDs.SSID List (top of page)2. SSID: Shows all currently assigned SSIDs. When you create a new SSID,the SSID name appears in this table. Click any SSID in this list to select it.3. On: Check this box to activate this SSID or clear it to deactivate it.4. Brdcast: Check this box to make the selected SSID visible to all clients onthe network. Although the Wi-Fi Array will not broadcast SSIDs that arehidden, clients can still associate to a hidden SSID if they know the SSIDname to connect to it. Clear this box if you do not want this SSID to bevisible on the network.5. Band: Choose which wireless band the SSID will be beaconed on. Selecteither 5 GHz—802.11a(n), 2.4 GHz—802.11bg(n) or Both.6. VLAN ID / Number: From the pull-down list, select a VLAN that youwant this traffic to be forwarded to on the wired network. Select numericto enter the number of a previously defined VLAN in the Number field(see “VLANs” on page 203). This step is optional.7. QoS: (Optional) Select a value in this field for QoS (Quality of Service)priority filtering. The QoS value must be one of the following: •0—The lowest QoS priority setting, where QoS makes its best effort atfiltering and prioritizing data, video and voice traffic withoutcompromising the performance of the network. Use this setting inenvironments where traffic prioritization is not a concern.•1—Medium, with QoS prioritization aggregated across all traffictypes.•2—High, normally used to give priority to video traffic.•3—The highest QoS priority setting, normally used to give priority tovoice traffic.
Wi-Fi Array240 Configuring the Wi-Fi ArrayThe QoS setting you define here will prioritize wireless traffic for thisSSID over other SSID traffic, as described in “Understanding QoS Priorityon the Wi-Fi Array” on page 235. The default value for this field is 2. 8. DHCP Pool: If you want to associate an internal DHCP pool to this SSID,choose the pool from the pull--down list. An internal DHCP pool must becreated before it can be assigned. To create an internal DHCP pool, go to“DHCP Server” on page 201.9. Filter List: If you wish to apply a set a filters to this SSID’s traffic, selectthe desired Filter List. See “Filters” on page 289. 10. Authentication: The following authentication options are available: •Open: This option provides no authentication and is notrecommended. •RADIUS MAC: Authenticates stations onto the Wi-Fi network via anexternal RADIUS server based on the user’s MAC address.Accounting for these stations is performed according to theaccounting options that you have configured specifically for this SSIDor globally (see Step 12 below).•802.1x: Authenticates stations onto the Wi-Fi network via a RADIUSserver using 802.1x with EAP. The RADIUS server can be internal(provided by the Wi-Fi Array) or external. 11. Encryption: From the pull-down list, choose the encryption that will berequired—specific to this SSID—either None, WEP, WPA, WPA2 or WPA-Both. The None option provides no security and is not recommended;WPA2 provides the best practice Wi-Fi security. Each SSID supports only one encryption type at a time (except that WPAand WPA2 are both supported on an SSID if you select WPA-Both). If youneed to support other encryption types, you must define additionalSSIDs. The encryption standard used with WPA or WPA2 is selected inthe Security>Global Settings window (page 223). For an overview of thesecurity options, see “Security Planning” on page 70 and “UnderstandingSecurity” on page 208.
Wi-Fi ArrayConfiguring the Wi-Fi Array 24112. Global: Check the checkbox if you want this SSID to use the securitysettings established at the global level (refer to “Global Settings” onpage 223). Clear the checkbox if you want the settings established here totake precedence. Additional sections will be displayed to allow you toconfigure encryption settings, and RADIUS and RADIUS accountingsettings. The encryption settings are described in “Procedure forConfiguring Network Security” on page 224. The external RADIUS andaccounting settings are configured in the same way as for an externalRADIUS server (see “Procedure for Configuring an External RADIUSServer” on page 227).13. L3: For this SSID, Check the checkbox to enable fast roaming betweenIAPs or Arrays at Layer 2 and Layer 3, or clear the checkbox to allowroaming at Layer 2 only. You may only select fast roaming at Layers 2 and3 if this has been selected in Global Settings (IAP). See “UnderstandingFast Roaming” on page 253. 14. WPR (Web Page Redirect): Check the checkbox to enable the Web PageRedirect functionality, or clear it to disable this option. If enabled, WPRconfiguration fields will be displayed under the SSID Limits section. Thisfeature may be used to provide an alternate mode of authentication, or tosimply display a splash screen when a user first associates to the wirelessnetwork. After that, it can (optionally) redirect the user to an alternateURL. For example, some wireless devices and users may not have acorrectly configured 802.1x (RADIUS) supplicant. Utilizing WPR’s Web-based login, users may be authenticated without using an 802.1xsupplicant. See “Web Page Redirect Configuration Settings” on page 243for details of WPR usage and configuration. SSID LimitsSee “Group Limits” on page 249 for a discussion of the interaction of SSID limitsand group limits. To eliminate confusion, we recommend that you configure oneset of limits or the other, but not both.
Wi-Fi Array242 Configuring the Wi-Fi Array15. Stations: Enter the maximum number of stations allowed on this SSID.The default is 1024. This step is optional. Note that the IAPs - GlobalSettings window also has a station limit option—Max StationAssociation per IAP. If both station limits are set, both will be enforced.As soon as either limit is reached, no new stations can associate untilsome other station has terminated its association. 16. Overall Traffic: Choose Unlimited if you do not want to place arestriction on the traffic for this SSID, or enter a value in the Packets/Secfield to force a traffic restriction.17. Traffic per Station: Choose Unlimited if you do not want to place arestriction on the traffic per station for this SSID, or enter a value in thePackets/Sec field to force a traffic restriction.18. Days Active: Choose Everyday if you want this SSID to be active everyday of the week, or select only the specific days that you want this SSID tobe active. Days that are not checked are considered to be the inactivedays.19. Time Active: Choose Always if you want this SSID active withoutinterruption, or enter values in the Time On and Time Off fields to limitthe time that this SSID is active. 20. To delete SSIDs, click their Delete checkboxes, then click Apply or Save.21. Click Apply to apply the changes to the selected SSID, or click Save toapply your changes and make them permanent. See AlsoDHCP ServerExternal RadiusGlobal Settings (IAP)Internal RadiusSecurity PlanningSSIDsUnderstanding QoS Priority on the Wi-Fi Array
Wi-Fi ArrayConfiguring the Wi-Fi Array 243Web Page Redirect Configuration Settings If you enable WPR, the SSID Management window displays additional fields thatmust be configured. For example configurations and complete examples, pleaseFor an in-depth discussion, please see the Xirrus Web Page Redirect Application Notein the Xirrus Library. If enabled, WPR displays a splash or login page when a user associates to thewireless network and opens a browser to any URL (provided the URL does notpoint to a resource directly on the user’s machine). The user-requested URL iscaptured, the user’s browser is redirected to the splash or login page, and then thebrowser is redirected either to your specified landing page, if any, or else back tothe captured URL.Figure 135. WPR Internal Splash Page Fields (SSID Management) You may select among three different modes for use of the Web Page Redirectfeature, each displaying a different set of parameters that must be entered:zInternal Splash pageThis option displays a splash page instead of the first user-requestedURL. The splash page files reside on the Array. Note that there is anupload function that allows you to replace the default splash page, if youwish. Please see “Web Page Redirect” on page 300 for more information. To set up use of a splash page, set Server to Internal Splash. Enter a valuein the Timeout field to define how many seconds the splash screen isdisplayed before timing out, or select Never to prevent the page fromtiming out automatically. After the splash page, the user is redirected tothe captured URL. If you want the user redirected to a specific landingpage instead, enter its address in Landing Page URL.
Wi-Fi Array244 Configuring the Wi-Fi ArrayzInternal Login pageThis option displays a login page (residing on the Array) instead of thefirst user-requested URL. Note that there is an upload function thatallows you to replace the default login page, if you wish. Please see “WebPage Redirect” on page 300 for more information. To set up internal login, set Server to Internal Login. The user name and password are obtained by the login page, andauthentication occurs according to your configured authenticationinformation (starting with Step 10 above). These parameters areconfigured as described in “Procedure for Configuring NetworkSecurity” on page 224.After authentication, the browser is redirected back to the captured URL.If you want the user redirected to a specific landing page instead, enter itsaddress in Landing Page URL. zExternal Login pageThis option redirects the user to a login page on an external web serverfor authentication, instead of the first user-requested URL. Logininformation (user name and password) must be obtained by that page,and returned to the Array for authentication. Authentication occurs according to your configured RADIUSinformation. These parameters are configured as described in “Procedurefor Configuring Network Security” on page 224. After authentication, thebrowser is redirected back to the captured URL. If you want the userredirected to a specific landing page instead, enter its address in LandingPage URL. To set up external login page usage, set Server to External. Enter the URLof the external web server in Redirect URL, and enter that server’s sharedsecret in Redirect Password. #Both the Internal Login and External Login options of WPR performauthentication using your configured RADIUS servers.
Wi-Fi ArrayConfiguring the Wi-Fi Array 245GroupsThis is a status only window that allows you to review user Group assignments. Itincludes the group name, Radius ID, VLAN IDs and QoS parameters androaming layer defined for each group, and DHCP pools and web page redirectinformation defined for the group. You may click on a group’s name to jump tothe edit page for the group. There are no configuration options available on thispage, but if you are experiencing problems or reviewing group managementparameters, you may want to print this page for your records.The Limits section of this window shows any limitations configured for yourdefined groups. For example, this window shows the current state of a group(enabled or disabled), how much group and per-station traffic is allowed, time onand time off, and days on and off.For information to help you understand groups, see Understanding Groupsbelow. For an in-depth discussion, please see the Xirrus User Groups ApplicationNote in the Xirrus Library. Figure 136. GroupsUnderstanding GroupsUser groups allow administrators to assign specific network parameters to usersthrough RADIUS privileges rather than having to map users to a specific SSID.
Wi-Fi Array246 Configuring the Wi-Fi ArrayGroups provide flexible control over user privileges without the need to createlarge numbers of SSIDs.A group allows you to define a set of parameter values to be applied to selectedusers. For example, you might define the user group Students, and set its VLAN,security parameters, web page redirect (WPR), and traffic limits. When a new useris created, you can apply all of these settings just by making the user a member ofthe group. The group allows you to apply a uniform configuration to a set of usersin one step.Almost all of the parameters that can be set for a group are the same as SSIDparameters. This allows you to configure features at the user group level, ratherthan for an entire SSID. If you set parameter values for an SSID, and then enterdifferent values for the same parameters for a user group, the user group valueshave priority (i.e., group settings will override SSID settings). Group names are case-sensitive and can contain up to 32 alphanumeric characters(do not include spaces when defining Groups).Using GroupsUser accounts are used to authenticate wireless clients that want to associate tothe Array. These accounts are established in one of two ways, using the Security>Internal Radius window or the Security> External Radius window. In eithercase, you may select a user group for the user, and that user group’s settings willapply to the user:zInternal Radius—when you add or modify a user entry, select a usergroup to which the user will belong.zExternal Radius—when you add or modify a user account, specify theRadius ID for the user group to which the user will belong. This must bethe same Radius ID that was entered in the Group Management window.When the user is authenticated, the external Radius server will send theRadius ID to the Array. This will allow the Array to identify the group towhich the user belongs. See Also External Radius
Wi-Fi ArrayConfiguring the Wi-Fi Array 247Internal RadiusSSIDsUnderstanding QoS Priority on the Wi-Fi ArrayWeb Page Redirect Configuration SettingsUnderstanding Fast RoamingGroup ManagementThis window allows you to manage groups (create, edit and delete), assign usagelimits and other parameters on a per group basis, and configure the Web PageRedirect functionality. When finished, click the Save button to save your changes.Figure 137. Group Management Procedure for Managing Groups1. New Group Name: To create a new group, enter a new group name nextto the Create button, then click Create. You may create up to 16 groups. To configure and enable this group, proceed with the following steps.2. Group: This column lists currently defined groups. When you create anew group, the group name appears in this list. Click on any group toselect it, and then proceed to modify it as desired.
Wi-Fi Array248 Configuring the Wi-Fi Array3. On: Check this box to enable this group or leave it blank to disable it.When a group is disabled, users that are members of the group willbehave as if the group did not exist. In other words, the optionsconfigured for the SSID will apply to the users, rather than the optionsconfigured for the group. 4. Radius ID: Enter a unique Radius ID for the group, to be used on anexternal Radius server. When adding a user account to the externalserver, this Radius ID value should be entered for the user. When the useris authenticated, Radius sends this value to the Array. This tells the Arraythat the user is a member of the group having this Radius ID. 5. VLAN ID: (Optional) From the pull-down list, select a VLAN for thisuser’s traffic to use. Select numeric and enter the number of a previouslydefined VLAN (see “VLANs” on page 203). This user group’s VLANsettings supersede Dynamic VLAN settings (which are passed to theArray by the Radius server). To avoid confusion, we recommend that youavoid specifying the VLAN for a user in two places. 6. QoS Priority: (Optional) Select a value in this field for QoS (Quality ofService) priority filtering. The QoS value must be one of the following: •0—The lowest QoS priority setting, where QoS makes its best effort atfiltering and prioritizing data, video and voice traffic withoutcompromising the performance of the network. Use this setting inenvironments where traffic prioritization is not a concern.•1—Medium; QoS prioritization is aggregated across all traffic types.•2—High, normally used to give priority to video traffic.•3—The highest QoS priority setting, normally used to give priority tovoice traffic.The QoS setting you define here will prioritize wireless traffic for thisgroup versus other traffic, as described in “Understanding QoS Priorityon the Wi-Fi Array” on page 235. The default value for this field is 2.
Wi-Fi ArrayConfiguring the Wi-Fi Array 2497. Internal DHCP Pool Assigned: (Optional) To associate an internal DHCPpool to this group, select it from the pull--down list. Only one pool maybe assigned. An internal DHCP pool must be created before it can beassigned. To create a DHCP pool, go to “DHCP Server” on page 201.8. Filter List: (Optional) If you wish to apply a set a filters to this usergroup’s traffic, select the desired Filter List. See “Filters” on page 289. 9. L3: (Optional) For this group, check this box to enable fast roamingbetween IAPs or Arrays at Layer 2 and Layer 3. If the box is not checked,then roaming uses Layer 2 only. You may only select fast roaming atLayers 2 and 3 if this has been selected in Global Settings (IAP). See“Understanding Fast Roaming” on page 253. 10. WPR (Web Page Redirect): (Optional) Check this box if you wish toenable the Web Page Redirect functionality. This will open a Web PageRedirect details section in the window, where your WPR parameters maybe entered. This feature may be used to display a splash screen when auser first associates to the wireless network. After that, it can (optionally)redirect the user to an alternate URL. See “Web Page RedirectConfiguration Settings” on page 243 for details of WPR usage andconfiguration. Note that the Group Management window only allowsyou to set up and Internal Splash page. The authentication options thatare offered on the SSID Management page are not offered here. Since thegroup membership of a user is provided to the Array by a Radius server,this means the user has already been authenticated. Group LimitsThe Limits section allows you to limit the traffic or connection times allowed forthis user group. Note that the IAPs—Global Settings window and the SSIDmanagement windows also have options to limit the number of stations, limittraffic, and/or limit connection times. If limits are set in more than one place, alllimits will be enforced:zAs soon as any station limit is reached, no new stations can associate untilsome other station has terminated its association. zAs soon as any traffic limit is reached, it is enforced.
Wi-Fi Array250 Configuring the Wi-Fi ArrayzIf any connection date/time restriction applies, it is enforced. You can picture this as a logical AND of all restrictions. For example, suppose thata station’s SSID is available MTWTF between 8:00am and 5:00pm, and the UserGroup is available MWF between 6:00am and 8:00pm, then the station will beallowed on MWF between 8:00am and 5:00pm.To eliminate confusion, we recommend that you configure one set of limits or theother, but not both.11. Stations: Enter the maximum number of stations allowed on this group.The default is 1024. 12. Overall Traffic: Check the Unlimited checkbox if you do not want toplace a restriction on the traffic for this group, or enter a value in thePackets/Sec field and make sure that the Unlimited box is unchecked toforce a traffic restriction.13. Traffic per Station: Check the Unlimited checkbox if you do not want toplace a restriction on the traffic per station for this group, or enter a valuein the Packets/Sec field and make sure that the Unlimited box isunchecked to force a traffic restriction.14. Days Active: Choose Everyday if you want this group to be active everyday of the week, or select only the specific days that you want this groupto be active. Days that are not checked are considered to be the inactivedays. 15. Time Active: Choose Always if you want this group active withoutinterruption, or enter values in the Time On and Time Off fields to limitthe time that group members may associate. 16. Click on the Apply button to apply the changes to the selected group, orclick Save to apply your changes and make them permanent. 17. To delete an entry, check its Delete checkbox, then click the Save button topermanently remove the entry. See Also
Wi-Fi ArrayConfiguring the Wi-Fi Array 251DHCP ServerExternal RadiusInternal RadiusSecurity PlanningSSIDs
Wi-Fi Array252 Configuring the Wi-Fi ArrayIAPsThis status-only window summarizes the status of the Integrated Access Points(radios). For each IAP, it shows whether it is up or down, the channel and antennathat it is currently using, its cell size and transmit and receive power, how manyusers (stations) are currently associated to it, whether it is part of a WDS link, andits MAC address. Figure 138. IAPsThere are no configuration options in this window, but if you are experiencingproblems or simply reviewing the IAP assignments, you may print this windowfor your records. Click any IAP name to open the associated configuration page.Arrays have a fast roaming feature, allowing them to maintain sessions forapplications such as voice, even while users cross boundaries between Arrays.Fast roaming is set up in the Global Settings (IAP) window and is discussed in:z“Understanding Fast Roaming” on page 253IAPs are configured using the following windows:z“IAP Settings” on page 254z“Global Settings (IAP)” on page 259
Wi-Fi ArrayConfiguring the Wi-Fi Array 253z“Global Settings .11a” on page 266z“Global Settings .11bg” on page 269z“Global Settings .11n” on page 273z“Advanced RF Settings” on page 275z“LED Settings” on page 283See AlsoIAP Statistics SummaryUnderstanding Fast Roaming To maintain sessions for real-time data traffic, such as voice and video, users mustbe able to maintain the same IP address through the entire session. Withtraditional networks, if a user crosses VLAN or subnet boundaries (i.e., roamingbetween domains), a new IP address must be obtained.Mobile Wi-Fi users are likely to cross multiple roaming domains during a singlesession (especially wireless users of VoIP phones). Layer 3 roaming allows a userto maintain the same IP address through an entire real-time data session.The Layer 3 session is maintained by establishing a tunnel back to the originatingArray. You should decide whether or not to use Layer 3 roaming based on yourwired network design. Layer 3 roaming incurs extra overhead and may result inadditional traffic delays. Fast Roaming is configured on two pages. To enable the fast roaming options thatyou want to make available on your Array, see Step 17 to Step 19 in “GlobalSettings (IAP)” on page 259. To choose which of the enabled options are used byan SSID or Group, see “Procedure for Managing SSIDs” on page 239 (Step 13) or“Procedure for Managing Groups” on page 247.
Wi-Fi Array254 Configuring the Wi-Fi ArrayIAP SettingsThis window allows you to enable/disable IAPs, define the wireless mode foreach IAP, specify the channel to be used and the cell size for each IAP, lock thechannel selection, establish transmit/receive parameters, select antennas, andreset channels. Buttons at the bottom of the list allow you to Reset Channels,Enable All IAPs, or Disable All IAPs. When finished, click on the Apply buttonto apply the new settings to this session, or click Save to apply your changes andmake them permanent. To see a diagram of the layout and naming of IAPs, go toFigure 7 on page 16. Figure 139. IAP SettingsYou may also access this window by clicking on the Array image at the lower leftof the WMI window—click the orange Xirrus logo in the center of the Array. See“User Interface” on page 123.
Wi-Fi ArrayConfiguring the Wi-Fi Array 255Procedure for Auto Configuring IAPs You can auto-configure channel and cell size of radios by clicking on the AutoConfigure buttons on the relevant WMI page (auto configuration only applies toenabled radios):zFor all radios, go to “Advanced RF Settings” on page 275.zFor all 802.11a settings, go to “Global Settings .11a” on page 266.zFor all 802.11bg settings, go to “Global Settings .11bg” on page 269.zFor all 802.11n settings, go to “Global Settings .11n” on page 273.Procedure for Manually Configuring IAPs1. In the Enabled column, check the box for a corresponding IAP to enablethe IAP, or uncheck the box if you want to disable the IAP.2. In the Band column for 802.11abg(n) radios, select the wireless band forthis IAP from the choices available in the pull-down menu, either 2.4GHzor 5 GHz. If the mode displayed is Auto, the mode has been set by theauto-channel feature based on the Channel selected. Note that IAPabg(n)2 has an additional option—monitor mode. IAP abg(n)2 shouldnormally be set to monitor mode to enable Spectrum Analyzer and RadioAssurance (loopback testing) features. 3. In the Channel column, select the channel you want this IAP to use fromthe channels available in the pull-down list. The list shows the channelsavailable for the IAP selected (depending on which band the IAP isusing). Channels that are shown in color indicate conditions that youneed to keep in mind:•RED—Usage is not recommended, for example, because of overlapwith neighboring radios. #The XN16, XS16, and XS-3900 allow up to 12 IAPs to operate as 5 GHz —802.11a(n) radios concurrently. Do not set Mode to 5 GHz for more than 12IAPs. If you need additional 5 GHz radios, please contact Xirrus CustomerSupport. See “Contact Information” on page 419.
Wi-Fi Array256 Configuring the Wi-Fi Array•YELLOW—The channel has less than optimum separation (somedegree of overlap with neighboring radios). •GRAY—The channel is already in use. Select Auto to have the Array dynamically select a channel automatically,based on changes in the Wi-Fi environment. See “Allocating Channels”on page 54. After you click Apply, this window and the IAPs windowwill show the channel that was assigned, rather than Auto. The channels that are available for assignment to an IAP will differ,depending on the country of operation. If Country is set to United Statesin the Global Settings (IAP) window, then 24 channels are available to802.11a(n) radios. If you have enabled Public Safety in the Advanced RF Settings window(Step 18), then the public safety band channels (191 and 195) in the4.9GHz spectrum range will be listed. Operating these channels requiresa license—using these channels without a license violates FCC rules.Warning notices are displayed when you select these channels. 4. The  Bonding column only appears for XN Array models. It workstogether with the Auto Channel Bonding and Dynamic/Static optionsselected on the Global Settings .11n page. Also see the discussion of802.11n bonding in “Channel Bonding” on page 63.•Off—This channel is not bonded to another channel. •On—This channel is bonded to an adjacent channel. The bondedchannel is selected automatically by the Array based on currentconditions. The choice of banded channel may be dynamic, changingas needed; or it may be static—fixed once the selection is made. •+1—This channel is bonded to the next higher channel number. AutoChannel bonding does not apply.#As mandated by FCC law, Arrays continually scan for signatures of militaryradar. If such a signature is detected, the Array will switch operation fromconflicting channels to new ones.
Wi-Fi ArrayConfiguring the Wi-Fi Array 257•-1—This channel is bonded to the next lower channel number. AutoChannel bonding does not apply.5. Click the Lock check box if you want to lock in your channel selection sothat the autochannel operation (see Advanced RF Settings) cannot changeit. 6. In the Cell Size column, select Auto to allow the optimal cell size to beautomatically computed (see also, Step 8 on page 279). To set the cell sizeyourself, choose either Small, Medium, Large, or Max to use the desiredpre-configured cell size, or choose Manual to define the wireless cell sizemanually. If you choose Manual, you must specify the transmit andreceive power—in dB—in the Tx dBm (transmit) and Rx dBm (receive)fields. The default is Max. When other Arrays are within listening range of this one, setting cell sizesto Auto allows the Array to change cell sizes so that coverage betweencells is maintained. Each cell size is optimized to limit interferencebetween sectors of other Arrays on the same channel. This eliminates theneed for a network administrator to manually tune the size of each cellwhen installing multiple Arrays. In the event that an Array or a radiogoes offline, an adjacent Array can increase its cell size to helpcompensate. The number of users and their applications are major drivers ofbandwidth requirements. The network architect must account for thenumber of users within the Array’s cell diameter. In a large office, or ifmultiple Arrays are in use, you may choose Small cells to achieve ahigher data rate, since walls and other objects will not define the cellsnaturally. For additional information about cell sizes, go to “Coverage and CapacityPlanning” on page 50.7. In the Antenna Select column, choose the antenna you want this radio touse from the pull-down list. The list of available antennas will be different(or no choices will be available), depending on the wireless mode youselected for the IAP.
Wi-Fi Array258 Configuring the Wi-Fi Array8. If desired, enter a description for this IAP in the Description field. 9. You may reset all of the enabled IAPs by clicking the Reset Channelsbutton at the bottom of the list. A message will inform you that allenabled radios have been taken down and brought back up.10. Buttons at the bottom of the list allow you to Enable All IAPs or DisableAll IAPs. 11. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoCoverage and Capacity PlanningGlobal Settings (IAP)Global Settings .11aGlobal Settings .11bgIAPsIAP Statistics SummaryLED Settings
Wi-Fi ArrayConfiguring the Wi-Fi Array 259Global Settings (IAP) This window allows you to establish global IAP settings. Global IAP settingsinclude enabling or disabling all IAPs (regardless of their operating mode),enabling or disabling the Beacon World Mode, specifying the short and long retrylimits, and defining the beacon interval and DTIM period. Changes you make onthis page are applied to all IAPs, without exception. Figure 140. Global Settings (IAPs)
Wi-Fi Array260 Configuring the Wi-Fi ArrayProcedure for Configuring Global IAP Settings1. Country: If no country is set, you may choose from the pull-down list.Once a country has been chosen, it may not be changed. You areresponsible for choosing the correct country and conforming to theregulatory laws for wireless transmissions within your country. Pleasecontact Xirrus Customer Support if you need to change the operatingcountry after a country has already been set (see “Contact Information”on page 419). The channels that are available for assignment to an IAP will differ,depending on the country of operation. If you set Country to UnitedStates, then 24 channels are available to 802.11a(n) radios. Until you have chosen a country, the channel set defaults to channels andpower levels that are legal worldwide—this set only includes the lowereight 5 GHz channels. 2. IAP Status: Click on the Enable All IAPs button to enable all IAPs forthis Array, or click on the Disable All IAPs button to disable all IAPs.3. Short Retry Limit: This attribute indicates the maximum number oftransmission attempts for a frame, the length of which is less than orequal to the RTS Threshold, before a failure condition is indicated. Thedefault value is 7. Enter a new value (1 to 128) in the Short Retry Limitfield if you want to increase or decrease this attribute.4. Long Retry Limit: This attribute indicates the maximum number oftransmission attempts for a frame, the length of which is greater than theRTS Threshold, before a failure condition is indicated. The default valueis 4. Enter a new value (1 to 128) in the Long Retry Limit field if you wantto increase or decrease this attribute.
Wi-Fi ArrayConfiguring the Wi-Fi Array 261Beacon Configuration5. Beacon Interval: When the Array sends a beacon, it includes with it abeacon interval, which specifies the period of time before it will send thebeacon again. Enter the desired value in the Beacon Interval field,between 20 and 1000. The value you enter here is applied to all IAPs.6. DTIM Period: A DTIM (Delivery Traffic Indication Message) is a signalsent as part of a beacon by the Array to a client device in sleep mode,alerting the device to broadcast traffic awaiting delivery. The DTIMPeriod is a multiple of the Beacon Interval, and it determines how oftenDTIMs are sent out. By default, the DTIM period is 1, which means that itis the same as the beacon interval. Enter the desired multiple, between 1and 255. The value you enter here is applied to all IAPs.7. 802.11h Beacon Support: This option enables beacons on all of theArray’s radios to conform to 802.11h requirements, supporting dynamicfrequency selection (DFS) and transmit power control (TPC) to satisfyregulatory requirements for operation in Europe. Station Management8. Station Re-Authentication Period: This option allows you to specify atime (in seconds) for the duration of station reauthentications.9. Station Timeout Period: Specify a time (in seconds) in this field to definethe timeout period for station associations.10. Max Station Association per IAP: This option allows you to define howmany station associations are allowed per IAP (up to 64 stations per IAP).Note that the SSIDs —SSID Management window also has a station limitoption— Station Limit (page 242). If both station limits are set, both willbe enforced. As soon as either limit is reached, no new stations canassociate until some other station has terminated its association.
Wi-Fi Array262 Configuring the Wi-Fi Array11. Max Phones per IAP: This option allows you to control the maximumnumber of phones that are allowed per IAP. The default is set to amaximum of 16 but you can reduce this number, as desired. Enter a valuein this field between 0 (no phones allowed) and 16.12. Block Intra-Station Traffic: This option allows you to block or allowtraffic between wireless clients that are associated to the Array. Chooseeither Yes (to block traffic) or No (to allow traffic).13. Allow Over Air Management: Choose Yes to enable management of theArray via the IAPs, or choose No (recommended) to disable this feature. Advanced Traffic Optimization14. Broadcast Rates: This option changes the rates of broadcast traffic sent bythe Array (including beacons). When set to Optimized, each broadcast ormulticast packet that is transmitted on each radio is sent at the lowesttransmit rate used by any client associated to that radio at that time. Thisresults in each IAP broadcasting at the highest Array TX data rate that canbe heard by all associated stations, thus improving system performance.The rate is determined dynamically to ensure the best broadcast/multicast performance possible. The benefit is dramatic. Consider aproperly designed network (one that has -70db or better everywhere),where virtually every client should have a 54Mbps connection. In thiscase, broadcasts and multicasts will all go out at 54Mbps vs. the standardrate. This means that with broadcast rate optimization on, broadcasts andmulticasts use between 2% and 10% of the bandwidth that they would inStandard mode.When set to Standard (the default), broadcasts are sent out at the lowestbasic rate only—6 Mbps for 5GHz clients, or 1 Mbps for 2.4GHz clients.The option you select here is applied to all IAPs.#This admission control feature applies only to Spectralink phones. It does notapply to all VoIP phones in general.
Wi-Fi ArrayConfiguring the Wi-Fi Array 26315. Load Balancing: The Xirrus Wi-Fi Array supports an automatic load balancing featuredesigned to distribute Wi-Fi stations across multiple radios rather thanhaving stations associate to the closest radios with the strongest signalstrength, as they normally would. In Wi-Fi networks, the station decidesto which radio it will associate. The Array cannot actually force loadbalancing, however the Array can “encourage” stations to associate in amore uniform fashion across all of the radios of the Array. This optionenables or disables active load balancing between the Array IAPs. For anin-depth discussion, see the Xirrus Station Load Balancing Application Notein the Xirrus Library. Choose On to enable Standard Load Balancing. If the Array decides thatan IAP is overloaded, that IAP will not respond immediately to a client’sProbe request. After a few seconds, if the client has still not associated theIAP will respond, assuming that this client is determined to associate tothe overloaded IAP. Overloaded IAPs will always respond to Associationand Authentication requests.If you select Aggressive Load Balancing and an IAP is overloaded, thatIAP will never respond to Probe, Association, or Authentication requests.This mode is useful because it prevents determined clients from forcingtheir way onto overloaded IAPs. Note that some clients are so determinedto associate to a particular IAP that they will not try to associate toanother IAP, and thus they never get on the network.Choose Off to disable load balancing. 16. ARP Filtering: Address Resolution Protocol finds the MAC address of adevice with a given IP address by sending out a broadcast messagerequesting this information. ARP filtering allows you to reduce theproliferation of ARP messages by restricting how they are forwardedacross the network. You may select the following options for handling ARP requests:•Off: ARP filtering is disabled. ARP requests are broadcast to stations.This is the default value.
Wi-Fi Array264 Configuring the Wi-Fi Array•Pass-thru: The Array forwards the ARP request. It passes along onlyARP messages that target the stations that are associated to it. •Proxy: The Array replies on behalf of the stations that are associatedto it. The ARP request is not broadcast to the stations. Note that the Array has a broadcast optimization feature that is always on(it is not configurable). Broadcast optimization restricts all broadcastpackets (not just ARP broadcasts) to only those radios that need toforward them. For instance, if a broadcast comes in from VLAN 10, andthere are no VLAN 10 users on a radio, then that radio will not send outthat broadcast. This increases available air time for other traffic.17. Fast Roaming Mode: This feature utilizes the Xirrus Roaming Protocol(XRP) ensuring fast and seamless roaming capabilities between IAPs orArrays at Layer 2 and Layer 3 (as specified in Step 18), while maintainingsecurity. Fast roaming eliminates long delays for re-authentication, thussupporting time-sensitive applications such as Voice over Wi-Fi (see“Understanding Fast Roaming” on page 253 for a discussion of thisfeature). XRP uses a discovery process to identify other Xirrus Arrays asfast roaming targets. This process has two modes:•Broadcast—the Array uses a broadcast technique to discover otherArrays that may be targets for fast roaming. •Tunneled—in this Layer 3 technique, fast roaming target Arraysmust be explicitly specified. To enable fast roaming, choose Broadcast or Tunneled, and set additionalfast roaming attributes (Step 19). To disable fast roaming, choose Off. Ifyou enable Fast Roaming, the following ports cannot be blocked:•Port 22610—reserved for Layer 2 roaming using UDP to share PMKinformation between Arrays.•Ports 15000 to 17999—reserved for Layer 3 roaming (tunnelingbetween subnets).
Wi-Fi ArrayConfiguring the Wi-Fi Array 26518. Fast Roaming Layer: Select whether to enable roaming capabilitiesbetween IAPs or Arrays at Layer 2 and 3, or at Layer 2 only. Dependingon your wired network, you may wish to allow fast roaming at Layer 3.This may result in delayed traffic. 19. Share Roaming Info With: Three options allow your Array to shareroaming information with all Arrays; just with those that are withinrange; or with specifically targeted Arrays. Choose either All, In Rangeor Target Only, respectively.a. Fast Roaming Targets: If you chose Target Only, use this option toadd target MAC addresses. Enter the MAC address of each targetArray, then click on Add (add as many targets as you like). To find atarget’s MAC address, open the Array Info window on the targetArray and look for IAP MAC Range, then use the starting address ofthis range. To delete a target, select it from the list, then click Delete.20. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoCoverage and Capacity PlanningGlobal Settings .11aGlobal Settings .11bgAdvanced RF SettingsIAPsIAP Statistics SummaryLED SettingsIAP Settings
Wi-Fi Array266 Configuring the Wi-Fi ArrayGlobal Settings .11aThis window allows you to establish global 802.11a IAP settings. These settingsinclude defining which 802.11a data rates are supported, enabling or disabling all802.11a IAPs, auto-configuration of channel allocations for all 802.11a IAPs, andspecifying the fragmentation and RTS thresholds for all 802.11a IAPs.Figure 141. Global Settings .11aProcedure for Configuring Global 802.11a IAP Settings1. 802.11a Data Rates: The Array allows you to define which data rates aresupported for all 802.11a radios. Select (or deselect) data rates by clickingin the corresponding Supported and Basic data rate check boxes. •Basic Rate—a wireless station (client) must support this rate inorder to associate.•Supported Rate—the Array will use this data rate fortransmissions to clients.2. Data Rate Presets: The Wi-Fi Array can optimize your 802.11a data ratesautomatically, based on range or throughput. Click on the OptimizeRange button to optimize data rates based on range, or click on the
Wi-Fi ArrayConfiguring the Wi-Fi Array 267Optimize Throughput button to optimize data rates based onthroughput. The Restore Defaults button will take you back to thefactory default rate settings.3. 802.11a IAP Status: Click Enable 802.11a IAPs to enable all 802.11a IAPsfor this Array, or click Disable 802.11a IAPs to disable all 802.11a IAPs.4. Channel Configuration: Click Auto Configure to instruct the Array todetermine the best channel allocation settings for each 802.11a IAP andselect the channel automatically, based on changes in the environment.This is the recommended method for 802.11a channel allocations. Use theFactory Defaults button to take you back to the factory default channelsettings.5. Cell Size Configuration: Click Auto Configure to instruct the Array todetermine and set the best cell size for each enabled 802.11a IAP, based onchanges in the environment. This is the recommended method for settingcell size. On the IAP Settings window, each enabled 802.11a IAP will haveits cell size set to auto. 6. Set Cell Size: The Cell Size may be set globally for all 802.11a IAPs toauto, large, medium, small, or max using the drop down menu. 7. Fragmentation Threshold: This is the maximum size for directed datapackets transmitted over the 802.11a radio. Larger frames fragment intoseveral packets, their maximum size defined by the value you enter here.Smaller fragmentation numbers can help to “squeeze” packets through innoisy environments. Enter the desired Fragmentation Threshold value inthis field, between 256 and 2346.8. RTS Threshold: The RTS (Request To Send) Threshold specifies thepacket size. Packets larger than the RTS threshold will use CTS/RTS priorto transmitting the packet—useful for larger packets to help ensure thesuccess of their transmission. Enter a value between 1 and 2347.9. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.
Wi-Fi Array268 Configuring the Wi-Fi ArraySee AlsoCoverage and Capacity PlanningGlobal Settings (IAP)Global Settings .11bgIAPsIAP Statistics SummaryAdvanced RF SettingsIAP Settings
Wi-Fi ArrayConfiguring the Wi-Fi Array 269Global Settings .11bgThis window allows you to establish global 802.11b/g IAP settings. These settingsinclude defining which 802.11b and 802.11g data rates are supported, enabling ordisabling all 802.11b/g IAPs, auto-configuring 802.11b/g IAP channel allocations,and specifying the fragmentation and RTS thresholds for all 802.11b/g IAPs.Figure 142. Global Settings .11bgProcedure for Configuring Global 802.11b/g IAP Settings1. 802.11g Data Rates: The Array allows you to define which data rates aresupported for all 802.11g radios. Select (or deselect) 11g data rates byclicking in the corresponding Supported and Basic data rate check boxes.•Basic Rate—a wireless station (client) must support this rate inorder to associate.
Wi-Fi Array270 Configuring the Wi-Fi Array•Supported Rate—data rate used to transmit to clients.2. 802.11b Data Rates: This task is similar to Step 1, but these data ratesapply only to 802.11b IAPs.3. Data Rate Presets: The Wi-Fi Array can optimize your 802.11b/g datarates automatically, based on range or throughput. Click Optimize Rangebutton to optimize data rates based on range, or click on the OptimizeThroughput to optimize data rates based on throughput. RestoreDefaults will take you back to the factory default rate settings.4. 802.11b/g IAP Status: Click Enable All 802.11b/g IAPs to enable all802.11b/g IAPs for this Array, or click Disable All 802.11b/g IAPs todisable them. 5. Channel Configuration: Click Auto Configure to instruct the Array todetermine the best channel allocation settings for each 802.11b/g IAP andselect the channel automatically, based on changes in the environment.This is the recommended method for 802.11b/g channel allocations.Factory Defaults will take you back to the factory default channelsettings. 6. Cell Size Configuration: Click Auto Configure to instruct the Array todetermine and set the best cell size for each enabled 802.11b/g IAP, basedon changes in the environment. This is the recommended method forsetting cell size. On the IAP Settings window, the cell size of each enabled802.11b/g IAP will be set to auto. 7. Set Cell Size: The Cell Size may be set globally for all 802.11bg IAPs toauto, large, medium, small, or max using the drop down menu.8. 802.11g Only: Choose On to restrict use to 802.11g mode only. In thismode, no 802.11b rates are transmitted. Stations that only support 802.11bwill not be able to associate.9. 802.11g Protection: You should select Auto CTS or Auto RTS to provideautomatic protection for all 802.11g radios in mixed networks (802.11b and g). You may select Off to disable this feature, but this is notrecommended. Protection allows 802.11g stations to share an IAP with
Wi-Fi ArrayConfiguring the Wi-Fi Array 271older, slower 802.11b stations. Protection avoids collisions by preventing802.11b and 802.11g stations from transmitting simultaneously. WhenAuto CTS or Auto RTS is enabled and any 802.11b station is associated tothe IAP, additional frames are sent to gain access to the wireless network. •Auto CTS requires 802.11g stations to send a slow Clear To Sendframe that locks out other stations. Automatic protection reduces802.11g throughput when 802.11b stations are present—Auto CTSadds less overhead than Auto RTS. The default value is Auto CTS. •With Auto RTS, 802.11g stations reserve the wireless media using aRequest To Send/Clear To Send cycle. This mode is useful when youhave dispersed nodes. It was originally used in 802.11b onlynetworks to avoid collisions from “hidden nodes”—nodes that are sowidely dispersed that they can hear the Array, but not each other. When there are no 11b stations associated and an auto-protection mode isenabled, the Array will not send the extra frames, thus avoidingunnecessary overhead. 10. 802.11g Slot: Choose Auto to instruct the Array to manage the 802.11gslot times automatically, or choose Short Only. Xirrus recommends usingAuto for this setting, especially if 802.11b devices are present.11. 802.11b Preamble: The preamble contains information that the Array andclient devices need when sending and receiving packets. All compliant802.11b systems have to support the long preamble. A short preambleimproves the efficiency of a network's throughput when transmittingspecial data, such as voice, VoIP (Voice-over IP) and streaming video.Select Auto to instruct the Array to manage the preamble (long and short)automatically, or choose Long Only.12. Fragmentation Threshold: This is the maximum size for directed datapackets transmitted over the 802.11b/g IAP. Larger frames fragment intoseveral packets, their maximum size defined by the value you enter here.Enter the desired Fragmentation Threshold value, between 256 and 2346.
Wi-Fi Array272 Configuring the Wi-Fi Array13. RTS Threshold: The RTS (Request To Send) Threshold specifies thepacket size. Packets larger than the RTS threshold will use CTS/RTS priorto transmitting the packet—useful for larger packets to help ensure thesuccess of their transmission. Enter a value between 1 and 2347.14. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoCoverage and Capacity PlanningGlobal Settings (IAP)Global Settings .11aAdvanced RF SettingsLED SettingsIAP SettingsIAP Statistics Summary
Wi-Fi ArrayConfiguring the Wi-Fi Array 273Global Settings .11nThis window is displayed only for XN Array models. It allows you to establishglobal 802.11n IAP settings. These settings include enabling or disabling 802.11nmode for the entire Array, specifying the number of transmit and receive chains(data stream) used for spatial multiplexing, setting a short or standard guardinterval, auto-configuring channel bonding, and specifying whether auto-configured channel bonding will be static or dynamic.Before changing your settings for 802.11n, please read the discussion in “IEEE802.11n Deployment Considerations” on page 59. Figure 143. Global Settings .11n xxx Replace!!Procedure for Configuring Global 802.11n IAP Settings1. 802.11n Mode: Select Enabled to operate in 802.11n mode, with four802.11b/g/n mode ports and the remaining IAPs operating in 802.11a/nmode. If you select Disabled, then 802.11n operation is disabled on the Array.IAPs abgn1 though abgn4 will behave in the same way as IAPs abg1 toabg4 on the XS Arrays; the 802.11a/n IAPs will operate in 802.11a mode.
Wi-Fi Array274 Configuring the Wi-Fi Array2. TX Chains: Select the number of separate data streams transmitted by theantennas of each IAP. The data rate of the IAP is multiplied by thenumber of streams. The default is 3.See “Multiple Data Streams—SpatialMultiplexing” on page 61.3. RX Chains: Select the number of separate data streams received by theantennas of each IAP. This number must be greater than or equal to TXChains.The data rate of the IAP is multiplied by the number of streams.The default is 3.See “Multiple Data Streams—Spatial Multiplexing” onpage 61.4. Guard Interval: Select Short to increase the data transmission rate bydecreasing wait intervals in signal transmission. Select Long to use thestandard interval. The default is Short.See “Short Guard Interval” onpage 64.5. Auto-configure Channel Bonding: Select Enabled to use ChannelBonding and automatically select the best channels for bonding. Thedefault is Disabled.See “Channel Bonding” on page 63.6. 5 GHz Channel Bonding: Select Dynamic to have auto-configuration forbonded 5 GHz channels be automatically updated as conditions change.Select Static to have the bonded channels remain the same once they areselected. The Dynamic option is only available when Auto-ConfigureChannel Bonding is enabled, and the default is Dynamic.See “ChannelBonding” on page 63.7. 2.4 GHz Channel Bonding: Select Dynamic to have auto-configurationfor bonded 2.4 GHz channels be automatically updated as conditionschange. Select Static to have the bonded channels remain the same oncethey are selected. The Dynamic option is only available when Auto-Configure Channel Bonding is enabled, and the default is Dynamic. See“Channel Bonding” on page 63.
Wi-Fi ArrayConfiguring the Wi-Fi Array 275Advanced RF SettingsThis window allows you to establish RF settings, including automaticallyconfiguring channel allocation and cell size, specifying intrusion detection andblocking of rogue APs, and configuring radio assurance and standby modes.Changes you make on this page are applied to all IAPs, without exception. Figure 144. Advanced RF Settings About Standby ModeStandby Mode supports the Array-to-Array fail-over capability. When you enableStandby Mode, the Array functions as a backup unit, and it enables its radios if itdetects that its designated target Array has failed. The use of redundant Arrays toprovide this fail-over capability allows Arrays to be used in mission-criticalapplications. In Standby Mode, an Array monitors beacons from the target Array.When the target has not been heard from for 40 seconds, the standby Array
Wi-Fi Array276 Configuring the Wi-Fi Arrayenables its radios until it detects that the target Array has come back online.Standby Mode is off by default. Note that you must ensure that the configurationof the standby Array is correct. This window allows you to enable or disableStandby Mode and specify the primary Array that is the target of the backup unit.See also, “Failover Planning” on page 67. About Blocking Rogue APsIf you classify a rogue AP as blocked (see “Rogue Control List” on page 231), thenthe Array will take measures to prevent stations from staying associated to therogue. When the monitor radio abg(n)2 is scanning, any time it hears a beaconfrom a blocked rogue abg(n)2 sends out a broadcast “deauth” signal using therogue's BSSID and source address.   This has the effect of tossing off all of a rogueAP’s clients approximately every 5 to 10 seconds, which is enough to make therogue frustratingly unusable.The Advanced RF Settings window allows you to set up Auto Block parametersso that unknown APs get the same treatment as explicitly blocked APs. This isbasically a “shoot first and ask questions later” mode. By default auto blocking isturned off. Auto blocking provides two parameters for qualifying blocking so thatAPs must meet certain criteria before being blocked. This keeps the Array fromblocking every AP that it detects. You may:zSet a minimum RSSI value for the AP—for example, if an AP has an RSSIvalue of -90, it is probably a harmless AP belonging to a neighbor and notin your building.zBlock based on encryption level.
Wi-Fi ArrayConfiguring the Wi-Fi Array 277Procedure for Configuring Advanced RF SettingsRF Intrusion Detection1. Intrusion Detection: This option allows you to establish the intrusiondetection method, either Standard or Advanced, or you can choose Off todisable this feature. See “Array Monitor and Radio AssuranceCapabilities” on page 408 for more information. •Standard—enables the abg(n)2 radio as a monitor which collectsRogue AP information. •Advanced—this option works in conjunction with the Xirrus DefenseModule intrusion detection software (XDM). In this mode, the built-in monitor radio (IAP abg(n)2) functions as an RF threat sensor. Self-monitoring is not enabled.•Off—IAP abg(n)2 does not function as a monitor. 2. Auto Block Unknown Rogue APs: Enable or disable auto blocking (see“About Blocking Rogue APs” on page 276). Note that in order to set AutoBlock RSSI and Auto Block Level, you must set Auto Block to On, andclick Apply. Then the remaining Auto Block fields will be active.3. Auto Block RSSI: Set the minimum RSSI for rogue APs to be blocked.APs with lower RSSI values will not be blocked. They are assumed to befarther away, and probably belonging to neighbors and posing a minimalthreat. 4. Auto Block Level: Select rogue APs to block based on the level ofencryption that they are using. The choices are: •Automatically block unknown rogue APs regardless of encryption.•Automatically block unknown rogue APs with no encryption.•Automatically block unknown rogue APs with WEP or noencryption.
Wi-Fi Array278 Configuring the Wi-Fi ArrayRF Resilience5. Radio Assurance Mode: When this mode is enabled, IAP abg(n)2performs loopback tests on the Array. This mode requires IntrusionDetection to be set to Standard (Step 1) to enable abg(n)2’s self-monitoring functions. It also requires abg(n)2 to be set to monitoringmode (see “Enabling Monitoring on the Array” on page 408). Operation of Radio Assurance mode is described in detail in “ArrayMonitor and Radio Assurance Capabilities” on page 408. The Radio Assurance mode scans and sends out probe requests on eachchannel, in turn. It listens for all probe responses and beacons. These testsare performed continuously (24/7). If no beacons or probe responses areobserved from a radio for a predetermined period, Radio Assurancemode will take action according to the preference that you have specified: •Failure alerts only—The Array will issue alerts in the Syslog, but willnot initiate repairs or reboots.•Failure alerts & repairs, but no reboots—The Array will issue alertsand perform resets of one or all of the radios if needed. •Failure alerts & repairs & reboots if needed—The Array will issuealerts, perform resets, and schedule reboots if needed. •Disabled—Disable IAP radio assurance tests (no self-monitoringoccurs). Loopback tests are disabled by default.6. Enable Standby Mode: Choose Yes to enable this Array to function as abackup unit for the target Array, or choose No to disable this feature. See“About Standby Mode” on page 275. 7. Standby Target Address: If you enabled the Standby Mode, enter theMAC address of the target Array (i.e., the address of the primary Arraythat is being monitored and backed up by this Array). To find this MACaddress, open the Array Info window on the target Array, and use theGigabit1 MAC Address.
Wi-Fi ArrayConfiguring the Wi-Fi Array 279RF Power & SensitivityFor an overview of RF power and cell size settings, please see “Capacity and CellSizes” on page 52 and “Fine Tuning Cell Sizes” on page 53. 8. Cell Size Configuration: Click on the Auto Configure button to instructthe Array to determine and set the best cell size for each enabled IAP,based on changes in the environment. This is the recommended methodfor setting cell size. On the IAP settings window, each enabled IAP willhave its cell size set to Auto. 9. Auto Cell Size Period: You may set up auto-configuration to runperiodically, readjusting optimal cell sizes for the current conditions.Enter a number of seconds to specify how often auto-configuration willrun. If you select None, then auto-configuration of cell sizing will not berun periodically. You do not need to run Auto Cell often unless there are alot of changes in the environment. If the RF environment is changingoften, running Auto Cell every twenty-four hours (86400 seconds) shouldbe sufficient). 10. Auto Cell Size Overlap (%): Enter the percentage of cell overlap that willbe allowed when the Array is determining automatic cell sizes. For 100%overlap, the power is adjusted such that neighboring Arrays that heareach other best will hear each other at -70dB. For 0% overlap, that numberis -90dB. 11. Auto Cell Min Tx Power (dBm): Enter the minimum transmit power thatthe Array can assign to a radio when adjusting automatic cell sizes. #To use the Auto Cell feature, the following additional settings are required: The abg(n)2 radio must be in monitor mode, and all other IAPs that willuse Auto Cell must have Cell Size set to auto. See “Procedure forManually Configuring IAPs” on page 255.The Intrusion Detection Mode must not be set to Advanced. See “RFIntrusion Detection” on page 277.
Wi-Fi Array280 Configuring the Wi-Fi Array12. Sharp Cell: This feature reduces interference between neighboringArrays or other Access Points by limiting to a defined boundary (cell size)the trailing edge bleed of RF energy. Choose On to enable the Sharp Cellfunctionality, or choose Off to disable this feature. See also, “Fine TuningCell Sizes” on page 53.The Sharp Cell feature only works when the cell size is Small, Medium, orLarge (or Auto)—but not Max. If an IAP cell size is set to Max, the SharpCell feature will be disabled for that radio. RF Spectrum Management13. Channel Configuration: Automatic channel configuration is therecommended method for channel allocation. When the Array performsauto channel configuration, it first negotiates with any other nearbyArrays that have been detected, to determine whether to stagger the starttime for the procedure slightly. Thus, nearby Arrays will not run autochannel at the same time. This prevents Arrays from interfering with eachother’s channel assignments. Click Auto Negotiate & Configure to instruct the Array to determine thebest channel allocation settings for each IAP and select the channelautomatically, based on changes in the environment. The Array will firstnegotiate with other nearby Arrays to see if the start time needs to bestaggered slightly. Click  Auto Configure to perform auto channel configurationimmediately, without first negotiating with any nearby Arrays. Thisoption is faster than Auto Negotiate and Configure. This allows you tomanually perform auto channel without waiting, and may be used whenyou know that no other nearby Arrays are configuring their channels. Ifmultiple Arrays are configuring channels at the same time, use the AutoNegotiate option to be ensure that multiple Arrays don't select the samechannels. Click Factory Defaults to instruct the Array to return all IAPs to theirfactory preset channels, as shown in the table below.
Wi-Fi ArrayConfiguring the Wi-Fi Array 281 14. Auto Channel Configuration Mode: This option allows you to instructthe Array to auto-configure channel selection for each enabled IAP whenthe Array is powered up. Choose On Array PowerUp to enable thisfeature, or choose Disabled to disable this feature.Factory Preset Channels (US)for both XN and XS models IAP 16-Radio Models12-Radio Models8-Radio Models4-Radio Modelsabg(n)11111abg(n)2 mon mon mon monabg(n)311111111abg(n)46666a(n)1363640 -a(n)2525256 -a(n)3 149 40 48 -a(n)4405664 -a(n)5 56 44 - -a(n)6 157 60 - -a(n)7 44 48 - -a(n)8 60 64 - -a(n)9 153 - - -a(n)10 48 - - -a(n)11 64 - - -a(n)12 161 - - -
Wi-Fi Array282 Configuring the Wi-Fi Array15. Auto Channel Configure on Time: This option allows you to instruct theArray to auto-configure channel selection for each enabled IAP at a timeyou specify here (in hours and minutes, using the format: hh:mm). Leavethis field blank unless you want to specify a time at which the auto-configuration utility is initiated.16. Channel List Selection: This list selects which channels are available tothe auto channel algorithm. Channels that are not checked are left out ofthe auto channel selection process. Note that channels that have beenlocked by the user are also not available to the auto channel algorithm.17. Auto Channel List: Use All Channels selects all available channels (thisdoes not include locked channels). Use Defaults sets the auto channel listback to the defaults. This omits newer channels (100-140) because manywireless NICs don’t support these channels. 18. Public Safety: This option adds two additional channels (191 and 195) inthe 4.9GHz spectrum range for public safety usage by qualifiedorganizations. Operating these channels requires a license, and so theyare not for general purpose use. Using these channels without a licenseviolates FCC rules. Warning notices are displayed when you enable thisfeature and select these channels. All 802.11a(n) and 802.11a/b/g(/n)radios may be set to these channels. 19. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See AlsoCoverage and Capacity PlanningGlobal Settings .11aGlobal Settings .11bgIAPsIAP Statistics SummaryLED SettingsIAP Settings
Wi-Fi ArrayConfiguring the Wi-Fi Array 283LED SettingsThis window assigns behavior preferences for the Array’s IAP LEDs.Figure 145. LED SettingsProcedure for Configuring the IAP LEDs1. LED State: This option determines which event triggers the LEDs, eitherwhen an IAP is enabled or when an IAP first associates with the network.Choose On Radio Enabled or On First Association, as desired. You mayalso choose Disabled to keep the LEDs from being lit. The LEDs will stilllight during the boot sequence, then turn off. 2. LED Blink Behavior: This option allows you to select when the IAP LEDsblink, based on the activities you check here. From the choices available,select one or more activities to trigger when the LEDs blink.See also, “Array LED Operating Sequences” on page 108.3. Click on the Apply button to apply the new settings to this session, orclick Save to apply your changes and make them permanent.See Also
Wi-Fi Array284 Configuring the Wi-Fi ArrayGlobal Settings (IAP)Global Settings .11aGlobal Settings .11bgIAPsLED Boot Sequence
Wi-Fi ArrayConfiguring the Wi-Fi Array 285WDSThis is a status only window that provides an overview of all WDS links that havebeen defined. WDS (Wireless Distribution System) is a system that enables theinterconnection of access points wirelessly, allowing your wireless network to beexpanded using multiple access points without the need for a wired backbone tolink them. The Summary of WDS Client Links shows the WDS links that youhave defined on this Array and identifies the target Array for each by its baseMAC address. The Summary of WDS Host Links shows the WDS links that havebeen established on this Array as a result of client Arrays associating to this Array(i.e., the client Arrays have this Array as their target). The summary identifies thesource (client) Array for each link. Both summaries identify the IAPs that are partof the link and whether the connection for each is up or down. See “WDSPlanning” on page 76 for an overview. Figure 146. WDS About Configuring WDS LinksA WDS link connects a client Array and a host Array (see Figure 147 on page 286).The host must be the Array that has a wired connection to the LAN. Client linksfrom one or more Arrays may be connected to the host, and the host may alsohave client links. See “WDS Planning” on page 76 for more illustrations.
Wi-Fi Array286 Configuring the Wi-Fi ArrayThe configuration for WDS is performed on the client Array only, as described in“WDS Client Links” on page 287. No WDS configuration is performed on the hostArray. First you will set up a client link, defining the target (host) Array and SSID,and the maximum number of IAPs in the link. Then you will select the IAPs to beused in the link. When the client link is created, each member IAP will associate toan IAP on the host Array. Figure 147. .Configuring a WDS LinkSee AlsoSSID ManagementWDS Client Link IAP Assignments:WDS Client LinksWDS Statistics#Once an IAP has been selected to act as a WDS client link, you will not beallowed to use auto-configured cell sizing on that IAP (since the cell mustextend all the way to the other Array). a2(52)a3(149)a4(40)a10(52)a9(149)a8(40)CLIENT HOSTWired LANClientLink
Wi-Fi ArrayConfiguring the Wi-Fi Array 287WDS Client LinksThis window allows you to set up a maximum of four WDS client links.Figure 148. WDS Client Links Procedure for Setting Up WDS Client LinksWDS Client Link Settings: 1. Client Link: Shows the ID (1 to 4) of each of the four possible WDS links. 2. Enabled: Check this box if you want to enable this WDS link, or uncheckthe box to disable the link. 3. Max IAPs Allowed (1-3): Enter the maximum number of IAPs for thislink, between 1 and 3.4. Target Array Base MAC Address: Enter the base MAC address of thetarget Array (the host Array at the other side of this link). To find thisMAC address, open the WDS window on the target Array, and use ThisArray Address located on the right under the Summary of WDS HostLinks.
Wi-Fi Array288 Configuring the Wi-Fi Array5. Target SSID: Enter the SSID that the target Array is using. 6. Username: Enter a username for this WDS link. A username andpassword is required if the SSID is using PEAP for WDS authenticationfrom the internal RADIUS server.7. Password: Enter a password for this WDS link.8. Clear Settings: Click on the Clear button to reset all of the fields on thisline. 9. Click on the Apply button to apply your changes to this session, or clickSave to apply your changes and make them permanent.WDS Client Link IAP Assignments: 10. For each desired client link, select the IAPs that are part of that link. 11. Auto Configure: Click this button to instruct the Array to automaticallydetermine the best channel allocation settings for each IAP thatparticipates in a WDS link, based on changes in the environment. Thesechanges are executed immediately, and are automatically applied. 12. Reset All Links: this command tears down all links configured on theArray and sets them back to their factory defaults, effective immediately.See AlsoSSID ManagementWDS PlanningWDSWDS Statistics#Once an IAP has been selected to act as a WDS client link, no otherassociation will be allowed on that IAP. However, wireless associations willbe allowed on the WDS host side of the WDS session.
Wi-Fi ArrayConfiguring the Wi-Fi Array 289FiltersThe Wi-Fi Array’s integrated firewall uses stateful inspection to speed thedecision of whether to allow or deny traffic. Filters are also used to define therules used for blocking or passing traffic. Filters can also set the VLAN and QoSlevel for selected traffic. User connections managed by the firewall are maintained statefully—once a userflow is established through the Array, it is recognized and passed throughwithout application of all defined filtering rules. Stateful inspection runsautomatically on the Array. The rest of this section describes how to view andmanage filters.Filters are organized in groups, called Filter Lists. A filter list allows you to applya uniform set of filters to SSIDs or Groups very easily. The read-only Filters window provides you with an overview of all filter lists thathave been defined for this Array, and the filters that have been created in each list.Filters are listed in the left side column by name under the filter list to which theybelong. Each filter entry includes information about the type of filter, the protocolit is filtering, which port it applies to, source and destination addresses, and QoSand VLAN assignments.Figure 149. FiltersOrange arrow expands/collapses display
Wi-Fi Array290 Configuring the Wi-Fi ArrayFilter Lists This window allows you to create filter lists. The Array comes with onepredefined list, named Global, which cannot be deleted. Filter lists (includingGlobal) may be applied to SSIDs or to Groups. Only one filter list at a time may beapplied to a group or SSID (although the filter list may contain a number offilters). All filters are created within filter lists. Figure 150. Filter ListsProcedure for Managing Filter Lists1. New Filter List Name: Enter a name for the new filter list in this field,then click on the Create button to create the list. All new filters aredisabled when they are created. The new filter list is added to the FilterList table in the window. Click on the filter list name, and you will betaken to the Filter Management window for that filter list.2. On: Check this box to enable this filter list, or leave it blank to disable thelist. If the list is disabled, you may still add filters to it or modify it, butnone of the filters will be applied to data traffic. 3. Filters: This read-only field displays the number of filters that belong tothis filter list.
Wi-Fi ArrayConfiguring the Wi-Fi Array 2914. SSIDs: This read-only field lists the SSIDs that use this filter list.5. User Groups: This read-only field lists the Groups that use this filter list.6. Delete: Click this checkbox and then click the Apply or Save button todelete this filter list.7. Click on the Apply button to apply your changes to the selected filter, orclick Save to apply your changes and make them permanent.8. Click a filter list to go to the Filter Management window to create andmanage the filters that belong to this list. Filter Management This window allows you to create and manage filters that belong to a selectedfilter list, based on the filter criteria you specify. Figure 151. Filter ManagementFilters are applied in order, from top to bottom.Click here to change the order.
Wi-Fi Array292 Configuring the Wi-Fi ArrayNote that filtering is secondary to the stateful inspection performed by theintegrated firewall. Traffic for established connections is passed through withoutthe application of these filtering rules.Procedure for Managing Filters1. Filter List: Select the filter list to display and manage on this window. Allof the filters already defined for this list are shown, and you may createadditional filters for this list.2. New Filter Name: Enter a name for the new filter in the field next to theCreate button, then click on the Create button to create the filter. All newfilters are added to the table of filters at the top of the window. The filtername must be unique within the list, but it may have the same name as afilter in a different filter list. Two filters with the same name in differentfilter lists will be completely unrelated to each other—they may bedefined with different parameter values. 3. Filter: Choose a filter entry to modify from the list at the top of thewindow. 4. On: Use this field to enable or disable this filter.5. Deny: Choose whether this filter will be an Allow filter or a Deny filter. Ifyou define the filter as an Allow filter, then any associations that meet thefilter criteria will be allowed. If you define the filter as a Deny filter, anyassociations that meet the filter criteria will be denied.6. Protocol: Choose a specific filter protocol from the pull-down list, orchoose numeric and enter a Number, or choose any to instruct the Arrayto use the best filter. This is a match criterion.7. Port: From the pull-down list, choose the type of port on which you wantthis filter to be active, or choose 1-65534 and enter a Number, or chooseany to instruct the Array to apply the filter to any port. This is a matchcriterion.
Wi-Fi ArrayConfiguring the Wi-Fi Array 2938. QoS: (Optional) Set packets that match the filter criteria to this QoS level(0 to 3) from the pull-down list. Level 0 has the lowest priority; level 3 hasthe highest priority. By default, this field is blank and the filter does notmodify QoS level. See “Understanding QoS Priority on the Wi-Fi Array”on page 235. 9. VLAN ID: (Optional) Set packets that match the filter criteria to thisVLAN. Select a VLAN from the pull-down list, or select numeric andenter the number of a previously defined VLAN (see “VLANs” onpage 203). 10. Move Up/Down: The filters are applied in the order in which they aredisplayed in the list, with filters on the top applied first. To change anentry’s position in the list, just click its Up or Down button. 11. Source Address: Define a source address to match as a filter criterion.Click the radio button for the desired type of address (or other attribute)to match. Then specify the value to match in the field to the right of thebutton. Choose Any to use any source address. Check Not to match anyaddress except for the specified address.12. Destination Address: Define a destination address to match as a filtercriterion. Click the radio button for the desired type of address (or otherattribute) to match. Then specify the value to match in the field to theright of the button. Choose Any to use any source address. Check Not tomatch any address except for the specified address.13. To delete a filter, check its Delete checkbox, then click the Apply or Savebutton. 14. Click on the Apply button to apply your changes to the selected filter, orclick Save to apply your changes and make them permanent.See AlsoFiltersFilter StatisticsUnderstanding QoS Priority on the Wi-Fi ArrayVLANs
Wi-Fi Array294 Configuring the Wi-Fi Array
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 295Using Tools on the Wi-Fi ArrayThese WMI windows allow you to perform administrative tasks on your Array,such as upgrading software, rebooting, uploading and downloadingconfiguration files, and other utility tasks. Tools are described in the followingsections: z“System Tools” on page 296z“CLI” on page 303z“Logout” on page 305This section does not discuss using status or configuration windows. Forinformation on those windows, please see: z“Viewing Status on the Wi-Fi Array” on page 127z“Configuring the Wi-Fi Array” on page 173
Wi-Fi Array296 Using Tools on the Wi-Fi ArraySystem ToolsThis window allows you to manage files for software images, configuration, andWeb Page Redirect (WPR), manage the system’s configuration parameters, rebootthe system, and use diagnostic tools.Figure 152. System ToolsStatus is shown hereProgress is shown here
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 297Procedure for Configuring System ToolsThese tools are broken down into the following sections:zSystemzConfigurationzDiagnosticszWeb Page RedirectzToolszProgress and Status FramesSystem1. Save & Reboot or Reboot: Use Save & Reboot to save the currentconfiguration and then reboot the Array. The LEDs on the Array indicatethe progress of the reboot, as described in “Powering Up the Wi-Fi Array”on page 107. Alternatively, you can click on the Reboot button to discardany configuration changes which have not been saved since the lastreboot. 2. Software Upgrade: This feature upgrades the ArrayOS to a newerversion provided by Xirrus. Enter the filename and directory location (orclick on the Browse button to locate the software upgrade file), then clickon the Upgrade button to upload the new file to the Array. Progress of theoperation will be displayed below, in the Progress section. Completionstatus of the operation is shown in the Status section. This operation does not run the new software or change any configuredvalues. The existing software continues to run on the Array until youreboot, at which time the uploaded software will be used. #If you have difficulty upgrading the Array using the WMI, see “Upgradingthe Array via CLI” on page 411 for a lower-level procedure you may use. Software Upgrade always uploads the file in binary mode. If you transferany image file to your computer to have it available for the Software Upgradecommand, it is critical to remember to transfer it (ftp, tftp) in binary mode!
Wi-Fi Array298 Using Tools on the Wi-Fi ArrayConfiguration3. Update from Remote File: This field allows you to define the path to aconfiguration file (one that you previously saved—see Step 5 below).Click on the Browse button if you need to browse for the location of thefile, then click Update to update your configuration settings.4. Update from Local File: This field updates Array settings from a localconfiguration file on the Array. Select one of the following files from thedrop-down list: •factory.conf: The factory default settings•lastboot.conf: The setting values from just before the last reboot•saved.conf: The last settings that were explicitly savedClick Update to update your configuration settings.5. Download Current Configuration: Click on the link titledxs_current.conf to download the Array’s current configuration settings toa file (that you can upload back to the Array at a later date). The systemwill prompt you for a destination for the file. The file will contain theArray’s current configuration values. 6. Reset to Factory Defaults: Click on the Reset/Preserve IP Settings buttonto reset the system’s current configuration settings to the factory defaultvalues, except for the Array’s management IP address which is left unchanged.This function allows you to maintain management connectivity to theArray even after the reset. This will retain the Gigabit Ethernet port’s IPaddress (see “Network Interfaces” on page 181), or if you haveconfigured management over a VLAN it will maintain the managementVLAN’s IP address (see “VLAN Management” on page 205). All otherprevious configuration settings will be lost.#Important! When you have initially configured your Array, or have madesignificant changes to its configuration, we strongly recommend that yousave the configuration to a file in order to have a safe backup of your workingconfiguration.
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 299Click Reset to reset all of the system’s current configuration settings tothe factory default values, including the management IP address—allprevious configuration settings will be lost. The Array’s Gigabit Ethernetports default to using DHCP to obtain an IP address.  Diagnostics7. Diagnostic Log: Click the Create button to save a snapshot of Arrayinformation for use by Xirrus Customer Support personnel. The filenamexs_diagnostic.log will be displayed in blue and it becomes a link to thenewly created log file. Click the link to download this file to the C:\folder on your local computer. (Figure 153) Figure 153. Saving the Diagnostic LogThis feature is only used at the request of Customer Support. It saves allof the information regarding your Array, including status, configuration,statistics, log files, and recently performed actions. The diagnostic log is always saved as a file named xs_diagnostic.logon your C:\ drive, so you should immediately rename the file to save it.This way, it will not be lost the next time you save a diagnostic log. Often,Customer Support will instruct you to save two diagnostic logs about tenminutes apart so that they can examine the difference in statisticsbetween the two snapshots (for example, to see traffic and error statisticsfor the interval). Thus, you must rename the first diagnostic log file.#If the IP settings change, the connection to the WMI may be lost.Click Update to create logThen click this link to savelog file to local computer
Wi-Fi Array300 Using Tools on the Wi-Fi Array Web Page RedirectThe Array uses a Perl script and a cascading style sheet to define the default splash/login Web page that the Array delivers for WPR. You may replace these files with files for one or more custom pages of your own. See Step 10 below to view the default files. See Step 14 on page 241 for more information about WPR and how the splash/login page is used.Each SSID that has WPR enabled may have its own page. Custom files for a specific SSID must be named based on the SSID name. For example, if the SSID is named Public, the default wpr.pl and hs.css files should be modified as desired and renamed to wpr-Public.pl and hs-Public.css before uploading to the Array. If you modify and upload files named wpr.pl and hs.css, they will replace the factory default files and will be used for any SSID that does not have its own custom files, per the naming convention just described. Be careful not to replace the default files unintentionally. Figure 154. Managing WPR Splash/Login page files8. Upload File: Use this to install files for your own custom WPR splash/login page (as described above) on the Array. Note that uploaded files arenot immediately used - you must reboot the Array first. At that time, theArray looks for and uses these files, if found. Enter the filename and directory location (or click Browse to locate thesplash/login page files), then click on the Upload button to upload thenew files to the Array. You must reboot to make your changes take effect. #All passwords are stored on the array in an encrypted form and will not beexposed in the diagnostic log.
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 3019. Remove File: Enter the name of the WPR file you want to remove, thenclick on the Delete button. You can use the List Files button to show youa list of files that have been saved on the Array for WPR. The list isdisplayed in the Status section at the bottom of the WMI window. Youmust reboot to make your changes take effect. 10. Download Sample Files: Click on a link to access the correspondingsample WPR files:•wpr.pl—a sample Perl script. •hs.css—a sample cascading style sheet.ToolsFigure 155. System Command (Ping) 11. System Command: Choose Trace Route, Ping., or RADIUS Ping. ForTrace Route and Ping, fill in IP Address and Timeout. Then click theExecute button to run the command. The RADIUS Ping command is a simple utility that tests connectivity to aRADIUS server by attempting to log in with the specified Username andPassword. When using a RADIUS server, this command allows you toverify that the server configuration is correct and whether a particular
Wi-Fi Array302 Using Tools on the Wi-Fi ArrayUsername and Password are set up properly. If a client is having troubleaccessing the network, you can quickly determine if there is a basicRADIUS problem by using the RADIUS Ping tool. For example, inFigure 156 (A), RADIUS Ping is unable to contact the server. In Figure 156(B), RADIUS Ping verifies that the host information and secret for aRADIUS server are correct, but that the user account information is not. Select RADIUS allows you to select a RADIUS server that you havealready configured (External Radius,  Internal Radius, or a serverspecified for a particular SSID), or select Other Server to specify anotherserver by entering its Host name or IP address, Port, and shared Secret.Enter the RADIUS Credentials: Username and Password, then click theExecute button to run the command. The message Testing RADIUSconnection appears. Click OK to proceed. Figure 156. Radius Ping Output12. IP Address: For Ping or Trace Route, enter the IP address of the targetdevice.13. Timeout: For Ping or Trace Route, enter a value (in seconds) before theaction times out.14. Execute System Command: Click Execute to start the specifiedcommand. Progress of command execution is displayed in the Progressframe. Results are displayed in the Status frame.AB
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 303Progress and Status FramesThe Progress frame displays a progress bar for commands such as Software Upgrade and Ping. The Status frame presents the output from system commands (Ping and Trace Route), as well as other information, such as the results of software upgrade.15. If you want to save the parameters you established in this window forfuture sessions, click on the Save button.CLI The WMI provides this window to allow you to use the Array’s Command LineInterface (CLI). You can enter commands to configure the Array, or displayinformation using show commands. You will not need to log in - you alreadylogged in to the Array when you started the WMI.Figure 157. CLI WindowTo enter a command, simply type it in. The command is echoed and output isshown in the normal way—that is, the same way it would be if you were using
Wi-Fi Array304 Using Tools on the Wi-Fi Arraythe CLI directly. You may use the extra scroll bar inside the right edge of thewindow to scroll through your output. This window has some minor differences, compared to direct use of the CLI viathe console or an SSH connection:zThe CLI starts in config mode. All configuration and show commands areavailable in this mode. You can “drill down” the mode further in theusual way. For example, you can type interface iap to change the mode toconfig-iap. The prompt will indicate the current command mode, forexample:My-Array(config-iap) # zYou can abbreviate a command and it will be executed if you have typedenough of the command to be unambiguous. The command will notauto-complete, however. Only the abbreviated command that youactually typed will be shown. You can type a partial command and pressTab to have the command auto-complete. If the partial command isambiguous a list of legal endings is displayed. zEntering quit will log you out of the current WMI session.zMost, but not all, CLI commands can be run in this window. Specificallythe run-test menu of commands is not available in this window. To usethe run-test command, please connect using SSH and use CLI directly, oruse the System Tools described in this chapter, such as Trace Route, Ping,and RADIUS Ping. Help commands (the ? character) are available, either at the prompt or after youhave typed part of a command.
Wi-Fi ArrayUsing Tools on the Wi-Fi Array 305LogoutClick on the Logout button to terminate your session. When the session isterminated, you are presented with the Array’s login window.Figure 158. Login Window
Wi-Fi Array306 Using Tools on the Wi-Fi Array
Wi-Fi ArrayThe Command Line Interface 307The Command Line InterfaceThis section covers the commands and the command structure used by the Wi-FiArray’s Command Line Interface (CLI), and provides a procedure for establishinga Telnet connection to the Array. Topics discussed include: z“Establishing a Secure Shell (SSH) Connection” on page 308.z“Getting Started with the CLI” on page 309.z“Top Level Commands” on page 311.z“Configuration Commands” on page 320.z“Sample Configuration Tasks” on page 356.See AlsoEstablishing Communication with the ArrayNetwork MapSystem Tools
Wi-Fi Array308 The Command Line InterfaceEstablishing a Secure Shell (SSH) ConnectionUse this procedure to initialize the system and log in to the Command LineInterface (CLI) via a Secure Shell (SSH) utility, such as PuTTY. When connecting tothe unit’s Command Line Interface over a network connection, you must use aSecure SHell version 2 (SSH-2) utility. Make sure that your SSH utility is set up touse SSH-2. 1. Start your SSH session and communicate with the Array via its default IPaddress (10.0.2.1 for both the Gigabit 1 and Gigabit 2 Ethernet ports).2. At the login prompt, enter your user name and password (the default forboth is admin). Login names and passwords are case-sensitive. You arenow logged in to the Array’s Command Line Interface.Figure 159. Logging In
Wi-Fi ArrayThe Command Line Interface 309Getting Started with the CLIThe root command prompt (Root Command Prompt) is the first prompt you seeafter logging in to the CLI. If you are at a level other than the root commandprompt you can return to this prompt at any time by using the exit command tostep back through each command prompt level. The root command prompt yousee in the CLI window is determined by the host name you assigned to yourArray. The prompt Xirrus_Wi-Fi_Array is displayed throughout this documentsimply because this is the host name assigned to the Array used for development.To terminate your session at any time, use the quit command.Note: If you terminate your session, with either the quit or exit command, your WMIsession will also be terminated. Inputting CommandsWhen inputting commands you need only type as many characters as the systemrequires before it recognizes your input. For example, you can type theabbreviated term config to access the configure prompt.Getting HelpThe CLI offers the following two levels of assistance:zhelp CommandThe  help command is only available at the root command prompt.Initiating this command generates a window that provides informationabout the types of help that are available with the CLI.Figure 160. Help Window
Wi-Fi Array310 The Command Line Interfacez? CommandThis command is available at any prompt and provides either FULL orPARTIAL help. Using the ? (question mark) command when you areready to enter an argument will display all the possible arguments (fullhelp). Partial help is provided when you enter an abbreviated argumentand you want to know what arguments will match your input.Figure 161. Full HelpFigure 162  shows an example of how the Help system can provide theargument and format when specifying the time zone under the date-timecommand.Figure 162. Partial Help
Wi-Fi ArrayThe Command Line Interface 311Top Level CommandsThis section offers an at-a-glance view of all top level commands—organizedalphabetically. Top level commands are defined here as commands that aredirectly accessible from the root command prompt (Xirrus_Wi-Fi_Array#). Theroot command prompt is based on the host name assigned to your Array. Wheninputting commands, be aware that all commands are case-sensitive.All other commands are considered second level configuration commands—theseare the commands you use to configure specific elements of the Array’s featuresand functionality. For a listing of these commands with examples of commandformats and structure, go to “Configuration Commands” on page 320.Root Command PromptThe following table shows the top level commands that are available from theroot command prompt [Xirrus_Wi-Fi_Array].Command Description@ Type @n to execute command n (as shown by the history command).configure  Enter the configuration mode. See “Configuration Commands” on page 320. exit Exit the CLI and terminate your session—if this command is used at any level other than the root command prompt you will simply exit the current level (step back) and return to the previous level.help Show a description of the interactive help system. See also, “Getting Help” on page 309. history List history of commands that have been executed.more Turn terminal pagination ON or OFF.quit Exit the Command Line Interface (from any level).search Search for pattern in show command output.
Wi-Fi Array312 The Command Line Interfaceconfigure CommandsThe following table shows the second level commands that are available with thetop level configure command [Xirrus_Wi-Fi_Array(config)#].show Display information about the selected item. See “show Commands” on page 315. statistics Display statistical data about the Array. See “statistics Commands” on page 318. uptime Display the elapsed time since the last boot.Command Description@  Type @n to execute command n (as shown by the history command).acl Configure the Access Control List.admin Define administrator access parameters. cdp   Configure Cisco Discovery Protocol settings. clear Remove/clear the requested elements.contact-info Contact information for assistance on this Array.date-time Configure date and time settings.dhcp-server Configure the DHCP Server.dns Configure the DNS settings.end Exit the configuration mode.exit Go UP one mode level.file Manage the file system.filter Define protocol filter parameters.fips Enable/disable FIPS 140-2, Level 2 Security.Command Description
Wi-Fi ArrayThe Command Line Interface 313group Define user groups with parameter settingshelp Description of the interactive Help system.history List history of commands that have been executed.hostname Host name for this Array.https Enable/disable HTTPS.interface Select the interface to configure.load Load running configuration from flashlocation Location name for this Array.management Configure array management parametersmore Turn ON or OFF terminal pagination.netflow Configure NetFlow data collector. no Disable (if enabled) or set to default value.quit Exit the Command Line Interface.radius-server Configure the RADIUS server parameters.reboot Reboot the Array.reset Reset all settings to their factory default values and reboot.run-tests Run selective tests.save Save the running configuration to FLASH.search Search for pattern in show command output.security Set the security parameters for the Array.show Display current information about the selected item.Command Description
Wi-Fi Array314 The Command Line Interfacesnmp Enable, disable or configure SNMP.ssh Enable/disable SSH.ssid Configure the SSID parameters.standby Configure the standby parameters.statistics Display statistics.syslog Enable, disable or configure the Syslog Server.telnet Enable/disable Telnet.uptime Display time since the last boot.vlan Configure VLAN parameters.Command Description
Wi-Fi ArrayThe Command Line Interface 315show CommandsThe following table shows the second level commands that are available with thetop level show command [Xirrus_Wi-Fi_Array# show].Command Descriptionacl  Display the Access Control List.admin Display the administrator list or login information.array-info Display system information.associated-stations Display stations that have associated to the Array.boot-env Display Boot loader environment variables. capabilities Display detailed station capabilities. cdp Display Cisco Discovery Protocol settings.channel-list Display list of Array’s 802.11a(n) and bg(n) channels. clear-text Display and enter passwords and secrets in the clear. conntrack Display the Connection Tracking table. console Display terminal settings.contact-info Display contact information.country-list Display countries that the Array can be set to support. date-time Display date and time settings summary.dhcp-leases Display IP addresses (leases) assigned to stations by the DHCP server. dhcp-pool Display internal DHCP server settings summary information.
Wi-Fi Array316 The Command Line Interfacediff Display the difference between configurations.dns Display DNS summary information.env-ctrl Display the environmental controller status for the outdoor enclosure.error-numbers Display the detailed error number in error messages.ethernet Display Ethernet interface summary information.external-radius Display summary information for the external RADIUS server settings.factory-config Display the Array factory configuration information.filters Display filter information.iap Display IAP configuration information.internal-radius Display the users defined for the embedded RADIUS server.lastboot-config Display Array configuration at the time of the last boot-up.management Display settings for managing the Array, plus Standby, FIPS, and other information. network-map Display network map information.realtime-monitor  Display realtime statistics for all IAPs. rogue-ap Display rogue AP information.route  Display the routing table. rssi-map Display RSSI map by IAP for station.running-config Display configuration information for the Array currently running.Command Description
Wi-Fi ArrayThe Command Line Interface 317saved-config Display the last saved Array configuration.security Display security settings summary information.self-test  Display self test results.snmp Display SNMP summary information.spanning-tree Display spanning tree information. spectrum-analyzer Display spectrum analyzer measurements. ssid Display SSID summary information.stations Display station information.statistics Display statistics.syslog Display the system log.syslog-settings Display the system log (Syslog) settings.temperature Display the current board temperatures.unassociated-stations  Display unassociated station information. vlan Display VLAN information.wds Display WDS information.<cr> Display configuration or status information.Command Description
Wi-Fi Array318 The Command Line Interfacestatistics CommandsThe following table shows the second level commands that are available with thetop level statistics command [Xirrus_Wi-Fi_Array# statistics].Command Descriptionethernet  Display statistical data for all Ethernet interfaces.Ethernet Nameeth0, gig1, gig2Display statistical data for the defined Ethernet interface (either eth0, gig1 or gig2).FORMAT:statistics gig1 filter Display statistics for defined filters (if any).FORMAT:statistics filter [detail]  filter-list Display statistics for defined filter list (if any).FORMAT:statistics filter <filter-list> iap Display statistical data for the defined IAP.FORMAT:statistics iap abgn4station Display statistical data about associated stations.FORMAT:statistics station billwvlan Display statistical data for the defined VLAN. You must use the VLAN number (not its name) when defining a VLAN.FORMAT:statistics vlan 1wds Display statistical data for the defined active WDS (Wireless Distribution System) links.FORMAT:statistics wds 1
Wi-Fi ArrayThe Command Line Interface 319<cr> Display configuration or status information.Command Description
Wi-Fi Array320 The Command Line InterfaceConfiguration CommandsAll configuration commands are accessed by using the configure command at theroot command prompt (Xirrus_Wi-Fi_Array#). This section provides a briefdescription of each command and presents sample formats where deemednecessary. The commands are organized alphabetically. When inputtingcommands, be aware that all commands are case-sensitive.To see examples of some of the key configuration tasks and their associatedcommands, go to “Sample Configuration Tasks” on page 356.acl The  acl command [Xirrus_Wi-Fi_Array(config)# acl] is used to configure theAccess Control List.Command Descriptionadd  Add a MAC address to the list.FORMAT:acl add AA:BB:CC:DD:EE:FFdel Delete a MAC address from the list.FORMAT:acl del AA:BB:CC:DD:EE:FFdisable Disable the Access Control ListFORMAT:acl disableenable Enable the Access Control ListFORMAT:acl enablereset Delete all MAC addresses from the list.FORMAT:acl reset
Wi-Fi ArrayThe Command Line Interface 321admin The admin command [Xirrus_Wi-Fi_Array(config-admin)#] is used to configurethe Administrator List.Command Descriptionadd  Add a user to the Administrator List.FORMAT:admin add [userID]del Delete a user to the Administrator List.FORMAT:admin del [userID]edit Modify user in the Administrator List.FORMAT:admin edit [userID]radius Define a RADIUS server to be used for authenticating administrators.FORMAT:admin radius [disable | enable | off | on | timeout <seconds> | auth-type [PAP | CHAP]] admin radius [primary |secondary] port <portid> server [<ip-addr> | <host>] secret <shared-secret>reset Delete all users and restore the default user.FORMAT:admin reset
Wi-Fi Array322 The Command Line Interfacecdp The cdp command [Xirrus_Wi-Fi_Array(config)# cdp] is used to configure theCisco Discovery Protocol.Command Descriptiondisable Disable the Cisco Discovery ProtocolFORMAT:cdp disableenable Enable the Cisco Discovery ProtocolFORMAT:cdp enablehold-time  Select CDP message hold time before messages received from neighbors expire.FORMAT:cdp hold-time [# seconds]interval The Array sends out CDP announcements at this interval. FORMAT:cdp interval [# seconds] off Disable the Cisco Discovery ProtocolFORMAT:cdp offon Enable the Cisco Discovery ProtocolFORMAT:cdp on
Wi-Fi ArrayThe Command Line Interface 323clear The  clear command [Xirrus_Wi-Fi_Array(config)# clear] is used to clearrequested elements.Command Descriptionauthentication Deauthenticate a station.FORMAT:clear station [authenticated station]history Clear the history of CLI commands executed.FORMAT:clear history screen Clear the screen where you’re viewing CLI output.FORMAT:clear syslogstatistics Clear the statistics for a requested interface.FORMAT:clear statistics [eth0]syslog Clear all Syslog messages, but continue to log new messages.FORMAT:clear syslog
Wi-Fi Array324 The Command Line Interfacecontact-info The contact-info command [Xirrus_Wi-Fi_Array(config)# contact-info] is usedfor managing administrator contact information.Command Descriptionemail Add an email address for the contact (must be in quotation marks).FORMAT:contact-info email [“contact@mail.com”]name Add a contact name (must be in quotation marks).FORMAT:contact-info name [“Contact Name”]phone Add a telephone number for the contact (must be in quotation marks).FORMAT:contact-info phone [“8185550101”]
Wi-Fi ArrayThe Command Line Interface 325date-time The  date-time command [Xirrus_Wi-Fi_Array(config-date-time)#] is used toconfigure the date and time parameters. Your Array supports the Network TimeProtocol (NTP) in order to ensure that the Array’s internal time is accurate. NTP isset to UTC time by default; however, you can set the time zone so that your Arraywill display local time. This is done by defining an offset from the UTC value. Forexample, Pacific Standard Time is 8 hours behind UTC time, so the offset fromUTC time would be -8.Command Descriptiondst_adjust Enable adjustment for daylight savings.FORMAT:date-time dst_adjustno Disable daylight savings adjustment.FORMAT:date-time no dst_adjustntp Enable the NTP server.FORMAT:date-time ntp on (or off to disable)offset Set an offset from Greenwich Mean Time.FORMAT:date-time no dst_adjustset Set the date and time for the Array.FORMAT:date-time set [10:24 10/23/2007]timezone Configure the time zone.FORMAT:date-time timezone [-8]
Wi-Fi Array326 The Command Line Interfacedhcp-server The dhcp-server command [Xirrus_Wi-Fi_Array(config-dhcp-server)#] is used toadd, delete and modify DHCP pools.Command Descriptionadd Add a DHCP pool.FORMAT:dhcp-server add [dhcp pool]del Delete a DHCP pool.FORMAT:dhcp-server del [dhcp pool]edit Edit a DHCP poolFORMAT:dhcp-server edit [dhcp pool]reset Delete all DHCP pools.FORMAT:dhcp-server reset
Wi-Fi ArrayThe Command Line Interface 327dns The dns command [Xirrus_Wi-Fi_Array(config-dns)#] is used to configure yourDNS parameters.Command Descriptiondomain Enter your domain name.FORMAT:dns domain [www.mydomain.com]server1 Enter the IP address of the primary DNS server.FORMAT:dns server1 [1.2.3.4]server2 Enter the IP address of the secondary DNS server.FORMAT:dns server1 [2.3.4.5]server3 Enter the IP address of the tertiary DNS server.FORMAT:dns server1 [3.4.5.6]
Wi-Fi Array328 The Command Line Interfacefile The file command [Xirrus_Wi-Fi_Array(config-file)#] is used to manage files.Command Descriptionactive-image  Validate and commit a new array software image. backup-image  Validate and commit a new backup software image. check-image    Validate a new array software image. chkdsk         Check flash file system.copy Copy a file to another file.FORMAT:file copy [sourcefile destinationfile]dir List the contents of a directory.FORMAT:file dir [directory]erase Delete a file from the FLASH file system.FORMAT:file erase [filename]format         Format flash file system.ftp Open an FTP connection with a remote server. Files will be transferred in binary mode. FORMAT:file ftp host {<hostname> |<ip>} [port <port_#>] [user {anonymous | <username> password <passwd> } ] { put <source_file> [<dest_file>] | get <source_file> [<dest_file>] }Note: Any time you transfer any kind of software image file for the Array, it must be transferred in binary mode, or the file may be corrupted. list List the contents of a file.FORMAT:file list [filename]
Wi-Fi ArrayThe Command Line Interface 329remote-config When the Array boots up, it fetches the specified configuration file from the TFTP server defined in the file remote-server command, and uses this configuration. This must be an Array configuration file with a .conf extension. A partial configuration file may be used. For instance, if you wish to use a single configuration file for all of your Arrays but don't want to have the same IP address for each Array, you may remove the ipaddr line from the file. You can then load the file on each array and the local IP addresses will not change.FORMAT:file remote-config <config-file.conf> Note: If you enter file remote-config ?, the help response suggests possibilities by listing all of the configuration files that are currently in the Array’s flash.remote-image When the Array boots up, it fetches the named image file from the TFTP server defined in the file remote-server command, and upgrades to this file before booting. This must be an Array image file with a .bin extension.FORMAT:file remote-image <image-file.bin> Note: This will happen every time that the Array reboots. If you only want to fetch the remote-image one time be sure to turn off the remote image option after the initial download.remote-server Sets up a TFTP server to be used for automated remote update of software image and configuration files when rebooting. FORMAT:file remote-server A.B.C.D rename         Rename a file.scp            Copy a file to or from a remote system.Command Description
Wi-Fi Array330 The Command Line Interfacetftp Open a TFTP connection with a remote server.FORMAT:file tftp host {<hostname> |<ip>} [port <port_#>] [user {anonymous | <username> password <passwd> } ] { put <source_file> [<dest_file>] | get <source_file> [<dest_file>] }Note: Any time you transfer any kind of software image file for the Array, it must be transferred in binary mode, or the file may be corrupted. Command Description

Navigation menu