Cambium Networks XN12 Wireless LAN Array User Manual XN PDF
Xirrus, Inc. Wireless LAN Array XN PDF
Contents
- 1. Users Manual 1of5
- 2. Users Manual 2of5
- 3. Users Manual 3of5
- 4. Users Manual 4of5
- 5. Users Manual 5of5
- 6. A Pages 1 to 125 from ArrayGuide Rel4 SS Dec02 2008
- 7. B Pages 126 to 225 from ArrayGuide Rel 4 SS Dec02 2008
- 8. C Pages 226 to 350 from ArrayGuide Rel4 SS Dec02 2008
- 9. D Pages 351 to 496 from ArrayGuide Rel4 SS Dec02 2008 Small 5
- 10. XN Guide small 1 of 5 revised
Users Manual 3of5
Wi-Fi Array write privileges on the Array (i.e., the new user will be able to change the configuration of the Array). The default admin user is deleted. b. New Admin Password: If desired, enter a new administration password for managing this Array. Choose a password that is not obvious, and one that you can remember. If you forget your password, you must reset the Array to its factory defaults so that the password is reset to admin (its default setting). c. Confirm Admin Password: If you entered a new administration password, confirm the new password here. 10. Time and Date Settings: This section specifies an optional time (NTP Network Time Protocol) server or modifies the system time if you’re not using a server. a. Time Zone: Select your time zone from the choices available in the pull-down list. b. Auto Adjust Daylight Savings: If you are not using NTP, check this box if you want the system to adjust for daylight savings automatically, otherwise leave this box unchecked (default). c. Use Network Time Protocol: Check this box if you want to use an NTP server to synchronize the Array’s clock. This ensures that Syslog time-stamping is maintained across all units. Without an NTP server assigned (no universal clock), each Array will use its own internal clock and stamp times accordingly, which may result in discrepancies. If you check Yes, the NTP server fields are displayed. If you don’t want to use an NTP server, leave this box unchecked (default) and set the system time on the Array manually. d. NTP Primary Server: If you are using NTP, enter the IP address or domain name of the NTP server. e. 138 NTP Secondary Server: Enter the IP address or domain name of an optional secondary NTP server to be used in case the Array is unable to contact the primary server. Configuring the Wi-Fi Array Wi-Fi Array f. Set Time (hrs:min:sec): If you are not using NTP, check this box if you want to adjust the current system time. When the box is checked, the time fields become active. Enter the revised time (hours, minutes, seconds, am/pm) in the corresponding fields. If you don’t want to adjust the current time, this box should be left unchecked (default). g. Set Date (month/day/year): If you are not using NTP, check this box if you want to adjust the current system date. When the box is checked, the date fields become active. Enter the revised date (month, day and year) in the corresponding fields. If you don’t want to adjust the current date, this box should be left unchecked (default). 11. IAP Settings: Enable/Configure All IAPs: Click on the Execute button to enable and auto configure all IAPs (a message displays the countdown time—in seconds—to complete the auto-configuration task). When an IAP is enabled, its LED is switched on. LED on Figure 88. LEDs are Switched On 12. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. This ends the Express Setup procedure. Configuring the Wi-Fi Array 139 Wi-Fi Array Network This is a status only window that provides a snapshot of the configuration settings currently established for the 10/100 Ethernet 0 interface and the Gigabit 1 and Gigabit 2 interfaces. DNS Settings and CDP Settings (Cisco Discovery Protocol) are summarized as well. You must go to the appropriate configuration window to make changes to any of the settings displayed here (configuration changes cannot be made from this window). You can click on any item in the Interface column to “jump” to the associated configuration window. Figure 89. Network Interfaces WMI windows that allow you to change or view configuration settings associated with the network interfaces include: “Network Interfaces” on page 141 “DNS Settings” on page 148 “CDP Settings” on page 149 See Also DNS Settings Network Interfaces Network Status Windows Spanning Tree Status Network Statistics 140 Configuring the Wi-Fi Array Wi-Fi Array Network Interfaces This window allows you to establish configuration settings for the 10/100 Fast Ethernet interface and the Gigabit 1 and Gigabit 2 interfaces. Figure 90. Network Settings Gigabit 2 settings will “mirror” Gigabit 1 settings (except for MAC addresses) and cannot be configured separately. Configuring the Wi-Fi Array 141 Wi-Fi Array When finished making changes, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. Network Interface Ports The following diagram shows the location of each network interface port on the underside of the Array. Serial Fast Ethernet Gigabit 1 Gigabit 2 Figure 91. Network Interface Ports Procedure for Configuring the Network Interfaces Configure the Fast Ethernet and Gigabit 1 network interfaces (some Gigabit 2 settings cannot be configured separately and will mirror Gigabit 1). The fields for each of these interfaces are the same, and include: 1. 142 Enable Interface: Choose Yes to enable this network interface (Fast Ethernet, Gigabit 1 or Gigabit 2), or choose No to disable the interface. Configuring the Wi-Fi Array Wi-Fi Array 2. LED Indicator: Choose Enabled to allow the LED for this interface to blink with traffic on the port, or choose Disabled to turn the LED off. The LED will still light during the boot sequence, then turn off. This option is only available for the Gigabit interfaces. 3. Allow Management on Interface: Choose Yes to allow management of this Array via the selected network interface, or choose No to deny all management privileges for this interface. This option is only available for the Gigabit interfaces—management is always enabled on the 10/100 interface (sometimes called the Management Port). 4. Auto Negotiate: This feature allows the Array to negotiate the best transmission rates automatically. Choose Yes to enable this feature, or choose No to disable this feature—the default is enabled. If you disable the Auto Negotiate feature, you must define the Duplex and Speed options manually (otherwise these options are not available). a. Duplex: Data is transmitted in two directions simultaneously (for example, a telephone is a full-duplex device because both parties can talk and be heard at the same time). Half-duplex allows data transmission in one direction at a time only (for example, a walkietalkie is a half-duplex device. If the Auto-Negotiate feature is disabled, you can manually choose Half or Full duplex for your data transmission preference. b. Speed: If the Auto-Negotiate feature is disabled, you can manually choose the desired data transmission speed from the pull-down list. If configuring the Fast Ethernet interface the options are 10 Megabit or 100 Megabit. If configuring the Gigabit 1 or Gigabit 2 interfaces the options are 100 Megabit or Gigabit. 5. Port mode: Select the desired behavior for the gigabit Ethernet ports from the following options: a. Active Backup (gig1/gig2 failover to each other)—This mode provides fault tolerance and is the default mode. Gigabit 1 acts as the primary link. Gigabit2 is the backup link and is passive. Gigabit2 assumes the IP properties of Gigabit1. If Gigabit 1 fails the Array Configuring the Wi-Fi Array 143 Wi-Fi Array automatically fails over to Gigabit2. When a failover occurs in this mode, Gigabit2 issues gratuitous ARPs to allow it to substitute for Gigabit1 at Layer 3 as well as Layer 2. See Figure 92 (a). b. Aggregate Traffic from gig1 & gig2 using 802.3ad—The Array sends network traffic across both gigabit ports to increase link speed to the network. Both ports act as a single logical interface (trunk), using a load balancing algorithm to balance traffic across the ports. The destination IP address of a packet is used to determine its outgoing adapter. For non-IP traffic (such as ARP), the last byte of the destination MAC address is used to do the calculation. The network switch must also support 802.3ad. If a port fails, the trunk degrades gracefully—the other port still transmits. See Figure 92 (b). (a) Active backup Gig1 Gig2 Primary Link Secondary Link : carries all traffic if primary fails Switch (b) Aggregate using 802.3ad Gig1 Gig2 Links split traffic based on destination address , using 802.3ad link aggregation Destinations Switch Figure 92. Port Modes (a-b) c. 144 Bridge traffic between gig1 & gig2—Traffic received on Gigabit1 is transmitted by Gigabit2; similarly, traffic received on Gigabit2 is transmitted by Gigabit1. This allows the Array to act as a wired bridge and allows Arrays to be daisy-chained and still maintain wired connectivity. See Figure 93 (c). Configuring the Wi-Fi Array Wi-Fi Array d. Transmit Traffic on both gig1 & gig2—Transmits incoming traffic on both Gigabit1 and Gigabit2. Any traffic received on Gigabit1 or Gigabit2 is sent to the onboard processor. This mode provides fault tolerance. See Figure 93 (d). (c) Bridge traffic Gig1 Gig2 Gig1 (d) Transmit on both ports Gig2 Gig1 and Gig2 are bridged. Traffic received on either link is repeated to the other Gig1 Gig2 Received wireless traffic is sent to both links Traffic from either link is processed for transmission Switch Switch Figure 93. Port Modes (c-d) e. Load balance traffic between gig1 & gig2—This option provides trunking, similar to option (b)—Aggregate Traffic from gig1 & gig2 using 802.3ad, but it uses a different load balancing algorithm to determine the outgoing gigabit port. The outgoing port used is based on an exclusive OR of the source and destination MAC address. Like option (b), this mode also provides load balancing and fault tolerance. See Figure 94 (e). f. Mirror traffic on both gig1 & gig2—all traffic received on the Array is transmitted out both Gigabit1 and Gigabit2. All traffic received on Gigabit1 is passed on to the onboard processor as well as out Gigabit2. All traffic received on Gigabit2 is passed on to the onboard processor as well as out Gigabit1. This allows a network analyzer to be plugged into one port to capture traffic for troubleshooting, while Configuring the Wi-Fi Array 145 Wi-Fi Array the other port provides network connectivity for data traffic. See Figure 94 (f). (e) Load balance traffic Gig1 Gig2 Destinations Array load balances outgoing traffic based on source and destination address Switch (f) Mirror traffic Gig1 Gig2 Received wireless traffic is sent to both links Switch Network Analyzer Gig1 Gig2 Traffic from Gig 1 is processed for wireless transmission and copied to Gig 2 Switch Network Analyzer Gig1 Gig2 Traffic from Gig 2 is processed for wireless transmission and copied to Gig 1 Network Analyzer Switch Figure 94. Port Modes (e-f) 146 Configuring the Wi-Fi Array Wi-Fi Array 6. Configuration Server Protocol: Choose DHCP to instruct the Array to use DHCP when assigning IP addresses to the Array, or choose Static IP if you intend to enter IP addresses manually. If you select the Static IP option you must specify the IP address, IP subnet mask and default gateway. a. IP Address: If you selected the Static IP option, enter a valid IP address for the Array. To use any of the remote connections (Web, SNMP, or SSH), a valid IP address must be established. b. IP Subnet Mask: If you selected the Static IP option, enter a valid IP address for the subnet mask (the default for Class C is 255.255.255.0). The subnet mask defines the number of IP addresses that are available on the routed subnet where the Array is located. c. Default Gateway: If you selected the Static IP option, enter a valid IP address for the default gateway. This is the IP address of the router that the Array uses to transmit data to other networks. 7. Static Route (IP Address/Mask): (Fast Ethernet port only) The 10⁄100 Ethernet Port may be used for managing the Array out of band from the Gigabit Ethernet ports. The 10⁄100 port will route only management traffic, using a static route that may be configured using this field. 8. When done configuring all interfaces as desired, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also DNS Settings Network Network Statistics Spanning Tree Status Configuring the Wi-Fi Array 147 Wi-Fi Array DNS Settings This window allows you to establish your DNS (Domain Name System) settings. At least one DNS server must be set up if you want to offer clients associating with the Array the ability to use meaningful host names instead of numerical IP addresses. When finished, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. Figure 95. DNS Settings Procedure for Configuring DNS Servers 1. DNS Host Name: Enter a valid DNS host name. 2. DNS Domain: Enter the DNS domain name. 3. DNS Server 1: Enter the IP address of the primary DNS server. 4. DNS Server 2 and DNS Server 3: Enter the IP address of the secondary and tertiary DNS servers (if required). 5. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also Network Network Interfaces Network Statistics Spanning Tree Status 148 Configuring the Wi-Fi Array Wi-Fi Array CDP Settings CDP (Cisco Discovery Protocol) is a layer 2 network protocol used to share information (such as the device manufacturer and model, network capabilities, and IP address) with other directly connected network devices. Wi-Fi Arrays can both advertise their presence by sending CDP announcements, and gather and display information sent by neighbors (see “CDP Neighbors” on page 103). This window allows you to establish your CDP settings. When finished, click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. Figure 96. CDP Settings Procedure for Configuring CDP Settings 1. Enable CDP: When CDP is enabled, the Array sends out CDP announcements of the Array’s presence, and gathers CDP data sent by neighbors. When disabled, it does neither. CDP is enabled by default. 2. CDP Interval: The Array sends out CDP announcements advertising its presence at this interval. The default is 60 seconds. 3. CDP Hold Time: CDP information received from neighbors is retained for this period of time before aging out of the Array’s neighbor list. Thus, if a neighbor stops sending announcements, it will no longer appear on the CDP Neighbors window after CDP Hold Time seconds from its last announcement. The default is 180 seconds. Configuring the Wi-Fi Array 149 Wi-Fi Array See Also CDP Neighbors Network Network Interfaces Network Statistics 150 Configuring the Wi-Fi Array Wi-Fi Array Services This is a status only window that allows you to review the current settings and status for services on the Array, including DHCP, SNMP, Syslog, and Network Time Protocol (NTP) services. For example, for the DHCP server, it shows each DHCP pool name, whether the pool is enabled, the IP address range, the gateway address, lease times, and the DNS domain being used. There are no configuration options available in this window, but if you are experiencing issues with network services, you may want to print this window for your records. Figure 97. Services The following sections discuss configuring services on the Array: “Time Settings (NTP)” on page 152 “System Log” on page 154 “SNMP” on page 157 “DHCP Server” on page 158 Configuring the Wi-Fi Array 151 Wi-Fi Array Time Settings (NTP) This window allows you to manage the Array’s time settings, including synchronizing the Array’s clock with a universal clock from an NTP (Network Time Protocol) server. Synchronizing the Array’s clock with an NTP server ensures that Syslog time-stamping is maintained across all units. Figure 98. Time Settings (Manual Time) Procedure for Managing the Time Settings 1. Time Zone: Select the time zone you want to use (normally your local time zone) from the pull-down list. 2. Auto Adjust Daylight Savings: Check this box if you want the system to adjust for daylight savings automatically, otherwise leave this box unchecked (default). 3. Use Network Time Protocol: select whether to set time manually or use NTP to manage system time. 4. Setting Time Manually a. 152 Adjust Time (hrs:min:sec): If you are not using NTP, check this box if you want to adjust the current system time. When the box is checked, the time fields become active. Enter the revised time (hours, minutes, seconds, am/pm) in the corresponding fields. If you don’t want to adjust the current time, this box should be left unchecked (default). Configuring the Wi-Fi Array Wi-Fi Array b. Adjust Date (month/day/year): If you are not using NTP, check this box if you want to adjust the current system date. When the box is checked, the date fields become active. Enter the revised date (month, day and year) in the corresponding fields. If you don’t want to adjust the current date, this box should be left unchecked (default). 5. Using an NTP Server a. NTP Primary Server: If you are using NTP, enter the IP address or domain name of the NTP server. Figure 99. Time Settings (NTP Time Enabled) b. NTP Secondary Server: Enter the IP address or domain name of an optional secondary NTP server to be used in case the Array is unable to contact the primary server. 6. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also Services SNMP System Log Configuring the Wi-Fi Array 153 Wi-Fi Array System Log This window allows you to enable or disable the Syslog server, define a primary and secondary server, set up email notification, and set the level for Syslog reporting for each of the servers and for email notification—the Syslog service will send Syslog messages that are at the selected severity or above to the defined Syslog servers and email address. Figure 100. System Log Procedure for Configuring Syslog 154 1. Enable Syslog Server: Choose Yes to enable Syslog functionality, or choose No to disable this feature. 2. Console Logging: If you enabled Syslog, select whether or not to echo Syslog messages to the console as they occur. If you enable console logging, be sure to set the Console Logging level (see Step 7 below). 3. Local File Size (1-500): Enter a value in this field to define how many Syslog records are retained locally on the Array’s internal Syslog file. The default is 500. Configuring the Wi-Fi Array Wi-Fi Array 4. Primary Server Address (Domain or IP): If you enabled Syslog, enter the domain name or IP address of the primary Syslog server. 5. Secondary Server Address (Domain or IP): If you enabled Syslog, you may enter the domain name or IP address of another Syslog server to which messages will also be sent. (Optional) 6. Email Notification: The following parameters allow you to send an email to a designated address each time a Syslog message is generated. The email will include the text of the Syslog message. a. Email SMTP Address (Domain or IP): The domain name or the IP address of the SMTP server to be used for sending the email. Note that this specifies the mail server, not the email recipient. b. Email SMTP User/Email SMTP Password: Specify a user name and password for logging in to an account on the mail server designated in Step a. c. Email SMTP From: Specify the “From” email address to be displayed in the email. d. Email SMTP To: Specify the entire email address of the recipient of the email notification. 7. Syslog Levels: For each of the Syslog destinations, choose your preferred level of Syslog reporting from the pull-down list. Messages with criticality at the selected level and above will be shown. The default level varies depending on the destination. a. Console Logging: For messages to be echoed to the console, the default level is Critical and more serious. This prevents large numbers of non-critical messages from being displayed on the console. If you set this level too low, the volume of messages may make it very difficult to work with the CLI or view other output on the console. b. Local File: For records to be stored on the Array’s internal Syslog file, choose your preferred level of Syslog reporting from the pull-down list. The default level is Debugging and more serious. Configuring the Wi-Fi Array 155 Wi-Fi Array c. Primary Server: Choose the preferred level of Syslog reporting for the primary server. The default level is Debugging and more serious. d. Secondary Server: Choose the preferred level of reporting for the secondary server. The default level is Information and more serious. (Optional) e. 8. Email SMTP Server: Choose the preferred level of Syslog reporting for the email notifications. The default level is Warning and more serious. This prevents you mailbox from being filed up with a large number of less severe messages such as informational messages. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also System Log Window Services SNMP Time Settings (NTP) 156 Configuring the Wi-Fi Array Wi-Fi Array SNMP This window allows you to enable or disable SNMP and define the SNMP parameters. SNMP allows remote management of the Array by the Xirrus Management System (XMS). NOTE: If you are managing your Arrays with XMS (the Xirrus Management System), it is very important to use the correct Read-Write Community String for proper operation of XMS with the Array. Both XMS and the Array must have the same value for this string. Figure 101. SNMP Procedure for Configuring SNMP 1. Enable SNMP: Choose Yes to enable SNMP functionality, or choose No to disable this feature. When used in conjunction with the Xirrus Management System, SNMP must be enabled on each Array. The default for this feature is Yes (enabled). 2. SNMP Read-Only Community String: Enter the read-only community string. The default is xirrus_read_only. 3. SNMP Read-Write Community String: Enter the read-write community string. The default is xirrus. 4. SNMP Trap Host IP Address: Enter the IP address of an SNMP management station that is to receive SNMP traps. You may specify up to four hosts that are to receive traps. Configuring the Wi-Fi Array 157 Wi-Fi Array 5. SNMP Trap Port: Enter the trap port for each trap host that you entered. The default is port 162. 6. Send Auth Failure Traps: Choose Yes to log authentication failure traps or No to disable this feature. 7. Click on the Apply button to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also Services System Log Time Settings (NTP) DHCP Server This window allows you to create, modify and delete DHCP (Dynamic Host Configuration Protocol) pools and enable or disable DHCP server functionality. DHCP allows the Array to provide wireless clients with IP addresses and other networking information. The DHCP server will not provide DHCP services to the wired side of the network. If you enable the DHCP server, you need to define the DHCP lease time (default and maximum) and establish the IP address range that the DHCP server can use. Figure 102. DHCP Management 158 Configuring the Wi-Fi Array Wi-Fi Array Procedure for Configuring the DHCP Server 1. New Internal DHCP Pool: Enter a name for the new DHCP pool, then click on the Create button. The new pool ID is added to the list of available DHCP pools. 2. On: Click this checkbox to make this pool of addresses available, or clear it to disable the pool. 3. Lease Time—Default: This field defines the default DHCP lease time (in seconds). The factory default is 300 seconds, but you can change the default at any time. 4. Lease Time—Max: Enter a value (in seconds) to define the maximum allowable DHCP lease time. The default is 300 seconds. 5. Network Address Translation (NAT): Check this box to enable the Network Address Translation feature. 6. Lease IP Range—Start: Enter an IP address to define the start of the IP range that will be used by the DHCP server. The default is 192.168.1.100. 7. Lease IP Range—End: Enter an IP address to define the end of the IP range that will be used by the DHCP server. The DHCP server will only use IP addresses that fall between the start and end range that you define on this page. The default is 192.168.1.200. 8. Subnet Mask: Enter the subnet mask for this IP range for the DHCP server. The default is 255.255.255.0. 9. Gateway: If necessary, enter the IP address of the gateway. 10. Domain: Enter the DNS domain name. See also, “DNS Settings” on page 148. 11. DNS Servers (1 to 3): Enter the IP address of the primary DNS server, secondary DNS server and tertiary DNS server. See also, “DNS Settings” on page 148. 12. Click Apply to apply the new settings to this session, or click Save to apply your changes and make them permanent. Configuring the Wi-Fi Array 159 Wi-Fi Array See Also DHCP Leases DNS Settings Network Map 160 Configuring the Wi-Fi Array Wi-Fi Array VLANs This is a status only window that allows you to review the current status of assigned VLANs. A VLAN (Virtual LAN) is comprised of a group of devices that communicate as a single network, even though they are physically located on different LAN segments. Because VLANs are based on logical rather than physical connections, they are extremely flexible. A device that is moved to another location can remain on the same VLAN without any hardware reconfiguration. In addition to listing all VLANs, this window shows your settings for the Default Route VLAN and the Native (Untagged) VLAN (Step 1 page 162). Figure 103. VLANs Configuring the Wi-Fi Array 161 Wi-Fi Array VLAN Management This window allows you to assign and configure VLANs. After creating a new VLAN (added to the list of VLANs), you can modify the configuration parameters of an existing VLAN or delete a selected VLAN. Figure 104. VLAN Management The Wi-Fi Array supports dynamic VLAN assignments specified by RADIUS policy settings. When RADIUS sends these assignments, the Array dynamically assigns wireless stations to VLANs as requested. VLAN tags on traffic are passed through the Array (i.e., VLAN tags are not stripped). Once a station has been dynamically moved to a new VLAN, it will be shown in the Stations window as a member of the new VLAN. (Figure 67 on page 112) It is critical to configure all VLANs to be used on the Array, even those that will be dynamically assigned. Procedure for Managing VLANs 1. 162 Default route: This option allows you to choose a default VLAN route from the pull-down list. When you click Apply the VLAN you choose will appear in the corresponding VLAN Number field. The IP Gateway must be established for this function to work. Configuring the Wi-Fi Array Wi-Fi Array 2. Native VLAN: This option allows you to choose the Native VLAN from the pull-down list. When you click Apply the VLAN you choose will appear in the corresponding VLAN Number field. 3. New VLAN Name/Number: Enter a name and number for the new VLAN in this field, then click on the Create button. The new VLAN is added to the list. 4. VLAN Number: Enter a number for this VLAN (1-4095). 5. Management: Check this box if you want to allow management over this VLAN. 6. DHCP: Check this box if you want the DHCP server to assign the IP address, subnet mask and gateway address to the VLAN automatically, otherwise you must go to the next step and assign these parameters manually. 7. IP Address: If the DHCP option is disabled, enter a valid IP address for this VLAN association. 8. Subnet Mask: If the DHCP option is disabled, enter the subnet mask IP address for this VLAN association. 9. Gateway: If the DHCP option is disabled, enter the IP gateway address for this VLAN association. 10. Delete: To delete the selected VLAN, simply click the Delete button to remove the VLAN from the list. 11. Click Apply to apply the new settings to this session, or click Save to apply your changes and make them permanent. See Also VLAN Statistics VLANs Configuring the Wi-Fi Array 163 Wi-Fi Array Security This status- only window allows you to review the Array’s security parameters. It includes the assigned network administration accounts, Access Control List (ACL) values, management settings, encryption and authentication protocol settings, and RADIUS configuration settings. There are no configuration options available in this window, but if you are experiencing issues with security, you may want to print this window for your records. Figure 105. Security For additional information about wireless network security, refer to: “Security Planning” on page 42 “Understanding Security” on page 165 The Security section of “Frequently Asked Questions” on page 334. Security settings are configured with the following windows: 164 “Admin Management” on page 168 “Management Control” on page 169 “Access Control List” on page 172 “Global Settings” on page 174 Configuring the Wi-Fi Array Wi-Fi Array “External Radius” on page 177 “Internal Radius” on page 180 “Rogue Control List” on page 182 Understanding Security The Xirrus Wi-Fi Array incorporates many configurable security features. After initially installing an Array, always change the default administrator password (the default is admin), and choose a strong replacement password (containing letters, numbers and special characters). See also, “Character Restrictions” on page 89. When appropriate, issue read only administrator accounts. Other security considerations include: SSH versus Telnet: Be aware that Telnet is not secure over network connections and should be used only with a direct serial port connection. When connecting to the unit’s Command Line Interface over a network connection, you must use a Secure SHell (SSH) utility. The most commonly used freeware providing SSH tools is PuTTY. Configuration auditing: The optional Xirrus Management System (XMS) offers powerful management features for small or large Xirrus Wi-Fi deployments, and can audit your configuration settings automatically. In addition, using the XMS eliminates the need for an FTP server. Choosing an encryption method: Wireless data encryption prevents eavesdropping on data being transmitted or received over the airwaves. The Array allows you to establish the following data encryption configuration options: • Open—this option offers no data encryption and is not recommended, though you might choose this option if clients are required to use a VPN connection through a secure SSH utility, like PuTTy. • WEP (Wired Equivalent Privacy)—this option provides minimal protection (though much better than using an open network). An early standard for wireless data encryption and supported by all Configuring the Wi-Fi Array 165 Wi-Fi Array Wi-Fi certified equipment, WEP is vulnerable to hacking and is therefore not recommended for use by Enterprise networks. • WPA (Wi-Fi Protected Access) and WPA2—these are much stronger encryption modes than WEP, using TKIP (Temporal Key Integrity Protocol) or AES (Advanced Encryption Standard) to encrypt data. WPA solves security issues with WEP. It also allows you to establish encryption keys on a per-user-basis, with key rotation for added security. In addition, TKIP provides Message Integrity Check (MIC) functionality and prevents active attacks on the wireless network. AES is the strongest encryption standard and is used by government agencies; however, old legacy hardware may not be capable of supporting the AES mode (it probably won’t work on older wireless clients). Because AES is the strongest encryption standard currently available, WPA2 with AES is highly recommended for Enterprise networks. Any of the above encryption methods can be used and an Array can support multiple encryption methods simultaneously, but only one method may be selected per SSID (except that selecting WPA-Both allows WPA and WPA2 to be used at the same time on the same SSID). Otherwise, if multiple security methods are needed, you must define multiple SSIDs. The encryption mode (WEP, WPA, etc.) is selected in the SSIDs >SSID Management window (see “SSID Management” on page 189). The encryption standard used with WPA or WPA2 (AES or TKIP) is selected in the Security>Global Settings window under WPA Settings (see “Global Settings” on page 174). 166 Choosing an authentication method: User authentication ensures that users are who they say they are. For this purpose, the Array allows you to choose between the following user authentication methods: Configuring the Wi-Fi Array
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.7 Linearized : No Tagged PDF : Yes XMP Toolkit : Adobe XMP Core 4.0-c316 44.253921, Sun Oct 01 2006 17:14:39 Modify Date : 2008:06:18 10:56:26-07:00 Create Date : 2008:06:18 10:56:09-07:00 Metadata Date : 2008:06:18 10:56:26-07:00 Creator Tool : FrameMaker 7.1 Format : application/pdf Title : XN_PDF.book Creator : daves Document ID : uuid:c8c8890e-6e6a-49a7-91f5-97cd5d3a8bd5 Instance ID : uuid:7f2ae08c-a4c3-4554-9ebe-8bb97dab9f83 Producer : Acrobat Distiller 8.1.0 (Windows) Has XFA : No Page Count : 29 Author : davesEXIF Metadata provided by EXIF.tools