Chantry Networks APXXX1 HiPATH WIRELESS ACCESS POINT (AP) User Manual USERS MANUAL 1

Chantry Networks Inc. (a Siemens Company) HiPATH WIRELESS ACCESS POINT (AP) USERS MANUAL 1

USERS MANUAL 1

HiPath Wireless
Controller, Access Points and
Convergence Software, V4
C2400 User Guide
*1PA31003-W1040-U103-1-7619*
1P A31003-W1040-U103-1-7619
The information provided in this document contains merely general descriptions or
characteristics of performance which in case of actual use do not always apply as
described or which may change as a result of further development of the products.
An obligation to provide the respective characteristics shall only exist if expressly
agreed in the terms of contract. The trademarks used are owned by
Siemens Enterprise Communications GmbH & Co. KG or their respective owners.
Warning
Hackers who unlawfully gain access to customer telecommunications systems are criminals.
Currently, we do not know of any telecommunications system that is immune to this type of
criminal activity. Siemens Enterprise Communications GmbH & Co. KG will not accept liability
for any damages which result from unauthorized use. Although Siemens has designed
security features into its products, it is your sole responsibility to use the security features and
to establish security practices within your company, including training, security awareness,
and call auditing.
Siemens sales and service personnel, as well as Siemens business partners, are available
to work with you to help you guard against this unauthorized use of your telecommunications
system.
December 2006
No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in
any form or by any means, mechanical, electronic, photocopying, recording, or otherwise,
without prior written permission of Siemens. The software described in this publication is
furnished under a license agreement and may be used only in accordance with the terms of
that agreement.
Request Siemens publications from your Siemens representative or the Siemens branch
serving you.
Copyright © 2006 Siemens Enterprise Communications GmbH & Co. KG. All rights reserved.
© 2006 Siemens Enterprise Communications GmbH & Co. KG,
Hofmannstraße 51, D-81359 München, Germany
Reference No.: A31003-W1040-U103-1-7619
Subject to availability. Right of modification reserved.
hwc1000_user_guidetoc.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 3
Nur für den internen Gebrauch Content
Content 0
1 About this Guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.1 Who should use this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.2 What is in this guide. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.3 Formatting conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.4 Documentation feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.5 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
1.6 Sicherheitshinweise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
1.7 Consignes de sécurité . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
2 Regulatory information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1 HiPath Wireless Controller C2400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
2.2 AP2610 Internal Antenna AP, AP2620 External Antenna AP . . . . . . . . . . . . . . . . . . . . 19
2.2.1 United States - FCC Declaration of Conformity Statement . . . . . . . . . . . . . . . . . . . 20
2.2.1.1 FCC RF Radiation Exposure Statement. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
2.2.1.2 Optional 3rd Party External Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
2.2.2 Canada - Department of Communications Compliance Statement. . . . . . . . . . . . . 28
2.2.2.1 Optional 3rd Party External Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
2.2.3 European Community . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
2.2.3.1 Declaration of Conformity in Languages of the European Community. . . . . . . 36
2.2.3.2 Optional 3rd Party External Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
2.2.3.3 Conditions of Use in the European Community . . . . . . . . . . . . . . . . . . . . . . . . 44
2.2.4 Certifications of Other Countries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
2.3 Country support list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3 Overview of the Controller, Access Points and Convergence Software solution . . 53
3.1 Conventional wireless LANS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
3.2 Elements of the Controller, Access Points and Convergence Software solution. . . . . . 55
3.3 Controller, Access Points and Convergence Software and your network . . . . . . . . . . . 59
3.3.1 Network traffic flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.3.2 Network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
3.3.2.1 Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.2.2 Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
3.3.3 Virtual Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.4 Static routing and routing protocols. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
3.3.5 Packet filtering policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.3.6 Mobility and roaming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
3.3.7 Network availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.3.8 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
3.4 System Configuration Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
4 Configuring the HiPath Wireless Controller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.1 System configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Content Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
4HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guidetoc.fm
4.2 Performing the first-time setup of the HiPath Wireless Controller. . . . . . . . . . . . . . . . . 72
4.2.1 Accessing the HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
4.2.1.1 Changing the administrator password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.2 Connecting the HiPath Wireless Controller to your enterprise network . . . . . . . . . 77
4.2.3 Applying the product license key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
4.2.4 Setting up the data ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
4.2.5 Setting up static routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
4.2.6 Setting up OSPF Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.7 Filtering at the interface level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.2.8 Built-in port-based exception filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
4.2.9 User defined port-based exception filters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.3 Completing the system configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
4.4 Ongoing Operations of the Controller, Access Points and Convergence Software . . . 92
5 Configuring the Wireless AP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.1 Wireless AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
5.2 Discovery and registration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.2.1 Wireless AP discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
5.2.2 Registration after discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2.2.1 Default Wireless AP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.2.3 Understanding the Wireless AP LED status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
5.3 Configuring the Wireless APs for the first time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
5.3.1 Defining properties for the discovery process . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5.3.2 Connecting the Wireless AP to a power source and initiating the discovery and regis-
tration process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.4 Adding and registering a Wireless AP manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
5.5 Modifying Wireless AP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.5.1 Modifying a Wireless AP’s status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.5.2 Configuring the default AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.5.3 Modifying a Wireless AP’s properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.5.4 Modifying the Wireless AP’s radio properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
5.5.5 Setting up the Wireless AP using static configuration . . . . . . . . . . . . . . . . . . . . . 120
5.6 Configuring Dynamic Radio Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
5.7 Modifying a Wireless AP’s properties based on a default AP configuration . . . . . . . . 125
5.8 Modifying the Wireless AP’s default setting using the Copy to Defaults feature. . . . . 126
5.9 Configuring APs simultaneously . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
5.10 Configuring an AP as a sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
5.11 Performing Wireless AP software maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
6 Virtual Network Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
6.1 VNS overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
6.2 Setting up a VNS checklist . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
6.3 Topology of a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
6.4 RF assignment for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
6.5 Authentication for a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
hwc1000_user_guidetoc.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 5
Nur für den internen Gebrauch Content
6.5.1 Authentication with SSID network assignment . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
6.5.2 Authentication with AAA (802.1x) network assignment. . . . . . . . . . . . . . . . . . . . . 140
6.6 Filtering for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
6.6.1 Final filter rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.6.2 Filtering sequence. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
6.7 Data protection on a VNS—WEP and WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.8 VNS global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.9 Setting up a new VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
7 Virtual Network configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
7.1 Topology for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
7.1.1 Configuring topology for a VNS for Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . 151
7.1.1.1 Defining session timeout parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
7.1.1.2 Enabling management traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.1.1.3 Enabling third-party APs on a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
7.1.1.4 Defining a next hop route and OSPF advertisement for a VNS . . . . . . . . . . . 154
7.1.1.5 Defining the IP address for the VNS (for the DHCP server on the controller) 154
7.1.1.6 Modifying time limits for IP assignments. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
7.1.1.7 Setting the name server configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.1.1.8 Using a DHCP relay for the VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.1.2 Configuring topology for a VNS for AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
7.1.3 Saving your topology properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.2 Assigning Wireless AP radios to a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.3 Authentication for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.3.1 Vendor Specific Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.3.2 Defining authentication for a VNS for Captive Portal . . . . . . . . . . . . . . . . . . . . . . 163
7.3.2.1 Defining the RADIUS server priority for RADIUS redundancy . . . . . . . . . . . . 166
7.3.2.2 Configuring Captive Portal for internal or external authentication . . . . . . . . . 168
7.3.3 Defining authentication for a VNS for AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
7.3.4 Defining MAC-based authentication for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
7.4 Defining accounting methods for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
7.5 Defining RADIUS filter policy for VNSs and VNS groups . . . . . . . . . . . . . . . . . . . . . . 177
7.6 Configuring filtering rules for a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.6.1 Filtering rules for an exception filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
7.6.2 Defining non-authenticated filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
7.6.2.1 Non-authenticated filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
7.6.3 Filtering rules for a filter ID group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
7.6.3.1 Filtering rules by filter ID examples. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
7.6.4 Filtering rules for a default filter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
7.6.4.1 Default filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
7.6.4.2 Filtering rules for an AAA child group VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . 190
7.6.4.3 Filtering rules between two wireless devices . . . . . . . . . . . . . . . . . . . . . . . . . 190
7.7 Enabling multicast for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
7.8 Configuring privacy for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
7.8.1 Privacy for a VNS for Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Content Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
6HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guidetoc.fm
7.8.2 Privacy for a VNS for AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
7.8.2.1 Dynamic WEP privacy for an AAA VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
7.8.2.2 Wi-Fi Protected Access (WPA v1 and WPA v2) Privacy for an AAA VNS. . . 198
7.9 Defining a VNS with no authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
7.10 Defining priority level and service class for VNS traffic. . . . . . . . . . . . . . . . . . . . . . . 202
7.10.1 Defining the service class for the VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
7.10.2 Configuring the priority override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.11 Working with Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.11.1 QoS modes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
7.12 Configuring the QoS policy on a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
7.13 Bridging traffic locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8 Availability, mobility, and controller functionality . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.1 Availability overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
8.1.1 Availability prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.1.2 Viewing the Wireless AP availability display. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
8.1.3 Viewing SLP activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
8.1.4 Events and actions during a failover. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
8.2 Mobility manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
8.2.1 Displays for the mobility manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
8.3 Defining management users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
8.4 Configuring network time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
8.5 Configuring Check Point event logging. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
8.5.1 ELA Management Station events. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
8.6 Enabling SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
8.6.1 MIB support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
8.6.2 Enabling SNMP on the HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . 233
8.7 Using controller utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
8.8 Configuring Web session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
9 Working with third-party APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
10 Working with the Mitigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
10.1 Mitigator overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
10.2 Enabling the Analysis and data collector engines. . . . . . . . . . . . . . . . . . . . . . . . . . . 242
10.3 Running Mitigator scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
10.4 Analysis engine overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
10.5 Working with Mitigator scan results. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
10.6 Working with friendly APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
10.7 Viewing the Mitigator list of third-party APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
10.8 Maintaining the Mitigator list of APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
10.9 Viewing the Scanner Status report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
11 Working with reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
11.1 Viewing the displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
11.1.1 Viewing the Wireless AP availability display. . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
11.1.2 Viewing statistics for Wireless APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
hwc1000_user_guidetoc.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 7
Nur für den internen Gebrauch Content
11.1.3 Viewing displays for the mobility manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
11.2 Viewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
12 Performing system maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.1 Performing Wireless AP client management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.1.1 Disassociating a client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
12.1.2 Blacklisting a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
12.2 Resetting the AP to its factory default settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
12.3 Performing system maintenance tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
12.4 Performing HiPath Wireless Controller software maintenance . . . . . . . . . . . . . . . . . 278
12.4.1 Updating HiPath Wireless Controller software . . . . . . . . . . . . . . . . . . . . . . . . . . 278
12.4.2 Updating operating system software. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
12.4.3 Backing up HiPath Wireless Controller software. . . . . . . . . . . . . . . . . . . . . . . . . 282
12.4.4 Restoring HiPath Wireless Controller software . . . . . . . . . . . . . . . . . . . . . . . . . . 286
12.4.5 Upgrading a HiPath Wireless Controller using SFTP . . . . . . . . . . . . . . . . . . . . . 288
12.4.6 Configuring the HiPath Wireless Controller for interaction with the HiPath Wireless
Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
12.4.7 Configuring Controller, Access Points and Convergence Software logs and traces. .
291
12.4.8 Viewing log, alarm and trace messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
12.4.8.1 Logs including alarms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
13 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
13.1 Networking terms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
13.2 Controller, Access Points and Convergence Software terms and abbreviations. . . . 318
A System states and LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321
Content Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
8HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guidetoc.fm
hwc_pref.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 9
About this Guide
Who should use this guide
1 About this Guide
This guide describes how to install, configure, and manage the Controller, Access Points and
Convergence Software software. This guide is also available as an online help system.
To access the online help system:
1. In the HiPath Wireless Assistant Main Menu bar, click Help. The About HiPath Wireless
Assistant screen is displayed.
2. In the left pane, click Controller Documentation. The online help system is launched.
1.1 Who should use this guide
This guide is a reference for system administrators who install and manage the HiPath Wireless
Controller, Access Points and Convergence Software system.
Any administrator performing tasks described in this guide must have an account with full
administrative privileges.
1.2 What is in this guide
This guide contains the following:
Chapter 1, “About this Guide”, describes the target audience and content of the guide, the
formatting conventions used in it, and how to provide feedback on the guide.
Chapter 2, “Regulatory information”, provides the regulatory information for the HiPath
C2400 Wireless LAN Controllers and the AP2610 and AP2620 Wireless Access Points
(APs).
Chapter 3, “Overview of the Controller, Access Points and Convergence Software
solution”, provides an overview of the product, its features and functionality.
Chapter 4, “Configuring the HiPath Wireless Controller”, describes how to perform the
installation, first-time setup and configuration of the HiPath Wireless Controller, as well as
configuring the data ports and defining routing.
Chapter 5, “Configuring the Wireless AP”, describes how to install the Wireless AP, how it
discovers and registers with the HiPath Wireless Controller, how to view and modify the
radio configuration, and how to enable Dynamic Radio Frequency Management.
Chapter 6, “Virtual Network Services”, provides an overview of Virtual Network Services
(VNS), the mechanism by which the HiPath Wireless Controller, Access Points and
Convergence Software controls and manages network access.
About this Guide
A31003-W1040-U103-1-7619, Draft February 2007
10 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_pref.fm
Formatting conventions
Chapter 7, “Virtual Network configuration”, provides detailed instructions in how to
configure a VNS, its topology, authentication, accounting, RADIUS policy, multicast,
filtering and privacy. Both Captive Portal and AAA types of VNS are described.
Chapter 8, “Availability, mobility, and controller functionality”, describes how to set up the
features that provide availability in the event of a controller failover, and mobility for a
wireless device user.
Chapter 9, “Working with third-party APs”, describes how to use the Controller, Access
Points and Convergence Software features with third-party wireless access points.
Chapter 10, “Working with the Mitigator”, explains the security tool that scans for, detects
and reports on rogue APs.
Chapter 12, “Performing system maintenance”, describes maintenance activities, such as
software upgrades on both the HiPath Wireless Controller and the Wireless AP. This
chapter also includes information on the logs, traces, reports and displays available.
Chapter 13, “Glossary”, contains a list of terms and definitions for the HiPath Wireless
Controller and the Wireless AP as well as standard industry terms used in this guide.
Appendix A, “System states and LEDs”, provides a reference on the LED displays and their
significance.
1.3 Formatting conventions
The HiPath Wireless Controller, Access Points and Convergence Software documentation uses
the following formatting conventions to make it easier to find information and follow procedures:
Bold text is used to identify components of the management interface, such as menu items
and section of pages, as well as the names of buttons and text boxes.
For example: Click Logout.
Monospace font is used in code examples and to indicate text that you type.
For example: Type https://<hwc-address>[:mgmt-port>]
The following symbols are used to draw your attention to additional information:
>Notes identify useful information that is not essential, such as reminders, tips, or
other ways to perform a task.
7Warnings identify information that is essential. Ignoring a warning can adversely
affect the operation of your equipment or software.
hwc_pref.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 11
About this Guide
Documentation feedback
1.4 Documentation feedback
If you have any problems using this document, please contact your next level of support:
Siemens employees should contact the interactive Customer Engagement Team (i-CET).
Customers should contact the Siemens Customer Support Center.
When you call, please have the following information ready. This will help us to identify the
document that you are referring to.
Title: HiPath Wireless Controller, Access Points and Convergence Software V4 C2400
User Guide
Part Number: A31003-W1040-U103-1-7619
1.5 Safety Information
Dangers
Replace the power cable immediately if it shows any sign of damage.
Replace any damaged safety equipment (covers, labels and protective cables)
immediately.
Use only original accessories or components approved for the system. Failure to observe
these instructions may damage the equipment or even violate safety and EMC regulations.
Only authorized Siemens service personnel are permitted to service the system.
Warnings
This device must not be connected to a LAN segment with outdoor wiring.
Ensure that all cables are run correctly to avoid strain.
Replace the power supply adapter immediately if it shows any sign of damage.
Disconnect all power before working near power supplies unless otherwise instructed by a
maintenance procedure.
Exercise caution when servicing hot swappable HiPath Wireless Controller components:
power supplies or fans. Rotating fans can cause serious personal injury.
This unit may have more than one power supply cord. To avoid electrical shock, disconnect
all power supply cords before servicing. In the case of unit failure of one of the power
supply modules, the module can be replaced without interruption of power to the HiPath
Wireless Controller. However, this procedure must be carried out with caution. Wear gloves
to avoid contact with the module, which will be extremely hot.
About this Guide
A31003-W1040-U103-1-7619, Draft February 2007
12 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_pref.fm
Sicherheitshinweise
There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery
must be replaced only by an identical battery or one recommended by the manufacturer.
Always dispose of lithium batteries properly.
Do not attempt to lift objects that you think are too heavy for you.
Cautions
Check the nominal voltage set for the equipment (operating instructions and type plate).
High voltages capable of causing shock are used in this equipment. Exercise caution when
measuring high voltages and when servicing cards, panels, and boards while the system
is powered on.
Only use tools and equipment that are in perfect condition. Do not use equipment with
visible damage.
To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any
work on hardware.
Lay cables so as to prevent any risk of them being damaged or causing accidents, such as
tripping.
1.6 Sicherheitshinweise
Gefahrenhinweise
Sollte das Netzkabel Anzeichen von Beschädigungen aufweisen, tauschen Sie es sofort
aus.
Tauschen Sie beschädigte Sicherheitsausrüstungen (Abdeckungen, Typenschilder und
Schutzkabel) sofort aus.
Verwenden Sie ausschließlich Originalzubehör oder systemspezifisch zugelassene
Komponenten. Die Nichtbeachtung dieser Hinweise kann zur Beschädigung der
Ausrüstung oder zur Verletzung von Sicherheits- und EMV-Vorschriften führen.
Das System darf nur von autorisiertem Siemens-Servicepersonal gewartet werden.
Warnhinweise
Dieses Gerät darf nicht über Außenverdrahtung an ein LAN-Segment angeschlossen
werden.
Stellen Sie sicher, dass alle Kabel korrekt geführt werden, um Zugbelastung zu vermeiden.
Sollte das Netzteil Anzeichen von Beschädigung aufweisen, tauschen Sie es sofort aus.
hwc_pref.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 13
About this Guide
Consignes de sécurité
Trennen Sie alle Stromverbindungen, bevor Sie Arbeiten im Bereich der Stromversorgung
vornehmen, sofern dies nicht für eine Wartungsprozedur anders verlangt wird.
Gehen Sie vorsichtig vor, wenn Sie an Hotswap-fähigen HiPath Wireless Controller-
Komponenten (Stromversorgungen oder Lüftern) Servicearbeiten durchführen.
Rotierende Lüfter können ernsthafte Verletzungen verursachen.
Dieses Gerät ist möglicherweise über mehr als ein Netzkabel angeschlossen. Um die
Gefahr eines elektrischen Schlages zu vermeiden, sollten Sie vor Durchführung von
Servicearbeiten alle Netzkabel trennen. Falls eines der Stromversorgungsmodule ausfällt,
kann es ausgetauscht werden, ohne die Stromversorgung zum HiPath Wireless Controller
zu unterbrechen. Bei dieser Prozedur ist jedoch mit Vorsicht vorzugehen. Das Modul kann
extrem heiß sein. Tragen Sie Handschuhe, um Verbrennungen zu vermeiden.
Bei unsachgemäßem Austausch der Lithium-Batterie besteht Explosionsgefahr. Die
Lithium-Batterie darf nur durch identische oder vom Händler empfohlene Typen ersetzt
werden.
Achten Sie bei Lithium-Batterien auf die ordnungsgemäße Entsorgung.
Versuchen Sie niemals, ohne Hilfe schwere Gegenstände zu heben.
Vorsichtshinweise
Überprüfen Sie die für die Ausrüstung festgelegte Nennspannung (Bedienungsanleitung
und Typenschild). Diese Ausrüstung arbeitet mit Hochspannung, die mit der Gefahr eines
elektrischen Schlages verbunden ist. Gehen Sie mit großer Vorsicht vor, wenn Sie bei
eingeschaltetem System Hochspannungen messen oder Karten, Schalttafeln und
Baugruppen warten.
Verwenden Sie nur Werkzeuge und Ausrüstung in einwandfreiem Zustand. Verwenden Sie
keine Ausrüstung mit sichtbaren Beschädigungen.
Tragen Sie bei Arbeiten an Hardwarekomponenten ein Armband, um elektrostatisch
gefährdete Bauelemente (EGB) vor Beschädigungen zu schützen.
Verlegen Sie Leitungen so, dass sie keine Unfallquelle (Stolpergefahr) bilden und nicht
beschädigt werden.
1.7 Consignes de sécurité
Dangers
Si le cordon de raccordement au secteur est endommagé, remplacez-le immédiatement.
Remplacez sans délai les équipements de sécurité endommagés (caches, étiquettes et
conducteurs de protection).
About this Guide
A31003-W1040-U103-1-7619, Draft February 2007
14 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_pref.fm
Consignes de sécurité
Utilisez uniquement les accessoires d'origine ou les modules agréés spécifiques au
système. Dans le cas contraire, vous risquez d'endommager l'installation ou d'enfreindre
les consignes en matière de sécurité et de compatibilité électromagnétique.
Seul le personnel de service Siemens est autorisé à maintenir/réparer le système.
Avertissements
Cet appareil ne doit pas être connecté à un segment de LAN à l'aide d'un câblage
extérieur.
Vérifiez que tous les câbles fonctionnent correctement pour éviter une contrainte
excessive.
Si l'adaptateur d'alimentation présente des dommages, remplacez-le immédiatement.
Coupez toujours l'alimentation avant de travailler sur les alimentations électriques, sauf si
la procédure de maintenance mentionne le contraire.
Prenez toutes les précautions nécessaires lors de l'entretien/réparations des modules du
HiPath Wireless Controller pouvant être branchés à chaud : alimentations électriques ou
ventilateurs.Les ventilateurs rotatifs peuvent provoquer des blessures graves.
Cette unité peut avoir plusieurs cordons d'alimentation.Pour éviter tout choc électrique,
débranchez tous les cordons d'alimentation avant de procéder à la maintenance.En cas de
panne d'un des modules d'alimentation, le module défectueux peut être changé sans
éteindre le HiPath Wireless Controller. Toutefois, ce remplacement doit être effectué avec
précautions. Portez des gants pour éviter de toucher le module qui peut être très chaud.
Le remplacement non conforme de la batterie au lithium peut provoquer une explosion.
Remplacez la batterie au lithium par un modèle identique ou par un modèle recommandé
par le revendeur.
Sa mise au rebut doit être conforme aux prescriptions en vigueur.
N'essayez jamais de soulever des objets qui risquent d'être trop lourds pour vous.
Précautions
Contrôlez la tension nominale paramétrée sur l'installation (voir le mode d'emploi et la
plaque signalétique). Des tensions élevées pouvant entraîner des chocs électriques sont
utilisées dans cet équipement. Lorsque le système est sous tension, prenez toutes les
précautions nécessaires lors de la mesure des hautes tensions et de l'entretien/réparation
des cartes, des panneaux, des plaques.
N'utilisez que des appareils et des outils en parfait état. Ne mettez jamais en service des
appareils présentant des dommages visibles.
Pour protéger les dispositifs sensibles à l'électricité statique, portez un bracelet
antistatique lors du travail sur le matériel.
hwc_pref.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 15
About this Guide
Consignes de sécurité
Acheminez les câbles de manière à ce qu'ils ne puissent pas être endommagés et qu'ils
ne constituent pas une source de danger (par exemple, en provoquant la chute de
personnes).
About this Guide
A31003-W1040-U103-1-7619, Draft February 2007
16 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_pref.fm
Consignes de sécurité
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 17
Regulatory information
2 Regulatory information
This chapter provides the regulatory information for the HiPath Wireless Controller
C2400 and the AP2610 and AP2620 (AP26XX series) Wireless APs.
Configuration of the AP26XX frequencies and power output are controlled by the regional
software license and proper selection of the country during initial installation and set-up.
Customers are only allowed to select the proper country from their licenced regulatory domain
related to that customer’s geographic location, thus allowing the proper set-up of access points
in accordance with local laws and regulations. The AP26XX must not be operated until properly
configured with the correct country setting or it may be in violation of the local laws and
regulations.
7Warnings identify essential information. Ignoring a warning can lead to problems
with the application.
7Changes or modifications made to the HiPath Wireless Controller or the Wireless
APs which are not expressly approved by Siemens could void the user's authority to
operate the equipment.
Only authorized Siemens service personnel are permitted to service the system.
Procedures that should be performed only by Siemens personnel are clearly
identified in this guide.
7The HiPath Wireless Controllers and the Wireless APs are in compliance with the
European Directive 2002/95/EC on the restriction of the use of certain hazardous
substances (RoHS) in electrical and electronic equipment.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
18 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
HiPath Wireless Controller C2400
2.1 HiPath Wireless Controller C2400
Conformance Standards and Directives
Safety
UL 60950-1 (U.S)
CSA C22.2 No.60950-01-03 (Canada)
73/23/EEC Low Voltage Directive (LVD)
EN 60950-1:2001 (Europe)
IEC 60950-1 CB Certification with applicable National Differences
AS/NZS 60950.1 (Australia/New Zealand)
EMC (Emissions / Immunity)
FCC Part 15, Subpart B, Class A (North America)
ICES-003, Class A (Canadian Emissions)
89/336/EEC EMC Directive
EN 55022:1998 A2:2003 Class A (European Emissions)
EN 55024:1998 A2:2003 includes EN 61000-2,3,4,5,6,11 (European Immunity)
EN 61000-3-2:2000 Class A (Harmonics)
EN 61000-3-3:1995 A1:2001 (Flicker)
IEC/CISPR 22:1997 Class A (International Emissions)
IEC/CISPR 24:1998 includes IEC/EN 61000-4-2,3,4,5,6,11 (International Immunity)
Australia/New Zealand AS/NZS 3548 via EU standards (ACMA)
RoHS
European Directive 2002/95/EC
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 19
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2 AP2610 Internal Antenna AP, AP2620 External Antenna AP
The AP26XX is Wi-Fi certified under Certification ID # WFA4279 for operation in accordance
with IEEE 802.11a/b/g. The AP26XX Wireless APs with Internal and External antennas are
designed and intended to be used indoors.
Optional Approved 3rd Party External Antennas
The AP2620 Extrenal Antenna APs can also be used with optional certified external antennas.
Antenna Diversity
There are some limitations for using different antennas and Tx/Rx diversity:
If Best antenna diversity is used for Tx or Rx, then the same antenna model must be used
as left and right antennas. In addition, if cables are used to connect external antennas, the
cables must be of the same length and similar attenuation. If these rules are not respected,
antenna diversity will not function properly and there will be degradation in the link budget
in both directions.
You can choose to install only one antenna provided that both Tx and Rx diversity are
configured to use that antenna and only that antenna. You can choose to install one
antenna for 11b/g band and one antenna for 11a band, provided that the antenna diversity
is configured appropriately on both radios.
Sensor Support
Changing the antenna on sensors is not supported (at this stage) for the following reasons:
The sensor factors the antenna gain and pattern in its calculations and therefore it needs
to know the antenna type and gain.
The sensor operating in mitigation mode becomes a transmitter and must obey the same
CTLs as the normal AP software.
Neither the sensor nor the HiPath Wireless Manager HiGuard support configuring the
antenna.
>Operation in the European Community and rest of the world may be dependant on
securing local licenses, certifications, and regulatory approvals.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
20 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.1 United States - FCC Declaration of Conformity Statement
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two
conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause
undesired operation.
This equipment has been tested and found to comply with the limits for a Class B digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable
protection against harmful interference when the equipment is operated in a residential and
business environment. This equipment generates, uses, and radiates radio frequency energy,
and if not installed and used in accordance with instructions, may cause harmful interference.
However, there is no guarantee that interference will not occur. If this equipment does cause
harmful interference, which can be determined by turning the equipment off and on, the user is
encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment or devices.
Connect the equipment to an outlet other than the receiver's.
Consult a dealer or an experienced radio/TV technician for suggestions.
This equipment meets the following conformance standards:
USA Conformance Standards
Safety
UL 60950-1
UL 2043 Plenum Rated as part of UL 60950-1. Suitable for use in environmental air space
in accordance with Section 300.22.C of the National Electrical Code.
EMC
FCC CFR 47 Part 15, Class B
Radio Transceiver
FCC ID: REB-APXXX1
CFR 47 Part 15.247, Subpart C (2.4 GHz)
CFR 47 Part 15.407, Subpart E (5 GHz)
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 21
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
Other
IEEE 802.11a (5 Ghz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.3af (PoE)
2.2.1.1 FCC RF Radiation Exposure Statement
The AP26XX access point complies with FCC RF radiated exposure limits set forth for an
uncontrolled environment. End users must follow the specific operating instructions for
satisfying RF exposure compliance. This device has been tested and has demonstrated
compliance when simultaneously operated in the 2.4 GHz and 5 GHz frequency ranges. This
device must not be co-located or operated in conjunction with any other antenna or transmitter.
>The AP26XX must be installed and used in strict accordance with the manufacturer's
instructions as described in this guide and related documentation for the device to
which AP26XX is connected. Any other installation or use of the product violates
FCC Part 15 regulations.
Operation of the AP26XX is restricted for indoor use only, specifically in the UNII
5.15 - 5.25 GHz band in accordance with 47 CFR 15.407(e).
This Part 15 radio device operates on a non-interference basis with other devices
operating at the same frequency when using antennas provided or other Siemens
certified antennas. Any changes or modification to the product not expressly
approved by Siemens could void the user's authority to operate this device.
>The radiated output power of the AP26XX is far below the FCC radio frequency
exposure limits as specified in "Guidelines for Human Exposure to Radio Frequency
Electromagnetic Fields" (OET Bullet 65, Supplement C). This equipment should be
installed and operated with a minimum distance of 20 centimeters (8 inches)
between the radiator and your body or other co-located operating antennas.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
22 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.1.2 Optional 3rd Party External Antennas
The AP2620 Extrenal Antenna APs can also be used with optional certified 3rd party antennas.
However, in order to comply with the local laws and regulations, an approval may be required
by the local regulatory authorities. The following optional antennas have been tested and
approved for use with the External Antenna model.
>When using an approved 3rd party external antenna (other than the default), the
power must be adjusted according to these tables.
This device must be professionally installed. The following are the requirements
of professional installation:
Equipment marketing
The device cannot be sold retail to the general public or by mail order. It must be
sold to dealers.
Professional installation:
Installation must be controlled.
Installed by licensed professionals (equipment sold to dealers who hire
installers)
Installation requires special training (special programming and antenna and
cable installations)
Application
The intended use is generally not for the general public. Instead, it is generally
for industry/commercial use.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 23
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
# Model Application Shape Gain
(dBi)
Frequency
(MHz)
Coax Cable
Length/Type
Connector
Type
Cushcraft
#1 SR240513
5Dxxxxxx
indoor Directional 5 2400-2500 3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
#2 S24493DS
xxxxxx
indoor Omni,
2 inputs
3 2400-2500
4900-5990
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA,
2ea.
#3 SL24513P
xxxxxx
indoor Omni 3 2400-2500
5150-5350
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
#4 S24497Px
xxxxx
indoor Directional 7 2400-2500
4900-5990
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
Hyperlink Tech
#5 HG2458C
Uxxx
indoor Omni 3 2300-2600
4900-6000
1 foot /
20AWG
Coleman
Cable
921021
N-female
Maxrad
#6 MDO2400
5PTxxxxxx
indoor Omni,
2 inputs
5.2 2400-2485 3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA,
2ea.
Table 1 List of FCC approved antennas
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
24 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
>The qualification testing and results are based on above described antennas, cable
types, lengths, and connector types. Other cable lengths and connector types are
also available which are specified by the suffix part of the part numbers (for example,
SR2405135Dxxxxxx, where the xxxxxx suffix represents cable length and/or
connector type). The antenna feedline used in testing are the mininum cable length.
Longer cable may be used with losses greater than or equal to the cables used for
testing. The maximum power settings must be adjusted according to these tables.
>If one of the following antenna is used, you must select an operating channel (on the
Wireless APs configuration screens) and the corresponding allowed max power
from the values listed in Table 2. DO NOT select a higher power than the value listed
in Table 2.
Antenna
Antenna
#1
Cushcraft
SR2405135
Dxxxxxx
Antenna
#2
Cushcraft
S24493DSx
xxxxx
Antenna
#3
Cushcraft
SL24513Px
xxxxx
Antenna
#4
Cushcraft
S24497Pxx
xxxx
Antenna
#5 Hyperlink
Tech
HG2458CUxx
x
Antenna
#6
Maxrad
MDO24005PT
xxxxxx
Frequency
(MHz)
Ch. No. Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
11b
2412 1 16 18 17 16 17 17
2417 2 17 17 17 16 17 17
2422 3 18 18 18 18 18 18
2427 4 18 18 18 18 18 18
2432 5 18 18 18 18 18 18
2437 6 18 18 18 18 18 18
2442 7 18 18 18 18 18 18
2447 8 18 18 18 18 18 18
2452 9 18 18 18 18 18 18
2457 10 18 18 18 18 18 18
2462 11 18 18 18 18 18 18
Table 2 FCC Antenna channel-power information
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 25
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
11g
241211013 131012 13
241721415 151415 14
242231516 161516 16
242741618 181617 17
243251618 181718 18
243761618 181718 18
244271818 181818 18
244781818 181818 18
245291818 181818 18
2457 10 17 17 17 17 17 18
2462 11 14 14 14 14 14 14
Antenna
Antenna
#1
Cushcraft
SR2405135
Dxxxxxx
Antenna
#2
Cushcraft
S24493DSx
xxxxx
Antenna
#3
Cushcraft
SL24513Px
xxxxx
Antenna
#4
Cushcraft
S24497Pxx
xxxx
Antenna
#5 Hyperlink
Tech
HG2458CUxx
x
Antenna
#6
Maxrad
MDO24005PT
xxxxxx
Frequency
(MHz)
Ch. No. Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Table 2 FCC Antenna channel-power information
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
26 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
11a
5180 36 N/S 17 17 17 17 N/S
5200 40 N/S 17 17 17 17 N/S
5220 44 N/S 17 17 17 17 N/S
5240 48 N/S 17 17 17 17 N/S
5260 52 N/S 18 18 18 18 N/S
5280 56 N/S 18 18 18 18 N/S
5300 60 N/S 18 18 18 18 N/S
5320 64 N/S 18 18 18 18 N/S
5745 149 N/S 15 N/S 15 15 N/S
5765 153 N/S 15 N/S 15 15 N/S
5785 157 N/S 14 N/S 14 14 N/S
5805 161 N/S 14 N/S 14 14 N/S
5825 165 N/S 14 N/S 14 14 N/S
>Channels designated as N/S are not supported by the antenna and must not be
selected from the Wireless APs configuration screens.
7For antenna #3 (Cushcraft SL24513Pxxxxxx), do not select the Auto channel
selection (on the Wireless APs configuration screens) for the 11a radio. Instead,
only select a channel from the listed supported channels in Table 2.
Operating on a channel that is NOT supported (N/S) is in violation of the law.
>If you select the Auto channel selection (on the Wireless APs configuration
screens), you must also select the power values listed in Table 3. DO NOT select a
higher power than the value listed in Table 3.
Antenna
Antenna
#1
Cushcraft
SR2405135
Dxxxxxx
Antenna
#2
Cushcraft
S24493DSx
xxxxx
Antenna
#3
Cushcraft
SL24513Px
xxxxx
Antenna
#4
Cushcraft
S24497Pxx
xxxx
Antenna
#5 Hyperlink
Tech
HG2458CUxx
x
Antenna
#6
Maxrad
MDO24005PT
xxxxxx
Frequency
(MHz)
Ch. No. Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Table 2 FCC Antenna channel-power information
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 27
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at
least 20 cm from all persons and must not be co-located or operating in conjunction with
another antenna or transmitter.
Antenna 11a (dBm) 11b/g (dBm)
#1 N/S 10
#2 14 13
#3 17 13
#4 14 10
#5 14 12
#6 N/S 13
Table 3 Auto channel selection
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
28 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.2 Canada - Department of Communications Compliance Statement
This digital apparatus does not exceed the Class B limits for radio noise emissions from digital
apparatus as set out in the interference-causing equipment standard entitled "Digital
Apparatus," ICES-003 of the Department of Communications.
Cet appareil numerique respecte les limites de bruits radioelectriques applicables aux
appareils numeriques de Classe B prescrites dans la norme sur le materiel brouilleur:
"Appareils Numeriques," NMB-003 edictee par le ministere des Communications.
This device complies with Part 15 of the FCC Rules and Canadian Standard RSS-210.
Operation is subject to the following conditions:
This device may not cause harmful interference.
This device must accept any interference received, including interference that may cause
undesired operation.
This Class B digital apparatus complies with Canadian ICES-003.
Operation in the 5150-5250 MHz band is only for indoor usage to reduce potential for
harmful interference to co-channel mobile satellite systems.
The maximum antenna gain permitted for operation in the 5250-5350 MHz band to comply
with the e.i.r.p. limit is 4.3 dBi for the internal antenna and 5 dBi for the default external
antenna that is shipped with the unit. To comply with the e.i.r.p. limit with the optional
external antennas, refer to Table 5.
The maximum antenna gain permitted for operation in the 5725-5825 MHz band to comply
with the e.i.r.p. limit is 4.3 dBi for the internal antenna and 5 dBi for the default external
antenna that is shipped with the unit. To comply with the e.i.r.p. limit with the optional
external antennas, refer to Table 5.
Please note that high power radars are allocated as primary users (meaning they have
priority) of 5250-5350 MHz and 5650-5850 MHz and these radars could cause interference
to LE-LAN devices.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 29
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
This equipment meets the following conformance standards:
Canada Conformance Standards
Safety
C22.2 No.60950-1-03
UL 2043 Plenum Rated as part of UL 60950-1. Suitable for use in environmental air space
in accordance with Sections 2-128, 12-010(3) and 12-100 of the Canadian Electrical Code,
Part 1, C22.1
EMC
ICES-003, Class B
Radio Transceiver
IC: 4702A-APXXXX
RSS-210 (2.4 GHz and 5GHz)
Other
IEEE 802.11a (5 GHz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.3af (PoE)
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
30 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.2.1 Optional 3rd Party External Antennas
The AP2620 Extrenal Antenna APs can also be used with optional certified 3rd party antennas.
However, in order to comply with the local laws and regulations, an approval may be required
by the local regulatory authorities. The following optional antennas have been tested with and
approved for use with the External Antenna model.
>When using an approved 3rd party external antenna (other than the default), the
power must be adjusted according to these tables.
This device must be professionally installed. The following are the requirements
of professional installation:
Equipment marketing
The device cannot be sold retail to the general public or by mail order. It must be
sold to dealers.
Professional installation:
Installation must be controlled.
Installed by licensed professionals (equipment sold to dealers who hire
installers)
Installation requires special training (special programming and antenna and
cable installations)
Application
The intended use is generally not for the general public. Instead, it is generally
for industry/commercial use.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 31
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
# Model Application Shape Gain (dBi) Frequency
(MHz)
Coax Cable
Length/Type
Connector
Type
Cushcraft
#1 SR240513
5Dxxxxxx
indoor Directional 5 2400-2500 3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
#2 S24493DS
xxxxxx
indoor Omni,
2 inputs
3 2400-2500
4900-5990
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA,
2ea.
#3 SL24513P
xxxxxx
indoor Omni 3 2400-2500
5150-5350
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
#4 S24497Px
xxxxx
indoor Directional 7 2400-2500
4900-5990
3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA
Hyperlink Tech
#5 HG2458C
Uxxx
indoor Omni 3 2300-2600
4900-6000
1 foot /
20AWG
Coleman
Cable
921021
N-female
Maxrad
#6 MDO2400
5PTxxxxxx
indoor Omni,
2 inputs
5.2 2400-2485 3 feet /
19AWG
CMP(ETL)
C(ETL)
9700851
RPSMA,
2ea.
Table 4 List of IC (Industry Canada) approved antennas
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
32 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
>The qualification testing and results are based on above described antennas, cable
types, lengths, and connector types. Other cable lengths and connector types are
also available which are specified by the suffix part of the part numbers (ex.
SR2405135Dxxxxxx, where the xxxxxx suffix represents cable length and/or
connector type). The antenna feedline used in testing are the mininum cable length.
Longer cable may be used with losses greater than or equal to the cables used for
testing. The maximum power settings must be adjusted according to these tables.
>If one of the following antenna is used, you must select an operating channel (on the
Wireless APs configuration screens) and the corresponding allowed max power
from the values listed in Table 5. DO NOT select a higher power than the value listed
in Table 5.
Antenna
Antenna
#1
Cushcraft
SR2405135D
xxxxxx
Antenna
#2
Cushcraft
S24493DSxx
xxxx
Antenna
#3
Cushcraft
SL24513Pxx
xxxx
Antenna
#4
Cushcraft
S24497Pxx
xxxx
Antenna
#5 Hyperlink
Tech
HG2458CUxxx
Antenna
#6
Maxrad
MDO24005P
Txxxxxx
Frequency
(MHz)
Ch.
No.
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
11b 2412 1 16 18 17 16 17 17
2417 2 17 17 17 16 17 17
2422 3 18 18 18 18 18 18
2427 4 18 18 18 18 18 18
2432 5 18 18 18 18 18 18
2437 6 18 18 18 18 18 18
2442 7 18 18 18 18 18 18
2447 8 18 18 18 18 18 18
2452 9 18 18 18 18 18 18
2457 10 18 18 18 18 18 18
2462 11 18 18 18 18 18 18
Table 5 IC Antenna channel-power information
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 33
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
11g
241211013131012 13
241721415151415 14
242231516161516 16
242741618181617 17
243251618181718 18
243761618181718 18
244271818181818 18
244781818181818 18
245291818181818 18
2457 10 17 17 17 17 17 18
2462 11 14 14 14 14 14 14
11a
5180 36 N/S 17 17 17 17 N/S
5200 40 N/S 17 17 17 17 N/S
5220 44 N/S 17 17 17 17 N/S
5240 48 N/S 17 17 17 17 N/S
5260 52 N/S 18 18 18 18 N/S
5280 56 N/S 18 18 18 18 N/S
5300 60 N/S 18 18 18 18 N/S
5320 64 N/S 18 18 18 18 N/S
5745 149 N/S 15 N/S 15 15 N/S
5765 153 N/S 15 N/S 15 15 N/S
5785 157 N/S 14 N/S 14 14 N/S
5805 161 N/S 14 N/S 14 14 N/S
5825 165 N/S 14 N/S 14 14 N/S
Antenna
Antenna
#1
Cushcraft
SR2405135D
xxxxxx
Antenna
#2
Cushcraft
S24493DSxx
xxxx
Antenna
#3
Cushcraft
SL24513Pxx
xxxx
Antenna
#4
Cushcraft
S24497Pxx
xxxx
Antenna
#5 Hyperlink
Tech
HG2458CUxxx
Antenna
#6
Maxrad
MDO24005P
Txxxxxx
Frequency
(MHz)
Ch.
No.
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Power limit
(dBm)
Table 5 IC Antenna channel-power information
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
34 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at
least 20 cm from all persons and must not be co-located or operating in conjunction with
another antenna or transmitter.
>Channels designated as N/S are not supported by the antenna and must not be
selected from the Wireless APs configuration screens.
7For antenna #3 (Cushcraft SL24513Pxxxxxx), do not select the Auto channel
selection (on the Wireless APs configuration screens) for the 11a radio. Instead,
only select a channel from the listed supported channels in Table 2.
Operating on a channel that is NOT supported (N/S) is in violation of the law.
>If you select the Auto channel selection (on the Wireless APs configuration
screens), you must also select the power values listed in Table 6. DO NOT select a
higher power than the value listed in Table 6.
Antenna 11a (dBm) 11b/g (dBm)
#1 N/S 10
#2 14 13
#3 17 13
#4 14 10
#5 14 12
#6 N/S 13
Table 6 Auto channel selection
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 35
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.3 European Community
The AP26XX are Wireless APs designed for use in the European Union and other countries
with similar regulatory restrictions where the end user or installer is allowed to configure the
Wireless AP for operation by entry of a country code relative to a specific country. Upon
connection to the controller, the software will prompt the user to select a country code. After the
country code is selected, the controller will set up the Wireless AP with the proper frequencies
and power outputs for that country code.
Although outdoor use may be allowed and may be restricted to certain frequencies and/or may
require a license for operation, the AP26XX is intended for indoor use and must be installed in
a proper indoor location. Use the installation utility provided with the controller software to
ensure proper set-up in accordance with all European spectrum usage rules. Contact local
Authority for procedure to follow and regulatory information. For more details on legal
combinations of frequencies, power levels and antennas, contact Siemens.
Declaration of Conformity with R&TTE Directive of the European Union 1999/5/EC
The following symbol indicates compliance with the Essential Requirements of the R&TTE
Directive of the European Union (1999/5/EC).
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
36 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.3.1 Declaration of Conformity in Languages of the European Community
English Hereby, Siemens, declares that this Radio LAN device is in compliance with the
essential requirements and other relevant provisions of Directive 1999/5/EC.
Finnish Valmistaja Siemens vakuuttaa täten että Radio LAN device tyyppinen laite on
direktiivin 1999/5/EY oleellisten vaatimusten ja sitä koskevien direktiivin muiden
ehtojen mukainen.
Dutch Hierbij verklaart Siemens dat het toestel Radio LAN device in overeenstemming
is met de essentiële eisen en de andere relevante bepalingen van richtlijn 1999/
5/EG.
Bij deze verklaart Siemens dat deze Radio LAN device voldoet aan de
essentiële eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/
EC.
French Par la présente Siemens déclare que l'appareil Radio LAN device est conforme
aux exigences essentielles et aux autres dispositions pertinentes de la directive
1999/5/CE.
Par la présente, Siemens déclare que ce Radio LAN device est conforme aux
exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui
lui sont applicables.
Swedish Härmed intygar Siemens att denna Radio LAN device står I överensstämmelse
med de väsentliga egenskapskrav och övriga relevanta bestämmelser som
framgår av direktiv 1999/5/EG.
Danish Undertegnede Siemens erklærer herved, at følgende udstyr Radio LAN device
overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.
German Hiermit erklärt Siemens die Übereinstimmung des "WLAN Wireless Controller
bzw. Access Points" mit den grundlegenden Anforderungen und den anderen
relevanten Festlegungen der Richtlinie 1999/5/EG.
Greek ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ Siemens ΔΗΛΩΝΕΙ ΟΤΙ Radio LAN device
ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΔΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ
ΣΧΕΤΙΚΕΣ ΔΙΑΤΑΞΕΙΣ ΤΗΣ ΟΔΗΓΙΑΣ 1999/5/ΕΚ.
Icelandic Siemens lysir her med yfir að thessi bunadur, Radio LAN device, uppfyllir allar
grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC.
Italian Con la presente Siemens dichiara che questo Radio LAN device è conforme ai
requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva
1999/5/CE.
Spanish Por medio de la presente Siemens declara que el Radio LAN device cumple con
los requisitos esenciales y cualesquiera otras disposiciones aplicables o
exigibles de la Directiva 1999/5/CE.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 37
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
New Member States requirements of Declaration of Conformity
Portuguese Siemens declara que este Radio LAN device está conforme com os requisitos
essenciais e outras disposições da Directiva 1999/5/CE.
Malti Hawnhekk, Siemens, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet
essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC.
Estonian Käesolevaga kinnitab Siemens seadme Radio LAN device vastavust direktiivi
1999/5/EÜ põhinõuetele ja nimetatud direktiivist tulenevatele teistele
asjakohastele sätetele.
Hungary Alulírott, Siemens nyilatkozom, hogy a Radio LAN device megfelel a vonatkozó
alapvetõ követelményeknek és az 1999/5/EC irányelv egyéb elõírásainak.
Slovak Siemens týmto vyhlasuje, že Radio LAN device spĺňa základné požiadavky a
všetky príslušné ustanovenia Smernice 1999/5/ES.
Czech Siemens tímto prohlašuje, že tento Radio LAN device je ve shodě se základními
požadavky a dalšími příslušnými ustanoveními směrnice 1999/5/ES."
Slovenian Šiuo Siemens deklaruoja, kad šis Radio LAN device atitinka esminius
reikalavimus ir kitas 1999/5/EB Direktyvos nuostatas.
Latvian Ar šo Siemens deklarē, ka Radio LAN device atbilst Direktīvas 1999/5/EK
būtiskajām prasībām un citiem ar to saistītajiem noteikumiem
Lithuanian Siemens deklaruoja, kad Radio LAN device atitinka 1999/5/EC Direktyvos
esminius reikalavimus ir kitas nuostatas".
Polish Niniejszym, Siemens, deklaruję, że Radio LAN device spełnia wymagania
zasadnicze oraz stosowne postanowienia zawarte Dyrektywie 1999/5/EC.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
38 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
European Conformance Standards
Safety
73/23/EEC Low Voltage Directive (LVD)
EN 60950-1
EMC (Emissions / Immunity)
89/336/EEC EMC Directive
EN 55011/CISPR 11, Class B, Group 1 ISM
EN 55022/CISPR 22, Class B
EN 55024:1998 Class A, includes IEC/EN 61000-4-2,3,4,5,6,11
EN 61000-3-2 and -3-3 (Harmonics and Flicker)
EN 60601-1-2 (EMC immunity for medical equipment)
EN 50385 (EMF)
EN/ETSI 301 489-1 & -17
Radio Transceiver
R&TTE Directive 1999/5/EC
ETSI/EN 300 328-2 2003-04 (2.4 GHz)
ETSI/EN 301 893-1 2002-07 (5 GHz)
Other
IEEE 802.11a (5 Ghz)
IEEE 802.11b/g (2.4 GHz)
IEEE 802.3af (PoE)
RoHS
European Directive 2002/95/EC
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 39
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.3.2 Optional 3rd Party External Antennas
The AP2620 Extrenal Antenna APs can also be used with optional certified 3rd party antennas.
However, in order to comply with the local laws and regulations, an approval may be required
by the local regulatory authorities. The following optional antennas have been tested with and
approved for use with the External Antenna model.
>When using an approved 3rd party external antenna (other than the default), the
power must be adjusted according to these tables.
This device must be professionally installed. The following are the requirements
of professional installation:
Equipment marketing
The device cannot be sold retail to the general public or by mail order. It must be
sold to dealers.
Professional installation:
Installation must be controlled.
Installed by licensed professionals (equipment sold to dealers who hire
installers)
Installation requires special training (special programming and antenna and
cable installations)
Application
The intended use is generally not for the general public. Instead, it is generally
for industry/commercial use.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
40 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
# Model Location Type Gain
(dBi)
Frequency
(MHz)
Huber+Suhner
#1 SOA
2454/360/7/20/DF
outdoor-
capable
Omni 6
8
2400-2500
4900-5875
#2 SPA
2456/75/9/0/DF
outdoor-
capable
Planar
2 or 1 inputs
9 2400-2500
5150-5875
#3 SPA
2400/80/9/0/DS
outdoor-
capable
Planar
2 inputs
8.5 2300-2500
#4 SWA
0859/360/4/10/V
outdoor-
capable
Omni 7 2400-5875
#5 SOA
2400/360/4/0/DS
outdoor-
capable
Omni 3.5 2400-2500
#6 SPA
2400/40/14/0/DS
outdoor-
capable
Planar
2 inputs
13.5 2400-2500
#7 SWA
2459/360/4/45/V
outdoor-
capable
Omni >4 2400-5875
Table 7 Approved antenna list for Europe
>If one of the following antenna is used, you must select an operating channel (on the
Wireless APs configuration screens) and the corresponding allowed max power
from the values listed in Table 8. DO NOT select a higher power than the value listed
in Table 8.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 41
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
Antenna
Antenna
#1
Huber
+Suhner
SOA 2454/
360/7/20/
DF
Antenna
#2
Huber
+Suhner
SPA 2456/
75/9/0/DF
Antenna
#3
Huber
+Suhner
SPA 2400/
80/9/0/DS
Antenna
#4
Huber
+Suhner
SWA 0859/
360/4/10/V
Antenna
#5
Huber
+Suhner
SOA 2400/
360/4/0/DS
Antenna
#6
Huber
+Suhner
SPA 2400/
40/14/0/DS
Antenna
#7
Huber
+Suhner
SWA 2459/
360/4/45/V
Frequency
(MHz)
Ch.
No.
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
11b
2412 1 15 14 14 15 15 9 15
2417 2 15 14 14 15 15 9 15
2422 3 15 14 14 15 15 9 15
2427 4 15 14 14 15 15 9 15
2432 5 15 14 14 15 15 9 15
2437 6 15 14 14 15 15 9 15
2442 7 15 14 14 15 15 9 15
2447 8 15 14 14 15 15 9 15
2452 9 15 14 14 15 15 9 15
2457 10 15 14 14 15 15 9 15
2462 11 15 14 14 15 15 9 15
2467 12 15 14 14 15 15 9 15
2472 13 15 14 15 15 15 10 15
Table 8 ETSI Antenna channel-power information
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
42 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
11g
2412 1 15 13 14 15 15 9 15
2417 2 15 13 14 15 15 9 15
2422 3 15 13 14 15 15 9 15
2427 4 15 13 14 15 15 9 15
2432 5 15 13 14 15 15 9 15
2437 6 15 13 14 15 15 9 15
2442 7 15 14 14 15 15 10 15
2447 8 15 14 14 15 15 10 15
2452 9 15 14 14 15 15 10 15
2457 10 15 14 14 15 15 10 15
2462 11 15 14 14 15 15 10 15
2467 12 15 14 14 15 15 10 15
2472 13 15 13 13 15 15 9 15
Antenna
Antenna
#1
Huber
+Suhner
SOA 2454/
360/7/20/
DF
Antenna
#2
Huber
+Suhner
SPA 2456/
75/9/0/DF
Antenna
#3
Huber
+Suhner
SPA 2400/
80/9/0/DS
Antenna
#4
Huber
+Suhner
SWA 0859/
360/4/10/V
Antenna
#5
Huber
+Suhner
SOA 2400/
360/4/0/DS
Antenna
#6
Huber
+Suhner
SPA 2400/
40/14/0/DS
Antenna
#7
Huber
+Suhner
SWA 2459/
360/4/45/V
Frequency
(MHz)
Ch.
No.
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Table 8 ETSI Antenna channel-power information
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 43
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
11a
5180 36 16 16 N/S 16 N/S N/S 16
5200 40 16 16 N/S 16 N/S N/S 16
5200 44 16 16 N/S 16 N/S N/S 16
5240 48 16 16 N/S 16 N/S N/S 16
5260 52 16 16 N/S 16 N/S N/S 16
5280 56 16 16 N/S 16 N/S N/S 16
5300 60 16 16 N/S 16 N/S N/S 16
5320 64 16 16 N/S 16 N/S N/S 16
5500 100 20 19 N/S 20 N/S N/S 20
5520 104 20 19 N/S 20 N/S N/S 20
5540 108 20 19 N/S 20 N/S N/S 20
5560 112 20 19 N/S 20 N/S N/S 20
5580 116 20 19 N/S 20 N/S N/S 20
5600 120 20 19 N/S 20 N/S N/S 20
5620 124 20 19 N/S 20 N/S N/S 20
5640 128 20 19 N/S 20 N/S N/S 20
5660 132 20 19 N/S 20 N/S N/S 20
5680 136 20 19 N/S 20 N/S N/S 20
5700 140 20 19 N/S 20 N/S N/S 20
>Channels designated as N/S are not supported by the antenna and must not be
selected from the Wireless APs configuration screens.
Antenna
Antenna
#1
Huber
+Suhner
SOA 2454/
360/7/20/
DF
Antenna
#2
Huber
+Suhner
SPA 2456/
75/9/0/DF
Antenna
#3
Huber
+Suhner
SPA 2400/
80/9/0/DS
Antenna
#4
Huber
+Suhner
SWA 0859/
360/4/10/V
Antenna
#5
Huber
+Suhner
SOA 2400/
360/4/0/DS
Antenna
#6
Huber
+Suhner
SPA 2400/
40/14/0/DS
Antenna
#7
Huber
+Suhner
SWA 2459/
360/4/45/V
Frequency
(MHz)
Ch.
No.
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Power
limit
(dBm)
Table 8 ETSI Antenna channel-power information
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
44 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
RF Safety Distance
The antennas used for this transmitter must be installed to provide a separation distance of at
least 20 cm from all persons and must not be co-located or operating in conjunction with
another antenna or transmitter.
2.2.3.3 Conditions of Use in the European Community
The AP26XX Wireless APs with Internal and External antennas are designed and intended to
be used indoors. Some EU countries allow outdoor operation with limitations and restrictions,
which are described in this section. It is the responsibility of the end user to ensure operation
in accordance with these rules, frequencies, and transmitter power output. The AP26XX must
not be operated until properly configured for the customer’s geographic location.
>If you select the Auto channel selection (on the Wireless APs configuration
screens), you must also select the power values listed in Table 9. DO NOT select a
higher power than the value listed in Table 9.
Antenna 11a (dBm) 11b/g (dBm)
#1 16 15
#2 16 13
#3 N/S 13
#4 16 15
#5 N/S 15
#6 N/S 9
#7 16 15
Table 9 Auto channel selection
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 45
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
7The user or installer is responsible to ensure that the AP26XX is operated according
to channel limitations, indoor / outdoor restrictions, license requirements, and within
power level limits for the current country of operation. A configuration utility has been
provided with the HiPath Wireless Controller to allow the end user to check the
configuration and make necessary configuration changes to ensure proper
operation in accordance with the spectrum usage rules for compliance with the
European R&TTE directive 1999/5/EC.
The AP26XX Wireless APs with Internal and External antennas are designed to be
operated only indoors within all countries of the European Community. Some
countries require limited channels of operation. These restrictions are described in
this section.
>The AP26XX is completely configured and managed by the HiPath Wireless
Controller connected to the network. Please follow the instructions in this user guide
to properly configure the AP26XX.
The AP2610 and AP2620 Wireless APs require the end user or installer to
ensure that they have a valid license prior to operating the AP26XX. The license
contains the region and the region exposes the country codes which allow for
proper configuration in conformance with European National spectrum usage
laws.
There is a default group of settings that each AP26XX receives when it connects
to the controller. There is the ability to change these settings. The user or
installer is responsible to ensure that each Wireless AP is properly configured.
The software within the controller will automatically limit the allowable channels
and output power determined by the selected country code. Selecting the
incorrect country of operation or identifying the proper antenna used, may result
in illegal operation and may cause harmful interference to other systems.
This device employs a radar detection feature required for European
Community operation in the 5 GHz band. This feature is automatically enabled
when the country of operation is correctly configured for any European
Community country. The presence of nearby radar operation may result in
temporary interruption of operation of this device. The radar detection feature
will automatically restart operation on a channel free of radar.
The 5 GHz Turbo Mode feature is not enabled for use on the AP2610 and
AP2620 access points.
The Auto channel setting of the 5 GHz described in this user guide must always
remain enabled to ensure that automatic 5 GHz channel selection complies with
European requirements.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
46 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
AP2610 Internal Antenna AP, AP2620 External Antenna AP
The 5150- 5350 MHz band, channels 36, 40, 44, 48, 52, 56, 60, or 64, are
restricted to indoor use only.
The AP2620 with external antenna must be used only with the antennas that are
certified by Siemens.
The 2.4 GHz band, channels 1 - 13, may be used for indoor or outdoor use but
there may be some channel restrictions.
In Italy, the end user must apply for a license from the national spectrum
authority to operate outdoors.
In Belgium, outdoor operation is only permitted using the 2.46 - 2.4835 GHz
band: Channel 13.
In France, outdoor operation is only permitted using the 2.4 - 2.454 GHz band:
Channels 1 - 7.
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 47
Regulatory information
AP2610 Internal Antenna AP, AP2620 External Antenna AP
2.2.4 Certifications of Other Countries
The AP2610 and AP2620 Wireless APs have been certified for use in the countries listed in the
table below. When the AP26XX is connected to the Siemens controller, the user is prompted to
select a country code. Once the correct country code is selected, the controller automatically
sets up the AP26XX with the proper frequencies and power outputs for that country code.
Optional 3rd Party External Antennas
The AP2620 External Antenna APs can also be used with optional certified 3rd party antennas.
However, in order to comply with the local laws and regulations, an approval may be required
by the local regulatory authorities.
Other Country Specific Compliance Standards, Approvals and Declarations
Australia and New Zealand
AS/NZS 4288 (Radio via EU standards)
AS/NZS 60950.1 (Safety)
AS/NZS 3548 (Emissions via EU standards – ACMA)
IEEE 802.11a/b/g
IEEE 802.3af (PoE)
EN 300 328-2:2003-04 (2.4 GHz)
EN 301 893-1:2003-08 (5 GHz)
EN 301 489-17:2002-08 (RLAN)
>It is the responsibility of the end user to select the proper country code for the
country the device will be operated within or run the risk violating local laws and
regulations.
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
48 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
Country support list
2.3 Country support list
Spectrum 11b/g Band 1
2.4-2.472/
2.4835 GHz
11a Band 1
5.15-5.25
GHz
11a Band 2
5.25-5.35
GHz
11a Band 3
5.47-5.725
GHz
11a Band 4
5.725-5.825/
5.850 GHz
Channel # 1-11/13 36, 40, 44, 48 52, 56, 60, 64 100, 104,
108, 112,
116, 120,
124, 128,
132, 136,
140
149, 153,
157, 161
(165)
Argentina 11b & g
11 channels
Not supported 4 channels Not supported 4 channels
Australia 11b & g
13 channels
4 channels 4 channels Not supported 4 channels
Austria 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Belgium 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Bosnia &
Herzegovina
11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Brazil 11b & g
13 channels
4 channels 4 channels 11 channels 5 channels
Bulgaria 11b & g
|13 channels
4 channels 2 channels 11 channels Not supported
Canada 11b & g
11 channels
4 channels 4 channels Not supported 5 channels
Chile 11b & g
13 channels
4 channels 4 channels Not supported 5 channels
China 11b & g
13 channels
Not supported Not supported Not supported 5 channels
Croatia 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Cyprus 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Czech Rep. 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Table 10 Country support list
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 49
Regulatory information
Country support list
Denmark 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Estonia 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Finland 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
France 11b & g
13 channels
4 channels 4 channels Not supported Not supported
Germany 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Greece 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Hong Kong 11b & g
13 channels
4 channels 4 channels Not supported 5 channels
Hungary 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Iceland 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
India 11b & g
13 channels
4 channels 4 channels Not supported 5 channels
Ireland 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Israel 11b & g
13 channels
4 channels 4 channels Not supported Not supported
Italy 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Japan 11b 14 channels
11g 13 channels
4 channels 4 channels Not supported Not supported
Korea
(South)
11b & g
13 channels
4 channels 4 channels 5 channels 4 channels
Spectrum 11b/g Band 1
2.4-2.472/
2.4835 GHz
11a Band 1
5.15-5.25
GHz
11a Band 2
5.25-5.35
GHz
11a Band 3
5.47-5.725
GHz
11a Band 4
5.725-5.825/
5.850 GHz
Channel # 1-11/13 36, 40, 44, 48 52, 56, 60, 64 100, 104,
108, 112,
116, 120,
124, 128,
132, 136,
140
149, 153,
157, 161
(165)
Table 10 Country support list
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
50 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
Country support list
Kuwait 11b & g
13 channels
Not supported Not supported Not supported Not supported
Latvia 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Lithuania 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Luxembourg 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Macau 11b & g
13 channels
Not supported Not supported Not supported 5 channels
Malaysia 11b & g
13 channels
Not supported 4 channels Not supported 5 channels
Malta 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Mexico 11b & g
13 channels
4 channels 4 channels Not supported Not supported
Netherlands 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
New Zealand 11b & g
13 channels
4 channels 4 channels Not supported 5 channels
Norway 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Pakistan 11b
13 channels
Not supported Not supported Not supported Not supported
Poland 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Portugal 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Puerto Rico
(USA)
11b & g
11 channels
4 channels 4 channels Not supported 5 channels
Spectrum 11b/g Band 1
2.4-2.472/
2.4835 GHz
11a Band 1
5.15-5.25
GHz
11a Band 2
5.25-5.35
GHz
11a Band 3
5.47-5.725
GHz
11a Band 4
5.725-5.825/
5.850 GHz
Channel # 1-11/13 36, 40, 44, 48 52, 56, 60, 64 100, 104,
108, 112,
116, 120,
124, 128,
132, 136,
140
149, 153,
157, 161
(165)
Table 10 Country support list
hwc_regulatory_information.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 51
Regulatory information
Country support list
Qatar 11b
13 channels
Not supported Not supported Not supported Not supported
Romania 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Russia 11b
13 channels
Not supported Not supported Not supported Not supported
Serbia &
Montenegro
11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Singapore 11b & g
13 channels
4 channels 4 channels Not supported 5 channels
Slovakia 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Slovenia 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
South Africa 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Spain 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Sweden 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Switzerland
&
Liechtenstein
11b & g
13 channels
4 channels 4 channels 11 channels Not supported
Taiwan 11b & g
11 channels
Not supported 3 channels 11 channels 4 channels
Thailand 11b & g
13 channels
Not supported Not supported Not supported Not supported
Turkey 11b & g
13 channels
4 channels 4 channels Not supported Not supported
Spectrum 11b/g Band 1
2.4-2.472/
2.4835 GHz
11a Band 1
5.15-5.25
GHz
11a Band 2
5.25-5.35
GHz
11a Band 3
5.47-5.725
GHz
11a Band 4
5.725-5.825/
5.850 GHz
Channel # 1-11/13 36, 40, 44, 48 52, 56, 60, 64 100, 104,
108, 112,
116, 120,
124, 128,
132, 136,
140
149, 153,
157, 161
(165)
Table 10 Country support list
Regulatory information
A31003-W1040-U103-1-7619, Draft February 2007
52 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_regulatory_information.fm
Country support list
UAE 11b
13 channels
Not supported Not supported Not supported Not supported
UK 11b & g
13 channels
4 channels 4 channels 11 channels Not supported
USA 11b & g
11 channels
4 channels 4 channels Not supported 5 channels
Venezuela 11b & g
13 channels
Not supported Not supported Not supported Not supported
Vietnam 11b & g
13 channels
Not supported Not supported Not supported Not supported
Spectrum 11b/g Band 1
2.4-2.472/
2.4835 GHz
11a Band 1
5.15-5.25
GHz
11a Band 2
5.25-5.35
GHz
11a Band 3
5.47-5.725
GHz
11a Band 4
5.725-5.825/
5.850 GHz
Channel # 1-11/13 36, 40, 44, 48 52, 56, 60, 64 100, 104,
108, 112,
116, 120,
124, 128,
132, 136,
140
149, 153,
157, 161
(165)
Table 10 Country support list
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 53
Overview of the Controller, Access Points and Convergence Software solution
Conventional wireless LANS
3 Overview of the Controller, Access Points and
Convergence Software solution
This chapter describes HiPath Controller, Access Points and Convergence Software concepts,
including:
Conventional wireless LANS
Elements of the Controller, Access Points and Convergence Software solution
Controller, Access Points and Convergence Software and your network
System Configuration Overview
The next generation of Siemens wireless networking devices provides a truly scalable WLAN
solution. Siemens Wireless APs are fit access points controlled through a sophisticated
network device, the HiPath Wireless Controller. This solution provides the security and
manageability required by enterprises and service providers.
The Controller, Access Points and Convergence Software system is a highly scalable Wireless
Local Area Network (WLAN) solution developed by Siemens. Based on a third generation
WLAN topology, the Controller, Access Points and Convergence Software system makes
wireless practical for service providers as well as medium and large-scale enterprises.
The Controller, Access Points and Convergence Software system provides a secure, highly
scalable, cost-effective solution based on the IEEE 802.11 standard. The system is intended
for enterprise networks operating on multiple floors in more than one building, and is ideal for
public environments, such as airports and convention centers that require multiple access
points.
This chapter provides an overview of the fundamental principles of the Controller, Access
Points and Convergence Software system.
3.1 Conventional wireless LANS
Wireless communication between multiple computers requires that each computer is equipped
with a receiver/transmitter—a WLAN Network Interface Card (NIC)—capable of exchanging
digital information over a common radio frequency. This is called an ad hoc network
configuration. An ad hoc network configuration allows wireless devices to communicate
together. This setup is defined as an independent basic service set (IBSS).
An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated
hardware bridge or a computer running special software. Computers and other wireless
devices communicate with each other through this access point. The 802.11 standard defines
access point communications as devices that allow wireless devices to communicate with a
distribution system. This setup is defined as a basic service set (BSS) or infrastructure network.
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
54 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Conventional wireless LANS
To allow the wireless devices to communicate with computers on a wired network, the access
points must be connected to the wired network providing access to the networked computers.
This topology is called bridging. With bridging, security and management scalability is often a
concern.
Figure 1 Standard wireless network solution example
The wireless devices and the wired networks communicate with each other using standard
networking protocols and addressing schemes. Most commonly, Internet Protocol (IP)
addressing is used.
RADIUS
Authentication
Server
DHCP
Server
Router
Access
Point
Access
Point
Wireless
Device
Wireless
Device
Ethernet Ethernet
Ethernet
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 55
Overview of the Controller, Access Points and Convergence Software solution
Elements of the Controller, Access Points and Convergence Software solution
3.2 Elements of the Controller, Access Points and Convergence
Software solution
The Controller, Access Points and Convergence Software solution consists of two devices:
HiPath Wireless Controller
Wireless APs
This architecture allows a single HiPath Wireless Controller to control many Wireless APs,
making the administration and management of large networks much easier.
There can be several HiPath Wireless Controllers in the network, each with a set of registered
Wireless APs. The HiPath Wireless Controllers can also act as backups to each other, providing
stable network availability.
In addition to the HiPath Wireless Controllers and Wireless APs, the solution requires three
other components, all of which are standard for enterprise and service provider networks:
RADIUS Server (Remote Access Dial-In User Service) or other authentication server
DHCP Server (Dynamic Host Configuration Protocol)
SLP (Service Location Protocol)
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
56 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Elements of the Controller, Access Points and Convergence Software solution
Figure 2 Siemens solution
As illustrated in Figure 2, the HiPath Wireless Controller appears to the existing network as if it
were an access point, but in fact one HiPath Wireless Controller controls many Wireless APs.
The HiPath Wireless Controller has built-in capabilities to recognize and manage the Wireless
APs. The HiPath Wireless Controller:
Activates the Wireless APs
Enables Wireless APs to receive wireless traffic from wireless devices
Processes the data traffic from the Wireless APs
Forwards or routes the processed data traffic out to the network
Authenticates requests and applies access policies
RADIUS
Authentication
Server
DCHP
Server
HiPath Wireless Controller
Ethernet
Router
Ethernet EthernetWireless Access
Point
Wireless Access
Point
Wireless
Device
Wireless
Device
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 57
Overview of the Controller, Access Points and Convergence Software solution
Elements of the Controller, Access Points and Convergence Software solution
Simplifying the Wireless APs makes them cost-effective, easy to manage, and easy to deploy.
Putting control on an intelligent centralized HiPath Wireless Controller enables:
Centralized configuration, management, reporting, and maintenance
High security
Flexibility to suit enterprise
Scalable and resilient deployments with a few HiPath Wireless Controllers controlling
hundreds of Wireless APs
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
58 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Elements of the Controller, Access Points and Convergence Software solution
The Controller, Access Points and Convergence Software system:
Scales up to Enterprise capacity – One HiPath Wireless Controller C2400 controls as
many as 200 Wireless APs. In turn each Wireless AP can handle up to 254 wireless
devices, with each radio supporting a maximum of 128. With additional HiPath Wireless
Controllers, the number of wireless devices the solution can support can reach into the
thousands.
Integrates with existing network – A HiPath Wireless Controller can be added to an
existing enterprise network as a new network device, greatly enhancing its capability
without interfering with existing functionality. Integration of the HiPath Wireless Controllers
and Wireless APs does not require any reconfiguration of the existing infrastructure (for
example, VLANs).
Offers centralized management and control – An administrator accesses the HiPath
Wireless Controller in its centralized location to monitor and administer the entire wireless
network. From the HiPath Wireless Controller the administrator can recognize, configure,
and manage the Wireless APs and distribute new software releases.
Provides easy deployment of Wireless APs – The initial configuration of the Wireless
APs on the centralized HiPath Wireless Controller can be done with an automatic
“discovery” technique. For more information, see Section 5.2, “Discovery and registration
overview”, on page 95.
Provides security via user authentication – Uses existing authentication (AAA) servers
to authenticate and authorize users.
Provides security via filters and privileges – Uses virtual networking techniques to
create separate virtual networks with defined authentication and billing services, access
policies, and privileges.
Supports seamless mobility and roaming – Supports seamless roaming of a wireless
device from one Wireless AP to another on the same HiPath Wireless Controller or on a
different HiPath Wireless Controller.
Integrates third-party access points – Uses a combination of network routing and
authentication techniques.
Prevents rogue devices – Unauthorized access points are detected and identified as
harmless or dangerous rogue APs.
Provides accounting services – Logs wireless user sessions, user group activity, and
other activity reporting, enabling the generation of consolidated billing records.
Offers troubleshooting capability – Logs system and session activity and provides
reports to aid in troubleshooting analysis.
Offers dynamic RF management – Automatically selects channels and adjusts Radio
Frequency (RF) signal propagation and power levels without user intervention.
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 59
Overview of the Controller, Access Points and Convergence Software solution
Controller, Access Points and Convergence Software and your network
3.3 Controller, Access Points and Convergence Software and your
network
This section is a summary of the components of the Controller, Access Points and
Convergence Software solution on your enterprise network. The following are described in
detail in this guide, unless otherwise stated:
HiPath Wireless Controller – A rack-mountable network device that provides centralized
control over all access points (both Wireless APs and third-party access points) and
manages the network assignment of wireless device clients associating through access
points.
Wireless AP – A wireless LAN fit access point (IEEE 802.11) that communicates only with
a HiPath Wireless Controller. A Wireless AP can also be configured as a sensor, which
monitors and interdicts intrusions by rogue APs and rogue clients.
HiPath Wireless Manager – An optional component of the solution, the HiPath Wireless
Manager monitors the performance and health of the wireless network. The HiPath
Wireless Manager is particularly valuable for installations that incorporate more than one
HiPath Wireless Controller. For more information, see the HiPath Wireless Manager User
Guide.
RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other
authentication server – An authentication server that assigns and manages ID and
Password protection throughout the network. Used for authentication of the wireless users
in either 802.1x or Captive Portal security modes. The RADIUS Server system can be set
up for certain standard attributes, such as filter ID, and for the Vendor Specific Attributes
(VSAs). In addition, Radius Disconnect (RFC3576) which permits dynamic adjustment of
user policy (user disconnect) is supported.
DHCP Server (Dynamic Host Configuration Protocol) (RFC2131) – A server that assigns
IP addresses, gateways, and subnet masks dynamically. IP address assignment for clients
can be done by the DHCP server internal to the HiPath Wireless Controller, or by existing
servers using DHCP relay. It is also used by the Wireless APs to discover the location of
the HiPath Wireless Controller during the initial registration process. For SLP, DHCP
should have Option 78 enabled. Option 78 specifies the location of one or more SLP
Directory Agents.
Service Location Protocol (SLP) (SLP RFC2608) – Client applications are User Agents
and services that are advertised by a Service Agent. In larger installations, a Directory
Agent collects information from Service Agents and creates a central repository. The
Siemens solution relies on registering “siemens” as an SLP Service Agent.
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
60 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Controller, Access Points and Convergence Software and your network
Domain Name Server (DNS) A server used as an alternate mechanism (if present on
the enterprise network) for the automatic discovery process. Controller, Access Points and
Convergence Software relies on the DNS for Layer 3 deployments and for static
configuration of Wireless APs. The controller can be registered in DNS, to provide DNS
assisted AP discovery.
Web Authentication Server – A server that can be used for external Captive Portal and
external authentication. The HiPath Wireless Controller has an internal Captive portal
presentation page, which allows Web authentication (Web redirection) to take place
without the need for an external Captive Portal server.
RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866) – A
server that is required if RADIUS Accounting is enabled.
Simple Network Management Protocol (SNMP) – A Manager Server that is required if
forwarding SNMP messages is enabled.
Check Point Server (Check Point Event Logging API) – A server for security event logging
that is required if a firewall application is enabled. Checkpoint ELA certification for OPSEC
is provided.
Network infrastructure The Ethernet switches and routers must be configured to allow
routing between the various services noted above. Routing must also be enabled between
multiple HiPath Wireless Controllers for the following features to operate successfully:
Availability
Mobility
Mitigator for detection of rogue access points
Some features also require the definition of static routes.
Web Browser A browser provides access to the HiPath Wireless Controller Management
user interface to configure the Controller, Access Points and Convergence Software.
SSH Enabled Device – A device that supports Secure Shell (SSH) is used for remote (IP)
shell access to the system.
Zone Integrity – The Zone integrity server enhances network security by ensuring clients
accessing your network are compliant with your security policies before gaining access.
Zone Integrity Release 5 is supported.
HiPath HiGuard – Provides continuous active intrusion detection and prevention
capabilities. For more information, see the HiPath HiGuard documentation.
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 61
Overview of the Controller, Access Points and Convergence Software solution
Controller, Access Points and Convergence Software and your network
3.3.1 Network traffic flow
Figure 3 illustrates a simple configuration with a single HiPath Wireless Controller and two
Wireless APs, each supporting a wireless device. A RADIUS server on the network provides
authentication, and a DHCP server is used by the Wireless APs to discover the location of the
HiPath Wireless Controller during the initial registration process. Network inter-connectivity is
provided by the infrastructure routing and switching devices.
Figure 3 Traffic Flow diagram
Each wireless device sends IP packets in the 802.11 standard to the Wireless AP. The Wireless
AP uses a UDP (User Datagram Protocol) based tunnelling protocol to encapsulate the packets
and forward them to the HiPath Wireless Controller. In a typical configuration, access points
RADIUS
Authentication
Server
DHCP
Server
External
CP Server
External Web
Authentication
Server
HiPath Wireless Controller
Router
Wireless Access Point
Wireless Access Point
Wireless Device
Wireless Device
Packet transmission
Control and routing
>HWC authenticatess wireless user
>HWC forwards IP packet
to wired network
Tunnelling
> AP sends data traffic to
HWC through UDP tunnel called CTP
> HWC controls Wireless AP through
CTP tunnel
>Using WASSP tunnels, HWC
allows wireless clients to roam to
Wireless APs on different HWCs
802.11 packet transmission
802.11 beacon and probe,
wireless device associates
with a Wireless AP
by its SSID
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
62 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Controller, Access Points and Convergence Software and your network
can be configured to locally bridge traffic (to a configured VLAN) directly at their network point
of attachment. The HiPath Wireless Controller decapsulates the packets and routes these to
destinations on the network.
The HiPath Wireless Controller functions like a standard router, except that it is configured to
route only network traffic associated with wireless connected users. The HiPath Wireless
Controller can also be configured to simply forward traffic to a default or static route if dynamic
routing is not preferred.
3.3.2 Network security
The Controller, Access Points and Convergence Software system provides features and
functionality to control network access. These are based on standard wireless network security
practices.
Current wireless network security methods provide protection. These methods include:
Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys
Open System that relies on Service Set Identifiers (SSIDs)
802.1x that is compliant with Wi-Fi Protected Access (WPA)
Captive Portal based on Secure Sockets Layer (SSL) protocol
The Controller, Access Points and Convergence Software system provides the centralized
mechanism by which the corresponding security parameters are configured for a group of APs.
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area networks
defined in the 802.11b standard
Wi-Fi Protected Access version 1 (WPA1™) with Temporal Key Integrity Protocol (TKIP)
Wi-Fi Protected Access version 2 (WPA2™) with Advanced Encryption Standard (AES)
and Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP)
HiPath HiGuard
The HiPath HiGuard solution provides network security, including:
Monitoring – 2.4 GHz and 5 GHz, all channels association activity
Identifying – Detect all Wi-Fi activity and correlate information from multiple sensors
Auto-Classifying – Limit user intervention to maximize the protection of all devices from
all threats
Preventing – Automatically block threats through dedicated sensors to prevent any impact
on the service level
Visualizing – Visualize measured coverage for service, detection, and prevention
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 63
Overview of the Controller, Access Points and Convergence Software solution
Controller, Access Points and Convergence Software and your network
Locating – Position rogue APs and clients on the floor-plan for permanent removal
3.3.2.1 Authentication
The HiPath Wireless Controller relies on a RADIUS server, or authentication server, on the
enterprise network to provide the authentication information (whether the user is to be allowed
or denied access to the network). A RADIUS client is implemented to interact with infrastructure
RADIUS servers.
The HiPath Wireless Controller provides authentication using:
Captive Portal – a browser-based mechanism that forces users to a Web page
RADIUS (using IEEE 802.1x)
The 802.1x mechanism is a standard for authentication developed within the 802.11 standard.
This mechanism is implemented at the wireless Port, blocking all data traffic between the
wireless device and the network until authentication is complete. Authentication by 802.1x
standard uses Extensible Authentication Protocol (EAP) for the message exchange between
the HiPath Wireless Controller and the RADIUS server.
When 802.1x is used for authentication, the HiPath Wireless Controller provides the capability
to dynamically assign per-wireless-device WEP keys (called per-station WEP keys in 802.11).
Or in the case of WPA, the HiPath Wireless Controller is not involved in key assignment.
Instead, the controller is involved in the path between RADIUS server and the user to negotiate
the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key
which is used by the AP and the user to derive their temporal keys. (The keys change over
time.)
In the Controller, Access Points and Convergence Software, a RADIUS redundancy feature is
provided, where you can define a failover RADIUS server (up to 2 servers) in the event that the
active RADIUS server fails.
3.3.2.2 Privacy
Privacy is a mechanism that protects data over wireless and wired networks, usually by
encryption techniques.
Controller, Access Points and Convergence Software supports the Wired Equivalent Privacy
(WEP) standard common to conventional access points.
It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise
Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption
mechanism is WPA version 2, using Advanced Encryption Standard (AES).
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
64 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Controller, Access Points and Convergence Software and your network
3.3.3 Virtual Network Services
Virtual Network Services (VNS) provide a versatile method of mapping wireless networks to the
topology of an existing wired network.
When you set up VNS on the HiPath Wireless Controller you are defining subnets for groups of
wireless users. The VNS definition provides the binding between VNS IP topology configuration
(Routing, DHCP policy) and the RF configuration parameters that advertise and control
network access (SSID, Privacy policy: WEP and WPA). This technique enables policies and
authentication to be applied to the groups of wireless users on a VNS, as well as the collecting
of accounting information on user sessions that can be used for billing.
When a VNS is set up on the HiPath Wireless Controller:
One or more Wireless APs (by radio) are associated with it
A range of IP addresses is set aside for the HiPath Wireless Controller’s DHCP server to
assign to wireless devices
If routing protocol is enabled, the HiPath Wireless Controller advertises the VNS as a routable
network segment to the wired network and routes traffic between the wireless devices and the
wired network. The HiPath Wireless Controller C2400 also supports VLAN-bridged assignment
for VNSs. This allows the controller to directly bridge the set of wireless devices associated with
a VNS directly to a specified core VLAN. The HiPath Wireless Controller C2400 can support
up to 64 VNSs.The AP radios can be assigned to each of the configured VNSs in a system.
Each AP can be the subject of 8 VNS assignments (corresponding to the number of SSIDs it
can support). Once a radio has all 8 slots assigned, it is no longer eligible for further
assignment.
3.3.4 Static routing and routing protocols
Routing can be used on the HiPath Wireless Controller to support the VNS definitions. Through
the user interface you can configure routing on the HiPath Wireless Controller to use one of the
following routing techniques:
Static routes – Use static routes to set the default route of a HiPath Wireless Controller so
that legitimate wireless device traffic can be forwarded to the default gateway.
Open Shortest Path First (OSPF, version 2) (RFC2328) – Use OSPF to allow the HiPath
Wireless Controller to participate in dynamic route selection. OSPF is a protocol designed
for medium and large IP networks with the ability to segment routes into different areas by
routing information summarization and propagation. Static Route definition and OSPF
dynamic learning can be combined, but a static route definition will take precedence over
dynamic rules.
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 65
Overview of the Controller, Access Points and Convergence Software solution
Controller, Access Points and Convergence Software and your network
Next-hop routing – Use next-hop routing to specify a unique gateway to which traffic on
a VNS is forwarded. Defining a next-hop for a VNS forces all the traffic in the VNS to be
forwarded to the indicated network device, bypassing any routing definitions of the
controller's route table.
3.3.5 Packet filtering policy
Policy refers to the rules that allow different groups of users access to the network. The
Controller, Access Points and Convergence Software system can link authorized users to user
groups. These user groups then can be confined to predefined portions of the network.
In the Controller, Access Points and Convergence Software system, network access policy is
carried out by means of packet filtering within a VNS.
In the HiPath Wireless Controller user interface, you set up a packet filtering policy by defining
a set of hierarchical rules that allow or deny traffic to specific IP addresses, IP address ranges,
or service ports. The sequence and hierarchy of these filtering rules must be carefully designed
based on your enterprise user access plan.
The authentication technique selected determines how filtering is carried out:
If authentication is by SSID and Captive Portal, a non-authenticated filter allows all users
to get as far as the Captive Portal Web page, where logon authentication occurs. When
authentication is returned, then filters are applied, based on user ID and permissions.
If authentication is by AAA (802.1x), users have logged on and have been authenticated
before being assigned an IP address. When authentication is completed, the authenticated
filter is assigned by default unless a more user-specific filter is returned or indicated by the
authentication mechanism. The characteristics and level of access for a filter are controlled
and defined by the system administrator.
3.3.6 Mobility and roaming
In typical configurations that are not HiPath Wireless, APs are setup as bridges that bridge
wireless traffic to the local subnet. In bridging configurations, the user obtains an IP address
from the same subnet as the AP. If the user roams within APs on the same subnet, it is able to
keep using the same IP address. However, if the user roams to another AP outside of that
subnet, its IP address is no longer valid. The user's client device must recognize that the IP
address it has is no longer valid and re-negotiate a new one on the new subnet. The protocol
does not mandate any action on the user. The recovery procedure is entirely client dependent.
Some clients automatically attempt to obtain a new address on roam (which affects roaming
latency), while others will hold on to their IP address. This loss of IP address continuity seriously
affects the client's experience in the network, because in some cases it can take minutes for a
new address to be negotiated.
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
66 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
Controller, Access Points and Convergence Software and your network
The Controller, Access Points and Convergence Software solution centralizes the user's
network point of presence, therefore abstracting and decoupling the user's IP address
assignment from that of the APs location subnet. That means that the user is able to roam
across any AP without loosing its own IP address, regardless of the subnet on which the
serving APs are deployed.
In addition, a HiPath Wireless Controller can learn about other HiPath Wireless Controllers on
the network and then exchange client session information. This enables a wireless device user
to roam seamlessly between different Wireless APs on different HiPath Wireless Controllers.
3.3.7 Network availability
Controller, Access Points and Convergence Software provides availability against Wireless AP
outages, HiPath Wireless Controller outages, and even network outages. The HiPath Wireless
Controller (C2400 model) in a VLAN bridged VNS can potentially allow the user to retain the IP
address in a failover scenario, if the VNS/VLAN is common to both controllers. For example,
availability is provided by defining a paired controller configuration by which each peer can act
as the backup controller for the other's APs. APs in one controller are allowed to failover and
register with the alternate controller.
If a HiPath Wireless Controller fails, all of its associated Wireless APs can automatically switch
over to another HiPath Wireless Controller that has been defined as the secondary or backup
HiPath Wireless Controller. If the AP reboots, the original HiPath Wireless Controller is
restored. The original HiPath Wireless Controller is restored if it is active. However, active APs
will continue to be attached to the failover controller until the administrator releases them back
to the original home controller.
3.3.8 Quality of Service (QoS)
Controller, Access Points and Convergence Software provides advanced Quality of Service
(QoS) management to provide better network traffic flow. Such techniques include:
WMM (Wi-Fi Multimedia) – WMM is enabled per VNS. The HiPath Wireless Controller
provides centralized management of these AP features. For devices with WMM enabled,
the standard provides multimedia enhancements for audio, video, and voice applications.
WMM shortens the time between transmitting packets for higher priority traffic. WMM is
part of the 802.11e standard for QoS.
IP ToS (Type of Service) or DSCP (Diffserv Codepoint) – The ToS/DSCP field in the IP
header of a frame indicates the priority and QoS for each frame. The IP TOS and/or DSCP
is maintained within CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS
information to the CTP header—this is referred to as Adaptive QoS.
Quality of Service (QoS) management is also provided by:
Assigning high priority to an SSID (configurable)
hwc_intro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 67
Overview of the Controller, Access Points and Convergence Software solution
System Configuration Overview
Adaptive QoS (automatic)
Support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice
traffic (configurable)
3.4 System Configuration Overview
To set up and configure the HiPath Wireless Controller and Wireless APs, follow these steps:
1. First-time Setup – Perform “First-Time Setup” of the HiPath Wireless Controller on the
physical network to modify the Management Port IP address for the enterprise network.
2. Product Key – Apply a Product Key file, for licensing purposes. If no Product Key is
enabled, the HiPath Wireless Controller functions with some features enabled in
demonstration mode. Not all features are enabled in this mode. For example, mobility is not
enabled and cannot be used.
3. Data Port Setup – Set up the HiPath Wireless Controller on the network by configuring the
physical data ports and their function as “host port”, “router port”, or “3rd party AP port”.
4. Routing Setup – Configure static routes and OSPF parameters for any port defined as a
router port, if appropriate to the network.
5. Wireless AP Initial Setup – Connect the Wireless APs to the HiPath Wireless Controller.
They will automatically begin the Discovery of the HiPath Wireless Controller, based on
factors that include:
Their Registration mode (in the Wireless AP Registration screen)
The enterprise network services that will support the discovery process
A new feature of the 4.0 release is a default AP configuration. The default AP configuration
allows for a definition of a default configuration template, whereby APs automatically
receive complete configuration. For typical deployments where all APs are to all have the
same configuration, this feature will expedite deployment, as an AP will automatically
receive full configuration (including VNS assignment) upon initial registration with the
HiPath Wireless Controller.
6. Wireless AP Configuration – Modify properties or settings of the Wireless AP, if applicable.
7. Virtual Network Services (VNS) Setup – Set up one or more virtual subnetworks on the
HiPath Wireless Controller. For each VNS, configure the following:
Topology – Configure the VNS.
RF – Assign the Wireless APs’ radios to the VNS.
Authentication and Accounting – Configure the authentication method for the
wireless device user and enable the accounting method.
Overview of the Controller, Access Points and Convergence Software solution
A31003-W1040-U103-1-7619, Draft February 2007
68 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_intro.fm
System Configuration Overview
RAD Policy – Define filter ID values and VNS Groups
Filtering – Define filtering rules to control network access
Multicast – Define groups of IP addresses for multicast traffic
Privacy – Select and configure the wireless security method on the VNS.
QoS Policy – Configure the Qos Policy.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 69
Configuring the HiPath Wireless Controller
4 Configuring the HiPath Wireless Controller
This chapter introduces the HiPath Wireless Controller and describes the steps involved in its
initial configuration and setup, including:
System configuration overview
Performing the first-time setup of the HiPath Wireless Controller
Completing the system configuration
Ongoing Operations of the Controller, Access Points and Convergence Software
The HiPath Wireless Controller is a network device designed to integrate with an existing wired
Local Area Network (LAN). The rack-mountable HiPath Wireless Controller provides
centralized management, network access, and routing to wireless devices that use Wireless
APs to access the network. It can also be configured to handle data traffic from third-party
access points.
The HiPath Wireless Controller provides the following functionality:
Controls and configures Wireless APs, providing centralized management
Authenticates wireless devices that contact a Wireless AP
Assigns each wireless device to a VNS when it connects
Routes traffic from wireless devices, using VNS, to the wired network
Applies filtering policies to the wireless device session
Provides session logging and accounting capability
The HiPath Wireless Controller is available in the following product families:
HiPath Wireless Controller
Model Number
Specifications
C2400 (Enterprise license) Four GigE ports supporting up to 200 Wireless APs
One management port (10/100 BaseT)
One console port (DB9 serial)
Power supply standard (R)
C2400 (Campus license) Four GigE ports supporting up to 100 Wireless APs
One management port (10/100 BaseT)
One console port (DB9 serial)
Power supply standard (R)
Table 11 HiPath Wireless Controller product families
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
70 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
System configuration overview
4.1 System configuration overview
The following section provides a high-level overview of the steps involved in the initial
configuration of your system:
Step 1 – Before you begin configuration
Research the type of WLAN deployment that is required.
Step 2 – Preparing the network
Ensure relevant DHCP servers and RADIUS servers (if applicable) are available and
configured.
Step 3 – Installing the hardware
Install the HiPath Wireless Controller C2400. For more information, see the HiPath Wireless
Controller, Access Points and Convergence Software Controller C2400 Installation
Instructions.
Step 4 – Performing the first-time setup
Perform the first-time Setup of the HiPath Wireless Controller on the physical network, which
includes configuring the physical port IP:
Configure the default IP address to be the relevant subnet point of attachment to the
existing network. The default IP address is 10.0.#.1.
Setup the routing protocol table.
Configure the time zone, and then restart the HiPath Wireless Controller. Because
changing the time zone requires restarting the HiPath Wireless Controller, it is
recommended that you configure the time zone during the initial installation and
configuration of the HiPath Wireless Controller to avoid network interruptions. For more
information, see Section 8.4, “Configuring network time”, on page 228.
To configure a physical port to attach to a VLAN, define the VLAN as part of the IP address
assignment.
Applying the product license key
Apply a product license key file. If a product license key is not applied, the HiPath Wireless
Controller functions with some features enabled in demonstration mode. Not all features are
enabled in demonstration mode. For example, mobility is not enabled and cannot be used.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 71
Configuring the HiPath Wireless Controller
System configuration overview
Configuring for remote access
In addition, the first-time setup also involves configuring for remote access, which includes:
Setting up an administration station (laptop) on subnet 192.168.10.0/24. By default, the
controller's interface is configured with static IP 192.168.10.1.
Configuring the system management interface.
Configuring the data interfaces.
Set up the HiPath Wireless Controller on the network by configuring the physical data ports
and their function as “host port”, “router port”, or “3rd party AP port”.
Configure the routing table.
Configure static routes or OSPF parameters for any port defined as a router port, if
appropriate to the network.
For more information, see Section 4.2, “Performing the first-time setup of the HiPath Wireless
Controller”, on page 72.
Step 5 – Configuring the VNS
Research and then configure the traffic topologies your network must support. Set up one or
more virtual subnetworks on the HiPath Wireless Controller. For each VNS, configure the
following:
Topology – Configure the VNS.
RF – Assign the Wireless APs’ radios to the VNS.
Authentication and Accounting – Configure the authentication method for the wireless
device user and enable the accounting method. The authentication and accounting
configuration is optional. It only applies to Captive Portal or AAA VNSs.
RAD Policy – Define filter ID values and VNS Groups. This configuration is optional.
7Whenever the licensed region changes on the HiPath Wireless Controller, all
Wireless APs are changed to Auto Channel Select to prevent possible infractions
to local RF regulatory requirements. If this occurs, all manually configured radio
channel settings will be lost.
Installing the new license key before upgrading will prevent the HiPath Wireless
Controller from changing the licensed region, and in addition, manually configured
channel settings will be maintained. For more information, see Section 12.4,
“Performing HiPath Wireless Controller software maintenance”, on page 278.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
72 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
Filtering – Define filtering rules to control network access
Multicast – Define groups of IP addresses for multicast traffic. This configuration is
optional. By default, the multicast feature is disabled.
Privacy – Select and configure the wireless security method on the VNS.
QoS Policy – Configure the Qos Policy.
For more information, see Chapter 6, “Virtual Network Services”.
Step 6 – Registering and assigning APs to the VNS
Deploy Wireless APs to their corresponding network locations. Connect the Wireless APs to
the HiPath Wireless Controller. Once the Wireless APs are powered on, they automatically
begin the Discovery process of the HiPath Wireless Controller, based on factors that include:
Their Registration mode (in the Wireless AP Registration screen)
The enterprise network services that will support the discovery process
A new feature available in the 4.0 release is a default AP configuration. The default AP
configuration allows for a definition of a default configuration template, whereby APs
automatically receive complete configuration. For typical deployments where all APs are to all
have same configuration, this feature will expedite deployment, as an AP will automatically
receive full configuration (including VNS assignment) upon initial registration with the HiPath
Wireless Controller. If applicable, modify the properties or settings of the Wireless APs.
For more information, see Chapter 5, “Configuring the Wireless AP”.
Step 7 – Confirming the AP firmware version
Confirm the latest firmware version is loaded. For more information, see Section 5.11,
“Performing Wireless AP software maintenance”, on page 130.
4.2 Performing the first-time setup of the HiPath Wireless Controller
Before you can connect the HiPath Wireless Controller to the enterprise network, you must
change the IP address of the HiPath Wireless Controller management port from its factory
default to the IP address suitable for your enterprise network. Access the HiPath Wireless
Controller by one of two methods:
Use a device supporting VT100 emulation, attached to the DB9 serial port (COM1 port) of
the HiPath Wireless Controller via a cross-over (null modem) cable. Use the Command
Line Interface (CLI) commands. For more information, see the HiPath Wireless Controller,
Access Points and Convergence Software CLI Reference Guide.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 73
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
Use a laptop computer with a Web browser. Connect the supplied cross-over Ethernet
cable between the laptop and management Ethernet port of the HiPath Wireless
Controller. Follow the steps below.
4.2.1 Accessing the HiPath Wireless Controller
1. Statically assign an unused IP address in the 192.168.10.0/24 subnet for the Ethernet port
of the computer. For example, 192.168.10.205.
2. Launch your Web browser (Internet Explorer version 6.0 or higher, or FireFox).
3. In the browser address bar, type the following:
https://192.168.10.1:5825
This launches the HiPath Wireless Assistant. The logon screen is displayed.
4. In the User Name box, type your user name. The default is admin.
5. In the Password box, type your password. The default is abc123.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
74 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
6. Click Login. The HiPath Wireless Assistant main menu screen is displayed.
7. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
8. In the left pane, click IP Addresses. The factory default settings for the HiPath Wireless
Controller are displayed.
>In the footer of the HiPath Wireless Assistant, the following is displayed:
[host name | product name | up time]
For example, [c2000 | C2400 | 2 days, 23:24]. If there is no key (unlicensed),
the product name will not be displayed.
User is the user id you used to login in. For example, admin.
Port Status is the connectivity state of the port. M is for the Management
interface, which is on eth0 and the numbered lights reflect the esa ports on
the system. Green indicates the interface is up and running. Red indicates
the interface is down.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 75
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
9. In the Management Port Settings section, click Modify. The System Port Configuration
screen is displayed.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
76 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
10. Type the following information:
Hostname – Specifies the name of the HiPath Wireless Controller
Domain – Specifies the IP domain name of the enterprise network
Management IP Address – Specifies the new IP address for the HiPath Wireless
Controller’s management port. Change this as appropriate for the enterprise network.
Subnet mask – Specifies the appropriate subnet mask for the IP address to separate
the network portion from the host portion of the address (typically 255.255.255.0)
Management Gateway – Specifies the default gateway of the network
Primary DNS – Specifies the primary DNS server used by the network
Secondary DNS – Specifies the secondary DNS server used by the network
11. To save your changes, click OK.
>The Web connection between the computer and the HiPath Wireless Controller
is now lost. The IP addresses are now set to the network you defined.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 77
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
4.2.1.1 Changing the administrator password
It is recommended to change your default administrator password once your system is
installed.
To change the administrator password:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Management Users.
3. In the user_admin table, click admin.
4. In the Modify User Password box, type the new administrator password.
5. In the Modify User Confirm Password box, type the new administrator password again.
6. Click Change Password.
4.2.2 Connecting the HiPath Wireless Controller to your enterprise
network
Once you have modified the management port configuration settings, the next step is to
connect the HiPath Wireless Controller to your enterprise network.
To connect the HiPath Wireless Controller to your enterprise network:
1. Disconnect your computer from the HiPath Wireless Controller management port.
2. Connect the HiPath Wireless Controller management port to the enterprise Ethernet LAN.
The HiPath Wireless Controller resets automatically.
3. Log on to the HiPath Wireless Assistant. The system is visible to the enterprise network.
4.2.3 Applying the product license key
To ensure all available system functionality is enabled, your product license key must be
applied.
To apply the product license key:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Software Maintenance.
3. Click the HWC Product Keys tab.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
78 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
4. In the Apply Product Key section, click Browse to navigate to the location of the product
key file and select the file.
5. Click Apply Now. The product license key is applied.
4.2.4 Setting up the data ports
The next step in the initial setup of the HiPath Wireless Controller is to configure the physical
data ports.
A new HiPath Wireless Controller is shipped from the factory with all its data ports set up as
host ports. Support of management traffic is disabled on all data ports. Port configuration
allows for the explicit state of the administration state for each interface. By default, data
interface states will be disabled. You can then enable each of the data interfaces individually. A
disabled interface does not allow data to flow (receive/transmit).
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 79
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
VLAN ID parameter
You can define a specific VLAN tag to be applied to a particular interface. All packets associated
with that port will be tagged with the corresponding VLAN. This allows the HiPath Wireless
Controller to directly attach to a VLAN network without the need to remove VLAN tags at the
connection port.
You can redefine the data ports to function as one of three types:
Host Port
Use a host port definition for connecting Wireless APs with no dynamic routing. A host port
has dynamic routing disabled to ensure that the port does not participate in dynamic
routing operations, such as OSPF, to advertise the availability of Virtual Network Segments
(VNS) hosted by the HiPath Wireless Controller. Host ports may still be used as the target
for static route definitions.
Third-Party AP Port
Use a third-party AP port definition for a port to which you will connect third-party APs. Only
one port can be configured for third-party APs.
Selecting this option prepares the port to support a third-party AP setup allowing the
mapping of a VNS to the physical port. The VNS settings permit the definition of policy,
such as filters and Captive Portal, which manage the traffic flow for wireless users
connected to these APs.
The third-party APs must operate as layer-2 bridges. The third-party AP VNS is isolated
from the rest of the network. The HiPath Wireless Controller assumes control over the
layer-3 functions including DHCP.
Router Port
Use a router port definition for a port that you want to connect to an upstream, next-hop
router in the network. Dynamic routing protocol, such as OSPF, can be turned on for this
port type.
Wireless APs can be attached to a router port. The HiPath Wireless Controller will create
a virtual VNS port and handle wireless device traffic in the same manner as a host port.
>Third-party access points must not be directly connected to a router port.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
80 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
There is a fourth port type that is not configurable in the HiPath Wireless Assistant:
Virtual Network Services (VNS) interface
A VNS port is a virtual port created automatically on the HiPath Wireless Controller when
a new VNS is defined. The VNS port becomes the default gateway for wireless devices on
this VNS. No Wireless APs can be associated with a VNS port and no routing is permitted
on this port.
The chart below summarizes the port types and their functions:
To configure the data port interfaces on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click IP Addresses. The Management Port Settings and Interfaces
screen is displayed.
Port Type Host 3rd-Party AP Router VNS
IP Forwarding No No Selectable.
Route wireless
device traffic only.
No
Wireless AP support Yes No Ye s No
Mgmt traffic support
(SNMP, HTTP, TELNET, SLP,
RADIUS, DHCP)
Selectable Selectable Selectable Selectable
Routing protocol support
(IP, OSPF and PIM)
No No Selectable No
Table 12 Port types and functions
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 81
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
The lower portion of the HiPath Wireless Controller Configuration screen displays the
four Ethernet ports. For each port, the MAC address is displayed automatically.
3. To select a port, click it.
Port configuration allows for the explicit state of the administration state for each interface.
By default, data interface states will be disabled. You can then enable each of the data
interfaces individually. A disabled interface does not allow data to flow (receive/transmit).
4. Type the following:
IP address The IP Address of the physical Ethernet port.
Subnet mask – The appropriate subnet mask for the IP address, which separates the
network portion from the host portion of the address (typically 255.255.255.0).
MTU – The Maximum Transmission Unit or maximum packet size for this port. The
default setting is 1500. If you change this setting and are using OSPF, be sure that the
MTU of each port in the OSPF link matches.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
82 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
5. Select a Function from the drop-down list:
Host Port – Specifies a port for connecting Wireless APs with no dynamic routing.
Third-Party AP Port – Specifies a port to which you will connect third-party access
points.
Router Port – Specifies a port that you want to connect to an upstream, next-hop
router in the network.
6. To enable management traffic, select the Mgmt checkbox. Enabling management provides
access to SNMP (v2, get), SSH, and HTTPs management interfaces.
7. To enable the SLP protocol, select the SLP checkbox.
Wireless APs use this port for discovery and registration. Other controllers can use this
port to enable inter-controller device mobility if this port is configured to use SLP or the
HiPath Wireless Controller is running as a manager and SLP is the discovery protocol used
by the agents.
8. To allow Multicast Support, select Enabled from the drop-down list.
9. To save your changes, click Save.
4.2.5 Setting up static routes
It is recommended that you define a default route to your enterprise network, either with a static
route or by using OSPF protocol. A default route enables the HiPath Wireless Controller to
forward packets to destinations that do not match a more specific route definition.
>If the routed connection to an AP traverses a link that imposes a lower MTU than
the default 1500 bytes, the HiPath Wireless Controller and AP both participate
in MTU discovery to automatically learn the correct MTU and adjust their
settings accordingly. At the HiPath Wireless Controller, MTU adjustments are
tracked on a per AP basis.
>For OSPF routing on a port, the port must be configured as a router port.
>This option does not override the built-in protection filters on the port.
The built-in protection filters for the port, which are restrictive in the types of
packets that are allowed to reach the management plane, are extended with a
set of definitions that allow for access to system management services through
that interface (SSH, SNMP, HTTPS:5825).
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 83
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
To set a static route on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed.
3. To add a new route, in the Destination Address box type the destination IP address of a
packet. To define a default static route for any unknown address not in the routing table,
type 0.0.0.0.
4. In the Subnet Mask box, type the appropriate subnet mask to separate the network portion
from the host portion of the IP address (typically 255.255.255.0). To define the default static
route for any unknown address, type 0.0.0.0.
5. In the Gateway box, type the IP address of the specific router port or gateway on the same
subnet as the HiPath Wireless Controller to which to forward these packets. This is the IP
address of the next hop between the HiPath Wireless Controller and the packet’s ultimate
destination.
6. Click Add. The new route is added to the list of routes.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
84 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
7. Select the Override dynamic routes checkbox to give priority over the OSPF learned
routes, including the default route, which the HiPath Wireless Controller uses for routing.
This option is selected by default.
To remove this priority for static routes, so that routing is controlled dynamically at all times,
clear the Override dynamic routes checkbox.
8. To save your changes, click Save.
To view the forwarding table on the HiPath Wireless Controller:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. To view the static routes that have been defined for the HiPath Wireless Controller, click
Forwarding Table. The Forwarding Table is displayed.
This report displays all defined routes, whether static or OSPF, and their current status.
>If you enable dynamic routing (OSPF), the dynamic routes will normally have
priority for outgoing routing. For internal routing on the HiPath Wireless
Controller, the static routes normally have priority.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 85
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
3. To update the display, click Refresh.
4.2.6 Setting up OSPF Routing
To enable OSPF (OSPF RFC2328) routing, you must:
Define one data port as a router port in the IP Addresses screen
Enable OSPF globally on the HiPath Wireless Controller
Define the global OSPF parameters
Enable (or disable) OSPF on the port that you defined as a router port
Ensure that the OSPF parameters defined here for the HiPath Wireless Controller are
consistent with the adjacent routers in the OSPF area. This consistency includes the following:
If the peer router has different timer settings, the protocol timer settings in the HiPath
Wireless Controller must be changed to match, in order to achieve OSPF adjacency.
The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the
HiPath Wireless Controller is defined as 1500, in the IP Addresses screen, during data
port setup. This matches the default MTU in standard routers.
To set OSPF Routing Global Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed.
3. Click the OSPF tab.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
86 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
4. From the OSPF Status drop-down list, select ON to enable OSPF.
5. In the Router ID box, type the IP address of the HiPath Wireless Controller. This ID must
be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a
router ID from one of the HiPath Wireless Controllers interface IP addresses.
6. In the Area ID box, type the area. 0.0.0.0 is the main area in OSPF.
7. From the Area Type drop-down list, select one of the following:
Default – The default acts as the backbone area (also known as area zero). It forms
the core of an OSPF network. All other areas are connected to it, and inter-area routing
happens via a router connected to the backbone area.
Stub – The stub area does not receive external routes. External routes are defined as
routes which were distributed in OSPF via another routing protocol. Therefor, stub
areas typically rely on a default route to send traffic routes outside the present domain.
Not-so-stubby – The not-so-stubby area is a type of stub area that can import
autonomous system (AS) external routes and send them to the default/backbone area,
but cannot receive AS external routes from the backbone or other areas.
8. To save your changes, click Save.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 87
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
To set OSPF Routing Port Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols.
3. Click the OSPF tab. The OSPF Settings screen is displayed.
4. From the Port Status drop-down list, select Enabled to enable OSPF on the port. The
default setting is Disabled.
5. In the Link Cost box, type the OSPF standard for your network for this port. This is the cost
of sending a data packet on the interface. The lower the cost, the more likely the interface
is to be used to forward data traffic.
6. From the Authentication drop-down list, select the authentication type for OSPF on your
network: None or Password. The default setting is None.
7. If Password was selected as the authentication type, in the Password box, type the
password. If None was selected as the Authentication type, leave this box blank. This
password must match on either end of the OSPF connection.
8. Type the following:
Hello-Interval – Specifies the time in seconds (displays OSPF default).The default
setting is 10 seconds.
Dead-Interval – Specifies the time in seconds (displays OSPF default). The default
setting is 40 seconds.
Retransmit-Interval – Specifies the time in seconds (displays OSPF default). The
default setting is 5 seconds.
Transmit Delay– Specifies the time in seconds (displays OSPF default). The default
setting is 1 second.
9. To save your changes, click Save.
>If more than one port is enabled for OSPF, it is important to prevent the HiPath
Wireless Controller from serving as a router for other network traffic (other than
the traffic from wireless device users controlled by the HiPath Wireless
Controller). To ensure that the HiPath Wireless Controller is never the preferred
OSPF route, set the Link Cost to its maximum value of 65535. Filters should also
be defined that will drop routed packets. For more information, see Section 7.6,
“Configuring filtering rules for a VNS”, on page 179.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
88 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
To confirm that ports are set for OSPF:
1. To confirm that the ports are set up for OSPF, and that advertised routes from the upstream
router are recognized, click View Forwarding Table. The Forwarding Table is displayed.
The following additional reports display OSPF information when the protocol is in
operation:
OSPF Neighbor – Displays the current neighbors for OSPF (routers that have
interfaces to a common network)
OSPF Linkstate – Displays the Link State Advertisements (LSAs) received by the
currently running OSPF process. The LSAs describe the local state of a router or
network, including the state of the router’s interfaces and adjacencies.
2. To update the display, click Refresh.
4.2.7 Filtering at the interface level
The Controller, Access Points and Convergence Software has a number of built-in filters that
protect the system from unauthorized traffic. These filters are specific only to the HiPath
Wireless Controller. These filters are applied at the network interface level and are
automatically invoked. By default, these filters provide stringent-level rules to allow only access
to the system's externally visible services. In addition to these built-in filters, the administrator
can define specific exception filters at the interface-level to customize network access. These
filters do not depend on a VNS definition.
4.2.8 Built-in port-based exception filters
On the HiPath Wireless Controller, various port-based exception filters are built in and invoked
automatically. These filters protect the HiPath Wireless Controller from unauthorized access to
system management functions and services via the ports. Access to system management
functions is granted if the administrator selects the allow management option.
Allow management traffic is now specific to the interface being allowed. For example, if allow
management is allowed on a physical port (esa0), only users connected through ESA0 will be
able to get access to the system. Users connecting on any other interface such as a VNS (esa6)
will no longer be able to target ESA0 to gain management access to the system. In order to
allow access for users connected on a VNS, the VNS configuration itself must have allow
management enabled and users will only be able to target the VNS interface specifically.
>You can also enable management traffic in the VNS definition.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 89
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
For example, on the HiPath Wireless Controller’s data interfaces (both physical interfaces and
VNS virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP.
However, such traffic is allowed, by default, on the management port.
If management traffic is explicitly enabled for any interface (physical port or VNS), access is
implicitly extended to that interface through any of the other interfaces (VNS). Only traffic
specifically allowed by the interface’s exception filter is allowed to reach the HiPath Wireless
Controller itself. All other traffic is dropped. Exception filters are dynamically configured and
regenerated whenever the system's interface topology changes (for example, a change of IP
address for any interface).
Enabling management traffic on an interface adds additional rules to the exception filter, which
opens up the well-known IP(TCP/UDP) ports, corresponding to the HTTPS, SSH, and SNMP
applications.
The port-based built-in exception filtering rules, in the case of traffic from VNS users, are
applicable to traffic targeted directly for the VNSs interface. For example, a VNS filter may be
generic enough to allow traffic access to the HiPath Wireless Controller's management (for
example, Allow All [*.*.*.*]). Exception filter rules are evaluated after the user's VNS assigned
filter policy, as such, it is possible that the VNS policy allow the access to management
functions that the exception filter denies. These packets are dropped.
To enable SSH, HTTPS, or SNMP access through a data interface:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click IP Addresses. The Management Port Settings screen is displayed.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
90 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Performing the first-time setup of the HiPath Wireless Controller
3. Select the appropriate interface in the IP Addresses screen.
4. Select the corresponding Management checkbox.
5. To save your changes, click Save.
4.2.9 User defined port-based exception filters
You can add specific filtering rules at the port level in addition to the built-in rules. Such rules
give you the capability of restricting access to a port, for specific reasons, such as a Denial of
Service (DoS) attack.
The filtering rules are set up in the same manner as filtering rules defined for a VNS — specify
an IP address and then either allow or deny traffic to that address. For more information, see
Section 7.6, “Configuring filtering rules for a VNS”, on page 179.
The rules defined for port exception filters are prepended to the normal set of restrictive
exception filters and have precedence over the system's normal protection enforcement.
hwc_startup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 91
Configuring the HiPath Wireless Controller
Performing the first-time setup of the HiPath Wireless Controller
To define port exception filters:
1. From the main menu, click Wireless Controller Configuration. The HiPath Wireless
Controller Configuration screen is displayed.
2. In the left pane, click Port Exception Filters. The Port Exception Filters screen is
displayed.
3. Select the applicable data port from the Port drop-down list.
4. In the IP / subnet: port box, type the destination IP address. You can also specify an IP
range, a port designation or a port range on that IP address.
5. From the Protocol drop-down list, select the protocol you want to specify for the filter. This
list may include UDP, TCP, IPsec-ESP, IPsec-AH, ICMP. The default is N/A.
7If defined improperly, user exception rules may seriously compromise the systems
normal security enforcement rules. They may also disrupt the system's normal
operation and even prevent system functionality altogether. It is advised to only
augment the exception-filtering mechanism if absolutely necessary.
Configuring the HiPath Wireless Controller
A31003-W1040-U103-1-7619, Draft February 2007
92 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_startup.fm
Completing the system configuration
6. Click Add. The new filter is displayed in the Filter section of the screen.
7. To select the new filter, click it.
8. To allow traffic, select the Allow checkbox.
9. To adjust the order of the filtering rules, click Up or Down to position the rule. The filtering
rules are executed in the order defined here.
10. To save your changes, click Save.
4.3 Completing the system configuration
Once you have performed the initial configuration of the HiPath Wireless Controller, you are
now ready to do the following:
Configuring the VNS – For more information, see Chapter 6, “Virtual Network Services”.
Registering and assigning APs to the VNS – For more information, see Chapter 5,
“Configuring the Wireless AP”.
4.4 Ongoing Operations of the Controller, Access Points and
Convergence Software
Once you have configured the VNS and registered and assigned APs to the VNS, the
Controller, Access Points and Convergence Software system configuration is complete.
Ongoing operations of the Controller, Access Points and Convergence Software system can
include the following:
HiPath Wireless Controller System Maintenance
Wireless AP Maintenance
Client Disassociate
Logs and Traces
Reports and Displays
For more information, see Chapter 12, “Performing system maintenance”.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 93
Configuring the Wireless AP
Wireless AP overview
5 Configuring the Wireless AP
This chapter discusses the Wireless AP and its role in the Controller, Access Points and
Convergence Software solution, including:
Wireless AP overview
Discovery and registration overview
Configuring the Wireless APs for the first time
Adding and registering a Wireless AP manually
Modifying Wireless AP settings
Configuring Dynamic Radio Management
Modifying a Wireless AP’s properties based on a default AP configuration
Modifying the Wireless AP’s default setting using the Copy to Defaults feature
Configuring APs simultaneously
Configuring an AP as a sensor
Performing Wireless AP software maintenance
5.1 Wireless AP overview
The Wireless AP is a wireless LAN access point that uses the 802.11 wireless standards
(802.11a+b/g) for network communications. The Wireless AP bridges network traffic to an
Ethernet LAN. The Wireless AP is provided with proprietary software that allows it to
communicate only with the HiPath Wireless Controller.
The Wireless AP physically connects to a LAN infrastructure and establishes an IP connection
to the HiPath Wireless Controller. The Wireless AP has no user interface—instead the Wireless
AP is managed through the HiPath Wireless Assistant. The Wireless AP’s configuration is
centrally managed and applied from the HiPath Wireless Controller. In addition, the HiPath
Wireless Controller provides centralized management (verification and upgrade) of the
Wireless AP firmware image.
All communication with the HiPath Wireless Controller is carried out using a UDP-based
protocol, which encapsulates IP traffic from the Wireless AP and directs it to the HiPath
Wireless Controller. The HiPath Wireless Controller decapsulates the packets and routes them
to the appropriate destinations, while managing sessions and applying policy.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
94 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Wireless AP overview
Wireless AP models
The Wireless AP has two models:
Model AP2610 – Internal antenna, internal dual (multimode) diversity antennas
Model AP2620 – External antenna (dual external antennas), RP-SMA connectors
Wireless AP radios
The Wireless AP has two radios:
5 GHz radio supporting the 802.11a standard – The 802.11a standard is an extension
to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5-GHz band.
The 802.11a standard uses an orthogonal frequency division multiplexing encoding
scheme, rather than Frequency-Hopping Spread Spectrum (FHSS) or Direct-Sequence
Spread Spectrum (DSSS).
2.4 GHz radio supporting the 802.11b/g standards – The 802.11g standard applies to
wireless LANs and specifies a transmission rate of 54 Mbps. The 802.11b (High Rate)
standard is an extension to 802.11 that specifies a transmission rate of 11 Mbps. Since
802.11g uses the same communication frequency range as 802.11b (2.4 GHz), 802.11g
devices can co-exist with 802.11b devices on the same network.
The radios on the Wireless AP are enabled or disabled through the HiPath Wireless Assistant.
Both radios can be enabled to offer service simultaneously. For more information, see Section
7.1, “Topology for a VNS”, on page 150.
The Unlicensed National Information Infrastructure (U-NII) bands are three frequency bands of
100 MHz each in the 5 GHz band, designated for short-range, high-speed, wireless networking
communication.
The Wireless AP supports the full range of 802.11a:
5.15 to 5.25 GHz – U-NII Low Band
5.25 to 5.35 GHz – U-NII Middle Band
5.725 to 5.825 GHz – U-NII High Band
New 5.470 GHz to 5.725 GHz Band (when approved by FCC)
>In order to comply with FCC regulations in North America, the U-NII Low Band (5.15
to 5.25 GHz band) is disabled for the Model AP2620.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 95
Configuring the Wireless AP
Discovery and registration overview
Wireless AP international licensing
Wireless APs are licensed to operate in North America, Japan (Wireless APs support 802.11j),
the European Union countries, and European Union free trade countries. Each European
Union country is assigned a particular radio band. The Wireless AP must be configured to
operate on the appropriate radio band according to each European Union country. For more
information, see Section 2.2.3, “European Community”, on page 35.
To configure the appropriate radio band according to each European Union country, use the
HiPath Wireless Assistant. For more information, see Section 5.5.3, “Modifying a Wireless AP’s
properties”, on page 110.
5.2 Discovery and registration overview
When the Wireless AP is powered on, it automatically begins a discovery process to determine
its own IP address and the IP address of the HiPath Wireless Controller. When the discovery
process is successful, the Wireless AP registers with the HiPath Wireless Controller.
5.2.1 Wireless AP discovery
Wireless APs discover the IP address of a HiPath Wireless Controller using a sequence of
mechanisms that allow for the possible services available on the enterprise network. The
discovery process is successful when the Wireless AP successfully locates a HiPath Wireless
Controller to which it can register.
You must ensure that the appropriate services on your enterprise network are prepared to
support the discovery process. The following five steps summarize the discovery process:
Step 1 – Use the IP address of the last successful connection to a HiPath Wireless
Controller.
Once a Wireless AP has successfully registered with a HiPath Wireless Controller, it
recalls that controller's IP address, and uses that address on subsequent reboots. The AP
bypasses discovery and goes straight to registration. If this discovery method fails, it cycles
through the remaining steps until successful.
Step 2 – Use the predefined static IP addresses for the HiPath Wireless Controllers
on the network (if configured).
You can specify a list of static IP addresses of the HiPath Wireless Controllers on your
network. On the Static Configuration tab, add the addresses to the Wireless Controller
Search List.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
96 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Discovery and registration overview
Step 3 – Use Dynamic Host Configuration Protocol (DHCP) Option 78 to locate a
Service Location Protocol (SLP) Directory Agent (DA), followed by a unicast SLP
request to the Directory Agent.
To use the DHCP and unicast SLP discovery method, you must ensure that the DHCP
server on your network supports Option 78 (DHCP for SLP RFC2610). The Wireless APs
use this method to discover the HiPath Wireless Controller.
This solution takes advantage of two services that are present on most networks:
DHCP (Dynamic Host Configuration Protocol) – The standard means of providing
IP addresses dynamically to devices on a network.
SLP (Service Location Protocol) – A means of allowing client applications to
discover network services without knowing their location beforehand. Devices
advertise their services using a Service Agent (SA). In larger installations, a Directory
Agent (DA) collects information from SAs and creates a central repository (SLP
RFC2608).
The HiPath Wireless Controller contains an SLP SA that, when started, queries the DHCP
server for Option 78 and if found, registers itself with the DA as service type Siemens. The
HiPath Wireless Controller contains a DA (slpd).
The Wireless AP queries DHCP servers for Option 78 in order to locate any DAs. The
Wireless APs SLP User Agent then queries the DAs for a list of Siemens SAs.
Option 78 must be set for the subnets connected to the ports of the HiPath Wireless
Controller and the subnets connected to the Wireless APs. These subnets must contain an
identical list of DA IP addresses.
Step 4 – Use a Domain Name Server (DNS) lookup for the host name
Controller.domain-name.
If no DA is found, or if it has no Siemens SAs registered, the Wireless AP attempts to locate
a HiPath Wireless Controller via DNS.
If you use this method for discovery, place an A record in the DNS server for
Controller.<domain-name>. The <domain-name> is optional, but if used, ensure it is listed
with the DHCP server.
7Wireless APs configured with a static Wireless Controller Search List can only
connect to HiPath Wireless Controllers in the list. Improperly configured Wireless
APs cannot connect to a non-existent HiPath Wireless Controller address, and
therefore cannot receive a corrected configuration.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 97
Configuring the Wireless AP
Discovery and registration overview
Step 5 – Use a multicast SLP request to find SLP SAs
If all of the preceding methods fail to locate a HiPath Wireless Controller, the Wireless AP
sends a multicast SLP request, looking for any SLP Service Agents providing the Siemens
service.
5.2.2 Registration after discovery
Any of the discovery steps 2 through 5 can inform the Wireless AP of a list of multiple IP
addresses to which the Wireless AP may attempt to connect. Once the Wireless AP has
discovered these addresses, it sends out connection requests to each of them. These requests
are sent simultaneously. The Wireless AP will attempt to register only with the first which
responds to its request.
When the Wireless AP obtains the IP address of the HiPath Wireless Controller, it connects and
registers, sending its serial number identifier to the HiPath Wireless Controller, and receiving
from the HiPath Wireless Controller a port IP address and binding key.
Once the Wireless AP is registered with a HiPath Wireless Controller, the Wireless AP must be
configured. After the Wireless AP is registered and configured, it can be assigned to a Virtual
Network Segment (VNS) to handle wireless traffic.
5.2.2.1 Default Wireless AP configuration
Default AP configuration simplifies the registration after discovery process. Default Wireless AP
configuration acts as a configuration template that can be automatically assigned to new
registering APs. The default Wireless AP configuration allows you to specify common sets of
radio configuration parameters and VNS assignments for APs. For more information, see
Section 5.5.2, “Configuring the default AP settings”, on page 106.
5.2.3 Understanding the Wireless AP LED status
When the Wireless AP is powered on and boots, you can follow its progress through the
registration process by observing the LED sequence described below.
The Status LED (center) also indicates power—unlit when unit is off, and green (solid) when
the AP has completed discovery and is operational.
Figure 4 Wireless AP LED
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
98 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Discovery and registration overview
The table below assumes the software uses a timer and multiple phases to simulate LED
blinking on all three LEDs. For example, an LED status of Red indicates the LED is solid colored
Red, an LED status of Off/Green/Off indicates that the LED is Off for the first phase, Green for
the second phase, and Off for the third phase.
7Never disconnect a Wireless AP from its power supply during a firmware upgrade.
Disconnecting a Wireless AP from its power supply during a firmware upgrade may
cause firmware corruption rendering the AP unusable.
Left LED
Status
Center LED
Status
Right LED
Status
AP Status
Off Off Off Powered-off
Off Green Off Beginning of Power-On-Self-Test
(POST) (0.5 seconds)
Off Off Off POST
Off Red Off Failure during POST
Green Off Green Random delay – State displayed only
after a vulnerable reset
Green/Off Off/Green Green/Off Vulnerable time interval – The Wireless
AP resets to factory default if powered-
off for three consecutive times during
this state. No vulnerable period when
AP is resetting to factory defaults.
Green/Off/
Off
Off/Green/Off Off/Off/Green Resetting to factory defaults
announcement – Replaces vulnerable
period. This pattern is repeated twice
to notify the operator when the factory
configuration is restored.
Off Orange
(Green + Red)
Off Attempting to obtain an IP address via
DHCP.
Off Red/Orange Off No DHCP reply has been received.
Off Green/
Orange
Off Failed discovery (SLP).
Off Off/Orange Off HiPath Wireless Controller has been
discovered. Registering the AP.
Off Off/Red Off Registration of the AP has failed.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 99
Configuring the Wireless AP
Configuring the Wireless APs for the first time
Table 13 Wireless AP LED status
5.3 Configuring the Wireless APs for the first time
Before the Wireless AP is configured for the first time, you must first confirm that the following
has already occurred:
The HiPath Wireless Controller has been set up. For more information, see Chapter 4,
“Configuring the HiPath Wireless Controller”.
The Controller, Access Points and Convergence Software has been configured. For more
information, see Chapter 4, “Configuring the HiPath Wireless Controller”.
The Wireless APs have been installed. For more information, see the HiPath Wireless
Controller, Access Points and Convergence Software AP Installation Instructions.
Once the above processes are complete, you can then continue with the Wireless AP initial
configuration. The Wireless AP initial configuration involves two steps:
Step One – Define parameters for the discovery process. For more information, see
Section 5.3.1, “Defining properties for the discovery process”, on page 100.
Step Two – Connect the Wireless AP to a power source to initiate the discovery and
registration process. For more information, see Section 5.3.2, “Connecting the Wireless AP
to a power source and initiating the discovery and registration process”, on page 103.
Off Off/Green Off Standby, registered with a HiPath
Wireless Controller, waiting for
configuration.
Green when
802.11b/g
enabled
Off
otherwise
Green Green when 802.11a
enabled
Off otherwise
Radios enabled per user settings
Off Red/Green Off Upgrading firmware.
>Random delays do not occur during normal reboot. A random delay only occurs after
vulnerable period power-down.
The Wireless AP can be reset to its factory default settings. For more information,
see Section 12.2, “Resetting the AP to its factory default settings”, on page 274.
Left LED
Status
Center LED
Status
Right LED
Status
AP Status
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
100 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Configuring the Wireless APs for the first time
Adding a Wireless AP manually option
An alternative to the automatic discovery and registration process of the Wireless AP is to
manually add and register a Wireless AP to the HiPath Wireless Controller. For more
information, see Section 5.4, “Adding and registering a Wireless AP manually”, on page 103.
5.3.1 Defining properties for the discovery process
Before a Wireless AP is configured, you must define properties for the discovery process. The
discovery process is the process by which the Wireless APs determine the IP address of the
HiPath Wireless Controller.
The properties that need to be defined are:
Security mode
Discovery timers
Security mode
Security mode is a HiPath Wireless Controller property. It defines how the controller behaves
when registering new, unknown devices. During the registration process, the HiPath Wireless
Controller’s approval of the Wireless AP’s serial number depends on the security mode that has
been set:
Allow all Wireless APs to connect
If the HiPath Wireless Controller does not recognize the registering serial number, a
new registration record is automatically created for the AP (if within MDL license limit).
The AP receives a default configuration. The default configuration can be the default
template assignment.
If the HiPath Wireless Controller recognizes the serial number, it indicates that the
registering device is pre-registered with the controller. The controller uses the existing
registration record to authenticate the AP and the existing configuration record to
configure the AP.
Allow only approved Wireless APs to connect (this is also known as secure mode)
If HiPath Wireless Controller does not recognize the AP, the AP's registration record is
created in pending state (if within MDL limits). The administrator is required to
manually approve a pending AP for it to provide active service. The pending AP
receives minimum configuration, which only allows it to maintain an active link with the
controller for future state change. The AP's radios are not configured or enabled.
Pending APs are not eligible for configuration operations (VNS Assignment, default
template, Radio parameters) until approved.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 101
Configuring the Wireless AP
Configuring the Wireless APs for the first time
If the HiPath Wireless Controller recognizes the serial number, the controller uses the
existing registration record to authenticate the AP. Following successful authentication,
the AP is configured according to its stored configuration record.
Discovery timers
The discovery timer parameters dictate the number of retry attempts and the time delay
between each attempt.
To define the discovery process parameters:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click AP Registration. The Wireless AP Registration screen is
displayed.
>During the initial setup of the network, it is recommended to select the Allow all
Wireless APs to connect option. This option is the most efficient way to get a
large number of Wireless APs registered with the HiPath Wireless Controller.
Once the initial setup is complete, it is recommended that the security mode is
reset to the Allow only approved Wireless APs to connect option. This option
ensures that no unapproved Wireless APs are allowed to connect. For more
information, see Section 5.5, “Modifying Wireless AP settings”, on page 104.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
102 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Configuring the Wireless APs for the first time
3. In the Security Mode section, select one of the following:
Allow all Wireless APs to connect
Allow only approved Wireless APs to connect
The Allow all Wireless APs to connect option is selected by default. For more
information, see Section 5.3.1, “Security mode”, on page 100.
4. In the Discovery Timers section, type the discovery timer values in the following boxes:
Number of retries
Delay between retries
The number of retries is limited to 255 in a five minutes discovery period. The default
number of retries is 3, and the default delay between retries is 1 second.
5. To save your changes, click Save.
Once the discovery parameters are defined, you can connect the Wireless AP to a power
source.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 103
Configuring the Wireless AP
Adding and registering a Wireless AP manually
5.3.2 Connecting the Wireless AP to a power source and initiating the
discovery and registration process
When a Wireless AP is powered on, it automatically begins the discovery and registration
process with the HiPath Wireless Controller. A Wireless AP can be connected and powered in
the following ways:
Power over Ethernet (802.3af):
PoE enabled switch port
PoE Injector
Power by AC adaptor
For more information, see the AP Install Guide.
5.4 Adding and registering a Wireless AP manually
An alternative to the automatic discovery and registration process of the Wireless AP is to
manually add and register a Wireless AP to the HiPath Wireless Controller. The Wireless AP
is added with default settings. For more information, see Section 5.5, “Modifying Wireless AP
settings”, on page 104.
To add and register a Wireless AP manually:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. Click Add Wireless AP. The Add Wireless AP screen is displayed.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
104 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
3. In the Serial # box, type the unique identifier.
4. From the Hardware Type drop-down list, select the hardware type of the Wireless AP.
5. In the Name box, type a unique name for the Wireless AP.
6. In the Description box, type descriptive comments for the Wireless AP.
7. In the Port # drop-down list, select the Ethernet port through which the Wireless AP can
be reached.
8. Click Add Wireless AP. The Wireless AP is added and registered.
When a Wireless AP is added manually, it is added to the controller database only and
does not get assigned.
9. Click Close.
5.5 Modifying Wireless AP settings
Wireless APs are added with default settings, which you can adjust and configure according to
your network requirements. In addition, you can modify the properties and the settings for each
radio on the Wireless AP.
You can also locate and select Wireless APs in specific registration states to modify their
settings. For example, this feature is useful when approving pending Wireless APs when there
are a large number of other Wireless APs that are already registered. From the Access
Approval screen, click Pending to select all pending Wireless APs, then click Approve to
approve all selected Wireless APs.
5.5.1 Modifying a Wireless AP’s status
If during the discovery process, the HiPath Wireless Controller security mode was Allow only
approved Wireless APs to connect, then the status of the Wireless AP is Pending. You must
modify the security mode to Allow all Wireless APs to connect. For more information, see
Section 5.3.1, “Security mode”, on page 100.
To modify a Wireless AP's registration status:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click Access Approval. The Access Approval screen is displayed, along
with the registered Wireless APs and their status.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 105
Configuring the Wireless AP
Modifying Wireless AP settings
3. To select the Wireless APs for status change, do one of the following:
For a specific Wireless AP, select the corresponding checkbox.
For Wireless APs by category, click one of the Select Wireless APs options.
To deselect your Wireless AP selections, click Clear All.
4. Click the appropriate Perform action on selected Wireless APs option:
Approved – Change a Wireless AP's status from Pending to Approved, if the AP
Registration screen was set to register only approved Wireless APs.
Approved as Sensor – AP ceases performing RF services and begins performing
scanning services. For more information, see Section 5.10, “Configuring an AP as a
sensor”, on page 128.
Pending – AP is removed from the Active list, and is forced into discovery.
>Only approve an AP as a sensor if HiPath HiGuard has been installed on your
HiPath Wireless Manager. For more information, see the HiPath Wireless
Manager User Guide.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
106 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
Release – Release foreign Wireless APs after recovery from a failover. Releasing an
AP corresponds to the Availability functionality. For more information, see Chapter 8,
“Availability, mobility, and controller functionality”.
Delete – Delete this Wireless AP from the VNS.
5.5.2 Configuring the default AP settings
Wireless APs are added with default settings. You can modify the system’s Wireless AP default
settings accordingly, and then use these default settings to configure newly added Wireless
APs. In addition, you can base the system’s Wireless AP default settings on an existing
Wireless AP configuration or have configured Wireless APs inherit the properties of the default
Wireless AP configuration when they register with the system.
To configure the default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click AP Default Settings.
3. Modify the following AP default settings as required:
AP Properties
Radio Settings
Static Configuration
Dynamic Radio Management
VNS Assignments
4. In the AP Properties section, modify the following:
Poll Timeout * Interval – Type the timeout and interval values, in seconds, for polling
the controller. The default values are 10 seconds and 2 seconds, respectively.
Telnet Access – Select whether Telnet Access to the Wireless AP is enabled or
disabled.
Maintain client sessions – Select whether the AP should remain active if a link loss
with the controller occurs.This option is enabled by default.
>Only APs that are in Pending state can be approved as a sensor or as an AP. To
change the role of an approved AP, use the Role drop-down list on the AP
Properties tab or the AP Multi-edit screen.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 107
Configuring the Wireless AP
Modifying Wireless AP settings
Broadcast for disassoc. – Select if you want the Wireless AP to use broadcast
disassociation when disconnecting all clients, instead of disassociating each client one
by one. This will affect the behavior of the AP under the following conditions:
If the Wireless AP is preparing to reboot or to enter one of the special modes
(DRM initial channel selection).
If a BSSID is deactivated or removed on the Wireless AP.
This option is enabled by default.
Country – Select the country of operation. This option is only available with some
licenses.
5. In the Radio Settings section, modify the following:
Enable Radio – Select the radios you want to enable.
DTIM * Beacon Period – For each radio, type the desired DTIM (Delivery Traffic
Indication Message) period—the number of beacon intervals between two DTIM
beacons. To ensure the best client power savings, use a large number. For example,
5. Use a small number for broadcast and multicast delay. The default value is 1.
RTS/CTS * Frag. Threshold – For each radio, type the packet size threshold, in bytes,
above which the packet will be preceded by an RTS/CTS (Request to Send/Clear to
Send) handshake. The default value is 2346, which means all packets are sent without
RTS/CTS. Reduce this value only if necessary. Also, type the fragment size threshold,
in bytes, above which the packets will be fragmented by the AP prior to transmission.
The default value is 2346, which means all packets are sent unfragmented. Reduce
this value only if necessary.
Channel – For each radio, select the wireless channel that the Wireless AP will use to
communicate with wireless devices. Depending on the regulatory domain (based on
country), some channels may be restricted. The default value is based on North
America. The Auto selection allows the Wireless AP to select the appropriate channel
automatically. For more information, see Chapter 2, “Regulatory information”.
If DRM is enabled (DRM is enabled by default), it scans automatically for a channel,
using a channel selection algorithm. For more information, see Section 5.6,
“Configuring Dynamic Radio Management”, on page 123.
TX Power Level – For each radio, select the Tx power level: Min, 13%, 25%, 50%, or
Max. If Dynamic Radio Management (DRM) was enabled on the DRM screen, this
option is read-only.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
108 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
RX Diversity – For each radio, select Best for the best signal from both antennas, or
Left or Right to choose either of the two diversity antennas. The default and
recommended selection is Best. If only one antenna is connected, use the
corresponding Left or Right diversity setting. Do not use Best if two identical antennas
are not used.
TX Diversity – For each radio, select Best for the best signal from both antennas, or
Left or Right to choose either of the two diversity antennas. The default selection is
Best, which maximizes performance for most clients. However, some clients may
behave oddly with Tx Diversity set to Best. Under those circumstances, it is
recommended to use either Left or Right for Tx Diversity. If only one antenna is
connected, use the corresponding Left or Right diversity setting. Do not use Best if
two identical antennas are not used.
Operational Rate Set – For each radio, select the data rate that clients can operate
at while associated with the AP: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, or 54 Mbps. The
Best data rate allows the Wireless AP to select the best data rate automatically.
Basic Rates – Select the data rates that must be supported by all stations in a BSS:
1, 2 or 1, 2, 5.5, and 11 Mbps.
Preamble – Select a preamble type for 11b-specific (CCK) rates: Short, Long, or
Auto. The recommended value is Auto. Select Short if you are sure that there is no
pre-11b AP or a client in the vicinity of this AP. Select Long if compatibility with pre-
11b clients is required.
Protection Mode – Select a protection mode: None, Auto, or Always. The default and
recommended setting is Auto. Select None if 11b APs and clients are not expected.
Select Always if you expect many 11b-only clients.
Protection Rate – Select a protection rate: 1, 2, 5.5, or 11 Mbps. The default and
recommended setting is 11. Only reduce the rate if there are many 11b clients in the
environment or if the deployment has areas with poor coverage. For example, rates
lower than 11 Mbps are required to ensure coverage.
Protection Type – Select a protection type: CTS Only or RTS CTS. The default and
recommended setting is CTS Only. Select RTS CTS only if an 11b AP that operates
on the same channel is detected in the neighborhood, or if there are many 11b-only
clients in the environment.
Min Basic Rate – For both radios, select the minimum data rate that must be
supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes.
Select 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. If necessary, the Max Basic
Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both
Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate, (for
example, 6, 12, or 24 Mbps) all basic rates will be 11g-specific.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 109
Configuring the Wireless AP
Modifying Wireless AP settings
Max Basic Rate – For both radios, Select the maximum data rate that must be
supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes.
Select 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. If necessary, the Max Basic
Rate choices adjust automatically to be higher or equal to the Min Basic Rate. If both
Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate, (for
example, 6, 12, or 24 Mbps) all basic rates will be 11g-specific.
Max Operational Rate – Select the maximum data rate that clients can operate at
while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Select 1, 2, 5.5,
6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes. If necessary,
the Max Operational Rate choices adjust automatically to be higher or equal to the
Min Basic Rate.
6. In the Static Configuration section, modify the following:
In the Add box, type the IP address of the HiPath Wireless Controller that will control
this Wireless AP.
Click Add. The IP address is added to the list.
Repeat to add additional HiPath Wireless Controllers.
Click Up and Down to modify the order of the controllers. The maximum is three
controllers.
The Wireless AP attempts to connect to the IP addresses in the order in which they
are listed. The Wireless AP is successful when it finds a HiPath Wireless Controller
that will allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the Wireless
Controller Search List box is not populated, the Wireless AP will use SLP to discover
a HiPath Wireless Controller.
The DHCP function for wireless clients must be provided locally by a local DHCP
server, unless each wireless client has a static IP address.
7. In the Dynamic Radio Management section, modify the following:
Enable – Select Enable or Disable. DRM is enabled by default.
Coverage – Select Shaped or Standard. Shaped coverage adjusts the range based
on neighboring Wireless APs and standard coverage adjusts the range to the client
that is the most distant, as indicated by its signal strength.
Avoid WLAN – For each radio, select On or Off.
Minimum TX – For each radio, select the minimum power level that the range of
transmit power can be adjusted dynamically.
Maximum TX – For each radio, select the maximum power level that the range of
transmit power can be adjusted dynamically.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
110 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
8. In the VNS Assignments section, assign the radios for each VNS in the list by selecting
or clearing the radio checkboxes.
9. To save your changes, click Save.
5.5.3 Modifying a Wireless AP’s properties
Once a Wireless AP has successfully registered, you can then modify its properties. Modifying
an AP’s properties can include modifying properties on the following tabs:
AP properties
802.11b/g
802.11a
Static Configuration
Modifying an AP’s properties is similar to modifying the system’s default AP settings, only now
you are modifying an individual Wireless AP.
You can modify a Wireless AP’s properties based on its role either as an access point or as a
sensor. For more information, see Section 5.10, “Configuring an AP as a sensor”, on page 128.
To modify a Wireless AP’s properties as an access point:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to modify. The
AP Properties tab displays Wireless AP information.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 111
Configuring the Wireless AP
Modifying Wireless AP settings
3. Modify the Wireless AP’s information:
Name – Type a unique name for the Wireless AP that identifies the AP. The default
value is the Wireless AP’s serial number.
Description – Type comments for the Wireless AP.
Port # – Select the Ethernet port of the controller the Wireless AP is connected to.
Role – Select the role for the AP, either Access Point or Sensor. Once the AP is
configured as a Sensor, the AP no longer performs RF services and is no longer
managed by the HiPath Wireless Controller. For more information, see Section 5.10,
“Configuring an AP as a sensor”, on page 128.
Poll Timeout – Type the timeout value, in seconds, for polling the controller. The
default value is 10 seconds.
Poll Interval – Type the interval value, in seconds, for polling the controller. The default
value is 2 seconds.
>Only assign APs to the sensor role if HiPath HiGuard has been installed on your
HiPath Wireless Manager. For more information, see the HiPath Wireless
Manager User Guide.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
112 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
Telnet Access – Select whether Telnet Access to the Wireless AP is enabled or
disabled.
Maintain client session in event of poll failure – Select this option if the AP should
remain active if a link loss with the controller occurs.This option is enabled by default.
Use broadcast for disassociation – Select if you want the Wireless AP to use
broadcast disassociation when disconnecting all clients, instead of disassociating
each client one by one. This will affect the behavior of the AP under the following
conditions:
If the Wireless AP is preparing to reboot or to enter one of the special modes
(DRM initial channel selection).
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
Country – Select the country of operation. This option is only available with some
licenses.
The following on the AP Properties tab are view only:
Serial # – Displays a unique identifier that is assigned during the manufacturing
process.
Hardware Version – Displays the current version of the Wireless AP hardware.
Application Version – Displays the current version of the Wireless AP software.
Status:
Approved – Indicates that the Wireless AP has received its binding key from the
HiPath Wireless Controller after the discovery process.
Pending – Indicates that the Wireless AP has not yet successfully been approved
for access with the secure controller.
You can modify the status of a Wireless AP on the Access Approval screen. For more
information, see Section 5.5.1, “Modifying a Wireless AP’s status”, on page 104
Active Clients – Displays the number of wireless devices currently active on the
Wireless AP.
4. To save your changes, click Save.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 113
Configuring the Wireless AP
Modifying Wireless AP settings
To modify a Wireless AP’s properties as a sensor:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to modify. The
AP Properties tab displays Wireless AP information.
3. Modify the Wireless AP’s information:
Name – Type a unique name for the Wireless AP that identifies the AP. The default
value is the Wireless AP’s serial number.
Description – Type comments for the Wireless AP.
Role – Select the role for the AP, either Access Point or Sensor. Once the AP is
configured as a Sensor, the AP no longer performs RF services and is no longer
managed by the HiPath Wireless Controller. For more information, see Section 5.10,
“Configuring an AP as a sensor”, on page 128.
4. To save your changes, click Save.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
114 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
5.5.4 Modifying the Wireless AP’s radio properties
Most properties of the Wireless AP’s radios can be modified without requiring a reboot of the
Wireless AP. However, modifying the following will require a reboot of the Wireless AP:
Enabling or disabling either radio
Changing the radio channel between Auto and any fixed channel number
If the Wireless AP does require a reboot, a warning message is displayed to the user in the
HiPath Wireless Assistant.
To modify the Wireless AP’s radio properties:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. Click the appropriate Wireless AP in the list.
3. Click the radio tab you want to modify.
Each tab displays the radio settings for each radio on the Wireless AP. If the radio has been
assigned to a VNS, the VNS names and MAC addresses appear in the Base Settings
section. The HiPath Wireless Controller C2400 can support up to 64 VNSs.The AP radios
can be assigned to each of the configured VNSs in a system. Each AP can be the subject
of 8 VNS assignments (corresponding to the number of SSIDs it can support). Once a radio
has all 8 slots assigned, it is no longer eligible for further assignment.
The BSS Info section is view only. After VNS configuration, the Basic Service Set (BSS)
section displays the MAC address on the Wireless AP for each VNS and the SSIDs of the
VNSs to which this radio has been assigned.
If applicable, click the 802.11b/g tab to modify the radio properties.
>When an AP is assigned to the sensor role, its configuration data is preserved on the
controller. The configuration data can only be modified when the AP is switched back
to the AP role.
If an AP is assigned to the sensor role, the 802.11b/g, 802.11a, and Static
Configuration tabs are not visible.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 115
Configuring the Wireless AP
Modifying Wireless AP settings
DTIM Period – Type the desired DTIM (Delivery Traffic Indication Message)
period—the number of beacon intervals between two DTIM beacons. To ensure
the best client power savings, use a large number. For example, 5. Use a small
number for broadcast and multicast delay. The default value is 1.
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
RTS/CTS Threshold – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send)
handshake. The default value is 2346, which means all packets are sent without
RTS/CTS. Reduce this value only if necessary.
Frag. Threshold – Type the fragment size threshold, in bytes, above which the
packets will be fragmented by the AP prior to transmission. The default value is
2346, which means all packets are sent unfragmented. Reduce this value only if
necessary.
802.11b – Select to enable the 802.11b mode of the 802.11b/g radio. If disabled,
the AP will not accept associations from 11b clients.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
116 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
802.11g – Select to enable the 802.11g mode of the 802.11b/g radio. If disabled,
the AP will use 11g-specific (OFDM) rates with all of the associated clients.
Channel – Select the wireless channel that the Wireless AP will use to
communicate with wireless devices. Depending on the regulatory domain (based
on country), some channels may be restricted. The default value is based on
North America. The Auto selection allows the Wireless AP to select the
appropriate channel automatically. For more information, see Chapter 2,
“Regulatory information”.
If DRM is enabled (DRM is enabled by default), it scans automatically for a
channel, using a channel selection algorithm. For more information, see Section
5.6, “Configuring Dynamic Radio Management”, on page 123.
Tx Power Level – Select the Tx power level: Min, 13%, 25%, 50%, or Max. If
Dynamic Radio Management (DRM) was enabled on the DRM screen, this option
is read-only.
Rx Diversity – Select Best for the best signal from both antennas, or Left or
Right to choose either of the two diversity antennas. The default and
recommended selection is Best. If only one antennae is connected, use the
corresponding Left or Right diversity setting. Do not use Best if two identical
antennas are not used.
Tx Diversity – Select Best for the best signal from both antennas, or Left or Right
to choose either of the two diversity antennas. The default selection is Best, which
maximizes performance for most clients. However, some clients may behave
oddly with Tx Diversity set to Best. Under those circumstances, it is
recommended to use either Left or Right for Tx Diversity. If only one antennae is
connected, use the corresponding Left or Right diversity setting. Do not use Best
if two identical antennas are not used.
Min Basic Rate – Select the minimum data rate that must be supported by all
stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Select 1, 2,
5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate. If both
Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate, (for
example, 6, 12, or 24 Mbps) all basic rates will be 11g-specific.
Max Basic Rate – Select the maximum data rate that must be supported by all
stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Select 1, 2,
5.5, 6, 11, 12, or 24 Mbps for 11g-only mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate. If both
Min Basic Rate and Max Basic Rate are set to an 11g-specific (OFDM) rate, (for
example, 6, 12, or 24 Mbps) all basic rates will be 11g-specific.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 117
Configuring the Wireless AP
Modifying Wireless AP settings
Max Operational Rate – Select the maximum data rate that clients can operate
at while associated with the AP: 1, 2, 5.5, or 11 Mbps for 11b-only mode. Select
1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps for 11b+11g or 11g-only modes.
If necessary, the Max Operational Rate choices adjust automatically to be higher
or equal to the Min Basic Rate.
No of Retries for Background BK – Select the number of retries for the
Background transmission queue. The default value is 4. The recommended
setting is adaptive (multi-rate).
No of Retries for Best Effort BE – Select the number of retries for the Best Effort
transmission queue. The default value is 4. The recommended setting is adaptive
(multi-rate).
No of Retries for Video VI – Select the number of retries for the Video
transmission queue. The default value is 4. The recommended setting is adaptive
(multi-rate).
No of Retries for Voice VO – Select the number of retries for the Voice
transmission queue. The default value is 1. The recommended setting is adaptive
(multi-rate).
No of Retries for Turbo Voice TVO – Select the number of retries for the Turbo
Voice transmission queue. The default value is 1. The recommended setting is
adaptive (multi-rate).
Preamble – Select a preamble type for 11b-specific (CCK) rates: Short, Long, or
Auto. The recommended value is Auto. Select Short if you are sure that there is
no pre-11b AP or a client in the vicinity of this AP. Select Long if compatibility with
pre-11b clients is required.
Protection Mode – Select a protection mode: None, Auto, or Always. The default
and recommended setting is Auto. Select None if 11b APs and clients are not
expected. Select Always if you expect many 11b-only clients.
Protection Rate – Select a protection rate: 1, 2, 5.5, or 11 Mbps. The default and
recommended setting is 11. Only reduce the rate if there are many 11b clients in
the environment or if the deployment has areas with poor coverage. For example,
rates lower than 11 Mbps are required to ensure coverage.
Protection Type – Select a protection type: CTS Only or RTS CTS. The default
and recommended setting is CTS Only. Select RTS CTS only if an 11b AP that
operates on the same channel is detected in the neighborhood, or if there are
many 11b-only clients in the environment.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
118 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
If applicable, click the 802.11a tab to modify the radio properties.
DTIM Period – Type the desired DTIM (Delivery Traffic Indication Message) period—
the number of beacon intervals between two DTIM beacons. To ensure the best client
power savings, use a large number. For example, 5. Use a small number for broadcast
and multicast delay. The default value is 1.
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
>The overall throughput is reduced when Protection Mode is enabled, due to the
additional overhead caused by the RTS/CTS. The overhead is minimized by
setting Protection Type to CTS Only and Protection Rate to 11 Mbps.
Although, the overhead causes the overall throughput to be sometimes lower
than if just 11b mode is used. If there are many 11b clients, it is recommended
to disable 11g support (11g clients are backward compatible with 11b APs).
An alternate approach, although a more expensive method, is to dedicate all
APs on a channel for 11b (for example, disable 11g on these APs) and disable
11b on all other APs. The difficulty with this method is that the number of APs
must be increased to ensure coverage separately for 11b and 11g clients.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 119
Configuring the Wireless AP
Modifying Wireless AP settings
RTS/CTS Threshold – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send) handshake.
The default value is 2346, which means all packets are sent without RTS/CTS. Reduce
this value only if necessary.
Frag. Threshold – Type the fragment size threshold, in bytes, above which the
packets will be fragmented by the AP prior to transmission. The default value is 2346,
which means all packets are sent unfragmented. Reduce this value only if necessary.
802.11a – Select to enable the 802.11a radio.
802.11j – Select to enable the 802.11j mode for the 802.11a radio. This option is
available only in Japan. When enabled, it allows access to the 4.9Ghz and 5.0Ghz
wireless bands.
Channel – Select the wireless channel that the Wireless AP will use to communicate
with wireless devices. Depending on the regulatory domain (based on country), some
channels may be restricted. The default value is based on North America. The Auto
selection allows the Wireless AP to select the appropriate channel automatically. For
more information, see Chapter 2, “Regulatory information”.
If DRM is enabled (DRM is enabled by default), it scans automatically for a channel,
using a channel selection algorithm. For more information, see Section 5.6,
“Configuring Dynamic Radio Management”, on page 123.
Tx Power Level – Select the Tx power level: Min, 13%, 25%, 50%, or Max. If Dynamic
Radio Management (DRM) was enabled on the DRM screen, this option is read-only.
Rx Diversity – Select Best for the best signal from both antennas, or Left or Right to
choose either of the two diversity antennas. The default and recommended selection
is Best. If only one antennae is connected, use the corresponding Left or Right
diversity setting. Do not use Best if two identical antennas are not used.
Tx Diversity – Select Best for the best signal from both antennas, or Left or Right to
choose either of the two diversity antennas. The default selection is Best, which
maximizes performance for most clients. However, some clients may behave oddly
with Tx Diversity set to Best. Under those circumstances, it is recommended to use
either Left or Right for Tx Diversity. If only one antennae is connected, use the
corresponding Left or Right diversity setting. Do not use Best if two identical antennas
are not used.
Min Basic Rate – Select the minimum data rate that must be supported by all stations
in a BSS: 6, 12, or 24 Mbps. If necessary, the Max Basic Rate choices adjust
automatically to be higher or equal to the Min Basic Rate.
Max Basic Rate – Select the maximum data rate that must be supported by all
stations in a BSS: 6, 12, or 24 Mbps. If necessary, the Max Basic Rate choices adjust
automatically to be higher or equal to the Min Basic Rate.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
120 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
Max Operational Rate – Select the maximum data rate that clients can operate at
while associated with the AP: 6, 9, 12, 18, 24, 36, 48, or 54 Mbps. If necessary, the
Max Operational Rate choices adjust automatically to be higher or equal to the Max
Basic Rate.
No of Retries for Background BK – Select the number of retries for the Background
transmission queue. The default value is 4. The recommended setting is adaptive
(multi-rate).
No of Retries for Best Effort BE – Select the number of retries for the Best Effort
transmission queue. The default value is 4. The recommended setting is adaptive
(multi-rate).
No of Retries for Video VI – Select the number of retries for the Video transmission
queue. The default value is 4. The recommended setting is adaptive (multi-rate).
No of Retries for Voice VO – Select the number of retries for the Voice transmission
queue. The default value is 1. The recommended setting is adaptive (multi-rate).
No of Retries for Turbo Voice TVO – Select the number of retries for the Turbo Voice
transmission queue. The default value is 1. The recommended setting is adaptive
(multi-rate).
4. To save your changes, click Save.
5.5.5 Setting up the Wireless AP using static configuration
The Wireless AP static configuration feature provides the HiPath Wireless Controller, Access
Points and Convergence Software solution with the capability for a network with either a central
office or a branch office model. The static configuration settings assist in the setup of branch
office support. These settings are not dependent of branch topology, but instead can be
employed at any time if required. In the branch office model, Wireless APs are installed in
remote sites, while the HiPath Wireless Controller is in the central office. The Wireless APs
require the capability to interact in both the local site network and the central network. To
achieve this model, a static configuration is used.
>Radio a channels 100 to 140 occupy the 5470-5725 MHz band in the regulatory
domains of the European Union and European Union free trade countries.
Radio B/G Channels 12 to 14 are not available in North America.
>If a Wireless AP with a statically configured IP address (without a statically
configured Wireless Controller Search List) cannot register with the HiPath Wireless
Controller within the specified number of retries, the Wireless AP will use SLP, DNS,
and SLP multicast as a backup mechanism.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 121
Configuring the Wireless AP
Modifying Wireless AP settings
To set up a Wireless AP using static configuration:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. Click the appropriate Wireless AP in the list.
3. Click the Static Configuration tab.
4. Select one of the VLAN settings for the Wireless AP:
Tagged - VLAN ID – Select if you want to assign this AP to a specific VLAN and type
the value in the box.
Untagged – Select if you want this AP to be untagged. This option is selected by
default.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
122 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying Wireless AP settings
5. Select one of the two methods of IP address assignment for the Wireless AP:
Use DHCP – Select this option to enable Dynamic Host Configuration Protocol
(DHCP). This option is enabled by default.
Static Values – Select this option to specify the IP address of the Wireless AP.
IP Address – Type the IP address of the AP.
Subnet Mask – Type the appropriate subnet mask to separate the network portion
from the host portion of the address.
Gateway – Type the default gateway of the network.
7Caution should be exercised when using this feature. If a VLAN tag is not
configured properly, the connectivity with the AP will be lost. To configure the AP
VLAN, do the following:
Connect the AP to the HiPath Wireless Controller or to the network point that
does not require AP VLAN tagging.
Use Static Configuration to enable VLAN and define the VLAN ID.
Save the configuration on the AP. The AP reboots and looses connectivity to the
HiPath Wireless Controller.
Disconnect the AP and attach it to its final network location.
If the VLAN settings match the network configuration, the AP registers with the
HiPath Wireless Controller successfully. If the AP VLAN is not configured
properly (wrong tag), connecting to the AP may not be possible. To recover from
this situation, you will need to reset the AP to its factory default settings. For
more information, see Section 12.2, “Resetting the AP to its factory default
settings”, on page 274.
>For first-time deployment of the Wireless AP for static IP assignment, (a branch
office scenario is an example of a setup that may require static IP assignment),
it is recommended to use DHCP initially on the central office network to obtain
an IP address for the Wireless AP. Then enter these values in the Static
Configuration tab for this Wireless AP and save the configuration. Since APs
ship from the factory with DHCP mode enabled by default, the APs require the
assistance of a local DHCP server to obtain its initial IP address. The AP can
then register with the controller, at which point it can receive the proper static
definition parameters and be moved to its target location if necessary.
If the AP IP address is not configured properly, connecting to the AP may not be
possible. To recover from this situation, you will need to reset the AP to its
factory default settings. For more information, see Section 12.2, “Resetting the
AP to its factory default settings”, on page 274.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 123
Configuring the Wireless AP
Configuring Dynamic Radio Management
6. In the Add box, type the IP address of the HiPath Wireless Controller that will control this
Wireless AP.
7. Click Add. The IP address is added to the list.
8. Repeat steps 5 and 6 to add additional HiPath Wireless Controllers.
9. Use the Up and Down buttons to modify the order of the controllers. The maximum is three
controllers.
The Wireless AP attempts to connect to the IP addresses in the order in which they are
listed. The Wireless AP is successful when it finds a HiPath Wireless Controller that will
allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the Wireless
Controller Search List box is not populated, the Wireless AP will use SLP to discover a
HiPath Wireless Controller.
The DHCP function for wireless clients must be provided locally by a local DHCP server,
unless each wireless client has a static IP address.
10. To save your changes, click Save.
5.6 Configuring Dynamic Radio Management
The Dynamic Radio Management (DRM) feature for the Wireless AP is enabled by default. The
DRM feature:
Adjusts power levels to balance coverage if another Wireless AP, which is assigned to the
same SSID and is on the same channel, is added to or leaves the network.
Allows wireless clients to be moved to another Wireless AP if the load is too high.
Scans automatically for a channel, using a channel selection algorithm.
Avoids other WLANs by reducing transmit power whenever other APs with the same
channel, but different SSIDs are detected.
To configure the DRM software:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click DRM.
3. Confirm the Enable DRM checkbox is selected.
4. To refresh the Wireless APs list, click Save. The list is populated with the Wireless APs.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
124 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Configuring Dynamic Radio Management
5. From the list of registered Wireless APs, select the checkbox corresponding to the Wireless
AP you want to configure for DRM. The DRM properties are populated with default values
when DRM is enabled.
6. In the Coverage drop-down list, select:
Std – (Standard Coverage) Adjusts the range to the client that is the most distant, as
indicated by its signal strength.
Shpd – (Shaped Coverage) Adjusts the range based on neighboring Wireless APs.
7. If applicable, from the Avoid WLAN drop-down list, select on.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 125
Configuring the Wireless AP
Modifying a Wireless AP’s properties based on a default AP configuration
8. In the RF Domain ID box, type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and power levels. The maximum length of the string
is 15 characters.
9. From the Minimum drop-down list, select the minimum power level below which the power
cannot be further reduced by the DRM.
10. From the Maximum drop-down list, select the maximum power level above which the
power cannot be further increased by the DRM.
11. Click Apply to selected APs.
12. To save your changes, click Save.
13. To re-establish baseline settings, forcing the APs to go through the auto-channel selection
process, click Reset DRM. This will cause all APs using DRM to reboot and rerun the
auto-channel selection algorithm.
5.7 Modifying a Wireless AP’s properties based on a default AP
configuration
If you have a Wireless AP that is already configured with its own settings, but would like the
Wireless AP to be reset to use the system’s default AP settings, use the Reset to Defaults
feature on the AP Properties tab.
To configure a Wireless AP with the system’s default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to modify. The
AP Properties tab displays Wireless AP information.
3. Click Reset to Defaults to have the Wireless AP inherit the system’s default AP settings.
A pop-up window asking you to confirm the configuration change is displayed.
4. Click OK to confirm resetting the AP to the default settings.
>If SSID Broadcast is disabled and DRM is enabled, you must provide an RF
Domain ID.
>Due to limited power control resolution, the actual power limits may differ slightly
from the settings you define.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
126 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Modifying the Wireless AP’s default setting using the Copy to Defaults feature
5.8 Modifying the Wireless AP’s default setting using the Copy to
Defaults feature
You can modify the system’s default AP settings by using the Copy to Defaults feature on the
AP Properties tab. This feature allows the properties of an already configured AP to become
the system’s default AP settings.
To modify the system’s default AP settings based on an already configured AP:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to become the
system’s default AP settings. The AP Properties tab displays Wireless AP information.
3. If applicable, modify the Wireless AP’s properties. For more information, see Section 5.5.3,
“Modifying a Wireless AP’s properties”, on page 110.
4. Click Copy to Defaults to make this AP’s configuration be the system’s default AP settings.
A pop-up window asking you to confirm the configuration change is displayed.
5. Click OK to confirm resetting the system’s default AP settings.
5.9 Configuring APs simultaneously
In addition to configuring APs individually, you can also configure multiple APs simultaneously
by using the AP Multi-edit functionality.
To configure APs simultaneously:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click AP Multi-edit.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 127
Configuring the Wireless AP
Configuring APs simultaneously
3. In the Wireless APs list, select one or more APs to edit. To select multiple APs, select the
appropriate APs from the list while pressing the CTRL key. The Channel drop-down list is
not available if using the multi-edit feature.
>When using multi-edit configuration, any box or option that is not explicitly
modified will not be changed by the update.
The Wireless APs shown in the Wireless APs list can be from any version of
the software. Attributes that are common between software versions are set on
all Wireless APs. Attributes that are not common, are only sent to the AP
versions to which the attributes apply. Attempting to set an attribute that does
not apply for an AP will not abort the multi-edit operation.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
128 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Configuring an AP as a sensor
4. Modify the configuration of the selected Wireless APs:
AP Properties – For more information, see Section 5.5.3, “Modifying a Wireless AP’s
properties”, on page 110.
Radio Settings – For more information, see Section 5.5.4, “Modifying the Wireless
AP’s radio properties”, on page 114.
Static Configuration – For more information, see Section 5.5.5, “Setting up the
Wireless AP using static configuration”, on page 120.
5. In the AP Properties, Radio Settings, and Static Configuration sections of the screen,
select and enter the attributes you want to edit for all selected APs.
6. To save your changes, click Save.
5.10 Configuring an AP as a sensor
An AP that is configured as a sensor performs scanning services and relays information to the
HWMA (HiPath Wireless Manager Advanced). When an AP is Approved as Sensor, the AP
does the following:
Connection to the HiPath Wireless Controller is severed
AP registers with the HWMA
The AP performs scanning services (the AP no longer performs RF services for the HiPath
Wireless Controller)
When an AP is operating as a sensor, it has no interaction with the HiPath Wireless Controller,
and it does not perform like an AP: it does not allow devices to associate to it and traffic is not
forwarded through it. An AP operating as a sensor is managed by the HWMA. The HWMA’s
sensor domain license (SDL) limit governs the number of sensors the customer can have.
When an AP is configured as a sensor, the AP’s current configuration data is retained in the
controller database. If the sensor is later configured back to perform RF services, its previous
configuration data is reassigned to it. For more information, see the HiPath Wireless Manager
User Guide.
In order for APs configured as sensors to connect with the HWMA, you must configure the
Sensor Management values for the HiPath Wireless Controller:
TFTP server IP address
Path to sensor image
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 129
Configuring the Wireless AP
Configuring an AP as a sensor
To configure Sensor Management values for the HiPath Wireless Controller:
1. From the main menu, click Wireless AP Configuration. The HiPath Wireless AP screen
is displayed.
2. In the left pane, click Sensor Management. The Wireless AP Sensor Management
screen is displayed.
3. Type the following:
TFTP Server – The IP of the TFTP server the AP is to retrieve the sensor image file
from.
Path to Image – The filename and location of the sensor image.
4. To save your changes, click Save.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
130 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Performing Wireless AP software maintenance
5.11 Performing Wireless AP software maintenance
Periodically, the software used by the Wireless APs is altered for reasons of upgrade or security.
The new version of the AP software is installed from the HiPath Wireless Controller.
The software for each Wireless AP can be uploaded either immediately, or the next time the
Wireless AP connects. Part of the Wireless AP boot sequence is to seek and install its software
from the HiPath Wireless Controller.
Although a number of the properties of each radio on a Wireless AP can be modified without
requiring a reboot of the AP, a reboot is required after:
Enabling or disabling either radio, or changing the radio channel between Auto and any
fixed channel number
Adding the Wireless AP to a VNS, or changing its radio assignment in a VNS
The Wireless AP keeps a backup copy of its software image. When a software upgrade is sent
to the Wireless AP, the upgrade becomes the Wireless AP's current image and the previous
image becomes the backup. In the event of failure of the current image, the Wireless AP will
run the backup image.
To maintain the list of current Wireless AP software images:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click AP Maintenance. The AP Software Maintenance tab is
displayed.
>The HiPath Wireless Controller does not ship with sensor software. Sensor software
must be installed on a TFTP server.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 131
Configuring the Wireless AP
Performing Wireless AP software maintenance
3. From the AP Images for Platform drop-down list select the appropriate platform.
4. To select an image to be the default image for a software upgrade, select it in the list, and
then click Set as default.
5. In the Upgrade Behavior section, select one of the following:
Upgrade when AP connects using settings from Controlled Upgrade – The
Controlled Upgrade tab is displayed. Controlled upgrade allows you to individually
select and control the state of an AP image upgrade: which APs to upgrade, when to
upgrade, how to upgrade, and to which image the upgrade or downgrade should be
done. Administrators decide on the levels of software releases that the equipment
should be running.
Always upgrade AP to default image (overrides Controlled Upgrade settings)
Selected by default. Allows for the selection of a default revision level (firmware image)
for all APs in the domain. As the AP registers with the controller, the firmware version
is verified. If it does not match the same value as defined for the default-image, the AP
is automatically requested to upgrade to the default-image.
6. Select the Do not upgrade AP images if current image version = upgrade version
checkbox to prevent an upgrade if current image version is the same as the upgrade
version. Selecting this option overrides upgrade behavior.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
132 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Performing Wireless AP software maintenance
7. Select the Automatically downgrade the AP to the default image if AP is at later
release number (major/minor rev) checkbox to allow an older image to be installed if
selected.
8. To save your changes, click Save.
To delete a Wireless AP software image:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click AP Maintenance. The AP Software Maintenance tab is
displayed.
3. From the AP Images for Platform drop-down list, select the appropriate platform.
4. To select an image in the AP Images list to delete, click it.
5. Click the Delete button. The image is removed from the list.
To download a new Wireless AP software image:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click AP Maintenance. The AP Software Maintenance tab is
displayed.
3. In the Download AP Images list, type the following:
FTP Server – The IP of the FTP server to retrieve the image file from.
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID.
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Directory – The directory on the server in which the image file that is to be retrieved
is stored.
Filename – The name of the image file to retrieve.
Platform – The AP hardware type to which the image applies. The are several types
of AP and they require different images.
4. Click Download. The new software image is downloaded.
hwc_apstartup.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 133
Configuring the Wireless AP
Performing Wireless AP software maintenance
To define parameters for a Wireless AP controlled software upgrade:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click AP Maintenance. The AP Software Maintenance tab is
displayed.
3. Click the Controlled Upgrade tab.
.
4. From the Select AP Platform drop-down list, select the type of AP you want to upgrade.
5. From the Select an image to use drop-down list, select the software image you want to
use for the upgrade.
6. In the list of registered Wireless APs, select the checkbox for each Wireless AP to be
upgraded with the selected software image.
>The Controlled Upgrade tab will appear only when the Upgrade Behavior is set to
Upgrade when AP connects using settings from Controlled Upgrade on the AP
Software Maintenance tab.
Configuring the Wireless AP
A31003-W1040-U103-1-7619, Draft February 2007
134 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_apstartup.fm
Performing Wireless AP software maintenance
7. Click Apply AP image version. The selected software image is displayed in the Upgrade
To column of the list.
8. To save the software upgrade strategy to be run later, click Save for later.
9. To run the software upgrade immediately, click Upgrade Now. The selected Wireless AP
reboots, and the new software version is loaded.
>The Always upgrade AP to default image checkbox on the AP Software
Maintenance tab overrides the Controlled Upgrade settings.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 135
Virtual Network Services
VNS overview
6 Virtual Network Services
This chapter describes Virtual Network Services (VNS) concepts, including:
VNS overview
Setting up a VNS checklist
Topology of a VNS
RF assignment for a VNS
Authentication for a VNS
Filtering for a VNS
Data protection on a VNS—WEP and WPA
VNS global settings
Setting up a new VNS
6.1 VNS overview
A VNS is an IP subnet designed to enable Wireless APs to interact with wireless devices. A
VNS is similar to a regular IP subnet. A VNS has the following properties:
Each VNS is assigned a unique identifier.
Each VNS is assigned a Service Set Identifier (SSID). The SSID does not have to be
unique.
Each VNS is assigned a range of IP addresses for wireless devices. All of the wireless
devices share the same IP address prefix—the part of the IP address that identifies the
network and subnet.
The IP addresses of the wireless devices are assigned dynamically by the HiPath Wireless
Controller's Dynamic Host Configuration Protocol (DHCP) server within the assigned
range.
>If the VNS is in branch mode, the HiPath Wireless Controller's DHCP server will
not assign IP addresses to the wireless devices. For a routed VNS, you can
allow the enterprise network's DHCP server to provide the IP addresses for the
VNS by enabling DHCP Relay.
The assigned addresses must be within range of the VNS definition and the
controller must be defined in the network as the path for traffic delivery to the
mobile units. For more information, see Section 7.1.1.8, “Using a DHCP relay
for the VNS”, on page 157.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
136 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Setting up a VNS checklist
These IP addresses are not virtual IP addresses. They are regular IP addresses and are
unique over the network. These IP addresses are advertised to other hosts on the network
to exchange traffic with the wireless devices in the VNS.
A single overall filtering policy applies to all the wireless devices within the VNS. Additional
filtering can be applied when the wireless user is authenticated by the Remote
Authentication Dial-In User Service (RADIUS) server. This does not apply for a bridged
VNS.
When the HiPath Wireless Controller creates a VNS, it also creates a virtual IP subnet for
that VNS. This does not apply for a bridged VNS.
Each VNS represents a mobility group that, when configured, can be carried across
multiple HiPath Wireless Controllers. This does not apply for a bridged VNS.
Each VNS also offers unique Authentication, Authorization and Accounting (AAA) services.
6.2 Setting up a VNS checklist
VNS provides a versatile means of mapping wireless networks to the topology of an existing
wired network. When you set up a VNS on the HiPath Wireless Controller, you are defining a
subnet for a group of wireless device users. The VNS definition creates a virtual IP subnet
where the HiPath Wireless Controller acts as a default gateway to wireless devices.
In addition you can determine if the VNS is to apply for traffic bridging at the AP. This type of
VNS requires specification of RF parameters and authentication parameters (if AAA type),
although filtering specifications and topology specifications do not apply.
The HiPath Wireless Controller C2400 provides the option to define a VNS as locally bridged
to a VLAN at the controller. To support that configuration, you must define which VLAN the VNS
should bride to. With this configuration, it is possible that the controller is not involved in the IP
address assignment for user addresses. Instead, the IP addresses for users are assigned
directly by the DHCP infrastructure that services the VLAN.
Before defining a VNS, the following properties must be determined:
A user access plan for both individual users and user groups
The RADIUS attribute values that support the user access plan
The location and identity of the Wireless APs that will be used on the VNS
The routing mechanism to be used on the VNS
>In a VLAN-bridged VNS, the default configuration dictates that the controller is not
the DHCP server for that segment. However, DHCP services can selectively be
enabled, including DHCP Relay, allowing you to use the controller to become the
default DHCP server for the VLAN, if applicable.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 137
Virtual Network Services
Setting up a VNS checklist
For tunneled configurations mostly, the network addresses that the VNS will use
A VLAN bridged VNS (at the controller) requires the specification of the IP address for the
controller's own interface point (Port) on that VLAN. In addition, if the you elect to have the
controller operate as the default DHCP server for the VLAN, the corresponding IP topology
for that subnet must also be specified.
The type of authentication for wireless device users on the VNS
The specific filters to be applied to the defined users and user groups to control network
access
The quality of service (QoS) requirements
What privacy mechanisms should be employed between the Wireless APs and the
wireless devices
Classification list for traffic priority. For example, whether the VNS is to be used for voice
traffic and if voice traffic is to be given priority.
Whether the VNS traffic is to be bridged directly to the network at the AP or tunneled to the
controller for forwarding. Bridging at the AP is useful in branch office deployments in which
APs must provide service even when the connection to the controller is unavailable.
User access plan
The user access plan should analyze the enterprise network and identify which users should
have access to which areas of the network. What areas of the network should be separated?
Which users can go out to the World Wide Web?
The Controller, Access Points and Convergence Software system relies on authenticating
users via a RADIUS server (or other authentication server). To make use of this feature, an
authentication server on the network is required. Make sure that the server's database of
registered users, with login identification and passwords, is current.
In the case of certificate-based installations, you must ensure that the proper user certificate
profiles are setup on the RADIUS server.
The user access plan should also identify the user groups in your enterprise, and the business
structure of the enterprise network, such as:
Department (such as Engineering, Sales, Finance)
>To deploy Controller, Access Points and Convergence Software without a RADIUS
server (and without authentication of users on the network), select SSID for network
assignment (in the Topology screen). In the Authentication - Configure Captive
Portal screen, select the No Captive Portal radio button. There will be no
authentication of users, but Controller, Access Points and Convergence Software is
otherwise operational.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
138 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Topology of a VNS
Role (such as student, teacher, library user)
Status (such as guest, administration, technician)
For each user group, you should set up a filter ID attribute in the RADIUS server, and then
associate each user in the RADIUS server to at least one filter ID name. You can define specific
filtering rules, by filter ID attribute, that will be applied to user groups to control network access.
Filtering is applied by the controller. Filter ID assignments is a configuration option, and not a
requirement to setup per user filter ID definitions. If a filter is not returned by the Access-Accept
confirmation for a particular user, the controller uses the default filter profile for the VNS as the
applicable filter set.
6.3 Topology of a VNS
Before you decide if a VNS will participate in a VLAN and configure a VNS, define the global
settings that will apply to all VNS definitions. For example, global settings can include
identifying the location of the RADIUS servers and enabling priority traffic handling for voice-
over-internet traffic and dynamic authorization server support.
The type of network assignment determines all the other factors of the VNS. There are two
options for network assignment:
SSID:
Has Captive Portal authentication, or no authentication
Requires restricted filtering rules before authentication
Requires filtering rules for group filter IDs after authentication. A default filter applies if
a more specific filter is not indicated by the RADIUS Access-Accept response.
Used for a VNS supporting wireless voice traffic (QoS)
Used for a VNS supporting third-party APs
Has WEP and WPA-PSK privacy
AAA:
Has 802.1x authentication
Requires filtering rules for group filter IDs and default filter. A definition of group filter
IDs is optional. If a filter is not specified or not returned by the Access-Accept
response, the default filter group is applied.
Has WEP and WPA privacy
Controller is involved in authenticating users. 802.1x packets for AAA assignment are
forwarded by the AP to the controller, through to the RADIUS server.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 139
Virtual Network Services
RF assignment for a VNS
Traffic behavior types
There are 3 traffic types available when setting up your VNS:
Tunneled to controller
Bridged at AP
Bridged to VLAN at controller
You assign available Wireless APs, by radio, to the VNS. A Wireless AP radio is available for
VNS assignment until it has been assigned to a maximum eight VNSs. The HiPath Wireless
Controller C2400 can support up to 64 VNSs. Each AP's radio can be assigned to any of the
VNSs defined in the system, with up to 8 assignments per radio.
Once a VNS definition is saved, the HiPath Wireless Controller updates this information on the
Wireless AP. The VNS broadcasts the updates during beacon transmission, unless the SSID
beacon is suppressed on the Topology tab.
The Wireless AP Configuration screen lists defined VNSs and which radio each has been
assigned to.
On the Topology tab, define parameters for DHCP for IP address assignment. DHCP IP
assignment is not applicable to Bridged at AP mode. DHCP assignment is disabled by default
for Bridged to VLAN mode. However, you can enable DHCP server/relay functionality to have
the controller service the IP addresses for the VLAN (and wireless users).
You can also configure this VNS for management traffic or for third-party APs.
6.4 RF assignment for a VNS
The second step in setting up a VNS is to configure the RF assignment for the VNS. From the
RF tab you assign APs to a VNS and SSID definitions.
6.5 Authentication for a VNS
The third step in setting up a VNS is to configure the authentication mechanism for the VNS.
The authentication mechanism depends on the network assignment. In addition, all VNS
definitions can include authentication by Media Access Control (MAC) address. Authentication
by MAC address provides a method of access control for a user as it associates with the AP
based on the device's MAC address.
6.5.1 Authentication with SSID network assignment
If network assignment is SSID, there are two authentication options:
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
140 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Authentication for a VNS
None – This authentication method is the default for a new SSID assignment VNS.
Authentication VNS, unless MAC-based authorization is used, the default filter is applied,
not the non-authentication filter. For more information, see Section 6.6, “Filtering for a
VNS”, on page 141.
Captive Portal – This authentication method employs a Web redirection which directs a
user's Web session to an authentication server. Typically, the user must provide their
credentials (userID, password) to be authenticated. The Captive Portal redirection
operation will redirect any Web page requests corresponding to targets not explicitly
allowed by the non-authenticated filter. The redirection will instruct the user's Web page to
contact the defined authentication Web server. You must ensure that the authentication
Web server is explicitly listed as an allow destination in order for traffic to access it.
The HiPath Wireless Controller supports two modes of Captive Portal authentication:
Internal Captive Portal – The controller's own Captive Portal authentication page
(configured as an editable form) is used to request user credentials.
External Captive Portal – An entity outside of the HiPath Wireless Controller is
responsible for handling the user authentication process, presenting the credentials
request forms and performing user authentication procedures. The controller is then
informed of the authentication results via its Business Echosystem's interfaces.
Four authentication types are supported for Captive Portal authentication:
Password Authentication Protocol (PAP)
Challenge Handshake Authentication Protocol (CHAP)
Windows-specific version of CHAP (MS CHAP)
MS CHAP v2 (Windows-specific version of CHAP, version 2)
For Captive Portal authentication, the RADIUS server must support the selected
authentication type: PAP, CHAP (RFC2484), MS-CHAP (RFC2433), or MS-CHAPv2
(RFC2759).
6.5.2 Authentication with AAA (802.1x) network assignment
If network assignment is AAA with 802.1x authentication, the wireless device user requesting
network access must first be authenticated. The wireless device's client utility must support
802.1x. The user's request for network access along with login identification or a user profile is
forwarded by the HiPath Wireless Controller to a RADIUS server. Controller, Access Points and
Convergence Software supports the following authentication types:
Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) – Relies on
client-side and server-side certificates to perform authentication. Can be used to
dynamically generate a Pairwise Master Key for encryption.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 141
Virtual Network Services
Filtering for a VNS
Extensible Authentication Protocol with Tunneled Transport Layer Security
(EAP-TTLS) – Relies on mutual authentication of client and server through an encrypted
tunnel. Unlike EAP-TLS, it requires only server-side certificates. The client uses PAP,
CHAP, or MS-CHAPv2 for authentication.
Protected Extensible Authentication Protocol (PEAP) – Is an authentication protocol
similar to TTLS in its use of server side certificates for server authentication and privacy
and its support for a variety of user authentication mechanisms.
For 802.1x, the RADIUS server must support RADIUS extensions (RFC2869).
Until the access-accept is received from the RADIUS server for a specific user, the user is kept
in an unauthenticated state. 802.1x rules dictate no other packets other than EAP are allowed
to traverse between the AP and the HiPath Wireless Controller until authentication completes.
Once authentication is completed (access-accept is received), the user's client is then allowed
to proceed with IP services, which typically implies the request of an IP address via DHCP. In
addition, the definition of a specific filter ID is optional configuration. If a specific filter ID is not
defined or returned by the access-accept operation, the HiPath Wireless Controller assigns the
VNS' default filter for authenticated users.
Both Captive Portal and AAA (802.1x) authentication mechanisms in Controller, Access Points
and Convergence Software rely on a RADIUS server on the enterprise network. You can
identify and prioritize up to three RADIUS servers on the HiPath Wireless Controller—in the
event of a failover of the active RADIUS server, the HiPath Wireless Controller will poll the other
servers in the list for a response. Once an alternate RADIUS server is found, it becomes the
active RADIUS server, until it either also fails, or the administrator redefines another.
6.6 Filtering for a VNS
The VNS capability provides a technique to apply policy, to allow different network access to
different groups of users. This is accomplished by packet filtering.
After setting authentication, define the filtering rules for the filters that apply to your network and
the VNS you are setting up. Several filter types are applied by the HiPath Wireless Controller:
Exception filter – Protect access to a system's own interfaces, including the VNS' own
interface. VNS exception filters are applied to user traffic intended for the HiPath Wireless
Controller's own interface point on the VNS. These filters are applied after the user's
specific VNS state assigned filters.
Non-authenticated filter with filtering rules that apply before authentication
Controls network access and to direct users to a Captive Portal Web page for login.
>The HiPath Wireless Controller only assigns the device's IP after the client requests
one.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
142 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Filtering for a VNS
Group filters, by filter ID, for designated user groups – Controls access to certain areas
of the network, with values that match the values defined for the RADIUS filter ID attribute.
Default filter – Controls access if there is no matching filter ID for a user.
Within each type of filter, define a sequence of filtering rules. The filtering rule sequence must
be arranged in the order that you want them to take effect. Each rule is defined to allow or deny
traffic in either direction:
In – From a wireless device in to the network
Out – From the network out to a wireless device
6.6.1 Final filter rule
The final rule in any filter should act as a catch-all for any traffic that did not match a filter. This
final rule should either allow all or deny all traffic, depending on the requirements for network
access. For example, the final rule in a non-authenticated filter for Captive Portal is typically
deny all. A final allow all rule in a default filter will ensure that a packet is not dropped entirely
if no other match can be found.
A default rule of deny all is automatically created by the system for initial filter definitions. The
administrator can change the action to allow all. However, a default filter rule cannot be
removed. Since a default filter rule provides a catch-all default behavior for packet handling, all
applicable user defined filter rules must be defined prior to this rule.
Each rule can be based on any one of the following:
Destination IP address or any IP address within a specified range that is on the network
subnet (as a wildcard)
Destination ports, by number and range
Protocols (UDP, TCP, etc.)
6.6.2 Filtering sequence
The filtering sequence depends on the type of authentication used:
No authentication (network assignment by SSID)
Only the default filter will apply. Specific network access can be defined.
Authentication by captive portal (network assignment by SSID)
The non-authenticated filter will apply before authentication. Specific network access can
be defined. The filter should also include a rule to allow all users to get as far as the Captive
Portal Web page where the user can enter login identification for authentication. When
authentication is returned, the filter ID group filters are applied. If no filter ID matches are
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 143
Virtual Network Services
Filtering for a VNS
found, then the default filter is applied. The filter ID group is an optional behavior
specification. If a filter ID is not returned, or an invalid one is returned, the default filter
group is applied.
Authentication by AAA (802.1x)
AAA assignment requires that user authentication is completed using the 802.1x/EAP
protocol before a user is granted access to a network resource. Therefor, the enforcement
of non-authenticated traffic rules is not applicable. When authentication is returned, then
the filter ID group filters are applied. A VNS can have a subgoup with Login-LAT-Group ID
that has its own filtering rules. The Login-LAT-Group indicates that a user session should
be associated with a more specific VNS (a child VNS). The sub-VNS provides a different
topology definition than the parent VNS, as well as having its own set of filter definitions.
Filter IDs returned in association with a Login-LAT-Group definition are applied to the user,
in relation to the sub-VNS indicated by the Login-LAT-Group specification. If no filter ID
matches are found, then the default filter is applied.
The following is a high-level description of how HiPath Wireless Controller filters traffic:
Step One – The HiPath Wireless Controller attempts to match each packet of a VNS to the
filtering rules that apply to the wireless device user.
Step Two – If a filtering rule is matched, the operation to allow or deny is executed.
Step Three – The next packet is fetched for filtering.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
144 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Data protection on a VNS—WEP and WPA
6.7 Data protection on a VNS—WEP and WPA
On wireless and wired networks, data is protected by encryption techniques. The type of data
protection that is available depends on the VNS assignment mode:
SSID – Only WEP and WPA (1or 2)-PSK privacy types are available
AAA – WEP, Dynamic WEP, and WPA (1 or 2) privacy types are available
Data protection encryption techniques
Wired Equivalent Privacy (WEP) – WEP encrypts data sent between wireless nodes.
Each node must use the same encryption key.
Wi-Fi Protected Access Privacy (WPA v.1 and v.2) – Encryption is by Advanced
Encryption Standard (AES) or by Temporal Key Integrity Protocol (TKIP). Two modes are
available:
Enterprise – Specifies 802.1x authentication and requires an authentication server
Pre-Shared Key (PSK) – Relies on a shared secret. The PSK is a shared secret
(pass-phrase) that must be entered in both the Wireless AP or router and the WPA
clients.
6.8 VNS global settings
Before defining a specific VNS, define the global settings that will apply to all VNS definitions.
These global settings include:
Identify the location and password of RADIUS servers on the enterprise network. The
defined servers appear as available choices when you set up the authentication
mechanism for each VNS.
Define the shared secret used to encrypt the Pairwise Master Key (PMK) for WPA2 v.2 pre-
authentication between HiPath Wireless Controllers on the network.
Enable Dynamic Authorization Server (DAS) configuration support.
Adjust admission control thresholds. Admission control thresholds protect admitted traffic
against overloads, provides distinct thresholds for VO and VI, and distinct thresholds for
roaming and new streams.
To define RADIUS servers for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual Network list is
displayed.
2. In the left pane, click Global Settings. The Authentication tab is displayed.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 145
Virtual Network Services
VNS global settings
3. To define a RADIUS server available on the network, do the following:
In the Server Name box, type a name.
In the Server Address box, type the IP address.
In the Shared Secret box, type the password that is required in both directions. This
password is used to validate the connection between controller and the RADIUS
server.
4. In order to proofread your password before saving the configuration, click Unmask. The
password is displayed. To mask the password, click Mask.
This precautionary step is highly recommended in order to avoid an error, later, when the
HiPath Wireless Controller attempts to communicate with the RADIUS server.
5. To add the server to the list, click Add.
6. To remove a server, select the server in the list and click Remove selected server.
7. To save your changes, click Save.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
146 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
VNS global settings
To define admission control thresholds for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual Network list is
displayed.
2. In the left pane, click Global Settings. The Authentication tab is displayed.
3. Click the Wireless QoS tab.
4. Using the percentage drop-down lists, define the thresholds for the following:
Max Voice (VO) BW for roaming streams – The maximum allowed overall bandwidth
on the new AP when a client with an active voice stream roams to a new AP and
requests admission for the voice stream.
Max Voice (VO) BW for new streams – The maximum allowed overall bandwidth on
an AP when an already associated client requests admission for a new voice stream.
Max Video (VI) BW for roaming streams – The maximum allowed overall bandwidth
on the new AP when a client with an active video stream roams to a new AP and
requests admission for the video stream.
Max Video (VI) BW for new streams – The maximum allowed overall bandwidth on
an AP when an already associated client requests admission for a new video stream.
hwc_vnsintro.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 147
Virtual Network Services
VNS global settings
These global QoS settings apply to all APs that serve QoS enabled VNSs with admission
control.
5. To save your changes, click Save.
To define inter-HiPath Wireless Controller shared secret for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual Network list is
displayed.
2. In the left pane, click Global Settings.
3. Click the General tab.
4. In the Inter-HWC Shared Secret box, type a password between 8 and 63 characters long,
to be used between HiPath Wireless Controllers. The shared secret is to encrypt pre-
shared keys that have to be moved between controllers for mobility. The same shared
secret must also be defined on the other HiPath Wireless Controllers on the network.
5. In order to proofread your password before saving the configuration, click Unmask. The
password is displayed. To mask the password, click Mask.
Virtual Network Services
A31003-W1040-U103-1-7619, Draft February 2007
148 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsintro.fm
Setting up a new VNS
This precautionary step is highly recommended in order to avoid an error, later, when the
HiPath Wireless Controller attempts to communicate with the RADIUS server.
6. To save your changes, click Save.
6.9 Setting up a new VNS
Now that you are familiar with the VNS concepts, you can now set up a new VNS. Setting up a
new VNS involves the following general steps:
Step one – Create a VNS name
Step two – Define the topology parameters
Step three – Configure the VNS
For information on setting up a new VNS, see Chapter 7, “Virtual Network configuration”.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 149
Virtual Network configuration
7 Virtual Network configuration
This chapter discusses VNS (Virtual Network Services) configuration, including:
Topology for a VNS
Assigning Wireless AP radios to a VNS
Authentication for a VNS
Defining accounting methods for a VNS
Defining RADIUS filter policy for VNSs and VNS groups
Configuring filtering rules for a VNS
Enabling multicast for a VNS
Configuring privacy for a VNS
Defining a VNS with no authentication
Defining priority level and service class for VNS traffic
Working with Quality of Service (QoS)
Configuring the QoS policy on a VNS
Bridging traffic locally
Setting up a VNS defines a virtual IP subnet for a group of wireless device users, where the
HiPath Wireless Controller acts as a default gateway to wireless devices. For each VNS, you
define its topology, authentication, accounting, RADIUS servers, filtering, multicast parameters,
privacy and policy mechanism. When you set up a new VNS, additional tabs appear only after
you save the topology.
A critical topology option to define for a VNS is the VNS type:
Routed VNS – User traffic is tunneled to the HiPath Wireless Controller. (This is the default
setup.)
Bridged at the AP VNS – User traffic is directly bridged to a VLAN at the AP network point
of access (switch port).
VLAN bridged VNS – User traffic is tunneled to the HiPath Wireless Controller and is
directly bridged at the controller to a specific VLAN. WIth this VNS type, mobile users
become a natural extension of a VLAN subnet.
Setting up a new VNS involves the following general steps:
Step one – Create a VNS name
Step two – Define the topology parameters
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
150 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Topology for a VNS
Step three – Configure the VNS
Before you can define the VNS topology parameters and configure the VNS, you must first
create a new VNS name.
To create a new VNS name:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane, type a name that will identify the new VNS in the Add subnet box, and
then click Add subnet. The name is displayed in the Virtual Networks list. The Topology
screen is displayed.
The following sections describe in detail how to define the VNS topology parameters and
configure the VNS.
7.1 Topology for a VNS
In the Topology screen, the key choice for a VNS is the type of network assignment, which
determines all the other factors of the VNS. When you have completed defining the topology
for your VNS, save the topology settings. Once your topology is saved, you can then access the
remaining VNS tabs and continue configuring your VNS.
There are two options for network assignment:
SSID – The SSID determines the VNS to which a user profile will be assigned (user
topology/IP, filters):
Has Captive Portal authentication, or no authentication (as well as MAC-based
authentication).
Requires restricted filtering rules before authentication and, after authentication,
filtering rules for group filter IDs.
Is used for a VNS supporting wireless voice traffic (QoS).
Is used for a VNS supporting third-party APs.
Has WEP and WPA-PSK privacy.
AAA (Authentication, Authorization and Accounting):
has 802.1x authentication (as well as MAC-based authentication).
requires filtering rules for group filter IDs and default filter.
has Dynamic WEP and WPA (WPA v.1 and WPA v.2) privacy.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 151
Virtual Network configuration
To p ol o gy fo r a V NS
7.1.1 Configuring topology for a VNS for Captive Portal
The section describes how to set up a VNS for Captive Portal. The RF tab, where you assign
APs to VNSs, is not accessible until the topology for the VNS has been configured and saved.
To create an SSID for Captive Portal VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to create an SSID for. The
Topology tab is displayed.
3. From the Assignment by drop-down list, select SSID.
7.1.1.1 Defining session timeout parameters
The HiPath Wireless Controller allows a client to associate to the AP and exist on the network
without having authentication. Every associated user has a user session tracked by the HiPath
Wireless Controller from the time of association with the AP. Users can be temporarily (or
longer for SSID assigned VNSs) be in the non-authenticated state. Pre timeout is the maximum
amount of time allowed to elapse from the last time any traffic was received by the system for
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
152 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Topology for a VNS
an un-authenticated user. For example, a user may have disconnected from the system
(shutdown the device, moved out of range, etc.). A pre timeout expires and cleans up the
session.
The post timeout is the max amount of time that is allowed to elapse from the last time any
traffic was received for an authenticated user. For example, a user may have disconnected from
the system and is no longer be connected. A post timeout expires and cleans up the session.
A client that exceeds either the pre or post timeout value will be forced to disassociate.
The session timer defines the maximum amount of time a session is allowed to be connected
to the system. The session timer is particularly useful in pay-per-use models. When the lifetime
of the session reaches the defined limit, the session is expired and cleaned up. A user would
have to re-authenticate with the system to continue to receive network services.
To define the session timeout parameters for a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define the session timeout
parameters for. The Topology tab is displayed.
3. In the Idle (pre) box, type the number of minutes that a client is allowed to be idle on the
VNS before authentication.
4. In the Idle (post) box, type the number of minutes that a client is allowed to be idle on the
VNS after authentication.
5. In the Session box, type the maximum time limit of a session. If you do not provide a
Session value, there is no time limit.
7.1.1.2 Enabling management traffic
If management traffic is enabled for a VNS, it overrides the built-in exception filters that prohibit
traffic on the HiPath Wireless Controller data interfaces. For more information, see Section 7.6,
“Configuring filtering rules for a VNS”, on page 179.
>The VNS timeout parameters define the default timers applicable to session
management within the VNS. However, RADIUS authentication (access-accept)
may return specific timers applicable to the particular user. A RADIUS returned
value overwrites the VNS default values for the specific user.
In addition, a zero (0) value for any of the timers indicates a non-applicable value.
Therefor, the corresponding timer is not enforced.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 153
Virtual Network configuration
To p ol o gy fo r a V NS
To enable management traffic on a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to enable management traffic
for. The Topology tab is displayed.
3. Select the Allow mgmt traffic checkbox.
7.1.1.3 Enabling third-party APs on a VNS
Configuring a VNS for third-party APs is only available with SSID network assignment. Use this
function as part of the process defined in Chapter 9, “Working with third-party APs”.
A third-party AP VNS allows for the specification of a segregated subnet by which non-HiPath
Wireless APs are used to provide RF services to users while still utilizing the HiPath Wireless
Controller for user authentication and user policy enforcement.
To enable third-party APs on a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to enable third-party APs for.
The Topology tab is displayed.
3. Select the Use 3rd Party AP checkbox.
The definition of third-party AP identification parameters allows the system to be able to
differentiate the third-party AP device (and corresponding traffic) from user devices on that
segment. Devices identified as third-party APs are considered pre-authenticated, and are
not required to complete the corresponding authentication verification stages defined for
users in that segment (typically Captive Portal enforcement).
In addition, third-party APs have a specific set of filters (third-party) applied to them by
default, which allows the administrator to provide different traffic access restrictions to the
third-party AP devices for the users that use those resources. The third-party filters could
be used to allow access to third-party APs management operations (for example, HTTP,
SNMP).
4. To save your changes, click Save.
>Third-party AP devices are not fully integrated with the system and therefore must
be managed individually to provide the correct user access characteristics. Also,
third-party AP devices must be defined in bridge mode so that user traffic is directly
transposed to the third-party AP subnet and picked up by the HiPath Wireless
Controller for forwarding and policy enforcement.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
154 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Topology for a VNS
7.1.1.4 Defining a next hop route and OSPF advertisement for a VNS
The next hop definition allows the administrator to define a specific host as the target for all
non-VNS targeted traffic for users in a VNS. The next hop IP identifies the target device to which
all VNS (user traffic) will be forwarded to. Next-hop definition supersedes any other possible
definition in the routing table.
If the traffic destination from a wireless device on a VNS is outside of the VNS, it is forwarded
to the next hop IP address, where this router applies policy and forwards the traffic. This feature
applies to unicast traffic only. In addition, you can also modify the Open Shortest Path First
(OSPF) route cost.
OSPF is an interior gateway routing protocol developed for IP networks based on the shortest
path first or link-state algorithm. Using OSPF, a host that obtains a change to a routing table or
detects a change in the network immediately distributes the information to all other hosts in the
network so that all will have the same routing table information. The host using OSPF sends
only the part that has changed, and only when a change has taken place.
To define a next hop route and OSPF advertisement:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define a next-hop route
for. The Topology tab is displayed.
3. In the Next Hop Address box, type the IP address of the next hop router on the network
through which you wish all traffic on this VNS to be directed.
4. In the OSPF Route Cost box, type the OSPF cost of reaching the VNS subnet.
The OSPF cost value provides a relative cost indication to allow upstream routers to
calculate whether or not to use the controller as a better fit or lowest cost path to reach
devices in a particular network. The higher the cost, the less likely of the possibility that the
controller will be chosen as a route for traffic, unless that controller is the only possible
route for that traffic.
5. To disable OSPF advertisement on this VNS, select the disable OSPF Advertisement
checkbox.
7.1.1.5 Defining the IP address for the VNS (for the DHCP server on the controller)
Bridged at the AP VNSs do not require the definition of a corresponding IP address definition
for the VNS since all traffic for users in that VNS will be directly bridged by the AP at the local
network point of attachment (VLAN at AP port).
The IP address definition is only required for a routed VNS or VLAN bridged VNS.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 155
Virtual Network configuration
To p ol o gy fo r a V NS
To define the IP address for the VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define the IP address for.
The Topology tab is displayed.
3. In the Gateway box, type the HiPath Wireless Controller's own IP address in that VNS.
This IP address is the default gateway for the VNS. The HiPath Wireless Controller
advertises this address to the wireless devices when they sign on. For routed VNSs, it
corresponds to the IP address that is communicated to MUs (in the VNS) as the default
gateway for the VNS subnet. (MUs target the HiPath Wireless Controller's interface in their
effort to route packets to an external host).
For a VLAN bridged VNS, the IP address corresponds to the HiPath Wireless Controller's
own point of presence on the VLAN. In this case, the controller's interface is typically not
the gateway for the subnet. The gateway for the subnet is the infrastructure router defined
to handle the VLAN.
4. In the Mask box, type the appropriate subnet mask for this IP address to separate the
network portion from the host portion of the address (typically 255.255.255.0).
The following values to DHCP configuration are only applicable for configurations if the
controller is the DHCP server for users in the VNS—a routed VNS or a VLAN bridged VNS
with DHCP enabled (by default, DHCP is disabled). These values are not visible for a
bridged at AP VNS or a VLAN bridged VNS with DHCP disabled (by default, DHCP is
disabled).
The Address Range boxes (from and to) populate automatically with the range of IP
addresses to be assigned to wireless devices using this VNS, based on the IP address you
provided.
To modify the address in the Address Range from box, type the first available
address.
To modify the address in the Address Range to box, type the last available address.
If there are specific IP addresses to be excluded from this range, click Exclusion(s).
The DHCP Address Exclusion subscreen is displayed.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
156 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Topology for a VNS
In the DHCP Address Exclusion subscreen, do one of the following:
To specify an IP range, type the first available address in the From box and type
the last available address in the to box. Click Add for each IP range you provide.
To specify a IP address, select the Single Address option and type the IP address
in the box. Click Add for each IP address you provide.
To save your changes, click Save. The DHCP Address Exclusion subscreen closes.
5. The Broadcast Address box populates automatically based on the Gateway IP address
and subnet mask of the VNS.
6. In the Domain Name box, type the external enterprise domain name.
7.1.1.6 Modifying time limits for IP assignments
The following procedure is only applicable for configurations if the controller is the DHCP server
for users in the VNS—a routed VNS or a VLAN bridged VNS with DHCP enabled (by default,
DHCP is local). These values are not visible for a bridged at AP VNS or a VLAN bridged VNS
with DHCP disabled (by default, DHCP is disabled).
Time limits for IP assignments dictate the default and the maximum time limits a wireless device
can keep the DHCP server-assigned IP address.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 157
Virtual Network configuration
To p ol o gy fo r a V NS
To modify time limits for IP assignments:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set time limits for. The
Topology tab is displayed.
3. In the Lease default box, type the default time limit. The default time limit dictates how long
a wireless device can keep the DHCP server assigned IP address. The default value is
36000 seconds (10 hours).
4. In the Lease max box, type the maximum time limit. The default time limit is 2539000
seconds (approximately 705 hours or 29 days).
7.1.1.7 Setting the name server configuration
Although this procedure could also apply to any VNS type, normally these settings are defined
in the context of DHCP definitions and therefor these values are not available for configurations
if DHCP service is not defined.
A VLAN bridged VNS has an option to define the DHCP behavior for the VNS. By default, the
DHCP service is disable although the administrator can elect to have the controller's VNS
interface on the VLAN become either the actual DHCP server (enable DHCP) or become the
relay agent for DHCP requests.
To set the name server configuration:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set the name server
configuration for. The Topology tab is displayed.
3. In the DNS Servers box, type the IP Address of the Domain Name Servers to be used.
4. If applicable, in the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
7.1.1.8 Using a DHCP relay for the VNS
Although this procedure could also apply to any VNS type, normally these settings are defined
in the context of DHCP definitions and therefor these values are not available for configurations
if DHCP service is not defined.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
158 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Topology for a VNS
Using a DHCP relay forces the HiPath Wireless Controller to forward DHCP requests to an
external DHCP server on the enterprise network. This function bypasses the local DHCP
server for the HiPath Wireless Controller and allows the enterprise to manage IP address
allocation to a VNS from its existing infrastructure.
The range of IP addresses assigned to the wireless device users on this VNS should also be
designated on the external DHCP server.
To use an external DHCP server for the VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to use DHCP relay for. The
Topology tab is displayed.
3. From the DHCP Option drop-down list, select Use DHCP Relay.
4. In the Gateway box, type the IP address for the VNS.
5. In the Mask box, type the appropriate subnet mask for this IP address.
6. In the DHCP Server box, type the IP address of the DHCP server to which DHCP discover
and request messages will be forwarded for clients on this VNS. In the case of relay, the
HiPath Wireless Controller does not handle DHCP requests from users, but instead
forwards the requests to the indicated DHCP server.
7.1.2 Configuring topology for a VNS for AAA
The following sections describe how to configure the topology for a VNS for AAA.
To create an AAA topology:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to create an AAA topology
for. The Topology tab is displayed.
3. From the Assignment by drop-down list, select AAA.
>The DHCP Server must be configured to match the VNS settings. In particular
for Routed VNS', the DHCP server must identify the HiPath Wireless Controller's
interface IP as the default Gateway (router) for the subnet. (Users intending to
reach devices outside of the subnet will forward the packets to the default
gateway (controller) for delivery upstream.)
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 159
Virtual Network configuration
Assigning Wireless AP radios to a VNS
4. Configure the topology for your VNS accordingly. For more information, see Section 7.1,
“Topology for a VNS”, on page 150.
5. To save your changes, click Save.
7.1.3 Saving your topology properties
Once your topology is defined, you can then save your topology properties to continue
configuring your VNS. To save your topology properties, click Save.
7.2 Assigning Wireless AP radios to a VNS
If two HiPath Wireless Controllers have been paired for availability (for more information, see
Section 8.1, “Availability overview”, on page 213), each HiPath Wireless Controller's registered
Wireless APs will appear as foreign in the list of available Wireless APs on the other HiPath
Wireless Controller.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
160 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Assigning Wireless AP radios to a VNS
Once you have assigned a Wireless AP radio to eight VNSs, it will not appear in the list for
another VNS setup. Each radio can support up to eight SSIDs (16 per AP). Each AP can be
assigned to any of the VNSs defined within the system. The HiPath Wireless Controller C2400
can support up to 64 VNSs.
To assign Wireless APs to a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to assign Wireless APs to.
The Topology tab is displayed.
3. Click the RF tab.
4. In the SSID box, type the SSID that wireless devices will use to access the Wireless AP.
5. In the Advanced RF Settings, select the following:
Suppress SSID – Select to prevent this SSID from appearing in the beacon message
sent by the Wireless AP. The wireless device user seeking network access will not see
this SSID as an available choice, and will need to specify it.
Enable proprietary IE – Select to enable radio channel reports to be sent to the
Wireless AP for improving roaming time and reliability, as well as improving client
power consumption. The AP channel report lists all channels on which the VNS can
be found—all channels used by all APs that have been assigned to the VNS. The AP
will provide this list in a proprietary information element to be included in Beacon and
Probe response packets. By default this option is disabled. It is recommended to
enable this option.
Enable 11h support – Select to enable TPC (Transmission Power Control) reports.
By default this option is disabled. It is recommended to enable this option.
Apply power back-off – Select to enable the AP to use reduced power (as does
the 11h client). By default this option is disabled. It is recommended to enable this
option.
Process client IE requests – Select to enable the AP to accept IE requests sent by
clients via Probe Request frames and responds by including the requested IE’s in the
corresponding Probe Response frames. By default this option is disabled. It is
recommended to enable this option.
6. From the Wireless APs list, select the APs and their radios that you want to assign to the
VNS. You can also use the Select APs list, to select APs and their radios by grouping:
All radios – Select to assign all of the APs’ radios.
a radios – Select to assign only the APs’ a radios.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 161
Virtual Network configuration
Authentication for a VNS
b/g radios – Select to assign only the APs’ b/g radios.
local APs - all radios – Select to assign only the local APs.
local APs - a radios – Select to assign only the local APs’ a radios.
local APs - b/g radios – Select to assign only the local APs’ b/g radios.
foreign APs - all radios – Select to assign only the foreign APs.
foreign APs - a radios – Select to assign only the foreign APs’ a radios.
foreign APs - b/g radios – Select to assign only the foreign APs’ b/g radios.
clear all selections – Select to clear all of the AP radio assignments.
original selections – Select to return to the AP radio selections prior to the most
recent save.
7. To save your changes, click Save.
You can view the VNSs that each radio is assigned to by clicking on each radio tab in the
Wireless AP Configuration screen.
7.3 Authentication for a VNS
The next step in configuring a VNS is to set up the authentication mechanism. There are
various authentication combinations available:
If network assignment is by SSID, authentication can be:
none
by Captive Portal using internal Captive Portal
by Captive Portal using external Captive Portal
by MAC-based authentication
If network assignment is by AAA (802.1x), authentication can be:
by 802.1x authentication, the wireless device user must be authenticated before
gaining network access
by MAC-based authentication
The first step for any type of authentication is to select RADIUS servers for:
Authentication
Accounting
MAC-based authentication
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
162 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
MAC-based authentication enables network access to be restricted to specific devices by MAC
address. In addition to the other types of authentication, when MAC-based authentication is
employed the HiPath Wireless Controller queries a RADIUS server to determine if the wireless
client's MAC address is authorized to access the network.
7.3.1 Vendor Specific Attributes
In addition to the standard RADIUS message, you can include Vendor Specific Attributes
(VSAs). The Controller, Access Points and Convergence Software authentication mechanism
provides six VSAs for RADIUS and other authentication mechanisms.
The first five of these VSAs provide information on the identity of the specific Wireless AP that
is handling the wireless device, enabling the provision of location-based services.
The RADIUS message also includes RADIUS attributes Called-Station-Id and Calling-Station-
Id in order to include the MAC address of the wireless device.
Attribute Name ID Type Messages Description
Siemens-URL-
Redirection
1 string Returned from
RADIUS server
A URL that can be returned to redirect a
session to a specific Web page.
Siemens-AP-
Name
2 string Sent to
RADIUS server
The name of the AP the client is associating
to. It can be used to assign policy based on
AP name or location.
Siemens-AP-
Serial
3 string Sent to
RADIUS server
The AP serial number. It can be used
instead of (or in addition to) the AP name.
Siemens-VNS-
Name
4 string Sent to
RADIUS server
The name of the Virtual Network the client
has been assigned to. It is used in assigning
policy and billing options, based on service
selection.
Siemens-SSID 5 string Sent to
RADIUS server
The name of the SSID the client is
associating to. It is used in assigning policy
and billing options, based on service
selection.
Siemens-BSS-
MAC
6 string Sent to
RADIUS server
The name of the BSS-ID the client is
associating to. It is used in assigning policy
and billing options, based on service
selection and location.
Table 14 Vendor Specific Attributes
>Siemens-URL-Redirection is supported by MAC-based authentication.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 163
Virtual Network configuration
Authentication for a VNS
7.3.2 Defining authentication for a VNS for Captive Portal
For Captive Portal authentication, the wireless device connects to the network, but can only
access the specific network destinations defined in the non-authenticated filter. For more
information, see Section 7.6.2, “Defining non-authenticated filters”, on page 182. One of these
destinations should be a server, either internal or external, which presents a Web page login
screen—the Captive Portal. The wireless device user must input an ID and a password. This
request for authentication is sent by the HiPath Wireless Controller to a RADIUS server or other
authentication server. Based on the permissions returned from the authentication server, the
HiPath Wireless Controller implements policy and allows the appropriate network access.
Captive Portal authentication relies on a RADIUS server on the enterprise network. There are
three mechanisms by which Captive Portal authentication can be carried out:
Internal Captive Portal – The HiPath Wireless Controller presents the Captive Portal Web
page, carries out the authentication, and implements policy.
External Captive Portal – After an external server presents the Captive Portal Web page
and carries out the authentication, the HiPath Wireless Controller implements policy.
External Captive Portal with internal authentication – After an external server presents
the Captive Portal Web page, the HiPath Wireless Controller carries out the authentication
and implements policy.
To define authentication by Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set up authentication by
Captive Portal for. The Topology tab is displayed.
3. Click the Auth & Acct tab. On the Auth & Acct tab, there are three options:
Auth – Use to define authentication servers.
MAC – Use to define servers for MAC-based authentication.
Acct – Use to define accounting servers.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
164 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
4. Click Auth. The Authentication fields are displayed.
5. From the RADIUS drop-down list, select the server you want to use for Captive Portal
authentication, and then click Use. The server’s default information is displayed.
The RADIUS servers are defined in the Global Settings screen. For more information, see
Section 6.8, “VNS global settings”, on page 144.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 165
Virtual Network configuration
Authentication for a VNS
The selected server is no longer available in the RADIUS drop-down list.
The server name is now displayed in the list of configured servers, next to the Up and
Down buttons, where it can be prioritized for RADIUS redundancy. The server can also be
assigned again for MAC-based authentication or accounting purposes.
A red asterisk is displayed next to Auth, indicating that a server has been assigned.
6. In the Port box, type the port used to access the RADIUS server. The default is 1812.
7. In the # of Retries box, type the number of times the HiPath Wireless Controller will
attempt to access the RADIUS server.
8. In the Timeout box, type the maximum time that a HiPath Wireless Controller will wait for
a response from the RADIUS server before attempting again.
9. In the NAS Identifier box, type the Network Access Server (NAS) identifier. The NAS
identifier is a RADIUS attribute that identifies the server responsible for passing information
to designated RADIUS servers and then acting on the response returned. This is an
optional step.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
166 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
10. In the Auth. Type drop-down list, select the authentication protocol to be used by the
RADIUS server to authenticate the wireless device users. The authentication protocol
applies to a VNS with Captive Portal authentication:
PAP – Password Authentication Protocol
CHAP – Challenge Handshake Authentication Protocol
MS-CHAP – Windows-specific version of CHAP
MS-CHAP2 – Windows-specific version of CHAP, version 2
11. In the Include VSA Attributes section, click the appropriate checkboxes to include the
Vendor Specific Attributes in the message to the RADIUS server:
AP’s
VNS’s
SSID
The Vendor Specific Attributes must be defined on the RADIUS server.
12. If appropriate, click the Reset to Primary checkbox. This checkbox is visible when a
RADIUS server has not yet been selected as a primary server, or if the server you are
configuring has already been selected as the primary server, the Reset to Primary
checkbox is selected.
RADIUS redundancy defines additional backup RADIUS servers that the system will
attempt to communicate with in case a connection with the identified primary server fails.
If connection to an active primary server fails, the system automatically attempts to connect
to one of the alternate servers in sequence. If the system succeeds in registering with a
defined alternate server, it becomes the active primary server, which is identified by the A
on the list. You can subsequently reset or change the identification of the primary server
by clicking the applicable Reset to Primary checkbox.
13. To save your changes, click Save.
7.3.2.1 Defining the RADIUS server priority for RADIUS redundancy
If more than one server has been defined for any type of authentication, you can define the
priority of the servers in the case of failover.
>If you have already assigned a server to either MAC-based authentication or
accounting, and you want to use it again for authentication, highlight its name in
the list next to the Up and Down buttons and select the Use server for
Authentication checkbox. The server’s default information is displayed.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 167
Virtual Network configuration
Authentication for a VNS
In the event of a failover of the main RADIUS server—if there is no response after the set
number of retries—then the other servers in the list will be polled on a round-robin basis until a
server responds.
If one of the other servers becomes the active server during a failover, when the new active
server properties are displayed the Set as primary server checkbox is selected.
If all defined RADIUS servers fail to respond, a critical message is generated in the logs.
To define the RADIUS server priority for RADIUS redundancy:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define the RADIUS server
priority for. The Topology tab is displayed.
3. Click the Auth & Acct tab.
4. From the drop-down list, select the servers group you want to prioritize:
Configured Servers
Authentication Servers
MAC Servers
Accounting Servers
5. In the server list, select the RADIUS server and click Up or Down to arrange the order. The
first server in the list is the active one.
6. To test the HiPath Wireless Controller’s connection to all configured RADIUS servers, click
Test. The Test RADIUS servers screen displays the message transaction with the RADIUS
server, which allows you to visually verify the state of the server connection and user
authentication.
The RADIUS test is a test of connectivity to the RADIUS server, not of full RADIUS
functionality. AAA VNSs use EAP over RADIUS for authentication. The HiPath Wireless
Controller’s EAP RADIUS connectivity test initiates an Access-Request, to which the
RADIUS server will respond with a challenge. If the challenge is received then the test is
deemed to have succeeded. If the challenge is not received then the test is deemed to have
failed. In either case, the test ends at this point; for AAA VNSs, there is no need for a client
password below.
7. In the User ID box, type the user ID that you know can be authenticated.
8. In the Password box, type the corresponding password.
9. Click Test. The Test Result screen is displayed.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
168 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
10. To view a summary of the RADIUS configuration, click View Summary. The RADIUS
summary screen is displayed.
11. To save your changes, click Save.
7.3.2.2 Configuring Captive Portal for internal or external authentication
There are three Captive Portal options:
No Captive Portal Support
Internal Captive Portal – Define the parameters of the internal Captive Portal page
presented by the HiPath Wireless Controller, and the authentication request from the
HiPath Wireless Controller to the RADIUS server.
External Captive Portal – Define the parameters of the external Captive Portal page
presented by an external server. The authentication can be carried out by an external
authentication server or by the HiPath Wireless Controller request to a RADIUS server.
For more information, see Section 7.3.2.2, “To configure the Captive Portal settings for internal
Captive Portal:”, on page 169 or Section 7.3.2.2, “To configure the Captive Portal Settings for
external Captive Portal:”, on page 170.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 169
Virtual Network configuration
Authentication for a VNS
To configure the Captive Portal settings for internal Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure the Captive
Portal settings for. The Topology tab is displayed.
3. Click the Auth & Acct tab.
4. Click Configure Captive Portal Settings. The Captive Portal Configurations screen is
displayed.
5. Select the Internal Captive Portal option.
6. In the Login Label box, type the text that will appear as a label for the user login field.
7. In the Password Label box, type the text that will appear as a label for the user password
field.
8. In the Header URL box, type the location of the file to be displayed in the Header portion
of the Captive Portal screen. This page can be customized to suit your organization, with
logos or other graphics.
9. In the Footer URL box, type the location of the file to be displayed in the Footer portion of
the Captive Portal screen.
10. In the Message box, type the message that will appear above the Login box to greet the
user. For example, the message could explain why the Captive Portal page is appearing,
and instructions for the user.
11. In the Replace Gateway IP with FQDN box, type the appropriate name if a Fully Qualified
Domain Name (FQDN) is used as the gateway address.
12. In the Default Redirection URL box, type the URL to which the wireless device user will
be directed to before authentication.
13. In the right pane, select the appropriate checkboxes to include the following VSA Attributes
in the message to the authentication server:
AP Serial number
AP Name
VNS Name
SSID
7If you use logos or graphics, ensure that the graphics or logos are appropriately
sized. Large graphics or logos may force the login section out of view.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
170 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
MAC Address
14. In the right pane, select whether these VSA attributes apply to the header or footer of the
Captive Portal page.
The selections influence what URL is returned in either section. For example, wireless
users can be identified by which Wireless AP or which VNS they are associated with, and
can be presented with a Captive Portal Web page that is customized for those identifiers.
15. To provide users with a logoff button, select Logoff. The Logoff button launches a pop-up
logoff screen, allowing users to control their logoff.
16. To provide users with a status check button, select Status check. The Status check button
launches a pop-up window, which allows users to monitor session statistics such as
system usage and time left in a session.
17. To save your changes, click Save.
18. To see how the Captive Portal page you have designed will look, click View Sample Portal
Page.
To configure the Captive Portal Settings for external Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure the Captive
Portal settings for. The Topology tab is displayed.
3. Click the Auth & Acct tab.
4. Click Configure Captive Portal Settings. The Captive Portal Configurations screen is
displayed.
5. Select the External Captive Portal option.
6. In the HWC Connection drop-down list, select the IP address.
7. Type the port of the HiPath Wireless Controller.
If there is an authentication server configured for this VNS, the external Captive Portal
page on the external authentication server will send the request back to the HiPath
Wireless Controller to allow the HiPath Wireless Controller to continue with the RADIUS
authentication and filtering.
>In order for Captive Portal authentication to be successful, all the URLs
referenced in the Captive Portal setup must also be specifically identified and
allowed in the non-authenticated filter. For more information, see Section 7.6.2,
“Defining non-authenticated filters”, on page 182.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 171
Virtual Network configuration
Authentication for a VNS
In the Shared Secret box, type the password common to both the HiPath Wireless
Controller and the external Web server if you want to encrypt the information passed
between the HiPath Wireless Controller and the external Web server.
8. In the Redirection URL box, type the URL to which the wireless device user will be
directed to before authentication.
9. To save your changes, click Save.
7.3.3 Defining authentication for a VNS for AAA
If network assignment is AAA with 802.1x authentication, the wireless device must successfully
complete the user authentication verification prior to being granted network access. This
enforcement is performed by both the user's client and the AP. The wireless device's client utility
must support 802.1x. The user's EAP packets request for network access along with login
identification or a user profile is forwarded by the HiPath Wireless Controller to a RADIUS
server.
To define authentication by AAA (802.1x):
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set up authentication by
AAA for. The Topology tab is displayed.
3. Click the Auth & Acct tab. On the Auth & Acct tab, there are three options:
Auth – Use to define authentication servers.
MAC – Use to define servers for MAC-based authentication.
Acct – Use to define accounting servers.
>You must add a filtering rule to the non-authenticated filter that allows access to
the External Captive Portal site. For more information, see Section 6.6, “Filtering
for a VNS”, on page 141.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
172 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
4. Click Auth. The Authentication fields are displayed.
5. From the RADIUS drop-down list, select the server you want to use for Captive Portal
authentication, and then click Use. The server’s default information is displayed.
The RADIUS servers are defined in the Global Settings screen. For more information, see
Section 6.8, “VNS global settings”, on page 144.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 173
Virtual Network configuration
Authentication for a VNS
The selected server is no longer available in the RADIUS drop-down list.
The server name is now displayed in the list of configured servers, next to the Up and
Down buttons, where it can be prioritized for RADIUS redundancy. The server can also be
assigned again for MAC-based authentication or accounting purposes.
A red asterisk is displayed next to Auth, indicating that a server has been assigned.
6. In the Port box, type the port used to access the RADIUS server. The default is 1812.
7. In the # of Retries box, type the number of times the HiPath Wireless Controller will
attempt to access the RADIUS server.
8. In the Timeout box, type the maximum time that a HiPath Wireless Controller will wait for
a response from the RADIUS server before attempting again.
9. In the NAS Identifier box, type the Network Access Server (NAS) identifier. The NAS
identifier is a RADIUS attribute that identifies the server responsible for passing information
to designated RADIUS servers and then acting on the response returned. This is an
optional step.
10. In the Include VSA Attributes section, click the appropriate checkboxes to include the
Vendor Specific Attributes in the message to the RADIUS server:
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
174 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Authentication for a VNS
AP’s
VNS’s
SSID
The Vendor Specific Attributes must be defined on the RADIUS server.
11. If applicable, select Set as primary server.
12. To save your changes, click Save.
7.3.4 Defining MAC-based authentication for a VNS
MAC-based authentication enables network access to be restricted to specific devices by MAC
address. The HiPath Wireless Controller queries a RADIUS server for a MAC address when a
wireless client attempts to connect to the network.
MAC-based authentication can be set up on any type of VNS, in addition to the Captive Portal
or AAA authentication. To set up a RADIUS server for MAC-based authentication, you must set
up a user account with UserID=MAC and Password=MAC for each user. Specifying a MAC
address format and policy depends on which RADIUS server is being used.
If MAC-based authentication is to be used in conjunction with the 802.1x or Captive Portal
authentication, an additional account with a real UserID and Password must also be set up on
the RADIUS server.
MAC-based authentication responses may indicate to the HiPath Wireless Controller what VNS
a user should be assigned to. Authentication (if enabled) can apply on every roam.
To define MAC-based authentication for a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to set up MAC-based
authentication for. The Topology tab is displayed.
3. Click the Auth & Acct tab. On the Auth & Acct tab, there are three options:
Auth – Use to define authentication servers.
MAC – Use to define servers for MAC-based authentication.
>If you have already assigned a server to either MAC-based authentication or
accounting, and you want to use it again for authentication, highlight its name in
the list next to the Up and Down buttons and select the Use server for
Authentication checkbox. The server’s default information is displayed.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 175
Virtual Network configuration
Authentication for a VNS
Acct – Use to define accounting servers.
4. Click MAC. The MAC fields are displayed.
5. From the RADIUS drop-down list, select the server you want to use for MAC authentication,
and then click Use. The server’s default information is displayed and a red asterisk is
displayed next to MAC, indicating that a server has been assigned.
The RADIUS servers are defined in the Global Settings screen. For more information, see
Section 6.8, “VNS global settings”, on page 144.
6. If applicable, to use a server that has already been used for another type of authentication
or accounting, select the server you want to use for MAC authentication, and then select
User server for MAC Authentication.
7. In the Port box, type the port used to access the RADIUS server. The default is 1812.
8. In the # of Retries box, type the number of times the HiPath Wireless Controller will
attempt to access the RADIUS server.
9. In the Timeout box, type the maximum time, in seconds, that a HiPath Wireless Controller
will wait for a response from the RADIUS server before attempting again.
10. In the NAS IP Address box, type the Network Access Server (NAS) IP address.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
176 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Defining accounting methods for a VNS
11. In the NAS Identifier box, type the Network Access Server (NAS) identifier. The NAS
identifier is a RADIUS attribute that identifies the server responsible for passing information
to designated RADIUS servers and then acting on the response returned. This is an
optional step.
12. In the Auth. Type field, select the authentication protocol to be used by the RADIUS server
to authenticate the wireless device users for a Captive Portal VNS.
13. In the Include VSA Attributes section, click the appropriate checkboxes to include the
Vendor Specific Attributes in the message to the RADIUS server:
AP’s
VNS’s
SSID
The Vendor Specific Attributes must be defined on the RADIUS server.
14. If applicable, select Set as primary server.
15. To enable MAC-based authentication on roam, select the MAC-based authentication on
roam checkbox.
16. To save your changes, click Save.
7.4 Defining accounting methods for a VNS
The next step in configuring a VNS is to define the methods of accounting. Accounting tracks
the activity of a wireless device users. There are two types of accounting available:
HiPath Wireless Controller accounting – Enables the HiPath Wireless Controller to
generate Call Data Records (CDRs) in a flat file on the HiPath Wireless Controller.
RADIUS accounting – Enables the HiPath Wireless Controller to generate an accounting
request packet with an accounting start record after successful login by the wireless device
user, and an accounting stop record based on session termination. The HiPath Wireless
Controller sends the accounting requests to a remote RADIUS server.
HiPath Wireless Controller accounting creates Call Data Records (CDRs) in a standard format
of authenticated user sessions, such as start time and duration of session. The CDRs are
stored in flat files that can be downloaded via the Command Line Interface (CLI).
If RADIUS accounting is enabled, a RADIUS accounting server needs to be specified.
>Only select this checkbox if you are using MAC based authentication and if you
want your clients to be authorized every time they roam to another AP. If this
feature is not enabled, and MAC-based authentication is in use, the client is
authenticated only at the start of a session.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 177
Virtual Network configuration
Defining RADIUS filter policy for VNSs and VNS groups
To define accounting methods for a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define accounting methods
for. The Topology tab is displayed.
3. Click the Auth & Acct tab.
4. To enable HiPath Wireless Controller accounting, select Collect Accounting Information
of Wireless Controller.
5. From the RADIUS drop-down list, select the server you want to use for RADIUS
accounting, and then click Use. The server’s default information is displayed and a red
asterisk is displayed next to Acct, indicating that a server has been assigned.
The RADIUS servers are defined in the Global Settings screen. For more information, see
Section 6.8, “VNS global settings”, on page 144.
6. Select Use server for RADIUS Accounting.
7. In the Port box, type the port used to access the RADIUS server. The default is 1812.
8. In the # of Retries box, type the number of times the HiPath Wireless Controller will
attempt to access the RADIUS server.
9. In the Timeout box, type the maximum time that a HiPath Wireless Controller will wait for
a response from the RADIUS server before attempting again.
10. In the Interim Interval box, type the time interval when accounting records are sent.
Interim accounting records are sent if the interim time interval is reached before the
session ends. The default is 60 minutes.
11. To save your changes, click Save.
7.5 Defining RADIUS filter policy for VNSs and VNS groups
The next step in configuring a VNS is to define the filter ID values for a VNS. These filter ID
values must match those set up on the RADIUS servers.
>This configuration step is optional. If filter ID values are not defined, the system uses
the default filter as the applicable filter group for authenticated users within a VNS.
However, if more user-specific filter definitions are required, for example filters based
on a user’s department, then the filter ID configuration is used to overwrite the
default assignment.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
178 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Defining RADIUS filter policy for VNSs and VNS groups
In addition to the filter ID values, you can also set up a group ID for a VNS with AAA
authentication. You can set up a group within a VNS that relies on the RADIUS attribute Login-
LAT-Group (RFC2865). For each group, you can define filtering rules to control access to the
network.
If you define a group within an AAA VNS, the group (or child) definition acquires the same
authentication and privacy parameters as the parent VNS. However, you need to define a
different topology and filtering rules for this group.
All the filters are exposed. For the Assignment by SSID with no authentication, the filter that is
applied to the client session is the default filter.
To define the filter ID values on a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define filter ID values for.
The Topology tab is displayed.
3. Click the RAD Policy tab.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 179
Virtual Network configuration
Configuring filtering rules for a VNS
4. In the Filter ID Values box, type the name of a group that you want to define specific
filtering rules for to control network access.
5. Click the corresponding Add button. The filter ID value is displayed in the list. These filter
ID values will appear in the Filter ID list on the Filtering tab. These filter ID values must
match those set up for the filter ID attribute in the RADIUS server.
6. If applicable, repeat steps 4 and 5 to add additional filtering ID values.
7. In the VNS Group Name box, type the name of a VNS group you want to create and define
within the selected parent VNS.
8. Click the corresponding Add button. The Group Name will appear as a child of the parent
VNS in the left pane Virtual Networks list.
9. To your changes, click Save.
7.6 Configuring filtering rules for a VNS
The next step in configuring a VNS is to configure the filtering rules for a VNS.
In an AAA VNS, a non-authenticated filter is unnecessary because users have already been
authenticated. When authentication is returned, the filter ID group filters are applied. For AAA,
a VNS can have a sub-group with Login-LAT-group ID that has its own filtering rules. If no filter
ID matches are found, then the default filter is applied. VNS Policy is also applicable for Captive
Portal and MAC-based authorization.
7.6.1 Filtering rules for an exception filter
The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered
to the controller. By default, your system is shipped with a set of restrictive filtering rules that
help control access through the interfaces to only absolutely necessary services.
By configuring to allow management on an interface, an additional set of rules is added to the
shipped filter rules that provide access to the system's management configuration framework
(SSH, HTTPS, SNMPAgent). Most of this functionality is handled directly behind the scenes by
the system, rolling and un-rolling canned filters as the system's topology and defined access
privileges for an interface change.
The visible exception filters definitions, both in physical ports and VNS definitions, allow
administrators to define a set of rules to be prepended to the system's dynamically updated
exception filter protection rules. Rule evaluation is performed top to bottom, until an exact
>An interface for which Allow Management is enabled, can be reached by any other
interface. By default, Allow Management is disabled and shipped interface filters
will only permit the interface to be visible directly from it's own subnet.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
180 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
match is determined. Therefor, these user-defined rules are evaluated before the system’s own
generated rules. As such, these user-defined rules may inadvertently create security lapses in
the system's protection mechanism or create a scenario that filters out packets that are
required by the system.
The exception rules are evaluated in the context of referring to the specific controller's interface.
The destination address for the filter rule definition is typically defined as the interface's own IP
address. The port number for the filter definition corresponds to the target (destination) port
number for the applicable service running on the controller's management plane.
The exception filter on an VNS applies only to the destination portion of the packet. Traffic to a
specified IP address and IP port is either allowed or denied. Adding exception filtering rules
allows network administrators to either tighten or relax the built-in filtering that automatically
drops packets not specifically allowed by filtering rule definitions. The exception filtering rules
can deny access in the event of a DoS attack, or can allow certain types of management traffic
that would otherwise be denied. Typically, Allow Management is enabled
To define filtering rules for an exception filter:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define filter ID values for.
The Topology tab is displayed.
3. Click the Filtering tab.
4. From the Filter ID drop-down list, select Exception.
>Use exception filters only if absolutely necessary. It is recommended to avoid
defining general allow all or deny all rule definitions since those definitions can easily
be too liberal or too restrictive to all types of traffic.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 181
Virtual Network configuration
Configuring filtering rules for a VNS
5. For each filtering rule you are defining, do the following:
In the IP/subnet:port box, type the destination IP address. You can also specify an IP
range, a port designation, or a port range on that IP address.
In the Protocol drop-down list, select the applicable protocol. The default is N/A.
6. Define a rule to allow access to the default gateway for this VNS:
Select IP/Port.
Type the default gateway IP address (VNS' IP address) that you defined in the
Topology tab for this VNS.
7. Click Add. The information is displayed in the Filter Rules section of the tab.
8. Select the new filter, then select the Allow checkbox applicable to the rule you defined.
9. Edit the order of a filter by selecting the filter and clicking the Up and Down buttons. The
filtering rules are executed in the order you define here.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
182 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
10. To save your changes, click Save.
7.6.2 Defining non-authenticated filters
Defining non-authenticated filters allows administrators to identify destinations to which a user
is allowed to access without incurring an authentication redirection. Typically, the
recommended default rule is to deny all. Administrators should define a rule set that will permit
users to access essential services:
DNS (IP of DNS server)
Default Gateway (VNS Interface IP)
Any HTTP streams requested by the client for denied targets will be redirected to the specified
location.
The non-authenticated filter should allow access to the Captive Portal page IP address, as well
as to any URLs for the header and footer of the Captive Portal page. This filter should also allow
network access to the IP address of the DNS server and to the network address—the gateway
of the VNS. The VNS gateway is used as the IP for an internal Captive Portal page. An external
Captive Portal will provide a specific IP definition of a server outside the HiPath Wireless
Controller.
Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user
attempting to reach Websites other than those specifically allowed in the non-authenticated
filter will be redirected to the allowed destinations. Most HTTP traffic outside of those defined
in the non-authenticated filter will be redirected.
The non-authenticated filter is applied by the HiPath Wireless Controller to sessions until they
successfully complete authentication. The authentication procedure results in an adjustment to
the user's applicable filters for access policy. The authentication procedure may result in the
specification of a specific filter ID or the application of the default filter for the VNS.
Typically, default filter ID access is less restrictive than a non-authenticated profile. It is the
administrator’s responsibility to define the correct set of access privileges.
>For external Captive Portal, you need to add an external server to a
non-authentication filter.
>Although non-authenticated filters definitions are used to assist in the redirection of
HTTP traffic for restricted or denied destinations, the non-authenticated filter is not
restricted to HTTP operations. The filter definition is general. Any traffic other than
HTTP that the filter does not explicitly allow will be discarded by the controller.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 183
Virtual Network configuration
Configuring filtering rules for a VNS
To define filtering rules for a non-authenticated filter:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define filter ID values for.
The Topology tab is displayed.
3. Click the Filtering tab.
4. From the Filter ID drop-down list, select Non-Authenticated.
The Filtering tab automatically provides a Deny All rule already in place. Use this rule as
the final rule in the non-authenticated filter for Captive Portal.
5. For each filtering rule you are defining, do the following:
In the IP/subnet:port box, type the destination IP address. You can also specify an IP
range, a port designation, or a port range on that IP address.
In the Protocol drop-down list, select the applicable protocol. The default is N/A.
6. For Captive Portal assignment, define a rule to allow access to the default gateway for this
VNS:
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
184 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
Select IP/Port.
Type the default gateway IP address that you defined in the Topology tab for this VNS.
7. Click Add. The information is displayed in the Filter Rules section of the tab.
8. Select the new filter, then do the following:
If applicable, select In to refer to traffic from the wireless device that is trying to get on
the network.
If applicable, select Out to refer to traffic from the network host that is trying to get to
a wireless device.
Select the Allow checkbox applicable to the rule you defined.
9. Edit the order of a filter by selecting the filter and clicking the Up and Down buttons. The
filtering rules are executed in the order you define here.
10. To save your changes, click Save.
7.6.2.1 Non-authenticated filter examples
A basic non-authenticated filter for internal Captive Portal should have three rules, in the
following order:
>Administrators must ensure that the non-authenticated filter allows access to the
corresponding authentication server:
Internal Captive Portal – IP address of the VNS interface
External Captive Portal – IP address of external Captive Portal server
In Out Allow IP / Port Description
x x x IP address of default
gateway (VNS Interface
IP)
Allow all incoming wireless devices access
to the default gateway of the VNS.
x x x IP address of the DNS
Server
Allow all incoming wireless devices access
to the DNS server of the VNS.
x x *.*.*.* Deny everything else.
Table 15 Non-authenticated filter example A
>For external Captive Portal, an additional rule to Allow (in/out) access to the external
Captive Portal authentication/Web server is required.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 185
Virtual Network configuration
Configuring filtering rules for a VNS
If you place URLs in the header and footer of the Captive Portal page, you must explicitly allow
access to any URLs mentioned in the authentication's server page, such as:
Internal Captive Portal – URLs referenced in a header or footer
External Captive Portal – URLs mentioned in the page definition
Here is another example of a non-authenticated filter that adds two more filtering rules. The two
additional rules do the following:
Deny access to a specific IP address.
Allows only HTTP traffic.
Once a wireless device user has logged in on the Captive Portal page, and has been
authenticated by the RADIUS server, then the following filters will apply:
Filter ID – If a filter ID associated with this user was returned by the authentication server.
Default filter – If no matching filter ID was returned from the authentication server
7.6.3 Filtering rules for a filter ID group
When the wireless device user provides the identification credentials, identification is sent by
the HiPath Wireless Controller to the RADIUS server, or other authentication server, through a
sequence of exchanges depending on the type of authentication protocol used.
When the server allows this request for authentication—the server sends an access-accept
message, the RADIUS server may also send back to the HiPath Wireless Controller a filter ID
attribute value associated with the user. For an AAA VNS, a Login-LAT-Group identifier for the
user may also be returned. VNS Policy is also applicable for Captive Portal and MAC-based
authorization.
In Out Allow IP / Port Description
x x x IP address of the default
gateway
Allow all incoming wireless devices access
to the default gateway of the VNS.
x x x IP address of the DNS
Server
Allow all incoming wireless devices access
to the DNS server of the VNS.
x x [a specific IP address, or
address plus range]
Deny all traffic to a specific IP address, or to
a specific IP address range (such as:0/24).
x x *.*.*.*:80 Deny all port 80 (HTTP) traffic.
x x *.*.*.* Deny everything else.
Table 16 Non-authenticated filter example B
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
186 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
If the filter ID attribute value (or Login-LAT-Group attribute value) from the RADIUS server
matches a filter ID value that you have set up on the HiPath Wireless Controller, the HiPath
Wireless Controller applies the filtering rules that you defined for that filter ID value to the
wireless device user.
If no filter ID is returned by the authentication server, or no match is found on the HiPath
Wireless Controller, the filtering rules in the default filter will apply to the wireless device user.
To define filtering rules for a filter ID group:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define filtering rules for a
filter ID group. The Topology tab is displayed.
3. Click the Filtering tab.
4. From the Filter ID drop-down list, select one of the names you defined in the Filter ID
Values field on the RAD Policy tab. For example, select one of your organization’s user
groups, such as Sales, Engineering, Teacher, Guest, etc.
The Filtering tab automatically provides a Deny All rule already in place. This rule can be
modified to Allow All, if appropriate to the network access needs for this VNS.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 187
Virtual Network configuration
Configuring filtering rules for a VNS
5. For each filtering rule you are defining, do the following:
In the IP/subnet:port box, type the destination IP address. You can also specify an IP
range, a port designation, or a port range on that IP address.
In the Protocol drop-down list, select the applicable protocol. The default is N/A.
6. Click Add. The information is displayed in the Filter Rules section of the tab.
7. Select the new filter, then do the following:
If applicable, select In to refer to traffic from the wireless device that is trying to get on
the network.
If applicable, select Out to refer to traffic from the network host that is trying to get to
a wireless device.
Select the Allow checkbox applicable to the rule you defined.
8. Edit the order of a filter by selecting the filter and clicking the Up and Down buttons. The
filtering rules are executed in the order you define here.
9. To save your changes, click Save.
7.6.3.1 Filtering rules by filter ID examples
Below are two examples of possible filtering rules for a filter ID. The first example disallows
some specific access before allowing everything else.
The second example does the opposite of the first example. It allows some specific access and
denies everything else.
In Out Allow IP / Port Description
x x *.*.*.*:22-23 SSH and telnet sessions
x x [specific IP address, range] Deny all traffic to a specific IP address or
address range
x x x *.*.*.*. Allow everything else
Table 17 Filtering rules by filter ID example A
In Out Allow IP / Port Description
x x x [specific IP address, range] Allow traffic to a specific IP address or
address range.
x x *.*.*.*. Deny everything else.
Table 18 Filtering rules by filter ID example B
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
188 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
7.6.4 Filtering rules for a default filter
After authentication of the wireless device user, the default filter will apply only after:
No match is found for the Exception filter rules.
No filter ID attribute value is returned by the authentication server for this user.
No match is found on the HiPath Wireless Controller for a filter ID value.
The final rule in the default filter should be a catch-all rule for any traffic that did not match a
filter. A final Allow All rule in a default filter will ensure that a packet is not dropped entirely if no
other match can be found. VNS Policy is also applicable for Captive Portal and MAC-based
authorization.
To define the filtering rules for a default filter:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to define the filtering rules
for a default filter. The Topology tab is displayed.
3. Click the Filtering tab.
4. From the Filter ID drop-down list, select Default.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 189
Virtual Network configuration
Configuring filtering rules for a VNS
The Filtering tab automatically provides a Deny All rule already in place. This rule can be
modified to Allow All, if appropriate to the network access needs for this VNS.
7.6.4.1 Default filter examples
The following are examples of filtering rules for a default filter:
In Out Allow IP / Port Description
x x Intranet IP, range Deny all access to an IP range
x x Port 80 (HTTP) Deny all access to Web browsing
x x Intranet IP Deny all access to a specific IP
x x x *.*.*.*. Allow everything else
Table 19 Default filter example A
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
190 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring filtering rules for a VNS
7.6.4.2 Filtering rules for an AAA child group VNS
If you defined a child group for an AAA VNS, it will have the same authentication parameters
and filter IDs as the parent VNS. However, you can define different filtering rules for the filters
IDs in the child configuration from those in the parent configuration.
7.6.4.3 Filtering rules between two wireless devices
Traffic from two wireless devices that are on the same VNS and are connected to the same
Wireless AP will pass through the HiPath Wireless Controller and therefore be subject to
filtering policy. You can set up filtering rules that allow each wireless device access to the
default gateway, but also prevent each device from communicating with each other.
Add the following two rules to a filter ID filter, before allowing everything else:
In Out Allow IP / Port Description
x Port 80 (HTTP) on host IP Deny all incoming wireless devices
access to Web browsing the host
x Intranet IP 10.3.0.20, ports
10-30
Deny all traffic from the network to the
wireless devices on the port range, such
as TELNET (port 23) or FTP (port 21)
x x Intranet IP 10.3.0.20 Allow all other traffic from the wireless
devices to the Intranet network
x x Intranet IP 10.3.0.20 Allow all other traffic from Intranet network
to wireless devices
x x x *.*.*.*. Allow everything else
Table 20 Default filter example B
In Out Allow IP / Port Description
x x x [Intranet IP] Allow access to the Gateway IP address of the
VNS only
x x [Intranet IP, range] Deny all access to the VNS subnet range (such as
0/24)
x x x *.*.*.*. Allow everything else
Table 21 Rules between two wireless devices
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 191
Virtual Network configuration
Enabling multicast for a VNS
7.7 Enabling multicast for a VNS
A mechanism that supports multicast traffic can be enabled as part of a VNS definition. This
mechanism is provided to support the demands of VoIP and IPTV network traffic, while still
providing the network access control.
Define a list of multicast groups whose traffic is allowed to be forwarded to and from the VNS.
The default behavior is to drop the packets. For each group defined, you can enable Multicast
Replication by group.
To enable multicast for a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to enable Multicast for. The
Topology tab is displayed.
3. Click the Multicast tab.
>Before enabling multicast filters and depending on the topology of the VNS, you may
need to define which physical interface to use for multicast relay. Define the multicast
port on the IP Addresses screen. For more information, see Section 4.2.4, “Setting
up the data ports”, on page 78.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
192 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Enabling multicast for a VNS
4. To enable the multicast function, click Enable Multicast Support.
5. Define the multicast groups by selecting one of the radio buttons:
IP Group – Type the IP address range.
Defined groups – Select from the drop-down list.
6. Click Add. The group is added to the list above.
7. To enable the wireless multicast replication for this group, select the corresponding
Wireless Replication checkbox.
8. To modify the priority of the multicast groups, select the group row and click the Up or
Down buttons.
A Deny All rule is automatically added as the last rule, IP = *.*.*.* and the Wireless
Replication checkbox is not selected. This rule ensures that all other traffic is dropped.
9. To save your changes, click Save.
>The multicast packet size should not exceed 1450 bytes.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 193
Virtual Network configuration
Configuring privacy for a VNS
7.8 Configuring privacy for a VNS
Privacy is a mechanism that protects data over wireless and wired networks, usually by
encryption techniques. The following section describes how the Privacy mechanism is handled
for a Captive Portal VNS and an AAA VNS.
7.8.1 Privacy for a VNS for Captive Portal
For the Captive Portal VNS, there are three options for the privacy mechanism:
None
Static Wired Equivalent Privacy (WEP) – Keys for a selected VNS, so that it matches the
WEP mechanism used on the rest of the network. Each radio can support up to eight
SSIDs (16 per AP). Each AP can participate in up to 50 VNSs. For each VNS, only one
WEP key can be specified. It is treated as the first key in a list of WEP keys.
Wi-Fi Protected Access (WPA) Pre-Shared key (PSK) – Privacy in PSK mode, using a
Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK is a security solution
that adds authentication to enhanced WEP encryption and key management. WPA-PSK
mode does not require an authentication server. It is suitable for home or small office.
To configure privacy by static WEP for a Captive Portal VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure privacy by static
WEP for a Captive Portal. The Topology tab is displayed.
3. Click the Privacy tab.
4. Select Static Keys (WEP).
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
194 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring privacy for a VNS
5. From the WEP Key Length drop-down list, select the WEP encryption key length:
40-bit
104-bit
128-bit
6. Select one of the following input methods:
Input Hex – If you select Input Hex, type the WEP key input in the WEP Key box. The
key is generated automatically, based on the input.
Input String – If you select Input String, type the secret WEP key string used for
encrypting and decrypting in the WEP Key String box. The WEP Key box is
automatically filled by the corresponding Hex code.
7. To save your changes, click Save.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 195
Virtual Network configuration
Configuring privacy for a VNS
To configure privacy by WPA-PSK for a Captive Portal VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure privacy by WPA-
PSK for a Captive Portal. The Topology tab is displayed.
3. Click the Privacy tab.
4. Select WPA-PSK.
5. To enable WPA v1 encryption, select WPA v.1.
6. If WPA v.1 is enabled, select one of the following encryption types from the Encryption
drop-down list:
Auto – The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE
802.11i encryption protocol that uses the encryption cipher AES (Advanced
Encryption Standard). Auto is the default.
TKIP only – The AP will advertise TKIP as an available encryption protocol for WPAv1.
It will not advertise CCMP.
7. To enable WPA v2-type encryption, select WPA v.2.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
196 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring privacy for a VNS
8. To enable re-keying after a time interval, select Broadcast re-key interval.
If this checkbox is not selected, the Broadcast encryption key is never changed and the
Wireless AP will always use the same broadcast key for Broadcast/Multicast
transmissions. This will reduce the level of security for wireless communications.
9. In the Broadcast re-key interval box, type the time interval after which the broadcast
encryption key is changed automatically. The default is 3600.
10. In the Pre-Shared Key box, type the shared secret key to be used between the wireless
device and Wireless AP. The shared secret key is used to generate the 256-bit key.
11. In order to proofread your entry before saving the configuration, click Unmask to display
the Pre-Shared Key. To mask the key, click Mask.
12. To save your changes, click Save.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 197
Virtual Network configuration
Configuring privacy for a VNS
7.8.2 Privacy for a VNS for AAA
For a VNS with authentication by 802.1x (AAA), there are four Privacy options:
Static keys (WEP)
Dynamic keys
Wi-Fi Protected Access (WPA) version 1, with encryption by Temporal Key Integrity
Protocol (TKIP)
Wi-Fi Protected Access (WPA) version 2, with encryption by Advanced Encryption
Standard with Counter-Mode/CBC-MAC Protocol (AES-CCMP)
To set up static WEP privacy for an AAA VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the AAA VNS you want to configure privacy by
WPA-PSK for a Captive Portal. The Topology tab is displayed.
3. Click the Privacy tab.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
198 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring privacy for a VNS
4. Select Static Keys (WEP).
5. From the WEP Key Length drop-down list, select the WEP encryption key length:
40-bit
104-bit
128-bit
6. Select one of the following input methods:
Input Hex – If you select Input Hex, type the WEP key input in the WEP Key box. The
key is generated automatically, based on the input.
Input String – If you select Input String, type the secret WEP key string used for
encrypting and decrypting in the WEP Key String box. The WEP Key box is
automatically filled by the corresponding Hex code.
7. To save your changes, click Save.
7.8.2.1 Dynamic WEP privacy for an AAA VNS
The dynamic key WEP mechanism changes the key for each user and each session.
To set up dynamic WEP privacy for a selected AAA VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the AAA VNS you want to set up dynamic WEP
privacy for. The Topology tab is displayed.
3. Click the Privacy tab.
4. Select Dynamic Keys.
5. To save your changes, click Save.
7.8.2.2 Wi-Fi Protected Access (WPA v1 and WPA v2) Privacy for an AAA VNS
The VNS Privacy feature supports Wi-Fi Protected Access (WPA v1 and WPA v2), a security
solution that adds authentication to enhanced WEP encryption and key management.
The authentication portion of WPA for AAA is in Enterprise Mode:
Specifies 802.1x with Extensible Authentication Protocol (EAP)
Requires a RADIUS or other authentication server
Uses RADIUS protocols for authentication and key distribution
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 199
Virtual Network configuration
Configuring privacy for a VNS
Centralizes management of user credentials
The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:
A per-packet key mixing function that shares a starting key between devices, and then
changes their encryption key for every packet (unicast key) or after the specified re-key
time interval (broadcast key) expires
An extended WEP key length of 256-bits
An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult
to compromise
A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before
the standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to
calculate and compare, between sender and receiver, the value of all bits in a message,
which ensures that the message has not been tampered with.
The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES includes:
A 128 bit key length, for the WPA2/802.11i implementation of AES
Four stages that make up one round. Each round is iterated 10 times.
A per-packet key mixing function that shares a starting key between devices, and then
changes their encryption key for every packet or after the specified re-key time interval
expires.
The Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for a block
cipher that enables a single key to be used for both encryption and authentication. The two
underlying modes employed in CCM include:
Counter mode (CTR) that achieves data encryption
Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide data
integrity
The following is an overview of the WPA authentication and encryption process:
Step one – The wireless device client associates with Wireless AP.
Step two – Wireless AP blocks the client's network access while the authentication
process is carried out (the HiPath Wireless Controller sends the authentication request to
the RADIUS authentication server).
Step three – The wireless client provides credentials that are forwarded by the HiPath
Wireless Controller to the authentication server.
Step four – If the wireless device client is not authenticated, the wireless client stays
blocked from network access.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
200 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring privacy for a VNS
Step five – If the wireless device client is authenticated, the HiPath Wireless Controller
distributes encryption keys to the Wireless AP and the wireless client.
Step six – The wireless device client gains network access via the Wireless AP, sending
and receiving encrypted data. The traffic is controlled with permissions and policy applied
by the HiPath Wireless Controller.
To set up Wi-Fi Protected Access privacy (WPA) for an AAA VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the AAA VNS you want to configure privacy by
WPA-PSK for a Captive Portal. The Topology tab is displayed.
3. Click the Privacy tab.
4. Select WPA.
5. To enable WPA v1 encryption, select WPA v.1.
6. From the Encryption drop-down list, select one of the following encryption types:
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 201
Virtual Network configuration
Defining a VNS with no authentication
Auto – The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block
Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE
802.11i encryption protocol that uses the encryption cipher AES (Advanced
Encryption Standard). Auto is the default.
TKIP only – The AP will advertise TKIP as an available encryption protocol for WPAv1.
It will not advertise CCMP.
7. To enable re-keying after a time interval, select Broadcast re-key interval.
If this checkbox is not selected, the Broadcast encryption key is never changed and the
Wireless AP will always use the same broadcast key for Broadcast/Multicast
transmissions. This will reduce the level of security for wireless communications.
8. In the Broadcast re-key interval box, type the time interval after which the broadcast
encryption key is changed automatically. The default is 3600.
9. To save your changes, click Save.
7.9 Defining a VNS with no authentication
You can set up a VNS that will bypass all authentication mechanisms and run Controller,
Access Points and Convergence Software with no authentication of a wireless device user.
A VNS with no authentication can still control network access using filtering rules. For more
information on how to set up filtering rules that allow access only to specified IP addresses and
ports, see Section 7.6.2, “Defining non-authenticated filters”, on page 182.
To define a VNS with no authentication:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure with no
authentication. The Topology tab is displayed.
3. From the Assignment by drop-down list, select SSID.
4. Configure the topology for this VNS, then click Save. For more information, see Section
7.1.1, “Configuring topology for a VNS for Captive Portal”, on page 151. You must save your
changes before moving to the next tab.
5. Click the Auth & Acct tab.
6. Click Configure Captive Portal Settings. The Captive Portal Configurations subscreen
is displayed.
7. Select No Captive Portal Support. You must save your changes before moving to the next
tab.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
202 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Defining priority level and service class for VNS traffic
8. Click the Filtering tab.
9. Define a default filter that will control specific network access for any wireless device users
on this VNS. For more information, see Section 7.6, “Configuring filtering rules for a VNS”,
on page 179.
These rules should be very restrictive and the final rule should be a Deny All rule. The
non-authenticated filter for a VNS with no authentication will not have a Captive Portal page
for login.
10. To save your changes, click Save.
7.10 Defining priority level and service class for VNS traffic
Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks are enabling the
integration of internet telephony technology on wireless networks. Various issues including
Quality-of-Service (QoS), call control, network capacity, and network architecture are factors in
VoIP over 802.11 WLANs.
Wireless voice data requires a constant transmission rate and must be delivered within a time
limit. This type of data is called isochronous data. This requirement for isochronous data is in
contradiction to the concepts in the 802.11 standard that allow for data packets to wait their
turn, in order to avoid data collisions. Regular traffic on a wireless network is an asynchronous
process in which data streams are broken up by random intervals.
To reconcile the needs of isochronous data, mechanisms are added to the network that give
voice data traffic or another traffic type priority over all other traffic, and allow for continuous
transmission of data.
In order to provide better network traffic flow, the Controller, Access Points and Convergence
Software provides advanced Quality of Service (QoS) management. These management
techniques include:
WMM (Wi-Fi Multimedia) – Enabled globally on the Wireless AP, the standard provides
multimedia enhancements that improve the user experience for audio, video, and voice
applications. WMM is part of the 802.11e standard for QoS.
IP ToS (Type of Service) or DSCP (Diffserv Codepoint) – The ToS/DSCP field in the IP
header of a frame is used to indicate the priority and Quality of Service for each frame. The
IP TOS and/or DSCP is maintained within CTP (CAPWAP Tunneling Protocol) by copying
the user IP QoS information to the CTP header—this is referred to as Adaptive QoS.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 203
Virtual Network configuration
Defining priority level and service class for VNS traffic
7.10.1 Defining the service class for the VNS
Service class is determined by the combination of the following operations:
The class of treatment given to a packet. For example, queuing or per hop behavior (PHB).
The packet marking of the output packets (user traffic and/or transport).
Table 22 Service classes
The service class is equivalent to the 802.1D UP (user priority) with the exception that its scale
is linear:
Table 23 Relationship between service class and 802.1D UP.
Service class name (number) Priority level
Network Control (7) 7 (highest priority)
Premium (Voice) (6) 6
Platinum (video) (5) 5
Gold (4) 4
Silver (3) 3
Bronze (2) 2
Best Effort (1) 1
Background (0) 0 (lowest priority)
SC name SC Value 802.1d UP AC Queue
Network Control 7 7 VO VO or TVO
Premium (voice) 6 6 VO VO or TVO
Platinum (video) 5 5 VI VI
Gold 4 4 VI VI
Silver 3 3 BE BE
Bronze 2 0 BE BE
Best Effort 1 2 BK BK
Background 0 1 BK BK
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
204 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Working with Quality of Service (QoS)
7.10.2 Configuring the priority override
Priority override allows you to define the desired priority level. Priority override can be used with
any combination, as shown in Table 24. You can user is allowed to configure the service class
(L2 override) and the DSCP values (L3 override values).
When Priority Override is enabled, the configured service class overrides the queue selection
in the downlink direction, the 802.1P UP for the VLAN tagged Ethernet packets, and the UP for
the wireless QoS packets (WMM or 802.11e) according to the mapping in Table 23. If Priority
Override is enabled and the VNS is not locally bridged, the configured DSCP value is used to
tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP
header of the user packet.
7.11 Working with Quality of Service (QoS)
QoS policy is configured for each VNS and applies to routed, bridged at AP, and bridged at
controller VNSs.
Each VNS has a configurable policy for the QoS characteristics of the VNS. For every user
associated with the VNS there will be a different behavior on the wireless traffic.
7.11.1 QoS modes
You can enable the following Qos modes for a VNS:
Legacy – If enabled, the AP will classify and prioritize the downlink traffic for all clients
according to the same rules used for the WMM and 802.11e.
WMM – If enabled, the AP will accept WMM client associations, and will classify and
prioritize the downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
802.11e – If enabled, the AP will accept WMM client associations, and will classify and
prioritize the downlink traffic for all 802.11e clients. The 802.11e clients will also classify
and prioritize the uplink traffic.
Turbo Voice – If any of the above QoS modes are enabled, the Turbo Voice mode is
available. If enabled, all the downlink traffic that is classified to the Voice (VO) AC and
belongs to that VNS is transmitted by the AP via a queue called Turbo Voice (TVO) instead
of the normal Voice (VO) queue. The TVO queue is tailored in terms of contention
parameters and number of retries to maximize voice quality and voice capacity.
>Active QoS is only applied on the wireless/802.11 domain, not on the wired domain.
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 205
Virtual Network configuration
Working with Quality of Service (QoS)
All combinations of the three modes are valid. The following table summarizes all possible
combinations:
Table 24 QoS mode combinations
The APs are capable of supporting 5 queues. The queues are implemented per radio. For
example, 5 queues per radio. The queues are:
Table 25 Queues
The HiPath Wireless Controller supports the definition of 8 levels of user priority (UP). These
priority levels are mapped at the AP to the best appropriate access class. Of the 8 levels of user
priority, 6 are considered low priority levels and 2 are considered high priority levels.
WMM clients have the same 5 AC queues. WMM clients will classify the traffic and use these
queues when they are associated with a WMM-enabled AP. WMM clients will behave like
non-WMM clients—map all traffic to the Best Effort (BE) queue—when not associated with
WMM-enabled AP.
The prioritization of the traffic on the downstream (for example, from wired to wireless) and on
the upstream (for example, from wireless to wired) is dictated by the configuration of the VNS
and the QoS tagging within the packets, as set by the wireless devices and the host devices on
the wired network.
Configuration
Legacy mode x x x x
WMM mode xx xx
802.11e mode x x x x
Traffic that is
classified and
prioritized
To legacy client x x x x
From legacy client
To WMM client x x x x x x
From WMM client xx xx
To 802.11e client x x x x x x
From 802.11e client x x x x
Queue Name Purpose
AC_VO Voice
AC_VI Video
AC_BK Background
AC_BE Best Effort
AC_TVO Turbo Voice
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
206 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring the QoS policy on a VNS
Both Layer 3 tagging (DSCP) and Layer 2 (802.1d) tagging are supported, and the mapping is
conformant with the WMM specification. If both L2 and L3 priority tags are available, then both
are taken into account and the chosen AC is the highest resulting from L2 and L3. If only one
of the priority tags is present, it is used to select the queue. If none is present, the default queue
AC_BE is chosen.
Table 26 Traffic prioritization
7.12 Configuring the QoS policy on a VNS
The following is an overview of the steps involved in configuring the QoS on a VNS.
Step one – Define the QoS mode to employ on the VNS:
Legacy – Enables DL (downlink) classification for all clients
WMM:
Enables WMM support
Enables DL classification for WMM clients
Enables UL (uplink) classification in WMM clients
802.11e:
Enables 802.11e support
Enables DL classification for 802.11e clients
Enables UL classification in 802.11e clients
WMM and 802.11e are similar but, they use different signaling (same as WPA and WPA2).
>If the wireless packets to be transmitted must include the L2 priority (send to a WMM
client from a WMM-enabled AP), the outbound L2 priority is copied from the inbound
L2 priority if available, or it is inferred from the L3 priority using the above table if the
L2 inbound priority is missing.
VNS type Packet Source Packet type L2 L3
Tunneled Wired Untagged No Yes
Branch Wired VLAN tagged Yes Yes
Branch Wired Untagged No Yes
Branch or Tunneled Wireless WMM Yes Yes
Branch or Tunneled Wireless non-WMM No Yes
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 207
Virtual Network configuration
Configuring the QoS policy on a VNS
Step two – Enabling Turbo Voice:
Ensures VNS is optimized for voice performance and capacity
Can be enabled or disabled on individual VNSs
If Turbo Voice is enabled, together with QoS modes Legacy, WMM, or 802.11e, DL
voice traffic is sent via Turbo Voice queue instead of voice queue. A separate turbo
voice queue allows for some VNSs to use the Turbo Voice parameters for voice traffic,
while other VNSs use the voice parameters for voice traffic.
If WMM mode is also enabled, WMM clients use Turbo Voice-like contention
parameters for UL voice traffic.
If 802.11e mode is also enabled, 802.11e clients use Turbo Voice-like contention
parameters for UL voice traffic.
Step 3 – Defining the DSCP and service class classifications:
All 64 DSCP code-points are supported. The IETF defined codes are listed by name and code.
Un-defined codes are listed by code. The following is the default DSCP service class
classification:
Step 4 – Enable Priority override:
Select the applicable service class and implicitly desired UP
Updates UP in user packet
Updates UP for WASSP frame (if field exists) sent by AP
Select the desired DSCP
Updates DSCP for WASSP frames sent by AP
Does not change DSCP in user packet
DSCP SC/UP DSCP SC/UP DSCP SC/UP
CS0/DE 2/0 AF11 2/0 AF33 4/4
CS1 0/1 AF12 2/0 AF41 5/5
CS2 1/2 AF13 2/0 AF42 5/5
CS3 3/3 AF21 3/3 AF43 5/5
CS4 4/4 AF22 3/3 EF 6/6
CS5 5/5 AF23 3/3 Others 0/1
CS6 6/6 AF31 4/4
CS7 7/7 AF32 4/4
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
208 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Configuring the QoS policy on a VNS
Step 5 – Configure the advanced wireless QoS:
Enable the Unscheduled Automatic Power Save Delivery (U-APSD) feature
Works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both
WMM and 802.11e are disabled
Step 5 – Configure Global Admission Control:
Enable admission control. Admission control protects admitted traffic against new
bandwidth demands.
Available for Voice and Video.
To configure QoS Policy on a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS you want to configure for QoS.
3. Click the QoS Policy tab.
4. From the Wireless QoS list, select the following:
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 209
Virtual Network configuration
Configuring the QoS policy on a VNS
Legacy – Select if your VNS will support legacy devices that use SpectraLink Voice
Protocol (SVP) for prioritizing voice traffic. If selected, the Turbo Voice option is
displayed.
WMM – Select to enable the AP to accept WMM client associations, and classify and
prioritize the downlink traffic for all WMM clients. Note that WMM clients will also
classify and prioritize the uplink traffic. WMM is part of the 802.11e standard for QoS.
If selected, the Turbo Voice and the Advanced Wireless QoS options are displayed.
802.11e – Select to enable the AP to accept WMM client associations, and classify
and prioritize the downlink traffic for all 802.11e clients. The 802.11e clients will also
classify and prioritize the uplink traffic. If selected, the Turbo Voice and the Advanced
Wireless QoS options are displayed:
Turbo Voice – Select to enable all downlink traffic that is classified to the Voice (VO)
AC and belongs to that VNS to be transmitted by the AP via a queue called Turbo Voice
(TVO) instead of the normal Voice (VO) queue. When Turbo Voice is enabled together
with WMM or 802.11e, the WMM and/or 802.11e clients in that VNS are instructed by
the AP to transmit all traffic classified to VO AC with special contention parameters
tailored to maximize voice performance and capacity.
5. To define the service class and DSCP marking for the VNS, select the Priority Override
checkbox. For each DSCP you can select one of the eight service classes.
Service class – From the drop-down list, select the appropriate priority level:
Network control (7) – The highest priority level.
Premium (Voice) (6)
Platinum (5)
Gold (4)
Silver (3)
Bronze (2)
Best Effort (1)
Background (0) – The lowest priority level
DSCP marking – From the drop-down list, select the DSCP value used to tag the IP
header of the encapsulated packets.
6. If you want to assign a service class to each DSCP marking, clear the Priority Override
checkbox and define the DSCP service class priorities in the DSCP classification table.
When Priority Override is enabled, the configured service class overrides queue
selection in the downlink direction, the 802.1P user priority for the VLAN tagged Ethernet
packets and the user priority for the wireless QoS packets (WMM or 802.11e), according
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
210 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Bridging traffic locally
to the mapping between service class and user priority. If Priority Override is enabled and
the VNS is not locally bridged, the configured DSCP value is used to tag the IP header of
the encapsulated packets. The AP does not override the DSCP in the IP header of the user
packet.
7. The Advanced Wireless QoS options are only displayed if the WMM or 802.11e
checkboxes are selected:
Enable U-APSD – Select to enable the Unscheduled Automatic Power Save Delivery
(U-APSD) feature. This feature can be used by mobile devices to efficiently sustain
one or more real-time streams while being in power-save mode. This feature works in
conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM
and 802.11e are disabled.
Use Global Admission Control for Voice (VO) – Select to enable admission control
for Voice. With admission control, clients are forced to request admission in order to
use the high priority access categories in both downlink and uplink direction.
Admission control protects admitted traffic against new bandwidth demands.
Use Global Admission Control for Video (VI) – This feature is only available If
admission control is enabled for Voice. Select to enable admission control for Video.
With admission control, clients are forced to request admission in order to use the high
priority access categories in both downlink and uplink direction. Admission control
protects admitted traffic against new bandwidth demands.
8. To save your changes, click Save.
7.13 Bridging traffic locally
A VNS must first be setup before traffic can be bridged locally. For more information, see
Chapter 6, “Virtual Network Services”.
To bridge traffic locally:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane Virtual Networks list, click the VNS that you want to define topology
parameters for.
3. Click the Topology tab.
4. In the VNS Mode drop-down list, click Bridge Traffic Locally at AP to enable branch office
mode.
5. To define the VLAN Setting, select one of the following:
Tagged
hwc_vnsconfiguration.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 211
Virtual Network configuration
Bridging traffic locally
Untagged
If you select Tagged, type the VLAN ID in the VLAN ID box. The default value is 1.
6. To save your changes, click Save.
>The VLAN IDs are assigned by the branch office network administrator. The AP
will operate correctly only if the VLAN ID is unique per AP.
Configuring two untagged branch VNSs to the same AP on different radios is
permitted. This is similar to having two untagged branch VNSs with the same
VLAN ID assigned to the same AP on different radios. In both cases, the AP will
connect the two VNSs. That type of configuration can be viewed as a single
VNS/VLAN with different SSIDs on different radios.
An effective scenario of the configuration described above, in which the same
subnet is used with different SSIDs on radio a and b/g, is when this configuration
is defined consistently on all APs. It would allow dual band a+b/g clients to
associate to one of the radios by specifying the correct SSID. This is particularly
effective with Microsoft clients, which do not allow defining a preferred radio.
Virtual Network configuration
A31003-W1040-U103-1-7619, Draft February 2007
212 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_vnsconfiguration.fm
Bridging traffic locally
>In previous releases, an entire AP had to be put into branch mode. In the current
release, an individual VNS can be put into bridging mode. An AP can have bridged
and non-bridged VNSs.
If it has more then one branch mode VNS, only one bridged VNS can be untagged
per AP. The other branch mode VNSs need to have unique VLAN ID. You must have
VLAN aware L2 switches to support this feature.
>When a VNS is setup for bridged mode, it cannot be switched to tunneled mode. The
administrator must delete and re-add the VNS.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 213
Availability, mobility, and controller functionality
Availability overview
8 Availability, mobility, and controller functionality
This chapter describes the availability and mobility concepts, including:
Availability overview
Mobility manager
Defining management users
Configuring network time
Configuring Check Point event logging
Enabling SNMP
Using controller utilities
Configuring Web session timeouts
The HiPath Wireless Controller provides additional functionality including:
Availability – Maintains service availability in the event of a HiPath Wireless Controller
outage
Mobility – Allows multiple HiPath Wireless Controllers on a network discover each other
and exchange information about a client session. A maximum of up to 8 controllers can be
linked to allow users to transparently roam across controllers in the mobility domain.
8.1 Availability overview
The HiPath Wireless Controller, Access Points and Convergence Software system provides
this feature to maintain service availability in the event of a HiPath Wireless Controller outage.
The availability feature links two HiPath Wireless Controllers as a pair, to share information
about their Wireless APs. If one controller fails, its Wireless APs are allowed to connect to the
backup controller. The second HiPath Wireless Controller provides the wireless network and a
pre-assigned VNS for the Wireless AP.
>The HiPath Wireless Controller's mobility domain licence (MDL) limits the number of
APs that are allowed to connect to the controller. During a failover event, the
maximum number of failover APs a backup controller can accommodate is equal to
the number of MDLs that are purchased for that system.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
214 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Availability overview
From the viewpoint of a Wireless AP, if a HiPath Wireless Controller or the connection to it fails,
the Wireless AP begins its discovery process. The Wireless AP is directed to the appropriate
backup controller of the pair. This connection may require the Wireless AP to reboot. Users on
the Wireless AP must log in again and be authenticated on the second HiPath Wireless
Controller.
8.1.1 Availability prerequisites
Before you begin, ensure you have completed the following:
Choose the primary and secondary HiPath Wireless Controllers.
Verify the network accessibility for the TCP/IP connection between the two controllers. The
availability link is established as a TCP session on port 13907.
Set up a DHCP server for AP subnets to support Option 78 for SLP, so that it points to the
IP addresses of the physical interfaces on both HiPath Wireless Controllers.
>Wireless APs that attempt to connect to a backup controller during a failover event
are assigned to the VNS that is defined in the systems default AP configuration. If
a system default AP configuration does not exist for the controller, the failover AP
will not be assigned to any VNS.
Also, the default AP configuration assignment is only applicable to new APs that
failover to the backup controller. Any AP that has previously failed-over and is
already known to the backup system will receive the configuration already present
on that system.
For more information, see Section 5.5.2, “Configuring the default AP settings”, on
page 106.
>The availability feature provides APs with a list of interfaces to which the AP should
attempt to automatically connect to when a connection with an active controller link
is lost. The provided list identifies the local active interfaces (enabled on the primary
and backup controllers) for the active controller as well as the active interfaces for
the backup controller. The list is sorted by top-down priority. If the active link is lost
(poll failure), the AP automatically scans (pings) all addresses in its availability
interface list. The AP will then connect to the highest priority interface that responds
to its probe.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 215
Availability, mobility, and controller functionality
Availability overview
Now set up each HiPath Wireless Controller separately. One method is as follows:
1. In the AP Registration screen, set up each HiPath Wireless Controller in Stand-alone
Mode and Secure Mode (allow only approved Wireless APs to connect).
2. In the Topology tab, define a VNS on each HiPath Wireless Controller with the same SSID.
The IP addresses must be unique. For more information, Section 7.1, “Topology for a VNS”,
on page 150. A HiPath Wireless Controller C2400 VLAN Bridged VNS can permit two
controllers to share the same subnet (different IP addresses). This setup provides support
for mobility users in a VLAN Bridged VNS.
3. On both HiPath Wireless Controllers, set the Registration Mode to Allow only approved so
that no more Wireless APs can register unless they are approved by the administrator.
4. In the AP Registration screen, enable the two HiPath Wireless Controllers as an
availability pair.
5. On each HiPath Wireless Controller, in the Access Approval screen, check the status of
the Wireless APs and approve any APs that should be connected to that controller.
System AP defaults can be used to assign a group of VNSs to the foreign APs:
If the APs are not yet known to the system, the AP will be initially configured according
to AP default settings. To ensure better transition in availability, it is recommended that
the AP default settings match the desired VNS assignment for failover APs.
AP assignment to VNSs according to the AP default settings can be overwritten by
manually modifying the AP VNS assignment. (For example, select and assign each
VNS that the AP should connect to.)
If specific foreign APs have been assigned to a VNS, those specific foreign AP
assignments are used.
An alternate method to setting up APs includes:
1. Add each Wireless AP manually to each HiPath Wireless Controller.
2. From the AP Properties screen, click Add Wireless AP.
3. Define the Wireless AP and click Add Wireless AP.
Manually defined APs will inherit the default AP configuration settings.
7If two HiPath Wireless Controllers are paired and one has the Allow All option
set for Wireless AP registration, all Wireless APs will register with that HiPath
Wireless Controller.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
216 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Availability overview
To set the primary or secondary HiPath Wireless Controllers for availability:
1. From the main menu, click Wireless AP Configuration. The Wireless APs screen is
displayed.
2. In the left pane, click AP Registration. The Wireless AP Registration screen is
displayed.
3. To enable availability, select the Paired option.
4. Do one of the following:
For a primary controller, in the Wireless Controller IP Address box, type the IP
address of the physical port of the secondary HiPath Wireless Controller. This IP
address must be on a routable subnet between the two HiPath Wireless Controllers.
For a secondary controller, in the Wireless Controller IP Address box, type the IP
address of the Management port or physical port of the primary HiPath Wireless
Controller.
5. Do one of the following:
To set this HiPath Wireless Controller as the primary connection point, select the
Current Wireless Controller is primary connect point checkbox.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 217
Availability, mobility, and controller functionality
Availability overview
To set this HiPath Wireless Controller as the secondary connection point, clear the
Current Wireless Controller is primary connect point checkbox.
If the Current Wireless Controller is primary connect point checkbox is selected, the
specified controller waits for a request. If the Current Wireless Controller is primary
connect point checkbox is cleared, the specified controller sends a connection request.
Confirm that one controller has this checkbox selected, and the second controller has tthis
checkbox cleared, since improper configuration of this option will result in incorrect network
configuration.
6. To set the security mode for the HiPath Wireless Controller, select one of the following
options:
Allow all Wireless APs to connect – If the HiPath Wireless Controller does not
recognize the serial number, it sends a default configuration to the Wireless AP. Or, if
the HiPath Wireless Controller recognizes the serial number, it sends the specific
configuration (port and binding key) set for that Wireless AP.
Allow only approved Wireless APs to connect – If the HiPath Wireless Controller
does not recognize the serial number, the operator is prompted to create a
configuration. Or, if the HiPath Wireless Controller recognizes the serial number, it
sends the configuration for that Wireless AP.
7. To save your changes, click Save.
8.1.2 Viewing the Wireless AP availability display
For more information, see Section 11.1.1, “Viewing the Wireless AP availability display”, on
page 257.
>During the initial setup of the network, it is recommended to select the Allow all
Wireless APs to connect option. This option is the most efficient way to get a
large number of Wireless APs registered with the HiPath Wireless Controller.
Once the initial setup is complete, it is recommended that the security mode is
reset to the Allow only approved Wireless APs to connect option. This option
ensures that no unapproved Wireless APs are allowed to connect. For more
information, see Section 5.5, “Modifying Wireless AP settings”, on page 104.
>When two HiPath Wireless Controllers have been paired as described above, each
HiPath Wireless Controller's registered Wireless APs will appear as foreign on the
other controller in the list of available Wireless APs when configuring a VNS
topology.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
218 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Availability overview
8.1.3 Viewing SLP activity
In normal operations, the primary HiPath Wireless Controller registers as an SLP service called
ac_manager. The controller service directs the Wireless APs to the appropriate HiPath
Wireless Controller. During an outage, if the remaining HiPath Wireless Controller is the
secondary controller, It registers as the SLP service ru_manager.
To view SLP activity:
1. From the main menu, click Wireless AP Configuration. The Wireless APs screen is
displayed.
2. In the left pane, click AP Registration. The Wireless AP Registration screen is
displayed.
3. To confirm SLP registration, click the View SLP Registration button. A pop-up screen
displays the results of the diagnostic slpdump tool, to confirm SLP registration.
8.1.4 Events and actions during a failover
If one of the HiPath Wireless Controllers in a pair fails, the connection between the two HiPath
Wireless Controllers is lost. This triggers a failover mode condition, and a critical message is
displayed in the information log of the remaining HiPath Wireless Controller.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 219
Availability, mobility, and controller functionality
Availability overview
After the Wireless AP on the failed HiPath Wireless Controller loses its connection, it will try to
connect to all enabled interfaces on both controllers without rebooting. If the Wireless AP is
unsuccessful, it will begin the discovery process. If the Wireless AP is not successful in
connecting to the HiPath Wireless Controller after five minutes of attempting, the Wireless AP
will reboot.
If the AP is assigned to different VNSs on the two controllers, it will reboot. Because of the
pairing of the two HiPath Wireless Controllers, the Wireless AP will then register with the other
HiPath Wireless Controller.
All user sessions using the AP that fails over will terminate unless the Maintain client
sessions in event of poll failure option is enabled on the AP Properties tab or AP Default
Settings screen.
>A Wireless AP connects first to a HiPath Wireless Controller registered as
ac_manager and, if not found, then seeks an ru_manager. If the primary HiPath
Wireless Controller fails, the secondary one registers as ru_manager. This enables
the secondary HiPath Wireless Controller to be found by Wireless APs after they
reboot.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
220 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Mobility manager
When the Wireless APs connect to the second HiPath Wireless Controller, they will be
assigned to the VNS that is defined in the system’s default AP configuration. The wireless
device users will log in again and be authenticated on the second HiPath Wireless Controller.
When the failed HiPath Wireless Controller recovers, each HiPath Wireless Controller in the
pair goes back to normal mode. They exchange information that includes the latest lists of
registered Wireless APs. The administrator must release the Wireless APs manually on the
second HiPath Wireless Controller, so that they may re-register with their home HiPath
Wireless Controller. Foreign APs can now all be released at once by using the Foreign button
on the Access Approval screen to select all foreign APs, and then clicking Released.
To support the availability feature during a failover event, administrators need to do the
following:
1. Monitor the critical messages for the failover mode message, in the information log of the
remaining HiPath Wireless Controller (in the Reports and Displays section of the HiPath
Wireless Controller).
2. After recovery, on the HiPath Wireless Controller that did not fail, select the foreign
Wireless APs and click on the Release button on the Access Approval screen.
8.2 Mobility manager
The Controller, Access Points and Convergence Software system allows multiple HiPath
Wireless Controllers (up to 8) on a network discover each other and exchange information
about a client session. This technique enables a wireless device user to roam seamlessly
between different Wireless APs on different HiPath Wireless Controllers.
The solution introduces the concept of a mobility manager, where one HiPath Wireless
Controller on the network is designated as the mobility manager and all others are designated
as mobility agents.
The wireless device keeps the IP address, VNS assignment, and filtering rules it received from
its home HiPath Wireless Controller—the HiPath Wireless Controller that it first connected to.
The VNS on each HiPath Wireless Controller must have the same SSID and RF privacy
parameter settings.
>For the mobility manager you have two options:
Rely on SLP with DHCP Option 78
Define at the agent the IP address of the mobility manager. By explicitly defining
the IP address, the agent and the mobility manager are able to find each other
directly without using the SLP discovery mechanisms. Direct IP definition is
recommended in order to provide tighter control of the registration steps for
multi-domain installations.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 221
Availability, mobility, and controller functionality
Mobility manager
The HiPath Wireless Controller designated as the mobility manager:
The mobility manager is explicitly identified as the manager for a specific mobility domain.
Agents will connect to this manager to establish a mobility domain.
Defines at the agent the IP address of the mobility manager, which allows for the bypass
of SLP. Agents directly find and attempt to register with the mobility manager.
Uses SLP, if this method is preferred, to register itself with the SLP Directory Agent as
SiemensNet
Defines the registration behavior for a multi-controller mobility domain set:
Open mode – A new agent is automatically able to register itself with the mobility
manager and immediately becomes part of the mobility domain
Secure mode – The mobility manager does not allow a new agent to automatically
register. Instead, the connection with the new agent is placed in pending state until the
administrator approves the new device.
Listens for connection attempts from mobility agents
Establishes connection and sends a message to the mobility agent specifying the
Heartbeat interval, and the mobility manager's IP address if it receives a connection
attempt from the agent
Sends regular Heartbeat messages containing wireless device session changes and agent
changes to the mobility agents and waits for a returned update message
The HiPath Wireless Controller designated as a mobility agent:
Uses SLP or a statically configured IP address to locate the mobility manager
Defines at the agent the IP address of the mobility manager, which allows for the bypass
of SLP. Agents directly find and attempt to register with the mobility manager.
Attempts to establish a TCP/IP connection with the mobility manager
Updates its tables, and sets up data tunnels to and between all HiPath Wireless Controllers
it has been informed of when it receives the connection-established message
Uses the information from every Heartbeat message received to update its own tables and
updates the mobility manager with information on the wireless device users and data
tunnels it is managing
If a controller configured as the mobility manager is lost, the following occurs:
Agent to agent connections will remain active.
Mobility agents will continue to operate based on the mobility information last coordinated
before the manager link was lost. The mobility location list remains relatively unaffected by
the controller failure. Only entries associated with the failed controller are cleared from the
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
222 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Mobility manager
registration list, and users that have roamed from the manager controller to other agents
are terminated and required to re-register as local users with the agent where they are
currently located.
Participant controllers are reset to nodal operation
Any user sessions that roamed away from their home AP are terminated and must
reconnect
Users need to reconnect to network, re-authenticate, and obtain new IP address
The data link between active controllers remains active after the loss of a mobility manager
Mobility agents continue to use the last set of mobility location list to service known users
Existing users:
Existing users remain in mobility scenario, and if the users are known to mobility
domain, they continue to be able to roam between connected controllers
New users:
New users become local at attaching controller
Roaming to another controller resets session
To designate a mobility manager:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Mobility Manager. The Mobility Manager Settings screen is
displayed.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 223
Availability, mobility, and controller functionality
Mobility manager
3. To enable mobility for this controller, select the Enable Mobility checkbox. The controller
mobility options appear.
4. Select the This Wireless Controller is a Mobility Manager option. The mobility manager
options appear.
5. In the Port drop-down list, select the interface on the HiPath Wireless Controller to be used
for the mobility manager process. Ensure that the selected interface is routable on the
network.
6. In the Heartbeat box, type the time interval (in seconds) at which the mobility manager
sends a Heartbeat message to a mobility agent. The default is 5 seconds.
7. In the SLP Registration drop-down list, select whether to enable or disable SLP
registration.
8. In the Permission list, select the agent IP addresses you want to approve that are in
pending state, by selecting the agent and clicking Approve. New agents are only added to
the domain if they are approved.
You can also add or delete controllers that you want to be part of the mobility domain. To
add a controller, type the agent IP address in the box, and then click Add. To delete a
controller, select the controller in the list, and then click Delete.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
224 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Mobility manager
9. Select the Security Mode option:
Allow all mobility agents to connect – All mobility agents can connect to the mobility
manager.
Allow only approved mobility agents to connect – Only approved mobility agents
can connect to the mobility manager.
10. To save your changes, click Save.
To designate a mobility agent:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Mobility Manager. The Mobility Manager Settings screen is
displayed.
3. To enable mobility for this controller, select the Enable Mobility checkbox. The controller
mobility options are displayed,
4. Select the This Wireless Controller is a Mobility Agent option. The mobility agent
options are displayed.
>If you set up one HiPath Wireless Controller on the network as a mobility
manager, all other HiPath Wireless Controllers must be set up as mobility
agents.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 225
Availability, mobility, and controller functionality
Mobility manager
5. From the Port drop-down list, select the port on the HiPath Wireless Controller to be used
for the mobility agent process. Ensure that the port selected is routable on the network.
6. In the Heartbeat box, type the time interval (in seconds) to wait for a connection
establishment response before trying again. The default is 60 seconds.
7. From the Discovery Method drop-down list, select one of the following:
SLPD – Service Location Protocol Daemon is a background process acting as a SLP
server. It provides the functionality of the Directory Agent and Service Agent for SLP.
Use SLP to support the discovery of siemensNET service to attempt to locate the area
mobility manager controller.
Static Configuration – Select Static Configuration if you want to enter the IP address
of the mobility manager manually. Defining a static configuration for a mobility
manager IP address bypasses SLP discovery.
8. In the Mobility Manager Address box, type the IP address for the designated mobility
manager.
9. To save your changes, click Save.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
226 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Defining management users
8.2.1 Displays for the mobility manager
For more information, see Section 11.1.3, “Viewing displays for the mobility manager”, on page
260.
8.3 Defining management users
In this screen you define the login user names that have access to the HiPath Wireless
Assistant, either for HiPath Controller, Access Points and Convergence Software
administrators with read/write privileges, or users with read only privileges. For each user
added, you can also define and modify a user ID and password.
To add a HiPath Wireless Controller management user:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click the Management Users option. The Management Users screen is
displayed.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 227
Availability, mobility, and controller functionality
Defining management users
The user_admin list displays Admin users who have read/write privileges. The user_read
list is for users who have read only privileges.
3. From the Group pull-down list, select Admin or Read only.
4. In the User ID box, type the user ID for the new user. A User ID can only be used once, in
only one category.
5. In the Password box, type the password for the new user.
6. In the Confirm Password, retype the password. The $ character is not permitted.
7. Click on the Add User button. The new user is added to the appropriate user list.
To modify a HiPath Wireless Controller management user:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click the Management Users option. The Management Users screen is
displayed.
3. To select a user to be modified, click it.
4. In the Password box, type the new password for the user.
5. In the Confirm Password, retype the new password.
6. To change the password, click Change Password.
To remove a HiPath Wireless Controller management user:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click the Management Users option. The Management Users screen is
displayed.
3. To select a user to be removed, click it.
4. To remove the user, click Remove user. The user if removed from the list.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
228 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Configuring network time
8.4 Configuring network time
You can synchronize the elements on the network to a universal clock. This ensures accuracy
in usage logs. Network time is synchronized in one of two ways:
using system time
using Network Time Protocol (NTP), an Internet standard protocol that synchronizes client
workstation clocks.
To apply time zone settings:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
3. From the Continent or Ocean drop-down list, select the appropriate large-scale
geographic grouping for the time zone.
4. From the Country drop-down list, select the appropriate country for the time zone. The
contents of the drop-down list change based on the selection in the Continent or Ocean
drop-down list.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 229
Availability, mobility, and controller functionality
Configuring Check Point event logging
5. From the Time Zone Region drop-down list, select the appropriate time zone region for
the selected country.
6. To apply your changes, click Apply Time Zone.
To set system time parameters:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
3. To use system time, select the Use System Time radio button.
4. Type the time setting in the Use System TIme box, using the mm-dd-yyyy hh:mm format.
5. To apply your changes, click Apply.
To set Network Time Protocol:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
3. To use Network Time Protocol, select the Use NTP radio button.
4. In the Use System TIme box, type the time setting using the mm-dd-yyyy hh:mm format.
5. In the Time Server 1 box, type the IP address or FQDN of a standard NTP Time Server.
You can repeat this step for the Time Server 2 and Time Server 3 boxes.
6. To apply your changes, click Apply.
8.5 Configuring Check Point event logging
The HiPath Wireless Controller can forward specified event messages to an ELA server using
the OPSEC ELA protocol - Event Logging API (Application Program Interface). On the ELA
server, the event messages are tracked and analyzed, so suspicious messages can be
forwarded to a firewall application that can take corrective action.
Check Point created the OPSEC (Open Platform for Security) alliance program for security
application and appliance vendors to enable an open industry-wide framework for inter
operability.
When ELA is enabled on the HiPath Wireless Controller, it forwards the specified event
messages from its internal event server to the designated ELA Management Station on the
enterprise network.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
230 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Configuring Check Point event logging
To enable and configure Check Point:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Check Point. The Check Point Configuration screen is displayed.
3. To enable check point logging, select the Enable Check Point Logging checkbox.
4. Type the following information:
Check Point Server IP – Specifies the IP address of the ELA Management Station
ELA Port – Specifies the port to use for ELA. The default port is 18187.
>Before you set up the HiPath Wireless Controller, you must first create OPSEC
objects for HiPath Wireless Controller in the Check Point management software. The
name and password you define must also be entered into the HiPath Wireless
Controller Check Point configuration screen.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 231
Availability, mobility, and controller functionality
Configuring Check Point event logging
ELA Log Interval – Specifies the amount of time (in milliseconds) you want the system
to wait before attempting to log once there is a connection between HiPath Wireless
Controller and the Check Point gateway. The default is 100 milliseconds.
ELA Retry Interval – Specifies the amount of time (in milliseconds) you want the
system to wait before attempting a re-connection between HiPath Wireless Controller
and the Check Point gateway. The default is 2000 milliseconds.
ELA Message Queue Size – Specifies the number of messages the log queue holds
if the HiPath Wireless Controller and the Check Point gateway become disconnected.
The default is 1000 log entries.
SIC Name – Specifies the Secure Internal Communication (SIC) Name, your security-
based ID.
SIC Password – Specifies your Secure Internal Communication (SIC) password. You
can use the Unmask button to display the password.
5. To save your changes, click Save.
6. To create the certificate to be sent to the ELA Management Station, click Generate
Certificate button.
If the certificate is properly generated and the connection with the ELA Management
Station is made, the Connection Status section displays the following message:
OPSEC Connection OK
If there is an error in generating the certificate or establishing the connection, the
Connection Status section displays the following message:
OPSEC Connection Error
8.5.1 ELA Management Station events
The events for the ELA Management Station are grouped under Siemens and are mapped as
info events and alert events. The alerts include:
Wireless AP registration and/or authentication failed
Authentication User Request unsuccessful
RADIUS server rejected login (Access Rejected)
An unknown AP has attempted to connect. AP authentication failure.
A connection request failed to authenticate with the CM messaging server. This may
indicate port-scanning of the HiPath Wireless Controller, or a back-door access attempt.
Unauthorized client attempting to connect
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
232 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Enabling SNMP
8.6 Enabling SNMP
The Controller, Access Points and Convergence Software system supports Simple Network
Management Protocol (SNMP), Version 1 and 2c. SNMP, a set of protocols for managing
complex networks, is used to retrieve HiPath Wireless Controller statistics and configuration
information.
SNMP sends messages, called protocol data units (PDUs), to different parts of a network.
Devices on the network that are SNMP-compliant, called agents, store data about themselves
in Management Information Bases (MIBs) and return this data to the SNMP requesters.
8.6.1 MIB support
The Controller, Access Points and Convergence Software system accepts SNMP Get
commands and generates Trap messages. Support is provided for the retrieval information
from the router MIB-II (SNMP_GET) as well as SNMP traps. The supported MIBs include:
SNMPv2-MIB
IF-MIB
IEEE802dot11-MIB
RFC1213-MIB
The Siemens Enterprise MIB includes:
HIPATH-WIRELESS-HWC-MIB
HIPATH-WIRELESS-PRODUCTS-MIB
HIPATH-WIRELESS-SMI.my
HIPATH-WIRELESS-DOT11-EXTNS-MIB
HIPATH-WIRELESS-BRANCH-OFFICE-MIB
The MIB is provided for compilation into an external NMS. No support has been provided for
automatic device discovery by an external NMS.
The HiPath Wireless Controller is the only point of SNMP access for the entire system. In effect,
the HiPath Wireless Controller proxies sets, gets, and alarms from the associated Wireless
APs.
>The HiPath Wireless Controller is not fully compliant with MIB II. For example, esa/
IXP ports only provide interface statistics.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 233
Availability, mobility, and controller functionality
Enabling SNMP
8.6.2 Enabling SNMP on the HiPath Wireless Controller
You can enable SNMP on the HiPath Wireless Controller to retrieve statistics and configuration
information.
To enable SNMP Parameters:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click SNMP. The Simple Network Management Protocol screen is
displayed.
3. Type: the following information:
Contact Name – Specifies the name of SNMP administrator.
Location – Specifies the location of the SNMP administration machine.
Read Community Name – Specifies the community name for users with read
privileges.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
234 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Using controller utilities
Read/Write Community Name – Specifies the community name for users with read
and write privileges.
SNMP Trap Port – Specifies the destination port for SNMP traps. The industry
standard is 162. If left blank, no traps are generated.
Forward Traps – Specifies the security level of the traps to be forwarded. From the
drop-down list, select Informational, Minor, Major, or Critical.
Manager A – Specifies the IP address of the specific machine on the network where
the SNMP traps are monitored.
Manager B – Specifies the IP address of a second machine on the network where the
SNMP traps are monitored, if Manager A is not available.
8.7 Using controller utilities
You can use HiPath Wireless Controller utilities to test a connection to the target IP address or
to record the route through the Internet between your computer and the target IP address.
To test or record IP address connections:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Utilities. The Wireless Controller Utilities screen is displayed.
3. In the Target IP Address box, type the IP address of the destination computer.
4. To test a connection to the target IP address, click Ping.
5. To record the route through the Internet between your computer and the target IP address,
click Trace Route.
The following is an example of a screen after clicking the Trace Route button.
>For security purposes, it is recommended that you immediately change the Read
Community Name (public) and the Read/Write Community Name (private) to names
that are less obvious and more secure.
hwc_controlleravailmobility.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 235
Availability, mobility, and controller functionality
Configuring Web session timeouts
8.8 Configuring Web session timeouts
You can configure the time period to allow Web sessions to remain inactive before timing out.
To configure Web session timeouts:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Web Settings The Wireless Controller Web Management Settings
screen is displayed.
Availability, mobility, and controller functionality
A31003-W1040-U103-1-7619, Draft February 2007
236 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_controlleravailmobility.fm
Configuring Web session timeouts
3. In the Web Session Timeout box, type the time period to allow the Web session to remain
inactive before it times out. This can be entered as hour:minutes, or as minutes. The range
is 1 minute to 168 hours.
4. Select the Show VNS names on the Wireless AP SSID list checkbox to allow the names
of the VNSs to appear in the SSID list for Wireless APs.
5. To save your settings, click Save.
>Screens that auto-refresh will time out, unless a manual action takes place prior to
the end of the timeout period.
hwc_3rdpartyaps.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 237
Working with third-party APs
9 Working with third-party APs
You can set up the HiPath Wireless Controller to handle wireless device traffic from third-party
access points, providing the same policy and network access control. This process requires the
following steps:
Step 1 – Define a data port as a third party AP port:
Step 2 – Define a VNS for the third-party AP port:
Step 3 – Define authentication by Captive Portal and RAD policy for the third-party AP
VNS:
Step 4 – Define filtering rules for the third-party APs:
To set up third-party APs:
Step 1 – Define a data port as a third party AP port:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click IP Address. The Management Port Settings and Interfaces
screen is displayed.
Working with third-party APs
A31003-W1040-U103-1-7619, Draft February 2007
238 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_3rdpartyaps.fm
3. Highlight the appropriate port, and in the Function box, select 3rd-party AP from the
drop-down list. Make sure that Management Traffic and SLP are disabled for this port.
4. Connect the third-party access point to this port, via a switch.
Step 2 – Define a VNS for the third-party AP port:
1. From the main menu, click Virtual Network Configuration. The Virtual Network
Configuration screen is displayed.
2. In the left pane, type a name that will identify the new VNS in the Add subnet box, and
then click Add subnet. The name is displayed in the Virtual Networks list. The Topology
tab is displayed.
hwc_3rdpartyaps.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 239
Working with third-party APs
3. In the Assignment by drop-down list, click SSID.
4. To define a VNS for a third-party AP, select the Use 3rd Party AP checkbox.
5. Continue configuring your VNS as described in Section 7.1.1, “Configuring topology for a
VNS for Captive Portal”, on page 151.
Step 3 – Define authentication by Captive Portal and RAD policy for the third-party AP
VNS:
1. Click the Auth & Acct tab.
2. In the Authentication Configuration screen, click Configure Captive Portal Settings.
3. In the Captive Portal Settings screen, define the Captive Portal configuration.
4. Click the RAD Policy tab.
5. Define the the filter IDs to match those in RADIUS server.
>Bridge Traffic at AP and MAC-based authentication are not available for Third Party
VNSs.
Working with third-party APs
A31003-W1040-U103-1-7619, Draft February 2007
240 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_3rdpartyaps.fm
Step 4 – Define filtering rules for the third-party APs:
1. Because the third-party APs are mapped to a physical port, you must define the Exception
filters on the physical port, using the Port Exception Filters screen. For more information,
see Section 7.6, “Configuring filtering rules for a VNS”, on page 179.
2. Define filtering rules that allow access to other services and protocols on the network such
as HTTP, FTP, Telnet, SNMP.
In addition, modify the following functions on the third-party access point:
Disable the access point's DHCP server, so that the IP address assignment for any
wireless device on the AP is from the DHCP server at the HiPath Wireless Controller with
VNS information.
Disable the third-party access point's layer-3 IP routing capability and set the access point
to work as a layer-2 bridge.
Here are the differences between third-party access points and Wireless APs on the HiPath
Wireless Controller, Access Points and Convergence Software system:
A third-party access point exchanges data with the HiPath Wireless Controller's data port
using standard IP over Ethernet protocol. The third-party access points do not support the
tunnelling protocol for encapsulation.
For third-party access points, the VNS is mapped to the physical data port and this is the
default gateway for mobile units supported by the third-party access points.
A HiPath Wireless Controller cannot directly control or manage the configuration of a third-
party access point.
Third-party access points are required to broadcast an SSID unique to their segment. This
SSID cannot be used by any other VNS.
Roaming from third-party access points to Wireless APs and vice versa is not supported.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 241
Working with the Mitigator
Mitigator overview
10 Working with the Mitigator
This chapter describes Mitigator concepts, including:
Mitigator overview
Enabling the Analysis and data collector engines
Running Mitigator scans
Analysis engine overview
Working with Mitigator scan results
Working with friendly APs
Viewing the Mitigator list of third-party APs
Maintaining the Mitigator list of APs
Viewing the Scanner Status report
10.1 Mitigator overview
The Mitigator is a mechanism that assists in the detection of rogue APs. Mitigator functionality
does the following:
Wireless AP:
Runs a radio frequency (RF) scanning task.
Alternating between scan functions, providing its regular service to the wireless devices on
the network.
HiPath Wireless Controller:
Runs a data collector application that receives and manages the RF scan messages sent
by the Wireless AP. RF data collector data includes lists of all connected Wireless APs,
third-party APs, and the RF scan information that has been collected from the Wireless
APs selected to perform the scan.
Runs an Analysis Engine that processes the scan data from the data collector through
algorithms that make decisions about whether any of the detected APs or clients are rogue
APs or are running in an unsecure environment (for example, ad-hoc mode).
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
242 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Enabling the Analysis and data collector engines
10.2 Enabling the Analysis and data collector engines
Before using the Mitigator, you must enable and define the Analysis and data collector engines.
To enable the Analysis engine:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the left pane, click Mitigator. The Mitigator Configuration screen is displayed.
3. To enable the Mitigator Analysis Engine, select the Mitigator Analysis Engine checkbox.
>In a network with more than one HiPath Wireless Controller, it is not necessary for
the data collector to be running on the same controller as the Analysis Engine. One
controller can be a dedicated Analysis Engine while the other controllers run data
collector functionality. No more than one Analysis Engine can be running at a time.
You must ensure that the controllers are all routable.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 243
Working with the Mitigator
Running Mitigator scans
4. To enable the Mitigator Data Collection Engine on this HiPath Wireless Controller, select
the Enable Local Mitigator Data Collection Engine checkbox.
5. To identify the remote RF Data Collector Engine that the Analysis Engine will poll for data,
type the IP address of the HiPath Wireless Controller on which the remote Data Collector
resides in the IP Address box.
6. For the data collection engine:
In the Poll interval box, type (in seconds) the interval that the Analysis Engine will poll
the RF Data Collector to maintain connection status. The default is 30 seconds.
In the Poll retry count box, type the number of times the Analysis Engine will attempt
to poll the RF Data Collector to maintain connection status, before it stops sending
requests. The default is 2 attempts.
7. Click Add. The IP address of the Data Collection Engine, with its Poll Interval and Poll
Retry parameters is displayed in the list.
8. To add a new collection engine, click Add Collection Engine.
9. Repeat steps 4 to 7.
10. To save your changes, click Apply.
10.3 Running Mitigator scans
The Mitigator feature allows you to view the following:
Scan Groups
Friendly APs
Third-party APs
AP Maintenance
>For each remote RF Data Collection Engine defined here, you must:
Enable it by selecting the Enable Mitigator Analysis Engine checkbox on
the remote HiPath Wireless Controller
Ensure that the controllers are routable by whatever means you use (for
example, static routes, or OSPF).
>A scan will not run on an inactive AP, even though it is displayed as part of the
Scan Group. If it becomes active, it will be sent a scan request during the next
periodic scan.
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
244 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Running Mitigator scans
To run the Mitigator scan task mechanism:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Scan Groups tab.
3. In the Scan Group Name box, type a unique name for this scan group.
4. In the Wireless APs list, select the checkbox corresponding to the Wireless APs you want
included in the new scan group, which will perform the scan function.
5. In the Radio drop-down list, select one of the following:
Both – The a and b/g radios both perform the scan function.
a – Only the a radio performs the scan function.
b/g – Only the b/g radio performs the scan function.
6. In the Channel List drop-down list, select one of the following:
>A Wireless AP can participate in only one Scan Group at a time. It is
recommended that the Scan Groups represent geographical groupings of
Wireless APs.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 245
Working with the Mitigator
Running Mitigator scans
All Scanning is performed on all channels.
Current – Scanning is performed on only the current channel.
7. In the Scan Type drop-down list, select one of the following:
Active – The Wireless AP sends out ProbeRequests and waits for ProbeResponse
messages from any access points.
Passive – The Wireless AP listens for 802.11 beacons.
8. In the Channel Dwell Time box, type the time (in milliseconds) for the scanner to wait for
a response from either 802.11 beacons in passive scanning, or ProbeResponse in active
scanning.
9. In the Scan Time Interval box, type the time (in minutes) to define the frequency at which
a Wireless AP within the Scan Group will initiate a scan of the RF space. The range is from
one minute to 120 minutes.
10. To initiate a scan using the periodic scanning parameters defined above, click Start Scan.
11. To initiate an immediate scan that will run only once, click Run Now.
12. The Scan Activity box displays the current state of the scan engine.
13. To view a pop-up report showing the timeline of scan activity and scan results, click Show
Details.
14. To save your changes, click Save.
>If necessary, you can stop a scan by clicking Stop Scan.
A scan must be stopped before modifying any parameters of the Scan Group,
or before adding or removing a Wireless AP from a Scan Group.
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
246 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Analysis engine overview
10.4 Analysis engine overview
The Analysis engine relies on a database of known devices on the Controller, Access Points
and Convergence Software system. The Analysis engine compares the data from the RF Data
Collector with the database of known devices.
This database includes the following:
Wireless APs – Registered with any HiPath Wireless Controller with its RF Data Collector
enabled and associated with the Analysis Engine on this HiPath Wireless Controller.
Third-party APs – Defined and assigned to a VNS.
Friendly APs – A list created in the Mitigator user interface as potential rogue access
points are designated by the administrator as Friendly.
Wireless devices – Registered with any HiPath Wireless Controller that has its RF Data
Collector enabled and has been associated with the Analysis Engine on this HiPath
Wireless Controller.
The Analysis Engine looks for access points with one or more of the following conditions:
Unknown MAC address and unknown SSID (critical alarm)
Unknown MAC, with a valid SSID - a known SSID is being broadcast by the unknown
access point (critical alarm)
Known MAC, with an unknown SSID - a rogue may be spoofing a MAC address (critical
alarm)
Inactive Wireless AP with valid SSID (critical alarm)
Inactive Wireless AP with unknown SSID (critical alarm)
Known Wireless AP with an unknown SSID (major alarm)
In ad-hoc mode (major alarm)
10.5 Working with Mitigator scan results
When viewing the Mitigator scan results you can delete all or selected Access Points from the
scan results. You can also add Access Points from the scan results to the Friendly AP list.
>In the current release, there is no capability to initiate a DoS attack on the detected
rogue access point. Containment of a detected rogue requires an inspection of the
geographical location of its Scan Group area, where its RF activity has been found.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 247
Working with the Mitigator
Working with Mitigator scan results
To view Mitigator scan results:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Rogue Detection tab.
3. To modify the screen’s refresh rate, type a time (in seconds) in the Refresh every __
seconds box.
4. Click Apply. The new refresh rate is applied.
5. To view the Rogue Summary report, click Rogue Summary. The Rogue Summary report
is displayed in a pop-up window.
6. To clear all detected rogue devices from the list, click Clear Detected Rogues.
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
248 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Working with Mitigator scan results
To add an AP from the Mitigator scan results to the list of friendly APs:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Rogue Detection tab.
3. To add a Wireless AP to the Friendly APs list, click Add to Friendly List. The AP is
removed from this list and is displayed in the Friendly AP Definitions section of the
Friendly AP’s tab.
To delete an AP from the Mitigator scan results:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Rogue Detection tab.
3. To delete a specific AP from the Mitigator scan results, click the corresponding Delete
button. The AP is removed from the list.
4. To clear all rogue access points from the Mitigator scan results, click Clear Detected
Rogues. All APs are removed from the list.
>To avoid the Mitigator's database becoming too large, it is recommended that you
either delete Rogue APs or add them to the Friendly APs list, rather than leaving
them in the Rogue list.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 249
Working with the Mitigator
Working with friendly APs
10.6 Working with friendly APs
To view the friendly APs:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Friendly AP’s tab.
To add friendly APs manually:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Friendly AP’s tab.
3. To add friendly access points manually to the Friendly AP Definitions list, type the
following:
MAC Address – Specifies the MAC address for the friendly AP
SSID – Specifies the SSID for the friendly AP
Channel – Specifies the current operating channel for the friendly AP
Description – Specifies a brief description for the friendly AP
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
250 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Viewing the Mitigator list of third-party APs
4. Click Add. The new access point is displayed in the list above.
To delete a friendly AP:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Friendly AP’s tab.
3. To select an access point from the Friendly AP Definitions list to delete, click it.
4. Click Delete. The selected access point is removed from the Friendly AP Definitions list.
5. To save your changes, click Save.
To modify a friendly AP:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Friendly AP’s tab.
3. To select an access point from the Friendly AP Definitions list to modify, click it.
4. Modify the access point by making the appropriate changes.
5. To save your changes, click Save.
10.7 Viewing the Mitigator list of third-party APs
To view known third-party access points connected to local/remote RF data collectors:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the 3rd Party AP’s tab.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 251
Working with the Mitigator
Maintaining the Mitigator list of APs
10.8 Maintaining the Mitigator list of APs
To maintain the Wireless APs:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the AP Maintenance tab. Inactive APs and known third-party APs are displayed.
3. Select the applicable APs.
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
252 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Maintaining the Mitigator list of APs
4. To delete the selected APs, click Delete marked APs.
>The selected APs are deleted from the Mitigator database, not from the HiPath
Wireless Controller database. You can delete the APs from the HiPath Wireless
Controller database after you delete them from the Wireless AP Configuration
Access Approval screen of the corresponding RF Data Collector Engine. You
can also delete the selected third-party APs if they are removed from the
corresponding VNS in the RF Collector Engine, or if that VNS has been deleted
from the VNS list.
hwc_mitigator.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 253
Working with the Mitigator
Viewing the Scanner Status report
10.9 Viewing the Scanner Status report
When the Mitigator is enabled, you can view a report on the connection status of the RF Data
Collector Engines with the Analysis Engine.
To view the Mitigator scanner engine status display:
1. From the main menu, click Mitigator. The Mitigator screen is displayed.
2. Click the Scanner Status link. The Scanner Status report is displayed, as shown in the
example below.
The boxes display the IP address of the Data Collector engine. The status of the Data Collector
engine is indicated by one of the following colors:
Green – The Analysis Engine has connection with the Data Collector on that HiPath
Wireless Controller.
Yellow – The Analysis Engine has connected to the communication system of the other
controller, but has not synchronized with the Data Collector. Ensure that the Data Collector
is running on the remote controller.
Red – The Analysis Engine is aware of the Data Collector and attempting connection.
If no box is displayed, the Analysis Engine is not attempting to connect with that Data Collector
Engine.
>If the box is displayed red and remains red, ensure your IP address is correctly
set up to point to an active controller. If the box remains yellow, ensure the Data
Collector is running on the remote controller.
Working with the Mitigator
A31003-W1040-U103-1-7619, Draft February 2007
254 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_mitigator.fm
Viewing the Scanner Status report
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 255
Working with reports and displays
Viewing the displays
11 Working with reports and displays
This chapter describes the various reports and displays available in the HiPath Wireless
Controller, Access Points and Convergence Software system.
11.1 Viewing the displays
The following displays are available in the HiPath Wireless Controller, Access Points and
Convergence Software system:
Active Wireless APs
Active Clients by Wireless AP
Active Clients by VNS
Port & VNS Filter Statistics
VNS Interface Statistics
Wireless Controller Port Statistics
Wireless AP Availability
Wired Ethernet Statistics by Wireless AP
Wireless Statistics by Wireless AP
Client Location in Mobility Zone
Mobility Tunnel Matrix
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
256 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing the displays
To view reports and displays:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. In the List of Displays, click the display you want to view (some examples will follow):
>The two displays on the right-hand side of the screen only appear if the mobility
manager function has been enabled for the controller.
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 257
Working with reports and displays
Viewing the displays
11.1.1 Viewing the Wireless AP availability display
This display reports the active connection state of a Wireless AP (availability to the HiPath
Wireless Controller for service). Depending on the state of the Wireless AP, the following is
displayed:
Green – Wireless AP is configured on the HiPath Wireless Controller and is presently
connected.
Red – Wireless AP is configured on the HiPath Wireless Controller but is presently not
connected (not available to service this HiPath Wireless Controller).
In normal operations, when the HiPath Wireless Controller Availability feature is enabled, the
local Wireless APs are green, and the foreign Wireless APs are red. If the other HiPath Wireless
Controller fails, and the foreign Wireless APs connect to the current HiPath Wireless Controller,
the display will show all Wireless APs as green. If the Wireless APs are not connected they
show up as red.
11.1.2 Viewing statistics for Wireless APs
Two displays are snapshots of activity at that point in time on a selected Wireless AP:
Wired Ethernet Statistics by Wireless AP
Wireless Statistics by Wireless AP
The statistics displayed are those defined in the 802.11 MIB, in the IEEE 802.11 standard.
>Statistics are expressed in relation to the AP. Therefore, Packets Sent means the
AP has sent that data to a client and Packets Rec’d means the AP has received
packets from a client.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
258 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing the displays
To view wired Ethernet statistics by Wireless AP:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. Click the Wired Ethernet Statistics by Wireless AP display option. The Wired Ethernet
Statistics by Wireless APs display opens in a new browser window.
3. In the Wired Ethernet Statistics by Wireless APs display, click a registered Wireless AP
to display its information.
To view Wireless Statistics by Wireless AP:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. Click the Wireless Statistics by Wireless AP display option. The Wireless Statistics by
Wireless APs display opens in a new browser window.
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 259
Working with reports and displays
Viewing the displays
3. In the Wired Statistics by Wireless APs display, click a registered Wireless AP to display
its information.
4. Click the appropriate tab to display information for each radio on the Wireless AP.
5. To view information on selected associated clients, click View Client. The Associated
Clients display opens in a new browser window.
To view Active Clients by Wireless AP statistics:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. Click the Active Clients by Wireless APs display option. The Active Clients by Wireless
APs display opens in a new browser window.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
260 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing the displays
Statistics are expressed in respect of the AP. Therefore, Packets Sent means the AP has
sent that data to a client and Packets Rec’d means the AP has received packets from a
client.
If the client is authenticated, a green check mark icon is displayed in the first column of the
display.
Time Conn is the length of time that a client has been on the system, not just on an AP. If
the client roams from one AP to another, the session stays, therefore Time Conn does not
reset.
A client is displayed as soon as the client connects (or after refresh of screen). The client
disappears as soon as it times out.
11.1.3 Viewing displays for the mobility manager
When a HiPath Wireless Controller has been configured as a mobility manager, two additional
displays appear as options in the HiPath Reports & Displays screen:
Client Location in Mobility Zone – Displays the active wireless clients and their status
Mobility Tunnel Matrix – Displays a cross-connection view of the state of inter-controller
tunnels, as well as relative loading for user distribution across the mobility domain
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 261
Working with reports and displays
Viewing the displays
To view mobility manager displays:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. Click the appropriate mobility manager display:
Client Location in Mobility Zone
Mobility Tunnel Matrix
The colored status indicates the following:
Green – The mobility manager is in communication with an agent and the data tunnel has
been successfully established.
Yellow – The mobility manager is in communication with an agent but the data tunnel is
not yet successfully established.
Red – The mobility manager is not in communication with an agent and there is no data
tunnel.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
262 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing the displays
Client Location in Mobility Zone
You can do the following:
Sort this display by home or foreign controller
Search for a client by MAC address, user name, or IP address, and typing the search
criteria in the box
Define the refresh rates for this display
Export this information as an xml file
Mobility Tunnel Matrix
Provides connectivity matrix of mobility state
Provides a view of:
Tunnel state
If a tunnel between controllers is reported down, it is highlighted in red
If only a control tunnel is present, it is highlighted in yellow
If data and control tunnels are fully established, it is highlighted in green
Tunnel Uptime
Number of clients roamed (Mobility loading)
Local controller loading
Mobility membership list
A HiPath Wireless Controller is only removed from the mobility matrix if it is explicitly removed
by the administrator from the Mobility permission list. If a particular link between controllers, or
the controller is down, the corresponding matrix connections are identified in red color to
identify the link.
The Active Clients by VNS report for the controller on which the user is home (home controller)
will display the known user characteristics (IP, statistics, etc.). On the foreign controller, the
Clients by VNS report does not show users that have roamed from other controllers, since the
users remain associated with the home controller's VNS.
The Active Clients by AP report on each controller will show both the loading of local and foreign
users (users roamed from other controllers) that are taking resources on the AP.
>The statistics from the mobility manager are updated every thirty seconds,
regardless of the refresh period for the displays.
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 263
Working with reports and displays
Viewing reports
11.2 Viewing reports
The following reports are available in the HiPath Wireless Controller, Access Points and
Convergence Software system:
Forwarding Table (routes defined in the HiPath Wireless Controller Routing Protocols
screen)
OSPF Neighbor (if OSPF is enabled in the Routing Protocols screen)
OSPF Linkstate (if OSPF is enabled in the Routing Protocols screen)
AP Inventory (a consolidated summary of Wireless AP setup)
To view reports:
1. From the main menu, click Reports & Displays. The HiPath Reports & Displays screen
is displayed.
2. In the Reports list, click the report you want to view:
Forwarding Table
OSPF Neighbor
OSPF Linkstate
AP Inventory
The following is an example of a Forwarding Table report:
>The AP Inventory report opens in a new browser window. All other reports appear
in the current browser window.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
264 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing reports
The following is an example of the AP Inventory report:
The following is a description of the column names and abbreviations found in the AP
Inventory report:
>If you open only automatically refreshed reports, the Web management session
timer will not be updated or reset. Your session will eventually timeout.
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 265
Working with reports and displays
Viewing reports
Rdo – Radio
Ra – 802.11a radio. The data entry for an Wireless AP indicates whether the a radio is on
or off.
Rb – 802.11b protocol enabled. Possible values are on or off.
Rg – 802.11g protocol enabled. Possible values are on or off.
DP – DTIM period
BP – Beacon Period
SRL – Short Retry Limit
LRL – Long Retry Limit
RT – RTS Threshold
FT – Fragmentation Threshold
Ch – Channel served by the corresponding radio.
PL – Power Level (Defined in the Wireless AP radio properties pages.)
BR – Basic Rate (Only applies to Wireless APs running 3.1 or earlier.)
ORS – Operational Rate Set (Only applies to Wireless APs running 3.1 or earlier.)
MnBR – Minimum Basic Rate (For more information, see the Wireless AP radio
configuration tabs.)
MxBR – Maximum Basic Rate
MxOR – Maximum Operational Rate
RxDV – Receive Diversity
TxDV – Tx Diversity
Pmb – Preamble (long, short)
PM – Protection Mode
PR – Protection Rate
PT – Protection Type
BSS – Basic Service Set
MAC – MAC address
BSS: MAC – Also called BSSID, this is the MAC address of a (virtual) wireless interface
on which the Wireless AP serves a BSS/VNS. There could be 8 per radio.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
266 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing reports
Port – Ethernet Port and associated IP address of the interface on the HiPath Wireless
Controller through which the Wireless AP communicates.
HW – Hardware version of the Wireless AP.
SW – Software version executing on theWireless AP.
TA – Telnet access (enabled or disabled).
BD – Broadcast disassociation (enabled or disabled). If enabled, whenever the Wireless
AP is going offline in a controlled fashion it will send the disassociation frame to all its
clients as a broadcast.
DV – Diversity
P/To – Poll timeout. If polling is enabled, a numeric value.
P/I – Poll interval. If polling is enabled, a numeric value.
Wired MAC – The physical address of the Wireless AP's wired Ethernet interface.
Description – As defined on the AP Properties screen.
Failure Maintn. – Maintain MU sessions on Wireless AP when the Wireless AP loses the
connection to the HiPath Wireless Controller.
Assn – Assignment (address assignment method)
Static Cfg – Wireless AP's IP address if statically configured (same as the Static Values
radio button on the AP Static Configuration screen).
Static Cfg IP – Statically Configured IP. If the Wireless AP's IP address is configured
statically, the IP address is displayed.
Netmask – If the Wireless AP's IP address is configured statically, the netmask that is
statically configured for the Wireless AP.
Gateway – If the Wireless AP's IP address is configured statically, the IP address of the
gateway router that the Wireless AP will use.
HWC Search List – The list of IP addresses that the Wireless AP is configured to try to
connect to in the event that the current connection to the HiPath Wireless Controller is lost.
To export and save a report in XML:
1. On the report screen, click Export. A Windows File Download dialog is displayed.
2. Click the Save button. A Windows Save As dialog is displayed.
hwc_reports.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 267
Working with reports and displays
Viewing reports
3. Browse to the location where you want to save the exported XML data file, and in the File
name box enter an appropriate name for the file.
4. Click Save. The XML data file is saved in the specified location.
>If your default XML viewer is Internet Explorer or Netscape, clicking Open will
open the exported data to your display screen. You must right-click to go back
to the export display. The XML data file will not be saved to your local drive.
Working with reports and displays
A31003-W1040-U103-1-7619, Draft February 2007
268 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_reports.fm
Viewing reports
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 269
Performing system maintenance
Performing Wireless AP client management
12 Performing system maintenance
This chapter describes system maintenance processes, including:
Performing Wireless AP client management
Resetting the AP to its factory default settings
Performing system maintenance tasks
Performing HiPath Wireless Controller software maintenance
Configuring Controller, Access Points and Convergence Software logs and traces
12.1 Performing Wireless AP client management
There are times when for service reasons or security issues, you want to cut the connection
with a particular wireless device. You can view all the associated wireless devices, by MAC
address, on a selected Wireless AP. You can do the following:
Disassociate a selected wireless device from its Wireless AP.
Add a selected wireless device's MAC address to a blacklist of wireless clients that will not
be allowed to associate with the Wireless AP.
Backup and restore the HiPath Wireless Controller database. For more information, see
Section 12.4, “Performing HiPath Wireless Controller software maintenance”, on page 278.
12.1.1 Disassociating a client
In addition to the following procedure below, you can also disassociate wireless users directly
from the Active Clients by VNS screen. For more information, see Chapter 11, “Working with
reports and displays”.
To disassociate a wireless device client:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
270 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing Wireless AP client management
3. In the Select AP list, click the AP you want to disassociate.
4. In the Select Client(s) list, select the checkbox next to the client you want to disassociate,
if applicable.
5. Click Disassociate. The client's session terminates immediately.
12.1.2 Blacklisting a client
The Blacklist tab displays the current list of MAC addresses that are not allowed to associate.
A client is added to the blacklist by selecting it from a list of associated APs or by entering its
MAC address.
>You can search for a client by MAC Address, IP Address or User ID, by selecting
the search parameters from the drop-down lists and typing a search string in the
Search box and clicking Search. You can also use the Select All or Clear All
buttons to help you select multiple clients.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 271
Performing system maintenance
Performing Wireless AP client management
To blacklist a wireless device client:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
3. In the Select AP list, click the AP you want to disassociate.
4. In the Select Client(s) list, select the checkbox next to the client you want to disassociate,
if applicable.
5. Click Add to Blacklist. The selected wireless client's MAC address is added to the
blacklist.
>You can search for a client by MAC Address, IP Address or User ID, by selecting
the search parameters from the drop-down lists and typing a search string in the
Search box and clicking Search. You can also use the Select All or Clear All
buttons to help you select multiple clients.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
272 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing Wireless AP client management
To blacklist a wireless device client using its MAC address:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
3. Click the Blacklist tab.
4. To add a new MAC address to the blacklist, in the MAC Address box enter the client’s MAC
address.
5. Click Add. The client is displayed in the MAC Addresses list.
6. To save your changes, click Save.
>You can use the Select All or Clear All buttons to help you select multiple
clients.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 273
Performing system maintenance
Performing Wireless AP client management
To clear an address from the blacklist:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
3. Click the Blacklist tab.
4. To clear an address from the blacklist, select the corresponding checkbox in the MAC
Addresses list.
5. Click Remove Selected. The selected client is removed from the list.
6. To save your changes, click Save.
To import a list of MAC addresses for the blacklist:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
3. Click the Blacklist tab.
4. Click Browse and navigate to the file of MAC addresses you want to import and add to the
blacklist.
5. Select the file, and then click Import. The list of MAC addresses is imported.
To export a list of MAC addresses for the blacklist:
1. From the main menu, click Wireless AP Configuration. The Wireless AP Configuration
screen is displayed.
2. From the left pane, click Client Management. The Disassociate tab is displayed.
3. Click the Blacklist tab.
4. To export the current blacklist, use the browser’s save option to save the file as a text (.txt)
file. It is recommend that a descriptive file name is used.
5. Click Export. The saved blacklist file is exported.
>You can use the Select All or Clear All buttons to help you select multiple
clients.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
274 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Resetting the AP to its factory default settings
12.2 Resetting the AP to its factory default settings
You can reset the Wireless AP to its factory default settings. The AP boot-up sequence includes
a random delay interval, followed by a vulnerable time interval. During the vulnerable time
interval (2 seconds), the LEDs flash in a particular sequence to indicate that the HiPath
Wireless Controller is in the vulnerable time interval. For more information, see Section 5.2.3,
“Understanding the Wireless AP LED status”, on page 97.
If you power up the AP and interrupt the power during the vulnerable time interval three
consecutive times, the next time the AP reboots, it will restore its factory defaults including the
user password and the default IP settings.
To reset the AP to its factory default settings:
1. Reboot the AP.
2. Depower and repower the AP during the vulnerable time interval.
3. Repeat Step 2 two more times.
When the AP reboots for the fourth time, after having its power supply interrupted three
consecutive times, it restores its factory default settings. The AP then reboots again to put
the default settings into effect.
12.3 Performing system maintenance tasks
You can perform various maintenance tasks, including:
Changing the log level
Setting a poll interval for checking the status of the Wireless APs (Health Checking)
Enabling and defining parameters for Syslog event reporting
Forcing an immediate system shutdown, with or without reboot
Syslog event reporting uses the syslog protocol to relay event messages to a centralized event
server on your enterprise network. In the protocol a device generates messages, a relay
receives and forwards the messages, and a collector (a syslog server) receives the messages
without relaying them.
7The restoration of factory default settings does not erase the non-volatile log.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 275
Performing system maintenance
Performing system maintenance tasks
To change the log levels:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. In the System Log Level section, from the Wireless Controller Log Level drop-down list,
select the least severe log level for the Controller that you want to receive: Information,
Minor, Major, Critical. For example, if you select Minor, you receive all Minor, Major and
Critical messages. If you select Major you receive all Major and Critical messages. The
default is Information.
3. Click Apply.
4. From the Wireless AP Log Level drop-down list, select the least severe log level for the
AP that you want to receive: Information, Minor, Major, Critical. The default is Critical.
5. Click Apply.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
276 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing system maintenance tasks
To set a poll interval:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click System Maintenance. The System Maintenance screen is
displayed.
3. In the Health Checking section, in the Poll Timer box, type the time interval (in seconds)
for the HiPath Wireless Controller to check that each Wireless AP is connected. The default
is 60 seconds.
4. Click Apply.
To enable and define parameters for Syslog:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click System Maintenance. The System Maintenance screen is
displayed.
3. In the Syslog section, to enable the Syslog function for up to three syslog servers, select
the appropriate checkboxes.
4. For each enabled syslog server, in the IP box, type a valid IP address for the server on the
network.
5. For each enabled syslog server, in the Port # box, type a valid port number to connect on.
The default port for syslog is 514.
6. To include all system messages, select the Include all service messages checkbox. If the
box is not selected, only component messages (logs and traces) are relayed. This setting
applies to all three servers. The additional service messages are:
DHCP messages reporting users receiving IP addresses
Startup Manager Task messages reporting component startup and failure
7. To include audit messages, select the Include audit messages checkbox.
8. From the Application Logs drop-down list, select the log level (local.0 - local.6) to be sent
to the syslog server. This setting applies all three servers.
9. If the Include all service messages checkbox is selected, the Service Logs drop-down
list becomes selectable. Select the log level (local.0 - local.6) to be sent to the syslog
server. This setting applies all three servers.
10. If you selected the Include audit messages checkbox, the Audit Logs drop-down list
becomes available. Select the log level (local.0 - local.6) to be sent to the syslog server.
This setting applies all three servers.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 277
Performing system maintenance
Performing system maintenance tasks
11. To apply your changes, click on the Apply button.
Table 27shows Syslog and Controller, Access Points and Convergence Software event log
mapping.
To force an immediate system shutdown:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click System Maintenance. The System Maintenance screen is
displayed.
3. To shut down the system, including associated Wireless APs, select the appropriate shut
down option:
Halt system: reboot
Halt system: reset database to factory default and reboot – Restores all aspects
of the system configuration to the initial settings. However, the Management IP
address and license key are preserved. This permits the user to remain connected
through the Management interface.
Halt system: reset to factory default and reboot – Resets the entire system
configuration to the factory shipping state. The Management IP address reverts to
192.168.10.1 and the license key is removed.
Halt system The system enters the halted state, which stops all functional services
and the application. To restart the system, the power to the system must be reset.
4. Click Apply Now. The system is immediately halted.
>The syslog daemon must be running on both the HiPath Wireless Controller and on
the remote syslog server before the logs can be synchronized. If you change the log
level on the HiPath Wireless Controller, you must also modify the appropriate setting
in the syslog configuration on remote syslog server.
Syslog Event Controller, Access Points and
Convergence Software Event
LOG_CRIT Critical
LOG_ERR Major
LOG_WARNING Minor
LOG_INFO Information
LOG_DEBUG Trace
Table 27 Syslog and Controller, Access Points and Convergence Software event log mapping
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
278 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
12.4 Performing HiPath Wireless Controller software maintenance
You can update the core HiPath Wireless Controller software files, and the Operating System
(OS) software using the Software Maintenance function. A facility to backup and restore the
HiPath Wireless Controller database is also available. The maintenance interface also includes
the product key maintenance, for first-time setup and upgrades, if appropriate. For more
information, see Section 4.2.3, “Applying the product license key”, on page 77.
12.4.1 Updating HiPath Wireless Controller software
You can update the core HiPath Wireless Controller software files using the Software
Maintenance function.
To upgrade HiPath Wireless Controller software:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
7During a system upgrade from v3.1 to v4 R0.x.x, it is recommended that you install
your new v4 license key BEFORE upgrading the software if you have manually
configured radio channels.
If your HiPath Wireless Controller has a v3.1 license key when it is upgraded, the key
will be rejected and the HiPath Wireless Controller will revert to a factory default
DEMO region setting. Whenever the licensed region changes on the HiPath
Wireless Controller, all Wireless APs are changed to Auto Channel Select to
prevent possible infractions to local RF regulatory requirements. If this occurs, all
manually configured radio channel settings will be lost.
Installing the new license key before upgrading will prevent the HiPath Wireless
Controller from changing the licensed region, and in addition, manually configured
channel settings will be maintained.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 279
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
The Available HWC Images section displays the list of software versions that have been
downloaded and are available.
3. In the Upgrade section, select an image from the Select an image to use drop-down list.
4. To launch the upgrade with the selected image, click on the Upgrade Now button.
5. In the dialog box that is displayed, confirm the upgrade.
At this point, all sessions are closed. The previous software is uninstalled automatically.
The new software is installed. The HiPath Wireless Controller reboots automatically. The
database is updated and migrated.
>It is recommended that the Bypass checks for compatible upgrade RPM and
OS patch and the Skip backup during RPM un-install options remain
disabled.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
280 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
To download a new HiPath Wireless Controller software image:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. To download a new image to be added to the list, in the Download Image section type the
following:
FTP Server – The IP of the FTP server to retrieve the image file from.
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID.
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Directory – The directory on the server in which the image file that is to be retrieved
is stored.
Filename – The name of the image file to retrieve.
Platform – The AP hardware type to which the image applies. The are several types
of AP and they require different images.
4. Click Download. The image is downloaded and added to the list.
To delete a HiPath Wireless Controller software image:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. To delete a software image from the list, in the Available HWC Images list, click the image.
4. Click Delete. The image is removed from the list.
12.4.2 Updating operating system software
You can update the Operating System (OS) software using the Software Maintenance function.
To upgrade operating system software:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 281
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
3. Click the OS Software tab.
The Available OS Images section displays the list of software versions that have been
downloaded and are available.
4. In the Upgrade section, select an image from the Select an image to use drop-down list.
5. To launch the upgrade with the selected image, click Upgrade Now.
6. In the dialog box that is displayed, confirm the upgrade.
At this point, all sessions are closed. The previous software is uninstalled automatically.
The new software is installed. The HiPath Wireless Controller reboots automatically.
To download a new operating system software image:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the OS Software tab.
4. To download a new image to be added to the list, in the Download Image section type the
following:
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
282 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
FTP Server – The IP of the FTP server to retrieve the image file from.
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID.
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Directory – The directory on the server in which the image file that is to be retrieved
is stored.
Filename – The name of the image file to retrieve.
Platform – The AP hardware type to which the image applies. The are several types
of AP and they require different images.
5. Click Download. The image is downloaded and added to the list.
To delete a HiPath Wireless Controller software image:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the OS Software tab.
4. To delete a software image from the list, in the Available OS Images list, click the image.
5. Click Delete. The image is removed from the list.
12.4.3 Backing up HiPath Wireless Controller software
You can backup the HiPath Wireless Controller database. You can also schedule the backups
to occur. When a scheduled backup is defined, you can configure to have the scheduled backup
copied to an FTP server when the backup is complete.
To back up the HiPath Wireless Controller software:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the Backup tab.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 283
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
The Available Backups section displays the list items that have been backed up and are
available.
4. In the Backup section, select an item from the Select what to backup drop-down list.
5. To launch the backup with the selected items, click on the Backup Now button.
6. In the dialog box that is displayed, confirm the backup. The items are backed up.
To upload a new backup:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the Backup tab.
4. To upload a new backup, which will be added to the list, in the Upload Backup section type
the following:
FTP Server – The IP of the FTP server to retrieve the image file from.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
284 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID.
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Directory – The directory on the server where the image file will be stored.
Filename – The name that will be given to the image file when it is stored on the FTP
server.
Platform – The AP hardware type to which the image applies. The are several types
of AP and they require different images.
5. Click Upload. The backup is uploaded and added to the list.
To delete a backup:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the Backup tab.
4. To delete a backup from the list, in the Available Backups list, click the backup.
5. Click Delete. The backup is removed from the list.
To schedule a backup:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the Backup tab.
4. Click Schedule Backup. The Schedule Backups screen is displayed.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 285
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
5. In the What to backup drop-down list, select what you want to backup:
Config’s, CDRs, Logs, Audit and Rogue
Configurations only
CDRs only
Logs only
Audit only
Rogue only
6. In the Schedule task drop-down list, select the frequency of the backup:
Daily
Weekly
Monthly
Never
7. In the FTP settings section, type the following:
FTP Server – The IP of the FTP server to where the scheduled backup will be copied
to.
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
286 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
Directory – The directory on the server where the image file will be stored.
8. To save your changes, click Save.
12.4.4 Restoring HiPath Wireless Controller software
You can restore the HiPath Wireless Controller database.
To restore the HiPath Wireless Controller software:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The HWC Software tab is displayed.
3. Click the Restore tab.
The Available Backups section displays the list items that have been backed up and are
available.
4. In the Restore section, select an item from the Select an image to use drop-down list.
5. To launch the backup with the selected items, click on the Restore Now button.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 287
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
6. In the dialog box that is displayed, confirm the restore. The image is restored.
To download for restore:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The System Maintenance screen is
displayed.
3. Click the Restore tab.
4. To download an image for restore, which will be added to the list, in the Download for
Restore section type the following:
FTP Server –The FTP server to retrieve the image file from.
User ID – The user ID that the controller should use when it attempts to log in to the
FTP server.
Password – The corresponding password for the user ID.
Confirm – The corresponding password for the user ID to confirm it was typed
correctly.
Directory – The directory on the server in which the image file that is to be retrieved
is stored.
Filename – The name of the image file to retrieve.
Platform – The AP hardware type to which the image applies. The are several types
of AP and they require different images.
5. Click Download. The image is downloaded and added to the list.
To delete a backup available for restore:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Software Maintenance. The System Maintenance screen is
displayed.
3. Click the Restore tab.
4. To delete a backup from the list, in the Available Backups list, click the backup.
5. Click Delete. The backup is removed from the list.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
288 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
12.4.5 Upgrading a HiPath Wireless Controller using SFTP
You can upload an image file to the HiPath Wireless Controller using Secure FTP (SFTP). The
HiPath Wireless Controller supports any SFTP client.
To upload an image file:
1. Launch the SFTP client, point it to the HiPath Wireless Controller and login in. The exact
details of how to do this will depend on the client used. The following uses putty as an
example:
2. Change to the directory to receive the uploaded file:
For AP images change to: /var/tftp/chantry
For HiPath Wireless Controller images change to: /var/controller/upgrade
For OS archives change to: /var/controller/osupgrade
3. Upload the image file using the SFTP client upload feature.
4. To complete a HiPath Wireless Controller upgrade or an AP upgrade go to the appropriate
Software Maintenance screen. For more information, see Section 12.4.1, “Updating
HiPath Wireless Controller software”, on page 278 or Section 12.4.2, “Updating operating
system software”, on page 280.
>You must enable management traffic before you try to connect with a SFTP client.
Specify the exact image path for the corresponding SW package (see directory
information below). Otherwise, the HiPath Wireless Controller cannot locate them for
SW upgrades/updates.
mp
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 289
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
12.4.6 Configuring the HiPath Wireless Controller for interaction with
the HiPath Wireless Manager
The HiPath Wireless Manager application provides administrators with a graphical overview of
the entire HiPath wireless network, including real time wireless event monitoring. You must
configure each HiPath Wireless Controller in order to interact with the HiPath Wireless
Manager. To configure the HiPath Wireless Controller to interact with the HiPath Wireless
Manager, a shared secret must be defined for both. For more information, see the HiPath
Wireless Manager User Guide.
To configure a shared secret for interaction with the HiPath Wireless Manager:
1. From the main menu, click Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
2. From the left pane, click Secure Connections. The Shared Secret for Remote
Connections screen is displayed.
3. In the first box, type the controller’s IP address.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
290 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
4. In the second box, type the shared secret to be used by both the HiPath Wireless Controller
and the HiPath Wireless Manager. The shared secret can be a maximum of 16 (232 ASCII)
characters. Each IP connection can have a different secret.
5. Click Add/Update. The table is updated with the IP address and shared secret.
6. To hide the shared secrets, click Hide Shared Secrets. To show the shared secrets, click
Show Shared Secrets.
7. To remove a connections, select the IP address in the table and then click Remove
Selected Peer.
8. To save your changes, click Save.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 291
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
12.4.7 Configuring Controller, Access Points and Convergence
Software logs and traces
The system stores configuration data and log files. These files include:
event and alarm logs (triggered by events)
trace logs (triggered by component activity)
accounting files (created every 30 minutes, to a maximum of six files)
The files are stored in the operating system and have a maximum size of one GB. The
accounting files are stored in flat files in a directory that is created every day. Eight directories
are maintained in a circular buffer (when all are full, the most recent replaces the earliest).
12.4.8 Viewing log, alarm and trace messages
The HiPath Wireless Controller generates three types of messages:
Logs (including alarms) – Messages that are triggered by events
Audits – Files that record administrative changes made to the system (the GUI Audit
displays changes to the Graphical User Interface on the HiPath Wireless Controller)
Traces – Messages that display activity by component, for system debugging,
troubleshooting and internal monitoring of software
12.4.8.1 Logs including alarms
The log messages contain the time of event, severity, source component and any details
generated by the source component. The messages are classified at four levels of severity:
Informational, the activity of normal operation
Minor (alarm)
>In order for the Debug Info option on the Wireless AP Traces screen to return
Trace messages, this option must enabled while Wireless AP debug commands
are running. To do so, you need to run a Wireless AP CLI command to turn on
a specific Wireless AP debug. Once the CLI command is run, select the Debug
Info option, and then click Retrieve Traces. For more information, see the
HiPath Wireless Controller, Access Points and Convergence Software CLI
Reference Guide.
Because Wireless AP debugging can affect the normal operation of Wireless AP
service, enabling debugging is not recommended, unless specific instructions
are provided.
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
292 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
Major (alarm)
Critical (alarm)
The alarm messages (minor, major or critical log messages) are triggered by activities that
meet certain conditions that should be known and dealt with.
Examples of events on the HiPath Wireless Controller that generate an alarm message:
Reboot due to failure
Software upgrade failure on the HiPath Wireless Controller
Software upgrade failure on the Wireless AP
Detection of rogue access point activity without valid ID
If SNMP is enabled on the HiPath Wireless Controller, alarm conditions will trigger a trap in
SNMP (Simple Network Management Protocol). An SNMP trap is an event notification sent by
the managed agent (a network device) to the management system to identify the occurrence
of conditions.
To view logs:
1. From the main menu, click Logs & Traces. The Logs & Traces screen is displayed.
2. Click one of the Log tabs. The following is an example of the HiPath Wireless Controller
logs:
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 293
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
The events are displayed in chronological order, sorted by the Timestamp column.
3. To sort the display by Type or Component, click the appropriate column heading.
4. To filter the logs by severity, in order to display only Info, Minor, Major, or Critical logs,
click the appropriate Log tab at the top of the screen.
5. To refresh the information in any display, click Refresh.
6. To export information from a display as an HTML file, click the Export button.
The component called "Langley" is the term for the inter-process messaging infrastructure on
the HiPath Wireless Controller.
To view traces:
1. From the main menu, click Logs & Traces. The Logs & Traces screen is displayed.
2. Click one of the Traces tabs. The following is an example of the HiPath Wireless Controller
traces:
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
294 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
The events are displayed in chronological order, sorted by the Timestamp column.
3. To sort the display by Type or Component, click the appropriate column heading.
4. To filter the traces by severity, in order to display only Info, Minor, Major, or Critical traces,
click the appropriate Traces tab at the top of the screen.
5. To refresh the information in any display, click Refresh.
6. To export information from a display as an HTML file, click the Export button.
To view audits:
1. From the main menu, click Logs & Traces. The Logs & Traces screen is displayed.
2. Click the Audit: GUI tab. The Audit screen is displayed.
hwc_ongoing.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 295
Performing system maintenance
Performing HiPath Wireless Controller software maintenance
The events are displayed in chronological order, sorted by the Timestamp column.
3. To sort the display by User, Section, Page, or Audit Message, click the appropriate
column heading.
4. To clear the audits from the list, click Clear Audits.
5. To refresh the information in any display, click Refresh.
6. To export information from a display as an HTML file, click the Export button.
To clear logs:
1. From the main menu, click Logs & Traces. The Logs & Traces screen is displayed.
2. Click one of the Log tabs. The following is an example of the HiPath Wireless Controller
logs:
Performing system maintenance
A31003-W1040-U103-1-7619, Draft February 2007
296 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_ongoing.fm
Performing HiPath Wireless Controller software maintenance
The events are displayed in chronological order, sorted by the Timestamp column.
3. To clear the logs, click Clear Log Messages.
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 297
Glossary
Networking terms and abbreviations
13 Glossary
13.1 Networking terms and abbreviations
Term Explanation
AAA Authentication, Authorization and Accounting. A system in IP-based
networking to control what computer resources users have access to
and to keep track of the activity of users over a network.
Access Point (AP) A wireless LAN transceiver or "base station" that can connect a wired
LAN to one or many wireless devices.
Ad-hoc mode An 802.11 networking framework in which devices or stations
communicate directly with each other, without the use of an access
point (AP). (Compare Infrastructure Mode)
AES Advanced Encryption Standard (AES) is an algorithm for encryption
that works at multiple network layers simultaneously. As a block cipher,
AES encrypts data in fixed-size blocks of 128 bits. AES was created
by the National Institute of Standards and Technology (NIST). AES is
a privacy transform for IPSec and Internet Key Exchange (IKE). AES
has a variable key length - the algorithm can specify a 128-bit key (the
default), a 192-bit key, or a 256-bit key.
For the WPA2/802.11i implementation of AES, a 128 bit key length is
used. AES encryption includes 4 stages that make up one round. Each
round is then iterated 10, 12 or 14 times depending upon the bit-key
size. For the WPA2/802.11i implementation of AES, each round is
iterated 10 times.
AES-CCMP AES uses the Counter-Mode/CBC-MAC Protocol (CCMP). CCM is a
new mode of operation for a block cipher that enables a single key to
be used for both encryption and authentication. The two underlying
modes employed in CCM include Counter mode (CTR) that achieves
data encryption and Cipher Block Chaining Message Authentication
Code (CBC-MAC) to provide data integrity.
ARP Address Resolution Protocol. A protocol used to obtain the physical
addresses (such as MAC addresses) of hardware units in a network
environment. A host obtains such a physical address by broadcasting
an ARP request, which contains the IP address of the target hardware
unit. If the request finds a unit with that IP address, the unit replies with
its physical hardware address.
Association A connection between a wireless device and an Access Point.
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
298 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
asynchronous Asynchronous transmission mode (ATM). A start/stop transmission in
which each character is preceded by a start signal and followed by one
or more stop signals. A variable time interval can exist between
characters. ATM is the preferred technology for the transfer of images.
BSS Basic Service Set. A wireless topology consisting of one Access Point
connected to a wired network and a set of wireless devices. Also called
an infrastructure network. See also IBSS.
Captive Portal A browser-based authentication mechanism that forces
unauthenticated users to a Web page. Sometimes called a "reverse
firewall".
CDR Call Data (Detail) Record
In Internet telephony, a call detail record is a data record that contains
information related to a telephone call, such as the origination and
destination addresses of the call, the time the call started and ended,
the duration of the call, the time of day the call was made and any toll
charges that were added through the network or charges for operator
services, among other details of the call.
In essence, call accounting is a database application that processes
call data from your switch (PBX, iPBX, or key system) via a CDR (call
detail record) or SMDR (station message detail record) port. The call
data record details your system's incoming and outgoing calls by
thresholds, including time of call, duration of call, dialing extension,
and number dialed. Call data is stored in a PC database
CHAP Challenge-Handshake Authentication Protocol. One of the two main
authentication protocols used to verify a user's name and password for
PPP Internet connections. CHAP is more secure than PAP because it
performs a three-way handshake during the initial link establishment
between the home and remote machines. It can also repeat the
authentication anytime after the link has been established.
CLI Command Line Interface.
Collision Two Ethernet packets attempting to use the medium simultaneously.
Ethernet is a shared media, so there are rules for sending packets of
data to avoid conflicts and protect data integrity. When two nodes at
different locations attempt to send data at the same time, a collision
will result. Segmenting the network with bridges or switches is one way
of reducing collisions in an overcrowded network.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 299
Glossary
Networking terms and abbreviations
Datagram A datagram is "a self-contained, independent entity of data carrying
sufficient information to be routed from the source to the destination
computer without reliance on earlier exchanges between this source
and destination computer and the transporting network." (RFC1594).
The term has been generally replaced by the term packet. Datagrams
or packets are the message units that the Internet Protocol deals with
and that the Internet transports.
Decapsulation See tunnelling.
Device Server A specialized, network-based hardware device designed to perform a
single or specialized set of server functions. Print servers, terminal
servers, remote access servers and network time servers are
examples of device servers.
DHCP Dynamic Host Configuration Protocol. A protocol for assigning
dynamic IP addresses to devices on a network. With dynamic
addressing, a device can have a different IP address every time it
connects to the network. In some systems, the device's IP address can
even change while it is still connected. DHCP also supports a mix of
static and dynamic IP addresses.
DHCP consists of two components: a protocol for delivering host-
specific configuration parameters from a DHCP server to a host and a
mechanism for allocation of network addresses to hosts. (IETF
RFC1531.)
Option 78 specifies the location of one or more SLP Directory Agents.
Option 79 specifies the list of scopes that a SLP Agent is configured to
use.(RFC2610 - DHCP Options for Service Location Protocol)
Directory Agent (DA) A method of organizing and locating the resources (such as printers,
disk drives, databases, e-mail directories, and schedulers) in a
network. Using SLP, networking applications can discover the
existence, location and configuration of networked devices.
With Service Location Protocol, client applications are 'User Agents'
and services are advertised by 'Service Agents'. The User Agent
issues a multicast 'Service Request' (SrvRqst) on behalf of the client
application, specifying the services required. The User Agent will
receive a Service Reply (SrvRply) specifying the location of all
services in the network which satisfy the request.
For larger networks, a third entity, called a 'Directory Agent', receives
registrations from all available Service Agents. A User Agent sends a
unicast request for services to a Directory Agent (if there is one) rather
than to a Service Agent.
(SLP version 2, RFC2608, updating RFC2165)
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
300 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
Diversity antenna and
receiver
The AP has two antennae. Receive diversity refers to the ability of the
AP to provide better service to a device by receiving from the user on
which ever of the two antennae is receiving the cleanest signal.
Transmit diversity refers to the ability of the AP to use its two antenna
to transmit on a specific antenna only, or on a alternate antennae. The
antennae are called diversity antennae because of this capability of
the pair.
DNS Domain Name Server
DSSS Direct-Sequence Spread Spectrum. A transmission technology used
in Local Area Wireless Network (LAWN) transmissions where a data
signal at the sending station is combined with a higher data rate bit
sequence, or chipping code, that divides the user data according to a
spreading ratio. The chipping code is a redundant bit pattern for each
bit that is transmitted, which increases the signal's resistance to
interference. If one or more bits in the pattern are damaged during
transmission, the original data can be recovered due to the
redundancy of the transmission. (Compare FHSS)
DTIM DTIM delivery traffic indication message (in 802.11 standard)
Dynamic WEP The IEEE introduced the concept of user-based authentication using
per-user encryption keys to solve the scalability issues that
surrounded static WEP. This resulted in the 802.1X standard, which
makes use of the IETF's Extensible Authentication Protocol (EAP),
which was originally designed for user authentication in dial-up
networks. The 802.1X standard supplemented the EAP protocol with
a mechanism to send an encryption key to a Wireless AP. These
encryption keys are used as dynamic WEP keys, allowing traffic to
each individual user to be encrypted using a separate key.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 301
Glossary
Networking terms and abbreviations
EAP-TLS
EAP-TTLS
EAP-TLS Extensible Authentication Protocol - Transport Layer
Security. A general protocol for authentication that also supports
multiple authentication methods, such as token cards, Kerberos, one-
time passwords, certificates, public key authentication and smart
cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN
frames.
In wireless communications using EAP, a user requests connection to
a WLAN through an access point, which then requests the identity of
the user and transmits that identity to an authentication server such as
RADIUS. The server asks the access point for proof of identity, which
the access point gets from the user and then sends back to the server
to complete the authentication.
EAP-TLS provides for certificate-based and mutual authentication of
the client and the network. It relies on client-side and server-side
certificates to perform authentication and can be used to dynamically
generate user-based and session-based WEP keys.
EAP-TTLS (Tunneled Transport Layer Security) is an extension of
EAP-TLS to provide certificate-based, mutual authentication of the
client and network through an encrypted tunnel, as well as to generate
dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-
TTLS requires only server-side certificates.
(See also PEAP)
ELA (OPSEC) Event Logging API (Application Program Interface) for OPSEC, a
module in Check Point used to enable third-party applications to log
events into the Check Point VPN-1/FireWall-1 management system.
Encapsulation See tunnelling.
ESS Extended Service Set (ESS). Several Basic Service Sets (BSSs) can
be joined together to form one logical WLAN segment, referred to as
an extended service set (ESS). The SSID is used to identify the ESS.
(See BSS and SSID.)
FHSS Frequency-Hopping Spread Spectrum. A transmission technology
used in Local Area Wireless Network (LAWN) transmissions where the
data signal is modulated with a narrowband carrier signal that "hops"
in a random but predictable sequence from frequency to frequency as
a function of time over a wide band of frequencies. This technique
reduces interference. If synchronized properly, a single logical channel
is maintained. (Compare DSSS)
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
302 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
Fit, thin and fat APs A thin AP architecture uses two components: an access point that is
essentially a stripped-down radio and a centralized management
controller that handles the other WLAN system functions. Wired
network switches are also required.
A fit AP, a variation of the thin AP, handles the RF and encryption, while
the central management controller, aware of the wireless users'
identities and locations, handles secure roaming, quality of service,
and user authentication. The central management controller also
handles AP configuration and management.
A fat (or thick) AP architecture concentrates all the WLAN intelligence
in the access point. The AP handles the radio frequency (RF)
communication, as well as authenticating users, encrypting
communications, secure roaming, WLAN management, and in some
cases, network routing.
FQDN Fully Qualified Domain Name. A "friendly" designation of a computer,
of the general form computer.[subnetwork.].organization.domain. The
FQDN names must be translated into an IP address in order for the
resource to be found on a network, usually performed by a Domain
Name Server.
FTM Forwarding Table Manager
FTP File Transfer Protocol
Gateway In the wireless world, an access point with additional software
capabilities such as providing NAT and DHCP. Gateways may also
provide VPN support, roaming, firewalls, various levels of security, etc.
Gigabit Ethernet The high data rate of the Ethernet standard, supporting data rates of
1 gigabit (1,000 megabits) per second.
GUI Graphical User Interface
Heartbeat message A heartbeat message is a UDP data packet used to monitor a data
connection, polling to see if the connection is still alive.
In general terms, a heartbeat is a signal emitted at regular intervals by
software to demonstrate that it is still alive. In networking, a heartbeat
is the signal emitted by a Level 2 Ethernet transceiver at the end of
every packet to show that the collision-detection circuit is still
connected.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 303
Glossary
Networking terms and abbreviations
Host (1) A computer (usually containing data) that is accessed by a user
working on a remote terminal, connected by modems and telephone
lines.
(2) A computer that is connected to a TCP/IP network, including the
Internet. Each host has a unique IP address.
HTTP Hypertext Transfer Protocol is the set of rules for transferring files (text,
graphic images, sound, video, and other multimedia files) on the World
Wide Web. A Web browser makes use of HTTP. HTTP is an application
protocol that runs on top of the TCP/IP suite of protocols. (RFC2616:
Hypertext Transfer Protocol -- HTTP/1.1)
HTTPS Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over
SSL, is a Web protocol that encrypts and decrypts user page requests
as well as the pages that are returned by the Web server. HTTPS uses
Secure Socket Layer (SSL) as a sublayer under its regular HTTP
application layering. (HTTPS uses port 443 instead of HTTP port 80 in
its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size
for the RC4 stream encryption algorithm, which is considered an
adequate degree of encryption for commercial exchange.
IBSS Independent Basic Service Set. See BSS. An IBSS is the 802.11 term
for an adhoc network. See adhoc network.
ICMP Internet Control Message Protocol, an extension to the Internet
Protocol (IP) defined by RFC792. ICMP supports packets containing
error, control, and informational messages. The PING command, for
example, uses ICMP to test an Internet connection.
ICV ICV (Integrity Check Value) is a 4-byte code appended in standard
WEP to the 802.11 message. Enhanced WPA inserts an 8-byte MIC
just before the ICV. (See WPA and MIC)
IE Internet Explorer.
IEEE Institute of Electrical and Electronics Engineers, a technical
professional association, involved in standards activities.
IETF Internet Engineering Task Force, the main standards organization for
the Internet.
Infrastructure Mode An 802.11 networking framework in which devices communicate with
each other by first going through an Access Point (AP). In
infrastructure mode, wireless devices can communicate with each
other or can communicate with a wired network. (See ad-hoc mode
and BSS.)
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
304 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
Internet or IP
telephony
IP or Internet telephony are communications, such as voice, facsimile,
voice-messaging applications, that are transported over the Internet,
rather than the public switched telephone network (PSTN). IP
telephony is the two-way transmission of audio over a packet-switched
IP network (TCP/IP network).
An Internet telephone call has two steps: (1) converting the analog
voice signal to digital format, (2) translating the signal into Internet
protocol (IP) packets for transmission over the Internet. At the
receiving end, the steps are reversed. Over the public Internet, voice
quality varies considerably. Protocols that support Quality of Service
(QoS) are being implemented to improve this.
IP Internet Protocol is the method or protocol by which data is sent from
one computer to another on the Internet. Each computer (host) on the
Internet has at least one IP address that uniquely identifies it. Internet
Protocol specifies the format of packets, also called datagrams, and
the addressing scheme. Most networks combine IP with a higher-level
protocol called Transmission Control Protocol (TCP), which
establishes a virtual connection between a destination and a source.
IPC Interprocess Communication. A capability supported by some
operating systems that allows one process to communicate with
another process. The processes can be running on the same
computer or on different computers connected through a network.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 305
Glossary
Networking terms and abbreviations
IPsec
IPsec-ESP
IPsec-AH
Internet Protocol security (IPSec)
Internet Protocol security Encapsulating Security Payload (IPsec-
ESP). The encapsulating security payload (ESP) encapsulates its
data, enabling it to protect data that follows in the datagram.Internet
Protocol security Authentication Header (IPsec-AH). AH protects the
parts of the IP datagram that can be predicted by the sender as it will
be received by the receiver.IPsec is a set of protocols developed by the
IETF to support secure exchange of packets at the IP layer. IPsec has
been deployed widely to implement Virtual Private Networks (VPNs).
IPsec supports two encryption modes: Transport and Tunnel.
Transport mode encrypts only the data portion (payload) of each
packet, but leaves the header untouched. The more secure Tunnel
mode encrypts both the header and the payload. On the receiving
side, an IPSec-compliant device decrypts each packet. For IPsec to
work, the sending and receiving devices must share a public key. This
is accomplished through a protocol known as Internet Security
Association and Key Management Protocol/Oakley (ISAKMP/Oakley),
which allows the receiver to obtain a public key and authenticate the
sender using digital certificates.
isochronous Isochronous data is data (such as voice or video) that requires a
constant transmission rate, where data must be delivered within
certain time constraints. For example, multimedia streams require an
isochronous transport mechanism to ensure that data is delivered as
fast as it is displayed and to ensure that the audio is synchronized with
the video. Compare: asynchronous processes in which data streams
can be broken by random intervals, and synchronous processes, in
which data streams can be delivered only at specific intervals.
ISP Internet Service Provider.
IV IV (Initialization Vector), part of the standard WEP encryption
mechanism that concatenates a shared secret key with a randomly
generated 24-bit initialization vector. WPA with TKIP uses 48-bit IVs,
an enhancement that significantly increases the difficulty in cracking
the encryption. (See WPA and TKIP)
LAN Local Area Network.
License installation
LSA Link State Advertisements received by the currently running OSPF
process. The LSAs describe the local state of a router or network,
including the state of the router's interfaces and adjacencies. See also
OSPF.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
306 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
MAC Media Access Control layer. One of two sublayers that make up the
Data Link Layer of the OSI model. The MAC layer is responsible for
moving data packets to and from one Network Interface Card (NIC) to
another across a shared channel.
MAC address Media Access Control address. A hardware address that uniquely
identifies each node of a network.
MIB Management Information Base is a formal description of a set of
network objects that can be managed using the Simple Network
Management Protocol (SNMP). The format of the MIB is defined as
part of the SNMP. A MIB is a collection of definitions defining the
properties of a managed object within a device. Every managed
device keeps a database of values for each of the definitions written in
the MIB. Definition of the MIB conforms to RFC1155 (Structure of
Management Information).
MIC Message Integrity Check or Code (MIC), also called "Michael", is part
of WPA and TKIP. The MIC is an additional 8-byte code inserted before
the standard 4-byte integrity check value (ICV) that is appended in by
standard WEP to the 802.11 message. This greatly increases the
difficulty in carrying out forgery attacks.
Both integrity check mechanisms are calculated by the receiver and
compared against the values sent by the sender in the frame. If the
values match, there is assurance that the message has not been
tampered with. (See WPA, TKIP and ICV).
MTU Maximum Transmission Unit. The largest packet size, measured in
bytes, that a network interface is configured to accept. Any messages
larger than the MTU are divided into smaller packets before being
sent.
MU Mobile Unit, a wireless device such as a PC laptop.
multicast, broadcast,
unicast
Multicast: transmitting a single message to a select group of
recipients. Broadcast: sending a message to everyone connected to a
network. Unicast: communication over a network between a single
sender and a single receiver.
NAS Network Access Server, a server responsible for passing information
to designated RADIUS servers and then acting on the response
returned. A NAS-Identifier is a RADIUS attribute identifying the NAS
server. (RFC2138)
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 307
Glossary
Networking terms and abbreviations
NAT Network Address Translator. A network capability that enables a group
of computers to dynamically share a single incoming IP address. NAT
takes the single incoming IP address and creates new IP address for
each client computer on the network.
Netmask In administering Internet sites, a netmask is a string of 0's and 1's that
mask or screen out the network part of an IP address, so that only the
host computer part of the address remains. A frequently-used
netmask is 255.255.255.0, used for a Class C subnet (one with up to
255 host computers). The ".0" in the "255.255.255.0" netmask allows
the specific host computer address to be visible.
NIC Network Interface Card. An expansion board in a computer that
connects the computer to a network.
NMS Network Management System. The system responsible for managing
a network or a portion of a network. The NMS talks to network
management agents, which reside in the managed nodes.
NTP Network Time Protocol, an Internet standard protocol (built on top of
TCP/IP) that assures accurate synchronization to the millisecond of
computer clock times in a network of computers. Based on UTC, NTP
synchronizes client workstation clocks to the U.S. Naval Observatory
Master Clocks in Washington, DC and Colorado Springs CO. Running
as a continuous background client program on a computer, NTP sends
periodic time requests to servers, obtaining server time stamps and
using them to adjust the client's clock. (RFC1305)
OFDM Orthogonal frequency division multiplexing, a method of digital
modulation in which a signal is split into several narrowband channels
at different frequencies. OFDM is similar to conventional frequency
division multiplexing (FDM). The difference lies in the way in which the
signals are modulated and demodulated. Priority is given to
minimizing the interference, or crosstalk, among the channels and
symbols comprising the data stream. Less importance is placed on
perfecting individual channels.
OFDM is used in European digital audio broadcast services. It is also
used in wireless local area networks.
OID Object Identifier.
OPSEC OPSEC (Open Platform for Security) is a security alliance program
created by Check Point to enable an open industry-wide framework for
interoperability of security products and applications. Products
carrying the "Secured by Check Point" seal have been tested to
guarantee integration and interoperability.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
308 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
OS Operating system.
OSI Open System Interconnection. An ISO standard for worldwide
communications that defines a networking framework for
implementing protocols in seven layers. Control is passed from one
layer to the next, starting at the application layer in one station, down
through the presentation, session, transport, network, data link layer
to the physical layer at the bottom, over the channel to the next station
and back up the hierarchy.
OSI Layer 2 At the Data Link layer (OSI Layer 2), data packets are encoded and
decoded into bits. The data link layer has two sublayers:
the Logical Link Control (LLC) layer controls frame
synchronization, flow control and error checking
The Media Access Control (MAC) layer controls how a computer
on the network gains access to the data and permission to
transmit it.
OSI Layer 3 The Network layer (OSI Layer 3) provides switching and routing
technologies, creating logical paths, known as virtual circuits, for
transmitting data from node to node. Routing and forwarding are
functions of this layer, as well as addressing, internetworking, error
handling, congestion control and packet sequencing.
OSPF Open Shortest Path First, an interior gateway routing protocol
developed for IP networks based on the shortest path first or link-state
algorithm. Routers use link-state algorithms to send routing
information to all nodes in an internetwork by calculating the shortest
path to each node based on a topography of the Internet constructed
by each node. Each router sends that portion of the routing table
(keeps track of routes to particular network destinations) that
describes the state of its own links, and it also sends the complete
routing structure (topography). Using OSPF, a host that obtains a
change to a routing table or detects a change in the network
immediately multicasts the information to all other hosts in the network
so that all will have the same routing table information. The host using
OSPF sends only the part that has changed, and only when a change
has taken place. (RFC2328)
OUI Organizationally Unique Identifier (used in MAC addressing).
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 309
Glossary
Networking terms and abbreviations
Packet The unit of data that is routed between an origin and a destination on
the Internet or any other packet-switched network. When any file is
sent from one place to another on the Internet, the Transmission
Control Protocol (TCP) layer of TCP/IP divides the file into packets.
Each packet is separately numbered and includes the Internet address
of the destination. The individual packets for a given file may travel
different routes through the Internet. When they have all arrived, they
are reassembled into the original file (by the TCP layer at the receiving
end).
PAP Password Authentication Protocol is the most basic form of
authentication, in which a user's name and password are transmitted
over a network and compared to a table of name-password pairs.
Typically, the passwords stored in the table are encrypted. (See
CHAP).
PDU Protocol Data Unit. A data object exchanged by protocol machines
(such as management stations, SMUX peers, and SNMP agents) and
consisting of both protocol control information and user data. PDU is
sometimes used as a synonym for “packet''.
PEAP PEAP (Protected Extensible Authentication Protocol) is an IETF draft
standard to authenticate wireless LAN clients without requiring them
to have certificates. In PEAP authentication, first the user
authenticates the authentication server, then the authentication server
authenticates the user. If the first phase is successful, the user is then
authenticated over the SSL tunnel created in phase one using EAP-
Generic Token Card (EAP-GTC) or Microsoft Challenged Handshake
Protocol Version 2 (MSCHAP V2). (See also EAP-TLS).
PHP server Hypertext Preprocessor
PKI Public Key Infrastructure
PoE Power over Ethernet. The Power over Ethernet standard (802.3af)
defines how power can be provided to network devices over existing
Ethernet connection, eliminating the need for additional external
power supplies.
POST Power On Self Test, a diagnostic testing sequence performed by a
computer to determine if its hardware elements are present and
powered on. If so, the computer begins its boot sequence.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
310 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
push-to-talk (PTT) The push-to-talk (PTT) is feature on wireless telephones that allows
them to operate like a walkie-talkie in a group, instead of standard
telephone operation. The PTT feature requires that the network be
configured to allow multicast traffic.
A PTT call is initiated by selecting a channel and pressing the "talk"
key on the wireless telephone. All wireless telephones on the same
network that are monitoring the channel will hear the transmission. On
a PTT call you hold the button to talk and release it to listen.
QoS Quality of Service. A term for a number of techniques that intelligently
match the needs of specific applications to the network resources
available, using such technologies as Frame Relay, Asynchronous
Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and
IP-routed networks. QoS features provide better network service by
supporting dedicated bandwidth, improving loss characteristics,
avoiding and managing network congestion, shaping network traffic,
setting traffic priorities across the network.
Quality-of-Service (QoS): A set of service requirements to be met by
the network while transporting a flow. (RFC2386)
RADIUS Remote Authentication Dial-In User Service. An authentication and
accounting system that checks User Name and Password and
authorizes access to a network. The RADIUS specification is
maintained by a working group of the IETF (RFC2865 RADIUS,
RFC2866 RADIUS Accounting, RFC2868 RADIUS Attributes for
Tunnel Protocol Support).
RF Radio Frequency, a frequency in the electromagnetic spectrum
associated with radio wave propagation. When an RF current is
supplied to an antenna, an electromagnetic field is created that can
propagate through space. These frequencies in the electromagnetic
spectrum range from Ultra-low frequency (ULF) -- 0-3 Hz to Extremely
high frequency (EHF) -- 30GHz - 300 GHz. The middle ranges are:
Low frequency (LF) -- 30 kHz - 300 kHz, Medium frequency (MF) --
300 kHz - 3 MHz, High frequency (HF) -- 3MHz - 30 MHz, Very high
frequency (VHF) -- 30 MHz - 300 MHz, Ultra-high frequency (UHF)--
300MHz - 3 GHz.
RFC Request for Comments, a series of notes about the Internet, submitted
to the Internet Engineering Task Force (IETF) and designated by an
RFC number, that may evolve into an Internet standard. The RFCs are
catalogued and maintained on the IETF RFC website: www.ietf.org/
rfc.html.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 311
Glossary
Networking terms and abbreviations
Roaming In 802.11, roaming occurs when a wireless device (a station) moves
from one Access Point to another (or BSS to another) in the same
Extended Service Set (ESS) -identified by its SSID.
RP-SMA Reverse Polarity-Subminiature version A, a type of connector used
with wireless antennas
RSN Robust Security Network. A new standard within IEEE 802.11 to
provide security and privacy mechanisms. The RSN (and related TSN)
both specify IEEE 802.1x authentication with Extensible
Authentication Protocol (EAP).
RSSI RSSI received signal strength indication (in 802.11 standard)
RTS / CTS RTS request to send, CTS clear to send (in 802.11 standard)
Segment In Ethernet networks, a section of a network that is bounded by
bridges, routers or switches. Dividing a LAN segment into multiple
smaller segments is one of the most common ways of increasing
available bandwidth on the LAN.
SLP Service Location Protocol. A method of organizing and locating the
resources (such as printers, disk drives, databases, e-mail directories,
and schedulers) in a network. Using SLP, networking applications can
discover the existence, location and configuration of networked
devices.
With Service Location Protocol, client applications are 'User Agents'
and services are advertised by 'Service Agents'. The User Agent
issues a multicast 'Service Request' (SrvRqst) on behalf of the client
application, specifying the services required. The User Agent will
receive a Service Reply (SrvRply) specifying the location of all
services in the network which satisfy the request.
For larger networks, a third entity, called a 'Directory Agent', receives
registrations from all available Service Agents. A User Agent sends a
unicast request for services to a Directory Agent (if there is one) rather
than to a Service Agent.
(SLP version 2, RFC2608, updating RFC2165)
SMI Structure of Management Information. A hierarchical tree structure for
information that underlies Management Information Bases (MIBs),
and is used by the SNMP protocol. Defined in RFC1155 and RFC1442
(SNMPv2).
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
312 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
SMT (802.11) Station ManagemenT. The object class in the 802.11 MIB that
provides the necessary support at the station to manage the
processes in the station such that the station may work cooperatively
as a part of an IEEE 802.11 network. The four branches of the 802.11
MIB are:
dot11smt - objects related to station management and local
configuration
dot11mac - objects that report/configure on the status of various
MAC parameters
dot11res - Objects that describe available resources
dot11phy - Objects that report on various physical items.
SNMP Simple Network Management Protocol. A set of protocols for
managing complex networks. SNMP works by sending messages,
called protocol data units (PDUs), to different parts of a network.
SNMP-compliant devices, called agents, store data about themselves
in Management Information Bases (MIBs) and return this data to the
SNMP requesters.
SNMP includes a limited set of management commands and
responses. The management system issues Get, GetNext and Set
messages to retrieve single or multiple object variables or to establish
the value of a single variable. The managed agent sends a Response
message to complete the Get, GetNext or Set.
SNMP trap An event notification sent by the SNMP managed agent to the
management system to identify the occurrence of conditions (such as
a threshold that exceeds a predetermined value).
SSH Secure Shell, sometimes known as Secure Socket Shell, is a
Unix-based command interface and protocol for securely getting
access to a remote computer. SSH is a suite of three utilities - slogin,
ssh, and scp - secure versions of the earlier UNIX utilities, rlogin, rsh,
and rcp. With SSH commands, both ends of the client/server
connection are authenticated using a digital certificate, and passwords
are protected by being encrypted.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 313
Glossary
Networking terms and abbreviations
SSID Service Set Identifier. A 32-character unique identifier attached to the
header of packets sent over a Wireless LAN that acts as a password
when a wireless device tries to connect to the Basic Service Set
(BSS). Several BSSs can be joined together to form one logical WLAN
segment, referred to as an extended service set (ESS). The SSID is
used to identify the ESS.
In 802.11 networks, each Access Point advertises its presence several
times per second by broadcasting beacon frames that carry the ESS
name (SSID). Stations discover APs by listening for beacons, or by
sending probe frames to search for an AP with a desired SSID. When
the station locates an appropriately-named Access Point, it sends an
associate request frame containing the desired SSID. The AP replies
with an associate response frame, also containing the SSID.
Some APs can be configured to send a zero-length broadcast SSID in
beacon frames instead of sending their actual SSID. The AP must
return its actual SSID in the probe response.
SSL Secure Sockets Layer. A protocol developed by Netscape for
transmitting private documents via the Internet. SSL works by using a
public key to encrypt data that's transferred over the SSL connection.
URLs that require an SSL connection start with https: instead of http.
SSL uses a program layer located between the Internet's Hypertext
Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers.
The "sockets" part of the term refers to the sockets method of passing
data back and forth between a client and a server program in a
network or between program layers in the same computer. SSL uses
the public-and-private key encryption system from RSA, which also
includes the use of a digital certificate.
SSL has recently been succeeded by Transport Layer Security (TLS),
which is based on SSL.
Subnet mask (See netmask)
Subnets Portions of networks that share the same common address format. A
subnet in a TCP/IP network uses the same first three sets of numbers
(such as 198.63.45.xxx), leaving the fourth set to identify devices on
the subnet. A subnet can be used to increase the bandwidth on the
network by breaking the network up into segments.
SVP SpectraLink Voice Protocol, a protocol developed by SpectraLink to be
implemented on access points in order to facilitate voice prioritization
over an 802.11 wireless LAN that will carry voice packets from
SpectraLink wireless telephones.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
314 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
Switch In networks, a device that filters and forwards packets between LAN
segments. Switches operate at the data link layer (layer 2) and
sometimes the network layer (layer 3) of the OSI Reference Model and
therefore support any packet protocol. LANs that use switches to join
segments are called switched LANs or, in the case of Ethernet
networks, switched Ethernet LANs.
syslog A protocol used for the transmission of event notification messages
across networks, originally developed on the University of California
Berkeley Software Distribution (BSD) TCP/IP system
implementations, and now embedded in many other operating
systems and networked devices. A device generates a messages, a
relay receives and forwards the messages, and a collector (a syslog
server) receives the messages without relaying them.
Syslog uses the user datagram protocol (UDP) as its underlying
transport layer mechanism. The UDP port that has been assigned to
syslog is 514. (RFC3164)
TCP / IP Transmission Control Protocol. TCP, together with IP (Internet
Protocol), is the basic communication language or protocol of the
Internet. Transmission Control Protocol manages the assembling of a
message or file into smaller packets that are transmitted over the
Internet and received by a TCP layer that reassembles the packets into
the original message. Internet Protocol handles the address part of
each packet so that it gets to the right destination.
TCP/IP uses the client/server model of communication in which a
computer user (a client) requests and is provided a service (such as
sending a Web page) by another computer (a server) in the network.
TFTP Trivial File Transfer Protocol. An Internet software utility for transferring
files that is simpler to use than the File Transfer Protocol (FTP) but less
capable. It is used where user authentication and directory visibility
are not required. TFTP uses the User Datagram Protocol (UDP) rather
than the Transmission Control Protocol (TCP). TFTP is described
formally in Request for Comments (RFC) 1350.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 315
Glossary
Networking terms and abbreviations
TKIP Temporal Key Integrity Protocol (TKIP) is an enhancement to the WEP
encryption technique that uses a set of algorithms that rotates the
session keys. TKIPs’ enhanced encryption includes a per-packet key
mixing function, a message integrity check (MIC), an extended
initialization vector (IV) with sequencing rules, and a re-keying
mechanism. The encryption keys are changed (rekeyed) automatically
and authenticated between devices after the rekey interval (either a
specified period of time, or after a specified number of packets has
been transmitted).
TLS Transport Layer Security. (See EAP, Extensible Authentication
Protocol)
ToS / DSCP ToS (Type of Service) / DSCP (Diffserv Codepoint). The ToS/DSCP
box contained in the IP header of a frame is used by applications to
indicate the priority and Quality of Service (QoS) for each frame. The
level of service is determined by a set of service parameters which
provide a three way trade-off between low-delay, high-reliability, and
high-throughput. The use of service parameters may increase the cost
of service.
TSN Transition Security Network. A subset of Robust Security Network
(RSN), which provides an enhanced security solution for legacy
hardware. The Wi-Fi Alliance has adopted a solution called Wireless
Protected Access (WPA), based on TSN. RSN and TSN both specify
IEEE 802.1x authentication with Extensible Authentication Protocol
(EAP).
Tunnelling Tunnelling (or encapsulation) is a technology that enables one network
to send its data via another network's connections. Tunnelling works
by encapsulating packets of a network protocol within packets carried
by the second network. The receiving device then decapsulates the
packets and forwards them in their original format.
UDP User Datagram Protocol. A connectionless protocol that, like TCP,
runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few
error recovery services, offering instead a direct way to send and
receive packets over an IP network. It is used primarily for
broadcasting messages over a network.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
316 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Networking terms and abbreviations
U-NII Unlicensed National Information Infrastructure. Designated to provide
short-range, high-speed wireless networking communication at low
cost, U-NII consists of three frequency bands of 100 MHz each in the
5 GHz band: 5.15-5.25GHz (for indoor use only), 5.25-5.35 GHz and
5.725-5.825GHz. The three frequency bands were set aside by the
FCC in 1997 initially to help schools connect to the Internet without the
need for hard wiring. U-NII devices do not require licensing.
URL Uniform Resource Locator. the unique global address of resources or
files on the World Wide Web. The URL contains the name of the
protocol to be used to access the file resource, the IP address or the
domain name of the computer where the resource is located, and a
pathname -- a hierarchical description that specifies the location of a
file in that computer.
VLAN Virtual Local Area Network. A network of computers that behave as if
they are connected to the same wire when they may be physically
located on different segments of a LAN. VLANs are configured through
software rather than hardware, which makes them extremely flexible.
When a computer is physically moved to another location, it can stay
on the same VLAN without any hardware reconfiguration.
The standard is defined in IEEE 802.1Q - Virtual LANs, which states
that "IEEE 802 Local Area Networks (LANs) of all types may be
connected together with Media Access Control (MAC) Bridges, as
specified in ISO/IEC 15802-3. This standard defines the operation of
Virtual LAN (VLAN) Bridges that permit the definition, operation and
administration of Virtual LAN topologies within a Bridged LAN
infrastructure."
VNS Virtual Network Services (VNS). A Siemens specific technique that
provides a means of mapping wireless networks to a wired topology.
VoIP Voice Over Internet Protocol. An internet telephony technique. With
VoIP, a voice transmission is cut into multiple packets, takes the most
efficient path along the Internet and is reassembled when it reaches
the destination.
VPN Virtual Private Network. A private network that is constructed by using
public wires to connect nodes. These systems use encryption and
other security mechanisms to ensure that only authorized users can
access the network and that the data cannot be intercepted.
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 317
Glossary
Networking terms and abbreviations
VSA Vendor Specific Attribute, an attribute for a RADIUS server defined by
the manufacturer.(compared to the RADIUS attributes defined in the
original RADIUS protocol RFC2865). A VSA attribute is defined in
order that it can be returned from the RADIUS server in the Access
Granted packet to the Radius Client.
Walled Garden A restricted subset of network content that wireless devices can
access.
WEP Wired Equivalent Privacy. A security protocol for wireless local area
networks (WLANs) defined in the 802.11b standard. WEP aims to
provide security by encrypting data over radio waves so that it is
protected as it is transmitted from one end point to another.
Wi-Fi Wireless fidelity. A term referring to any type of 802.11 network,
whether 802.11b, 802.11a, dual-band, etc. Used in reference to the
Wi-Fi Alliance, a nonprofit international association formed in 1999 to
certify interoperability of wireless Local Area Network products based
on IEEE 802.11 specification.
WINS Windows Internet Naming Service. A system that determines the IP
address associated with a particular network computer, called name
resolution. WINS supports network client and server computers
running Windows and can provide name resolution for other
computers with special arrangements. WINS supports dynamic
addressing (DHCP) by maintaining a distributed database that is
automatically updated with the names of computers currently available
and the IP address assigned to each one.
DNS is an alternative system for name resolution suitable for network
computers with fixed IP addresses.
WLAN Wireless Local Area Network.
WMM Wi-Fi Multimedia (WMM), a Wi-Fi Alliance certified standard that
provides multimedia enhancements for Wi-Fi networks that improve
the user experience for audio, video, and voice applications. This
standard is compliant with the IEEE 802.11e Quality of Service (QoS)
extensions for 802.11 networks. WMM provides prioritized media
access by shortening the time between transmitting packets for higher
priority traffic. WMM is based on the Enhanced Distributed Channel
Access (EDCA) method.
Term Explanation
Table 28
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
318 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Controller, Access Points and Convergence Software terms and abbreviations
13.2 Controller, Access Points and Convergence Software terms and
abbreviations
WPA Wireless Protected Access, or Wi-Fi Protected Access is a security
solution adopted by the Wi-Fi Alliance that adds authentication to
WEPs’ basic encryption. For authentication, WPA specifies IEEE
802.1x authentication with Extensible Authentication Protocol (EAP).
For encryption, WPA uses the Temporal Key Integrity Protocol (TKIP)
mechanism, which shares a starting key between devices, and then
changes their encryption key for every packet. Certificate
Authentication (CA) can also be used. Also part of the encryption
mechanism are 802.1X for dynamic key distribution and Message
Integrity Check (MIC) a.k.a. Michael.
WPA requires that all computers and devices have WPA software.
WPA-PSK Wi-Fi Protected Access with Pre-Shared Key, a special mode of WPA
for users without an enterprise authentication server. Instead, for
authentication, a Pre-Shared Key is used. The PSK is a shared secret
(passphrase) that must be entered in both the Wireless AP or router
and the WPA clients.
This preshared key should be a random sequence of characters at
least 20 characters long or hexadecimal digits (numbers 0-9 and
letters A-F) at least 24 hexadecimal digits long. After the initial shared
secret, the Temporal Key Integrity Protocol (TKIP) handles the
encryption and automatic rekeying.
Term Explanation
CTP CAPWAP Tunnelling Protocol (CTP). The Wireless AP uses a UDP
(User Datagram Protocol) based tunnelling protocol called CAPWAP
Tunnelling Protocol (CTP) to encapsulate the 802.11 packets and
forward them to the HiPath Wireless Controller.
The CTP protocol defines a mechanism for the control and
provisioning of Wireless APs (CAPWAP) through centralized access
controllers. In addition, it provides a mechanism providing the option
to tunnel the mobile client data between the access point and the
access controller.
Table 29
Term Explanation
Table 28
hwc_glossary.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 319
Glossary
Controller, Access Points and Convergence Software terms and abbreviations
DRM (dynamic radio/
RF management)
The DRM feature consists of software on the Wireless AP that
provides dynamic radio frequency (RF) management. For Wireless
APs with the DRM feature enabled and on a common channel, the
power levels will be adjusted to balance coverage if a Wireless AP is
added to, or leaves, the network. The feature also allows wireless
clients to be moved to another Wireless AP if the load is too high. The
feature can also be set to scan automatically for a channel, using a
channel selection algorithm.
HiPath Wireless
Controller
The HiPath Wireless Controller is a rack-mountable network device
designed to be integrated into an existing wired Local Area Network
(LAN). It provides centralized control over all access points (both
Wireless APs and third-party access points) and manages the
network assignment of wireless device clients associating through
access points.
Langley Langley is a Controller, Access Points and Convergence Software
term for the inter-process messaging infrastructure on the HiPath
Wireless Controller.
Mitigator The Mitigator is a mechanism that assists in the detection of rogue
access points. The feature has three components: (1) a radio
frequency (RF) scanning task that runs on the Wireless AP, (2) an
application called the Data Collector on the HiPath Wireless
Controller that receives and manages the RF scan messages sent by
the Wireless AP, (3) an Analysis Engine on the HiPath Wireless
Controller that processes the scan data.
Mobility manager (and
mobility agent)
The technique in Controller, Access Points and Convergence
Software by which multiple HiPath Wireless Controllers on a network
can discover each other and exchange information about a client
session. This enables a wireless device user to roam seamlessly
between different Wireless APs on different HiPath Wireless
Controllers, to provide mobility to the wireless device user.
One HiPath Wireless Controller on the network must be designated
as the mobility manager. All other HiPath Wireless Controllers are
designated as mobility agents. Relying on SLP, the mobility manager
registers with the Directory Agent and the mobility agents discover
the location of the mobility manager.
Term Explanation
Table 29
Glossary
A31003-W1040-U103-1-7619, Draft February 2007
320 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_glossary.fm
Controller, Access Points and Convergence Software terms and abbreviations
Data Collector The Data Collector is an application on the HiPath Wireless Controller
that receives and manages the Radio Frequency (RF) scan
messages sent by the Wireless AP. This application is part of the
Mitigator technique, working in conjunction with the scanner
mechanism and the Analysis Engine to assist in detecting rogue
access points.
Virtual Network
Services (VNS)
The Virtual Network Services (VNS) technique is Siemens's means
of mapping wireless networks to the topology of an existing wired
network. When you set up Virtual Network Services (VNS) on the
HiPath Wireless Controller, you are defining subnets for groups of
wireless users. This VNS definition creates a virtual IP subnet where
the HiPath Wireless Controller acts as a default gateway for wireless
devices. This technique enables policies and authentication to be
applied to the groups of wireless users on a VNS, as well as the
collecting of accounting information. When a VNS is set up on the
HiPath Wireless Controller, one or more Wireless APs (by radio) are
associated with it. A range of IP addresses is set aside for the HiPath
Wireless Controller's DHCP server to assign to wireless devices.
Wireless AP The Wireless AP is a wireless LAN thin access point (IEEE 802.11)
provided with unique software that allows it to communicate only with
a HiPath Wireless Controller. (A thin access point handles the radio
frequency (RF) communication but relies on a controller to handle
WLAN elements such as authentication.) The Wireless AP also
provides local processing such as encryption. The Wireless AP is a
dual-band access point, with both 802.11a and 802.11b/g radios.
Term Explanation
Table 29
hwc_appendixa.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 321
System states and LEDs
HiPath Wireless Controller system states and LEDs
A System states and LEDs
A.1 HiPath Wireless Controller system states and LEDs
The HiPath Wireless Controller has the two system states: Standby and Active.
It enters Standby state when shut down in the user interface. During this state, the HiPath
Wireless Controller:
sends a control message to Wireless APs to enter Standby state
does not handle any wireless traffic or sessions
disables DHCP, Policy Manager, Security Manager, Wireless AP Manager, and
Redirector
remains on the wired network
The HiPath Wireless Controller enters Active state on startup in the user interface. It responds
to the Wireless AP's discover message by returning a message indicating that the Wireless AP
can enter the active state.
A.1.1 Activity and traffic monitoring
The activity and traffic on the HiPath Wireless Controller is monitored via three LEDs on the
back of the HiPath Wireless Controller. These LEDs are Link, Status, and Activity.
The three LEDs perform the following functions:
Link LED: Displays the link status of management port Ethernet link as seen by the system
software. This LED is only visible at the back of the HiPath Wireless Controller
Status LED: Indicates the state of the controller from software point of view, normal
operation, whether processes have gone down, are restarting, and so on. This LED is
visible from both the front and the back of the HiPath Wireless Controller.
System states and LEDs
A31003-W1040-U103-1-7619, Draft February 2007
322 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_appendixa.fm
Wireless AP system states
Activity LED: Indicates the amount of traffic carried to and from Wireless APs. This LED is
visible from both the front and the back of the HiPath Wireless Controller.
Table 30 shows the sequence of the Status and Activity LEDs.
A.2 Wireless AP system states
For the Wireless AP, the Status LED in the center also indicates power. The Status LED is dark
when unit is off and is green (solid) when the AP has completed discovery and is operational.
The chart below shows states and corresponding Status LED displays:
System State Status LED Activity LED
Power up Off Off
Services started: WDTSTAT installed (init.d starts
services)
Blinking
Amber
Off
Startup Manager Task started Solid Amber Blinking Amber
Startup Manager Task completes startup – all
components started
Solid Green Blinking green, if traffic
Blank, if no traffic
A component fails to start or needs restarting
(Startup Manager Task retrying that component)
Solid Amber Blinking green
HiPath Wireless Controller fails to boot Solid Red Off
A component fails (no more retries) Solid Red Off
System about to be reset by watchdog Blinking Red Off
Table 30 Status and Activity LED sequence
State / Process Description LEDs
Power Wireless AP not powered. Off
Power Start up: Power On Self Test (POST) Steady green
(briefly)
Power Power On Self Test (POST) successful Off (briefly)
Discovery If the POST self test is successful, the AP begins Discovery
process. Wireless AP is powered on and searching for an
active HiPath Wireless Controller. It sends a discover
message and waits for a response
Orange
(steady)
Fail to find
DHCP
Wireless AP failed to find DHCP (will stay in this state until
a route appears).
Red-orange
(alternate
blink)
Table 31 Wireless AP system states and status LED displays
hwc_appendixa.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 323
System states and LEDs
Wireless AP system states
Failed discovery If there are SLP issues in failed discovery, the LED display
changes.
Green-orange
(alternate
blink)
Registration Wireless AP learns the HiPath Wireless Controller's IP
address, and can begin the Registration process
Orange (blink)
Failed
Registration
Wireless AP fails to learn the HiPath Wireless Controller's
IP address.
Red (blink)
Standby 1. Wireless AP enters this state from Discovery when it
encounters an active HiPath Wireless Controller and
completes the Registration process.
2. Wireless AP enters this state from Active when it receives
a control message from the HiPath Wireless Controller to
enter this state. If the Wireless AP has any wireless device
traffic, it will drop the traffic.
Green (blink)
Wireless AP fails to register. It will wait 5 seconds and try
again.
Red (slow
blink)
Firmware download from the HiPath Wireless Controller is
in progress
Orange +
green (blink)
Active (Ready) Wireless AP has received a control message from an active
HiPath Wireless Controller to enter active or ready state. It
is ready to receive wireless traffic.
Note: The two Traffic LEDs on either side of the Status LED
display a green (blink) if there is active wireless traffic. The
left LED is for the 2.4 GHz radio. The right LED is for the 5
GHz radio.
Green (steady)
Vulnerable time
interval
Vulnerable time interval (the HiPath Wireless Controller
resets to factory default if powered-off for three consecutive
times during this state). No vulnerable period when access
point is resetting to factory defaults.
Left: Green/Off
Center: Off/
Green
Right: Green/
Off
Upgrading
firmware
Wireless AP is upgrading its firmware Center: Red/
Green
State / Process Description LEDs
Table 31 Wireless AP system states and status LED displays
System states and LEDs
A31003-W1040-U103-1-7619, Draft February 2007
324 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc_appendixa.fm
Wireless AP system states
hwc1000_user_guideix.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 325
Nur für den internen Gebrauch Index
Index Z
A
accounting
setup on a VNS 176
adding
Wireless AP manually 103
alarms
overview of log types and levels 291
allow all or approved APs
for availability setup 215
allow or deny in a filtering rule 142
Analysis engine
functions 246
antennae on the Wireless AP 94
authentication
MAC-based 174
no RADIUS server 137
none on a VNS 201
on a VNS for AAA 171
on a VNS for Captive Portal 163
overview of types 161
protocols supported 139, 166
Authentication, Authorization, Accounting
(AAA)
filter ID values (RADIUS policy), groups
178
set up 802.1x authentication 171
set up privacy on a VNS 197
availability 216
B
backup controller software configuration 282
branch office, static configuration of Wireless
AP 120
C
call data records (CDRs) 176
Captive Portal
authentication on a VNS 163
configuring internal, external Captive Por-
tal 169
defined 139
non-authenticated filtering rules 182
privacy mechanisms 193
set up a VNS topology 151
view sample page 170
Check Point event logging 229
configuring
Captive Portal, internal, external 169
software - overview steps 67
static routes 82
controller
availability overview 66
back up software configuration 282
define management user names, pass-
words 226
define network time synchronization 228
defined as mobility manager for mobility
220
enable ELA event logging (Check Point)
229
events during a failover 218
paired for availability 213
restore software configuration 286
set up third-party APs 237
system maintenance 274
system shutdown 274
D
default filter 188
default gateway on a VNS 155
disassociate a wireless client 269
discovery
steps 95
Wireless AP LED sequence 97
displays
client location by foreign HWC 226, 260
client location by home 226, 260
HWC tunnel traffic 226, 260
list of displays 255
Wireless AP availability 217, 257
Index Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
326 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guideix.fm
Wireless AP wired and wireless statistics
257
documentation feedback 11
Domain Name Server (DNS)
in discovery 95
DSCP classifications 207
Dynamic Host Configuration Protocol (DHCP)
for availability 213
for mobility (VN Manager) 220
Option 78 in discovery 95
relay on a VNS 157
required as part of solution 55
E
event logging
in Check Point 229
in HWC software 291
exception filters
on a VNS 179
port-based 90
exclusions, IP address range on a VNS 155
F
failover of a controller
availability overview 66
events and recovery 218
failover of a RADIUS server 166
filtering
default filter 188
exception filter on a VNS 179
filtering rules, overview of set up 179
for an AAA group 190
for Captive Portal authentication 170
non-authenticated filter for Captive Portal
182
non-authenticated filtering rules, exam-
ples 184
on a VNS for third-party APs 240
overview of packet filtering 65
overview, four types 141
port-based 88
rules for filter ID values 185
set filter ID values (RADIUS policy) 177
formatting conventions 10
forwarding table report 84
G
gateway, default, on a VNS 155
global settings
for a VNS 144
RADIUS servers for authentication 164,
172, 175, 177
groups for Authentication, Authorization, Ac-
counting (AAA) 178
H
health checking status of Wireless APs 274
heartbeat messages, in VN Manager feature
221
HiPath Wireless Manager 59, 105, 111, 289
shared secret configuration 289
HiPath Wireless Manager Advanced (HWMA)
128
I
IP address range on a VNS 155
L
LED sequence
in discovery 97
login user name and password 73
Login-LAT-Group 185
for VNS AAA authentication 178
logs
changing log level 274
event logging in Check Point 229
overview of types and levels 291
M
MAC-based authentication 174
Management Information Bases (MIBs) sup-
ported 232
management port
management traffic on data port 82
modify management port settings 75
port-based filtering 88
management traffic
enabling on a VNS 153
mobility
mobility manager and mobility agent 220
overview 65
hwc1000_user_guideix.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 327
Nur für den internen Gebrauch Index
mobility manager
defining a controller for mobility 220
multicast
for a VNS 191
N
network assignment
by AAA 197
by SSID for Captive Portal 151
options for a VNS 138
VLAN 58, 62
network time synchronization 228
next hop route for a VNS 154
non-authenticated filter for Captive Portal
170, 182
O
operating system software upgrade 278
OSPF
configuring 85
linkstate report 88
neighbor report 88
on a VNS 154
overview 64
P
password, for management users 226
port
port exception filters 90
priority override 204
privacy
dynamic WEP on a VNS for AAA 198
encryption methods supported 62
on a VNS for AAA
AAA 197
overview on a VNS 144
setup on a VNS for Captive Portal 193
static WEP for an AAA VNS 197
WPA v1 and WPA v2 on a VNS for AAA
198
product key
system maintenance 278
protocols
for authentication by Captive Portal 166
Q
QoS (Quality of Service) 66, 138, 146, 147,
202, 204, 310, 315
admission control thresholds 146
advanced 208
modes 204
policy 206
R
radio
5 GHz (a) and 2.4 GHz (b/g) 94
channels 114, 120
radio settings
view and modify 114
RADIUS server
deployment with no server 137
filter ID values 185
for authentication 164, 172, 175, 177
for MAC-based authentication 174
priority for redundancy 166
RADIUS accounting 176
RADIUS policy for a VNS 177
required as part of solution 55
VSAs in RADIUS message 162
random delays 98
read/write privileges 226
reboot Wireless AP 130
registration
settings for availability setup 215
reports
AP inventory 263
forwarding table 84, 263
list of displays 255
OSPF linkstate 88, 263
OSPF neighbor 88, 263
restore controller software configuration 286
rogue detection, Mitigator feature 247
routing
configuring OSPF on data port 85
configuring static routes 82
next hop route on a VNS 154
overview 64
routing table
viewing 84
Index Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
328 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guideix.fm
S
scan results, Mitigator feature 247
security of network, overview of methods 62
service class 202
Service Location Protocol (SLP)
for availability 213
for mobility (VN Manager) 220
in discovery 95
required as part of solution 55
traffic allowed on data port 82
view slpdump tool report 218
set up for a VNS 237
shut down system 274
Simple Network Management Protocol (SN-
MP)
MIBs supported 232
software
maintenance of Controller software 278
maintenance of Wireless AP software 130
SSID network assignment for Captive Portal
151
static configuration of Wireless AP 120
static routes
configuring 82
viewing forwarding table report 84
syslog event reporting
define parameters 274
T
third-party APs 237
defining a VNS for 153
in Mitigator feature 250
topology of a VNS
Captive Portal 151
traces
overview of log types and levels 291
Type of Service (ToS/DSCP)
on a VNS 202
Quality of Service 66
U
user name and password for login 73
user name and password, changing 226
V
vendor specific attributes (VSA)
in RADIUS message 162
RADIUS server
vendor specific attributes 166, 173
Virtual Network Services 64
Virtual Network Services (VNS)
authentication by AAA (802.1x) 171
authentication by Captive Portal 163
define filtering rules 179
defined 135
for third-party APs 238
global settings 144
multicast 191
network assignment overview 138
privacy for AAA 197
privacy overview 193
set up for VoIP 202
topology for Captive Portal 151
VLAN 316
configuration 121, 122, 149, 154, 204,
209, 211
IDs 211, 212
Voice-over-IP (VoIP)
define multicast groups on a VNS 191
set up a VNS for 202
vulnerable time interval 98
W
Wi-Fi Multimedia (WMM)
on a VNS 202
Quality of Service 66
Wi-Fi Protected Access (WPA)
overview on a VNS 144
PSK mode for Captive Portal 195
WPA v1 and v2 on a VNS for AAA 198
Wired Equivalent Privacy (WEP)
on a VNS for AAA 197
overview on a VNS 144
static for Captive Portal 193
Wireless AP
adding for availability setup 215
adding manually 103
assigning to a VNS 160
hwc1000_user_guideix.fm
A31003-W1040-U103-1-7619, Draft February 2007
HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide 329
Nur für den internen Gebrauch Index
client disassociate 269
default configuration 67, 72, 97, 106, 110,
125, 126, 214, 215, 220
copy to defaults 126
international licensing 95
LED sequence in discovery 97
maintenance and reboot 130
radios 94, 114
sensor 59, 62, 105, 106, 110, 111, 113,
114, 128, 130
sensor management 129
static configuration 120
view statistics 257
Index Nur für den internen Gebrauch
A31003-W1040-U103-1-7619, Draft February 2007
330 HiPath Wireless Controller, Access Points and Convergence Software V4, C2400 User Guide
hwc1000_user_guideix.fm
© 2006 • Siemens Enterprise Communications GmbH & Co. KG
Hofmannstraße 51 • D-81359 München, Germany
Reference No.: A31003-W1040-U103-1-7619
Printed in Germany.
Subject to availability. Right of modification reserved.
Our strengths - Your advantages
Siemens is known worldwide as a trailblazer
in the advancement of information and
communication technologies. No other
company offers such a comprehensive and
innovative product portfolio.
With the one-of-a-kind Siemens conver-
gence architecture, HiPath, guide your cus-
tomers to a secure and flexible migration
into the world of innovative IP convergence
solutions.
www.siemens.com/hipath

Navigation menu