HP MSM7xx Controllers Management And Configuration Guide V5.5.0 Emr Na C02704528 2
User Manual: MSM7XX
Open the PDF directly: View PDF .
Page Count: 658
Download | |
Open PDF In Browser | View PDF |
HP MSM7xx Controllers Management and Configuration Guide 5400zl Switches HP MSM7xx Controllers Installation and Getting Started Guide Management and Configuration Guide HP MSM7xx Controllers Management and Configuration Guide Copyright and Disclaimer Notices © Copyright 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. This guide contains proprietary information, which is protected by copyright. No part of this guide may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. Publication Number 5998-1136 January 2011 Applicable Products See Products covered on page 1-2. Trademark Credits Windows NT®, Windows®, and MS Windows® are US registered trademarks of Microsoft Corporation. Disclaimer HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Hewlett-Packard assumes no responsibility for the use or reliability of its software on equipment that is not furnished by Hewlett-Packard. Warranty See the warranty information included with the product. A copy of the specific warranty terms applicable to your Hewlett-Packard products and replacement parts can be obtained from your HP Sales and Service Office or authorized dealer. Open Source Software Acknowledgement Statement This software incorporates open source components that are governed by the GNU General Public License (GPL), version 2. In accordance with this license, HP will make available a complete, machine-readable copy of the source code components covered by the GNU GPL upon receipt of a written request. Send a request to: Hewlett-Packard Company, L.P. GNU GPL Source Code Attn: ProCurve Networking Support Roseville, CA 95747 USA Safety and regulatory information Before installing and operating this product, please read • Safety information on page 1-12. • Appendix A: Safety and EMC regulatory statements Hewlett-Packard Company 8000 Foothills Boulevard Roseville, California 95747 www.hp.com/networking/ Contents Contents 1 Introduction About this guide ...........................................................................................................1-2 Products covered...................................................................................................1-2 Important terms .....................................................................................................1-3 Conventions ...........................................................................................................1-4 New in this release ......................................................................................................1-6 Introducing the MSM7xx Controllers ........................................................................1-7 Simplified configuration, deployment, and operation ......................................1-7 Controller teaming ................................................................................................1-8 Seamless mobility..................................................................................................1-9 Best-in-class public/guest network access service .........................................1-11 Safety information......................................................................................................1-12 HP support ..................................................................................................................1-13 Getting started ............................................................................................................1-13 Online documentation ...............................................................................................1-13 2 Management Management tool..........................................................................................................2-2 Management scenarios .........................................................................................2-2 Management station ..............................................................................................2-2 Starting the management tool..............................................................................2-2 Customizing management tool settings..............................................................2-3 Password security policies...................................................................................2-7 Management tool security features .....................................................................2-8 Web server ..............................................................................................................2-8 Auto-refresh ...........................................................................................................2-9 Device discovery ..........................................................................................................2-9 Mobility controller discovery.............................................................................2-10 Controlled AP discovery.....................................................................................2-11 iii Contents SNMP ...........................................................................................................................2-13 Configuring the SNMP agent..............................................................................2-13 SOAP ............................................................................................................................2-16 Configuring the SOAP server .............................................................................2-16 CLI ................................................................................................................................2-17 Configuring CLI support .....................................................................................2-18 System time.................................................................................................................2-19 3 Network configuration Port configuration ........................................................................................................3-3 LAN port configuration.........................................................................................3-4 Internet port configuration...................................................................................3-5 PPPoE client ..........................................................................................................3-6 DHCP client............................................................................................................3-8 Static addressing....................................................................................................3-9 Network profiles ........................................................................................................3-12 About the default network profiles ...................................................................3-12 To define a network profile ................................................................................3-12 Address allocation......................................................................................................3-13 DHCP server.........................................................................................................3-14 DHCP relay agent ................................................................................................3-16 VLAN support .............................................................................................................3-19 GRE tunnels ................................................................................................................3-19 Bandwidth control .....................................................................................................3-21 Internet port data rate limits ..............................................................................3-22 Bandwidth levels .................................................................................................3-22 Example................................................................................................................3-23 Discovery protocols ...................................................................................................3-24 LLDP agents .........................................................................................................3-24 CDP .......................................................................................................................3-24 DNS ..............................................................................................................................3-25 DNS servers..........................................................................................................3-26 DNS advanced settings .......................................................................................3-26 iv Contents IP routes ......................................................................................................................3-27 Configuration .......................................................................................................3-28 Network address translation (NAT).........................................................................3-30 NAT security and static mappings.....................................................................3-30 VPN One-to-one NAT...........................................................................................3-33 RIP................................................................................................................................3-33 IP QoS ..........................................................................................................................3-34 Configuration .......................................................................................................3-34 Example................................................................................................................3-35 IGMP proxy .................................................................................................................3-37 4 Wireless configuration Wireless coverage.........................................................................................................4-2 Factors limiting wireless coverage......................................................................4-2 Configuring overlapping wireless cells...............................................................4-3 Supporting 802.11n and legacy wireless clients ................................................4-7 Radio configuration .....................................................................................................4-8 Radio configuration parameters ........................................................................4-18 Advanced wireless settings ................................................................................4-29 Wireless neighborhood ..............................................................................................4-34 Scanning modes ...................................................................................................4-34 Viewing wireless information ...................................................................................4-35 Viewing all wireless clients ................................................................................4-35 Viewing info for a specific wireless client........................................................4-36 Viewing wireless client data rates .....................................................................4-38 Wireless access points ........................................................................................4-39 5 Working with VSCs Key concepts.................................................................................................................5-3 Viewing and editing VSC profiles ........................................................................5-4 The default VSC .....................................................................................................5-4 VSC configuration options ..........................................................................................5-5 About access control and authentication...........................................................5-6 v Contents Summary of VSC configuration options .............................................................5-8 Access control........................................................................................................5-9 Virtual AP..............................................................................................................5-10 VSC ingress mapping...........................................................................................5-16 VSC egress mapping ............................................................................................5-17 Bandwidth control...............................................................................................5-17 Default user data rates........................................................................................5-18 Wireless mobility .................................................................................................5-18 Fast wireless roaming .........................................................................................5-20 Wireless security filters.......................................................................................5-20 Wireless protection..............................................................................................5-23 802.1X authentication .........................................................................................5-26 RADIUS authentication realms..........................................................................5-26 HTML-based user logins .....................................................................................5-27 VPN-based authentication ..................................................................................5-28 MAC-based authentication .................................................................................5-28 Location-aware ....................................................................................................5-29 Wireless MAC filter..............................................................................................5-29 Wireless IP filter...................................................................................................5-30 DHCP server.........................................................................................................5-30 DHCP relay agent ................................................................................................5-31 VSC data flow .............................................................................................................5-32 Access control enabled.......................................................................................5-32 Access control disabled......................................................................................5-34 Using multiple VSCs...................................................................................................5-36 About the default VSC ...............................................................................................5-36 Quality of service (QoS) ............................................................................................5-37 Priority mechanisms ...........................................................................................5-38 IP QoS profiles .....................................................................................................5-40 Upstream DiffServ tagging .................................................................................5-41 Upstream/downstream traffic marking ............................................................5-41 QoS example ........................................................................................................5-43 vi Contents Creating a new VSC....................................................................................................5-44 Assigning a VSC to a group .......................................................................................5-44 6 Working with controlled APs Key concepts.................................................................................................................6-3 Key controlled-mode events .......................................................................................6-4 Discovery of controllers by controlled APs..............................................................6-6 Discovery overview ...............................................................................................6-6 Discovery methods................................................................................................6-7 Discovery order .....................................................................................................6-9 Discovery recommendations .............................................................................6-10 Discovery priority................................................................................................6-11 Discovery considerations ...................................................................................6-13 Monitoring the discovery process .....................................................................6-13 Authentication of controlled APs.............................................................................6-19 Building the AP authentication list ...................................................................6-20 Configuring APs..........................................................................................................6-22 Overview...............................................................................................................6-22 Inheritance ...........................................................................................................6-23 Configuration strategy ........................................................................................6-24 Working with groups ...........................................................................................6-25 Working with APs ................................................................................................6-26 Assigning egress VLANs to a group...................................................................6-30 Assigning country settings to a group...............................................................6-30 Provisioning APs ........................................................................................................6-31 Provisioning methods .........................................................................................6-32 Displaying the provisioning pages.....................................................................6-33 Provisioning connectivity...................................................................................6-34 Provisioning discovery........................................................................................6-37 Provisioning summary ........................................................................................6-38 Provisioning example..........................................................................................6-39 vii Contents AeroScout RTLS .........................................................................................................6-40 Software retrieval/update..........................................................................................6-42 Monitoring...................................................................................................................6-42 7 Working with VLANs Key concepts.................................................................................................................7-2 VLAN usage ............................................................................................................7-2 Defining a VLAN ...........................................................................................................7-3 Creating a network profile ...................................................................................7-3 Defining a VLAN ....................................................................................................7-4 Defining a VLAN on a controller port .................................................................7-4 User-assigned VLANs ...................................................................................................7-6 Traffic flow for wireless users ....................................................................................7-6 Traffic flow examples ................................................................................................7-10 Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN .....................................................................................................................7-10 Example 2: Overriding the egress network in a VSC binding with a userassigned VLAN .....................................................................................................7-12 8 Controller teaming Key concepts.................................................................................................................8-2 Centralized configuration management .............................................................8-2 Centralized monitoring and operation................................................................8-2 Redundancy and failover support .......................................................................8-3 Scalability ...............................................................................................................8-3 Deployment considerations .................................................................................8-3 Limitations..............................................................................................................8-5 Creating a team.............................................................................................................8-5 Configuration example .........................................................................................8-6 Controller discovery ..................................................................................................8-10 Monitoring the discovery process .....................................................................8-11 Viewing all discovered controllers ....................................................................8-14 viii Contents Viewing all team members ........................................................................................8-16 Team configuration ....................................................................................................8-17 Accessing the team manager..............................................................................8-18 Team configuration options ...............................................................................8-18 Removing a controller from a team ..................................................................8-19 Editing team member settings ...........................................................................8-20 Discovery of a controller team by controlled APs .................................................8-22 Failover........................................................................................................................8-22 Supporting N + N redundancy ...........................................................................8-22 Primary team manager failure ...........................................................................8-24 Mobility support .........................................................................................................8-26 Single controller team operating alone.............................................................8-27 Single controller team operating with non-teamed controllers.....................8-28 Multiple teamed and non-teamed controllers..................................................8-29 9 Mobility traffic manager Key concepts.................................................................................................................9-4 The mobility domain .............................................................................................9-6 Home networks......................................................................................................9-7 Local networks ......................................................................................................9-8 Configuring Mobility Traffic Manager .......................................................................9-9 Defining the mobility domain ..............................................................................9-9 Defining network profiles...................................................................................9-10 Assigning a home network to a user .................................................................9-11 Defining local networks on a controller ...........................................................9-12 Assigning local networks to an AP....................................................................9-13 Configuring the mobility settings for a VSC.....................................................9-14 Binding a VSC to an AP.......................................................................................9-15 Monitoring the mobility domain...............................................................................9-16 Controllers............................................................................................................9-16 Networks in the mobility domain......................................................................9-17 Mobility clients ....................................................................................................9-17 Forwarding table .................................................................................................9-18 Mobility client event log .....................................................................................9-19 ix Contents Scenario 1: Centralizing traffic on a controller ......................................................9-21 How it works ........................................................................................................9-21 Configuration overview ......................................................................................9-21 Scenario 2: Centralized traffic on a controller with VLAN egress .......................9-24 How it works ........................................................................................................9-24 Configuration overview ......................................................................................9-24 Scenario 3: Centralized traffic on a controller with per-user traffic routing ......9-28 How it works ........................................................................................................9-28 Configuration overview ......................................................................................9-28 Scenario 4: Assigning home networks on a per-user basis ..............................................................................................................9-38 How it works ........................................................................................................9-38 Configuration overview ......................................................................................9-39 Scenario 5: Traffic routing using VLANs .................................................................9-44 How it works ........................................................................................................9-44 Configuration overview ......................................................................................9-45 Scenario 6: Distributing traffic using VLAN ranges ...............................................9-52 How it works ........................................................................................................9-52 Configuration overview ......................................................................................9-53 Subnet-based mobility ...............................................................................................9-60 10 User authentication, accounts, and addressing Introduction ................................................................................................................10-3 Authentication support.......................................................................................10-3 Other access control methods ...........................................................................10-5 Using more than one authentication type at the same time ..........................10-6 User authentication limits ..................................................................................10-7 802.1X authentication ................................................................................................10-8 Supported 802.1X protocols ...............................................................................10-9 Configuring 802.1X support on a VSC.............................................................10-10 Configuring global 802.1X settings for wired users ......................................10-12 Configuring global 802.1X settings for wireless users ..................................10-13 Configuring 802.1X support on an MSM317 switch port ..............................10-14 MAC-based authentication......................................................................................10-14 Configuring global MAC-based authentication..............................................10-16 x Contents Configuring MAC-based authentication on a VSC.........................................10-17 Configuring MAC-based authentication on an MSM317 switch port ..........10-19 Configuring MAC-based filters on a VSC........................................................10-19 Configuring MAC-based filters on an MSM317 switch port .........................10-20 HTML-based authentication....................................................................................10-22 Configuring HTML-based authentication on a VSC ......................................10-22 VPN-based authentication.......................................................................................10-24 Configuring VPN-based authentication on a VSC..........................................10-24 No authentication.....................................................................................................10-26 Locally-defined user accounts ................................................................................10-26 Features ..............................................................................................................10-26 Defining a user account ....................................................................................10-30 Defining account profiles .................................................................................10-32 Defining subscription plans .............................................................................10-35 Accounting persistence ....................................................................................10-36 User addressing and related features ....................................................................10-36 11 Authentication services Introduction ................................................................................................................11-2 Using the integrated RADIUS server .......................................................................11-2 Server configuration............................................................................................11-3 User account configuration................................................................................11-5 Using a third-party RADIUS server ..........................................................................11-5 Configuring a RADIUS server profile on the controller .................................11-6 Using an Active Directory server ...........................................................................11-10 Active Directory configuration ........................................................................11-11 Configuring an Active Directory group...........................................................11-13 Configuring a VSC to use Active Directory ....................................................11-16 12 Security Firewall........................................................................................................................12-2 Firewall presets ...................................................................................................12-2 Firewall configuration ........................................................................................12-4 xi Contents Customizing the firewall.....................................................................................12-4 Working with certificates ..........................................................................................12-5 Trusted CA certificate store ...............................................................................12-5 Certificate and private key store .......................................................................12-7 Certificate usage ..................................................................................................12-9 About certificate warnings ...............................................................................12-10 IPSec certificates ...............................................................................................12-11 MAC lockout .............................................................................................................12-13 13 Local mesh Key concepts...............................................................................................................13-2 Simultaneous AP and local mesh support........................................................13-2 Using 802.11a/n for local mesh ..........................................................................13-3 Quality of service.................................................................................................13-3 Maximum range (ack timeout) ..........................................................................13-4 Local mesh terminology ............................................................................................13-5 Local mesh operational modes.................................................................................13-6 Node discovery ...........................................................................................................13-6 Operating channel ......................................................................................................13-6 Local mesh profiles ....................................................................................................13-7 Configuration guidelines ....................................................................................13-8 Configuring a local mesh profile .......................................................................13-9 Provisioning local mesh links .................................................................................13-12 Sample local mesh deployments ............................................................................13-15 RF extension ......................................................................................................13-15 Building-to-building connection ......................................................................13-15 Dynamic network ..............................................................................................13-16 14 Public/guest network access Introduction ................................................................................................................14-3 Key concepts...............................................................................................................14-4 Access control......................................................................................................14-4 Access lists ...........................................................................................................14-5 xii Contents The public access interface................................................................................14-5 Location-aware ....................................................................................................14-7 Configuring global access control options .............................................................14-8 User authentication .............................................................................................14-9 Client polling ......................................................................................................14-10 User agent filtering ............................................................................................14-10 Zero configuration .............................................................................................14-11 Location configuration......................................................................................14-12 Display advertisements.....................................................................................14-12 Public access interface control flow .....................................................................14-13 Customizing the public access interface...............................................................14-14 Sample public access pages .............................................................................14-15 Common configuration tasks...........................................................................14-15 Setting site configuration options ..........................................................................14-19 Allow subscription plan purchases .................................................................14-20 Display the Free Access option .......................................................................14-20 Support a local Welcome page.........................................................................14-21 Use frames when presenting ads.....................................................................14-22 Allow SSLv2 authentication .............................................................................14-23 Redirect users to the Login page via ...............................................................14-23 Customizing the public access Web pages............................................................14-24 Site file archive ..................................................................................................14-24 FTP server ..........................................................................................................14-24 Current site files ................................................................................................14-25 Configuring the public access Web server ............................................................14-32 Options................................................................................................................14-33 Ports ....................................................................................................................14-33 MIME types ........................................................................................................14-33 Security ...............................................................................................................14-34 Managing payment services ....................................................................................14-35 Payment services configuration ......................................................................14-35 Service settings ..................................................................................................14-35 Billing record logging...............................................................................................14-42 Settings ...............................................................................................................14-42 Persistence .........................................................................................................14-43 External billing records server profiles ..........................................................14-44 xiii Contents Billing records log .............................................................................................14-47 Location-aware authentication...............................................................................14-48 How it works ......................................................................................................14-48 Example..............................................................................................................14-50 Security ...............................................................................................................14-50 15 Working with RADIUS attributes Introduction ................................................................................................................15-3 Controller attributes overview .................................................................................15-4 Customizing the public access interface using the site attribute ..................15-4 Defining and retrieving site attributes ..............................................................15-5 Controller attribute definitions..........................................................................15-8 User attributes ..........................................................................................................15-13 Customizing user accounts with the user attribute ......................................15-13 Defining and retrieving user attributes...........................................................15-14 User attribute definitions .................................................................................15-20 Administrator attributes..........................................................................................15-31 Colubris AV-Pair - Site attribute values .................................................................15-33 Access list ...........................................................................................................15-34 Configuration file...............................................................................................15-44 Custom SSL certificate .....................................................................................15-44 Custom public access interface Web pages ...................................................15-45 Default user interim accounting update interval...........................................15-51 Default user bandwidth level ...........................................................................15-51 Default user idle timeout ..................................................................................15-52 Default user quotas ...........................................................................................15-52 Default user data rates......................................................................................15-53 Default user one-to-one NAT............................................................................15-53 Default user session timeout............................................................................15-54 Default user public IP address.........................................................................15-54 Default user SMTP server.................................................................................15-54 Default user URLs .............................................................................................15-55 HTTP proxy upstream.......................................................................................15-55 IPass login URL..................................................................................................15-56 Global MAC-based authentication...................................................................15-56 Multiple login servers........................................................................................15-57 xiv Contents Redirect URL......................................................................................................15-59 NOC authentication...........................................................................................15-62 HP WISPr support .............................................................................................15-62 Traffic forwarding (dnat-server)......................................................................15-63 Multiple DNAT servers......................................................................................15-64 Colubris AV-Pair - User attribute values................................................................15-67 Access list ...........................................................................................................15-67 Advertising .........................................................................................................15-68 Bandwidth level .................................................................................................15-68 Data rate .............................................................................................................15-69 One-to-one NAT .................................................................................................15-69 Public IP address ...............................................................................................15-70 Quotas .................................................................................................................15-70 Redirect URL......................................................................................................15-71 SMTP redirection...............................................................................................15-71 Station polling ....................................................................................................15-72 Custom public access interface Web pages ...................................................15-72 Colubris AV-Pair - Administrator attribute values................................................15-74 Administrative role............................................................................................15-74 Public access interface ASP functions and variables ..........................................15-75 Javascript syntax ...............................................................................................15-75 Forms ..................................................................................................................15-76 Form errors ........................................................................................................15-78 RADIUS...............................................................................................................15-79 Page URLs ..........................................................................................................15-81 Session status and properties ..........................................................................15-82 iPass support......................................................................................................15-85 Web......................................................................................................................15-87 Client information .............................................................................................15-87 Subscription plan information .........................................................................15-90 Other ...................................................................................................................15-91 Session information ..........................................................................................15-93 xv Contents 16 Working with VPNs Overview .....................................................................................................................16-2 Securing wireless client sessions with VPNs..........................................................16-3 Configure an IPSec profile for wireless client VPN ........................................16-4 Configure L2TP server for wireless client VPN ...............................................16-5 Configure PPTP server for wireless client VPN ..............................................16-5 VPN address pool ................................................................................................16-5 Securing controller communications to remote VPN servers ..............................16-6 Configure an IPSec policy for a remote VPN server .......................................16-7 Configure PPTP client for a remote VPN server .............................................16-8 Keeping user traffic out of the VPN tunnel ....................................................16-10 Additional IPSec configuration ..............................................................................16-11 IPSec VLAN mapping ........................................................................................16-11 Local group list ..................................................................................................16-11 IPSec security policy database ........................................................................16-11 17 LLDP Overview .....................................................................................................................17-2 LLDP-MED............................................................................................................17-2 Local mesh............................................................................................................17-3 SNMP support ......................................................................................................17-3 Configuring LLDP on the controller ........................................................................17-4 TLV settings ..........................................................................................................17-6 Configuring LLDP on an AP......................................................................................17-8 LLDP agent ...........................................................................................................17-8 Media endpoint discovery (MED) features ......................................................17-9 LLDP settings .....................................................................................................17-10 Application type profiles ..................................................................................17-11 18 sFlow Overview .....................................................................................................................18-2 sFlow proxy..........................................................................................................18-2 MIB support..........................................................................................................18-3 xvi Contents Configuring and activating sFlow ............................................................................18-3 Advanced sFlow configuration..........................................................................18-5 19 Working with autonomous APs Key concepts...............................................................................................................19-2 Autonomous AP detection .................................................................................19-3 Viewing autonomous AP information ...............................................................19-3 Switching a controlled AP to autonomous mode............................................19-4 Configuring autonomous APs...................................................................................19-5 VSC definitions ....................................................................................................19-5 Working with third-party autonomous APs ............................................................19-6 VSC selection .......................................................................................................19-6 20 Maintenance Config file management.............................................................................................20-2 Manual configuration file management ............................................................20-2 Scheduled operations..........................................................................................20-3 Software updates........................................................................................................20-4 Performing an immediate software update......................................................20-5 Performing a scheduled software update.........................................................20-5 Licenses .......................................................................................................................20-6 Factory reset considerations .............................................................................20-7 Generating and installing a feature license ......................................................20-7 xvii Contents A Safety and EMC regulatory statements Safety Information ...................................................................................................... A-2 Informations concernant la sécurité......................................................................... A-2 Hinweise zur Sicherheit.............................................................................................. A-3 Considerazioni sulla sicurezza .................................................................................. A-4 Consideraciones sobre seguridad ............................................................................. A-5 Safety Information (Japan) ........................................................................................ A-6 Safety Information (China) ........................................................................................ A-7 EMC Regulatory Statements...................................................................................... A-8 U.S.A....................................................................................................................... A-8 Japan ...................................................................................................................... A-8 Recycle Statements................................................................................................... A-10 Waste Electrical and Electronic Equipment (WEEE) Statements ............... A-10 B Console ports Overview ...................................................................................................................... B-2 MSM710 Console port .......................................................................................... B-2 MSM730 Console port .......................................................................................... B-2 MSM750 Console port .......................................................................................... B-3 Using the console port................................................................................................ B-3 C Resetting to factory defaults How it works................................................................................................................ C-2 Using the Reset button......................................................................................... C-2 Using the management tool................................................................................. C-2 Using the Console (serial) port........................................................................... C-3 xviii Contents D NOC authentication Main benefits ............................................................................................................... D-2 How it works................................................................................................................ D-2 Activating a remote login page with NOC authentication ..................................... D-4 Addressing security concerns.................................................................................... D-5 Securing the remote login page .......................................................................... D-5 Authenticating with the login application ......................................................... D-6 Authenticating the controller.............................................................................. D-6 NOC authentication list ....................................................................................... D-6 Setting up the certificates .......................................................................................... D-6 Install certificates on the Web server................................................................. D-7 Define attributes ................................................................................................... D-7 Install a certificate on controller ........................................................................ D-7 Authenticating users ................................................................................................... D-8 Returned values .................................................................................................... D-9 Examples of returned HTML code ................................................................... D-11 Simple NOC authentication example ..................................................................... D-12 Forcing user logouts ................................................................................................. D-13 E DHCP servers and Colubris vendor classes Overview ...................................................................................................................... E-2 Windows Server 2003 configuration ......................................................................... E-2 ISC DHCP server configuration.......................................................................... E-7 xix Contents xx Chapter 1: Introduction 1 Introduction Contents About this guide ...........................................................................................................1-2 Products covered...................................................................................................1-2 Important terms .....................................................................................................1-3 Conventions ...........................................................................................................1-4 New in this release .......................................................................................................1-6 Introducing the MSM7xx Controllers ........................................................................1-7 Simplified configuration, deployment, and operation ......................................1-7 Controller teaming ................................................................................................1-8 Seamless mobility..................................................................................................1-9 Best-in-class public/guest network access service .........................................1-11 Safety information......................................................................................................1-12 HP support ..................................................................................................................1-13 Getting started ............................................................................................................1-13 Online documentation ...............................................................................................1-13 Introduction About this guide About this guide This guide explains how to configure, and operate the MSM7xx Controllers. It also provides controlled-mode information for MSM3xx and MSM4xx Access Points, and the MSM317 Access Device. For information on the operation of access points that support autonomous mode, see the MSM3xx/MSM4xx Access Points Management and Configuration Guide. Products covered This guide applies to the following MSM7xx Controller products: Model Part MSM710 (E-MSM710) Access Controller J9328A MSM710 (E-MSM710) Mobility Controller J9325A MSM730 (E-MSM730) Access Controller J9329A MSM730 (E-MSM730) Mobility Controller J9326A MSM750 (E-MSM750) Access Controller J9330A MSM750 (E-MSM750) Mobility Controller J9327A MSM760 (E-MSM760) Access Controller J9421A MSM760 (E-MSM760) Mobility Controller J9420A MSM765zl (E-MSM765zl) Mobility Controller J9370A The product models in the above table include alternative product names in parenthesis. For example, the MSM710 is also known as the E-MSM710. Both names refer to the same product. The original product names (without “E-”) are used throughout this document. This guide provides controlled-mode information for the following MSM3xx and MSM4xx Access Points (“WW” identifies worldwide versions for the rest of the world): Model WW Americas Japan Israel E-MSM430 J9651A J9650A J9652A J9653A E-MSM460 J9591A J9590A J9589A J9618A E-MSM466 J9622A J9621A J9620A WW USA Japan MSM310 (E-MSM310) J9379A/B J9374A/B J9524A/B MSM310-R (E-MSM310-R) J9383A/B J9380A/B MSM320 (E-MSM320) J9364A/B J9360A/B Model 1-2 J9527A/B Introduction About this guide Model WW USA Japan MSM320-R (E-MSM320-R) J9368A/B J9365A/B J9528A/B MSM325 (E-MSM325) J9373A/B J9369A/B MSM335 (E-MSM335) J9357A/B J9356A/B MSM410 (E-MSM410) J9427A/B J9426A/B J9529A/B MSM422 (E-MSM422) J9359A/B J9358A/B J9530A/B MSM317 Access Device J9423A J9422A The product models in the table immediately above include alternative product names in parenthesis. For example, the MSM422 is also known as the E-MSM422. Both names refer to the same product. Except for E-MSM430, E-MSM460, and E-MSM466, the original MSM product names (without “E-”) are used throughout this document. Important terms The following terms are used in this guide. Term Description AP Refers to any HP MSM3xx or MSM4xx Access Point or the MSM317 Access Device which is an AP with integrated Ethernet switch. Specific model references are used where appropriate. Non-HP access points are identified as third-party APs. These APs do not support controlled-mode operation. controller Refers to any HP MSM7xx Controller, including both Access Controller and Mobility Controller variants. Controller teams Most of the concepts discussed in this guide apply equally to both teamed and non-teamed controllers. Any reference to the term controller, also implies controller team unless indicated otherwise. 1-3 Introduction About this guide Conventions Management tool This guide uses specific syntax when directing you to interact with the management tool user interface. Key user-interface elements are identified as follows: Main menu Sub-menu Network Tree Example directions in this guide What to do in the user interface Select Controller >> Security > Firewall. On a non-teamed MSM7xx controller In the Network Tree select the Controller element, then on the main menu select Security, and then select Firewall on the sub-menu. All elements to the left of the double angle brackets >> are found in the Network Tree. On an MSM7xx controller team In the Network Tree on the team manager, select the Team [team-name] element, then on the main menu select Security, and then select Firewall on the sub-menu. All elements to the left of the double angle brackets >> are found in the Network Tree. Select Controller > VSCs > [VSC-name] >> Configuration. On a non-teamed MSM7xx controller Expand the Controller branch (click its + symbol), expand the VSCs branch, select a [VSC-name], then select Configuration on the main menu. On an MSM7xx controller team In the Network Tree on the team manager, expand the Team: [team-name] branch (click its + symbol), expand the VSCs branch, select a [VSC-name], then select Configuration on the main menu. For Password specify secret22. 1-4 In the Password field enter the text secret22 exactly as shown. Introduction About this guide Commands and program listings Monospaced text identifies commands and program listings as follows: Example Description use-access-list Command name. Specify it as shown. ip_address Items in italics are parameters for which you must supply a value. ssl-certificate=URL [%s] Items enclosed in square brackets are optional. You can either include them or not. Do not include the brackets. In this example you can either include the “%s” or omit it. [ONE | TWO] Items separated by a vertical line indicate a choice. Specify only one of the items. Do not include the vertical line. Warnings and cautions Do not proceed beyond a WARNING or CAUTION notice until you fully understand the hazardous conditions and have taken appropriate steps. Warning Identifies a hazard that can cause physical injury or death. Caution Identifies a hazard that can cause the loss of data or configuration information, create a noncompliant condition, or hardware damage. 1-5 Introduction New in this release New in this release The following new features and enhancements have been added in releases 5.5.x: New feature or enhancement For information see... New APs This release supports the following new 802.11n dual-radio access points: E-MSM430, E-MSM460, and E-MSM466. For information, see the Quickstarts for these products. Band steering Band steering on page 5-11 Broadcast filtering Broadcast filtering on page 5-11 Transmission protection Tx protection on page 4-30 Beamforming Tx beamforming on page 4-29 Country configuration per group Assigning country settings to a group on page 6-30 Moving multiple APs between groups Moving multiple APs between groups on page 6-29 Identify RADIUS server by host name Primary/Secondary RADIUS server on page 11-9 User agent filtering User agent filtering on page 14-10 HTTPS proxy support Support applications that use on page 14-11 Improved mobility status pages Monitoring the mobility domain on page 9-16 Manager login credentials reset Manager username/password reset on page 2-6 PayPal support PayPal service on page 14-37 LEAP support Supported 802.1X protocols on page 10-9 MSM317 switch port enhancements See the MSM317 Installation and Getting Started Guide. Inheritance on a per port basis Port isolation Loop protection Network Policy TLV support Enhanced VLAN support 1-6 Introduction Introducing the MSM7xx Controllers Introducing the MSM7xx Controllers MSM7xx Controllers provide centralized management and control of intelligent HP MSM APs for a wide range of deployments, from small Internet cafes and businesses, to large corporations and institutions, and even entire towns. MSM controllers let you take advantage of both distributed and centralized approaches to deploying a wireless networking solution, letting you design a wireless infrastructure that perfectly meets the needs of your users. Simplified configuration, deployment, and operation For trouble-free deployment in geographically distributed networks, HP MSM controllers automate discovery, authentication and configuration for all installed APs. Using standard dynamic look-up procedures, APs identify the controller to which they are assigned. Authentication using digital certificates assures security and eliminates the risk of rogue AP connectivity. Once authenticated, the controller establishes a secure management tunnel for the exchange of configuration and control information with the AP. The controller provides centralized management for all APs. It eliminates time-consuming AP configuration, troubleshooting and maintenance tasks by providing a single management interface for the entire group of APs it manages. The controller automates installation of AP software updates and ensures a consistent set of services are delivered throughout the network. All security, quality of service (QoS), and other policies can be centrally defined through the controller's intuitive and secure Web-based management tool. Controller managing APs installed in different physical locations Network Operating Center Controller Secure management tunnels Site #1 Site #2 AP WLA N Site #3 AP WLA N AP WLA N 1-7 Introduction Introducing the MSM7xx Controllers Controller managing APs installed in different areas at a single location Controller Backbone Network Area #1 Secure management tunnels Area #2 Area #3 AP AP PU PU BLIC WL A N BLIC WL A N AP PU BLIC WL A N Controller teaming Controller teaming enables you to easily configure and monitor multiple controllers and their APs. Up to five controllers can be combined into a team providing support for up to 800 APs (four controllers x 200 APs per controller plus one additional controller for backup/ redundancy). For example: Controller team 5 Team manager sends configuration settings to all team members. 4 In this example, all controllers are connected to the network via their LAN ports. The Internet port can also be used. 3 Team members then update the APs that they are managing. 2 Team manager Controlled APs deployed across a layer 3 network 1 Router Key benefits of controller teaming include: 1-8 Scalability: Controller teaming enables you to scale up your wireless network as your needs increase. Simply add additional APs, controllers, and licenses to meet the required demand. Up to 800 APs are supported per controller team (four controllers x 200 APs per controller plus one additional controller reserved for backup/redundancy). Redundancy and failover support: A controller team provides for service redundancy in case of failure. If one of the controllers in a team becomes inoperative (due to network problems, hardware failure, etc.), its APs will automatically migrate to another controller in the team allowing for continuation of services. Centralized management and control: Configuration and monitoring of all team members and their APs is performed using the management tool on the team manager. The team manager is responsible for handling the addition and deletion of controlled Introduction Introducing the MSM7xx Controllers APs, including newly discovered APs. It also displays status information for all team members and their APs, as well as APs directly connected to the manager. The team manager is responsible for enforcing and updating the firmware of team members. An update to the team manager firmware triggers an update of all members and their controlled APs, ensuring that the entire network is running the same firmware. The synchronization of firmware between controllers and APs alleviates any potential issue regarding software compatibility between deployed devices. Seamless mobility The Mobility traffic manager (MTM) feature provides for seamless roaming of wireless users, while at the same time giving you complete control over how wireless user traffic is distributed onto the wired networking infrastructure. MTM enables you to implement a wireless networking solution using both centralized and distributed strategies. Some of the deployment strategies that you can use with MTM include: Centralized wireless traffic: All traffic from wireless users is tunneled back to a central controller where it is egressed onto the wired infrastructure. Wireless users can be connected to any AP within the layer 3 network serviced by MTM. The following diagram shows a deployment where all wireless traffic is egressed onto a specific network segment (192.168.30.0). LAN port 192.168.1.1 Internet port 192.168.30.1 User A User B Network 1 Network 2 Network 3 192.168.10.0 192.168.20.0 192.168.30.0 1 WLA N User A 2 WLA N User B MTM can also be used to send traffic to different networks or VLANs based on criteria such as username, network location, VSC, or AP group. Traffic distribution using home networks: A home network can be assigned to each wireless user (via RADIUS, local user accounts, or through a VSC egress). MTM can then be used to tunnel the user’s traffic to their home network, regardless of the AP to which a user connects within the mobility domain. 1-9 Introduction Introducing the MSM7xx Controllers The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the home network assigned to each user in their account profile. LAN port 192.168.1.1 Internet port 192.168.40.1 User B User A Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 192.168.40.0 2 1 WLA N WLA N User A User B Home network = Network 4 Home network = Network 3 If a user roams between APs, MTM adjusts the tunnel to maintain the user’s connection to their home network. If User A roams from AP 1 to AP2, the tunnel is rerouted to ensure that the user stays connected to their home network. LAN port 192.168.1.1 Internet port 192.168.40.1 User A Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 192.168.40.0 2 1 WLA N WLA N Roams User A Home network = Network 4 1-10 User A Introduction Introducing the MSM7xx Controllers Best-in-class public/guest network access service Designed to deliver the best possible user experience, the public/guest network access feature adapts to any client device IP address and Web proxy settings, enabling users to connect without reconfiguring their computers. The public access interface Web pages are fully customizable enabling service providers to create a centrally-managed hotspot network with customized look-and-feel. Controller Public network r Use log s in Access controlled VSC Protected network Ac ce ss to ne tw ork is gra nte d Corporate network AP Router 1-11 Introduction Safety information Safety information Warning Professional Installation Required Prior to installing or using a controller, consult with a professional installer trained in RF installation and knowledgeable in local regulations including building and wiring codes, safety, channel, power, indoor/outdoor restrictions, and license requirements for the intended country. It is the responsibility of the end user to ensure that installation and use comply with local safety and radio regulations. Cabling: You must use the appropriate cables, and where applicable, surge protection, for your given region. For compliance with EN55022 Class-B emissions requirements use shielded Ethernet cables. Country of use: In some regions, you are prompted to select the country of use during setup. Once the country has been set, the controller will automatically limit the available wireless channels, ensuring compliant operation in the selected country. Entering the incorrect country may result in illegal operation and may cause harmful interference to other systems. Safety: Take note of the following safety information during installation: If your network covers an area served by more than one power distribution system, be sure all safety grounds are securely interconnected. Network cables may occasionally be subject to hazardous transient voltages (caused by lightning or disturbances in the electrical power grid). Handle exposed metal components of the network with caution. The MSM7xx Controller and all directly-connected equipment must be installed indoors within the same building (except for outdoor models / antennas), including all PoEpowered network connections as described by Environment A of the IEEE 802.3af standard. Servicing There are no user-serviceable parts inside HP MSM7xx products. Any servicing, adjustment, maintenance, or repair must be performed only by trained service personnel. 1-12 Introduction HP support HP support For support information, visit www.hp.com/networking/support and for Product Brand, select ProCurve. Additionally, your HP-authorized networking products reseller can provide you with assistance. Before contacting support To make the support process most efficient, before calling your networking dealer or HP Support, you first should collect the following information: Collect this information Where to find it Product identification. On the rear of the product. Software version. The product management tool Login page. Network topology map, including the addresses assigned to all relevant devices. Your network administrator. Getting started Get started by following the directions in the relevant guide as follows: Product Guide to use MSM710, MSM730, MSM750 The provided Quickstart. MSM760, MSM765zl The provided Installation and Getting Started Guide. Then continue with the next chapter of this guide. Online documentation For the latest documentation, visit www.hp.com/networking/support and for Product Brand, select ProCurve. Note The MSM317 Access Device consists of both a controlled-mode-only access point and an integrated Ethernet switch. Where appropriate, this guide makes reference to the MSM317 Installation and Getting Started Guide which must be used in conjunction with this guide when working with the MSM317. 1-13 Introduction Online documentation 1-14 Chapter 2: Management 2 Management Contents Management tool..........................................................................................................2-2 Management scenarios .........................................................................................2-2 Management station ..............................................................................................2-2 Starting the management tool..............................................................................2-2 Customizing management tool settings..............................................................2-3 Password security policies...................................................................................2-7 Management tool security features .....................................................................2-8 Web server ..............................................................................................................2-8 Auto-refresh ...........................................................................................................2-9 Device discovery ..........................................................................................................2-9 Mobility controller discovery.............................................................................2-10 Controlled AP discovery.....................................................................................2-11 SNMP ...........................................................................................................................2-13 Configuring the SNMP agent..............................................................................2-13 SOAP ............................................................................................................................2-16 Configuring the SOAP server .............................................................................2-16 CLI ................................................................................................................................2-17 Configuring CLI support .....................................................................................2-18 System time.................................................................................................................2-19 Management Management tool Management tool The management tool is a Web-based interface to the controller that provides easy access to all configuration and monitoring functions. Management scenarios For complete flexibility, you can manage the controller both locally and remotely. The following management scenarios are supported: Local management using a computer that is connected to the LAN or Internet port on the controller. This may be a direct connection or through a switch. Remote management via the Internet with or without a VPN connection. See Securing controller communications to remote VPN servers on page 16-6 for more information on using the controller integrated VPN clients to create secure remote connections. Management station The management station refers to the computer that a manager or operator uses to connect to the management tool. To act as a management station, a computer must: Note Have at least Microsoft Internet Explorer 7/8 or Firefox 3.x. Be able to establish an IP connection with the controller. Before installation, ensure that TCP/IP is installed and configured on the management station. IP addressing can be either static or DHCP. Starting the management tool To launch the management tool, specify the following in the address bar of your browser: https://Controller_IP_address By default, the address 192.168.1.1 is assigned to the LAN port on the controller. For information on starting the management tool for the first time, see the relevant guide as described in Getting started on page 1-13. About passwords 2-2 The default username and password is admin. New passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( “ ) cannot be used. Passwords must also conform to the selected security policy as described in Password security policies on page 2-7. Management Management tool Customizing management tool settings To customize management tool settings, select Controller >> Management > Management tool. 2-3 Management Management tool Administrative user authentication Login credentials for administrative users can be verified using local account settings and/or an external RADIUS sever. Local account settings: A single manager and operator account can be configured locally under Manager account and Operator account on this page. RADIUS server: Using a RADIUS server enables you to have multiple accounts, each with a unique login name and password. Identify manager accounts using the vendor specific attribute web-administrative-role. Valid values for this attribute are Manager and Operator. For attribute information, see Administrator attributes on page 15-31. To use a RADIUS server, you must define a RADIUS profile on the Controller >> Authentication > RADIUS profiles page. If both options are enabled, the RADIUS server is always checked first. Authenticating administrative credentials using an external RADIUS server Configure RADIUS authentication as follows: 1. Define an account for the administrator on the RADIUS server. See Administrator attributes on page 15-31. 2. On the controller, create a RADIUS profile that will connect the controller to the RADIUS server. See Configuring a RADIUS server profile on the controller on page 11-6. 3. Under Administrator authentication, set Authenticate via to the RADIUS profile you created. In this example, the profile is called Rad1. 4. Test the RADIUS account to make sure it is working before you save your changes. Specify the appropriate username and password and select Test. (As a backup measure you can choose to enable Local. This will allow you to log in using the local account if the connection to the RADIUS server is unavailable.) 2-4 Management Management tool Manager and Operator accounts Two types of administrative accounts are defined: manager and operator. The manager account provides full management tool rights. The operator account provides read-only rights plus the ability to disconnect wireless clients and perform troubleshooting. Only one administrator (manager or operator) can be logged in at any given time. Options are provided to control what happens when an administrator attempts to log in while another administrator (or the same administrator in a different session) in already logged in. In every case, the manager’s rights supersede those of an operator. The following options can be used to prevent the management tool from being locked by an idle manager or operator: Terminates the current manager session: When enabled, an active manager or operator session will be terminated by the login of another manager. This prevents the management tool from being locked by an idle session until the Account inactivity logout timeout expires. Is blocked until the current manager logs out: When enabled, access to the management tool is blocked until an existing manager logs out or is automatically logged out due to an idle session. An operator session is always terminated if a manager logs in. An active operator session cannot block a manager from logging in. Terminates the current operator session: When enabled, an active operator’s session will be terminated by the login of another operator. This prevents the management tool from being locked by an idle session until the Account inactivity logout timeout expires. Operator access to the management tool is blocked if a manager is logged in. An active manager session cannot be terminated by the login of an operator. An operator session is always terminated if a manager logs in. An active operator session cannot block a manager from logging in. Login control: If login to the management tool fails five times in a row (bad username and/or password), login privileges are blocked for five minutes. Once five minutes expires, login privileges are once again enabled. However, if the next login attempt fails, privileges are again suspended for five minutes. This cycle continues until a valid login occurs. You can configure the number of failures and the timeout. Account inactivity logout: By default, if a connection to the management tool remains idle for more than ten minutes, the controller automatically terminates the session. You can configure the timeout. 2-5 Management Management tool Passwords Passwords must be 6 to 16 printable ASCII characters in length with at least 4 different characters. Passwords are case sensitive. Space characters and double quotes ( “ ) cannot be used. Passwords must also conform to the selected security policy as described below. Manager username/password reset Not supported on the MSM-765. The Allow password reset via console port feature provides a secure way to reset the manager login username/password on a controller to factory default values (admin/admin), without having to reset the entire controller configuration to its factory default settings. To make use of this feature you must be able to access the controller through its console (serial) port. See Appendix B: Console ports. Important Caution This feature is automatically enabled after performing a reset to factory default settings. This feature is automatically disabled after performing a software (firmware) upgrade. If you disable this feature and then forget the manager username or password, the only way to gain access the management tool is to reset the controller to its factory default settings. See Appendix C: Resetting to factory defaults. To reset manager credentials on a controller 1. Connect a serial cable from the serial port on your computer to the console port on the controller. (See Appendix B: Console ports for information on building a serial cable to connect to your controller.) 2. Configure VT-100 terminal-emulation software on your computer as follows: VT-100 (ANSI) terminal Baud rate of 9600 8 data bits, 1 stop bit, no parity, and no flow control If on Windows, disable the Use Function, Arrow, and Ctrl Keys for Windows options. For the Hilgrave HyperTerminal program, select the Terminal keys option for the Function, arrow, and ctrl keys act as parameter. 3. Open an appropriately-configured terminal session. 4. Power on the controller and wait for the login prompt to appear. 5. Type emergency and press Enter. 6. Type 1 and press Enter to reset the manager username and password. 2-6 Management Management tool A typical session looks like this: 127.0.0.1 login: emergency -------------------------Emergency Menu -------------------------Device information Serial number: SG9603P004 IP address: 16.90.48.186 Select one of the following options: 1. Reset both the manager username and password to "admin" 0. Exit Selection: 1 Trying to reset manager login credentials.... Manager login credentials were successfully reset to: Username = admin Password = admin Press any key to continue. Password security policies Security policies affect both manager and operator accounts. Select from one of the following options: Follow FIPS 140-2 guidelines: When selected, implements the following requirements from the FIPS 140-2 guidelines: All administrator passwords must be at least six characters long. All administrator passwords must contain at least four different characters. For more information on these guidelines, refer to the Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules. Follow PCI DSS 1.2 guidelines: When selected, implements the following requirements from the PCI DSS 1.2 guidelines: All administrator passwords must be at least seven characters long. All administrator passwords must contain both numeric and alphabetic characters. The settings under Login control must be configured as follows: Lock access after nn login failures must be set to 6 or less. Lock access for nn minutes must be set to 30 minutes or more. 2-7 Management Management tool The settings under Account inactivity logout must be configured as follows: Timeout must be set to 15 minutes or less. For more information on these guidelines, refer to the Payment Card Industry Data Security Standard v1.2 document. Management tool security features The management tool is protected by the following security features: Allowed addresses: You can configure a list of subnets from which access to the management tool is permitted. Active interfaces: You can enable or disable access to the management tool for each of the following: LAN port Internet port VPN VLAN/GRE. These settings also apply when SSH is used to access the command line interface. Note Changing the security settings may cause you to lose your connection to the management tool. Web server You can also configure the Web server ports from which access to the management tool is permitted. Note Changing the secure web server port will cause you to lose your connection to the management tool. To reconnect, you will need to specify the following address: https://Controller_IP_address:web_server_Port_number. 2-8 Secure web server port: Specify a port number for the controller to use to provide secure HTTPS access to the management tool. Default is 443. Before reaching the management tool login page, you must accept a security certificate. The default certificate provided with the controller will trigger a warning message on most browsers because it is self-signed. To remove this warning message, you must replace the default certificate. See About certificate warnings on page 12-10. Web server port: Specify a port number for the controller to use to provide standard HTTP access to the management tool. These connections are met with a warning, and the browser is redirected to the secure Web server port. Default is 80. Management Device discovery Auto-refresh This option controls how often the controller updates the information in group boxes that show the auto-refresh icon in their title bar. Under Interval, specify the number of seconds between refreshes. Auto-refresh icon Device discovery Use this page to define discovery options for: Inter-controller discovery when using the wireless mobility feature (Chapter 9: Mobility traffic manager) Controller discovery by controlled APs (Chapter 6: Working with controlled APs) Select Controller >> Management > Device discovery to open the Discovery configuration page. On a non-teamed controller 2-9 Management Device discovery On a controller team Mobility controller discovery The wireless mobility feature defines a mobility domain, which is an interconnection between multiple controllers for the purpose of exchanging mobility information on wireless users. For more information, see Chapter 9: Mobility traffic manager. For the controllers to interconnect, each must have the Mobility controller discovery option enabled. In addition, one controller must be defined as the primary mobility controller. It acts as the central site for distribution of mobility information. There can only be one primary controller for each mobility domain. On all other controllers set IP address of primary controller to the IP address of the primary controller. Note All controllers in the mobility domain must be running the same software version. This means that the first two numbers in the software revision must be the same. For example: All controllers running 5.4.x, or all controllers running 5.5.x. Discovery automatically takes place on both the LAN port and Internet port. VLANs are not supported. Network requirements The network that interconnects the controllers and APs that make up a mobility domain must not block any of the following ports/protocols: 2-10 UDP port 1194 UDP port 12141 UDP port 3000 UDP port 3001 UDP port 3518 TCP port 5432 Internet protocol number 47 (GRE) Management Device discovery Controller discovery and teaming When teaming is active, several configuration scenarios are possible: Teamed controllers operating in conjunction with one or more non-teamed controllers: Set the team as the primary mobility controller. On the other controllers, set the IP address of primary mobility controller parameter to the team IP address. A single team of controllers: Enable the This is the primary mobility controller option on the team manager. Multiple teamed and non-teamed controllers: Set one team as the primary mobility controller. On the other teams and controllers, set the IP address of primary mobility controller parameter to the team IP address of the primary mobility controller. This is the primary mobility controller Enable this option to designate this controller as the primary mobility controller. The primary controller is responsible for the coordination and discovery of all other controllers in the mobility domain. IP address of primary mobility controller Enter the IP address of the primary mobility controller. Controlled AP discovery Discovery priority of this controller Discovery priority of controller team Sets the priority for this controller or team when discovered by a controlled AP. A value of 1 indicates the highest priority. A value of 16 indicates the lowest priority. If multiple controllers or teams are discovered by a controlled AP, the AP will establish a control channel with the controller or team that has the highest priority setting first. If that controller or team is already managing the maximum number of controlled APs, the AP will choose the controller or team with the next highest priority. Each controller or team must have a different priority setting, otherwise AP discovery will fail with the diagnostic Priority conflict. See Viewing all discovered APs on page 6-14. See Discovery of controllers by controlled APs on page 6-6 for more detailed information on the discovery process. Important note when your network also contains controller teams Non-teamed controllers are always higher priority than controller teams. Therefore, if your network contains both controller teams and non-teamed controllers, APs first attempt to establish a secure management tunnel with discovered non-teamed controllers in order of their discovery priority. Only if all non-teamed controllers are already managing the maximum number of controlled APs will the AP then consider controller teams in the order of their priority. 2-11 Management Device discovery The following table shows how discovery would occur for several teamed and non-teamed controllers. Configured discovery priority setting Actual order of discovery by APs Controller 1 1 1 Controller 2 2 2 Controller 3 3 3 Team 1 1 4 Team 2 2 5 Team 3 3 6 Controller or Team Active interfaces Select the physical interfaces on which the controller or team manager will listen for discovery requests from controlled APs. The control channel to an AP is always established on the interface on which it is discovered. 2-12 Management SNMP SNMP The controller provides a SNMP implementation supporting both industry-standard and custom MIBs. For information on supported MIBs, see the MSM SNMP MIB Reference Guide. Configuring the SNMP agent Select Controller >> Management > SNMP to open the SNMP agent configuration page. By default, the SNMP agent is enabled (SNMP agent configuration in title bar is checked) and is active on the LAN port. If you disable the agent, the controller will not respond to SNMP requests. 2-13 Management SNMP Attributes System name Specify a name to identify the controller. By default, this is set to the serial number of the controller. Location Specify a descriptive name for the location where the controller is installed. Contact Contact information for the controller. Port Specify the UDP port and protocol the controller uses to respond to SNMP requests. Default port is 161. SNMP protocol Select the SNMP versions that the controller will support. Default is Version 1 and Version 2c. Notifications Select the SNMP versions that the AP will support. Default is Version 1 and Version 2c. Notifications When this feature is enabled, the controller sends notifications to the hosts that appear in the Notifications receivers list. The controller supports the following MIB II notifications: coldStart linkUp linkDown authenticationFailure In addition, the controller supports a number of custom notifications. Select Configure Notifications. For a descriptions of these notifications, see the online help. v1/v2 communities Community name Specify the password, also known as the read/write name, that controls read/write access to the SNMP agent. A network management program must supply this name when attempting to set or get SNMP information from the controller. By default, this is set to private. Read-only name This is the password that controls read-only access to the SNMP agent. A network management program must supply this name when attempting to get SNMP information from the controller. By default, this is set to public. 2-14 Management SNMP v3 users This table lists all defined SNMP v3 users. To add a new user, select Add New User. Up to five users are supported. To edit a user, select its link in the Username column. Username The SNMP v3 username. Security Security protocol defined for the user. Authentication type and encryption type are separated by a slash. For example, MD5/DES indicates MD5 authentication and DES encryption. Access level Type of access assigned to the user: Read-only: The user has read and notify access to all MIB objects. Read-write: The user has read, write, and notify access to all MIB objects. Notification receivers This table lists all defined SNMP notification receivers. SNMP notifications are sent to all receivers in this list. To add a new receiver, select Add New Receiver. Up to five receivers are supported. To edit a receiver, select its link in the Host column. Host The domain name or IP address of the SNMP notifications receiver to which the controller will send notifications. UDP port The port on which the controller will send notifications. Version The SNMP version (1, 2c, 3) for which this receiver is configured. Community/Username For SNMP v1 and v2c, the SNMP Community name of the receiver. For SNMP v3, the SNMP v3 Username of the receiver. Security Use these settings to control access to the SNMP interface. Allowed addresses: List of IP address from which access to the SNMP interface is permitted. To add an entry, specify the IP address and appropriate Mask, and then select Add. When the list is empty, access is permitted from any IP address. Active interfaces: Enable the checkboxes that correspond to the interfaces from which to allow access to the SNMP agent. For VLAN, GRE, or Mesh, select from the list. Use Ctrl-click to select multiple objects. 2-15 Management SOAP SOAP The controller provides a SOAP interface that can be used by SOAP-compliant client applications to perform configuration and management tasks. An MSM SOAP/XML SDK zip file is available at www.hp.com/networking/SOAP-XML-SDK. Look for the file corresponding to your MSM software version. Configuring the SOAP server Select Controller >> Management > SOAP to open the SOAP server configuration page. By default, the SOAP server is enabled (SOAP server configuration in title bar is checked). Server settings Secure HTTP (SSL/TLS) Enable this option to configure the SOAP server for SSL/TLS mode. When enabled, the Secure Sockets Layer (SSL) protocol must be used to access the SOAP interface. Using client certificate When enabled, the use of an X.509 client certificate is mandatory for SOAP clients. HTTP authentication When enabled, access to the SOAP interface is available via HTTP with the specified username and password. 2-16 Management CLI TCP port Specify the number of the TCP port that SOAP uses to communicate with remote applications. Default is 448. Security Use these settings to control access to the SOAP interface. Allowed addresses: List of IP address from which access to the SOAP interface is permitted. To add an entry, specify the IP address and appropriate Mask, and then select Add. When the list is empty, access is permitted from any IP address. Active interfaces: Enable the checkboxes that correspond to the interfaces from which to allow access to the SOAP interface. Security considerations The SOAP server is configured for SSL/TLS mode, and the use of an X.509 client certificate is mandatory for SOAP clients. The SOAP server is configured to trust all client certificates signed by the default SOAP CA installed on the controller. Users should generate and install their own SOAP CA private key/public key certificate to protect their devices from unauthorized access. This is important because the default SOAP CA and a valid client certificate are provided as an example to all customers. (See Working with certificates on page 12-5.) CLI The controller provides a command line interface that can be used to perform configuration and management tasks via the serial port or an IP connection on any of the controller interfaces, including the LAN port, Internet port, or VPN/GRE tunnel. For information on using the CLI, see the CLI Reference Guide. A maximum of three concurrent CLI sessions are supported regardless of the connection type. 2-17 Management CLI Configuring CLI support Select Controller >> Management > CLI to open the Command Line Interface (CLI) configuration page. Secure shell access Enable this option to allow access to the CLI via an SSH session. The CLI supports SSH on the standard TCP port (22). SSH connections to the CLI can be made on any active interface. Support for each interface must be explicitly enabled under Security. Lockout After 10 unsuccessful login attempts via SSH, login to the CLI is locked for 5 minutes. After the lockout expires, each subsequent unsuccessful login attempt re-activates the lockout period. This behavior repeats until a successful login is completed. Note Depending on your SSH configuration, your client may make several login attempts with each connection attempt. Supported clients The following SSH clients have been tested with the CLI. Others may work as well: OpenSSH Tectia SecureCRT Putty Authenticate CLI logins using The CLI validates login credentials (username and password) using the settings defined on the Controller >> Management > Management tool page. 2-18 Management System time Local manager account The login username and password are the same as those defined for the local manager account. If this account is disabled, the last known username and password for this account are used. Administrative user authentication settings The login username and password use the same settings (Local and/or RADIUS) as defined for the manager account under Administrative user authentication. System time Select Controller >> Management > System time to open the System time page. This page enables you to configure the time server and set time zone information. Note The system time page on the MSM765zl is a read-only page that displays the current time configured on the chassis. This may or may not be the current time. Note Setting the correct time is important when the controller is managing controlled APs, as the time configured on the controller is used on all controlled APs. Synchronization and certificate problems can occur if the controller time is not accurate. Note Correct time is also important when the controller is using Active Directory to authenticate users. 2-19 Management System time Set timezone Select the time zone in which the controller is located. If you change the time zone setting, the new value does not take effect until you restart the controller. Automatically adjust clock for daylight savings time changes Enable this option to automatically update the clock based on the specified daylight savings time (DST) rule. Default DST rule: This is the currently active daylight savings time rule. Customize DST rules: Select this button to define your own DST rule. Time server protocol Select the protocol that will be used to communicate with the time server. Set date and time (manually) Use this option to manually set the system date and time. Set date and time (time servers) Select this option to have the controller periodically contact a network time server to update its internal clock. By default, the list contains two ntp vendor zone pools that are reserved for HP devices. By using these pools, you will get better service and keep from overloading the standard ntp.org server. For more information refer to: pool.ntp.org. 2-20 Chapter 3: Network configuration 3 Network configuration Contents Port configuration ........................................................................................................3-3 LAN port configuration.........................................................................................3-4 Internet port configuration...................................................................................3-5 PPPoE client ..........................................................................................................3-6 DHCP client............................................................................................................3-8 Static addressing....................................................................................................3-9 Network profiles ........................................................................................................3-12 About the default network profiles ...................................................................3-12 To define a network profile ................................................................................3-12 Address allocation......................................................................................................3-13 DHCP server.........................................................................................................3-14 DHCP relay agent ................................................................................................3-16 VLAN support .............................................................................................................3-19 GRE tunnels ................................................................................................................3-19 Bandwidth control .....................................................................................................3-21 Internet port data rate limits ..............................................................................3-22 Bandwidth levels .................................................................................................3-22 Example................................................................................................................3-23 Discovery protocols ...................................................................................................3-24 LLDP agents .........................................................................................................3-24 CDP .......................................................................................................................3-24 DNS ..............................................................................................................................3-25 DNS servers..........................................................................................................3-26 DNS advanced settings .......................................................................................3-26 Network configuration IP routes ......................................................................................................................3-27 Configuration .......................................................................................................3-28 Network address translation (NAT).........................................................................3-30 NAT security and static mappings.....................................................................3-30 VPN One-to-one NAT...........................................................................................3-33 RIP................................................................................................................................3-33 IP QoS ..........................................................................................................................3-34 Configuration .......................................................................................................3-34 Example................................................................................................................3-35 IGMP proxy .................................................................................................................3-37 3-2 Network configuration Port configuration Port configuration The Port configuration page displays summary information about all ports, VLANs, and GRE tunnels. Open this page by selecting Controller >> Network > Ports. Port configuration information Status indicator: Operational state of each port, as follows: Green: Port is properly configured and ready to send and receive data. Red: Port is not properly configured or is disabled. Name: Identifier for the port. To configure a port, select its name. IP address: IP addresses assigned to the port. An address of 0.0.0.0 means that no address is assigned. Mask: Subnet mask for the IP address. MAC address: MAC address of the port. Default port settings By default, ports are configured as follows: Port Default IP address Default DHCP server status LAN 192.168.1.1 Disabled. Internet DHCP client This feature is not available on the Internet port. 3-3 Network configuration Port configuration LAN port configuration The LAN port is used to connect the controller to a wired network. To verify and possibly adjust LAN port configuration, select Controller >> Network > Ports > LAN port. Addressing options The LAN port must be configured with a static IP address, because the controller cannot function as a DHCP client on the LAN port. By default it is set to the address 192.168.1.1 For information on configuring address allocation on the LAN port via DHCP server or DHCP relay agent, see Address allocation on page 3-13. Management address Use this option to assign a second IP address to the LAN port. This address provides a simple way to separate management traffic from user traffic without using VLANs. For example, by default the LAN port is set to 192.168.1.1 and all client devices obtain an address on this subnet from the controller’s DHCP server. With this feature you can add another address, say 192.168.2.1/255.255.255.0. APs can then be assigned to this subnet using static IP addressing. Now all management traffic exchanged between the controller and the APs is on a separate subnet. Link settings By default, the controller automatically adjusts link settings based on the type of equipment the port is connected to. If needed, you can force the port to operate at a particular speed or duplex setting. 3-4 Network configuration Port configuration Internet port configuration To verify and possibly adjust Internet port configuration, select Controller >> Network > Ports > Internet port. Addressing options The Internet port supports the following addressing options: PPPoE client on page 3-6 DHCP client on page 3-8 (default setting) Static addressing on page 3-9 No address. By default, the Internet port operates as a DHCP client. Select the addressing option that is required by your ISP or network administrator and then select Configure. Link settings By default, the controller automatically adjusts link settings based on the type of equipment the port is connected to. If needed, you can force the port to operate at a particular speed or duplex setting. Network address translation Enable this option to permit all the computers on the network to simultaneously share the connection on the Internet port. See Network address translation (NAT) on page 3-30. Limit NAT port range When enabled, the controller reserves a range of TCP and UDP ports for each authenticated, access-controlled user starting at port 5000, and maps all outgoing traffic for the user within the range. 3-5 Network configuration Port configuration Note If you enable this feature you should not assign static NAT mappings in the range 5000 to 10000. Size of port range Sets the number of TCP and UDP ports reserved for each user. PPPoE client To configure the PPPoE client on the Internet port, select Controller >> Network > Ports and then select PPPoE and then Configure. Settings Username Specify the username assigned to you by your ISP. The controller will use this username to log on to your ISP when establishing a PPPoE connection. Password/Confirm password Specify the password assigned to you by your ISP. The controller will use this password to log on to your ISP when establishing a PPPoE connection. Maximum Receive Unit (MRU) Maximum size (in bytes) of a PPPoE packet when receiving. Changes to this parameter only should be made according to the recommendations of your ISP. Incorrectly setting this parameter can reduce the throughput of your Internet connection. Maximum Transmit Unit (MTU) Maximum size (in bytes) of a PPPoE packet when transmitting. Changes to this parameter should only be made according to the recommendations of your ISP. Incorrectly setting this parameter can reduce the throughput of your Internet connection. Auto-reconnect The controller will automatically attempt to reconnect if the connection is lost. 3-6 Network configuration Port configuration Un-numbered mode This feature is useful when the controller is connected to the Internet and NAT is not being used. Instead of assigning two IP addresses to the controller, one to the Internet port and one to the LAN port, both ports can share a single IP address. This is especially useful when a limited number of IP addresses are available to you. Assigned by PPPoE server These settings are assigned to the controller by your service provider PPPoE server. The Internet connection is not active until this occurs. Service provider Identifies your Internet service provider. Not all ISPs provide this information. Connection status Indicates the state of the PPPoE connection. If the connection is not active, a message indicates why. IP address Identifies the IP address assigned to the controller by the ISP. Mask Identifies the subnet mask that corresponds to the assigned IP address. Primary DNS address Identifies the IP address of the main DNS server the controller will use to resolve DNS requests. Secondary DNS address Identifies the IP address of the backup server the controller will use to resolve DNS requests. Default gateway Identifies the IP address of the gateway the controller will forward all outbound traffic to. Restart Connection Select this button to manually establish the PPPoE connection. During normal operation, you will not need to do this because the controller will automatically reconnect if the PPPoE connection is interrupted. However, for certain types of connection failures, the controller may not be able to re-establish the connection, even after several retries. When this occurs, the cause of the failure is shown in the Connection status field and you must select Restart Connection to manually establish the connection. 3-7 Network configuration Port configuration DHCP client To configure the PPPoE client on the Internet port, select Controller >> Network > Ports and then select DHCP Client and then Configure. Settings DHCP client ID Specify an ID to identify the controller to the DHCP server. Assigned by DHCP server These settings are assigned to the controller by your service provider DHCP server. The Internet connection is not active until this occurs. Domain name Identifies the domain the DHCP server is operating in. IP address Identifies the IP address assigned to the controller by the DHCP server. Mask Identifies the subnet mask that corresponds to the assigned IP address. Primary DNS address Identifies the IP address of the main DNS server the controller will use to resolve DNS requests. Secondary DNS address Identifies the IP address of the backup server the controller will use to resolve DNS requests. Default gateway Identifies the IP address of the gateway the controller will forward all outbound traffic to. Expiration time Indicates how long the address is valid. 3-8 Network configuration Port configuration Release Select to release the controller IP address. Renew Select to renew the controller IP address. Static addressing To configure the PPPoE client on the Internet port, select Controller >> Network > Ports and then select Static and then Configure. Port settings IP address Specify the static IP address you want to assign to the port. Address mask Select the appropriate mask for the IP address you specified. Additional IP addresses Use these options to define additional IP addresses for use by either the VPN one-to-one NAT feature or the public IP address feature. Only one of these features can be active. Type of addresses Select either the VPN one-to-one NAT or Public IP address option. VPN one-to-one NAT When this feature is enabled, the controller can assign a unique IP address to each IPSec or PPTP VPN connection made by a user to a remote server via the Internet port. Addresses are assigned as defined in the Address pool. This feature can only be used with authenticated, access-controlled users. 3-9 Network configuration Port configuration To reduce the number of addresses that need to be defined, the controller will use the same address for multiple users as long as they are establishing a connection with different VPN servers. Use this feature when all of the following conditions are true: Note Users intend to make IPSec or PPTP VPN connections with a remote site via the Internet port on the controller. NAT is enabled on the controller. (In its default configuration, NAT translates all IP address on the local network to a single public IP address; the address assigned to the Internet port on the controller. As a result, all user sessions to an external resource appear to originate from the same IP address. This can cause a problem with remote VPN servers that require a unique IP address for each user session.) The remote VPN server requires that each user have a unique IP address. External devices cannot initiate connections with users via the address assigned by this feature. Assigning addresses to users To make use of this feature, each user account must have the VPN one-to-one NAT option enabled. Do this as follows: If using the local user accounts (defined on the Controller >> Users menu), enable the VPN one-to-one NAT option in the account profile or subscription plan that is assigned to the user. See Defining account profiles on page 10-32 and Defining subscription plans on page 10-35. If using Active Directory, enable the VPN one-to-one NAT option in the account profile (see Defining account profiles on page 10-32) that is assigned to an Active Directory group (see Configuring an Active Directory group on page 11-13). If using a RADIUS server, add the following Colubris AV-Pair value to the user’s account: one-to-one-nat=1. For more information on setting attributes, see Default user oneto-one NAT on page 15-53 and One-to-one NAT on page 15-69. Address pool The address pool contains all the IP addresses that can be assigned to users. You can define up to 30 addresses. Addresses must be valid for the network to which the Internet port is connected. Specify a single address or an address range as follows: address1-address2. For example, the following defines a range of 20 addresses: 192.168.1.1-192.168.1.20 Public IP address This feature enables the integrated DHCP server on the controller to assign public IP addresses to users. A user with a public IP address is visible on the protected network connected to the Internet port, instead of being hidden by the controller’s NAT feature. This makes it possible for external devices to create connections with a user’s computer on the internal network. 3-10 Network configuration Port configuration Public IP addresses are assigned by the integrated DHCP server using the addresses specified in the Address pool. Whenever possible, this feature will assign the same public IP address to a user each time they connect. When you enable public IP address support in a subscription plan, an additional setting is available called Reserve public IP address. When this option is enabled, the public IP assigned to a user is reserved until the user’s subscription plan expires. This means that the address is reserved, even if the user is not logged in. When a public IP address is assigned to a user: Note The user cannot access any VLANs, VPNs, or GRE tunnels configured on the controller. The user cannot establish more than one concurrent session. If a user’s account is configured for public IP address support and there is no free public IP address in the pool when the user tries to login, the login is refused. Assigning public IP addresses to users To obtain a public IP address, a user’s account must have its Public IP address option enabled. Do this as follows: If using the local user accounts (defined on the Controller >> Users menu), enable the Public IP address option in the account profile or subscription plan that is assigned to the user. See Defining account profiles on page 10-32 and Defining subscription plans on page 10-35. If using Active Directory, enable the Public IP address option in the account profile (see Defining account profiles on page 10-32) that is assigned to an Active Directory group. To set up an Active Directory group, see Configuring an Active Directory group on page 11-13. If using a RADIUS server, add the following Colubris AV-Pair value to the user’s account: use-public-ip-subnet=1. For more information, see Default user public IP address on page 15-54 and Public IP address on page 15-70. DHCP server lease time Use this setting to define the amount of time the public IP address lease will be valid. This setting only applies to public IP addresses. It overrides the DHCP lease time set by selecting Controller >> Network > Address allocation > DHCP server. Address pool The address pool contains all the public IP addresses that can be assigned to users. You can define up to 30 addresses. Addresses must be valid for the network to which the Internet port is connected. Specify a single address or an address range as follows: address1-address2. For example, the following defines a range of 20 addresses: 192.168.1.1-192.168.1.20 3-11 Network configuration Network profiles Network profiles Network profiles let you define the characteristic of a network and assign a friendly name to it. Profiles make it easy to configure the same settings in multiple places on the controller. For example, if you define a profile with a VLAN ID of 10, you could use that profile to: Configure VLAN 10 on the controller’s Internet or LAN port using the Controller >> Network > Ports page. Configure VLAN 10 as the egress network for a group of APs when binding them to a VSC using the Controlled APs > [group] >> VSC bindings page. Configure VLAN 10 as the local network for an AP using the Controlled APs >> Configuration > Local network page. About the default network profiles Two network profiles are created by default: LAN port network and Internet port network. These profiles are associated with the two physical Ethernet ports on the controller. You can rename these profiles, but you cannot assign a VLAN to them or delete them. You can use these profiles to send untagged traffic to a specific port on the controller. Both ports are considered to be local networks on the controller, which means that they automatically map the network that is assigned to each physical port as a local network on the controller. However, the LAN and Internet port network profiles can also be assigned as a local network on an AP (for example, using the Controlled APs >> Configuration > Local networks page). When this is done, both profiles refer to the untagged Ethernet port on the AP. To define a network profile 1. Select Controller >> Network > Network profiles. 3-12 Network configuration Address allocation 2. Select Add New Profile. 3. Configure profile settings as follows: Under Settings, specify a Name for the profile. To assign a VLAN, select VLAN and then specify an ID. If the profile will be used on an Ethernet port, you can also define a range of VLANs. This enables a single VLAN definition to span a large number of contiguously assigned VLANs. Specify the range in the form X-Y, where X and Y can be 1 to 4094. For example: 50-60. An IP address cannot be assigned to a VLAN range. You can define more than one VLAN range by using multiple profiles. Each range must be distinct and contiguous. 4. Select Save. Address allocation The controller can operate as a DHCP server or DHCP relay agent on the LAN port. This enables it to assign IP addresses to downstream devices connected to the LAN port. By default, address allocation is disabled. To configure address allocation settings, select Controller >> Network > Address allocation. For information on VPN address pool, see Configure an IPSec profile for wireless client VPN on page 16-4. 3-13 Network configuration Address allocation DHCP server The DHCP server can be used to automatically assign IP addresses to devices that are connected to the controller via the LAN port or client data tunnel. Note Do not enable the DHCP server if the LAN port is connected to a network that already has an operational DHCP server. When the DHCP server is active, users can still connect using static IP addresses assigned on different subnets. To configure this feature, select Public access > Access control and under Client options, select Allow any IP address. The DHCP settings on this page are always used by the default VSC. For additional flexibility, separate DHCP servers can enabled on other access-controlled VSCs to assign addresses to users. See DHCP server on page 5-30. The DHCP server feature is not supported when controller teaming is active. To configure the internal DHCP server, select Controller >> Network > Address allocation, select DHCP server, and then Configure. 3-14 Network configuration Address allocation Addresses Start / End Specify the starting and ending IP addresses that define the range of addresses the DHCP server can assign to client stations. The address assigned to the controller is automatically excluded from the range. Gateway Specify the IP address of the default gateway the controller will assign to DHCP users. In most cases you will specify the IP address of the controller LAN port as the Gateway. DNS servers to assign to client stations Lists the IP addresses of the DNS servers that the controller will assign to users. You can define DNS options by selecting Network > DNS. Fixed leases Use this feature to permanently reserve an IP addresses lease for a specific device. This ensures that the device is always reachable at the same address on the network, but does not require a static address to be set directly on the device itself. This table lists all permanently reserved addresses. Up to 255 fixed leases can be defined. To assign a specific IP address to a client station specify the following and select Add: MAC address: MAC address of the client station in the format: nn:nn:nn:nn:nn:nn. IP address: IP address that will be assigned to the client station in the format: nnn.nnn.nnn.nnn. Unique identifier: A number that identifies the device. Must be unique to all DHCP clients on the network. Generally set to the MAC address of the client station. This parameter is optional unless MAC masquerading is being performed by the client station. Settings Domain name Specify the domain name the controller will return to DHCP users. Typically, this will be your corporate domain name. The host name in the currently installed SSL certificate is automatically assigned as the domain name of the controller. The factory default SSL certificate that is installed on the controller has the host name wireless.colubris.com. 3-15 Network configuration Address allocation You do not have to add this name to your server for it to be resolved. The controller intercepts all DNS requests it receives. It resolves any request that matches the certificate host name by returning the IP address assigned to the Internet port. All other DNS requests are forwarded to the appropriate DNS servers as configured on the Controller > Network > DNS page. To summarize, this means that by default, any DNS request by a user that matches wireless.colubris.com will return the IP address of the controller’s Internet port. Lease time Specify the lease time (in seconds) that the controller will assign to all assigned addresses. As long as a user remains connected their address is automatically renewed when the lease time expires. If a user disconnects without releasing their address, then the address remains reserved until the lease time expires. If you have a small address pool and a large user turnover, setting a long lease time may cause you to run out of addresses even though they are not really in use. Logout HTML user on discovery request When enabled, the controller will log out a client station if a DHCP discovery request is received from the client station while a DHCP address lease is currently assigned. This feature is useful when multiple users share the same client station. If a user forgets to log out before turning off the client station, the next user will have to wait until the lease expires before being able to log in. Listen for DHCP requests on Select the port on which the controller will listen for DHCP requests from client stations. LAN port: Listen for requests on the LAN port. Client data tunnel: Enable this option when the client data tunnel feature is active on one or more VSCs, and you want tunneled client stations to be able to receive an IP address from the controller’s DHCP server. Controller discovery Use this option to define controller discovery information for controlled APs. See DHCP discovery on page 6-8. Add the IP address for each controller that is active on the network. When working with a controller team you should add the IP address of each team member. This list is sent to all devices that request an IP address, encoded as DHCP option 43 (Vendorspecific information). However, this information is only interpreted by HP ProCurve APs that are operating in controlled mode. Controlled mode APs use these addresses to connect with the controllers in the order that they appear in the list. DHCP relay agent The controller provides a flexible DHCP relay implementation. It can listen for requests on the LAN port or client data tunnel and forward them to a DHCP via any of the controller’s physical or logical interfaces. 3-16 Network configuration Address allocation Note For additional flexibility, separate DHCP relay agents can be enabled on access-controlled VSCs. See DHCP relay agent on page 5-31. Use the following guidelines when configuring DHCP relay: Routes must be defined on the DHCP server, so that the DHCP server can successfully send DHCP response packets back to the DHCP relay agent running on the controller. These should be static and persistent HOST routes that must identify the IP address assigned to the controller’s LAN port or additional VSC relay IP address, (i.e. 192.168.1.1). On Windows, such a static route would look like this: route add 192.168.1.1 mask 255.255.255.255 10.10.10.22 metric 1 –p DHCP relay is not supported via the Internet port when it is operating as a PPPoE client. DHCP relay cannot work via the Internet port if the internal firewall is set to High and NAT is enabled on the Internet port. The DHCP server must be able to ping the assigned address to prevent duplicate assignments. To configure the internal DHCP server, select Controller >> Network > Address allocation, select DHCP relay agent, and then Configure. Settings Listen for DHCP requests on Select the port on which the controller will listen for DHCP requests from users. Listen for requests on LAN port: Listens for DHCP requests on the LAN port and relay them to the remote DHCP server. Client data tunnel: Enable this option when the client data tunnel feature is active on one or more VSCs, and you want tunneled users to be able to receive an IP address via the DHCP relay agent. See Client data tunnel on page 5-13. 3-17 Network configuration Address allocation The following two fields let you attach information to the DHCP request (as defined by DHCP relay agent information option 82) which lets the DHCP server identify the controller. Circuit ID: Use this field to identify the user that issued the DHCP request. Remote ID: Use this field to identify the controller. You can use regular text in combination with the following placeholders to create the information in each field. Placeholders are automatically expanded when the request is sent. The following placeholders can be used: %S: SSID to which the user is associated. %B: BSSID to which the user is associated. %V: VLAN to which the user is mapped. Server Primary DHCP server address Specify the IP address of the first DHCP server to which the controller should forward DHCP requests. Secondary DHCP server address Specify the IP address of the backup DHCP server to which the controller should forward DHCP requests. Note The DHCP servers must be reachable via one of the ports on the controller. Routes must be defined on the DHCP server so that the DHCP server can successfully send DHCP response packets back to the DHCP relay agent running on the controller. These should be static and persistent HOST routes that must identify the IP address assigned to the controller’s LAN port or an additional VSC relay IP address, (i.e. 192.168.1.1). On Windows, such a static route would look like this: route add 192.168.1.1 mask 255.255.255.255 10.10.10.22 metric 1 –p DHCP relay is not supported via the Internet port when it is operating as a PPPoE client. DHCP relay cannot work via the Internet port if the internal firewall is set to High and NAT is enabled on the Internet port. The DHCP server must be able to ping the assigned address to prevent duplicate assignments. Extend Internet port subnet to LAN port When enabled, the controller will alter the DHCP address requests from client stations so that they appear to originate from the network assigned to the Internet port on the controller. This will cause the DHCP server to assign IP addresses on this network to all client stations. The controller handles all mapping between the two subnets internally. 3-18 Network configuration VLAN support For L2 connected APs operating in controlled mode: Enable the Client data tunnel option under Settings. (If teaming is active, the client data tunnel is automatically used.) Enable the Always tunnel client traffic option on the VSC profile page under Virtual AP > Client data tunnel. VLAN support VLAN configuration is discussed in Chapter 7: Working with VLANs. GRE tunnels To view and configure GRE tunnel definitions, select Controller >> Network > Ports. Initially, no GRE tunnels are defined. 3-19 Network configuration GRE tunnels To add a tunnel, select Add New GRE Tunnel. The Add/Edit GRE tunnel page opens. Define tunnel settings as follows: 3-20 Name: Tunnel name. Local tunnel IP address: Specify the IP address of the controller inside the tunnel. Remote tunnel IP address: Specify the IP address of the remote device inside the tunnel. Tunnel IP mask: Specify the mask associated with the IP addresses inside the tunnel. GRE peer IP address: Specify the IP address of the remote device that terminates the tunnel. Network configuration Bandwidth control Bandwidth control The controller incorporates a bandwidth management feature that enables control of all user traffic flowing through the controller. To configure Bandwidth management, select Controller >> Network > Bandwidth Control. Bandwidth control has two separate components: Internet port data rate limits and bandwidth levels. They interact with the data stream as follows: Bandwidth Control Traffic from the site access list Level Management traffic User traffic Very High User Data Rate Limits High Normal Internet Port Data Rate Limit Internet Port Low 3-21 Network configuration Bandwidth control Internet port data rate limits These settings enable you to limit the total incoming or outgoing data rate on the Internet port. If traffic exceeds the rate you set for short bursts, it is buffered. Long overages will result in data being dropped. To utilize the full available bandwidth, the Maximum transmit rate and Maximum receive rate should be set to match the incoming and outgoing data rates supported by the connection established on the Internet port. Bandwidth levels The controller provides four levels of traffic priority that you can use to manage traffic flow: Very High, High, Normal, and Low. The settings for each level are customizable, allowing performance to be tailored to meet a wide variety of scenarios. Assigning traffic to a bandwidth level Traffic can be assigned to a specific bandwidth level for each VSC and for each user. For bandwidth control to be operational, you must first enable the Internet port data rate limits option. Once this is done, you can assign traffic to bandwidth levels as follows: In a VSC, select the default level for all user traffic in the Bandwidth control box. This level applies to users who do not have a specific assignment in their user account. In a user’s account profile, set the Bandwidth level in the Bandwidth limits box. Or if you are using a RADIUS server to validate user logins, set the bandwidth level using a Colubris AV-Pair value. See Bandwidth level on page 15-68. To control the default bandwidth level for all users, see Default user bandwidth level on page 15-51. 3-22 Network configuration Bandwidth control Note Management traffic (which includes RADIUS, SNMP, and administrative sessions) is assigned to bandwidth level Very High and cannot be changed. All traffic assigned to a particular bandwidth level shares the allocated bandwidth for that level across all VSCs. This means that if you have three VSCs all assigning user traffic to High, all users share the bandwidth allocated to the High level. Customizing bandwidth levels Bandwidth levels are arranged in order of priority from Very High to Low. Priority determines how free bandwidth is allocated once the minimum rate is met for each level. Free bandwidth is always assigned to the higher priority levels first. Bandwidth rates for each level are defined by taking a percentage of the maximum transmit and receive rates defined for the Internet port. Each bandwidth level has four rate settings: Transmit rate - guaranteed minimum: Minimum amount of bandwidth that will be assigned to a level as soon as outgoing traffic is present on the level. Transmit rate - maximum: Maximum amount of outgoing bandwidth that can be consumed by the level. Traffic in excess is buffered for short bursts, and dropped for sustained overages. Receive rate - guaranteed minimum: Minimum amount of bandwidth that will be assigned to a level as soon as incoming traffic is present on the level. Receive rate - maximum: Maximum amount of incoming bandwidth that can be consumed by the level. Traffic in excess is buffered for short bursts, and dropped for sustained overages. Example For example, assume that transmit bandwidth is configured as follows: Transmit rates Min Max Very High 20 20 High 40 100 Normal 20 100 Low 20 20 Next, assume the following bandwidth requirement occurs on transmitted user data: High requires 70%, which is 30% more than its minimum. Normal requires 50%, which is 30% more than its minimum. There is no traffic on Very High or Low. 3-23 Network configuration Discovery protocols Since both High and Normal require bandwidth in excess of their guaranteed minimum, each is allocated their guaranteed minimum. This leaves 40% of the bandwidth free to be assigned on a priority basis. High has more priority than Normal, so it takes as much bandwidth as needed. In this case it is 30%, which brings High up to 70%. This leaves 10% for Normal, which is not enough. Traffic is buffered for a short period, and then dropped. If at the same time Very High traffic is sent, this level immediately steals 20% from the lower levels. In this case, 10% is taken from Normal, returning it to its minimum guaranteed level, and 10% is taken from High. Discovery protocols The controller supports two protocols (LLDP and CDP) that provide a mechanism for devices on a network to exchange information with their neighbors. To these protocols, select Controller >> Network > Discovery protocols. LLDP agents For a complete discussion of all LLDP options, see Chapter 17: LLDP on page 17-1. CDP The controller can be configured to transmit CDP (Cisco Discovery Protocol) information on the LAN and Internet ports. This information is used to advertise controller information to third-party devices, such as CDP-aware switches. Network managers can retrieve this information allowing them to determine the switch ports to which different controllers are connected. 3-24 Network configuration DNS The controller always listens for CDP information on the LAN and Internet ports, even when this option is disabled, to build a list of autonomous APs. CDP information from third-party devices and controlled APs is ignored. Note Controlled APs always send CDP information. DNS The controller provides several options to customize DNS handling. To configure these options, select Controller >> Network > DNS. The configuration options on this page change depending on the address option that is active on the Internet port. When the Internet port is configured to obtain an IP address via PPPoE or DHCP When the Internet port is configured to use a static IP address 3-25 Network configuration DNS Note When using Active Directory for user authentication, set the DNS servers to be the Active Directory servers or the devices that provide SRV records. DNS servers Dynamically assigned servers Shows the DNS servers that are dynamically assigned to the controller when PPPoE or DHCP is used to obtain an IP address on the Internet port. Override dynamically assigned DNS servers Enable this checkbox to use the DNS servers that you specify on this page to replace those that are assigned to the controller. Server 1 Specify the IP address of the primary DNS server for the controller to use. Server 2 Specify the IP address of the secondary DNS server for the controller to use. Server 3 Specify the IP address of the tertiary DNS server for the controller to use. DNS advanced settings DNS cache Enable this checkbox to activate the DNS cache. Once a host name is successfully resolved to an IP address by a remote DNS server, it is stored in the cache. This speeds up network performance, because the remote DNS server does not have to be queried for subsequent requests for this host. An entry stays in the cache until one of the following is true: An error occurs when connecting to the remote host. The time to live (TTL) of the DNS request expires. The controller restarts. DNS switch on server failure Controls how the controller switches between servers: 3-26 When enabled, the controller switches servers if the current server replies with a DNS server failure message. When disabled, the controller switches servers if the current server does not reply to a DNS request. Network configuration IP routes DNS switch over Controls how the controller switches back to the primary server. When enabled, the controller switches back to the primary server once the primary server becomes available again. When disabled, the controller switches back to the primary server only when the secondary server becomes unavailable. DNS interception When enabled, the controller intercepts all DNS requests and relays them to the configured DNS servers. DNS interception must be enabled to support: Redirection of users to the public access interface login page when the controller cannot resolve the domain requested by the user. For example, if the user is using a private or local domain as the default home page in its browser. Users configured to use HTTP proxy. Users with static IP addresses when the Allow any IP address option is enabled on the Public access > Access control page. When disabled, the controller does not intercept any DNS requests, enabling devices to use a DNS server other than the controller. To support this option, you must set Network > Address allocation to DHCP relay agent or Static. Note When Network > Address allocation is set to DHCP Server the controller always returns its own address as the DNS server. IP routes The routing module on the controller provides the following features: Compliance with RFC 1812, except for multicast routing Supports Classless Inter Domain Routing (CIDR) Supports Routing Internet Protocol (RIP) versions 1 and 2 in active or passive mode. Output from the router is sent to the appropriate logical interface based on the target address of the traffic. Supported logical interfaces include: VLAN Untagged IPSec client PPTP client GRE tunnel 3-27 Network configuration IP routes Configuration To view and configure IP routes, select Controller >> Network > IP routes. Active routes This table shows all active routes on the controller. You can add routes by specifying the appropriate parameters and then selecting Add. The routing table is dynamic and is updated as needed. This means that during normal operation the controller adds routes to the table as required. You cannot delete these system routes. The following information is shown for each active route: Interface: The port through which traffic is routed. When you add a route, the controller automatically determines the interface to be used based on the Gateway address. Destination: Traffic addressed to this IP address or subnet is routed. Mask: Number of bits in the destination address that are checked for a match. Gateway: IP address of the gateway to which the controller forwards routed traffic (known as the next hop). An asterisk is used by system routes to indicate a directly connected network. Routes cannot be manually specified for IPSec. These routes are automatically added by the system based on the settings for the IPSec security association. Metric: Priority of a route. If two routes exist for a destination address, the controller chooses the one with the lower metric. Default routes The Default routes table shows all default routes on the controller. Default routes are used when traffic does not match any route in the Active routes table. You can add routes by specifying the appropriate parameters and then selecting Add. 3-28 Network configuration IP routes The routing table is dynamic and is updated as needed. If more than one default route exists, the first route in the table is used. The following information is shown for each default route: Interface: The port through which traffic is routed. When you add a route, the controller automatically determines the interface to be used based on the Gateway address. Gateway: IP address of the gateway to which the controller forwards routed traffic (known as the next hop). An asterisk is used by system routes to indicate a directly connected network. Metric: Priority of a route. If two routes exist for a destination address, the controller chooses the one with the lower metric. Persistent routes Persistent routes are automatically deleted and then restored each time the interface they are associated with is closed and opened. When the routes are active, they also appear in the Active routes table. PPTP client The controller provides an Auto-route discovery option to enable it to automatically discover and add routes for IP addresses on the other side of a Point-to-Point Tunnelling Protocol (PPTP) tunnel. The addresses must be part of the remote domain as specified on the Controller >> VPN > PPTP client page. Routes are added only when an attempt is made to access the target addresses. About PPTP client routes (Internet port) If you disabled the Auto-route discovery option (VPN > PPTP client), or if you need to access IP addresses that are not part of the specified domain, you must define the appropriate persistent routes. About PPTP server routes (Internet port) Activation of the route can be triggered by a specific username. When a user establishes a connection with the controller PPTP server, its username is checked against the persistent routes list and if a match is found, the route is enabled. 3-29 Network configuration Network address translation (NAT) Network address translation (NAT) Network address translation is an address mapping service that enables one set of IP addresses to be used on an internal network, and a second set to be used on an external network. NAT handles the mapping between the two sets of addresses. Generally NAT is used to map all addresses on an internal network to a single address for use on an external network like the Internet. The main benefits are that NAT: Enables several devices to share a single connection Effectively hides the IP addresses of all devices on the internal network from the external network. This is illustrated as follows: NAT Web Page Web Page Web server addressed to 202.125.11.26 addressed to 192.168.1.2 192.168.1.2 HTTP reques t ISP AP 192.168.1.3 Controller Internet 202.125.11.26 All traffic uses the same external IP address assigned by the ISP. Internal addresses are invisible to computers on the Internet. NAT can be useful in conjunction with virtual private network (VPN) connections. When two networks are connected through a VPN tunnel, it may be desirable to obscure the address of local computers for security reasons. NAT security and static mappings One of the benefits of NAT is that it effectively hides the IP addresses of all devices on the internal network an external network. In some cases, however, it is useful to make a computer on the internal network accessible externally. For example, a Web server or FTP server. Static NAT mapping addresses this problem. Static NAT mapping enables you to route specific incoming traffic to an IP address on the internal network. For example, to support a Web server, you can define a static NAT mapping to route traffic on TCP port 80 to an internal computer running a Web server. 3-30 Network configuration Network address translation (NAT) A static NAT mapping allows only one internal IP address to act as the destination for a particular protocol (unless you map the protocol to a nonstandard port). For example, you can run only one Web server on the internal network. Note If you use a NAT static mapping to enable a secure (HTTPS) Web server on the internal network on TCP port 443, remote access to the management tool is no longer possible, as all incoming HTTPS requests are routed to the internal Web server and not to the management tool. You can change the default management port (TCP 443) to an alternate unused TCP port in this case. If you create a static mapping, the firewall is automatically opened to accept the traffic. However, this firewall rule is not visible on the Firewall configuration page (it is maintained internally by the controller). Common applications are affected by NAT as follows: Application NAT FTP (passive mode) Requires a static mapping to function. FTP (active mode) Requires a static mapping to function. NetMeeting Requires a static mapping to function. Telnet Requires a static mapping to function. Windows networking No effect The controller provides pre-configured static mappings for most common applications, which you can enable as needed. Most Web browsers use FTP in active mode. Some browsers provide a configuration option that enables you to alter this. Use the following steps to change this behavior in Microsoft Internet Explorer. 1. Select Tools > Internet options to open the Internet options dialog. 2. Select the Advanced tab. 3. Under Browsing, enable the Use Passive FTP for compatibility with some firewalls and DSL modems checkbox. 3-31 Network configuration Network address translation (NAT) NAT example The following example shows you how to configure static NAT mappings to run a Web server and an FTP server on the internal network. This scenario might occur if you use the controller in an enterprise environment. Web server Web browser NAT 192.168.1.2 Web (HTTP) traffic AP Internet 192.168.1.1 FTP server FTP traffic Controller 202.125.11.26 192.168.1.3 FTP client By creating static NAT mappings, FTP and HTTP (Web) traffic can be routed to the proper user. Note that the addresses of these stations are still not visible externally. Remote computers send their requests to 202.125.11.26, and the controller routes them to the proper client. Use the following steps to configure the controller to support this example,. 1. Select Controller >> Network > NAT > Add New Static NAT Mapping. 2. On the NAT mappings page, select Add New Static NAT Mapping. 3. Under Requests for, select Standard Services, and then select http (TCP 80). 4. Under Translate to, specify the IP address of the Web server, for example 192.168.1.2. The Settings box should now look similar to this: 5. Select Add to save your changes and return to the NAT mappings page. The new mapping is added to the table. 3-32 Network configuration RIP 6. To support the FTP server, create two additional mappings with the following values: Set Standard Services to ftp-data (TCP 20) and set IP address to 192.168.1.3. Set Standard Services to ftp-control (TCP 21) and set IP address to 192.168.1.3. The NAT mappings table should now show all three mappings: VPN One-to-one NAT This feature can only be used with authenticated, access-controlled users. It is only supported when a static IP address is assigned to the Internet port. It is configured by selecting Network > Ports > Internet port > Static > Additional IP addresses. See VPN one-to-one NAT on page 3-9. RIP The controller supports Routing Information Protocol (RIP) versions 1 and 2. RIP can operate in one of two modes on the interfaces you select. Passive mode: The controller listens for routing broadcasts to update the routing table, but does not broadcast its own routes. Active mode: The controller listens for routing broadcasts to update the routing table, and also broadcast its own routes. For example: Note RIP is not supported if you are using PPPoE on the Internet port. 3-33 Network configuration IP QoS IP QoS To ensure that critical applications have access to the required amount of wireless bandwidth, you can classify packets destined for the wireless interface into priority queues based on a number of criteria. For example, you can use any of the following to place data packets in one of four priority queues for transmission onto the wireless interface: TCP source port UDP source port Destination port Port ranges You configure IP quality of service (QoS) by creating IP QoS profiles that you can then associate with VSCs or use for global wireless settings. You can configure as many as 32 IP QoS profiles on the controller. You can associate as many as 10 IP QoS profiles with each VSC. Configuration To view and configure IP QoS profiles, select Controller >> Network > IP QoS. Initially, no profiles are defined. To create an IP QoS profile select Add New Profile. 3-34 Network configuration IP QoS Settings Profile name: Specify a unique name to identify the profile. Protocol: Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually. You can find IANA-assigned protocol numbers on the Internet. Start port/ End port: Optionally specify the first and last port numbers in the range of ports to which this IP QoS profile applies. To specify a single port, specify the same port number for both Start port and End port. Port numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually. Note To accept traffic on all ports for a specified protocol, set Start port to Other and 0. Also set End port to 65535. Note Priority: Select the priority level that will be assigned to traffic that meets the criteria specified in this IP QoS profile. It is strongly recommended that you reserve Very high priority for voice applications. Example This example shows how to create two IP QoS profiles and associated them with a VSC. The two profiles are: Voice: Provides voice traffic with high priority. Web: Provides HTTP traffic with low priority. Create the profiles 1. Select Network > IP QoS, and then Add New Profile. The IP QoS Profile page opens. 2. Under Profile name, specify Voice. 3. Under Protocol, from the drop-down list select TCP. 4. Under Start port, from the drop-down list select SIP. Start port and End port are automatically populated with the correct value: 5060. 3-35 Network configuration IP QoS 5. Under Priority, from the drop-down list select Very High. 6. Select Save. Note You could also create another profile using the same parameters but for UDP to cope with any kind of SIP traffic. 7. On the IP QoS Profile page select Add New Profile. 8. Under Profile name, specify Web. 9. Under Protocol, from the drop-down list select TCP. 10. Under Start port, from the drop-down list select http. Start port and End port are automatically populated with the common HTTP port, 80. 11. Under Priority, from the drop-down list select Low. 12. Select Save. 3-36 Network configuration IGMP proxy Assign the profiles to a VSC 1. In the Network Tree select VSCs (if not visible, first select the + symbol to the left of Controller), and then select one of the VSC profiles in the Name column. Scroll down to the Quality of service section of the Virtual AP box. 2. Set Priority mechanism to IP QoS. 3. In IP QoS profiles, Ctrl-click each profile. 4. Select Save. IGMP proxy This feature provides support for multicast routing using IGMP (Internet Group Management Protocol), which is typically required by the controller. When enabled, the controller: Note Routes all multicast traffic received on the Upstream interface to the Downstream interface. Listens for IGMP host membership reports from authenticated users on the Downstream interface and forwards them to the Upstream interface. IGMP host membership reports from unauthenticated users are ignored. An access list definition must be created to accept the multicast traffic (video streams, etc.) Due to the nature of multicast traffic, once a user registers for a stream it automatically becomes visible to unauthenticated users as well. However, unauthenticated users are not able to register with the IGMP group. To view and configure IGMP proxy settings, select Controller >> Network > IGMP proxy. 3-37 Network configuration IGMP proxy 3-38 Chapter 4: Wireless configuration 4 Wireless configuration Contents Wireless coverage.........................................................................................................4-2 Factors limiting wireless coverage......................................................................4-2 Configuring overlapping wireless cells...............................................................4-3 Supporting 802.11n and legacy wireless clients ................................................4-7 Radio configuration .....................................................................................................4-8 Radio configuration parameters ........................................................................4-18 Advanced wireless settings ................................................................................4-29 Wireless neighborhood ..............................................................................................4-34 Scanning modes ...................................................................................................4-34 Viewing wireless information ...................................................................................4-35 Viewing all wireless clients ................................................................................4-35 Viewing info for a specific wireless client........................................................4-36 Viewing wireless client data rates .....................................................................4-38 Wireless access points ........................................................................................4-39 Wireless configuration Wireless coverage Wireless coverage As a starting point for planning your network, you can assume that when operating at high power, an AP radio provides a wireless networking area (also called a wireless cell) of up to 300 feet (100 meters) in diameter. Before creating a permanent installation however, you should always perform a site survey (see Wireless neighborhood on page 4-34) to determine the optimal settings and location for the AP. The following sections provide information on wireless coverage. A tool that can help simplify planning a secure wireless network is the HP ProCurve RF Planner. For more information, see the RF Planner Admin Guide. Note Supported wireless modes, operating channels, and power output vary according to the AP model, and are governed by the regulations of the country in which the AP is operating (called the regulatory domain). For a list of all operating modes, see Radio configuration on page 4-8. To set the regulatory domain, see Assigning country settings to a group on page 6-30. Factors limiting wireless coverage Wireless coverage is affected by the factors discussed in this section. Radio power More radio power means better signal quality and the ability to create bigger wireless cells. However, cell size should generally not exceed the range of transmission supported by wireless users. If it does, users will be able to receive signals from the AP but will not be able to reply, rendering the connection useless. Further, when more than one AP operates in an area, you must adjust wireless cell size to reduce interference between APs. An automatic power control feature is available to address this challenge. See Transmit power control on page 4-32. Antenna configuration Antennas play a large role in determining the shape of the wireless cell and transmission distance. See the specifications for the antennas you use to determine how they affect wireless coverage. Interference Interference is caused by other APs or devices that operate in the same frequency band as the AP and can substantially affect throughput. Advanced wireless configuration features are available to automatically eliminate this problem. See Radio configuration on page 4-8. In addition, the several tools are available to diagnose interference problems as they occur. 4-2 Select Controlled APs >> Wireless > Neighborhood to view a list of wireless APs operating in the immediate area so that you can effectively set the operating frequencies. See Wireless neighborhood on page 4-34. Wireless configuration Wireless coverage Caution Select Controlled APs >> Overview > Wireless rates to view information about data rates for all connected client stations. This makes it easy to determine if low-speed clients are affecting network performance. To prevent low-speed clients from connecting, you can use the Allowed wireless rates option when defining a VSC. See Virtual AP on page 5-10. Select Controlled APs >> Overview > Wireless clients to view information about each connected wireless client. Select Controlled APs > [group] > [AP] >> Status > Wireless to view detailed wireless information for an AP, including: packets sent and received, transmission errors, and other low-level events. APs that operate in the 2.4 GHz band may experience interference from 2.4 GHz cordless phones and microwave ovens. Physical characteristics of the location To maximize coverage of a wireless cell, wireless APs are best installed in an open area with as few obstructions as possible. Try to choose a location that is central to the area being served. Radio waves cannot penetrate metal; they are reflected instead. A wireless AP can transmit through wood or plaster walls and closed windows; however, the steel reinforcing found in concrete walls and floors may block transmissions or reduce signal quality by creating reflections. This can make it difficult or impossible for a single AP to serve users on different floors in a concrete building. Such installations require a separate wireless AP on each floor. Configuring overlapping wireless cells Overlapping wireless cells occur when two or more APs are operating within transmission range of each other. This may be under your control, (for example, when you use several cells to cover a large location), or out of your control (for example, when your neighbors set up their own wireless networks). When APs are operating in the 2.4 GHz band, overlapping wireless cells can cause performance degradation due to insufficient channel separation. Performance degradation and channel separation When two wireless cells operating on the same frequency overlap, throughput can be reduced in both cells. Reduced throughput occurs because a wireless user that is attempting to transmit data defers (delays) transmission if another station is transmitting. In a network with many users and much traffic, these delayed transmissions can severely affect performance, because wireless users may defer several times before the channel becomes available. If a wireless user is forced to delay transmission too many times, data can be lost. Delays and lost transmissions can severely reduce throughput on a network. To view this information about your network, select Controller > Controlled APs {group} > {AP} >> Status > Wireless. For recommendations on using this information to diagnose wireless problems, see the online help for this page. 4-3 Wireless configuration Wireless coverage The following example shows two overlapping wireless cells operating on the same channel (frequency). Since both APs are within range of each other, the number of deferred transmissions can be large. The solution to this problem is to configure the two AP to operate on different channels. Unfortunately, in the 2.4 GHz band, adjacent channels overlap. So even though APs are operating on different channels, interference can still our. This is not an issue in the 5 GHz band, as all channels are non-overlapping. Selecting channels in the 2.4 GHz band In the 2.4 GHz band, the center frequency of each channel is spaced 5 MHz apart (except for channel 14). Each 802.11 channel uses 20 MHz of bandwidth (10 MHz above and 10 MHz below the center frequency), which means that adjacent channels overlap and interfere with each other as follows: Channel Center frequency Overlaps channels 1 2 3 4 5 6 7 2412 2417 2422 2427 2432 2437 2442 2, 3 1, 3, 4 1, 2, 4, 5 2, 3, 5, 6 3, 4, 6, 7 4, 5, 7, 8 5, 6, 8, 9 Channel Center frequency Overlaps channels 8 9 10 11 12 13 14 2447 2452 2457 2462 2467 2472 2484 6, 7, 9, 10 7, 8, 10, 11 8, 9, 11, 12 9, 10, 12, 13 10, 11, 13 11, 12, To avoid interference, APs in the same area must use channels that are separated by at least 25 MHz (5 channels). For example, if an AP is operating on channel 3, and a second AP is operating on channel 7, interference occurs on channel 5. For optimal performance, the second AP should be moved to channel 8 (or higher). With the proliferation of wireless networks, it is possible that the wireless cells of APs outside your control overlap your intended area of coverage. To choose the best operating frequency, select Controlled APs >> Overview > Neighborhood to view a list of all APs that are operating nearby and their operating frequencies. 4-4 Wireless configuration Wireless coverage The number of channels available for use in a particular country are determined by the regulations defined by the local governing body and are automatically configured by the AP based on the Country setting you define. (See Assigning country settings to a group on page 6-30.) This means that the number of non-overlapping channels available to you varies by geographical location. The following table shows the number of channels that are available in North America, Japan, and Europe. Region Available channels North America 1 to 11 Japan 1 to 14 Europe 1 to 13 Since the minimum recommended separation between overlapping channels is 25 MHz (five channels) the recommended maximum number of overlapping cells you can have in most regions is three. The following table gives examples relevant to North America, Japan, and Europe (applies to 22 MHz channels in the 2.4 GHz band). North America Japan Europe cell 1 on channel 1 cell 1 on channel 1 cell 1 on channel 1 cell 2 on channel 6 cell 2 on channel 7 cell 2 on channel 7 cell 3 on channel 11 cell 3 on channel 14 cell 3 on channel 13 In North America you can create an installation as shown in the following figure. Reducing transmission delays by using different operating frequencies in North America. Alternatively, you can stagger cells to reduce overlap and increase channel separation, as shown in the following figure. 4-5 Wireless configuration Wireless coverage Using only three frequencies across multiple cells in North America. This strategy can be expanded to cover an even larger area using three channels, as shown in the following figure. Using three frequencies to cover a large area in North America. Gray areas indicate overlap between two cells that use the same frequency. Distance between APs Not supported on: E-MSM430, E-MSM460, E-MSM466 In environments where the number of wireless frequencies is limited, it can be beneficial to adjust the receiver sensitivity of the AP. To make the adjustment, select Controlled APS >> Configuration > Radio list > [radio] and set the Distance between access points option. For most installations, Distance between access points should be set to Large. However, if you are installing several wireless APs and the channels available to you do not provide enough separation, reducing receiver sensitivity can help you to reduce the amount of crosstalk between wireless APs. 4-6 Wireless configuration Wireless coverage Another benefit to using reduced settings is that it improves roaming performance. Wireless users switch between APs more frequently. Automatic transmit power control The automatic power control feature enables the AP to dynamically adjust its transmission power to avoid causing interference with neighboring HP ProCurve APs. For information see Transmit power control on page 4-32. Supporting 802.11n and legacy wireless clients The 802.11n standard is very similar to the 802.11g standard, in that both provide mechanisms to support older wireless standards. In the case of 802.11g, protection mechanisms were created to allow 802.11b and 802.11g wireless devices to co-exist on the same frequencies. The data rates of 802.11g (6, 9, 12, 18, 24, 36, 48 and 54 Mbps) are transmitted using Orthogonal Frequency Division Multiplexing (OFDM) modulation, while the data rates of 802.11b are transmitted using Direct Sequence Spread Spectrum (DSSS) modulation. Since older 802.11b-only clients cannot detect OFDM transmissions, 802.11g clients must “protect” their transmissions by first sending a frame using DSSS modulation. This frame – usually a CTS-to-self or RTS/CTS exchange – alerts 802.11b clients to not attempt to transmit for a specified period of time. If protection is not used, 802.11b clients may transmit a frame while an 802.11g frame is already being sent. This leads to a collision and both devices need to re-transmit. If there are enough devices in the network, the collision rate will grow exponentially and prevent any useful throughput from the wireless network. 802.11n clients face the same problem as described above – legacy 802.11b clients cannot detect the High Throughput (HT) rates that 802.11n uses. So to avoid causing excessive collisions, 802.11n clients must use the same protection mechanisms when a legacy client is present. Even the most efficient protection mechanism (CTS-to-self) causes a substantial decline in throughput; performance can decline by as much as 50 percent. For this reason, the protection behavior of the E-MSM430, E-MSM460, and E-MSM466 can be configured (see Tx protection on page 4-30) to allow network administrators greater flexibility over their deployments. Note 802.11n clients can only achieve maximum throughput when legacy clients are not present on the same radio. 4-7 Wireless configuration Radio configuration Radio configuration To define configuration settings for a radio, select Controller > Controlled APs >> Configuration > Radio list. This opens the Product radios page which lists all radios on all AP models. For example: To configure the radios for a product, select the product in the list. This opens the Radio(s) configuration page. The contents of this page varies depending on the product. The following screen shots show the Radio(s) configuration page for various products. In each case, Operating mode is set to Access Point and Local Mesh, and Advanced wireless settings has been expanded to show the complete set of configurable settings. 4-8 Wireless configuration Radio configuration E-MSM466 4-9 Wireless configuration Radio configuration E-MSM460 and E-MSM430 4-10 Wireless configuration Radio configuration MSM422 4-11 Wireless configuration Radio configuration MSM410 4-12 Wireless configuration Radio configuration MSM335 (radio 1 and 2) 4-13 Wireless configuration Radio configuration MSM335 (radio 3) 4-14 Wireless configuration Radio configuration MSM320 4-15 Wireless configuration Radio configuration MSM317 4-16 Wireless configuration Radio configuration MSM310 4-17 Wireless configuration Radio configuration Radio configuration parameters This section provides definitions for all configuration parameters that are present on all products. Regulatory domain Indicates the geographical region in which the AP is operating. To set the regulatory domain, see Assigning country settings to a group on page 6-30. Operating mode Select the operating mode for the radio. Available options are: Access point and Local mesh: Standard operating mode provides support for all wireless functions. (Not supported on radio 3 on the MSM335.) Access point only: Only provides AP functionality, local mesh links cannot be created. (Not supported on radio 3 on the MSM335.) Local mesh only: Only provides local mesh functionality. Wireless client stations cannot connect. Monitor: Disables AP and local mesh functions. Use this option for continuous scanning across all channels in all wireless modes. See the results of the scans by selecting Controlled APS >> Overview > Neighborhood. Sensor: Enables RF sensor functionality on the radio. HP APs are smart APs, and do not forward broadcast packets when no client stations are connected. Therefore, the RF sensor function will not be able to detect these APs unless they have at least one connected wireless client station. This feature requires that the appropriate license is installed on the AP. See Licenses on page 20-6. The following table shows the operating modes supported for each product. Access point and Local mesh Access point only Local mesh only Monitor Sensor MSM310 MSM310-R ✔ ✔ ✔ ✔ ✕ MSM320 MSM320-R ✔ ✔ ✔ ✔ ✔ MSM325 ✔ ✔ ✔ ✔ ✔ MSM335 (Radio 1 + 2) ✔ ✔ ✔ ✔ ✔ MSM335 (Radio 3) ✕ ✕ ✔ ✔ ✔ MSM410 ✔ ✔ ✔ ✔ ✕ Product 4-18 Wireless configuration Radio configuration Product Access point and Local mesh Access point only Local mesh only Monitor Sensor MSM422 ✔ ✔ ✔ ✔ ✕ MSM317 ✕ ✔ ✕ ✔ ✕ E-MSM430 ✔ ✔ ✔ ✔ ✕ E-MSM460 ✔ ✔ ✔ ✔ ✕ E-MSM466 ✔ ✔ ✔ ✔ ✕ The following table shows all radio parameters that are configurable for each operating mode. Access point Access and Local mesh point only Parameter Local mesh only Monitor Sensor Regulatory domain ✔ ✔ ✔ ✔ ✔ Wireless mode ✔ ✔ ✔ ✔ ✕ Channel width ✔ ✔ ✔ ✔ ✕ Channel extension ✔ ✔ ✔ ✔ ✕ Channel ✔ ✔ ✔ ✔ ✕ Interval ✔ ✔ ✔ ✕ ✕ Time of day ✔ ✔ ✔ ✕ ✕ Automatic channel exclusion list ✔ ✔ ✔ ✕ ✕ Antenna selection ✔ ✔ ✔ ✕ ✔ Antenna gain ✔ ✔ ✔ ✕ ✕ Max clients ✔ ✔ ✔ ✕ ✕ Collect statistics for wireless clients ✔ ✔ ✔ ✕ ✕ Tx beamforming ✔ ✔ ✔ ✕ ✕ RTS threshold ✔ ✔ ✔ ✕ ✕ Spectralink VIEW ✔ ✔ ✔ ✕ ✕ Tx protection ✔ ✔ ✔ ✕ ✕ Guard interval ✔ ✔ ✔ ✕ ✕ Maximum range (ack timeout) ✔ ✕ ✔ ✕ ✕ Distance between APs ✔ ✔ ✔ ✕ ✕ Beacon interval ✔ ✔ ✔ ✕ ✕ Multicast Tx rate ✔ ✔ ✔ ✕ ✕ Transmit power control ✔ ✔ ✔ ✕ ✕ Certain parameters are not supported on all radios. Refer to the parameter descriptions that follow for details. 4-19 Wireless configuration Radio configuration Wireless mode Supported wireless modes are determined by the regulations of the country in which the AP is operating, and are controlled by the country setting on the AP. To configure the country setting, see Assigning country settings to a group on page 6-30. E-MSM430, E-MSM460, and E-MSM466 These products support the following wireless modes. 802.11n/a Supported on Radio 1, Radio 2 Frequency band 5 GHz Data rates For 802.11n clients: Up to 450 Mbps on the E-MSM466 and E-MSM460, and up to 300 Mbps on the E-MSM430. For 802.11a clients: Up to 54 Mbps on the E-MSM430, E-MSM460, and E-MSM466. When operating in this mode, the AP allows both 802.11n and legacy 802.11a clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel. This alerts associated 802.11n clients to use protection when transmitting. The AP also uses protection when necessary when sending 802.11n data. The type of protection is configurable by setting the Tx protection parameter. 802.11n/b/g Supported on Radio 2 Frequency band 2.4 GHz Data rates For 802.11n clients: Up to 450 Mbps on the E-MSM466 and E-MSM460 and up to 300 Mbps on the E-MSM430. These values are achievable when using a 40 MHz channel width, which is not recommended in the 2.4 GHz frequency band. For 802.11g clients: Up to 54 Mbps on the E-MSM430, E-MSM460, and E-MSM466. For 802.11b clients: Up to 11 Mbps on the E-MSM430, E-MSM460, and E-MSM466. When operating in this mode, the AP allows both 802.11n and legacy 802.11b/g clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel. This alerts associated 802.11n clients to use protection when transmitting. The AP also uses protection when necessary when sending 802.11n data. The type of protection is configurable by setting the Tx protection parameter. 4-20 Wireless configuration Radio configuration MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 These products support the following wireless modes. 802.11n (5 GHz) Supported on MSM422 (radio 1), MSM410 Frequency band 5 GHz Data rates Up to 300 Mbps. HP refers to this mode as Pure 802.11n. When operating in this mode, the AP does not permit non-802.11n clients to associate. Legacy clients can see the access point, and may attempt to associate, but they will be rejected. The AP makes this determination based on the supported rates that the client presents during its association request. If the rates do not include any of the 802.11n (HT) rates (MCS0-MCS15), the client is not allowed to associate. The AP also does not use protection mechanisms (RTS/CTS or CTS-to-self when operating in this mode). This can potentially cause problems with other APs/clients operating on the same channel in 802.11a mode, but provides the best throughput for the AP and its 802.11n clients. The AP will still signal associated clients to use protection when they send data. The AP does this via a field in the beacon that it sends. So clients sending data to the AP will use protection, but data sent from the AP will not be protected. Note This mode is sometimes incorrectly called Greenfield. Greenfield is an 802.11n-specific preamble that can be used by clients and APs. HP APs do not support this preamble and therefore do not support Greenfield mode. When to use this mode Use this mode when the AP is installed in an area where there is no legacy wireless traffic on the channel that the AP will use, and all potential wireless client devices support 802.11n. 802.11n (2.4 GHz) Supported on MSM422 (radio 1), MSM410 Frequency band 2.4 GHz Data rates Up to 300 Mbps. HP refers to this mode as Pure 802.11n. When operating in this mode, the AP does not permit non-802.11n clients to associate. Legacy clients can see the access point, and may attempt to associate, but they will be rejected. The AP makes this determination based on the supported rate set that the client presents during its association request. If the rate set does not include any of the 802.11n (HT) rates (MCS0-MCS15), it is not allowed to associate. 4-21 Wireless configuration Radio configuration The AP does not use protection mechanisms (RTS/CTS or CTS-to-self) when operating in this mode, which provides for the best throughput tor the AP and its 802.11n clients. However, if legacy clients are using the same channel, this can lead to collisions and potentially serious performance deterioration for all traffic (802.11n and legacy a/b/g) on the channel. The AP will still signal associated clients to use protection when they send data. The AP does this via a field in the beacons that it sends. So clients sending data to the AP will use protection, but data sent from the AP will not be protected. Note This mode is sometimes incorrectly called Greenfield. Greenfield is an 802.11n-specific preamble that can be used by clients and APs. HP APs do not support this preamble and therefore do not support Greenfield mode. When to use this mode Use this mode when the AP is installed in an area where there is no legacy wireless traffic on the channel that the AP will use, and all potential wireless client devices support 802.11n. 802.11n/a Supported on MSM410, MSM422 (radio 1) Frequency band 5 GHz Data rates For 802.11n clients: Up to 300 Mbps. For 802.11a clients: Up to 54 Mbps. HP refers to this mode as Compatibility mode because the AP allows both 802.11n and legacy clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel. This alerts associated 802.11n clients to use protection when transmitting. The AP also uses protection mechanisms (RTS/CTS or CTS-to-self) when sending 802.11n data to prevent disruption to legacy clients associated on the same channel. 802.11n/g Supported on MSM410, MSM422 (radio 1) Frequency band 2.4 GHz Data rates For 802.11n clients: Up to 130 Mbps. (Up to 300 Mbps when using a 40 MHz channel width, which is not recommended in the 2.4 GHz frequency band.) For 802.11g clients: Up to 54 Mbps. This mode is the same as 802.11n/b/g except that 802.11b clients are prevented from associating. The AP does not advertise 1, 2, 5.5 and 11 Mbps as supported rates in its beacons or Probe-Responses. The AP does not tell 802.11g clients to use protection, and 4-22 Wireless configuration Radio configuration this can cause collisions with any 802.11b clients present on the same channel. However, the AP uses protection mechanisms (RTS/CTS or CTS-to-self) when sending 802.11n data to prevent disruption to legacy (802.11a/b/g) clients associated on the same channel. 802.11n/b/g Supported on MSM410, MSM422 (radio 1) Frequency band 2.4 GHz Data rates For 802.11n clients: Up to 130 Mbps. (Up to 300 Mbps when using a 40 MHz channel width, which is not recommended in the 2.4 GHz frequency band.) For 802.11g clients: Up to 54 Mbps. For 802.11b clients: Up to 11 Mbps. HP refers to this mode as Compatibility mode because the AP allows both 802.11n and legacy clients to associate. The AP advertises protection in the beacon when legacy clients are associated or operating on the same channel. This alerts associated 802.11n clients to use protection when transmitting. The AP also uses protection mechanisms (RTS/CTS or CTS-to-self) when sending 802.11n data to prevent disruption to legacy clients associated on the same channel. 802.11b Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 2.4 GHz Data rates Up to 11 Mbps. This is a legacy mode that can be used to support older wireless client stations. 802.11b/g Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 2.4 GHz Data rates For 802.11g clients: Up to 54 Mbps. For 802.11b clients: Up to 11 Mbps. This is a legacy mode that can be used to support older wireless client stations. 4-23 Wireless configuration Radio configuration 802.11g Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 2.4 GHz Data rates Up to 54 Mbps. This is a legacy mode that can be used to support older wireless client stations. 802.11a Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 5 GHz Data rates Up to 54 Mbps. This is a legacy mode that can be used to support older wireless client stations. 802.11a Turbo Supported on MSM310, MSM317, MSM320, MSM335, MSM410, MSM422 Frequency band 5 GHz Data rates Up to 108 Mbps. Provides channel bonding in the 5 GHz frequency band for enhanced performance. Useful to provide increased throughput when creating local mesh links between two APs. Channel width Supported on: MSM410, MSM422 (radio 1), E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. 802.11n allows for the use of the standard channel width of 20 MHz or a double width of 40 MHz. The double width is achieved by using two adjacent channels to send data simultaneously. This results in double the available bandwidth leading to much higher throughput. Select the Channel width that will be used for 802.11n traffic. Available options are: Note 4-24 20 MHz: Uses the standard channel width of 20 MHz. Recommended when the AP is operating in the 2.4 GHz band and multiple networks must co-exist in the same location. Auto 20/40 MHz: The AP will advertise 40 MHz support to clients, but will use 20 MHz for each client that does not support 40 MHz. On the E-MSM466, E-MSM460, and E-MSM430, when operating in the 2.4 GHz band, the AP will automatically switch to using a 20 MHz channel width if a legacy 802.11b/g client or AP is detected on the primary channel. When the legacy device is no longer present, the AP will revert back to using a 40 MHz channel width. Wireless configuration Radio configuration The channel selected on the radio page is the primary channel and the secondary (or extension) channel is located adjacent to it. The secondary channel is either above or below depending on which channel was selected as the primary. In the 5 GHz band, the channels are paired: 36 and 40 are always used together, 44 and 48 are always used together, etc. It works slightly differently in the 2.4 GHz band: there you choose whether the extension channel should be above or below the beacon using the Channel extension parameter. See the Channel parameter for more information. Channel extension Supported on: MSM410, MSM422 (radio 1), E-MSM430 (radio 2), E-MSM460 (radio 2), E-MSM466 (radio 2) Not available in Sensor mode. This setting only appears when Wireless mode is set to 802.11n (2.4 GHz), 802.11n/b/g, or 802.11 n/g and Channel width is set to Auto 20/40 MHz. This setting determines where the second 20 MHz channel is located. Above the beacon (+1): The secondary channel is located on a channel above the currently selected channel. Below the beacon (-1):The secondary channel is located on a channel below the currently selected channel. Channel Select channel (frequency) for wireless services. The channels that are available are determined by the radio installed in the AP and the regulations that apply in your country. Automatic channel selection Use the Automatic option to have the AP select the best available channel. Control how often the channel selection is re-evaluated by setting the Interval parameter. Caution On the E-MSM430, E-MSM460, E-MSM466: Scanning during the channel selection process can cause interruptions to voice calls. This only occurs each time the Interval expires. Therefore, configuring a short Interval is not recommended. On the MSM310, MSM320, MSM335, MSM410, MSM422: Scanning is continuously performed on all the channels in the currently selected Operating mode, even though the channel is only re-evaluated each time the Interval expires. (If Interval is set to Disabled, continuous scanning is not performed.) Continuous scanning can cause interruptions to voice calls. On dual-radio APs, you can avoid interruptions by setting one radio to operate in Monitor mode. For example, if radio 1 is set to Automatic and radio 2 is in Monitor mode, scanning occurs on radio 2 and interruptions on radio 1 do not occur. When using the Automatic option with an external antenna in the 2.4 GHz band, all channels must be set to the lowest acceptable value for your regulatory domain. See Transmit power control on page 4-32. 4-25 Wireless configuration Radio configuration Manual channel selection If setting the channel manually, for optimal performance when operating in 2.4 GHz modes, select a channel that differs from other wireless APs operating in neighboring cells by at least 25 MHz. For example, if another AP is operating on channel 1, set the AP to channel 6 or higher. See Wireless neighborhood on page 4-34 to view a list of APs currently operating in your area. For detailed information on selecting channels when operating at 2.4 GHz, see Selecting channels in the 2.4 GHz band on page 4-4. When operating in 802.11a or 802.11n (5 GHz) modes, channels do not interfere with each other, enabling APs to operate on two adjacent channels without interference. HP APs support Dynamic Frequency Selection (802.11h) and Transmit Power Control (802.11d) for 802.11a operation in European countries. These options are automatically enabled as required. Channels used by dynamic frequency selection (DFS) for radar avoidance, are identified with an asterisk “*”. On the MSM410, MSM422 (radio 1), E-MSM430, E-MSM460, E-MSM466: When Wireless mode is 802.11n (5 GHz) or 802.11n/a and Channel width is Auto 20/40 MHz, the channel numbers in the Channel list include either a “(1)” or “(-1)” to their right. A “(1)” indicates that the 40 MHz channel is formed from the indicated channel plus the next channel. A “-1” indicates that the 40 MHz channel is formed from the indicated channel plus the previous channel. With a 40 MHz Channel width in the 5 GHz band, channel selection and usage is as follows for the first four channels: Note Channels used 36(1) 36+40 40(-1) 40+36 44(1) 44+48 48(-1) 48+44 The channel selected is the primary channel and the channel above or below it becomes the secondary channel. The AP beacon is transmitted only on the primary channel and all legacy client traffic is carried on the primary channel. 4-26 Channel selected On the MSM410, MSM422 (radio 1): When Wireless mode is 802.11n (2.4 GHz) or 802.11n/g or 802.11n/b/g, and Channel width is Auto 20/40 MHz, the Channel extension parameter value affects which channels are shown in the Channel list. Although it is recommended that you use the 5 GHz band for all 802.11n activity, if you insist upon using 802.11n and a 40 MHz Channel width in the crowded 2.4 GHz band, it is Wireless configuration Radio configuration best to select channels as follows, according to the number of 2.4 GHz channels available in your region. Available 2.4 GHz channels Channel width Recommended non-overlapping channels 1 to 13 20 MHz 1, 7, 13 1 to 13 40 MHz 1, 13 (If both are used, there will be some performance degradation.) 1 to 11 20 MHz 1, 6, 11 1 to 11 40 MHz 1, 11 (If both are used, there will be some performance degradation.) Interval Not available in Monitor or Sensor modes. When the Automatic option is selected for Channel, this parameter determines how often the AP re-evaluates the channel setting. Select Time of day to have the channel setting reevaluated at a specific time of day. Select Time of day to have the channel setting re-evaluated at a specific time of day. Note that to prevent all APs from re-evaluating their channel at the same time, a random delay between 0 and 2 hours is added to the time of day for each AP. Select Disabled to have the scan performed once when you select Save, and then only when the AP is restarted. This also prevents continuous scanning from being performed on the MSM310, MSM320, MSM335, MSM410, and MSM422. Time of day Not available in Monitor or Sensor modes. When the Time of day option is selected for Interval, this parameter determines the time of day that the AP re-evaluates the channel setting. To prevent APs from re-evaluating their channel at the same time, a random delay between 0 and 2 hours is added to the time of day for each AP. For example, if 1AM is selected, the channel with be re-evaluated between 1AM and 3AM. Automatic channel exclusion list Not available in Monitor or Sensor modes. Used when Automatic is selected under Channel, this parameter determines the channels that are not available for automatic selection. To select more than one channel, hold down Ctrl as you select the channel names. 4-27 Wireless configuration Radio configuration Antenna selection Supported on: MSM310, MSM320, MSM335, MSM422 Not available in Monitor or Sensor modes. Select the antenna(s) to use for each radio. Antenna support varies on each AP. For a list of supported external antennas, see Connecting external antennas in the MSM3xx / MSM4xx Access Points Management and Configuration Guide. In most APs, antenna diversity is supported. Diversity provides improved signal quality by using multiple antennas on the same radio. Note When using an external antenna, it is your responsibility to make sure that the radio does not exceed the transmit power level for the country of use. See Transmit power control on page 4-32. When creating a point-to-point local mesh link, it is recommended that you use an external directional antenna. MSM310, MSM310-R, and MSM320 Select Diversity, Main, or Auxiliary according to the following guidelines: For a single antenna, connect one antenna to either Main or Aux and select the corresponding value. For maximum wireless coverage, install an omnidirectional antenna on the Main and Aux antenna connectors and select Diversity. When creating a point-to-point wireless bridge, it is recommended that a single directional antenna be used on either Main or Aux. MSM320-R Only two antenna connectors are available on the MSM320-R. To use both radios, connect an antenna to each connector. Diversity is not supported. MSM335 Select either Internal or External according to the following guidelines: The MSM335 features six internal antennas in its two flaps, providing two antennas for each of its three radios. Radios 1, 2, and 3, have corresponding external antenna connectors A, B, and C for optional external antennas. Diversity is supported on all three radios via the internal antennas. but not when using external antennas. MSM422 Select either Internal or External according to the following guidelines: 4-28 The MSM422 features three internal antennas in the lower flap for Radio 1 (802.11n/a/b/g) (corresponding to external connectors A, B, and C) and two internal antennas in the upper flap for Radio 2 (801.11a/b/g) (corresponding to external connector D). If desired, install optional antennas via the external connectors. Radio 1 supports diversity on its internal and external antennas (connectors A, B, and C). In 802.11n modes, a special form of diversity called MIMO is used. Wireless configuration Radio configuration For point-to-point local mesh links on Radio 1, install two directional antennas on connectors A and B. Installing a third directional antenna on connector C will increase performance only on the receive side. Radio 2 supports diversity via its two internal antennas. but not when using an external antenna. Antenna gain Supported on: MSM310. MSM310-R, MSM320, MSM320-R, E-MSM466 Not available in Monitor or Sensor modes. For optimum performance, this parameter must be set to the gain of the antenna at the selected frequency (DFS channel). Max clients Not available in Monitor or Sensor modes. Specify the maximum number of wireless client stations that can be supported on this radio across all VSCs. Advanced wireless settings Collect statistics for wireless clients Not available in Monitor or Sensor modes. When this option is enabled, the AP collects statistics for connected wireless client stations. The statistical information can be retrieved via SNMP from the following MIBs: MIB Table COLUBRIS-DEVICE-WIRELESS-MIB.my (controlled mode) COLUBRIS-IEEE802DOT11.my (autonomous mode) coDot11DetectedStationTable Tx beamforming Supported on: E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. Tx beamforming can be used to help increase throughput by improving the quality of the signal sent to wireless clients When this option is enabled, APs use beamforming techniques to optimize the signal strength for each individual wireless client station. Beamforming works by changing the characteristics of the transmitter to create a focused beam that can be more optimally received by a wireless station. 4-29 Wireless configuration Radio configuration HP APs support the following two explicit beamforming techniques: Non-compressed beamforming, in which the client station calculates and sends the steering matrix to the AP. Compressed beamforming, in which the client station sends a compressed steering matrix to the AP. Radio calibration is not required to use either of these two methods. Note Beamforming only works with wireless clients that are configured to support it. RTS threshold Not available in Monitor or Sensor modes. Use this parameter to control collisions on the link that can reduce throughput. If the Controlled APs > [group] > [AP] >> Status > Wireless page shows increasing values for Tx multiple retry frames or Tx single retry frames, adjust this value until the errors clear. Start with a value of 1024 and decrease to 512 until errors are reduced or eliminated. Note that using a small value for RTS threshold can affect throughput. Range: 128 to 1540. If a packet is larger than the threshold, the AP holds the packet and issues a request to send (RTS) message to the client station. The AP sends the packet only when the client station replies with a clear to send (CTS) message. Packets smaller than the threshold are transmitted without this handshake. Spectralink VIEW Supported on: MSMS310, MSM320, MSM335, MSM410, MSM422 Not available in Monitor or Sensor modes. Provides support for Spectralink phones using Spectralink Voice Interoperability for Enterprise Wireless (VIEW) extensions. Tx protection Supported on: E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. When an AP is operating in an 802.11n mode, and legacy (a/b/g) traffic is present on the same channel as 802.11n traffic, this feature can be used to ensure maximum 802.11n throughput. The following options are available: 4-30 CTS-to-self: 802.11n transmissions are protected by sending a Clear To Send (CTS) frame that blocks other wireless clients from accessing the wireless network. RTS/CTS: 802.11n transmissions are protected by sending a Request To Send (RTS) frame followed by a CTS frame. This is a more robust, but slower, solution than CTSto-self. However, this method resolves the hidden station problem (where certain legacy stations may not see only a CTS frame). Wireless configuration Radio configuration No MAC protection: This setting gives the best performance for 802.11n clients in the presence of 802.11g or 802.11a legacy clients or APs. No protection frames (CTSto-self or RTS/CTS) are sent at the MAC layer by the AP. PHY-based protection remains active, which alerts legacy clients to stay off the air while the AP is transmitting data to 802.11n clients. This method of protection is supported by most 802.11g or 802.11a clients, but is not supported for 802.11b-only clients and should not be used if such clients are expected on the network. Guard interval Supported on: MSM410, MSM422 (radio 1), E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. This parameter is only configurable when Wireless mode is set to support an 802.11n option. On the MSM410 and MSM422, Guard interval is automatically set to Long when Channel width is set to 20 MHz. To enhance performance in 802.11n modes, the guard interval can be reduced from its default of 800 nanoseconds to 400. The guard interval is the intersymbol time period that is used to prevent symbol interference when multiple data streams are used (MIMO). However, symbol interference reduces the effective SNR of the link, so reducing the guard interval may not improve performance under all conditions. The following settings are available: Short: Sets the guard interval to 400 nanoseconds which can provide improved throughput (up to 10%) in some environments. The AP remains compatible with clients that only support a long guard interval. Use this setting when Channel width is set to Auto 20/40 MHz to get the best throughput. Long: Sets the guard interval to the standard of 800 nanoseconds. Maximum range (ack timeout) Only available in modes that support Local Mesh. Fine tunes internal timeout settings to account for the distance that a link spans. For normal operation, timeout is optimized for links of less than 1 km. Note This is a global setting that applies to all wireless connection made with the radio. Therefore, adjusting this setting may lower the performance for users with marginal signal strength or when interference is present. (Essentially, it means that if a frame needs to be retransmitted it will take longer before the actual retransmit takes place.) 4-31 Wireless configuration Radio configuration Distance between APs Not supported on: E-MSM430, E-MSM460, E-MSM466 Not available in Monitor or Sensor modes. Use this parameter to adjust the receiver sensitivity of the AP only if: You have more than one wireless AP installed in your location. You are experiencing throughput problems. In all other cases use the default setting of Large. If you have installed multiple APs, reducing the receiver sensitivity helps to reduce the amount of cross-talk between the wireless stations to better support roaming clients. It also increases the probability that client stations connect with the nearest AP. Available settings Note Large: Accepts all clients. Medium: Accepts clients with an RSSI greater than 15 dB. Small: Accepts clients with an RSSI greater than 20 dB. RSSI (Received Signal Strength Indication) is the difference between the amount of noise in an environment and the wireless signal strength. It is expressed in decibels (dB). The higher the number the stronger the signal. Beacon interval Not available in Monitor or Sensor modes. Sets the number of time units (TUs) that the AP waits between transmissions of the wireless beacon. One TU equals 1024 microseconds. The default interval is 100 TU, which is equal to 102.4 milliseconds. Supported range is from 20 to 500 TU. Multicast Tx rate Not available in Monitor or Sensor modes. Use this parameter to set the transmit rate for multicast and broadcast traffic. This is a fixed rate, which means that if a station is too far away to receive traffic at this rate, the multicast is not be seen by the station. Transmit power control Not available in Monitor or Sensor modes. Use these parameters to control the transmission power of the wireless radio. Adjustments to the transmission power may be required for two reasons. First, when using an optional external antenna, it may be necessary to reduce power levels to remain in compliance with local regulations. Second, it may be necessary to reduce power levels to avoid interference between APs and other radio devices. 4-32 Wireless configuration Radio configuration Important For a list of supported external antennas, see Connecting external antennas in the MSM3xx / MSM4xx Access Points Management and Configuration Guide. When using antennas not originally supplied with the AP, it is your responsibility to ensure that the Transmit power control settings are configured so that the radio will not exceed permissible power levels for the regulatory domain in which the AP is operating. Depending on the regulatory domain, the specific antenna chosen, the wireless mode, channel width, band or channel selected, you may need to configure the radio with a reduced transmit power setting. When using Automatic channel selection with an external antenna in the 2.4 GHz band, all channels must be set to the lowest acceptable value for your regulatory domain. Caution For specific power limits according to your regulatory domain, consult the Antenna Power-Level Settings Guide available at www.hp.com/networking/support (for Product Brand, select ProCurve and search for your antenna). For example, if you install an external 8 dBi directional antenna, and the maximum allowed power level for your country is 15 dBm, you may have to reduce the transmit power level to be in compliance. If you change the antenna at a later time, you must get the latest version of the Antenna Power-Level Settings Guide, and again reassess and possibly adjust radio power settings according to the antenna used. When setting Transmit power control to comply with information in the Antenna Power-Level Settings Guide, always set radio power in dBm, and not as a percentage. Maximum output power Shows the maximum output power that can be supported by the radio based on the regulatory domain. Use maximum power Select this checkbox to use the maximum available output power. Set power to Specify the transmission power in dBm or as a percentage of the maximum output power. When you select Save, percentage values are rounded up or down so that the dBm value is always a whole number). Note that the actual transmit power used by the radio may be less than the specified value. The AP determines the maximum power to be used based on the regulatory domain. Automatic power control Select this checkbox to have the AP automatically determine the optimal power setting within the defined power limits (i.e., up to the specified percentage/dBm value). Interval Specify the interval at which the Automatic power control feature adjusts the optimal power setting. 4-33 Wireless configuration Wireless neighborhood Wireless neighborhood Select Controlled APs >> Overview > Neighborhood to view information on APs operating in your area. This page presents a list of all APs that have been detected by all of the controlled APs. For example: You can also view the list detected by a specific controlled AP by selecting in the Network Tree. Scanning modes The way in which the AP performs scanning depends on the configuration of the wireless radio (Wireless > Radio page). The following scanning modes are possible: Monitor mode: When a radio has its Operating mode set to Monitor, scanning occurs continuously. The scan switches to a new channel every 200 ms, sequentially covering all supported wireless modes and channels. Use this method to quickly obtain an overview of all APs in your area for site planning, or for initial configuration of the authorized access points list. Monitor mode scanning is temporarily disabled when a trace is active (Tools > Network trace page). Automatic channel selection: When the Automatic channel selection feature is enabled, scanning occurs as follows: 4-34 On the E-MSM430, E-MSM460, E-MSM466: Scanning only occurs when the channel selection interval expires. This may cause interruptions to voice calls. Therefore, configuring a short channel selection interval is not recommended. Wireless configuration Viewing wireless information On the MSM310, MSM320, MSM335, MSM410, MSM422: Scanning is continuously performed on all the channels in the currently selected Operating mode, even though the channel is only re-evaluated each time the channel selection interval expires. (If the interval is set to Disabled, continuous scanning is not performed.) Continuous scanning can cause interruptions to voice calls. On dualradio APs, you can avoid interruptions by setting one radio to operate in monitor mode. For example, if radio 1 is set to automatic channel scanning and radio 2 is in monitor mode, scanning occurs on radio 2 and interruptions on radio 1 do not occur. Viewing wireless information Viewing all wireless clients To view information on all wireless client stations, select Controlled APs >> Overview > Wireless clients. This page lists all wireless clients associated with all VSCs. AP name Name of the AP the with which the client station is associated. Radio Radio on the AP that the client station is using. MAC Address MAC address of the client station. Select the MAC address to view more detailed information on the client. IP address IP address assigned to the client station. SSID SSID assigned to the client station. Security Indicates if the client station has been authorized. 4-35 Wireless configuration Viewing wireless information Duration Indicates how long the client station has been authorized. Signal Indicates the strength of the radio signal received from client stations. Signal strength is expressed in decibel milliwatt (dBm). The higher the number the stronger the signal. Noise Indicates how much background noise exists in the signal path between client stations and the AP. Noise is expressed in decibel milliwatt (dBm). The lower (more negative) the value, the weaker the noise. SNR Indicates the relative strength of the client station radio signals versus the radio interference (noise) in the radio signal path. In most environments, SNR is a good indicator for the quality of the radio link between the client stations and the AP. A higher SNR value means a better quality radio link. Action Select Disassociate to disconnect a wireless client. Viewing info for a specific wireless client To view information on a specific wireless client station, select Controlled APs >> Overview > Wireless clients, and then in the table, select the MAC address of the client. 4-36 Wireless configuration Viewing wireless information The information you see will vary depending on the AP to which the client is connected. For example, the following shows the status page for a client connected to an MSM317. For a complete description of all fields see the online help. 4-37 Wireless configuration Viewing wireless information Viewing wireless client data rates To view information on all wireless client stations currently connected to the AP, select Controlled APs >> Overview > Wireless rates. This page shows the volume of traffic sent and received at each data rate for each client station. Headings in bold indicate the data rates that are currently active for the wireless mode being used. 4-38 Wireless configuration Viewing wireless information Wireless access points To view wireless information for an AP, select Controlled APs > [group] > [AP] >> Status > Wireless. The information you see will vary depending on the AP. For example, this is the status page for an MSM317: Access point status Wireless port UP: Port is operating normally. DOWN: Port is not operating. Frequency The current operating frequency. Protocol Identifies the wireless protocol used by the AP to communicate with client stations. Mode Current operation mode. 4-39 Wireless configuration Viewing wireless information Tx power Current transmission power. Transmit protection status Disabled: HT protection / G protection is disabled. B clients: G protection is enabled because a B client is connected to the AP. B APs: G protection is enabled because a B client is connected to another AP on the same channel used by the AP. AG clients: HT protection is enabled because a non-HT client is connected to the AP. AG APs: HT protection is enabled because a non-HT AP is present on the same channel used by the AP. Tx multicast octets The number of octets transmitted successfully as part of successfully transmitted multicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments. Tx unicast octets The number of octets transmitted successfully as part of successfully transmitted unicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments. Tx fragments The number of MPDUs of type Data or Management delivered successfully; i.e., directed MPDUs transmitted and being ACKed, as well as non-directed MPDUs transmitted. Tx multicast frames The number of MSDUs, of which the Destination Address is a multicast MAC address (including broadcast MAC address), transmitted successfully. Tx unicast frames The number of MSDUs, of which the Destination Address is a unicast MAC address, transmitted successfully. This implies having received an acknowledgment to all associated MPDUs. Tx discards wrong SA The number of transmit requests that were discarded because the source address is not equal to the MAC address. Tx discards The number of transmit requests that were discarded to free up buffer space on the AP. This can be caused by packets being queued too long in one of the transmit queues, or because too many retries and defers occurred, or otherwise not being able to transmit (for example, when scanning). 4-40 Wireless configuration Viewing wireless information Tx retry limit exceeded The number of times an MSDU is not transmitted successfully because the retry limit is reached, due to no acknowledgment or no CTS received. Tx multiple retry frames The number of MSDUs successfully transmitted after more than one retransmission (on the total of all associated fragments). May be due to collisions, noise, or interference. Excessive retries can indicate that too many computers are using the wireless network or that something is interfering with transmissions. Tx single retry frames The number of MSDUs successfully transmitted after one (and only one) retransmission (on the total of all associated fragments). May be due to collisions, noise, or interference. Large numbers of single retries can indicate that too many computers are using the wireless network or that something is interfering with transmissions. Tx deferred transmissions The number of MSDUs for which (one of) the (fragment) transmission attempt(s) was one or more times deferred to avoid a collision. Large numbers of deferred transmissions can indicate that too many computers are using the wireless network. QoS low priority tx Total number of QoS low priority packets that have been sent. QoS medium priority tx Total number of QoS medium priority packets that have been sent. QoS high priority tx Total number of QoS high priority packets that have been sent. QoS very high priority tx Total number of QoS very high priority packets that have been sent. Tx packets (Not shown on the E-MSM460) The total number of packets transmitted. Tx dropped (Not shown on the E-MSM460) The number of packets that could not be transmitted. This can occur when the wireless configuration is being changed. Tx errors (Not shown on the E-MSM460) The total number of packets that could not be sent due to the following errors: Rx retry limit exceeded and TX discards wrong SA. 4-41 Wireless configuration Viewing wireless information Rx packets (Not shown on the E-MSM460) The total number of packets received. Rx dropped (Not shown on the E-MSM460) The number of received packets that were dropped due to lack of resources on the AP. This should not occur under normal circumstances. A possible cause could be if many client stations are continuously transmitting small packets at a high data rate. Rx multicast octets The number of octets received successfully as part of multicast (including broadcast) MSDUs. These octets include MAC Header and Frame Body of all associated fragments. Rx unicast octets The number of octets received successfully as part of unicast MSDUs. These octets include MAC Header and Frame Body of all associated fragments. Rx fragments The number of MPDUs of type Data or Management received successfully. Rx multicast frames The number of MSDUs, with a multicast MAC address (including the broadcast MAC address), as the Destination Address, received successfully. Rx unicast frames The number of MSDUs, with a unicast MAC address as the Destination Address received successfully. Rx discards no buffer The number of received MPDUs that were discarded because of lack of buffer space. Rx discards WEP excluded The number of discarded packets, excluding WEP-related errors. Rx discards WEP ICV error The number of received MPDUs that were discarded due to malformed WEP packets. Rx MSG in bad msg fragments The number of MPDUs of type Data or Management received successfully, while there was another reception going on above the carrier detect threshold but with bad or incomplete PLCP Preamble and Header (the message-in-message path #2 in the modem). 4-42 Wireless configuration Viewing wireless information Rx MSG in msg fragments The number of MPDUs of type Data or Management received successfully, while there was another good reception going on above the carrier detect threshold (the message-in-message path #2 in the modem). Rx WEP undecryptable The number of received MPDUs, with the WEP subfield in the Frame Control field set to one, that were discarded because it should not have been encrypted or due to the receiving station not implementing the privacy option. Rx FCS errors The number of MPDUs, considered to be destined for this station (Address matches), received with an FCS error. Note that this does not include data received with an incorrect CRC in the PLCP header. These are not considered to be MPDUs. Clear counters Select this button to reset all counters to zero. 4-43 Wireless configuration Viewing wireless information 4-44 Chapter 5: Working with VSCs 5 Working with VSCs Contents Key concepts.................................................................................................................5-3 Viewing and editing VSC profiles ........................................................................5-4 The default VSC .....................................................................................................5-4 VSC configuration options ..........................................................................................5-5 About access control and authentication...........................................................5-6 Summary of VSC configuration options .............................................................5-8 Access control........................................................................................................5-9 Virtual AP..............................................................................................................5-10 VSC ingress mapping...........................................................................................5-16 VSC egress mapping ............................................................................................5-17 Bandwidth control...............................................................................................5-17 Default user data rates........................................................................................5-18 Wireless mobility .................................................................................................5-18 Fast wireless roaming .........................................................................................5-20 Wireless security filters.......................................................................................5-20 Wireless protection..............................................................................................5-23 802.1X authentication .........................................................................................5-26 RADIUS authentication realms..........................................................................5-26 HTML-based user logins .....................................................................................5-27 VPN-based authentication ..................................................................................5-28 MAC-based authentication .................................................................................5-28 Location-aware ....................................................................................................5-29 Wireless MAC filter..............................................................................................5-29 Wireless IP filter...................................................................................................5-30 DHCP server.........................................................................................................5-30 DHCP relay agent ................................................................................................5-31 Working with VSCs VSC data flow .............................................................................................................5-32 Access control enabled.......................................................................................5-32 Access control disabled......................................................................................5-34 Using multiple VSCs...................................................................................................5-36 About the default VSC ...............................................................................................5-36 Quality of service (QoS) ............................................................................................5-37 Priority mechanisms ...........................................................................................5-38 IP QoS profiles .....................................................................................................5-40 Upstream DiffServ tagging .................................................................................5-41 Upstream/downstream traffic marking ............................................................5-41 QoS example ........................................................................................................5-43 Creating a new VSC....................................................................................................5-44 Assigning a VSC to a group .......................................................................................5-44 5-2 Working with VSCs Key concepts Key concepts A VSC (virtual service community) is a collection of configuration settings that define key operating characteristics of the controller and controlled APs. In most cases, a VSC is used to define the characteristics of a wireless network and to control how wireless user traffic is distributed onto the wired network. Multiple VSCs can be active at the same time, allowing for great flexibility in the configuration of services. For example, in the following scenario four VSCs are used to support different types of wireless users. Each VSC is configured with a different wireless network name (SSID), and the quality of service (QoS) feature is used to classify user traffic priority. #1 #2 #1 AP #2 AP Controller #3 #4 #3 #4 Backbone Network VSC #1 VSC #2 SSID=Guest QoS=Low priority SSID=Phone QoS=Very High Priority AP VSC #3 VSC #4 SSID=Employee QoS=Normal priority SSID=Video QoS=High priority Binding VSCs to APs VSCs are defined on the controller, creating a global pool of services. From this pool, specific VSCs are then bound to one or more groups (and the APs in the groups), to provide a homogeneous wireless offering. See Binding VSCs to groups on page 6-23. Note The MSM760 and MSM765 controllers support up to 64 VSCs. Other controllers support up to 16 VSCs. Controlled APs support a maximum of 16 VSCs. 5-3 Working with VSCs Key concepts Viewing and editing VSC profiles The VSC profiles list shows all VSCs are that are currently defined on the controller. To open the list, select VSCs in the Network Tree. The HP VSC profile is defined by default. To add a VSC, select VSCs >> Overview > Add New VSC Profile. To edit a VSC, select its name in the VSC list, or in the Network Tree. In either case, the VSC profile page opens. In this page sample, only the top of the VSC profile page is shown. The default VSC The default VSC is used as a fallback for any traffic that goes through the controller and that cannot be identified as coming from an MSM AP. It is also used to handle all non-VLAN traffic from wired devices connected to the controller’s LAN port (i.e., traffic from 3rd-party APs or wired users on the network). See About the default VSC on page 5-36. 5-4 Working with VSCs VSC configuration options VSC configuration options This section provides an overview of all the configuration options available for a VSC. It will give you a good idea on how the features can be used. The default VSC is pre-configured as described in the following pages. Below, is an overview of the entire VSC configuration page. Continued from below left 5-5 Working with VSCs VSC configuration options About access control and authentication The availability of certain VSC features and their functionality is controlled by the settings of two important parameters in the Global box. These parameters determine how authentication and access control are handled by the VSC: Use Controller for: Authentication Determines if user authentication services (802.1X, WPA, WPA2, MAC-based) are provided by the controller. When enabled, APs forward user login requests to the controller. The controller resolves these requests using the local user accounts, or Active Directory, or acts as a RADIUS proxy for a third-party RADIUS server. Use Controller for: Access control This option can only be enabled if the Authentication option is enabled first. When enabled, this option creates an access-controlled VSC. This means that access to protected network resources via this VSC are restricted by the access control features on the controller. Access control features include the public/guest network access interface and access lists. The following diagrams provide an overview of how user authentication and data traffic are handled depending on how these options are configured. When both authentication and access control are enabled In this configuration, the controlled AP forwards authentication requests from users on the VSC to the controller. The controller resolves these requests using the local user list, or the services of a third-party authentication server (Active Directory or RADIUS server). The controller then manages access to the protected network using its access control features (public access, interface, access lists, etc.). r traffic Use ntication tra the ffic Au ment tra ffic nage Ma Protected network User Controlled AP 5-6 Controller Third-party authentication server Router Working with VSCs VSC configuration options When only authentication is enabled In this configuration, the controlled AP forwards authentication requests from users on the VSC to the controller. The controller resolves these requests using the local user list, or the services of a third-party authentication server (Active Directory or RADIUS server). The controlled AP forwards all authenticated user traffic from users on the VSC to the protected network (or another device performing access control) according to settings defined on the controlled AP. r traffic Use ntication tra the ffic Au ment tra ffic nage Ma Network User Controlled AP Controller Third-party authentication server Router When neither option is enabled In this configuration, the controlled AP can be configured to resolve authentication requests using a third-party RADIUS server and forward authenticated user traffic to the protected network (or another device performing access control). In this scenario, the controller is only used for management of the controlled AP. tication traffic Authen r traffic Use ment tra ffic nage Ma Protected network User Controlled AP Controller Third-party authentication server Router 5-7 Working with VSCs VSC configuration options Summary of VSC configuration options The following table lists the VSC configuration options that are available depending on how access control and authentication are configured. Use Controller for: Authentication and Access control Authentication only Neither Access control ✔ ✕ ✕ Virtual AP ✔ ✔ ✔ VSC ingress mapping ✔ ✔ ✕ VSC egress mapping ✔ ✕ ✕ Default user data rates ✔ ✕ ✕ Wireless mobility ✕ ✔ ✔ Fast wireless roaming ✕ ✔ ✔ Wireless security filters ✔ ✔ ✔ Wireless protection ✔ ✔ ✔ 802.1X authentication ✔ ✔ ✔ RADIUS authentication realms ✔ ✔ ✕ HTML-based user logins ✔ ✕ ✕ VPN-based authentication ✔ ✕ ✕ MAC-based authentication ✔ ✔ ✔ Location-aware ✔ ✕ ✕ Wireless MAC filter ✔ ✔ ✔ Wireless IP filter ✔ ✔ ✔ DHCP server ✔ ✕ ✕ DHCP relay ✔ ✕ ✕ VSC configuration option The sections that follow provide an overview and use of each VSC option. For complete descriptions of individual parameters see the online help in the management tool. 5-8 Working with VSCs VSC configuration options Access control The settings only apply to access-controlled VSCs. Present session and welcome page to 802.1X users Enable this option to have the public access interface present the Welcome, Transport, and Session pages to 802.1X users. When disabled, these pages are not sent to 802.1X users. Note Display of the Session page (and other pages that are part of the public access interface) may not work for all users. These pages will fail if the initial traffic from the user’s computer is sent by an application other than the user’s browser. For example: messaging software, automatic software update services, email applications. Identify stations based on IP address only This option only applies when the HTML-based user logins option is enabled. This option controls how client stations are identified once they are logged in. When enabled, the controller identifies client stations by their IP address only. This setting provides support for network configurations where the MAC address of wireless stations is not visible to the controller, or for configurations where the MAC address changes when a client station roams. When disabled (default setting), the controller identifies client stations by both IP address and MAC address. Both addresses must remain the same after login for the client station to remain authenticated. Local NAS ID Defines a NAS ID for this profile. This ID is used only when RADIUS authentication is not configured for the profile. 5-9 Working with VSCs VSC configuration options Virtual AP The virtual AP settings define the characteristics of the wireless network created by the VSC, including its name, the number of clients supported, and QoS settings. Access control enabled Access control disabled Select the Virtual AP checkbox to enable the wireless network defined by this VSC. WLAN Name (SSID) Specify a name to uniquely identify the wireless network associated with this VSC. The wireless network is created by the controlled APs and managed by the controller. Each wireless user that wants to connect to this VSC must use the WLAN name. The name is case-sensitive. 5-10 Working with VSCs VSC configuration options DTIM count Specify the DTIM period in the wireless beacon sent by controlled APs. Client stations use the DTIM to wake up from low-power mode to receive multicast traffic. APs transmit a beacon every 100 ms. The DTIM counts down with each beacon that is sent. Therefore if the DTIM is set to 5, then client stations in low-power mode will wake up every 500 ms (.5 second) to receive multicast traffic. Broadcast name (SSID) When this option is enabled, controlled APs will broadcast the wireless network name (SSID) to all client stations. Most wireless adapter cards have a setting that enables them to automatically discover APs that broadcast their names and connect to the one with the strongest signal. If you disable this option, client stations will have to specify the network name you enter for Name (SSID) when they connect. Advertise Tx power When this option is enabled, controlled APs broadcast their current transmit power setting in the wireless beacon. It also enables support for 802.1h and 802.11d. Broadcast filtering Use this option to conserve wireless bandwidth by filtering out non-essential broadcast traffic. When broadcast filtering is enabled: DHCP broadcast requests are never forwarded on the wireless port. DHCP broadcast offers are never forwarded on the wireless port unless the target of the offer is an associated client on the wireless interface. ARP broadcast requests are never forwarded out the wireless port unless the target of the ARP request is an associated client on the wireless interface. Broadcast filtering should be disabled in the following cases: An external DHCP server is connected to the wireless network. If a wireless client bridge is connected to the wireless network. Band steering Band steering is used to help solve dense client issues. When band steering is enabled, APs attempt to move wireless clients that are capable of 802.11a/n onto the 5 GHz band, thus reducing the load on the slower and more crowded 2.4 GHz band, leaving it for less capable legacy (802.11b/g) clients. An AP uses the following methods to encourage a wireless client to associate at 5 GHz instead of 2.4 GHz. The AP waits 200ms before responding to the first probe request sent by a client at 2.4 GHz. 5-11 Working with VSCs VSC configuration options Note If the AP has learned that a client is capable of transmitting at 5 GHz, the AP refuses the first association request sent by the client at 2.4 GHz. Once a client is associated at 5 GHz, the AP will not respond to any 2.4 GHz probes from the client as long as the client’s signal strength at 5 GHz is greater than -80 dBm (decibel milliwatt). If the client’s signal strength falls below -80 dBm, then the AP will respond to 2.4 GHz probes from the client without delay. To support band steering, the VSC must be bound to APs with two radios (MSM422, MSM430, MSM460, or MSM466). One radio must be configured for 2.4 GHz operation and the other for 5 GHz operation. Band steering is temporarily suspended on an AP when the radio configured for 5 GHz operation reaches its maximum number of supported clients. Wireless clients Max clients per radio Specify the maximum number of wireless client stations that can be associated with this SSID at the same time on each radio. Allow traffic between nn wireless clients Use this option to control how wireless clients that are connected to the same VSC can communicate with each other. The following settings are available: No: Blocks all inter-client communications. 802.1X: Only authenticated 802.1X clients can communicate. All: All authenticated and unauthenticated clients can communicate. Default setting. IPV6: Only authenticated clients using IP version 6 can communicate. Communicating between different VSCs Communications between client stations connected to different VSCs can only occur if the clients are both assigned to the same VLAN. The easiest way to do this is to assign the same VLAN to both VSCs using the Egress network option in the VSC binding. Another method, which only works with non-access-controlled VSCs, is to dynamically assign the same VLAN to two different users via RADIUS or the local user accounts. See Userassigned VLANs on page 7-6. In addition, the following rules govern how traffic is exchanged: 5-12 Unicast traffic exchanged between VSCs on the same radio is controlled by the setting of the receiver VSC. Working with VSCs VSC configuration options Unicast traffic exchanged between VSCs on different radios is controlled by the setting of the sender’s VSC. Multicast traffic exchanged between VSCs is always controlled by the setting of the sender’s VSC. Generally, most clients will be involved in the bidirectional exchange of unicast packets. In this case, the rules can be simplified by assuming that the most restrictive setting for this option takes precedence. For example: If VSC1 is set to No and VSC2 is set to All, no communication is permitted between clients on the two VSCs, or between clients on VSC1. However, all clients on VSC2 can communicate with each other. If VSC1 is set to 802.1X and VSC2 set to All, only 802.1X clients can communicate between the two VSCs. Client data tunnel (Only available when Access control is enabled.) When a VSC is access-controlled, client traffic that is sent between the AP and controller can be carried in the client data tunnel. This provides the following benefits: User traffic is segregated from the backbone network and can only travel to the controller. Underlying network topology is abstracted enabling full support for L2-connected users across routed networks. The client data tunnel is always used when the connection between a controlled AP and its controller traverses at least one router. The client data tunnel supports NAT traversal, so it can cross routers that implement NAT. Optionally, the client data tunnel can also be used when a controlled AP and its controller are on the same subnet. To do this, enable the Always tunnel client traffic option. Performance and security settings for the client data tunnel can be customized by selecting Controller >> Controlled APs > Client data tunnel. Less security/better performance: This option provides security using a secret key that is attached to each packet. The key is rotated every 200 seconds. 5-13 Working with VSCs VSC configuration options High security/less performance: This option uses HMAC (Hash based message authentication code) to ensure the data integrity and authenticity of each packet. Performance is reduced due to the overhead needed to calculate HMAC. Regardless of the security method used, the client tunnel does not encrypt the data stream. To protect client traffic with encryption requires that client stations use WPA or VPN software. Under Wireless protection, enable WPA with the Terminate WPA at the controller. This requires client stations that support WPA. Use VPN-based authentication. See Securing wireless client sessions with VPNs on page 16-3. Quality of service The quality of service (QoS) feature provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations. See Quality of service (QoS) on page 5-37. 5-14 Working with VSCs VSC configuration options Allowed wireless rates Select the wireless transmission speeds (in Mbps) that this VSC will support for each wireless mode. Clients will only be able to connect at the rates that you select. If a client does not support the selected rate and mode, it will not be able to connect to this VSC. Note that all APs do not support all wireless modes and rates. See Wireless mode on page 4-20 for details. To ensure a high quality of service for voice applications, disable all rates below 5.5. Also, ensure that the radio is configured as follows: Operating mode is set to Access point only. Channel is set to a fixed channel, or Automatic with interval set to Disabled. Automatic power control is disabled under Transmit power control. On the Wireless > Neighborhood page, do not enable the Repeat scan every nnn seconds option. 5-15 Working with VSCs VSC configuration options Notes on 802.11n 802.11n supports legacy rates (1 to 54), as well as high-throughput (HT) rates MCS 0 to MSC 23. MCS 0 to MCS 15 are supported by the MSM410, MSM422, E-MSM430, E-MSM460, and E-MSM466. MCS 16 to MCS 23 are supported by the E-MSM460 and E-MSM466. You must always enable at least one legacy rate for 802.11n. Notes regarding the E-MSM430, E-MSM460, and E-MSM466 On these products, the wireless rates shown for 802.11n apply to all wireless modes supported on both radios, which are 802.11a/b/g/n. If you remove a rate, it is removed for all wireless modes. VSC ingress mapping These settings apply to the controller only and define how ingress (incoming) user traffic is assigned to a VSC on the controller. The ingress lets you control what type of traffic the VSC will handle. When access control is enabled, available options are: The SSID option cannot be disabled. When enabled, the VSC accepts incoming traffic that has its SSID set to the WLAN name (SSID) defined under Virtual AP. If you enable the VLAN option, you can choose a single VLAN, or a VLAN range enabling the VSC to handle traffic from multiple sources. For example, if you define different Egress networks when binding VSCs to your APs, you could specify a range to have all traffic handled by one VSC. (Ingress VLANs are not supported when controller teaming is active.) When access control is disabled, available options are: When the SSID option is enabled, the VSC accepts incoming traffic that has its SSID set to the WLAN name (SSID) defined under Virtual AP. The Ethernet Switch option enables the VSC to be bound to the switch ports on an MSM317. See the MSM317 Access Device Installation and Getting Started Guide. 5-16 Working with VSCs VSC configuration options If a VSC is bound to the MSM317 Ethernet Switch, it cannot handle traffic from wireless clients on the MSM317 or other APs. For more information, see VSC data flow on page 5-32 and Traffic flow for wireless users on page 7-6. VSC egress mapping These options select the output interface on the controller on which an access-controlled VSC forwards user traffic. Different egress mappings can be defined depending on whether the user is unauthenticated, authenticated, or being intercepted. (To enable traffic interception for a specific user, you must specify the appropriate setting in the user’s RADIUS account. See Colubris-Intercept on page 15-25.) Different types of traffic can be forwarded to different output interfaces, which include: the routing table, VLAN ID, or an IP GRE tunnel. Before you can map traffic to an output interface, the interface must already be defined. For VLANs to appear in the selection list they must be assigned an IP address. (Define VLANs on the Controller >> Network > Ports page.) When the Default option is selected, the controller routing table is used for all egress traffic. Therefore, all traffic on this VSC is routed according to the routes defined on the Controller >> Network > IP routes page. For more information, see VSC data flow on page 5-32 and Traffic flow for wireless users on page 7-6. Note To set VSC egress options for controlled APs, see Binding VSCs to groups on page 6-23. On the MSM317, VSCs can also be bound directly to the switch ports. See the MSM317 Access Device Installation and Getting Started Guide. Bandwidth control This option is only available if the Internet port data rate limits option is enabled on the Controller >> Network > Bandwidth control page. See Bandwidth control on page 3-21. Select the bandwidth control level to regulate traffic flow for all user traffic handled by this VSC. Bandwidth levels are defined on the Controller >> Network > Bandwidth control page. This default setting applies to all users that do not have a bandwidth level assigned in their account (local or RADIUS). Local accounts are defined on the Users menu. 5-17 Working with VSCs VSC configuration options For more information on setting the appropriate RADIUS attributes to accomplish this, refer to the Management and Configuration Guide for this product. Default user data rates These options enable you to set the default data rates for authenticated users that do not have a data rate set in their RADIUS accounts, and for unauthenticated users. For details on setting user data rates using RADIUS attributes, see Chapter 14: Public/guest network access and Chapter 15: Working with RADIUS attributes. Max transmit Specify the maximum rate (in kbps) at which users can send data. Max receive Specify the maximum rate (in kbps) at which users can receive data. Note The Internet port data rate limits defined on the Controller >> Network > Bandwidth control page always take precedence over user data rates set in the VSC. This means if you set a data rate which exceeds the configured bandwidth for the port, the rate will be capped. Wireless mobility The wireless mobility feature provides for seamless roaming of wireless users, while at the same time giving you complete control over how wireless user traffic is distributed onto the wired networking infrastructure. This enables you to implement a wireless networking solution that is perfectly tailored to meet the needs of you users and the topology of your network. For detailed information on how to use and configure this feature, see Chapter 9: Mobility traffic manager. 5-18 Working with VSCs VSC configuration options To use wireless mobility, you must: Disable the Access control option under Global. Install a Mobility or Premium license on the controller. Bind the same VSC to all APs that will support roaming. Configure the Wireless security filters so that they do not interfere with roaming functionality. In most cases, these filters should be disabled. If you need to use them, note that: The Restrict wireless traffic to: Access point default gateway option is not supported. The Restrict wireless traffic to: MAC or Custom options can be used provided that they restrict traffic to destinations that are reachable from all subnets in the mobility domain. Mobility traffic manager Mobility Traffic Manager (MTM) enables you to take advantage of both distributed and centralized strategies when deploying a wireless networking solution. For a complete discussion of this feature and how to use it see, Chapter 9: Mobility traffic manager on page 9-1. If you are using MTM to tunnel the traffic from wireless users to their home networks, set the following parameter to determine how MTM routes traffic if no home network is assigned to a user (via their RADIUS account or local user account), or if the user’s home network is not found in the mobility domain. If no matching network is assigned: Block user: User access is blocked. Consider the user at home: The user’s home network is considered to be the subnet assigned to the AP. Subnet-based mobility This feature has been deprecated. If you are creating a new installation, use Mobility Traffic Manager. If you are upgrading from a previous release, your subnet-based configuration will still work. However, for added benefits and greater flexibility you should migrate your setup to Mobility Traffic Manager. When Subnet-based mobility is enabled, a user’s home subnet is determined based on the IPv4 address assigned to a user when they connect to the wireless network. If a user’s IPv4 address is not within the scope of any of the local subnets assigned to the AP, the user is considered foreign to the network and their traffic is tunnelled via the controller to their home subnet. If the user’s subnet does not match any subnets defined in the mobility domain, the user is blocked. 5-19 Working with VSCs VSC configuration options One issue with using this method to determine the home subnet is that a user’s IPv4 address is typically retrieved through DHCP. If a user connects to an AP in a new location (rather than roaming to the AP), the IP address assigned through DHCP may identify the user as local to the network, and not roaming. Fast wireless roaming WPA2 opportunistic key caching eliminates the delays associated with reauthentication when client stations roam between APs installed on the same subnet. The controller manages key distribution between the APs so that when wireless users roam between APs, reauthentication is not delayed by having to completely renegotiate key values. To support fast wireless roaming: Note Disable the Access control option under Global. Install a Mobility or Premium license on the controller. All APs must be on the same layer 2 network. All APs must have VSCs with the same name, SSID, and wireless protection settings. Wireless protection must be WPA, or 802.1X authentication must be enabled. RADIUS accounting is not supported when this option is enabled. Wireless security filters APs feature an intelligent bridge that can apply security filters to safeguard the flow of wireless traffic. These filters limit both incoming and outgoing traffic as defined below and force the APs to exchange traffic with a specific upstream device. When access control is enabled, available options are: The controlled AP will only allow user traffic that is addressed to the controller. All other traffic is blocked. Make sure that the controller is set as the default gateway for all users. If not, all user traffic will be blocked by the AP. The default wireless security filters defined below are active. 5-20 Working with VSCs VSC configuration options When access control is disabled, available options are: Configure security filter settings using the available options as described in the following section. Restrict wireless traffic to This setting defines the upstream device to which the AP will forward wireless traffic. If you are using multiple VLANs, each with a different gateway, use the MAC address option. Access point’s default gateway: This sends traffic to the default gateway assigned to the AP. The default wireless security filters are in effect for wireless traffic. MAC address: Specify the MAC address of the upstream device to which all traffic is to be forwarded. The default wireless security filters are in effect for wireless traffic. Custom: Use this option to define custom wireless security filters and a custom target address for the upstream device. Refer to the Custom section that follows for details. Default wireless security filter definitions The following filters are defined by default. Incoming wireless traffic filters Applies to traffic sent from wireless users to the AP. Accepted Any IP traffic addressed to the controller. PPPoE traffic (The PPPoe server must be the upstream device.) IP broadcast packets, except NetBIOS Certain address management protocols (ARP, DHCP) regardless of their source address. Any traffic addressed to the AP, including 802.1X. Blocked All traffic that is not accepted is blocked. This includes NetBIOS traffic regardless of its source/destination address. HTTPS traffic not addressed to the AP (or upstream device) is also blocked, which means wireless users cannot access the management tool on other HP ProCurve APs. Outgoing wireless traffic filters Applies to traffic sent from the AP to wireless users. 5-21 Working with VSCs VSC configuration options Accepted Any IP traffic coming from the upstream device, except NetBIOS packets. PPPoE traffic from the upstream device. IP broadcast packets, except NetBIOS ARP and DHCP Offer and ACK packets. Any traffic coming from the AP itself, including 802.1X. Blocked All other traffic is blocked. This includes NetBIOS traffic regardless of its source/ destination address. Custom wireless security filter definitions Use this option to define your own security filters to control incoming and outgoing wireless traffic. To use the default filters as a starting point, select Get Default Filters. Filters are specified using standard pcap syntax with the addition of a few HP ProCurvespecific placeholders. These placeholders can be used to refer to specific MAC addresses and are expanded by the AP when the filter is activated. Once expanded, the filter must respect the pcap syntax. The pcap syntax is documented in the tcpdump man page: http://www.tcpdump.org/tcpdump_man.html Placeholders MAC address of the controller. MAC address of the bridge. MAC address of the default gateway assigned to the AP. : MAC address of AP wireless port. Wireless mobility considerations If you enable the wireless mobility feature (to support roaming across different subnets), configuration of the wireless security filters must respect the following guidelines so as not to interfere with roaming functionality. 5-22 The Restrict wireless traffic to: Access point default gateway option is not supported. The Restrict wireless traffic to: MAC or Custom options can be used provided that they restrict traffic to destinations that are reachable from all subnets in the mobile domain. Working with VSCs VSC configuration options Wireless protection Two types of wireless protection are offered. WPA and WEP. On the MSM410 and MSM422 When using 802.11n, wireless protection settings are enforced as follows: WEP protection is never permitted. If selected, WPA or WPA2 protection is used instead. When using pure 802.11n in either the 2.4 or 5 GHz bands, WPA2 protection is used instead of WPA. On the E-MSM430, E-MSM460, and E-MSM466 When using 802.11n, wireless protection settings are enforced as follows: WEP protection is permitted. If selected, all 802.11n features of the radio are disabled for this VSC. The VSC will only support legacy a/b/g traffic. WPA is not supported on these products. WPA This option enables support for users with WPA / WPA2 client software. Mode Support is provided for: WPA (TKIP): WPA with TKIP encryption. (Not supported on the E-MSM430, E-MSM460, E-MSM466.) WPA2 (AES/CCMP): WPA2 (802.11i) with AES/CCMP encryption. WPA or WPA2: Mixed mode supports both WPA (version 1) and WPA2 (version 2) at the same time. Key source This option determines how the TKIP keys are generated. Dynamic: This is a dynamic key that changes each time the user logs in and is authenticated. The MPPE key is used to generate the TKIP keys that encrypt the wireless data stream. The key is generated via the configured 802.1X authentication method. Therefore, when you enable this option, the 802.1X authentication feature is automatically enabled. 5-23 Working with VSCs VSC configuration options Authentication can occur via the local user accounts and a remote authentication server (Active Directory, or third-party RADIUS server). If both options are enabled, the local accounts are checked first. Preshared Key: The controller uses the key you specify in the Key field to generate the TKIP keys that encrypt the wireless data stream. Since this is a static key, it is not as secure as the RADIUS option. Specify a key that is between 8 and 63 alphanumeric characters in length. It is recommended that the preshared key be at least 20 characters long, and be a mix of letters and numbers. The double quote character (”) should not be used. Terminate WPA at the controller This feature is intended for low throughput applications, such as supporting point of sale (POS) terminals. 5-24 When enabled, the controller acts as the termination point for all WPA/WPA2 sessions. This enables the network to meet PCI (Payment Card Industry) compliance supporting the connection of point of sale (POS) terminals. Working with VSCs VSC configuration options Note When disabled, WPA/WPA2 sessions are terminated at the AP. This means that wireless communication between the client station and AP is secure, but traffic between the AP and controller is not. This is normally sufficient since outsiders do not have access to your wired network. However, in a public venue such as a hotel, if the public has access to your wired network, it may be necessary to provide end-to-end security for certain client stations, such as POS terminals. This feature supports a maximum of 10 sessions on the MSM710, and 50 sessions on the MSM760 and MSM765. WEP This option provides support for users using WEP encryption. Key source This option determines how the WEP keys are generated: dynamic or static key. Dynamic: This is a dynamic key that changes each time the user logs in and is authenticated. The key is generated via the configured 802.1X authentication method. Therefore, when you enable this option, the 802.1X authentication feature is automatically enabled. Support static WEP: Enables support for users that are using the specified static WEP key. See the definitions below for information on how to define the key. Static key: This is a static key that you must define. Key: The number of characters you specify for the key determines the level of encryption. For 40-bit encryption, specify 5 ASCII characters or 10 HEX digits. For 128-bit encryption, specify 13 ASCII characters or 26 HEX digits. 5-25 Working with VSCs VSC configuration options When encryption is enabled, wireless stations that do not support encryption cannot communicate with the AP. The definition for each encryption key must be the same on the AP and all client stations. Key format: Select the format used to specify the encryption key: ASCII: ASCII keys are much weaker than carefully chosen HEX keys. You can include ASCII characters between 32 and 126, inclusive, in the key. However, note that not all client stations support non-alphanumeric characters such as spaces, punctuation, or special symbols in the key. HEX: Your keys should only include the following characters: 0-9, a-f, A-F 802.1X authentication This option enables you to use 802.1X to authenticate wireless and wireless users. For configuration details, see Configuring 802.1X support on a VSC on page 10-10. RADIUS authentication realms When realms are enabled for accounting or authentication, selection of the RADIUS server to use is based on the realm name. If no match is found, then the configured RADIUS profile name is used. This applies to any VSC authentication or accounting setting that uses a RADIUS server. Realm names are extracted from user names as follows: if the username is person1@mydomain.com then mydomain.com is the realm. The authentication request is sent to the RADIUS profile with the realm name mydomain.com. The username sent for authentication is still the complete person1@mydomain.com. 5-26 Working with VSCs VSC configuration options For added flexibility, regular expressions can be used in realm names, enabling a single realm name to match many users. For example, if a realm name is defined with the regular expression ^abc.* then all usernames beginning with abc followed by any number of characters will match. The following usernames would all match: abc123.biz abc321.lan abc1 Important Realms are not case sensitive. Realms have a maximum length of 64 characters. A maximum of 200 realms can be defined across all profiles. However, there is no limit per profile. Each RADIUS profile can be associated with one or more realms. However, a realm cannot be associated with more than one profile. A realm overrides the authentication RADIUS server only; the server used for accounting is not affected. A realm overrides the authentication RADIUS server only. The server used for accounting is not affected. When the realm configuration is changed in any way, all authenticated users are logged out. HTML-based user logins This option defines settings for users who log in to the public access interface using a Web browser. If you disable this option, the public access interface Login page is not shown to these users. However, login is still possible via other methods such as MAC authentication and 802.1X. For configuration details, see Configuring HTML-based authentication on a VSC on page 10-22. 5-27 Working with VSCs VSC configuration options Note The global MAC-based authentication feature only applies on VSCs that have HTML-based user logins enabled. See Configuring global MAC-based authentication on page 10-16. VPN-based authentication VPN-based authentication can be used to provide secure access for client stations on VSCs that do not have encryption enabled. For configuration details, see Configuring VPN-based authentication on a VSC on page 10-24. MAC-based authentication This option can be used to authenticate both wireless and wired users, depending on how the VSC is configured. To configure this options, see Configuring MAC-based authentication on a VSC on page 10-17. This option cannot be used at the same time as HTML-based authentication. If you want to use both MAC-based authentication and HTML-based authentication at the same time, use the global MAC-based authentication option See MAC-based authentication on page 10-14. 5-28 Working with VSCs VSC configuration options Location-aware This option enables you to control logins to the public access network based on the AP, or group of APs, to which a user is connected. It is automatically enabled when a VSC is set to Access control. Location-aware is always enabled when using the controller for authentication or accesscontrol with a remote RADIUS server. For each user login, location-aware sends the PHY Type, SSID, and VLAN to the remote RADIUS server. It also includes the specified Called-Station-Id content. Wireless MAC filter This option enables you to control access to the wireless network based on the MAC address of a device. You can either block access or allow access, depending on your requirements. To configure this option, see Configuring MAC-based filters on a VSC on page 10-19. Up to 64 MAC addresses can be defined per VSC. 5-29 Working with VSCs VSC configuration options Wireless IP filter When this option is enabled, the VSC only allows wireless traffic that is addressed to an IP address that is defined in the list. All other traffic is blocked, except for: DNS queries (i.e., TCP/UDP traffic on port 53) DHCP requests/responses A maximum of two addresses can be defined. Each address can target a specific device or a range of addresses. Examples To only allow traffic addressed to a gateway at the address 192.168.130.1, define the filter as follows: Address = 192.168.130.1 Mask = 255.255.255.255 To only allow traffic addressed to the network 192.168.130.0, define the filter as follows: Address = 192.168.130.0 Mask = 255.255.255.0 DHCP server This option is only available if the controller is configured as a DHCP server on the Controller >> Network > Address allocation page. See Address allocation on page 3-13. 5-30 Working with VSCs VSC configuration options A separate DHCP server can be enabled on each VSC to provide custom addressing that is different from the base DHCP subnet that is determined by the LAN port IP address. To receive traffic from users, the controller assigns the Gateway address you specify to its LAN port. Note These configuration options do not appear for the default VSC. The default VSC uses the same settings as defined on the Controller >> Network > Address allocation page. DHCP relay agent This option is only available if the controller is currently configured as a DHCP relay agent on the Controller >> Network > Address allocation page. See Address allocation on page 3-13. A separate DHCP relay agent can be enabled on each VSC to provide custom addressing to users. 5-31 Working with VSCs VSC data flow Note These DHCP relay agent options do not appear for the default VSC. The default VSC uses the same settings as defined on the Controller >> Network > Address allocation page. VSC data flow Each VSC provides a number of configurable options, some of which apply exclusively on controlled APs or the controller. The following diagrams illustrate how traffic from wireless users is handled by VSC definitions on a controlled AP and controller, and shows the options that apply on each device. For more on traffic flow, see Traffic flow for wireless users on page 7-6. Access control enabled This diagram shows traffic flow when an access-controlled VSC is bound to an AP. VSC on controlled AP Wireless traffic Ingress - SSID (from association) Features Egress - Wireless security filters - Wireless MAC filter - Wireless IP filter - Bridged onto port 1+2 (untagged) - Bridged onto port 1 (VLAN) - Client data tunnel VSC on controller Ingress - SSID (Centralized data tunnel) - SSID (LAN port via location-aware) - VLAN (LAN or Internet port) - Untagged (LAN port) 5-32 Features Egress - Authentication (MAC, 802.1X, HTML, VPN) - Access control features - Routing table - VLAN - IP GRE tunnel User and authentication traffic Working with VSCs VSC data flow VSC on controlled AP Ingress The AP only handles traffic from wireless users, except for the MSM317 which can handle traffic from both wireless and wired users. The SSID is the name of the wireless network with which the user associates. Features Wireless security filters: Enables the AP to block traffic unless it is addressed to a specific destination, such as the controller. See Wireless security filters on page 5-20. Wireless MAC filter: Enables the AP to allow or deny access to the wireless network based on for specific wireless user MAC addresses. Wireless IP filter: Enables the AP to only allow wireless-to-wired LAN traffic for specific destination IP addresses. Egress Bridged onto port 1+2 (untagged): Untagged user and authentication traffic is bridged onto ports 1 and 2. Bridged onto port 1 (VLAN): VLAN tagged traffic is bridged onto port 1 only. VLAN tags can be assigned on a per-user basis via RADIUS attributes (see Defining account profiles on page 10-32), or for all traffic on a VSC (see Assigning egress VLANs to a group on page 6-30). Client data tunnel: When this option is enabled, the AP creates a data tunnel to the controller to carry all user traffic. See Client data tunnel on page 5-13. For a more detailed explanation on how wireless traffic is routed between an AP and controller, see Traffic flow for wireless users on page 7-6. VSC on controller Ingress SSID (Client data tunnel): When a client data tunnel has been created between the AP and the controller, all user traffic comes in on it. See Client data tunnel on page 5-13. The tunnel is established using same interface on which the AP was discovered. (LAN or Internet port). SSID: SSID is retrieved using the location-aware function. VLAN (LAN or Internet port): Traffic with a VLAN ID is handled by the VSC with a matching VLAN definition. See Using multiple VSCs on page 5-36. Untagged (LAN port): Untagged traffic on the LAN port may originate from wired users, or MSM APs operating in autonomous mode. 5-33 Working with VSCs VSC data flow Features Authentication: The controller supports 802.1X, MAC, or HTML authentication. To validate user login credentials the controller can use the local user accounts or make use of third-party authentication servers (Active Directory and/or RADIUS). See Chapter 10: User authentication, accounts, and addressing. Access control features: The controller provides a number of features that can be applied to user sessions. Features can be enabled globally or on a per-account basis. See Account profiles on page 10-27. Egress The controller enables user traffic to be forwarded to different output interfaces, which include the routing table, VLAN ID, or GRE tunnel. See VSC egress mapping on page 5-17. Access control disabled This diagram shows traffic flow when a non-access-controlled VSC is bound to an AP. VSC on controlled AP Wireless traffic Ingress - SSID (from association) Features - Authentication (MAC, 802.1X) - Wireless security filters - Wireless MAC filter - Wireless IP filter Egress - Bridged onto port 1+2 - VLAN User traffic Authentication traffic VSC on controller Ingress - SSID (from RADIUS auth request) Features - Authentication (MAC, 802.1X) VSC on controlled AP Ingress The AP only handles traffic from wireless users, except for the MSM317 which can handle traffic from both wireless and wired users. The SSID is the name of the wireless network with which the user associates Features 5-34 Authentication: The AP supports 802.1X or MAC authentication. To validate user login credentials the AP makes use of a third-party authentication server (controller or thirdparty RADIUS server). See Chapter 10: User authentication, accounts, and addressing. Working with VSCs VSC data flow Wireless security filters: Enables the AP to block traffic unless it is addressed to a specific destination (like the controller). See Wireless security filters on page 5-20. Wireless MAC filter: Enables the AP to allow or deny access to the wireless network based on specific wireless user MAC addresses. Wireless IP filter: Enables the AP to only allow wireless-to-wired LAN traffic for specific destination IP addresses. Egress Bridged onto port 1+2: Unless a centralized mode tunnel has been established, user and authentication traffic is bridged onto ports 1 and 2. VLAN: VLAN tags can be assigned for all traffic on a VSC. See Assigning egress VLANs to a group on page 6-30. VSC on controller Ingress SSID (from RADIUS auth request): The controller determines the SSID from the RADIUS authentication request sent by the AP, and uses this SSID to determine the VSC to use for authentication. Features Authentication: The controller supports 802.1X or MAC authentication. To validate user login credentials the controller can use the local user accounts or make use of third-party authentication servers (Active Directory and/or RADIUS). See Chapter 10: User authentication, accounts, and addressing. 5-35 Working with VSCs Using multiple VSCs Using multiple VSCs When multiple VSCs are defined, it is important to know how user traffic is matched to a VSC definition. When VSCs have access control enabled, incoming traffic is handled on the controller as follows: Incoming traffic properties SSID and untagged SSID and VLAN or Port If ... Then ... LAN VSC with matching SSID exists. Traffic is sent on the egress mapping defined on the matching VSC. No VSC with matching SSID exists. Traffic is sent on the egress mapping defined on the default VSC. VSC with matching Ingress VLAN exists. Traffic is sent on the egress mapping defined on the matching VSC. VLAN exists in VLAN table (but is not assigned to a VSC ingress. Traffic is routed according to the global routing table. No VLAN exists. Traffic is blocked. LAN or Internet VLAN only Untagged LAN Traffic is sent on the egress mapping defined on the default VSC. About the default VSC The default VSC is automatically created by the controller. It is identified with the label (Default) in the VSC list. Initially, this VSC is named HP and has the following properties: 5-36 Wireless network name: HP Use Controller for Authentication is enabled. (If you disable this option, the controller will not provide user authentication services for 802.1X, WPA, or WPA2.) Use Controller for Access control is enabled. (If you disable this option, you disable the public access interface and all users gain access to the protected network.) HTML-based authentication is enabled. Working with VSCs Quality of service (QoS) This means that when a user connects to the default VSC: Unauthenticated users cannot access the protected network, except for: procurve.com (for product registration) and windowsupdate.com (for IE, which tries to get to a windows update on a fresh start). Authenticated users can access all protected network resources. Traffic from wired users is always handled by the default VSC as follows: When access control is disabled on the default VSC, traffic from wired users connected to the controller LAN port is blocked. When access control is enabled on the default VSC, traffic from authenticated wired users connected to the controller LAN port is sent on the egress mapping defined on the default VSC. If HTML and 802.1X based authentication methods are disabled, traffic from all users is sent on the egress mapping without the need for authentication. Quality of service (QoS) The quality of service (QoS) feature (under Virtual AP) provides a number of different mechanisms to prioritize wireless traffic sent to wireless client stations. This is useful when the controller handles wireless traffic from multiple devices (or multiple applications on a single device), that have different data flow requirements. 5-37 Working with VSCs Quality of service (QoS) The QoS feature defines four traffic queues based on the Wi-Fi Multimedia (WMM) access categories. In order of priority, these queues are: Queue WMM access category 1 AC_VO Voice traffic 2 AC_VI Video traffic 3 AC_BE Best effort data traffic 4 AC_BK Background data traffic Typically used for Outgoing wireless traffic on the VSC is assigned to a queue based on the selected priority mechanism. Traffic delivery is based on strict priority (per the WMM standard). Therefore, if excessive traffic is present on queues 1 or 2, it will reduce the flow of traffic on queue 3 and queue 4. Regardless of the priority mechanism that is selected: Traffic that cannot be classified by a priority mechanism is assigned to queue 3. SVP (SpectraLink Voice Protocol) traffic is always assigned to queue 1, except if you select the VSC-based priority mechanism, in which case SVP traffic is assigned to the configured queue. Priority mechanisms Priority mechanisms are used to classify traffic on the VSC and assign it to the appropriate queue. The following mechanisms are available: 802.1p This mechanism classifies traffic based on the value of the VLAN priority field present within the VLAN header. Queue 5-38 802.1p (VLAN priority field value) 1 6, 7 2 4, 5 3 0, 3 4 1, 2 Working with VSCs Quality of service (QoS) VSC-based priority This mechanism is unique to HP. It enables you to assign a single priority level to all traffic on a VSC. If you enable the VSC-based priority mechanism, it takes precedence regardless of the priority mechanism supported by associated client stations. For example, if you set VSCbased low priority, then all devices that connect to the VSC have their traffic set at this priority, including SVP clients. Queue VSC-based priority value 1 VSC-based Very High 2 VSC-based High 3 VSC-based Normal 4 VSC-based Low DiffServ (Differentiated Services) This mechanism classifies traffic based on the value of the Differentiated Services (DS) codepoint field in IPv4 and IPv6 packet headers (as defined in RFC2474). The codepoint is composed of the six most significant bits of the DS field. Queue DiffServ (DS codepoint value) 1 111000 (Network control) 110000 (Internetwork control) 2 101000 (Critical) 100000 (Flash override) 3 011000 (Flash) 000100 (Routine) 4 010000 (Immediate) 001000 (Priority) TOS This mechanism classifies traffic based on value of the TOS (Type of Service) field in an IP packet header. Queue TOS (Type of Service field value) 1 0x30, 0xE0, 0x88, 0xB8 2 0x28, 0xA0 3 0x08, 0x20 4 All other TOS traffic 5-39 Working with VSCs Quality of service (QoS) IP QoS This option lets you assign traffic to the queues based on the criteria in one or more IP QoS profiles. Each profile lets you target traffic on specific ports or using specific protocols. Disabled When QoS traffic prioritization is disabled, all traffic is sent to queue 3. IP QoS profiles This option is only available if you set the Priority mechanism to IP QoS. Select the IP QoS profiles to use for this profile. To add QoS profiles to the list, use the Network > IP QoS page. Up to 10 profiles can be selected. To select more than one profile, hold down the CTRL key as you select profile names in the list. To define an IP QoS profile 1. Select Controller >> Network > IP QoS. Initially, no profiles are defined. 2. Select Add New Profile. 3. Configure settings as follows: Settings Profile name Specify a unique name to identify the profile. 5-40 Working with VSCs Quality of service (QoS) Protocol Specify an IP protocol to use to classify traffic by specifying its Internet Assigned Numbers Authority (IANA) protocol number. Protocol numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually. You can find IANA-assigned protocol numbers on the Internet. Start port/ End port Optionally specify the first and last port numbers in the range of ports to which this IP QoS profile applies. To specify a single port, specify the same port number for both Start port and End port. Port numbers are pre-defined for a number of common protocols. If the protocol you require does not appear in the list, select Other and specify the appropriate number manually. Note To accept traffic on all ports for a specified protocol, set Start port to Other and 0. Priority Select the priority level that will be assigned to traffic that meets the criteria specified in this IP QoS profile. Note It is strongly recommended that you reserve Very high priority for voice applications. Upstream DiffServ tagging Enable this option to have the AP apply differentiated services marking to upstream traffic. Layer 3 upstream marking ensures end-to-end quality of service in your network. Data originating on the wireless network can now be carried throughout the network (wireless and wired) with a consistent quality of service and priority. This feature is enabled by default. When this feature is enabled, packets received on the wireless interface that include Wi-Fi Multimedia (WMM) QoS values are remarked using IP TOS/DiffServ values when transmitted to the wired network. Upstream/downstream traffic marking Depending on the priority mechanism that is active, upstream and downstream traffic is marked as described in this section. 5-41 Working with VSCs Quality of service (QoS) Upstream traffic marking This table describes the marking applied to wireless traffic sent by connected client stations to an AP and then forwarded onto the wired network by the AP. OUTGOING TRAFFIC Traffic sent by the AP to the network INCOMING TRAFFIC L3 marking Mechanism Wireless traffic sent from client stations to the AP Upstream Upstream DiffServ tagging DiffServ tagging is enabled is disabled 802.1p WMM 802.1p (Requires an egress VLAN to be defined for the VSC.) DiffServ DiffServ None TOS TOS None VSC-based WMM Non-WMM If an egress VLAN is defined for the VSC, then 802.1p and IP DSCP are set to reflect the VSC-based priority setting. L2 marking If no egress VLAN is defined for the VSC, then the 802.1p header is not added, and only IP DSCP is set to reflect the VSC-based priority setting. IP QoS 5-42 WMM None DiffServ Pass-through (Original layer 3 marking, if any, is preserved.) Working with VSCs Quality of service (QoS) Downstream traffic marking This table describes the marking applied to traffic received from the wired network by an AP and then sent to connected wireless client stations. OUTGOING TRAFFIC Wireless traffic sent from the controller to client stations INCOMING TRAFFIC Mechanism Traffic received from wired network 802.1p 802.1p DiffServ DiffServ TOS TOS VSC-based All traffic on the VSC. IP QoS All traffic that matches the ports/protocols specified in the selected IP QoS profiles. Note WMM Client WMM + HPQ (WMM marking done according to the rules for the mechanism.) Non-WMM Client HPQ (hardware priority queueing) Although the WMM specification refers to 802.1D and not 802.1p, this guide uses the term 802.1p because it is more widely recognized. (The updated IEEE 802.1D: ISO/IEC 15802-3 (MAC Bridges) standard covers all parts of the Traffic Class Expediting and Dynamic Multicast Filtering described in the IEEE 802.1p standard.) QoS example In this example, a single controller provides voice and data wireless support with different quality of service settings for guests and employees. #1 #2 #1 AP #2 AP Controller #3 #4 #3 #4 Backbone Network VSC #1 VSC #2 SSID=Guest QoS=Low priority SSID=Phone QoS=Very High Priority AP VSC #3 VSC #4 SSID=Employee QoS=Normal priority SSID=Video QoS=High priority 5-43 Working with VSCs Creating a new VSC Creating a new VSC To add a VSC, select Controller > VSCs >>VSC Profiles > Add New VSC Profile. Define VSC parameters and select Save. Familiarize yourself with sections of interest in VSC configuration options on page 5-5. See the online help for parameter descriptions. Assigning a VSC to a group When working with controlled APs, VSC definitions must be bound to a group so that they will automatically be activated on the APs in the group. For information on how to bind (assign) a VSC to a group, see Binding a VSC to a group on page 6-26. On the MSM317, VSCs can also be bound to a switch port. See the MSM317 Access Device Installation and Getting Started Guide. Note 5-44 When working with autonomous APs, the VSC definition you create on the controller must be manually configured on each autonomous AP. See Working with autonomous APs on page 19-1 and the MSM3xx/MSM4xx Management and Configuration Guide. Chapter 6: Working with controlled APs 6 Working with controlled APs Contents Key concepts.................................................................................................................6-3 Key controlled-mode events .......................................................................................6-4 Discovery of controllers by controlled APs..............................................................6-6 Discovery overview ...............................................................................................6-6 Discovery methods................................................................................................6-7 Discovery order .....................................................................................................6-9 Discovery recommendations .............................................................................6-10 Discovery priority................................................................................................6-11 Discovery considerations ...................................................................................6-13 Monitoring the discovery process .....................................................................6-13 Authentication of controlled APs.............................................................................6-19 Building the AP authentication list ...................................................................6-20 Configuring APs..........................................................................................................6-22 Overview...............................................................................................................6-22 Inheritance ...........................................................................................................6-23 Configuration strategy ........................................................................................6-24 Working with groups ...........................................................................................6-25 Working with APs ................................................................................................6-26 Assigning egress VLANs to a group...................................................................6-30 Assigning country settings to a group...............................................................6-30 Provisioning APs ........................................................................................................6-31 Provisioning methods .........................................................................................6-32 Displaying the provisioning pages.....................................................................6-33 Provisioning connectivity...................................................................................6-34 Working with controlled APs Provisioning discovery........................................................................................6-37 Provisioning summary ........................................................................................6-38 Provisioning example..........................................................................................6-39 AeroScout RTLS .........................................................................................................6-40 Software retrieval/update..........................................................................................6-42 Monitoring...................................................................................................................6-42 6-2 Working with controlled APs Key concepts Key concepts The controller provides centralized management of APs operating in controlled mode. Controlled mode greatly simplifies the set up and maintenance of a Wi-Fi infrastructure by centralizing the configuration and management of distributed APs. Note Starting with software version 5.x, APs operate in controlled mode by default. If you update an AP from an earlier release, the AP boots in autonomous mode. Subsequently resetting the AP to factory defaults switches it to controlled mode. For details on working with autonomous APs, see Working with autonomous APs on page 19-1, and Resetting to factory defaults on page C-1. Plug and play installation In most cases, initial configuration of an AP is not required. Simply power it up and plug it into a network that provides access to a controller. The AP will automatically discover and authenticate itself with the controller. The AP does not offer wireless services until it successfully connects and synchronizes with a controller. Layer 3 networks may require the APs first to be provisioned. Automatic software updates Once an AP establishes a management tunnel with a controller its software is automatically updated to match the version installed on the controller. Centralized configuration management All AP configuration settings are defined using the controller management tool and are automatically uploaded to all controlled APs with a single mouse select. For added flexibility, APs can be assigned to groups, enabling each group to have customized configuration settings. If needed, the individual settings for each AP in a group can also be customized. Manual provisioning By default, APs operating in controlled mode will automatically discover and connect with a controller on most network topologies. However, in certain cases it may be necessary to manually configure (provision) connectivity and discovery options. Manual provisioning can be done directly on the AP, or via the controller. When using the controller, provisioning can be applied to entire groups making it easy to customize many APs at once. When working with a controller team, APs must be provisioned to discover each team member to ensure that failover is supported. The APs must be able to migrate to a new team member if the current team member with which they are associated becomes unavailable. Secure management tunnel Once authenticated, a secure management tunnel is established between the AP and the controller to support the exchange of management traffic between the two devices. 6-3 Working with controlled APs Key controlled-mode events AP authentication The controller can be configured to authenticate APs by their MAC address before they are managed. The authentication can be defined locally on the controller, via a third-party RADIUS server, or using a remote text-based control file. Key controlled-mode events The following diagram provides an overview of key events that occur when working with APs in controlled mode. Controller AP Deploy the controller. Configure AP authentication. For security purposes, the controller can require that APs be authenticated before they can be managed. See Authentication of controlled APs on page 6-19. Set up groups. Groups allow you to apply the same configuration settings to many APs at the same time. You can create multiple groups, allowing you to maintain distinct settings for different types of APs. If no groups are created, all APs are assigned to a default group. See Configuring APs on page 6-22. Deploy an AP with its default configuration OR manually provision initial AP configuration. On most network topologies, if you deploy an AP with factory default settings it will automatically find and connect with a controller on the network. In some cases, it may be necessary or desirable to provision an AP before it is deployed to ensure that discovery is successful, or to force a specific discovery option. The AP does not offer wireless services until it discovers and connects with a controller. 6-4 See Provisioning APs on page 6-31. Working with controlled APs Key controlled-mode events Controller The controller receives a discovery request. AP When started, the AP attempts to discover all controllers that are operating on the local network. The controller sends a discovery reply. (If the AP authentication option is enabled, the AP needs to be authenticated first.) See Discovery of controllers by controlled APs on page 6-6. Controller adds the AP to a group. This will either be the default group (if the AP is new/ unknown) or an existing group (to which the AP was previously assigned). See Discovery of controllers by controlled APs on page 6-6 AP receives discovery reply. If more than one reply is received, the AP chooses the controller with the highest priority setting. See Controlled AP discovery on page 2-11. AP joins with the selected controller. See Configuring APs on page 6-22. If AP software is out of date, controller tells the AP to update its software. AP fetches the software from the controller, installs it, and then restarts itself. Discovery is performed again. Controller accepts the secure management tunnel. AP establishes secure management tunnel with the controller. The controller updates the AP configuration. AP receives new software and configuration. 6-5 Working with controlled APs Discovery of controllers by controlled APs Controller AP Discovery complete. Wireless services become available. For the MSM317, the switch ports also become active. Discovery of controllers by controlled APs This section describes how the discovery process works and how it can be customized. Discovery is the process by which a controlled AP finds a controller (or controller team) on a network and establishes a secure management tunnel with it. To see how the discovery process fits into overall controlled mode operations, see Key controlled-mode events on page 6-4. In most cases, the factory default configuration of an AP will result in automatic discovery of a controller with no configuration required. However, for some network topologies it may be necessary to configure the discovery process as described in this section. See Discovery recommendations on page 6-10 for examples of topologies that can use automatic discovery and those that require discovery to be configured. Note If you intend to manage controlled APs via local mesh, see Local mesh on page 13-1. Provisioning can limit the discovery of potential controllers. See Provisioning APs on page 6-31. Discovery overview Although the specifics of the discovery process vary depending on whether an AP is unprovisioned (in its factory default state) or provisioned (had its connectivity or discovery settings changed from their factory default settings), the discovery process can be summarized as follows: 1. The AP uses various methods to locate one or more controllers that are reachable on the network. The preferred way to monitor AP discovery is via the controller management tool (see Monitoring the discovery process on page 6-13). When in visual range of the APs, you can watch the status lights for an indication of discovery progress. See the status light information in the AP Quickstart (provided and available online). 6-6 Working with controlled APs Discovery of controllers by controlled APs 2. Discovered controllers send a discovery reply to the AP. If the controller is configured to require AP authentication, the reply is only sent after the AP is authenticated by the controller. 3. The controller adds the AP to a group. This will either be the default group (if the AP is new/unknown) or an existing group (to which the AP was previously assigned). 4. The AP is now managed by the controller, and it can be configured and monitored using the controller management tool. Note APs must be connected to the network via Port 1 (or the Uplink port on an MSM317) for discovery to work. Unprovisioned APs must obtain an IP address from a DHCP server before discovery can be initiated. When discovery occurs on a VLAN, the DHCP server must be active on the VLAN. Discovery is performed whenever an AP: Is restarted (or reset to factory defaults) Loses connectivity with its controller Is removed and rediscovered using an action on the Controlled APs >> Overview > Discovered APs page. Discovery methods Four discovery methods are available. The following table summaries their features and recommended applications. Method Description Supported by Suggested use UDP broadcast AP issues UDP broadcasts to discover controllers on the same subnet. Unprovisioned APs Both the controller and AP reside on the same subnet. DHCP AP obtains controller address from a specially configured DHCP server. Unprovisioned APs The AP is on a different subnet than the controller. DNS AP obtains controller address from a DNS server using predefined host names. Unprovisioned APs The AP is on a different subnet than the controller. AP connects to a specific controller using a preconfigured static IP address. Provisioned APs Specific IP addresses Provisioned APs DHCP and DNS are not used and the AP is on a different subnet than the controller. 6-7 Working with controlled APs Discovery of controllers by controlled APs Note A controller listens for discovery requests on its LAN port and/or Internet port as configured on the Controller >> Management > Device Discovery page. (See Device discovery on page 2-9). UDP broadcast discovery The AP sends a UDP broadcast to discover all controllers that are on the same subnet as the AP. DHCP discovery When configured as DHCP client (which is the factory default setting for all APs), an AP can obtain the IP addresses of controllers on the network from any DHCP server configured to support the Colubris Vendor Class (DHCP option 43). Vendor Class enables an administrator to define a list of up to five available controllers on the network to which APs can connect. If the controller is configured to operate as the DHCP server for the network, you can define the list of available controllers by selecting Controller >> Network > Address allocation > DHCP server and then configure the Controller discovery option. See Controller discovery on page 3-16. If an external DHCP server is used, it must have Option 43 configured. For examples on how to configure some popular third-party DHCP servers, see Appendix E: DHCP servers and Colubris vendor classes. DNS discovery DNS discovery is attempted using UDP unicast discovery requests which are issued by the AP to the following default controller names: cnsrv1 cnsrv2 cnsrv3 cnsrv4 cnsrv5 This method enables discovery across various network configurations. It requires that at least one controller name is resolvable via a DNS server. 6-8 Working with controlled APs Discovery of controllers by controlled APs The AP appends the default domain name returned by a DHCP server (when it assigns an IP address to the AP) to the controller name. For example, if the DHCP server returns mydomain.com, then the AP will search for the following controllers in this order: cnsrv1.mydomain.com cnsrv2.mydomain.com cnsrv3.mydomain.com cnsrv4.mydomain.com cnsrv5.mydomain.com Discovery using specific IP addresses Provisioned APs can be configured to connect with a controller at a specific IP address. A list of addresses can be defined, allowing the AP to search for multiple controllers. This can also be used to strengthen the security on a local network to make sure that the AP goes to a specific controller for management. Discovery order Discovery occurs differently for unprovisioned and provisioned APs. Unprovisioned APs Once an unprovisioned AP has received its IP address from a DHCP server, it attempts to discover a controller using the following methods, in order: UDP broadcast DHCP DNS These discovery methods are applied on the following interfaces, in order: Last interface on which a controller was discovered. (Only applies to APs that have previously discovered a controller) Untagged on the Port 1 All other detected VLANs (in sequence) on Port 1 Provisioned APs If discovery settings are provisioned on the AP, then the AP uses only the provisioned settings (see Provisioning discovery on page 6-37). The following discovery settings are available on provisioned APs: DNS discovery: Enables custom controller names and domains to be used for discovery. Discovery using specific IP addresses: Enables the AP to find controllers operating at specific IP addresses. 6-9 Working with controlled APs Discovery of controllers by controlled APs Discovery recommendations Note When controller teaming is active, controlled APs discover a team in the same way that they discover non-teaming controllers. If the AP is on the same subnet as the controller, then UDP discovery will work with no configuration required on either the AP or controller. This applies whether the controller is operating as the DHCP server for the network or if a third-party DHCP server is used. If VLANs are being used, then UDP discovery will also work with no configuration. However, to speed up the discovery process you can provision the AP with a specific VLAN ID. This will eliminate the need for the AP to find and attempt discovery on all available VLANs. If the AP is on a different subnet than the controller, UDP discovery will not work. Instead, DHCP or DNS discovery must be used, or direct IP address discovery must be provisioned. DHCP discovery: If you have control of the DHCP server, enable support for the Colubris Vendor Class as explained in DHCP discovery on page 6-8. DNS discovery: If you have control of the DNS server, you can configure it to resolve the default controller names that an AP will search for. To use custom names, you must provision discovery settings on the AP. For more information on using custom names, see Provisioning discovery on page 6-37. Specific IP discovery: This method needs to be used when you do not have control over the DHCP and DNS servers and no domain is registered to the controller. For example, if the connection to the controller is routed over the public Internet. 102.27.3.42 35.12.33.57 Internet port AP Controller Provisioned to discover the controller at the address 102.27.3.42 For discovery to succeed, the AP must be provisioned with the controller IP address. See Provisioning discovery on page 6-37. 6-10 When working with a controller team, APs should be provisioned to discover all controllers that make up the team, not just the team manager. This is required for proper fail-over operation. Working with controlled APs Discovery of controllers by controlled APs Discovery priority Each controller or controller team that receives a discovery request sends the requesting AP a discovery reply. If the AP authentication option is enabled, the AP needs to be authenticated first. Requests from unauthenticated APs are ignored. If an AP receives discovery replies from multiple controllers, the AP selects the controller that has the highest discovery priority setting. If that controller is already managing the maximum number of controlled APs, the AP will choose the controller with the next highest priority. Non-teamed controllers are always higher priority than controller teams. Therefore, if your network contains both controller teams and non-teamed controllers, APs first attempt to establish a secure management tunnel with discovered non-teamed controllers in order of their discovery priority. Only if all non-teamed controllers are already managing the maximum number of controlled APs will the AP then consider controller teams in the order of their priority. The following table shows how discovery would occur for several teamed and non-teamed controllers. Configured discovery priority setting Actual order of discovery by APs Controller 1 1 1 Controller 2 2 2 Controller 3 3 3 Team 1 1 4 Team 2 2 5 Team 3 3 6 Controller or Team If two controllers have the same priority setting, the AP will appear on the Overview > Discovered APs page of both controllers with a Diagnostic value of Priority Conflict (See Viewing all discovered APs on page 6-14). To resolve the conflict, change the priority setting of one of the controllers on its Discovery page. Discovery priority is set on a controller using the Discovery priority of this controller option on the Controller >> Management > Device Discovery page. 6-11 Working with controlled APs Discovery of controllers by controlled APs On a non-teamed controller On a controller team If only connectivity settings are provisioned, then the AP attempts to discover a controller using the same methods as for unprovisioned APs, namely: Tip 6-12 UDP broadcast DHCP (the AP must be configured as a DHCP client for this to work) DNS For more information on provisioning APs, see Provisioning APs on page 6-31. Working with controlled APs Discovery of controllers by controlled APs Discovery considerations If controlled APs are behind a firewall or NAT device, refer to the following sections. Firewall If the network path between an AP and a controller traverses a firewall the following ports must be opened for management and discovery to work: Protocol Open these ports Ports are used by UDP Source and destination = 38212 (9544 hex) Discovery protocol the AP uses to find a controller. UDP Destination = 1194 (4AA hex) Management tunnel that is established between an AP and a controller. TCP Source and destination = 1194 (4AA hex) Software updates and certificate exchanges (for the management tunnel). UDP Source and destination = 3001 (BB9 hex) Client data tunnel. UDP Source = 39064 (9898 hex) Destination = 1800 (708 hex), 1812 (714 hex), 1813 (715 hex), 30840 (7878 hex) Location aware. This is only necessary if autonomous APs are using the accesscontrolled (public access) interface. NAT If the network path between an AP and a controller implements NAT (network address translation), discovery will only work if NAT functions on outbound traffic sent from the AP to the controller. If NAT operates in the other direction, discovery will fail. Monitoring the discovery process This Summary menu lists the number of controlled APs discovered by the controller. APs are grouped according to their management state. For example: Synchronized, Detected, Configured, Pending. An AP may be active in more than one state at the same time. For example, an AP may be both Detected and Synchronized. Select the state name to display information about all APs in that state. 6-13 Working with controlled APs Discovery of controllers by controlled APs Viewing all discovered APs To display information about APs discovered by the controller, select Controlled APs >> Overview > Discovered APs. The Discovered APs page provides the following information: 6-14 Number of access points: Indicates the number of APs that were discovered. Select the action to apply to all listed APs: Lets you apply the selected action to all APs in the list. Select an action and then Apply. Status: Green: The AP is synchronized, meaning that the AP is connected, running, and has received its configuration from the controller. Orange: The AP is unsynchronized, meaning that the AP is operational but does not have the same configuration as the controller, yet. Red: The AP is not part of the controlled network and is not providing wireless services. See the Diagnostic column for details. Grey blinking: An action is pending. Grey: The AP is configured in a group, but has not been discovered on the network. AP name: Name assigned to the AP. Serial number: Unique serial number assigned to the AP at the factory. Cannot be changed. Wireless services: Indicates the status of wireless services on the AP. A separate icon appears for each radio on the AP. See the legend under the table for the meaning of each icon. Wireless clients: Indicates the number of wireless clients currently associated with the AP. Select the number to see more information. Working with controlled APs Discovery of controllers by controlled APs Diagnostic: Indicates the status of the AP with regards to management by the controller, as shown in the following table. Diagnostic Description Detected The AP was detected by the controller. Enabling VSC services The AP is enabling wireless services for all VSCs. Establishing tunnel A secure management connection is being established to the AP. Firmware failure New firmware failed to upload to the AP. The controller will retry soon. Incompatible settings Local mesh has been provisioned on the AP but: The APs radio is disabled. The AP radio operating mode does not support local mesh. The APs radio wireless mode does not match the one provisioned. The mesh ID is not uniquely assigned. Installing firmware New firmware has been successfully uploaded to the AP. Wait until the AP restarts to activate the new firmware. Not authorized The AP could not be authenticated by the controller. This may be due to invalid authentication credentials supplied by the AP. (Authentication settings used by the controller are defined on the Controller >> Security > Controlled APs page.) You should accept the AP unless it is an actual rogue. Not responding The AP has stopped sending management information to the controller. Rediscovery may re-establish the connection. If not the AP may have lost power or a network failure has occurred. Priority conflict More than one controller responded to the AP discovery request with the same priority. The AP is therefore unable to select a controller to function as its controller. The AP will retry its discovery request shortly. You must fix the priority conflict by changing the priority setting for one of the controllers (Controller >> Management > Device discovery). Waiting for manager When teaming is active, a newly discovered AP will temporarily be in this state while it waits for the team manager to add it to the network tree. 6-15 Working with controlled APs Discovery of controllers by controlled APs Diagnostic Description Rebooting The AP is restarting. Resetting configuration The AP configuration is being reset to factory defaults. This is normal and will occur when the firmware version on the controller is changed or if the AP is not synchronized. Restoring configuration The AP is currently restoring its previous configuration settings. Suspicious device The AP unexpectedly requested new authentication certificates from the controller. Possible causes are as follows: A previously synchronized AP was reset to factory defaults. An unauthorized AP may be using the same MAC address. This is a possible security breach that should be investigated before authorizing the AP again. Synchronized The AP is up and running, offers wireless services, and had its firmware and configuration settings successfully updated by the controller. Synchronized/License violation Although the AP is synchronized it is non-functional (quarantined) due to a license violation. You must change the configuration to omit the affected licensed feature or acquire and install a valid license. Unconfigurable This AP cannot be added because the maximum number of configured APs has been reached. To add this AP you must first remove one or more currently configured APs. Unsupported product No suitable firmware is available for this AP on the controller. You should upgrade the controller firmware so that the newly-introduced product can be recognized. Unsynchronized The AP is up and running and offers wireless services. However, its configuration settings do not match the settings defined on the controller (at the group or AP level). You should Synchronize the AP. 6-16 Working with controlled APs Discovery of controllers by controlled APs Diagnostic Description Unsynchronized/License violation The AP is not synchronized but can continue operation. However, if synchronized, it will become non-functional as described above for Synchronized/License violation. Before synchronizing, either change the configuration to omit the affected licensed feature or acquire and install a valid license. Uploading configuration Configuration settings are currently being sent to the AP. Uploading firmware The controller is uploading new firmware to the AP. Wait until the operation completes. Validating configuration The controller is waiting for the AP to send its configuration. Validating firmware The controller is waiting for the AP to send its firmware version number. Waiting for acceptance The AP has been authorized by the controller. However, the AP has not yet selected the controller to function as its controller. (If multiple controllers replied to the APs discovery request, the AP may choose to connect with another controller.) Wrong product The AP was created with a product type that does not match the detected product type. This can occur when an AP is manually added to a group with the wrong product type. You should verify and fix the product type. Validating capabilities The capabilities of the AP are being identified by the controller. Action: Indicates the recommended administrative action to be taken to resolve a diagnostic condition. 6-17 Working with controlled APs Discovery of controllers by controlled APs Viewing all configured APs To display information about APs configured by the controller, select Controlled APs >> Overview > Configured APs. The Configured APs page provides the following information: Number of displayed access points: Number of configured APs that were discovered. Filter APs by: To narrow down the list of APs in the table, select a category and enter text on which to filter the AP list. Select Apply to activate the filter. To deactivate the filter, clear the filter text and then select Apply. Move selected APs to group: Select a group from the list and select apply to move all selected APs in the table to that group. Table Select the title of a column to sort the entries according to the values in the column. 6-18 Check boxes: Use the check box to select an AP to move it to another group. Select the check box in the title bar to select all APs on this page. Detected: Yes: The AP has been discovered and is listed on the AP overview page, where more information is provided on the AP. No: The AP has not been discovered. AP name: Name assigned to the AP. Select the name to open its AP management page. Serial number: Serial number assigned to the AP. Select the serial number to open its AP management page. Group Name: Group that the AP is part of. Product: Product name of the MSM AP. Working with controlled APs Authentication of controlled APs Creation mode: Local: AP was added manually, or was manually authenticated after being discovered. RADIUS: AP was successfully authenticated via RADIUS and then created. External file: AP was successfully authenticated using the external file option. Discovered: Automatically detected by the controller based on discovery-time parameter exchange. Already Seen: The AP established a management tunnel to the controller at least once in the past. Authentication of controlled APs For security purposes, the controller can require that APs be authenticated before they are managed. Authentication is enabled by selecting Controller >> Controlled APs > Authentication. Note The AP authentication option is disabled by default, meaning that all discovered APs are authorized (no authentication is required). The controller authenticates APs using their MAC addresses. When an AP sends a discovery request to the controller, it includes its Ethernet Base MAC address. The controller validates this address against its AP address authentication list. If the address appears in the list, the AP is authenticated and gains access to the controller's service control features. 6-19 Working with controlled APs Authentication of controlled APs If authentication fails (for example, this is a new AP), and the Use the local authentication list option is enabled, then the AP is added to the Default Group and flagged as requiring authentication. The AP must then be manually authenticated by a manager using the Controlled APs >> Overview > Discovered APs page. Once authenticated, the AP can be managed. Note APs remain visible in this list as long as they have been detected and authorized at least once. If an AP is no longer part of the network then a manager must manually remove it. Building the AP authentication list The controller can retrieve authentication list entries from several sources: a RADIUS account, a file, or using the set of locally configured APs. All entries are merged to create a combined list. The controller retrieves authentication list entries when: The Authentication interval expires Authenticate Now is selected Save is selected Each time the controller starts up. Each time the authentication list entries are retrieved, all connected APs are checked against it. If an AP MAC address is no longer listed, its connection is terminated. Note Although the same RADIUS account can be shared between this option and the Public access > Attributes page, it is recommended that a separate RADIUS account be created for each option. General settings Authentication interval Specifies the interval at which the controller retrieves authentication list entries from the selected authentication sources. After the entries are retrieved all controlled APs are evaluated against the new list. Authenticate Now Causes the controller to retrieve authentication list entries from all selected sources. 6-20 Working with controlled APs Authentication of controlled APs Use file authentication list When this option is selected, the controller retrieves authentication list entries from a file. This must be an ASCII file with one or more MAC addresses in it. Each address must be entered on a separate line. For example: 00:03:52:00:00:01 00:03:52:00:00:02 00:03:52:00:00:03 A label affixed to each AP indicates its Ethernet Base MAC Address. This is the address to specify in the authentication list. File location Specify the location of the file to use for authentication of APs using either HTTP or FTP. For example: ftp://mydomain.com/auth_list ftp://username:password@mydomain.com/auth_list http://mydomain.com/auth_list Use RADIUS authentication list When this option is selected, the controller retrieves authentication list entries from a RADIUS server. List entries must be defined in the RADIUS account for the controller using the following Colubris-AVPair value string: managed-ap=MAC_address Where MAC_address is the Ethernet Base port MAC address of the controlled AP (which is printed on a sticker affixed to the AP case). Use colons to separate characters in the address. For example: 00:20:E0:6B:4B:44. To define multiple addresses, specify additional entries as needed. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server if it is not already present as follows: SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 0 Attribute type = string RADIUS profile When the Authentication source is RADIUS, this option specifies the name of the RADIUS profile to use. There is no default. To configure RADIUS profiles, select Controller >> Authentication > RADIUS profiles. RADIUS username When the Authentication source is RADIUS, specifies the RADIUS username assigned to the controller. RADIUS password / Confirm RADIUS password Specifies the password that corresponds with RADIUS username. 6-21 Working with controlled APs Configuring APs Use the local authentication list When this option is selected, the controller creates authentication list entries based on the set of APs that are currently defined on the controller. For reference purposes, the table shows the AP name, Serial number and MAC address of all APs that are defined and will be included in the authentication list. Note When the local authentication list is enabled, the first time an AP tries to connect to the controller, a manager must manually accept the AP on the Controlled APs >> Overview > Discovered APs page by selecting the Authorize in the Action column for the AP. Otherwise, the AP will not be able to connect to the controller. Configuring APs This section explains how to configure APs using the Controlled APs menu in the Network Tree. Overview To make the configuration of multiple APs easier to manage, parameters settings are managed using a hierarchal structure, where the configuration settings at lower levels are inherited from those at higher levels. There are three levels to the hierarchy: base group, group, and AP. For example: Base group Group AP Select the + symbol next to Controlled APs to expand the tree to see all groups. Select the + symbol next to each group to see its APs. The levels are defined as follows: 6-22 Base group: The base group is called Controlled APs. This name cannot be changed and you cannot create an additional base group. Settings made to the base group are inherited by groups and APs. Working with controlled APs Configuring APs Note Group: Group-level configuration enables you to define settings that are shared by APs with similar characteristics. For example, if you have several APs at a location that are all providing the same service, putting them in the same group makes them easier to manage. The Default Group is always present. All newly-discovered APs are initially placed into this group. You can create multiple groups. APs: AP-level configuration enables you to specify configuration settings for a particular AP that overrides corresponding group-level settings. Assignment of VSCs can only be done at the group level. This means that all APs in a group always have the same VSC settings. The only exception to this is the MSM317 which allows VSCs to be bound to individual ports on its integrated switch. See the MSM317 Access Device Installation and Getting Started Guide. Inheritance Configuration settings are inherited as follows: Settings made at the Controlled APs level are inherited by all groups. Settings made at the Group level are inherited by all the APs in a group. To change inherited configuration settings you must first clear the Inherited checkbox. For example, the following image shows the 802.1X page with the Inherited checkbox cleared, allowing all settings on this page to be customized. Binding VSCs to groups The controller defines a global pool of VSCs (see Working with VSCs on page 5-1) that represents all services that are available. From this pool, specific VSCs can be bound to one or more groups, to define the features that will be offered to users throughout the wireless network. Note VSCs cannot be bound to individual APs or to the base group. VSC can only be bound to a group. 6-23 Working with controlled APs Configuring APs Any changes to a bound VSC affect all groups (and APs) to which the VSC is bound, making it easy to manage configuration changes network-wide. A key setting when binding a VSC to a group is the Egress network. If you enable this option, it can alter where the APs send user traffic. See Traffic flow for wireless users on page 7-6 for detailed information on how the Egress network in a VSC binding can be affected by different configuration settings. Note On the MSM317, VSCs can also be bound directly to the switch ports. See the MSM317 Access Device Installation and Getting Started Guide. Synchronizing APs After making configuration changes to an AP or a group, you must update all affected controlled APs with the new settings by synchronizing them. See Synchronizing APs on page 6-29. Configuration strategy There are two ways to approach AP configuration: Discover APs and then configure groups This strategy works as follows: 1. Deploy the APs in their default configuration on the network. 2. Allow the discovery process to find the APs and place them in the default group. 3. Create group definitions and then move the APs to the appropriate group. Tip Configure the default group to disable all radios. In this way, the default group becomes a staging area to hold newly added APs. Once discovered, the new AP can be moved to its appropriate group where its radio is activated. Configure groups and then discover APs This strategy works as follows: 1. Create group definitions. 6-24 Working with controlled APs Configuring APs 2. Manually define each AP in the appropriate group. 3. Deploy the APs in their default configuration on the network. 4. Allow the discovery process to find the APs and place them in the pre-configured groups. Working with groups Adding a new group To create a new group, do the following: 1. Select Controlled APs >> Group management. 2. Select Add New Group. 3. Specify the name of the new group and select Save. Deleting a group Note You must remove all APs from a group before you delete it. To delete a group, do the following: 1. Select Controlled APs >> Group management. 2. Select the name of the group you want to delete. 3. Select Delete. 6-25 Working with controlled APs Configuring APs Binding a VSC to a group To bind a VSC to a group, do the following: 1. Select the target group under Controlled APs. 2. In the right pane, select VSC bindings, then select Add New Binding. 3. Select the VSC profile to which the group will be bound. 4. If you want to assign an egress mapping to the binding, select Egress network and select the required Network profile. The Egress network can be used to assign all traffic on the group to a specific VLAN. Other uses are also possible depending on the type of VSC to which the group is being bound. For more information, see Traffic flow for wireless users on page 7-6. 5. Select Save. Working with APs Manually adding a new AP You can manually add APs to the controller before connecting the APs to the network. This is useful, for example, when you want to pre-designate the group into which an AP will be placed. 1. Select Controlled APs >> Overview > Configured APs. 2. Select Add. 6-26 Working with controlled APs Configuring APs 3. In the Device box, identify the new AP, specifying at a minimum, Device Name, Ethernet BASE MAC (printed on the label affixed to each AP), and Group. Select Save. The AP is added to the selected group in the Network tree and will also be shown in the Configured APs list. Note When the AP is physically connected to the network, it will discover the controller and automatically be accepted into the selected group. Make sure you configure the correct MAC address, otherwise the AP will just be discovered as a new AP and will not be placed into the selected group. If an AP is created with the wrong product type it will go into the Wrong product state when discovered. (For example, if you specify MSM310 for an AP that is an MSM320.) To remedy this, select Overview > Discovered APs and select the Accept Products link in the Action column. (This action will override the pre-configured product setting by the information discovered from the actual physical AP.) 6-27 Working with controlled APs Configuring APs Deleting an AP Note When the AP authentication feature is disabled, a deleted AP may automatically rediscover the controller if the AP is left connected to the network. Therefore, before deleting, disconnect the AP unless you want it to rediscover the controller. 1. To delete an AP, select the AP in the Network tree, and then in the Configured APs list, select the AP name in the Link column. 2. On the AP management page, select Delete. The AP is deleted. Moving an AP to a different group Note Moving an AP to a different group causes it to be restarted. Using drag-and-drop The easiest way to move an AP to a different group is to drag-and-drop it from the old group to the new group. Both groups must be visible in the Network tree for this to work. The move to the different group does not actually occur until the AP is synchronized as described in the next section, Synchronizing APs on page 6-29. Using menus 1. In the Network tree select the AP and then on the main menu, select Device Management > AP management. 2. Under Access point settings, select the desired Group and select Save. This puts the AP into the unsynchronized state (it will be displayed in orange). The move does not occur until the AP is synchronized as described in the next section. 6-28 Working with controlled APs Configuring APs Moving multiple APs between groups To move one or more APs between groups, do the following: 1. Use the check boxes in the table to select one or more APs. Select the check box in the table header to select all the APs in the table. 2. Select the group into which to move the APs from the list next to Move selected APs to group. 3. Select Apply. Synchronizing APs Depending on the type of configuration changes that are being synchronized, wireless users may be forced to reassociate or log in again. After making configuration changes, you must synchronize the APs with the updated configuration as follows: 1. In the Network tree, select the group that contains the APs, and then in the right pane, select Discovered APs. For example, Secondary Group. APs requiring synchronization are displayed with an orange background and show Unsynchronized in the Diagnostic column. 6-29 Working with controlled APs Configuring APs 2. Select a Synch link in the Action column to synchronize a single AP. Or, to synchronize all unsynchronized APs in the group, select Synchronize Configuration in the Select the action to apply to all listed APs list, and select Apply. 3. Monitor synchronization progress by watching the Diagnostic column. Messages such as Resetting configuration and Restoring configuration will appear during the synchronization process. 4. As each synchronization completes, the Status light icon and background color of the synchronized AP changes to green. The status light icon next to the AP name under the pertinent group name in the Network tree also changes to green. This indicates that the AP is fully operational and using its new configuration. Assigning egress VLANs to a group When you bind an AP to a VSC, you are able to assign an egress network to the binding. The egress network can be used to assign all the traffic on the group to a specific VLAN. Other uses are also possible depending on the type of VSC to which the group is being bound. For more information, see Traffic flow for wireless users on page 7-6. Assigning country settings to a group The country of operation, also known as the regulatory domain, determines the availability of certain wireless settings on an AP. The country of operation is configured at the group level. To configure country settings, select either: Controlled APs >> Configuration > Country Controlled APs > [group] >> Configuration > Country 6-30 Working with controlled APs Provisioning APs The country configuration for the Base group looks like this: After changing the country setting, APs must be synchronized. Note In some regions, APs are delivered with a fixed country setting. If you place an AP with a fixed country setting into a group that has a different country configuration, the AP will fail to be synchronized. (The error Incompatible settings will be displayed on the Controlled APs >> Overview > Discovered APs page). Caution Incorrectly setting the country may result in illegal operation and may cause harmful interference to other systems. Please consult with a professional installer who is trained in RF installation and knowledgeable about local regulations to ensure that the AP is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country. If you fail to heed this caution, you may be held liable for violating the local regulatory compliance Provisioning APs Provisioning is the means by which you can change the factory default IP addressing method and controller discovery settings on controlled APs. Provisioning is generally not required when deploying controlled APs in simple network topologies. However, it is required as when: Controlled APs do not have layer 2 connectivity to a controller and where it is not possible to control the DNS or DHCP server configuration. See Discovery recommendations on page 6-10. Controlled APs need to be deployed with static IP addresses. Controlled APs use a local mesh to connect to the controller. See Provisioning local mesh links on page 13-12. This feature is not supported on the MSM317. To accelerate the discovery process on networks with a large number of VLANs, or when many VLANs are connected to many controllers. When multiple controllers are available to an AP and you want to make sure an AP always connects to the same controller. 6-31 Working with controlled APs Provisioning APs Provisioning methods Provisioning can be done in two ways: provision settings using the controller or provision settings directly on APs. Using the controller to provision APs On the controller, provisioning can be done at the group or AP level for added flexibility. Provisioning via the controller enables you to quickly provision many APs at once. In certain scenarios it may be practical to use one controller to provision APs, and then have the APs associate with another controller after being deployed. For example, provisioning could occur at the network operations center by connecting APs to the same subnet as a controller. Once provisioned, the APs can then be deployed in the field where they will discover a controller already in operation. To enable a controller to send provisioned settings to controlled APs, you must first activate the Enable provisioning of controlled APs option on the Controller >> Controlled APs > Provisioning page. Define provisioning settings as described in Displaying the provisioning pages on page 6-33. Note Until this option is enabled, provisioned settings defined on the controller are not sent to any controlled APs. After an AP has been updated with provisioned settings, these settings do not become active until the AP is restarted, or a Remove and rediscover action is executed on the Controlled APs >> Configured APs page. Directly provisioning an AP using its management tool In its factory default state, the AP provides a provisioning menu with the same options that are available on the controller. Use this method when there is no local controller on which to perform the provisioning. See Displaying the provisioning pages on page 6-33. Note Once an AP has established the secure management tunnel with a controller, the provisioning menu on the AP is no longer accessible. In both cases, the configuration settings that you have access to are the same. They are described in the following sections. 6-32 Working with controlled APs Provisioning APs Displaying the provisioning pages To display the provisioning pages, do the following: On a controller 1. Select one of the following in the Network tree: Controlled APs A group An AP 2. In the right pane, select Provisioning > Connectivity. 3. Configure provisioning settings as described in the sections that follow. On an AP in its factory-default state 1. Log in to its management tool. 2. Select Provision at the bottom of the home page. Note The Provision button is only available if the AP is in its factory-default state, meaning it has not yet been provisioned and that the AP has never discovered a controller (since last factory default). To force an AP into its factory-default state, press and hold its reset button until the status lights blink three times. 3. Configure provisioning settings as described in the sections that follow. 6-33 Working with controlled APs Provisioning APs Provisioning connectivity Use the Provisioning > Connectivity page to provision connectivity settings for a controlled AP. The following page will appear on all APs except for the MSM317. Enable provisioning here: 6-34 Working with controlled APs Provisioning APs The following page will appear on the MSM317. Enable provisioning here: Interface Select the interface you want to configure and then define its settings using the other options on this page. Set VLAN ID if applicable. Assign IP address via DHCP client: Address is assigned using a DHCP server. Enable this option to have the interface act as a DHCP client. The AP sends DHCP requests on the specified VLAN. If no VLAN is specified, the request is sent untagged. Static: Select this option to manually assign an IP address to the interface. Static IP settings When you select Static for Assign IP address via, configure settings in this box. IP address: Specify the IP address you want to assign to the interface. Address mask: Specify the appropriate subnet mask for the IP address you specified. Default gateway: Specify the IP address of the default gateway. Local mesh settings For information on provisioning these settings, see Local mesh on page 13-1. 6-35 Working with controlled APs Provisioning APs Country Select the country in which the AP is operating. Caution Selecting the wrong country may result in illegal operation and may cause harmful interference to other systems. Please consult with a professional installer who is trained in RF installation and knowledgeable about local regulations to ensure that the service controller is operating in accordance with channel, power, indoor/outdoor restrictions and license requirements for the intended country. The Country option is not available on APs delivered with a fixed country setting. 802.1X Enable this option when the AP is connected to a secured switch port that requires 802.1X authentication. Once the AP is authenticated, controller discovery proceeds as usual. Note If this option is enabled and the AP is connected to a unsecured switch port, 802.1X is ignored and discovery proceeds as usual. The switch port is expected to be multi-homed, so that once authentication is successful, tagged and untagged traffic for any MAC addresses (including wireless clients) will be accepted by the switch. In this type of environment. deployment can be a challenge, since the AP must already be configured with the correct 802.1X username and password before it is connected to the secured switch port. There are three solutions to this problem: During AP deployment, 802.1X is deactivated on the switch ports. The APs are connected and provisioned with the correct 802.1X settings by the controller. Once all APs are synchronized, 802.1X authentication can be enabled on the switch ports. Before being deployed, the APs are first connected to a controller via a non-secure switch. The APs are provisioned and synchronized with the correct 802.1X settings by the controller. Next, the APs are deployed to their final location. For small deployments, the administrator could connect each AP in turn to a computer and configure the appropriate 802.1X settings using the AP provisioning interface. This solution is time consuming and is not a realistic option for a large deployments. EAP method Select the extensible authentication protocol method to use: PEAP version 0: Authentication occurs using MS-CHAP V2. PEAP version 1: Authentication occurs using EAP-GTC. TTLS: The Tunneled Transport Layer Security protocol requires that the switch first authenticate itself to the AP by sending a PKI certificate. The AP authenticates itself to the switch by supplying a username and password over the secure tunnel. Username Username that the AP will use inside the TLS tunnel. 6-36 Working with controlled APs Provisioning APs Password / Confirm password Password assigned to the AP. Anonymous Name used outside the TLS tunnel by all three EAP methods. If this field is blank, then the value specified for Username is used instead. Provisioning discovery Use the Provisioning > Discovery page to provision the method a controlled AP uses to discover a controller. Two options can be provisioned: DNS discovery or discovery via IP address. The following page shows Discovery using DNS provisioned. Enable provisioning here: Discover using DNS The AP attempts to connect with a controller using the names in the order that they appear in this list. To discover the controller on the network, the AP appends each name with the specified Domain name. In the above example, the AP will search for controllers with the names: service-controller-1.mydomain.com service-controller-2.mydomain.com 6-37 Working with controlled APs Provisioning APs If you define a name that contains a dot, then the domain name is not appended . For example, if the name is controller.yourdomain.com, no domain name is appended. If the AP is operating as a DHCP client, the DHCP server will generally return a domain name when it assigns an IP address to the AP. If you leave the Domain name field on this page blank, then the DHCP domain name is appended to the specified names instead. Discover using IP address The AP attempts to connect with a controller using the IP addresses in the order that they appear in this list. Provisioning summary The following table defines the potential outcome for all provisioning scenarios. Connectivity Discovery provisioned provisioned Result No No Default behavior is used for connectivity and discovery. See Discovery of controllers by controlled APs on page 6-6. No Yes Discovery occurs using the provisioned methods on the following interfaces: Yes No Last interface on which a controller was discovered. (Only applies to APs that have previously discovered a controller.) Untagged on port 1 (Uplink port on the MSM317). All detected VLANs (in sequence) on port 1 (Uplink port on the MSM317). Discovery methods are used according to the provisioned connectivity settings. See Discovery of controllers by controlled APs on page 6-6. Note: DHCP discovery is not executed if a static IP address is provisioned. Yes 6-38 Yes Discovery occurs using the provisioned methods over the provisioned connectivity. The provisioned discovery method is retried indefinitely if it fails, however other discovery methods are not attempted. Working with controlled APs Provisioning APs Provisioning example The following example shows how to use the default group as a staging area, where APs are discovered and then provisioned before being moved into their actual production group. 1. Select Controller >> Controlled APs > Provisioning. 2. Select the Enable provisioning of controlled APs option. 3. Select Save. 4. Select Controller > Controlled APs > Default group >> Configuration > Radios. 5. Select each product in the table in turn, and disable its radio(s). 6. Select Controller > Controlled APs > Default group >> VSC bindings. 7. Disable any active VSC bindings. 8. Connect all APs that need to be provisioned. Wait until they are discovered and assigned to the default group. 9. Select Controller > Controlled APs > Default group >> Provisioning > Connectivity. Configure provisioning settings as required. For details, see Provisioning connectivity on page 6-34. 10. Select Controller > Controlled APs > Default group >> Provisioning > Discovery. Configure provisioning settings as required. For details, see Provisioning discovery on page 6-37. 11. If required, select individual APs and define provisioning settings accordingly. 12. Synchronize the APs. For details, see Synchronizing APs on page 6-29. The provisioned settings are not active at this point. 13. Move the APs from the default group to their actual production group. For details, see Moving an AP to a different group on page 6-28. This will force a restart of the APs and initiate the provisioned settings. 6-39 Working with controlled APs AeroScout RTLS AeroScout RTLS Controllers and their controlled APs can be used to provide the Wi-Fi infrastructure for an AeroScout Real-Time Location Tracking (RTLS) system. APs, AeroScout Wi-Fi RFID tags, and the AeroScout MobileView software work together for the purpose of wirelessly tracking the location of valuable assets in real time. The controller forwards AeroScout tag information from controlled APs to a computer running the AeroScout Engine and MobileView software. Aeroscout engine (AE) Controller AP Note Devices being tracked by their RFID tags The Aeroscout monitoring functions in the APs are managed from the Aeroscout engine. AP HP does not sell or promote AeroScout products. Contact AeroScout for information on obtaining its MobileView software, Wi-Fi RFID tags, and associated hardware. Consult the AeroScout documentation for deployment information. To work with MSM APs, the Wi-Fi RFID tags must be configured to send data in the WDS format (4 addresses). Channel allocation on the AP and tag must match as well. AeroScout MobileView should be configured with the team IP address of the team that is managing the controlled AP. To enable AeroScout support AeroScout support is only available for controlled APs, with radios configured as Access point only or Access point and Local mesh, and operating in the 2.4 GHz band. To configure the controller (and all its controlled APs) to work with AeroScout: 1. Select Controller >> Controlled APs > RTLS. 2. Select Enable support for AeroScout tags and MU. 3. Select Save. 6-40 Working with controlled APs AeroScout RTLS Viewing status information Basic AP and AeroScout tag status information is available by selecting Controller > Controlled APs >> Overview > RTLS. For example: All AeroScout management and monitoring is performed in the AeroScout software itself. Aeroscout documentation and AeroScout software must be used to operate and monitor the tags. AP name Name of the AP on which HP RTLS is enabled. AP MAC address MAC address of the AP. Radio Radio on the AP to which the AeroScout tag is connected. Engine IP address and port to which the controller sends the tag and Mu reports generated by the AP. Tag states Shows two values: admin state / operational state Admin state: Indicates if the AeroScout engine requested that the AP process frames generated by AeroScout tags. Oper state: Indicates if the radio is actually listening for frames generated by AeroScout tags. Mu states Shows two values: admin state / operational state Admin state: Indicates if the AeroScout engine requested that the AP process Mu (mobile unit) information. Oper state: Indicates if the radio is actually listening for Mu (mobile unit) information. Tag report Number of tag reports sent to the Aeroscout engine. Tag adj msg Number of tag messages that were dropped because they were received on the wrong channel. 6-41 Working with controlled APs Software retrieval/update Mu report Number of Mu reports sent to the Aeroscout engine. Software retrieval/update Software management of controlled APs is automatically performed by the controller after the AP is discovered (see Key controlled-mode events on page 6-4). If the software version on the AP does not match the version installed on the controller, new software is installed on the AP by the controller. For information on how to update the controller software see Software updates on page 20-4. Monitoring The controller provides a series of pages that present monitoring and status information for controlled APs. You can view these pages for all controlled APs, for all APs in a group, or for just a specific AP. All options appear on the Overview menu, which can be reached by selecting: Controlled APs >> Overview. Controlled APs > [group] >> Overview. Controlled APs > [group] > [AP] >> Overview. See the online help for details about the information provided on these status pages. 6-42 Chapter 7: Working with VLANs 7 Working with VLANs Contents Key concepts.................................................................................................................7-2 VLAN usage ............................................................................................................7-2 Defining a VLAN ...........................................................................................................7-3 Creating a network profile ...................................................................................7-3 Defining a VLAN ....................................................................................................7-4 Defining a VLAN on a controller port .................................................................7-4 User-assigned VLANs ...................................................................................................7-6 Traffic flow for wireless users ....................................................................................7-6 Traffic flow examples ................................................................................................7-10 Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN............................................................................................ 7-10 Example 2: Overriding the egress network in a VSC binding with a user-assigned VLAN................................................................................ 7-12 Working with VLANs Key concepts Key concepts The controller provides a robust and flexible virtual local area network (VLAN) implementation that supports a wide variety of scenarios. Up to 80 VLAN definitions can be created on the controller. VLAN ranges are supported, enabling a single definition to span a range of VLAN IDs. The following controller features are supported on a VLAN: Network address translation (However, static NAT mappings are not supported.) Management tool access SNMP access SOAP access VPN traffic L3 mobility VLAN usage VLANs can be used in a number of different ways to affect traffic routing on a controller and its APs. The following is a list of the most common VLAN uses: 7-2 Controller VSC ingress: VLANs can be used to determine how incoming traffic is mapped to a VSC on a controller. Assigning a VLAN range enables a single VSC to handle incoming traffic on multiple VLANs. Controller VSC egress: VLANs can be used to control how traffic is forwarded onto the wired network by a VSC on the controller. Traffic can be sent to the LAN port or Internet port, either untagged (no VLAN), tagged with a specific VLAN ID, or distributed across a range of VLAN IDs (using a round-robin mechanism). VSC binding: When an AP group is bound to a VSC, an egress VLAN can be specified. This egress is used in several different ways to route traffic depending on the features that are active on the VSC. For example, when Mobility traffic manager is active, this VLAN becomes the user’s home network. See Traffic flow for wireless users on page 7-6. Switch port VLANs: The switch ports on the MSM317 can be bound to a specific VLAN. See the MSM317 Installation and Getting Started Guide. User account profile VLAN: A VLAN can be assigned in a user account profile, enabling you to configure VLAN usage for groups of users. VLAN assignment via RADIUS attributes: A VLAN can be assigned in a user’s RADIUS account, enabling you to customize VLANs on a per-user basis. For example, when Mobility traffic manager support is enabled on a VSC, RADIUS VLAN attributes can be used to define a user’s home network. Discovery VLAN: APs can be provisioned to discover controllers on a specific VLAN. See Provisioning APs on page 6-31. Working with VLANs Defining a VLAN Defining a VLAN To create a new VLAN definition, first you must define a network profile with the required VLAN ID. Next, you use the profile to define a VLAN on a port, VSC interface, or user account. Creating a network profile 1. Select Controller >> Network > Network profiles. By default the list contains two definitions: Internet port network and LAN port network. 2. Select Add New Profile. 3. Under Settings, specify a Name to identify the profile. 4. Select VLAN, and then set ID to the VLAN ID you want to assign. You can also define a range of VLANs in the form X-Y, where X and Y can be 1 to 4094. For example: 50-60. This enables a single VLAN definition to accept traffic for one or more VLAN IDs, making it easy to manage a large number of contiguously assigned VLANs. You can define more than one VLAN range, but each range must be distinct and contiguous. VLANS with ranges cannot be assigned an IP address. 5. Select Save. The definition is added to the Network profiles page. 7-3 Working with VLANs Defining a VLAN Defining a VLAN Once you have created a network profile with a VLAN ID, you can use the profile to define a VLAN on the controller and APs. Some of the more frequently defined VLANs are listed in the following table. To define a VLAN on ... See ... A controller port Defining a VLAN on a controller port on page 7-4 The ingress mapping in a VSC profile VSC ingress mapping on page 5-16 The egress mapping in a VSC profile VSC egress mapping on page 5-17 The egress network in a VSC binding Binding VSCs to groups on page 6-23 Defining a VLAN on a controller port Define a VLAN on a controller port as follows: 1. Select Controller >> Network > Ports. By default, no VLANs are defined. 7-4 Working with VLANs Defining a VLAN 2. Select Add New VLAN. The Add/Edit VLAN page opens. 3. Under General, select the port to which the VLAN will be bound. Once a VLAN has been defined on a port, the port assignment cannot be changed. To assign the VLAN to a different port, delete the VLAN definition and create a new one on the required port. 4. Under VLAN, select the VLAN ID to assign. The list contains all network profiles that are defined with a VLAN ID or range. 5. Specify how the VLAN obtains an IP address. An IP address cannot be assigned to a VLAN range. DHCP client: The VLAN obtains its IP address from a DHCP server on the same VLAN. Note: There is no support for obtaining a default gateway from the DHCP server. Static: Enables you to manually assign an IP address to the VLAN. If you select this option, you must specify a static IP address, Mask, and Gateway. None: Specifies that this VLAN has no IP address, so that you can use the VLAN for a VSC ingress mapping. 6. Enable NAT support if required. (Available only if addressing is DHCP client or Static.) By default NAT is disabled. See Network address translation (NAT) on page 3-30. 7. Select Save. 7-5 Working with VLANs User-assigned VLANs User-assigned VLANs VLANs can be assigned on a per-user basis using attributes defined in a user’s RADIUS account, or via VLAN definitions in a local user account profile. These user-assigned VLANs are also called dynamic VLANs because they are applied dynamically after a user is authenticated and override the static definitions on VSCs or VSC bindings. For a complete description on how VLANs affect traffic flow, see Traffic flow for wireless users on page 7-6. VLAN assignment via RADIUS To define a VLAN in a user’s RADIUS account, you need to set the RADIUS attributes TunnelMedium-Type, Tunnel-Private-Group-ID, and Tunnel-Type. The Tunnel-Private-Group-ID attribute should be set to the name of the VLAN. A VLAN number can also be specified, but this not recommended. See the Access Accept section under User attribute definitions on page 15-20 for more information on these attributes. VLAN assignment via the local user accounts VLANs can be assigned on a per-user basis by configuring a user account profile with the appropriate VLAN number. See Defining a user account on page 10-30 and Defining account profiles on page 10-32. Traffic flow for wireless users Due to the large number of features that can make use of VLANs, and the way in which these features interact, VLAN settings at different points in the configuration can affect traffic flow for wireless users in different ways. The following tables provide an overview of all possible configuration settings and how they affect data flow. The tables are organized according to the type of VSC that is being bound to an AP. 7-6 Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility disabled User-assigned VLAN is assigned via RADIUS or local user accounts VSC type Accesscontrolled Egress network in VSC binding Client data tunnel Defined Not defined User-assigned VLAN is not assigned via RADIUS or local user accounts User-assigned VLAN exists on AP or controller Active The Egress network setting in the VSC binding is ignored. Traffic is sent to the controller in the client data tunnel. It exits the controller on the egress mapping defined on the appropriate VSC. The Egress network setting in the VSC binding is ignored. Traffic is sent to the controller in the client data tunnel. It exits the controller on the user-assigned VLAN, which overrides any egress mapping defined on the controller’s VSC. Disabled Traffic is sent on the AP Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. The Egress network VLAN must match the ingress VLAN on the bound VSC (or be altered by a switch between the AP and the controller to do so) otherwise traffic from the AP will not reach the controller. Traffic exits the controller on the egress mapping defined on the appropriate VSC. Traffic is sent on the AP Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. The Egress network VLAN must match the ingress VLAN on the bound VSC (or be altered by a switch between the AP and the controller to do so) otherwise traffic from the AP will not reach the controller. Traffic exits the controller on the user-assigned VLAN, which overrides any egress mapping defined on the controller’s VSC. Active Traffic is sent to the controller in the client data tunnel and is mapped to a VSC on the controller by SSID. It exits the controller on the egress mapping defined on the appropriate VSC. Traffic is sent to the controller in the client data tunnel and is mapped to a VSC on the controller by SSID. It exits the controller on the user-assigned VLAN, which overrides any egress mapping defined on the controller’s VSC. Traffic is sent to the controller in the client data tunnel and is mapped to a VSC on the controller by SSID. It exits the controller on the egress mapping defined on the appropriate VSC. Disabled Traffic is sent to the controller untagged via the AP Ethernet port and is mapped to a VSC on the controller by SSID. It exits the controller on the egress mapping defined on the appropriate VSC. Traffic is sent to the controller untagged via the AP Ethernet port and is mapped to a VSC on the controller by SSID. It exits the controller on the userassigned VLAN, which overrides any egress mapping defined on the controller’s VSC. Traffic is sent to the controller untagged via the AP Ethernet port and is mapped to a VSC on the controller by SSID. It exits the controller on the egress mapping defined on the appropriate VSC. User-assigned VLAN does not exist on AP or controller VLAN ID VLAN name User traffic will never reach its destination because the userassigned VLAN does not match any VLAN IDs defined on the AP or controller. The Egress network setting in the VSC binding is ignored. Traffic is sent to the controller in the client data tunnel. It exits the controller on the egress mapping defined on the appropriate VSC. Traffic is sent on the AP Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. The Egress network VLAN must match the ingress VLAN on the bound VSC (or be altered by a switch between the AP and the controller to do so) otherwise traffic from the AP will not reach the controller. Traffic exits the controller on the egress mapping defined on the appropriate VSC. 7-7 Working with VLANs Traffic flow for wireless users User-assigned VLAN is assigned via RADIUS or local user accounts VSC type Nonaccesscontrolled Egress network in VSC binding Client data tunnel User-assigned VLAN is not assigned via RADIUS or local user accounts User-assigned VLAN does not exist on AP or controller User-assigned VLAN exists on AP or controller VLAN ID Defined Does not apply. Traffic is sent on the AP Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. The Egress network setting in the VSC binding is ignored. Traffic is sent on the AP Ethernet port tagged with the user-assigned VLAN. Not defined Does not apply. Traffic is sent on the AP Ethernet port untagged. Traffic is sent on the AP Ethernet port tagged with the user-assigned VLAN. VLAN name The user is disconnected. Binding to a VSC that has Wireless mobility and Mobility traffic manager enabled User-assigned VLAN is assigned via RADIUS or local user account Egress network in VSC binding User-assigned VLAN is not assigned via RADIUS or local user accounts User-assigned VLAN exists in the mobility domain VLAN ID VLAN name VLAN ID VLAN name Defined Assign the Egress network defined in the VSC binding as the user’s home network. The Egress network setting in the VSC binding is ignored. The first network that is found with the same VLAN ID specified in the userassigned VLAN is assigned as the user’s home network. The Egress network setting in the VSC binding is ignored. The VLAN name contained in the userassigned VLAN is assigned as the user’s home network. Use the fallback setting defined by the VSC option If no matching network is assigned (either block user or consider the user at home). The AP blocks the user from accessing the network. Not defined Use the fallback setting defined by the VSC option If no matching network is assigned (either block user or consider the user at home). The first network that is found with the same VLAN ID specified in the userassigned VLAN, is assigned as the user’s home network. The VLAN name contained in the userassigned VLAN is assigned as the user’s home network. 7-8 User-assigned VLAN does not exist in the mobility domain Working with VLANs Traffic flow for wireless users Binding to a VSC that has Wireless mobility and Subnet-based mobility enabled User-assigned VLAN is assigned via RADIUS or local user account Egress network in VSC binding User-assigned VLAN is not assigned via RADIUS or local user accounts User-assigned VLAN does not exist in the mobility domain User-assigned VLAN exists in the mobility domain VLAN ID VLAN name The user is disconnected. Defined. The IP address of the user is compared against the list of home subnets defined for the AP to determine if the user is at home or roaming. If the user is at home, traffic is sent on the AP Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. If the user is roaming, traffic is tunneled to the users home subnet within the mobility domain, where it egresses tagged with the VLAN specified by the Egress network in the VSC binding. The IP address of the user and the VLAN ID are compared against the list of home subnets defined for the AP to determine if the user is at home or roaming. (Both the IP and VLAN must match the home subnet.) If the user is at home, traffic is sent on the AP Ethernet port tagged with the userassigned VLAN. The Egress network in the VSC binding is ignored. If the user is roaming, traffic is tunneled to the users home network within the mobility domain, where it will egress tagged with the user-assigned VLAN. The Egress network setting in the VSC binding is is ignored. User is considered to be at home and traffic is sent on the AP's Ethernet port tagged with the userassigned VLAN. Not defined. The IP address of the user is compared to the IP address of the AP’s Ethernet port to determine if the user is at home or roaming. If the user is at home, traffic is sent on the AP Ethernet port untagged. If the user is roaming, traffic is tunneled to the users home network within the mobility domain, where it will egress untagged. The IP address of the user and the VLAN ID are compared against the list of home subnets defined for the AP to determine if the user is at home or roaming. (Both the IP and VLAN must match the home subnet.) If the user is at home, traffic is sent on the AP Ethernet port tagged with the userassigned VLAN. If the user is roaming, traffic is tunneled to the users home network within the mobility domain, where it will egress tagged with the user-assigned VLAN. User is considered to be at home and traffic is sent on the AP's ethernet port tagged with the userassigned VLAN. 7-9 Working with VLANs Traffic flow examples Terms used in the tables Egress network in VSC binding: This column refers to the Egress network option that can be configured when an AP group is bound to a VSC. The egress network can be used to assign a specific VLAN. How this VLAN is applied to the routing of traffic is illustrated by the tables. Client data tunnel: The client data tunnel can be used by an AP to transport wireless user traffic to the controller. The client data tunnel is automatically used if the network path between an AP and the controller traverses a router. In the case where the AP is on the same layer 2 subnet as the controller, the client data tunnel is not automatically used, but can be manually activated by enabling the Always tunnel client traffic option on the VSC configuration page. Available on access-controlled VSCs only. User-assigned VLAN is not assigned via RADIUS or local user accounts: This column indicates what happens when a user-assigned VLAN attribute is not assigned via RADIUS or via a local user account or account profile. User-assigned VLAN exists in the mobility domain: This column indicates what happens when a user-assigned VLAN attribute is assigned via RADIUS or via a local user account or account profile, and if that VLAN (or network) is defined within the mobility domain. In some cases the behavior is different if the VLAN attribute specifies a network profile name or an actual VLAN ID (number). User-assigned VLAN does not exist in the mobility domain: This column indicates what happens when a user-assigned VLAN attribute is assigned via RADIUS or via a local user account or account profile, and if that VLAN (or network) is not defined within the mobility domain. In some cases the behavior is different if the VLAN attribute specifies a network profile name or an actual VLAN ID (number). Traffic flow examples The following examples illustrate some typical VLAN scenarios using the information from the tables in section Traffic flow for wireless users on page 7-6. To help cross-reference with the tables, all configuration settings are shown using the headings and descriptions from the tables. Example 1: Overriding the VSC egress on a controller with a user-assigned VLAN This example illustrates how a user-assigned VLAN can override a VSC egress setting on the controller. Configuration summary 7-10 APs are bound to a VSC that has Wireless mobility disabled VSC type: Access controlled Working with VLANs Traffic flow examples Egress network in VSC binding: Defined VLAN = 10 Client data tunnel: Disabled User-assigned VLAN is assigned via RADIUS or local user accounts: Assigned VLAN = 30 User-assigned VLAN exists on AP or controller: VLAN 30 is defined on the controller’s Internet port Result: Traffic is sent on the APs Ethernet port tagged with the VLAN specified by the Egress network in the VSC binding. The Egress network VLAN must match the ingress VLAN on the bound VSC (or be altered by a switch between the AP and the controller to do so) otherwise traffic from the AP will not reach the controller. Because the is a nonaccess controlled VSC, the user-assigned VLAN applies only on the controller. Therefore, user traffic exits the controller on the user-assigned VLAN, which overrides the VSC egress mapping (no VLAN) defined for the VSC Guest. Au User traffic ation traff ic ntic the nt tr e a ffic m age an M ort net P Inter LAN 1 Port Switc Port h AP User US RADvIer r Se A User A Notebook -SSID=Guest roller Cont te Privaork w t e n 30) (VLAN Untagged VSC binding -VSC=Guest -Egress network=10 Private network Controller AP VLAN=10 Untagged VSC Guest -VSC ingress=VLAN 10 -VSC egress=No VLAN -WPA via RADIUS VLAN=30 User gains access to resources on the private network. Untagged RADIUS server Management -Default settings Untagged Management -Default settings User A -VLAN=30 In this example, the egress network in the AP’s VSC binding is set to 10. The AP sends user wireless traffic to the controller on VLAN 10. This traffic is picked up by the controller’s VSC with ingress set to 10. A VLAN of 30 is assigned to the user via their RADIUS account, which overrides the egress setting for the VSC on the controller. As a result, the user’s traffic exits the controller on VLAN 30, which is mapped to the controller’s Internet port. 7-11 Working with VLANs Traffic flow examples Example 2: Overriding the egress network in a VSC binding with a user-assigned VLAN In this scenario, a non-access-controller VSC is used to illustrate how a user-assigned VLAN can override the egress network defined for a VSC binding. Configuration summary 7-12 APs are bound to a VSC that has Wireless mobility disabled VSC type: Non-access-controlled Egress network in VSC binding: Defined VLAN = 10 Client data tunnel: Disabled User-assigned VLAN is assigned via RADIUS or local user accounts: No VLAN is assigned to User A. A VLAN of 20 is assign to User B. User-assigned VLAN exists on AP or controller: Not applicable Result: User A: The Egress network setting in the VSC binding is used. Traffic is sent on the APs Ethernet port tagged with VLAN 10. User B: The Egress network setting in the VSC binding is ignored. Traffic is sent on the APs Ethernet port tagged with the user-assigned VLAN (20). Working with VLANs Traffic flow examples Au User B traffic User A traffic ation traff ic ntic the nt tr e a f m fic age an M LAN User 1 Port A Switc Port roller Cont h US RADvIer Ser AP User B User A Notebook -SSID=Guest ork 1 Netw 10) (VLAN ork 2 Netw 20) N (VLA Network 1 AP Untagged VSC binding -VSC=Guest -Egress network=VLAN 10 User B VLAN=10 User gains access to resources on network 1. Network 2 User gains access to resources on network 2. VLAN=20 Notebook -SSID=Guest Controller Untagged Management -Default settings Untagged VSC: Guest -VSC ingress=SSID (Guest) -WPA via RADIUS Untagged Management -Default settings RADIUS server Untagged User B -VLAN=20 In this example, the AP is bound to an non-access-controlled VSC. User A illustrates default behavior. User B illustrates how to override the default behavior with an user-assigned VLAN. User A does not have a VLAN assigned via RADIUS, so traffic from this user exits the AP’s Ethernet port on the egress network (VLAN 10) defined in the VSC binding, allowing it to reach the network 1. User B has a VLAN of 20 assigned via their RADIUS account, which overrides the egress network defined in the VSC binding. As a result, traffic from User B is sent on the AP’s Ethernet port tagged with VLAN 30, allowing it to reach the network 2. 7-13 Working with VLANs Traffic flow examples 7-14 Chapter 8: Controller teaming 8 Controller teaming Contents Key concepts.................................................................................................................8-2 Centralized configuration management .............................................................8-2 Centralized monitoring and operation................................................................8-2 Redundancy and failover support .......................................................................8-3 Scalability ...............................................................................................................8-3 Deployment considerations .................................................................................8-3 Limitations..............................................................................................................8-5 Creating a team.............................................................................................................8-5 Configuration example .........................................................................................8-6 Controller discovery ..................................................................................................8-10 Monitoring the discovery process .....................................................................8-11 Viewing all discovered controllers ....................................................................8-14 Viewing all team members ........................................................................................8-16 Team configuration ....................................................................................................8-17 Accessing the team manager..............................................................................8-18 Team configuration options ...............................................................................8-18 Removing a controller from a team ..................................................................8-19 Editing team member settings ...........................................................................8-20 Discovery of a controller team by controlled APs .................................................8-22 Failover........................................................................................................................8-22 Supporting N + N redundancy ...........................................................................8-22 Primary team manager failure ...........................................................................8-24 Mobility support .........................................................................................................8-26 Single controller team operating alone.............................................................8-27 Single controller team operating with non-teamed controllers.....................8-28 Multiple teamed and non-teamed controllers..................................................8-29 Controller teaming Key concepts Key concepts Controller teaming enables you to easily configure and monitor multiple controllers and their access points, providing the following key benefits: centralized management and monitoring, service scalability, and redundancy in case of controller failure. Up to five controllers can be combined into a team enabling support for up to 800 APs (four controllers x 200 APs per controller plus one additional controller for backup/redundancy). For example: Controller team 5 Team manager sends configuration settings to all team members. 4 In this example, all controllers are connected to the network via their LAN ports. The Internet port can also be used. 3 Team members then update the APs that they are managing. 2 Team manager Controlled APs deployed across a layer 3 network 1 Router Centralized configuration management Each controller that is part of a team is called a team member. To centralize management and control of the team, one controller is designated as the team manager. Configuration and monitoring of team members and their APs is performed on the team manager using its management tool. For more information, see Team configuration on page 8-17. Team IP address To simplify access to the management tool on the team manager, an IP address is assigned to the team. This is called the team IP address. This address is independent of the address assigned to the manager’s LAN or Internet ports, and can therefore be transferred to another controller if the manager is unavailable and another team member must take over as manager. Firmware updates The team manager is responsible for enforcing and updating the firmware of team members. An update to the team manager firmware triggers an update of all members and their controlled APs, ensuring that the entire network is running the same firmware. The synchronization of firmware between controllers and APs alleviates any potential issue regarding compatibility. Centralized monitoring and operation The team manager is responsible for handling the addition and deletion of controlled APs, including newly discovered APs. It also displays status information for all team members and their APs, as well as APs directly connected to the manager. For more information, see Viewing all team members on page 8-16. 8-2 Controller teaming Key concepts Redundancy and failover support The team provides for service redundancy in case of failure. If one of the controllers in a team becomes inoperative (due to network problems, hardware failure, etc.), its APs will automatically migrate to another controller in the team allowing for continuation of services. For this to work, sufficient capacity must be available on the remaining controllers in the team to support the APs from the inoperative controller. For more information see, Failover on page 8-22. Important When a controller becomes inoperative and failover occurs, all services provided by the controller are temporarily interrupted. Once failover is complete and services return, users that were connected to an access-controlled VSC must login again. Scalability Controller teaming enables you to scale up your wireless network as your needs increase. Simply add additional APs, controllers, and licenses to meet the required demand. Up to 800 APs are supported per team in its maximum configuration (four controllers x 200 APs per controller plus one additional controller for backup/redundancy). Deployment considerations Controllers/APs Teaming is only supported on the MSM760 and MSM765 controllers. A controller can only be a member of one team at a time. Controllers must be the same model type as the team manager. Up to five controllers can be combined into a team supporting up to 800 APs (four controllers x 200 APs per controller + one controller reserved for backup purposes). Licensing MSM760 Controllers must have the Premium license installed to support teaming. (Licenses must be installed individually on each controller that is part of the team.) MSM765 Controllers come with this license preinstalled. You must install enough AP licenses to support all the APs you intend to manage with the team. When teaming is enabled, AP licenses are pooled across all controllers. See Failover on page 8-22 for more information on how AP licenses are managed. Networking The LAN and Internet ports on all team members must be configured with the same networking options (subnet, VLAN, etc.). For example, if you configure the LAN port on the manager to be on the 192.168.1.0 subnet, then all other team members must have their LAN ports on the same subnet. The LAN port and Internet port cannot be on the same subnet. 8-3 Controller teaming Key concepts IMPORTANT: All team members must have an IP address assigned to their LAN port. This must be done even if the LAN port is not connected or not used in your setup. The DHCP server feature is not supported when controller teaming is active, therefore an external DHCP server needs to be installed to support dynamic addresses assignment to controlled APs and their users. APs do not have to be located on the same subnet as the team, but can be connected to the team via an L3 network. However, all APs must reach the team on the same interface (port, VLAN, etc.). If the APs are provisioned for controller discovery, than the APs must be provisioned to discover all controllers in the team, not just the team manager, otherwise failover is not supported. Multiple teams can be installed on the same subnet. To successfully support controller teaming, the network that connects the controllers must not block TCP port 4999 and UDP ports 4999, 38215, 51936. The networking settings on each controller must match. If a VLAN is configured on the Internet port of one controller, it is automatically configured on the Internet port of every other team member. The switch ports to which controllers are connected must be configured identically. Public access Customization of the public access interface web content should be done via attributes retrieved from a third-party RADIUS server. If RADIUS is not available, you must manually configure each controller in the team with matching settings. Payment services are not supported. Users Wired users are only supported via the MSM317 switch ports. Wired users cannot connect directly to a team via the LAN or Internet ports. The local user accounts do not support subscription plans when teaming is enabled. Accounting persistence is not supported. Firmware 8-4 When a controller becomes a member of a team, its firmware and configuration will be updated by the team manager. This means that almost all configuration settings on the controller will be lost, including any VSC definitions. You can keep a record of the settings on the controller by backing up its configuration before enabling teaming. Controller teaming Creating a team Limitations The following features are not supported when teaming is enabled: DHCP server Billing records L2TP server PPTP server Ingress VLAN on a VSC and untagged traffic on the LAN port (All APs use the client data tunnel to send traffic to the team.) PPTP client Wired client connected to the LAN port on a controller Subscription plans sFlow Payment services LLDP dynamic naming Accounting persistence Creating a team The following list is an overview of the key steps you need to execute when creating a controller team. The Configuration example on page 8-6 shows how to apply these steps to actually create a team. Configure connectivity: Configure each controller that will be part of the team with a static IP address on the same subnet. Make sure to define a DNS server and default gateway on each controller. Configure DHCP services: Configure a third-party DHCP server to handle address assignment for APs and wireless users. (The DHCP server feature on all team members is automatically disabled when the teaming is enabled.) In addition, you may need to enable DHCP relay on the team, depending on your network topology, to forward DHCP requests to the third-party DHCP server Install licenses: Install the Premium licenses on each controller and the required number of AP licenses. (MSM765 controllers come with the Premium license preinstalled.) AP licenses are pooled when controllers are teamed. For more information, see Failover on page 8-22. Configure the team: Enable teaming on each controller by selecting Controller >> Management > Teaming. On the controller that will act as the team manager, set the Team name and Team IP address. Authorize discovered controllers: The first time that a controller is discovered by the team manager, it must be manually authorized by an administrator (unless the controller was manually added to the team). To authorize a discovered controller, select Controllers >> Overview > Discovered controllers and select Authorize in the Action column. 8-5 Controller teaming Creating a team Install APs: Connect all APs. The APs will automatically discover the team (if on the same subnet) and be synchronized with the firmware and configuration settings on the manager. If APs are installed on a different subnet than the controller, their discovery settings may need to be provisioned for them to successfully discovery the team. About the team IP address Once a team is operational, you should always use the team IP address to reach the management tool on the team manager, and not the physical address assigned to the manager. In case of failover, the team IP address will be assigned to the interim manager. This way, you will always be able to configure the team. Important notes about the team IP address. The team IP address cannot be used when provisioning AP for discovery. AP must be provisioned with the actual IP addresses assigned to each team member. When configuring RTLS, the team IP address should be used. See AeroScout RTLS on page 6-40. When mobility discovery is configured, the team IP address should be used to identify the controller team. See Mobility support on page 8-26. Configuration example The following example illustrates the team creation process in detail using a simple topology featuring three teamed controllers and four APs. The topology for this example looks like this: Controller 1 Team Manager Controller 2 Team Member Controller 3 Team Member DHCP server on subnet 192.168.1.0 1.10 LAN port Team IP= 1.99 LAN port LAN port 1.11 1.12 1.13 1.1 Management station Connected to management tool on stack manager at IP address 1.99. AP 1 WLA N 1.21 AP 2 1.22 WLA N AP 3 WLA N 1.23 AP 4 1.24 WLA N Controlled APs The controllers are connected to the network (192.168.1.0) via their LAN ports. Static addressing is used on each port. The APs are also connected to the 192.168.1.0 network. Address assignment for the APs and all wireless users is provided by the DHCP server at 192.168.1.1. 8-6 Controller teaming Creating a team Configure connectivity and licenses on each controller Use the management station to connect to each controller in turn and do the following: 1. Select Controller >> Maintenance > Licenses. Install the Premium license and any required AP licenses. For information on how to install licenses, see Licenses on page 20-6. 2. Select Controller >> Network > Ports. 3. Select LAN port. Set the static IP address as shown in the diagram. Configure the team On controller 2 and controller 3, do the following: 1. Select Controller >> Management > Teaming. 2. Select the Controller teaming checkbox. 3. Under Connectivity, set Communicate using to LAN port. 4. Select Save. 5. The Network Tree will no longer be visible. The Summary box will show Teaming with a blinking gray status light. This indicates that the controller is searching for a team. Once the controller successfully joins a team, the status light turns green. On controller 1, do the following: 1. Select Controller >> Management > Teaming. 8-7 Controller teaming Creating a team 2. Select the Controller teaming checkbox. 3. Under Connectivity, set Communicate using to LAN port. 4. Select the Team manager checkbox, and configure the following settings under it: Set Team name to a name that identifies the team. This example uses 1st Floor. The team name provides a convenient way to identify a team. Set Team IP address to the virtual IP address that will be used to provide access to the team manager. This example uses the address 192.168.1.99. Set Mask to 255.255.255.0. Note: If the Team IP address is on the same subnet as the physical address assigned to the selected Interface, then you must set Mask to match the IP mask set on the physical interface. This applies even if the physical interface is set to act as a DHCP client. Set Interface to LAN port. This makes the Team IP address available on the LAN port. 5. Select Save. 6. Controller 2 and 3 will now attempt to discover the manager. Monitor the Summary box until you see two Unauthorized controllers in the list. Indicates that the manager is synchronized. Shows that two new APs have been discovered. Indicates that manager and the two new APs were detected. Indicates that the manager is configured. 8-8 Controller teaming Creating a team 7. Under Network Tree, select Controllers to view more detailed information about the discovery process. The two new controllers should be listed in red. Select Authorize in the Action column for each controller. 8. The manager will now attempt to authorize and synchronize controllers 2 and 3. Once synchronized, their status will change to green. For more information on summary states and the network tree, see Monitoring the discovery process on page 8-11. Once all members are synchronized, the team is ready for further configuration. See Team configuration on page 8-17 for details. 8-9 Controller teaming Controller discovery Controller discovery The following is an overview of key events that occur when a controller attempts to discover and join a team for the first time. Manager Controller The team manager receives a discovery request. The controller sends a discovery request onto the local network. If this is the first time that the controller is discovered by the team, the controller must be manually authorized by an administrator before it can join the team and become an active member. The manager sends a discovery reply. The controller receives the discovery reply. If more than one reply is received, the controller chooses the manager that replied first. The manager adds the controller to the team. The controller joins the team associated with the selected manager. If controller has software that is out of date, the manager tells the controller to update its software. The controller retrieves new software from the manager, installs it, and then restarts. Discovery is performed again. The manager accepts the secure management tunnel. Once the manager has been discovered, the controller establishes a secure management tunnel with the manager. 8-10 Controller teaming Controller discovery Manager The manager updates the controller’s configuration. Controller The controller receives new configuration settings. Once this is done, the controller will always attempt to discover this team manager and will not join any other teams until it is manually removed from this team. The controller is now an active member of the team. Any APs managed by the controller are automatically updated with the settings on the manager. Monitoring the discovery process The Summary box and Network Tree on the team manager provide an overview of the discovery process. Summary box The summary box provides an overview of the status of controllers and controlled APs. Teaming light This light indicates how the team is being managed. Green: This controller is the primary team manager. Yellow: The primary team manager has become inoperative and an interim team manager has taken over. For details, see Failover on page 8-22 8-11 Controller teaming Controller discovery Controllers This section shows the number of controllers that are active in each management state. A controller may be active in more than one state at the same time. For example, a controller may be both Detected and Synchronized. Select the state name to display information about all controllers in that state. Configured: These controllers are configured as part of the team. Synchronized: These controllers had their software and configuration settings successfully updated by the team manager and are fully operational. Unsynchronized: This can occur if the primary manager becomes non-functional during the synchronization process leaving one or more team members with partially updated configurations. When the interim manager takes over, it cannot update these controllers. Therefore, the solution is to promote the interim manager to become the primary manager. It can fully synchronize the configuration settings on all controllers. Pending: An action is in progress. For example, firmware or configuration may be uploading to the controller or the controller is restarting. Unresponding: These controllers have stopped sending management information to the manager. Rediscovery may re-establish the connection. If not, a network failure may have occurred or the controllers may be inoperative. Unauthorized: These controllers have not yet been authorized to join the team. Authorization must be performed manually by an administrator by selecting Controllers >> Overview > Discovered controllers and then selecting Authorize in the Action column. Unconfigurable: These controllers cannot be added because the team already has the maximum number of supported members. To add these controllers you must first remove one or more team members by selecting Controllers >> Overview > Team members, then selecting the name of the controller you want to delete and then selecting Delete. Detected: These controllers have sent a discovery request to the team manager and the team manager has replied. Configured: These controllers are members of the team. They may have been automatically discovered or manually added. Controlled APs This section lists the number of controlled APs discovered by the team. APs are grouped according to their management state. For a complete description of all management states, see Monitoring the discovery process on page 6-13. 8-12 Controller teaming Controller discovery Network Tree The network tree provides access to configuration options for the team. And shows a status light for each controller. Team: team name Select Team: [name] to access configuration items that apply to all members of the team and their controlled APs. Configure these options using the main menu in the right pane. VSC Select the VSCs node to manage the virtual service communities that are defined on the team. Once you define a VSC it is automatically synchronized on all member controllers, and can be assigned (bound) to one or more controlled APs. Status lights A status is light is displayed for each VSC. Green: Indicates that the VSC is properly configured. Red: Indicates that the VSC has a configuration problem. Once you define a VSC it is automatically active on the controller. Controllers This section lists all controllers that are members of the team. Team members are controllers that fall into one of the following categories: The controller was discovered on the network, authorized by an administrator, and successfully joined the team at least once. or The controller was manually added to the team by selecting Add New Controller on the Overview > Configured controllers page. Each controller is identified by a name (which is initially set to the controller’s serial number for discovered controllers). Select a controller’s name to access configuration items that are specific to the controller. These configuration items are presented in the main menu in the right pane. 8-13 Controller teaming Controller discovery Status lights Controllers that are part of the team are listed under Controllers in the Network Tree. The status lights provide an indication of their state as follows: Green: The controller has joined the team and its configuration is synchronized with the settings defined on the team manager. It is fully operational. Red: The controller is not functioning normally. Select Overview > Discovered controllers and refer to the Diagnostic column for details. Grey flashing: An action is pending. Select Overview > Discovered controllers and refer to the Action column for details. Grey solid: The controller is configured as a member of the team, but is currently not active. Viewing all discovered controllers To display information about controllers discovered by the manager, select Controllers >> Overview > Discovered controllers. The Discovered controllers page provides the following: Select the action to apply to all listed controllers: Lets you apply the selected action to all controllers in the list. Select an action and then Apply. Status lights A status light is displayed for each controller as follows: 8-14 Green: The controller has joined the team and its configuration is synchronized with the settings defined on the team manager. It is fully operational. Red: The controller is not functioning normally. Select Overview > Discovered controllers and refer to the Diagnostic column for details. Grey flashing: An action is pending. Select Overview > Discovered controllers and refer to the Action column for details. Grey solid: The controller is configured as a member of the team, but is currently not active. Controller name: Name assigned to the controller. By default, this is the controller serial number. Controller teaming Controller discovery Serial number: Unique serial number assigned to the controller at the factory. Cannot be changed. Access points: Indicates number of APs connected to the controller. Diagnostic: Indicates the status of the controller as shown in the following table. Diagnostic Description Detected The controller sent a discovery request to the team manager and the team manager has replied. Establishing tunnel A secure management connection is being established between the team manager and the controller. Firmware failure New software failed to upload to the controller. The manager will retry soon. Installing firmware New software has been successfully uploaded to the controller. The controller will restart to activate the new software. Not authorized The controller has not yet been authorized to join the team. Authorization must be performed manually by an administrator by selecting Authorize in the Action column. Not responding The controller has stopped sending management information to the team manager. Rediscovery may reestablish the connection. If not, a network failure may have occurred or the controller may be inoperative. Resetting configuration The controller configuration is being reset to factory defaults. This is normal and will occur when the software version on the manager is changed or if the controller is not synchronized. Restoring configuration The controller is currently restoring its previous configuration settings. Synchronized The controller had its software and configuration settings successfully updated by the team manager and is fully operational. Unconfigurable The controller cannot be added because the team already has the maximum number of supported members. To add the controller you must first remove one or more team members. Unsupported product The product type of the controller is not supported on this team. All controllers must have the same product type as the team manager. 8-15 Controller teaming Viewing all team members Diagnostic Description Uploading configuration Configuration settings are currently being sent to the controller. Uploading firmware The team manager is uploading new software to the controller. Wait until the operation completes. Validating capabilities The capabilities of the controller are being identified by the team manager. Validating configuration The team manager is waiting for the controller to send its configuration. Validating firmware The team manager is waiting for the controller to send its software version number. Waiting for acceptance The controller has been authorized by the team manager. However, the controller has not yet decided to join this team. (If multiple managers replied to the controller discovery request, the controller may choose to connect with another team.) Action: Indicates the recommended administrative action to be taken to resolve a diagnostic condition. Viewing all team members To display information about controllers that are members of the team, select Controllers >> Overview > Team members. Team members are controllers that fall into one of the following categories: 8-16 The controller was discovered on the network, authorized by an administrator, and successfully joined the team at least once. The controller was manually added to the team by selecting Add New Controller on the Overview > Configured controllers page. Controller teaming Team configuration Select the title of a column to sort the table according to the values in the column. The Team members page provides the following information: Number of controllers: Number of controllers that are configured as members of the team. Detected: Status light icon indicating if the controller has been discovered on the network. Green: The controller has been discovered on the network and is listed on the Overview > Discovered controllers page, where more information is provided about the controller. Red: The controller was manually added to the team, but it has never been discovered and successfully joined the team. Controller name: Name assigned to the controller. Select the name to configure controller settings. Serial number: Serial number assigned to the controller. Select the name to configure controller settings. Product: Product name of the controller. Team configuration Once a team is operational, configuration and management of VSCs and controlled APs occurs via the team manager, using the VSC and Controlled APs options in the Network Tree. Configuration of these elements is the same as during non-teamed operation. Refer to Chapter 5: Working with VSCs and Chapter 6: Working with controlled APs for more information. Configuration settings for the team members however, can occur at three different levels: Team: These are global configuration settings that are defined using the management tool on the team manager and are synchronized on all team members. Most team configuration settings fall into this category. Controller: The team manager provides a separate configuration menu for each controller in a team, including the team manager. This allows individual settings specific to a controller to be defined. Local: The management tool on each controller can also be accessed directly to define any options that are not directly configurable using the team manager. For example, some connectivity settings must be defined locally on each controller. 8-17 Controller teaming Team configuration Accessing the team manager To reach the management tool on the team manager, you should always point your browser to the team IP address, and not the physical address assigned to the manager. In case of failover, the team IP address will be assigned to the interim manager. This way, you will always be able to configure the team. Team configuration options This section describes the configuration options available on the team manager. When you select Team in the Network Tree, the menu in the right pane presents all configuration options that are common to all team members. Any settings that you make using this menu are synchronized on all team members. The available options on this menu are identical to what you would see on a non-teamed controller, except for a few options that are not supported in teaming mode, or if supported, must be defined individually on each controller. On the team manager, these settings can be defined by selecting the manager under Controller. Settings for team members must be defined by directly accessing their management tools. The following table lists the configuration options that are affected when teaming is active. Configuration option Notes Network > Ports page The Port configuration option is not available at the team level. VLAN and GRE configuration options are available. Network > Address allocation The DHCP server option is not supported when teaming is enabled. The VPN address pool option is not supported when teaming is enabled. 8-18 Security > Certificate stores Not available at the team level. Security > Certificate usage Not available at the team level. VPN > IPSec Not available at the team level. VPN > L2TP server Not supported when teaming is enabled. VPN > PPTP server Not supported when teaming is enabled. VPN > PPTP client Not supported when teaming is enabled. Authentication > Active Directory The General and Join options are not available at the team level. Controller teaming Team configuration Configuration option Notes Public Access > Web content The Site file archive, FTP server, and Current site files options are not available at the team level. Public Access > Attributes New attributes cannot be added to the Configured attributes table at the team level. Users > Subscription plans Feature not supported when teaming is enabled. Users > Accounting persistence Feature not supported when teaming is enabled. Management > Teaming Not available at the team level. Status Not available at the team level. Tools > IPSec Not available at the team level. Tools > System tools Not available at the team level. Tools > Network trace Not available at the team level. Tools > sFlow Not supported when teaming is enabled. Maintenance > Registration Not available at the team level. Maintenance > Licenses Not available at the team level. Removing a controller from a team To remove a controller from a team, do the following: Remove the controller from the team 1. Under Controllers, select a team member. 2. In the right pane, select Device management. 3. Select Delete. 8-19 Controller teaming Team configuration 4. Select Save. Disable teaming on the controller 1. Open the management tool directly on the controller. 2. Select Management > Teaming. 3. Disable the Controller teaming option. 4. Select Save. Editing team member settings To change settings for a team member: 1. Under Controllers, select a team member. 2. In the right pane, select Device management. 3. Change settings as required. Note that the Ethernet base MAC address cannot be changed. To change the MAC address you must delete the controller and then add it again. 8-20 Controller teaming Team configuration 4. Select Save. Manually adding a controller to a team Instead of using the automatic discovery to find controllers and add controllers to the team, you can manually preconfigure one or more controllers as team members. The main advantages of doing this is that manually added controllers do not have to be manually authorized the first time they are discovered. Instead, they automatically become active team members. To manually add a controller: 1. Select Controllers >> Overview > Team members. 2. Select Add. 3. Define settings as follows: Controller name: Specify a name to identify the controller. Ethernet base MAC: Displays the MAC address of the controller. This value cannot be changed once the controller information is saved. Product: Select the product type of the controller. Contact: Specify contact information for the controller. Location: Specify the location where the controller is installed. 8-21 Controller teaming Discovery of a controller team by controlled APs 4. Select Save. 5. The new controller will appear in the team members list with a red status light until it is discovered on the network. Discovery of a controller team by controlled APs For a complete discussion of controller discovery, see Discovery of controllers by controlled APs. Failover During normal operation, the team manager and team members are in continuous contact to ensure the integrity of the team. This allows for quick detection of an inoperative or unreachable team member, and implementation of failover procedures to ensure continuity of network services. Note When a team member becomes inoperative and failover occurs, all services provided by the failed controller are temporarily interrupted. Once failover is complete and services return, users that were connected to an access-controlled VSC on this controller must login again. Supporting N + N redundancy A controller team can be configured to provide different levels of redundancy, from N + 1 up to N + 3. Use the following formula to calculate the number of team members you will need based on the number of APs that you want to deploy and the required level of redundancy. Required team members = ( APs / 200 ) + Redundancy_level (If there is a remainder after performing the division, round up.) 8-22 Controller teaming Failover Where: APs is the total number of APs you want to deploy. You must buy one license for each controlled AP. Although licenses are installed on individual team members, licenses are pooled across the entire team and are automatically re-allocated when a team member becomes inoperative. Redundancy_level: This is the number of redundant controllers that you want to support: 1, 2, or 3. For example: Number of APs you want to deploy APs / 200 Number of team members required to support redundancy N+1 N+2 N+3 120 .6 2 3 4 200 1 2 3 4 400 2 3 4 5 440 2.2 4 5 - 520 2.6 4 5 - 600 3 4 5 - 800 4 5 - - Another way to look at it is as follows: Number of team members Note Maximum AP licences that can be installed Maximum APs you can deploy to ensure redundancy N+1 N+2 N +3 2 400 200 - - 3 600 400 200 - 4 800 600 400 200 5 800 800 600 400 A team supports a maximum of 800 APs and 5 team members. 8-23 Controller teaming Failover Primary team manager failure The controller that is designated as the team manager on the Controllers > [teammanager] >> Management > Teaming page is called the primary team manager. If the primary team manager becomes inoperative, an interim team manager is automatically selected by the existing team members. The interim manager assumes the team IP address and all management functions until the primary team manager returns, with the following limitation: the interim manager cannot modify the configuration or update the firmware for members. This is done to avoid the situation where configuration changes made by interim manager are undone by the primary manager when it comes back online. When an interim manager is active, the Teaming status light in the Summary box will be yellow. All configurable settings on the menus in the right pane will be grayed out. Status information however, will be visible. Replacing the team manager If the primary team manager has failed and will not be returning, you can promote the interim manager to primary so that configuration options will be available. Important Once you promote the interim manager to primary manager, you cannot return the old team manager to the team without changing its configuration so that it becomes a team member. Only one manager is supported per team. 1. Under Controllers, select the team manager (which is now the interim manager). 2. In the right pane, select Management > Teaming. 8-24 Controller teaming Failover 3. Enable the Team manager option. The settings for this option should already be defined with the values that were set on the primary team manager. 4. Select Save. 8-25 Controller teaming Mobility support Mobility support Mobility support when controller teaming is active is very similar to mobility support on nonteamed controllers. This section discusses the differences and configuration issues involved. For an explanation of mobility concepts used in this section, see Chapter 9: Mobility traffic manager on page 9-1. The key benefit of using a team to provide a mobility solution is support for failover if the primary mobility controller becomes inoperative. The following diagram shows two identical setups, except that one is a team and the other is independent controllers. Controller team Primary mobility controller Primary mobility controller 2 1 L3 switch 1 WLA N Independent controllers 2 1 L3 switch 2 WLA N 1 WLA N 2 WLA N In the controller team, the primary mobility controller is also the team manager. If the team manager becomes inoperable, then controller 2 is automatically promoted to become the interim manager and assumes the role of primary mobility controller as well. If the primary mobility controller fails in the independent controllers setup, mobility services are interrupted until you manually reconfigure controller 2 as the primary mobility controller. 8-26 Controller teaming Mobility support Single controller team operating alone If you have a single controller team, the mobility domain is automatically created when you do the following: 1. Start the management tool on the team manager by pointing your browser to the team IP address. 2. Select Team: [name] >> Management > Device discovery. 3. Select Mobility controller discovery. 4. Select This is the primary mobility controller. 5. Select Save. You can now configure mobility options, such as home networks, as explained in Chapter 9: Mobility traffic manager. 8-27 Controller teaming Mobility support Single controller team operating with non-teamed controllers In this type of setup, the team is configured as the primary mobility controller and the nonteamed controllers set the IP address of primary controller parameter to the team IP address. (In this scenario, the team IP address is defined on the LAN port of the team manager.) Controller team Independent controllers Primary mobility controller 2 1 Team IP = 192.168.1.99 1.1 4 3 1.2 3.1 4.1 L3 switch Controlled APs Configure the team 1. Start the management tool on the team manager by pointing your browser to the team IP address. 2. Select Team: [name] >> Management > Device discovery. 3. Select Mobility controller discovery. 4. Select This is the primary mobility controller. 8-28 Controller teaming Mobility support 5. Select Save. Configure controller #3 and #4 1. Start the management tool each independent controller by pointing your browser to appropriate IP address. 2. Select Management > Device discovery. 3. Select Mobility controller discovery. 4. Set IP address of the primary mobility controller to 192.168.1.99. 5. Select Save. You can now configure wireless mobility options, as explained in Chapter 9: Mobility traffic manager. Multiple teamed and non-teamed controllers If you have multiple teams with or without multiple non-teamed controllers, mobility support is configured as follows: Choose one team as the primary mobility controller. On all other teams/non-teamed controllers set the IP address of primary mobility controller parameter to the team IP address of the primary mobility controller. 8-29 Controller teaming Mobility support 8-30 Chapter 9: Mobility traffic manager 9 Mobility traffic manager Contents Key concepts.................................................................................................................9-4 The mobility domain .............................................................................................9-6 Home networks......................................................................................................9-7 Local networks ......................................................................................................9-8 Configuring Mobility Traffic Manager .......................................................................9-9 Defining the mobility domain ..............................................................................9-9 Defining network profiles...................................................................................9-10 Assigning a home network to a user .................................................................9-11 Defining local networks on a controller ...........................................................9-12 Assigning local networks to an AP....................................................................9-13 Configuring the mobility settings for a VSC.....................................................9-14 Binding a VSC to an AP.......................................................................................9-15 Monitoring the mobility domain...............................................................................9-16 Controllers............................................................................................................9-16 Networks in the mobility domain......................................................................9-17 Mobility clients ....................................................................................................9-17 Forwarding table .................................................................................................9-18 Mobility client event log .....................................................................................9-19 Scenario 1: Centralizing traffic on a controller ......................................................9-21 How it works ........................................................................................................9-21 Configuration overview ......................................................................................9-21 Scenario 2: Centralized traffic on a controller with VLAN egress .......................9-24 How it works ........................................................................................................9-24 Configuration overview ......................................................................................9-24 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing ......9-28 How it works ........................................................................................................9-28 Configuration overview ......................................................................................9-28 Scenario 4: Assigning home networks on a per-user basis ...................................9-38 How it works ........................................................................................................9-38 Configuration overview ......................................................................................9-39 Scenario 5: Traffic routing using VLANs .................................................................9-44 How it works ........................................................................................................9-44 Configuration overview ......................................................................................9-45 Scenario 6: Distributing traffic using VLAN ranges ...............................................9-52 How it works ........................................................................................................9-52 Configuration overview ......................................................................................9-53 Subnet-based mobility ...............................................................................................9-60 9-2 Mobility traffic manager 9-3 Mobility traffic manager Key concepts Key concepts Note This chapter discusses how to use and configure Mobility traffic manager (MTM) with nonteamed controllers. If you are working with a controller team, most of the same information applies. Essentially, a controller team is treated the same way as a single non-teamed controller. For more information, see Mobility support on page 8-26. MTM provides for seamless roaming of wireless users, while at the same time giving you complete control over how wireless user traffic is distributed onto the wired networking infrastructure. MTM enables you to implement a wireless networking solution using both centralized and distributed strategies, allowing you to create a wireless network that is perfectly tailored to meet the needs of your users and the requirements of your network. Some of the deployment strategies that you can use with MTM include: Centralized wireless traffic: All traffic from wireless users is tunneled back to a central controller where it is egressed onto the wired infrastructure. Wireless users can be connected to any AP within the layer 3 network serviced by MTM. The following diagram shows a deployment where all wireless traffic is egressed onto a specific network segment (192.168.30.0). LAN port 192.168.1.1 Internet port 192.168.30.1 User A User B Network 1 Network 2 Network 3 192.168.10.0 192.168.20.0 192.168.30.0 1 WLA N User A 2 WLA N User B MTM can also be used to send traffic to different networks or VLANs based on criteria such as username, network location, VSC, or AP group. 9-4 Traffic distribution using home networks: A home network can be assigned to each wireless user (via RADIUS, local user accounts, or through a VSC egress). MTM can then be used to tunnel the user’s traffic to their home network, regardless of the AP to which a user connects within the mobility domain. Mobility traffic manager Key concepts The following diagram shows a deployment where the wireless traffic for each user is egressed onto a specific network segment by assigning a home network to each user. Traffic is sent to a different wired network based on the home network assigned to each user in their account profile. LAN port 192.168.1.1 Internet port 192.168.40.1 User B User A Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 192.168.40.0 2 1 WLA N WLA N User A User B Home network = Network 4 Home network = Network 3 If a user roams between APs, MTM adjusts the tunnel to maintain the user’s connection to their home network. If User A roams from AP 1 to AP2, the tunnel is rerouted to ensure that the user stays connected to their home network. LAN port 192.168.1.1 Internet port 192.168.40.1 User A Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 192.168.40.0 2 1 WLA N WLA N Roams User A User A Home network = Network 4 9-5 Mobility traffic manager Key concepts Important Automatic traffic distribution: VLAN ranges can be used to automatically spread wireless user traffic across multiple VLANs on the wired infrastructure. See Scenario 6: Distributing traffic using VLAN ranges. MTM is only available on non-access-controlled VSCs. The same VSCs must be defined on all controllers in the mobility domain, even on controllers that are not managing any APs. The mobility domain The mobility domain is an interconnection between controllers allowing for the exchange of information about wireless users and the home/local networks managed by controllers. The mobility domain can span multiple controllers and controller teams, whether they are installed on the same subnet or on different subnets, and includes all controlled APs managed by the controllers. In the following example the mobility domain spans three controllers and their APs operating on three different subnets. Primary mobility controller Mobility controller 2 1 192.168.10.0 WLA N WLA N LAN port 192.168.30.1/24 L3 switch L3 switch 2 3 LAN port 192.168.20.1/24 LAN port 192.168.10.1/24 1 Mobility controller L3 switch 192.168.20.0 3 WLA N 4 WLA N 192.168.30.0 5 WLA N 6 WLA N MTM makes use of the mobility domain to locate the home network for roaming users, or the target network when tunneling traffic to a specific network on the wired infrastructure. For each mobility domain, one controller is defined as the primary mobility controller. This controller acts as the central site for the distribution of mobility information to all other controllers. (When controller teaming is active, an entire team is defined as the primary mobility controller. See Mobility support on page 8-26.) 9-6 Mobility traffic manager Key concepts Note All controllers in the mobility domain must be running the same software version. This means that the first two numbers in the software revision must be the same. For example: All controllers running 5.4.x, or all controllers running 5.5.x. Discovery automatically takes place on both the LAN port and Internet port. VLANs are not supported. Network requirements The network that interconnects the controllers and APs that make up a mobility domain must not block any of the following ports/protocols: UDP port 1194 UDP port 12141 UDP port 3000 UDP port 3001 UDP port 3518 TCP port 5432 Internet protocol number 47 (GRE) Home networks A home network is the root network for a user within a mobility domain. The home network specifies the network on which a user’s wireless traffic is sent onto the wired infrastructure. A user’s connection is always local to their home network, regardless of where their wireless connection is made within the mobility domain. For example, if a user roams between an AP that is directly connected to their home network, to an AP on a different subnet, MTM creates a tunnel that connects the user back to their home network. When a user first connects to an AP, MTM must determine whether the user is at home (i.e., connected to the user’s home network) or roaming (connected to an AP on a different network). MTM does this by comparing the home network assigned to the user with the list of local networks associated with the AP. Note If a match is found, the user is considered to be at home and the user’s traffic is sent onto the wired network via the AP’s Ethernet port. If no match is found, MTM then tries to locate the user’s network within the mobility domain. If found, MTM creates a tunnel between the AP and the controller to carry the user’s traffic. If the network is not defined on any controller within the mobility domain, the user is blocked (or assigned to the network on which the AP discovered the controller, depending on how MTM support is configured on the VSC). Certain configuration settings on the controller may override the specific configuration settings that you define on a VSC to assign user traffic to a home network. For details, see Traffic flow for wireless users on page 7-6. 9-7 Mobility traffic manager Key concepts Example In following example, User A roams between AP # 1 and AP #2. When connected to AP #2, User A is identified as roaming and traffic is tunneled back to subnet 10.0 via controller 1 and controller 2. Primary mobility controller Mobility controller 1 2 LAN port 192.168.10.1/24 LAN port 192.168.20.1/24 Network 1 Network 2 192.168.10.0 192.168.20.0 L3 switch 10.2 20.2 2 1 WLA N User A WLA N User A roams from AP 1 to AP 2 User A Local networks In order for a wireless user’s traffic to be sent to the appropriate destination within the mobility network, local networks must be defined on controllers, and optionally APs. When a user is roaming, the path to the user’s home network cannot end at an AP. This means that each home network that is assigned to a user must be defined as the local network on at least one controller in the mobility domain. When an AP is directly connected to a user’s home network, the user’s data will only reach the wired network through the AP’s Ethernet port when the user is directly connected to the AP. When roaming, the user’s traffic is always tunneled to the controller that provides the data path to the user’s home network. In the previous example, when User A is directly connected to AP 1, traffic reaches Network 1 via the APs Ethernet port. When User A roams to AP 2, traffic reaches Network 1 via the LAN port on controller 1. 9-8 Mobility traffic manager Configuring Mobility Traffic Manager Configuring Mobility Traffic Manager MTM configuration can be separated into the following tasks: Define the mobility domain. Define network profiles. Assign home networks to users. Define local networks on controllers and APs. Configure mobility settings for each VSC. (The same VSCs must be defined on all controllers in the mobility domain, even on controllers that are not managing any APs.) Bind VSCs to the APs. Each task is described in more detail in the sections that follow. Defining the mobility domain When MTM will be used on more than one controller, or with a controller team, you must define a mobility domain. The following instructions apply to non-teamed controllers. If you are working with a controller team, see Mobility support on page 8-26. Connect to the management tool on the controller that will be the primary mobility controller, and do the following: 1. Select Controller >> Management > Device discovery. Select Mobility controller discovery. Select This is the primary mobility controller. 2. Select Save. 9-9 Mobility traffic manager Configuring Mobility Traffic Manager Connect to the management tool on all other controllers, that will be part of the mobility domain and do the following: 1. Select Controller >> Management > Device discovery. 2. Select Mobility controller discovery. 3. Specify the IP address of the primary mobility controller. This can be the address of its Internet port or LAN port as long as the port is reachable. For example, if the primary is at 192.168.5.1, you would configure the other controllers as follows: 4. Select Save. Defining network profiles Global definitions for all home networks and local networks are created using the network profiles feature which is found on the Controller >> Network > Network profiles page. Initially, two profiles are defined as shown. To create a new profile, select Add New Profile. For each network profile you can define a VLAN ID or just a name. 9-10 Mobility traffic manager Configuring Mobility Traffic Manager About the default profiles Two network profiles are created by default: LAN port network and Internet port network. These profiles are associated with the two physical Ethernet ports on the controller. You can rename these profiles, but you cannot assign a VLAN to them or delete them. You can use these profiles to send untagged traffic to a specific port on the controller. Both ports are considered to be local networks on the controller, which means that they automatically map the network that is assigned to each physical port as a local network on the controller. However, the LAN and Internet port network profiles can also be assigned as a local network on an AP (for example, using the Controlled APs >> Configuration > Local networks page). When this is done, both profiles refer to the untagged Ethernet port on the AP. Assigning a home network to a user When you activate MTM support for a VSC, a user’s home network is defined in one of the following ways: It can be configured in the user’s account on a third-party RADIUS server by setting the attributes Tunnel-Medium-Type, Tunnel-Private-Group-ID, and Tunnel-Type. For details on how to set these attributes, see User attributes on page 15-13. The Tunnel-Private-Group-ID attribute should be set to the name of the network profile that identifies the user’s home network (A VLAN number can also be specified, but is not recommended since two profiles could exist with the same VLAN ID but bound to different physical ports or VLAN ports.) Configured in a locally defined user account or user account profile. (User accounts are defined by selecting Controller >> Users.) Currently this method only supports VLAN ID. To specify a network profile name, Use the Custom attributes option in a network profile to specify the attributes Tunnel-Medium-Type, Tunnel-Private-Group-ID, and Tunnel-Type. Configured by setting the Egress network option when binding the VSC to an AP group. This lets you assign the same home network to a group of APs. Any user connected to one of these APs then gets the specified home network. Note that if both the Egress network and a RADIUS attribute are assigned, the Egress network is overwritten by the RADIUS attribute. A number of configuration settings on the controller can affect how user traffic is routed. Some of these settings may override the choices you make to assign user traffic to a home network. See Traffic flow for wireless users on page 7-6. Note At least one controller must be assigned to each home network defined in the mobility domain. See Local networks on page 9-8. 9-11 Mobility traffic manager Configuring Mobility Traffic Manager Defining local networks on a controller Local networks on a controller are composed of the following interfaces: The network connected to the LAN port. Identified by the network profile LAN port network. The network connected to the Internet port. Identified by the network profile Internet port network. Any VLAN definition created on the Controller >> Network > Ports page. To add additional VLANs on a controller, do the following: 1. Select Controller > Network > Ports. 2. Select Add New VLAN. 3. Under General, set Port to LAN port or Internet port. 4. Under VLAN, set VLAN ID to the appropriate network profile. 5. Under Assign IP address via, select an addressing method. 9-12 Mobility traffic manager Configuring Mobility Traffic Manager 6. Select Save. Assigning local networks to an AP Each AP can be configured to support one (or more) local networks. By comparing the home network assigned to a user with the list of local networks associated with an AP, MTM can determine if the user is at home or roaming. Local networks can be assigned by selecting one of the following (depending on whether you want to define local networks for all APs, a group of APs, or a single AP): Controller > Controlled APs >> Configuration > Local networks Controller > Controlled APs > [group] >> Configuration > Local networks Controller > Controlled APs > [AP] >> Configuration > Local networks In all cases you will see the Home networks configuration page. Local networks Select the local networks that are connected to the Ethernet port(s) on the AP. Available networks: This box lists all network profiles defined on the controller. Select a network profile and then select the right arrow to assign it as a local network on the AP. Local networks: This box lists all the networks that are local to the AP. These networks are used to determine if a user is roaming or at home when they connect to the AP. 9-13 Mobility traffic manager Configuring Mobility Traffic Manager Note If a user’s home network matches a local network on the AP, the user is considered to be at home, and their traffic is bridged onto the wired network via the Ethernet port on the AP. If a user’s home network does not match a local network on the AP, the user is considered to be roaming, and their traffic is tunneled to appropriate home network via the controllers that make up the mobility domain. This Subnets feature has been deprecated. See Subnet-based mobility for more information. Configuring the mobility settings for a VSC Once all home and local networks have been assigned, you can configure VSC definitions to support MTM. 1. Select the Controller > VSCs > [VSC-name]. 2. Disable the Access control option under General. 3. Select Wireless mobility, and under it, select Mobility traffic manager. If you are using MTM to tunnel the traffic from wireless users to their home networks, set the following parameter to determine how MTM routes traffic if no home network is assigned to a user (via their RADIUS account or local user account), or if the user’s home network is not found in the mobility domain. If no matching network is assigned Block user: User access is blocked. Consider the user at home: The user’s home network is considered to be the network assigned to the AP’s Ethernet port and traffic is bridged locally by the AP. 4. Select Save. 9-14 Mobility traffic manager Configuring Mobility Traffic Manager 5. Configure the Wireless security filters so that they do not interfere with roaming functionality. In most cases, these filters should be disabled. If you need to use them, note that: The Restrict wireless traffic to: Custom option can be used provided that it restricts traffic to destinations that are reachable from all subnets in the mobility domain. Neither the Restrict wireless traffic to: Access point’s default gateway nor Restrict wireless traffic to: MAC address options can be used. Binding a VSC to an AP After you have defined a VSC, you need to bind it to all the APs in the mobility domain. 1. Select Controller > Controlled APs > [group] >> VSC bindings and then the VSC configured for mobility. The VSC binding page opens. For VSC profile, select the VSC that you just configured for mobility. You have the option of assigning an Egress network to the binding. When mobility is active on the VSC, the Egress network is assigned as the user’s home network (unless a dynamic VLAN is assigned to the user). You also have the option of selecting any untagged interfaces, such as the default profiles for the LAN port and Internet port. A number of configuration settings on the controller can affect how user traffic is routed. Some of these settings may override the choices you make to assign user traffic to a home network. See Traffic flow for wireless users on page 7-6. 9-15 Mobility traffic manager Monitoring the mobility domain Monitoring the mobility domain The mobility overview page displays status information for the mobility domain. For example: To view this page: On a non-teamed controller, select Controller >> Status > Mobility. On a controller team, select Team:[Team-name] > Controllers [Team-manager] >> Status > Mobility. Controllers This table lists all controllers that are part of the mobility domain. 9-16 Name: Name assigned to the controller. IP address: IP address of the controller. MAC address: Medium access control address of the associated controller. Mobility traffic manager Monitoring the mobility domain Networks in the mobility domain This table lists all networks that are defined in the mobility domain and indicates the address of the Handler (AP or controller) that provides the data path to each network. This list should be identical on all controllers that are part of the mobility domain. The handler will differ on each controller, depending on whether the network is supported locally or not. IP subnet (This field does not apply when using Mobility Traffic Manager.) IP subnet assigned to the network, if applicable. For example, if the network is a VLAN, then no IP subnet/mask information is shown. Mask Network mask associated with the IP subnet, if applicable. VLAN ID VLAN ID associated with the network. Handler A handler is the AP or controller that provides the data path to a network. If the network is handled by an AP managed by this controller, then this column shows the names of controlled APs supporting the network. Up to five APs can be displayed (the first five APs registered by the controller for the specific network). If the network is local to this controller, then this column shows This controller. If the network is directly connected to another controller, then this column shows the name of the other controller. Network Name of the network. Mobility clients This table provides information on all roaming clients that are active in the mobility domain. MAC address Media access control (hardware) address of the client. Select the address to see a log of mobility-related events for the client. For details, see Mobility client event log on page 9-19. IP address IP address of the client. Data path Lists all the APs and controllers that are in the data path between a user and their home network. 9-17 Mobility traffic manager Monitoring the mobility domain Network The name of the user’s home network. Status Possible values are: Connected: The client is connected to their home network. Blocked: Client data transfer is blocked because the home network could not be found. Forwarding table Port Identifies the logical or physical port on which traffic is being forwarded. MAC address Identifies the MAC address to be matched. Traffic addressed to this address is forwarded on the corresponding port. VSC ID Identifies the VSC that a wireless client is connected to. VLAN Identifies the VLAN that the MAC address is associated with. Authorized Indicates if the wireless client is authorized to send traffic on the bridge. Local Yes: Indicates that the MAC address identifies an interface on the service controller. No: Indicates that the MAC address is learned (not on the service controller). Aging Indicates how long (in seconds) until the entry is deleted from the table. Once deleted the entry must be relearned. 9-18 Mobility traffic manager Monitoring the mobility domain Mobility client event log This page lists all events for a roaming client. Date and time Date and time that the even occurred. Category Always set to Mobility. Operation Possible values are: Client tunneling: Client tunneling events indicate activities related to establishing the data tunnel to a remote controller or AP for the purposes of transporting client data to its home network. Mobility setup: Mobility setup events indicate activities related to the detection and status of mobile clients, such as association, de-association, and state changes. Status Possible values are: Client Unicast Tunneling On: The unicast tunneling path to the indicated device (AP or another controller) has been established. Client Broadcast Tunneling On: The multicast/broadcast tunneling path to the indicated device (either AP or another controller) has been established. 9-19 Mobility traffic manager Monitoring the mobility domain 9-20 Client Unicast Tunneling Off: The unicast tunneling path to the indicated device (either AP or another controller) has been removed. This is normally done only when the client has disassociated or its home network has changed. Client Broadcast Tunneling Off: The multicast/broadcast tunneling path to the indicated device (either AP or another controller) has been removed. This is normally done only when the client has disassociated or its home network has changed. Mobile Client Connected from Local Network: The tunneling path for data sent from the wireless client has been established. Mobile Client Connected to Home Network: The tunneling path at the client’s home network egress point has been established. Mobility Initiated at Home Interface: A request to setup a client connection at its home network has been received. Mobile Terminated at Home Interface: A client connection at its home network has been terminated. This normally happens only when the client has disconnected or the network path to its connection point has been disrupted. Mobility Initiated at Client Interface: A request to setup a client connection at its connection point (the AP where the client is associated) has been received. Mobility Terminated at Client Interface: A client connection at its connection point has been terminated. This normally happens only when the client has disconnected or the network path to its home network has been disrupted. Client roamed to another BSSID: A client for which a tunneling path has been established has roamed to another AP. In this case, the tunneling path from its previous AP to its home network is disconnected, and a tunneling path from its new AP to its home network is established. Client updated VSC/VLAN/Network: A client for which a tunneling path has been established has re-connected to a network and as a result has a new home network assignment. In this case, the tunneling path to its previous home network is disconnected, and a tunneling path to its new home network is established. No AP available to terminate client traffic: A home network terminated by an AP is not currently available to egress the client traffic. In this case, data from the client will be blocked until the home network (i.e., the AP) becomes available. Mobility traffic manager Scenario 1: Centralizing traffic on a controller Scenario 1: Centralizing traffic on a controller This scenario illustrates how to centralize the traffic from a VSC that is deployed on several APs on different subnets. How it works In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network. To accomplish this, the egress network in the VSC binding is set to the network profile that is assigned to the controller’s LAN port. LAN port 192.168.30.1 User A User B Network 1 Network 2 Network 3 192.168.10.0 192.168.20.0 192.168.30.0 1 WLA N User A 2 WLA N User B Configuration overview The following sections provide a summary of the configuration settings needed to enable MTM support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-21 Mobility traffic manager Scenario 1: Centralizing traffic on a controller VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. (For complete screenshot see VSC configuration options on page 5-5.) 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. Network profiles This scenario uses the default network profiles, so no configuration is necessary. 9-22 Mobility traffic manager Scenario 1: Centralizing traffic on a controller VSC binding This scenario assumes that all APs are part of the Default Group. Set the egress for the group to the Internet port on the controller. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP. Select Egress network, and under it, set Network profile to LAN port network. 2. Select Save. 9-23 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress Scenario 2: Centralized traffic on a controller with VLAN egress This scenario illustrates how to centralize the traffic from a VSC that is deployed on several APs on different subnets and send it to one or more VLANs via the controller. How it works In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto the wired network on VLAN 40. To accomplish this, the egress network in the VSC binding is set to a network profile that defines a VLAN on the controller’s Internet port. LAN port 192.168.1.1 Internet port 192.168.40.1 VLAN 40 Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 VLAN 40 1 WLA N User A 2 3 WLA N WLA N User B User C Configuration overview The following sections provide a summary of the configuration settings needed to enable MTM support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-24 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. (For complete screenshot see VSC configuration options on page 5-5.) 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. Network profiles Define a network profile that maps VLAN 40 to the Internet port on the controller. 1. Select Controller > Network > Network profiles. 2. Select Add New Profile. 3. Under Settings, set Name to All-Traffic. 9-25 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress 4. Select VLAN, and under it, set ID to 40. 5. Select Save. Create the VLAN Create a VLAN on the Internet port using the network profile you just defined. 1. Select Controller > Network > Ports. Initially, the VLAN configuration list will be empty. 2. Select Add New VLAN. Under General, set Port to Internet port. Under VLAN, set VLAN ID to 40 (All-Traffic). Under Assign IP address via, let the setting None. An address is not needed. 3. Select Save. 9-26 Mobility traffic manager Scenario 2: Centralized traffic on a controller with VLAN egress VSC binding This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP. Select Egress network, and under it set Network profile to Internet port network. 2. Select Save. 9-27 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing Scenario 3: Centralized traffic on a controller with per-user traffic routing This scenario illustrates how to centralize the traffic from a VSC that is deployed on several APs on different subnets and send it to different VLANs for different groups of users. How it works In this scenario, a single controller manages several APs deployed on different subnets. The default VSC (named HP) is assigned to each AP and is used to provide wireless services for users. All traffic on this VSC is tunneled to the controller by MTM, where it is egressed onto different VLANs for different user groups. An account profile is created for each user that define the egress VLAN for their traffic. This profile is then associated with the user’s account. WPA is enabled on the VSC to control user authentication. When the user logs in, the VLAN is retrieved from the account profile and is used by MTM to route the user’s traffic to the appropriate network via the Internet port. Traffic is sent to a different wired network based on the home network assigned to each user in their account profile. LAN port 192.168.1.1 Internet port 192.168.40.1 User B User A Network 1 Network 2 Network 3 Network 4 192.168.10.0 192.168.20.0 192.168.30.0 192.168.40.0 1 WLA N User A Home network = Network 4 2 WLA N User B Home network = Network 3 Configuration overview The following sections provide a summary of the configuration settings needed to enable mobility support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-28 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing VSC configuration Enable MTM support on the VSC. 1. Select Controller > VSCs > HP. Under Global, clear Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. Select Wireless protection, and then select WPA. Under it, do the following: Set Mode to WPA (TKIP). Set Key source to Dynamic. 9-29 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing This will automatically enable the 802.1X authentication option and set it to use the local user accounts. 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. Network profiles Define network profiles that map VLAN 30 and 40 to the Internet port on the controller. 1. Select Controller > Network > Network profiles. 2. Select Add New Profile. 3. Under Settings, set Name to Network 3. 4. Select VLAN, and under it, set ID to 30. 5. Select Save. 6. Select Add New Profile. 7. Under Settings, set Name to Network 4. 9-30 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select VLAN, and under it, set ID to 40. 9. Select Save. Create the VLANs Create VLANs on the Internet port using the network profiles you just defined. 1. Select Controller > Network > Ports. Initially, the VLAN configuration list will be empty. 2. Select Add New VLAN. Under General, set Port to Internet port. Under VLAN, set VLAN ID to 30 (Network 3). Under Assign IP address via, let the setting None. An address is not needed. 3. Select Save. 9-31 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Add New VLAN. Under General, set Port to Internet port. Under VLAN, set VLAN ID to 40 (Network 4). Under Assign IP address via, let the setting None. An address is not needed. 5. Select Save. User accounts Next you need to define user accounts and account profiles. 1. Select Controller >> Users > Account profiles. 2. Select Add New Profile. 3. Under General, set Profile name to Network 3 and disable Access-controlled profile. 9-32 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 4. Select Egress interface, and under it select Egress VLAN ID and set it to 30. 5. Select Save. 6. Select Add New Profile. 7. Under General, set Profile name to Network 4 and disable Access-controlled profile. 9-33 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 8. Select Egress interface, and under it select Egress VLAN ID and set it to 40. 9. Select Save. The profiles list should now look like this: 10. Select Controller >> Users > User accounts. Initially, no accounts are defined. 9-34 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 11. Select Add New Account. 12. Under General: Set User name to User A. Set Password to a secure password. Clear Access-controlled account. 13. Select Account profiles, and under it move Network 3 to the box titled Set account attributes using these profiles. 14. Select Save. 9-35 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing 15. Select Add New Account. 16. Under General: Set User name to User B. Set Password to a secure password. Clear Access-controlled account. 17. Select Account profiles, and under it move Network 4 to the box titled Set account attributes using these profiles. 18. Select Save. 9-36 Mobility traffic manager Scenario 3: Centralized traffic on a controller with per-user traffic routing VSC binding This scenario assumes that all APs are part of the Default Group. 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. Under VSC Profile, set VSC profile to HP. 2. Select Save. 9-37 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Scenario 4: Assigning home networks on a per-user basis This scenario illustrates how to assign home networks on a per-user basis using RADIUS attributes. How it works In this scenario, wireless services have been added to two wired networks. A single controller and multiple APs are installed on each network. The two networks are connected with an L3 switch. The following diagram provides an overview of the setup. (A single AP is shown on each network for clarity). Primary mobility controller RADIUS server 1 2 LAN port 192.168.10.1/24 LAN port 192.168.20.1/24 Network 1 Network 2 192.168.10.0 192.168.20.0 L3 switch 10.2 20.2 2 1 WLA N User A WLA N User A roams from AP 1 to AP 2 User A Home network via RADIUS = Net1 Wireless clients receive their DHCP address from the controller on their network, or use a static IP addressing scheme. 9-38 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis A single VSC is used in this scenario. It is configured with the Wireless mobility, Mobility traffic manager option enabled. Home network assignment for users is done by setting RADIUS VLAN attributes which map users to one of two network profiles: Network profile name Assigned to Net1 Net2 Controller 1 LAN port All APs attached to network 10.0 use this as their home network Controller 2 LAN port All APs attached to network 20.0 use this as their home network Each profile must be assigned to an AP as well as a controller. This is done to ensure that when a user logs in on an AP installed on the same subnet as the home network, traffic is not routed through the controller, but is sent directly onto the network via the Ethernet port not the AP. For example: When User A logs onto AP 1, RADIUS returns the VLAN ID Net1. Since Net1 is defined as a home network on AP 1, traffic is sent directly onto network 1 via the Ethernet port on the AP. When User A roams to (or logs into) AP 2, RADIUS returns the VLAN ID Net1. Since Net1 is not defined as a home network on AP 2, MTM tunnels the user’s traffic back to network 1. A RADIUS account is defined for each user with attributes set as follows to identify the home network using a network profile name: RADIUS attribute Network 1 users Network 2 users Tunnel-Medium-Type 802 802 Tunnel-Private-Group-ID Net1 Net2 Tunnel-Type VLAN VLAN Configuration overview The following sections provide a summary of the configuration settings needed to enable mobility support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-39 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Controller 1 configuration Mobility domain 1. Select Controller >> Management > Device discovery. Select Mobility controller discovery. Select This is the primary mobility controller. (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. VSC 1. Select Controller > VSCs > HP. Under Global Clear Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. (For complete screenshot see VSC configuration options on page 5-5.) 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. 9-40 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Network profiles 1. Select Controller > Network > Network profiles. 2. Select LAN port network. 3. Under Settings, change Name to Net1. 4. Select Save. Controller 2 configuration Mobility domain 1. Select Controller >> Management > Device discovery. (For complete screenshot see Defining the mobility domain on page 9-9.) Select Mobility controller discovery. Clear This is the primary mobility controller. Specify the IP address of the primary mobility controller. In this example: 192.168.10.1. 2. Select Save. VSC VSC configuration is the same as for controller 1. 9-41 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Network profiles 1. Select Controller >> Network > Network profiles. 2. Select LAN port network. 3. Under Settings, change Name to Net2. 4. Select Save. AP configuration VSC binding 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For complete screenshot see VSC configuration options on page 5-5.) Set VSC profile to HP. 2. Select Save. 9-42 Mobility traffic manager Scenario 4: Assigning home networks on a per-user basis Local network assignment 1. Select Controller > Controlled APs > Default group >> Configuration > Home networks. For each AP on network 1, double-click Net1 to add it to the Local networks list. For each AP on network 2, double-click Net2 to add it to the Local networks list. 2. Select Save. 9-43 Mobility traffic manager Scenario 5: Traffic routing using VLANs Scenario 5: Traffic routing using VLANs This scenario explains how to route the traffic from users onto specific VLANs on the wired network. How it works In this scenario, traffic on a corporate network is routed using VLANs, creating several logical networks to isolate the network resources for each workgroup. A number of wireless APs are distributed throughout the company and are connected using VLAN 2. Network administrators use VLAN 1 for all equipment installed on the network and in the network operations center (NOC). The following diagram provides a logical overview of the setup. (Only two APs are shown for clarity). Primary mobility controller 2 1 LAN port 192.168.5.2/24 DHCP server RADIUS server 192.168.5.1/24 LAN port 192.168.5.3/24 NOC Network 1 VLAN 1 VLAN 10 Network 2 VLAN switch VLAN 20 1 APs Network 3 VLAN 2 VLAN 30 2 WLA N WLA N User A User B Home network via RADIUS = Net1 Home network via RADIUS = Net2 Wireless clients receive their DHCP address from the DHCP server on the network. 9-44 Mobility traffic manager Scenario 5: Traffic routing using VLANs A single VSC is used. It is configured with the Mobility traffic manager option enabled. Home networks for users are determined by setting RADIUS VLAN attributes, which map users to the following network profiles: Network profile name Assigned to LAN port on Assigned to VLAN ID Net1 Controller 1 10 Net2 Controller 2 20 Net3 Controller 2 30 NOC Controller 1 1 Since all traffic is routed to the VLANs through the LAN port on either controller 1 or 2, no home networks are assigned on the APs. By assigning different VLANs to different controller ports, traffic can be split between controllers. To reduce the amount of traffic that needs to be tunneled between controllers, APs are assigned to controllers based on their expected use: AP 1 is physically located in an area where most of the users as assigned to network 1, therefore it is managed by controller 1. AP 2 is physically located in an area where most of the users as assigned to network 2, therefore it is managed by controller 2. A RADIUS account is defined for each user with attributes set to identify their home network using one of the network profile names: RADIUS attribute Network 1 users Network 2 Network 3 Network users users administrators Tunnel-Medium-Type 802 802 802 802 Tunnel-Private-Group-ID Net1 Net2 Net3 NOC Tunnel-Type VLAN VLAN VLAN VLAN Configuration overview The following sections provide a summary of the configuration settings needed to enable mobility support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-45 Mobility traffic manager Scenario 5: Traffic routing using VLANs Controller 1 configuration Mobility domain 1. Select Controller >> Management > Device discovery. Select Mobility controller discovery. Select This is the primary mobility controller. (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. VSC 1. Select Controller >> VSCs > HP. Under Global, disable Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. (For complete screenshot see VSC configuration options on page 5-5.) 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. 9-46 Mobility traffic manager Scenario 5: Traffic routing using VLANs Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile. Under Settings, set Name to Net1. Select VLAN. Under VLAN, set ID to 10. 3. Select Save. 4. Repeat steps 2 and 3 to define the following profiles: Profile name = Net1, VLAN ID = 10 Profile name = NOC, VLAN ID = 1 Profile name = APs, VLAN ID = 2 5. When done, the list of network profiles should look like this: 9-47 Mobility traffic manager Scenario 5: Traffic routing using VLANs VLANs 1. Select Controller > Network > Ports. Initially, the VLAN configuration list will be empty. 2. Select Add New VLAN. Under General, set Port to LAN port. Under VLAN, set VLAN ID to 10 (Net1). 3. Select Save. 4. Repeat steps 2 and 3 to define the following VLANs: Port = LAN port, VLAN ID = 1 (NOC) Port = LAN port, VLAN ID = 2 (APs) 5. When done, the list of VLANs should look like this: 9-48 Mobility traffic manager Scenario 5: Traffic routing using VLANs Controller 2 configuration Mobility domain 1. Select Controller >> Management > Device discovery. (For complete screenshot see Defining the mobility domain on page 9-9.) Select Mobility controller discovery. Clear This is the primary mobility controller. Set the IP address of the primary mobility controller to 192.168.5.2. 2. Select Save. VSC Configuration is the same as for controller 1. Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile. Under Settings, set Name to Net1. Select VLAN. Under VLAN, set ID to 10. 3. Select Save. 9-49 Mobility traffic manager Scenario 5: Traffic routing using VLANs 4. Repeat steps 2 and 3 to define the following profiles: Profile name = Net2, VLAN ID = 20 Profile name = Net3, VLAN ID = 30 Profile name = APs, VLAN ID = 2 5. When done, the list of network profiles should look like this: VLANs 1. Select Controller > Network > Ports. Initially, the VLAN configuration list will be empty. 2. Select Add New VLAN. Under General, set Port to LAN port. Under VLAN, set VLAN ID to 10 (Net1). 3. Select Save. 9-50 Mobility traffic manager Scenario 5: Traffic routing using VLANs 4. Repeat steps 2 and 3 to define the following VLANs: Port = LAN port, VLAN ID = 20 (Net2) Port = LAN port, VLAN ID = 30 (Net3) Port = LAN port, VLAN ID = 2 (APs) 5. When done, the list of VLANs should look like this: AP configuration VSC binding 1. Select Controller > Controlled APs > Default Group >> VSC bindings and then select HP. The VSC binding page appears. (For complete screenshot see Binding a VSC to a group on page 6-26.) Set VSC profile to HP. 2. Select Save. 9-51 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Scenario 6: Distributing traffic using VLAN ranges This scenario explains how to automatically distribute wireless network traffic onto multiple VLANs on the wired network. How it works In this scenario, traffic on a corporate network is segmented onto multiple VLANs to address performance and scalability issues. Traffic from the users on wireless APs needs to be deployed in the same manner. Rather than manually assigning APs and/or groups of users to specific VLANs, MTM can be configured to automatically disperse traffic across a VLAN range. In fact, by defining multiple network profiles, traffic can be mapped to several different ranges, allowing groups of users or APs to be mapped to specific VLAN ranges. The following diagram provides a logical overview of the setup. (Only two APs are shown for clarity). Primary mobility controller 2 1 LAN port 192.168.5.2/24 DHCP server RADIUS server 192.168.5.1/24 LAN port 192.168.5.3/24 NOC VLAN 1 Corporate network VLAN switch VLANs 10-50 APs VLAN 2 1 2 WLA N WLA N User A User B Wireless clients receive their DHCP address from the DHCP server on the network. 9-52 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges A single VSC is used. It is configured with the It is configured with the Wireless mobility, Mobility traffic manager option enabled. The home network for users is defined by setting the Egress network when the VSC is bound to the APs. The Egress network is mapped to a network profile that defines a range of VLANs on the LAN port on the controller. Network profile name Assigned to LAN port on Assigned to VLAN range Net1 Controller 1 10-30 Net2 Controller 2 31-50 By assigning a different profile name to AP groups, traffic can be split between controllers. In this example, the APs are split into two groups: Group 1: The VSC binding is configured with Egress network set to Net1, putting traffic from this group onto VLAN range 10-30. Group 2: The VSC binding is configured with Egress network set to Net2, putting traffic from this group onto VLAN range 11-51. MTM uses a round-robin mechanism to distribute traffic across the VLANs range. The first wireless user is assigned to the first VLAN in the range. Subsequent users are assigned to the next VLAN in the range. When the range is exhausted, assignment starts with the first VLAN again. For example, if the VLAN range is defined as VLAN IDs 1 to 20, the first user is assigned to VLAN 1. The second is assigned to VLAN 2. The 21st user is assigned to VLAN 1 again. Although VLAN assignment is sequential through the range, from the user’s point of view, VLAN assignment will appear to be random. Configuration overview The following sections provide a summary of the configuration settings needed to enable mobility support only. It is assumed that installation and configuration of all controllers and APs so that they are fully operational on the network was performed as explained in the other chapters in this guide. 9-53 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Controller 1 configuration Mobility domain 1. Select Controller >> Management > Device discovery. Select Mobility controller discovery. Select This is the primary mobility controller. (For complete screenshot see Defining the mobility domain on page 9-9.) 2. Select Save. VSC 1. Select Controller >> VSCs > HP. Under Global Clear Access control. (For complete screenshot see VSC configuration options on page 5-5.) Select Wireless mobility, then under it: Select Mobility traffic manager. Select Block user. (For complete screenshot see VSC configuration options on page 5-5.) 2. Either disable Wireless security filters or set it to Custom. 3. Select Save. 9-54 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile. Under Settings, set Name to Net1. Select VLAN. Under VLAN, set ID to 10-30. 3. Select Save. VLANs 1. Select Controller >> Network > Ports. Initially, the VLAN configuration list will be empty. 9-55 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges 2. Select Add New VLAN. Under General, set Port to LAN port. Under VLAN, set VLAN ID to 10-30 (Net1). 3. Select Save. Controller 2 configuration Mobility domain 1. Select Controller >> Management > Device discovery. (For complete screenshot see Defining the mobility domain on page 9-9.) Select Mobility controller discovery. Clear This is the primary mobility controller. Set the IP address of the primary mobility controller to 192.168.5.2. 2. Select Save. VSC Configuration is the same as for controller 1. 9-56 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges Network profiles 1. Select Controller >> Network > Network profiles. 2. Select Add New Profile. Under Settings, set Name to Net2. Select VLAN. Under VLAN, set ID to 31-50. 3. Select Save. VLANs 1. Select Controller >> Network > Ports. Initially, the VLAN configuration list will be empty. 9-57 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges 2. Select Add New VLAN. Under General, set Port to LAN port. Under VLAN, set VLAN ID to 31-50 (Net2). 3. Select Save. AP configuration Split the APs into two groups as explained in Working with groups on page 6-25. Call them Group 1 and Group 2. VSC binding for Group 1 1. Select Controller > Controlled APs > Group 1 >> VSC bindings and then select HP. The VSC binding page appears. Set VSC profile to HP. Select Egress network, then for Network profile, select Net1 (10-30). 2. Select Save. 9-58 Mobility traffic manager Scenario 6: Distributing traffic using VLAN ranges VSC binding for Group 2 1. Select Controller > Controlled APs > Group 2 >> VSC bindings and then select HP. The VSC binding page appears. Set VSC profile, to HP. Select Egress network, then for Network profile, select Net2 (31-50). 2. Select Save. 9-59 Mobility traffic manager Subnet-based mobility Subnet-based mobility This feature has been deprecated. If you are creating a new installation, use Mobility Traffic Manager. If you are upgrading from a previous release, your subnet-based configuration will still work. However, for added benefits and greater flexibility you should migrate your setup to Mobility Traffic Manager. For reference, subnet-based mobility configuration options appear on the following pages: 9-60 Controller > Controlled APs >> Configuration > Local networks Controller > Controlled APs > [group] >> Configuration > Local networks Controller > Controlled APs > [AP] >> Configuration > Local networks Controller > VSCs >> [VSC-name] Chapter 10: User authentication, accounts, and addressing 10 User authentication, accounts, and addressing Contents Introduction ................................................................................................................10-3 Authentication support.......................................................................................10-3 Other access control methods ...........................................................................10-5 Using more than one authentication type at the same time ..........................10-6 User authentication limits ..................................................................................10-7 802.1X authentication ................................................................................................10-8 Supported 802.1X protocols ...............................................................................10-9 Configuring 802.1X support on a VSC.............................................................10-10 Configuring global 802.1X settings for wired users ......................................10-12 Configuring global 802.1X settings for wireless users ..................................10-13 Configuring 802.1X support on an MSM317 switch port ..............................10-14 MAC-based authentication......................................................................................10-14 Configuring global MAC-based authentication..............................................10-16 Configuring MAC-based authentication on a VSC.........................................10-17 Configuring MAC-based authentication on an MSM317 switch port ..........10-19 Configuring MAC-based filters on a VSC........................................................10-19 Configuring MAC-based filters on an MSM317 switch port .........................10-20 HTML-based authentication....................................................................................10-22 Configuring HTML-based authentication on a VSC ......................................10-22 VPN-based authentication.......................................................................................10-24 Configuring VPN-based authentication on a VSC..........................................10-24 No authentication.....................................................................................................10-26 User authentication, accounts, and addressing Locally-defined user accounts ................................................................................10-26 Features ..............................................................................................................10-26 Defining a user account ....................................................................................10-30 Defining account profiles .................................................................................10-32 Defining subscription plans .............................................................................10-35 Accounting persistence ....................................................................................10-36 User addressing and related features ....................................................................10-36 10-2 User authentication, accounts, and addressing Introduction Introduction Note This chapter discusses user authentication as it applies to the controller and controlled APs only. For information on authentication when working with autonomous APs, see Chapter 19: Working with autonomous APs. User authentication tasks can be handled either by the AP or by the controller. This is controlled by the settings of the access control and authentication options on the VSC to which a user is connected. See About access control and authentication on page 5-6. Authentication support The following table lists all authentication types that are supported for user authentication and indicates how they apply to wired and wireless users. The Use controller for option is set to: Auth type Authentication 802.1X (VSC) Authentication and Access control Neither For more information, see ... Wireless + wired* users Wireless + wired* users Wireless + wired users Configuring 802.1X support on a VSC on authenticated via: authenticated via: authenticated via: page 10-10. Local user accounts Local user accounts External RADIUS server External RADIUS External RADIUS server server Active Directory Active Directory 802.1X (Switch port) Only supported when the switch port is not bound to a VSC. Supports wired users only. Configuring 802.1X support on an MSM317 switch port on page 10-14. MAC-based (Global) Not supported Configuring global MAC-based authentication on page 10-16. Wireless + wired* users Not supported authenticated via: Local user accounts External RADIUS server Active Directory 10-3 User authentication, accounts, and addressing Introduction The Use controller for option is set to: Auth type Authentication MAC-based (VSC) Wireless users authenticated via: Authentication and Access control Neither For more information, see ... Wireless users authenticated via: Local user accounts External RADIUS server Active Directory Wireless + wired users Configuring MACbased authenticated via: authentication on a Local user accounts External RADIUS VSC on page 10-17. server External RADIUS server Active Directory MAC-based (Switch port) Only supported when the switch port is not bound to a VSC. Supports wired users only. Configuring MACbased authentication on an MSM317 switch port on page 10-19. HTML-based Not supported Configuring HTMLbased authentication on a VSC on page 10-22. VPN-based Not supported No Wireless + wired users* authentication Wireless users authenticated via: Local user accounts on the controller External RADIUS server Active Directory Not supported Wireless + wired* users Not supported authenticated via: Local user accounts on the controller External RADIUS server Active Directory Configuring global MAC-based authentication on page 10-16. No authentication on page 10-26. * Wired users are only supported on the default VSC, unless their traffic is on a VLAN that matches the VSC ingress defined on another VSC. (On a controller team, wired users are only supported via the MSM317 switch ports.) 10-4 User authentication, accounts, and addressing Introduction Other access control methods Although not authentication options, the following features can also be used to limit access to the wireless port. The Use controller for option is set to: Feature Authentication and Access control Authentication MAC lockout (Global) Not supported Wireless/wired users connected via: Wireless ports on controlled APs Wired ports (including switch ports) on controlled APs Local mesh ports on controlled APs The LAN port on the controller Neither For more information, see ... Not supported MAC lockout on page 12-13 Not supported MAC-based filtering on page 10-16 MAC lockout does not apply to the Internet port on the controller. MAC filtering (VSC) IP filtering (VSC) Not supported Wireless users authenticated via: Not supported Local user accounts on the controller External RADIUS server Active Directory Wireless users authenticated via: Local user accounts on the controller External RADIUS server Active Directory Configuring MACbased filters on a VSC on page 10-19. Configuring MACbased filters on an MSM317 switch port on page 10-20 Not supported Wireless IP filter on page 5-30. 10-5 User authentication, accounts, and addressing Introduction Using more than one authentication type at the same time For added flexibility, you can enable multiple authentication types on a VSC at the same time to support users with different needs. How this works depends on setting of the Use Controller for option in the VSC. The following table lists all possible combinations of authentication types (and other features) that can be activated, and shows the order in which they are applied. The Use controller for option is set to: Authentication and Access control Authentication MAC lockout + Wireless MAC filter + MAC-based (VSC) + 802.1X (VSC) MAC lockout + Wireless MAC filter + MAC-based (Global) + HTML-based Neither MAC lockout + Wireless MAC filter + MAC-based (VSC) + 802.1X (VSC) or MAC lockout + Wireless MAC filter + 802.1X + HTML-based or MAC lockout + Wireless MAC filter + 802.1X + MAC-based (VSC) or MAC lockout + VPN-based When MAC-based authentication and 802.1X authentication are enabled Clients stations only gain access when they are successfully authenticated by both methods. If one method fails, then access is denied. When MAC-based authentication and Wireless MAC filter are enabled The following table describes how the Wireless MAC filter option interacts with MAC-based authentication. 10-6 Wireless MAC filter setting Result Client address is in the list and the filter is set to block. Client access is denied. MAC-based authentication is not performed. User authentication, accounts, and addressing Introduction Wireless MAC filter setting Result Client address is in the list and the filter is set to allow. Client access is granted. MAC-based authentication is not performed. Client address not in the list. Client access is granted or denied based on result of MAC-based authentication. Switch port not bound to a VSC When a switch port is not bound to a VSC, the following authentication options are supported: 802.1X (Switch port) MAC-based (Switch port) If both options are enabled at the same time, then: 802.1X takes priority for client stations that are 802.1X enabled. If 802.1X authentication fails, MAC authentication is not checked and the client station fails to authenticate. MAC authentication takes priority for client stations that are not 802.1X enabled. If MAC authentication fails, then the client station fails to authenticate. User authentication limits The following limits apply: Controller Maximum Maximum number Maximum number number of of locally defined of active user controlled APs user accounts sessions 710 10 500 100 730 40 2000 500 750 200 2000 2000 760 200 2000 2000 765 200 2000 2000 Controller Team 800 2000 2000 10-7 User authentication, accounts, and addressing 802.1X authentication 802.1X authentication 802.1X is a popular protocol for user authentication that is natively supported on most client stations. 802.1X authentication can be configured at different levels as described in the following table. VSC Switch port Authentication tasks are managed by either the controller or the AP. (Depends on how the VSC is configured.) Authentication tasks are managed by the MSM317. Applies to wireless and wired users. Applies to wired users only. Settings are defined on a per-VSC basis. Settings are defined on a per-port basis. Can be used on access-controlled and nonaccess-controlled VSCs. Can only be used when a switch port is not bound to a VSC. Configured using the Add/Edit Virtual Service Community configuration page in the management tool. Configured by selecting Controlled APs > [MSM317-AP] >> Configuration > Switch ports > [switch-port] in the management tool. User credentials can be validated using: User credentials can be validated using: Local user accounts on the controller External RADIUS server Active Directory External RADIUS server (Depends on how the VSC is configured.) See: 10-8 Configuring 802.1X support on a VSC on page 10-10. Configuring global 802.1X settings for wired users on page 10-12. Configuring global 802.1X settings for wireless users on page 10-13. See Configuring 802.1X support on an MSM317 switch port on page 10-14. User authentication, accounts, and addressing 802.1X authentication Supported 802.1X protocols The following table lists the 802.1X protocols supported by the internal RADIUS server on the controller, and when using a third-party RADIUS server. Protocol Local user accounts (via Internal RADIUS server) Third-party RADIUS server Certificates required EAP-MD5 ✕ ✔ No EAP-TLS ✔ ✔ Client and Server EAP-TTLS ✔ ✔ Server LEAP ✕ ✔ No PEAPv0 ✔ ✔ Server PEAPv1 ✕ ✔ Server EAP-FAST ✕ ✔ Optional EAP-SIM ✕ ✔ Server EAP-AKA ✕ ✔ Server The EAP protocols in this table are known to work with the controller. Other EAP protocols may also work but have not been tested. Protocol definitions The following are brief definitions for the supported protocols. For more detailed information, see the appropriate RFC for each protocol. EAP-MD5: Extensible Authentication Protocol Message Digest 5. Offers minimum security. Not recommended. EAP-TLS: Extensible Authentication Protocol Transport Layer Security. Provides strong security based on mutual authentication. Requires both client and server-side certificates. EAP-TTLS: Extensible Authentication Protocol Tunnelled Transport Layer Security. Provides excellent security with less overhead than TLS as client-side certificates can be used, but are not required. LEAP: Lightweight Extensible Authentication Protocol. Provides mutual authentication between a wireless client and the RADIUS server. Supports WEP, TKIP, and WPA2 keys. Note LEAP is not supported on access-controlled VSCs. PEAPv0: Protected Extensible Authentication Protocol. One of the most supported implementations across all client platforms. Uses MSCHAPv2 as the inner protocol. PEAPv1: Protected Extensible Authentication Protocol. Alternative to PEAPv0 that permits other inner protocols to be used. 10-9 User authentication, accounts, and addressing 802.1X authentication EAP-FAST: Extensible Authentication Protocol Flexible Authentication via Secure Tunneling. Can use a pre-shared key instead of server-side certificate. Configuring 802.1X support on a VSC Each VSC can have unique settings for 802.1X authentication. These settings are defined on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4). 10-10 When the Use controller for Authentication option is enabled under General, 802.1X authentication tasks are handled by the controller. APs forward all authentication requests to the controller which validates user login credentials using the local user accounts or a third-party authentication server (RADIUS or Active Directory). When the Use controller for Authentication option is disabled under General, 802.1X authentication tasks are handled directly by the AP. The AP uses the services of a thirdparty RADIUS server (configured by defining a RADIUS profile on the Controller >> Authentication > RADIUS profiles page) to validate user login credentials. User authentication, accounts, and addressing 802.1X authentication Note When the Wireless protection option in a VSC is set to WPA with a Key source of Dynamic, 802.1X is automatically enabled. Authentication Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page. Remote Active Directory: User logins are authenticated via Active Directory. To setup Active Directory support go to the Controller >> Security > Active Directory page. RADIUS: User logins are authenticated via an external RADIUS server. To setup the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page. Request RADIUS CUI: Enable this option to support the Chargeable User Identity (CUI) attribute as defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. General RADIUS accounting Enable this option to have the controller generate a RADIUS START/STOP and interim request for each user. The controller respects the RADIUS interim-update-interval attribute if present inside the RADIUS access accept of the authentication. 10-11 User authentication, accounts, and addressing 802.1X authentication Called-Station-ID content (Only available when Access control is disabled under Global) Select the value that the AP (with which the user has established a wireless connection) will return as the called station ID. Port 1: MAC address of the first Ethernet port on the AP. Port 2: MAC address of the second Ethernet port on the AP. (Not supported on all APs.) Wireless Radio: MAC address of the wireless radio on the AP on which this VSC is operating. BSSID: Basic service set ID of the wireless network defined for this VSC. macaddress:ssid: The MAC address of the AP radio, followed by a colon, followed by the SSID configured on this VSC. Configuring global 802.1X settings for wired users Global 802.1X settings selecting Controller >> Authentication > 802.1X. These settings only apply to: Wired clients connected to the service controller via the LAN port. Wireless clients using an access-controlled VSC with Wireless protection set to WPA and the Terminate WPA at the controller option enabled. See Terminate WPA at the controller on page 5-24. These settings do not apply to clients connected to the switch port on an MSM317. Supplicant timeout Specify the maximum length of time that the service controller will wait for a client station to respond to an EAPOL packet before resending it. If client stations are configured to manually enter the 802.1X username and/or the password, you must increase the value of the timeout to between 15 and 20 seconds. 10-12 User authentication, accounts, and addressing 802.1X authentication Reauthentication Enable this option to force 802.1X clients to re-authenticate after the specified Period. Period: Client stations must reauthenticate after this amount of time has passed since their last reauthentication. Terminate Disabled: Client stations remain connected during re-authentication and client traffic is blocked only when re-authentication fails. Enabled: Client traffic is blocked during re-authentication and is only activated again if authentication succeeds. Configuring global 802.1X settings for wireless users Global 802.1X settings for wireless users connected to controlled APs are defined by selecting Controlled APs >> Configuration > 802.1X. Supplicant timeout Specify the maximum length of time for the to wait for a client station to respond to an EAPOL packet before resending it. EAPOL (Extensible Authentication Protocol over LAN) is used for 802.1X port access control. 802.1X can be used to authenticate at "network connect time" when using either wired or wireless LAN adapters. If client stations are configured to manually enter the 802.1X username or password or both, increase the value of the timeout to 15 to 20 seconds. Group key update Enable this option to force updating of 802.1X group keys at the specified Key change interval. 10-13 User authentication, accounts, and addressing MAC-based authentication Reauthentication Enable this option to force 802.1X clients to reauthenticate. Period Specify the interval at which client stations must reauthenticate. Terminate Disabled: Client station remains connected during reauthentication. Client traffic is blocked only when reauthentication fails. Enabled: Client traffic is blocked during reauthentication and is only reactivated if authentication succeeds. Configuring 802.1X support on an MSM317 switch port If a switch on the MSM317 port is not bound to a VSC, then 802.11X can be enabled on it. 802.1X authentication tasks are handled by the MSM317. The MSM317 uses the services of a third-party RADIUS server (configured by defining a RADIUS profile on the Controller >> Authentication > RADIUS profiles page) to validate user login credentials. MAC-based authentication MAC-based authentication can be used to automatically authenticate wired or wireless devices as soon as they appear on the network, eliminating the need for manual login. This is useful for authenticating devices that do not have a Web browser and are permanently installed on a network (a printer or point-of-sale terminal, for example), but can also be used for regular users. 10-14 User authentication, accounts, and addressing MAC-based authentication MAC authentication can be configured at several different levels as described in the following table. Global VSC Authentication is handled by the controller. Authentication is handled by either Authentication is handled by the the controller or the AP. (Depends MSM317. on how the VSC is configured.) Applies to both wireless and wired users. Applies to wireless users if the VSC Applies to wired users only. is configured for either Authentication and/or Access control. If neither are configured, applies to both wireless and wired users. Settings apply globally to all VSCs, Settings are defined on a per-VSC except for the authentication server basis. which is defined on a per-VSC basis. Switch port Settings are defined on a per-port basis. Can only be used on accesscontrolled VSCs that have HTMLbased user logins enabled. Can be used on non-accesscontrolled VSCs, or on accesscontrolled VSCs that have HTMLbased user logins disabled. Can only be used when the switch port is not bound to a VSC. Configured using a RADIUS attribute or local public access attribute. Configured using the Add/Edit Virtual Service Community configuration page in the management tool. Configured by selecting Controlled APs > [MSM317-AP] >> Configuration > Switch ports > [switch-port] in the management tool. User credentials can be validated using: User credentials can be validated using: User credentials can be validated using: Local user accounts on the controller Local user accounts on the controller External RADIUS server External RADIUS server Active Directory External RADIUS server (Depends on how the VSC is configured.) See Configuring global MAC-based See Configuring MAC-based authentication on page 10-16. authentication on a VSC on page 10-17. See Configuring MAC-based authentication on an MSM317 switch port on page 10-19. 10-15 User authentication, accounts, and addressing MAC-based authentication MAC-based filtering In addition, MAC-based filters can also be used to manage access to the network. VSC Switch port Filtering occurs on the AP wireless interfaces. Filtering occurs individually on each MSM317 switch port. Applies to wireless client stations only. Applies to wired client stations only. Settings are defined on a per-VSC basis. Settings are defined on a per-port basis. Can be used on both access-controlled and non-access-controlled VSCs. Can only be used when the switch port is not bound to a VSC. Configured using the Add/Edit Virtual Service Community configuration page in the management tool. Configured by selecting Controlled APs > [MSM317-AP] >> Configuration > Switch ports > [switch-port] in the management tool. MAC addresses are validated against a custom list for each VSC. MAC addresses are validated against a global list that is defined on the controller and applies across all devices. See Configuring MAC-based filters on a VSC See Configuring MAC-based filters on an on page 10-19. MSM317 switch port on page 10-20. Note MAC-based filter are always applied before MAC-based authentication. Configuring global MAC-based authentication You define global MAC-based authentication settings using the Colubris-AVPair value string mac-address, which you must add to the RADIUS account for the controller. See Global MAC-based authentication on page 15-56. Although the global MAC-based authentication settings apply to all VSCs that have HTMLbased user logins enabled, each VSC can use a different authentication server to validate user credentials. To define an authentication server for a VSC, open the Add/Edit Virtual Service Community page and use the HTML-based user logins box to select the authentication method. See HTML-based user logins on page 5-27. MAC authentication is performed before HTML authentication. If MAC authentication fails, the user’s connection is terminated. If it succeeds, and HTML authentication is enabled, HTML authentication is performed next. 10-16 User authentication, accounts, and addressing MAC-based authentication Configuring MAC-based authentication on a VSC Each VSC can have unique settings for MAC authentication of wireless client stations. These settings are defined on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4). Note When the Use Controller for Authentication option is enabled under Global, MACbased authentication tasks are managed by the controller. APs forward all authentication requests to the controller which validates user login credentials using the local user accounts or a third-party RADIUS server. When the Use Controller for Authentication option is disabled under Global, MACbased authentication tasks are managed by the AP. The AP uses the services of a thirdparty RADIUS server (configured by defining a RADIUS profile on the Controller >> Authentication > RADIUS profiles page) to validate user login credentials. Reauthentication of client stations does not automatically occur upon session timeout. Authentication Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page. Define both the username and password as the MAC address of the device. Use the following format: 12 hexadecimal numbers, with the values “a” to “f” in lowercase. For example: 0003520a0f01. 10-17 User authentication, accounts, and addressing MAC-based authentication Remote User logins are authenticated via an external RADIUS server. To define the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page. To successfully authenticate a client station, an account must be created on the RADIUS server with both username and password set to the MAC address of the client station. The MAC address sent by the controller or controlled AP in the RADIUS REQUEST packet for both username and password is 12 hexadecimal numbers, with the values “a” to “f” in lowercase. For example: 0003520a0f01. The RADIUS server will reply to the REQUEST with either an ACCEPT or REJECT RADIUS RESPONSE packet. In the case of an ACCEPT, the RADIUS server can return the sessiontimeout RADIUS attribute (if configured for the account). This attribute indicates the amount of time, in seconds, that the authentication is valid for. When this period expires, the controller or controlled AP will re-authenticate the wireless station. Request RADIUS CUI: Enable this option to support the Chargeable User Identity (CUI) attribute as defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. General RADIUS accounting Enable this option to have the controller generate a RADIUS START/STOP and interim request for each user. The controller respects the RADIUS interim-update-interval attribute if present inside the RADIUS access accept of the authentication. Called-Station-ID content (Only available when Access control is disabled under Global) Select the value that the AP (with which the user has established a wireless connection) will return as the called station ID. 10-18 Port 1: MAC address of the first Ethernet port on the AP. Port 2: MAC address of the second Ethernet port on the AP. (Not supported on all APs.) Wireless Radio: MAC address of the wireless radio on the AP on which this VSC is operating. BSSID: Basic service set ID of the wireless network defined for this VSC. macaddress:ssid: The MAC address of the AP radio, followed by a colon, followed by the SSID configured on this VSC. User authentication, accounts, and addressing MAC-based authentication Configuring MAC-based authentication on an MSM317 switch port If a switch port on the MSM317 is not bound to a VSC, then MAC-based authentication can be enabled on it. Select Controlled APs > [MSM317-AP] >> Configuration > Switch ports > [switch-port] in the management tool. MAC authentication tasks are handled by the MSM317. The MSM317 uses the services of a third-party RADIUS server (configured by defining a RADIUS profile on the Controller >> Authentication > RADIUS profiles page) to validate user login credentials. Configuring MAC-based filters on a VSC The Wireless MAC filter option enables you to control access to the wireless network based on the MAC address of a wireless device. You can either block access or allow access, depending on your requirements. This feature is configured on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4). Note When both this option and the MAC-based authentication option are enabled, MAC filtering occurs first. Address list Contains the list of MAC addresses that are checked when filtering is enabled. Up to 64 MAC addresses can be defined per VSC. MAC address Specify the MAC address as six pairs of hexadecimal digits separated by colons. For example: 00:00:00:0a:0f:01. 10-19 User authentication, accounts, and addressing MAC-based authentication Filter behavior Allow: Only devices whose MAC addresses appear in the Address list can connect to the wireless network. Block: Devices whose MAC addresses appear in the Address list are blocked from accessing the wireless network. Configuring MAC-based filters on an MSM317 switch port This option lets you control port access based on client station MAC addresses. Addresses are checked against one or more lists stored on the controller. If the MAC address of a connected device appears in any configured list, then the device is permitted to send and receive traffic on the port. To configure MAC-based filters on an MSM317 switch port, do the following: 1. Open the management tool on the MSM7xx Controller. 2. Select Controller >> Authentication > MAC lists. 3. Select Add New MAC List. The Add/Edit MAC list page opens. Each entry in the MAC list contains a MAC address and its associated mask. By varying the mask, an entry can be defined to match a single address or a range of addresses. 4. Under Global, specify a name to identify the MAC address list. 10-20 User authentication, accounts, and addressing MAC-based authentication 5. Under MAC list, specify the MAC address and mask that you want to match, then select Add. For example: The following definition matches a single MAC address: MAC address = 00:03:52:07:2B:43 Mask = FF:FF:FF:FF:FF:FF By changing the last digit of the mask, the definition now matches a range of MAC addresses from 00:03:52:07:2B:40 to 00:03:52:07:2B:4F: MAC address = 00:03:52:07:2B:43 Mask = FF:FF:FF:FF:FF:F0 The following definition matches all the devices with the MAC prefix (OUI) of 00:03:52: MAC address = 00:03:52:00:00:00 Mask = FF:FF:FF:00:00:00 6. Repeat step 5 until you have defined all needed entries. 7. Select Save. 8. Select Controlled APs > [MSM317-AP] >> Configuration > Switch ports > [switchport] in the management tool. 9. Select the MAC filter checkbox. 10. Select the MAC filter checkbox. 11. Under Available MAC lists, select each MAC list you want to use and select the right arrow icon. 12. Select Save. 10-21 User authentication, accounts, and addressing HTML-based authentication HTML-based authentication HTML-based authentication is used with the public/guest access feature described in Chapter 14: Public/guest network access. It enables users to login to the public access interface using a standard Web browser. HTML-based authentication has the following properties: Authentication is handled by the controller. Settings are defined on a per-VSC basis. Can only be used on access-controlled VSCs. Configured using the Add/Edit Virtual Service Community configuration page in the management tool. User credentials can be validated using: Local user accounts on the controller External RADIUS server Active Directory See Configuring global access control options on page 14-8 for more configuration settings that affect HTML-based users. Note The global MAC-based authentication feature only applies on VSCs that have HTML-based user logins enabled. Configuring HTML-based authentication on a VSC Each VSC can have unique settings for HTML-based user logins. These settings are defined on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4). When the Use controller for Authentication option is enabled under General, HTMLbased user login options can be defined. 10-22 User authentication, accounts, and addressing HTML-based authentication Authentication If both the Local and Remote options are active, the controller first checks the local user accounts (defined on the Controller >> Users > User accounts page). If the user does not appear in the list, then the controller queries the remote server (Active Directory or RADIUS). Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page. Remote Active Directory: User logins are authenticated via Active Directory. To setup Active Directory support go to the Controller >> Security > Active Directory page. RADIUS: User logins are authenticated via an external RADIUS server. To setup the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page. Request RADIUS CUI: Enable this option to support the Chargeable User Identity (CUI) attribute as defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. Authentication timeout: Specify length of time (in seconds) that the controller will wait for the RADIUS server to respond to authentication requests. If the RADIUS server does not respond within this time period logins are refused. General RADIUS accounting: Enable this option to have the controller generate a RADIUS START/STOP and interim request for each user. The controller respects the RADIUS interim-update-interval attribute if present inside the RADIUS access accept of the authentication. 10-23 User authentication, accounts, and addressing VPN-based authentication VPN-based authentication VPN-based authentication can be used to provide secure access for client stations on VSCs that do not have encryption enabled. VPN-based authentication has the following properties: Authentication is managed by the controller. Applies to wireless and wired users. Settings are defined on a per-VSC basis. Can only be used on access-controlled VSCs. Configured using the Add/Edit Virtual Service Community configuration page in the management tool. User credentials can be validated using: Local user accounts on the controller External RADIUS server Active Directory If you enable this option for a VSC, all wireless users on the VSC must establish a VPN connection. No other authentication methods (HTML, MAC, 802.1X) can be used on the VSC. When users configure their VPN software, they must specify the controller’s LAN port address as the address of the VPN server. To use this option, one or more of the following VPN features must be enabled and configured on the Controller >> VPN menu: L2TP server, PPTP server, or IPSec. Once this is done, VPN support can be enabled on a per-VSC basis and users can connect to any active VPN server. On the MSM760 and MSM765 a maximum of 50 user sessions are supported across all VSCs. On the MSM710 the limit is 10 sessions. Configuring VPN-based authentication on a VSC Each VSC can have unique settings for VPN-based user logins. These settings are defined on the VSC profile page. (To open this page, see Viewing and editing VSC profiles on page 5-4). 10-24 User authentication, accounts, and addressing VPN-based authentication When the Use controller for Authentication and Access control options are enabled under General, VPN-based user login options can be defined. Authentication Local User logins are authenticated with the list defined on the Controller >> Users > User accounts page. Remote Active Directory: User logins are authenticated via Active Directory. To setup Active Directory support go to the Controller >> Security > Active Directory page. RADIUS: User logins are authenticated via an external RADIUS server. To setup the connection to an external RADIUS server, go to the Controller >> Authentication > RADIUS profiles page. Request RADIUS CUI: Enable this option to support the Chargeable User Identity (CUI) attribute as defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. General RADIUS accounting: Enable this option to have the controller generate a RADIUS START/STOP and interim request for each user. The controller respects the RADIUS interim-update-interval attribute if present inside the RADIUS access accept of the authentication. 10-25 User authentication, accounts, and addressing No authentication No authentication For applications where a remote device performs all authentication functions, it can be useful to disable authentication on the controller and instead, forward all traffic on a VSC into an egress GRE tunnel or egress VLAN for authentication by the remote device. Note Because the controller routes traffic to the VSC egress, L2 information from the user is lost and only L3 information is available to the remote authentication device. Locally-defined user accounts The controller provides support for locally-defined user accounts with a wide range of customizable options. Locally-defined user accounts use the integrated RADIUS server. Configuration of these accounts is done using the options on the Controller >> Users menu, which includes the following configuration pages: User accounts, Account profiles, Subscription plans, and Session persistence. Each user account: Obtains account properties from one or more account profiles. Obtains account durations from one or more subscription plans. Is restricted for use with one or more VSCs. Features Access control Two types of local user accounts are available: access-controlled and not access-controlled. Access-controlled accounts must be used with a VSC that is configured to provide access control. Non-access-controlled accounts must be used with a VSC that is not configured to provide access control. These accounts are used to handle authentication directly at the AP and cannot make use of the access control capabilities of the controller (the controller must not be in the traffic data path). Validity and subscription plans Each user account can be associated with a subscription plan that defines: 10-26 The time period during which the account is available. The total amount of time a user can be online when logged in with the account. User authentication, accounts, and addressing Locally-defined user accounts VSC usage User accounts can be restricted to specific VSCs. if a the specified VSC is not available, then the user will not be able to connect with the account. Account profiles An account profile is used to define a specific set of features for a user account. Multiple account profiles can be applied to a user account allowing the feature sets of each profile to be added to the account. Note Each profile that is applied to a user account must have a unique feature set. The same feature cannot be present in two different profiles. About the Default AC profile The Default AC profile is defined by default, and is always applied to all access-controlled user accounts. You can view the settings for the Default AC profile by selecting it in the profile list. However, you cannot edit any of its settings directly. All settings for this profile are defined by setting attributes on the Controller >> Public access > Attributes page. Supported attributes The Public access > Attributes page allows a wide variety of attributes to be defined. However, only attributes that pertain to user configuration are applied to the Default AC profile. This includes the following attributes: Attribute For more info see default-user-use-access-list Access list on page 15-34. default-user-welcome-url Default user URLs on page 15-55. default-user-goodbye-url Default user URLs on page 15-55. default-user-one-to-one-nat Default user one-to-one NAT on page 15-53. default-user-idle-timeout Default user idle timeout on page 15-52. default-user-session-timeout Default user session timeout on page 15-54. default-user-acct-interim-update Default user interim accounting update interval on page 15-51. default-user-max-output-packets Default user quotas on page 15-52. default-user-max-input-packets Default user quotas on page 15-52. default-user-max-total-packets Default user quotas on page 15-52. default-user-max-output-octets Default user quotas on page 15-52. default-user-max-input-octets Default user quotas on page 15-52. default-user-max-total-octets Default user quotas on page 15-52. default-user-max-input-rate Default user data rates on page 15-53. 10-27 User authentication, accounts, and addressing Locally-defined user accounts Attribute For more info see default-user-max-output-rate Default user data rates on page 15-53. default-user-bandwidth-level Default user bandwidth level on page 15-51. default-user-use-public-ip-subnet Default user bandwidth level on page 15-51 Example This example illustrates how to indirectly customize the Default AC profile by defining several attributes, and shows how these settings are then reflected in a the Default AC profile and the user account. The following sample page shows several attributes defined on the Public access > Attributes page under Configured attributes. The two of interest for this example are highlighted below. 10-28 User authentication, accounts, and addressing Locally-defined user accounts These two attributes appear in the Default AC profile under Session time attributes: 10-29 User authentication, accounts, and addressing Locally-defined user accounts And the attributes appear in access-controlled user accounts under Effective attributes: Defining a user account 1. Select Controller >> Users > User accounts. The User accounts page opens. It presents a list of all defined user accounts. Initially this list is empty. 10-30 User authentication, accounts, and addressing Locally-defined user accounts 2. Select Add New Account. The Add/Edit user account page opens. 10-31 User authentication, accounts, and addressing Locally-defined user accounts If you disable the Access-controlled account option, the page will look like this: 3. Configure account options as described in the online help. Defining account profiles 1. Select Controller >> Users > Account profiles. The Account profiles page opens. It presents a list of all defined profiles. Initially this list will contain the profile Default AC. 10-32 User authentication, accounts, and addressing Locally-defined user accounts 2. Select Add New Profile. The Add/Edit account profile page opens. 10-33 User authentication, accounts, and addressing Locally-defined user accounts If you disable the Access-controlled account option, the page will look like this: 3. Configure profile options as described in the online help. 10-34 User authentication, accounts, and addressing Locally-defined user accounts Defining subscription plans 1. Select Controller >> Users > Subscription plans. The Subscription plans page opens. It presents a list of all defined subscription plans. 2. Select Add New Plan. The Add/Edit subscription plan page opens. 3. Configure plan options as described in the online help. 10-35 User authentication, accounts, and addressing User addressing and related features Public IP address This feature enables a public IP address to be assigned to any client station. This makes the client station address visible to devices on the external network, allowing external devices to create connections with the client station. For more information, see Public IP address on page 3-10. Accounting persistence Enable this option to have the controller save accounting information to its internal flash memory so that can be recovered in case of abnormal system shutdown. Restarting the controller via its management tool (Controller >> Maintenance > System) saves before restarting. The minimum save time is 30 minutes. User addressing and related features The controller provides a number of features related to user addressing, including: 10-36 Feature Description For more information, see ... DHCP server Enables the controller to dynamically assign IP addresses to users. DHCP server on page 3-14 Fixed leases The controller assigns the same IP addresses to specific users each time they connect. Fixed leases on page 3-15 DHCP relay The controller to users a third-party DHCP server to dynamically assign IP addresses to users. DHCP relay agent on page 3-16 Static IP address support Allows users with a static IP address to connect to the network even if the user’s address is on a different subnet than the controller or AP. Support users that have a static IP address on page 14-11 User authentication, accounts, and addressing User addressing and related features Feature Description For more information, see ... NAT Hides the IP addresses of all users on the protected network from the public network. Network address translation (NAT) on page 3-30 Extend Internet port subnet to LAN port Enables a third-party DHCP server to assign an IP address to users that makes them visible on the controller’s Internet port. Extend Internet port subnet to LAN port on page 3-18 VPN one-to-one NAT Assigns a unique IP address to each IPSec VPN one-to-one NAT or PPTP VPN connection made by a user to on page 3-9 a remote server via the Internet port. Public IP address Assigns an IP address to users that makes them visible on the controller’s Internet port. Public IP address on page 3-10 10-37 User authentication, accounts, and addressing User addressing and related features 10-38 Chapter 11: Authentication services 11 Authentication services Contents Introduction ................................................................................................................11-2 Using the integrated RADIUS server .......................................................................11-2 Server configuration............................................................................................11-3 User account configuration................................................................................11-5 Using a third-party RADIUS server ..........................................................................11-5 Configuring a RADIUS server profile on the controller .................................11-6 Using an Active Directory server ...........................................................................11-10 Active Directory configuration ........................................................................11-11 Configuring an Active Directory group...........................................................11-13 Configuring a VSC to use Active Directory ....................................................11-16 Authentication services Introduction Introduction This chapter explains how to configure the different authentication services that the controller can use to authenticate user logins and administrator logins. The following table summarizes the services that are available and what they can be used for. Service Description For details, see ... Integrated RADIUS server User authentication via the local user Using the integrated RADIUS lists. server on page 11-2 Third-party RADIUS server User authentication via accounts on a Using a third-party RADIUS server on page 11-5 third-party RADIUS server. Administrator authentication via accounts on a third-party RADIUS server. Active Directory User authentication via an Active Directory server. Using an Active Directory server on page 11-10 All authentication services support the following authentication types: Service For details, see ... 802.1X (VSC) 802.1X authentication on page 10-8 MAC-based (Global) MAC-based authentication on page 10-14 MAC-based (VSC) MAC-based authentication on page 10-14 HTML-based HTML-based authentication on page 10-22 VPN-based VPN-based authentication on page 10-24 When configuring 802.1X or MAC-based authentication on an MSM317 switch port, authentication services must be provided by a third-party RADIUS server. (For more information on each authentication type, see Configuring 802.1X support on an MSM317 switch port on page 10-14 and Configuring MAC-based authentication on an MSM317 switch port on page 10-19.) Using the integrated RADIUS server The internal RADIUS server is not intended as a replacement for the high-end/highperformance RADIUS server required for large scale deployments. Rather, it is offered as a cost-effective solution for managing user authentication for small hotspots or enterprise networks. 11-2 Authentication services Using the integrated RADIUS server Primary features Provides termination of 802.1X sessions at the controller for clients using WPA/WPA2 with EAP-PEAP, EAP-TLS and EAP-TTLS. Support for other EAP protocols is available using proxy mode. Provides MAC-based authentication of wireless users connected to both controlled and autonomous APs. Can be used to validate login credentials for HTML-based users. All locally defined user account options (user accounts, account profiles, and subscription plans) presented on the Controller >> Users menu are handled by the internal RADIUS server. Allows RADIUS accounting data to be sent to an external RADIUS server. (The internal RADIUS server does not provide support for accounting.) Local user accounts and account profiles have been designed to match the same functionality and support as can be provided by an external RADIUS server. Most of the AVPairs supported on an external RADIUS server are also supported by the integrated RADIUS server. Server configuration Configuration of the integrated RADIUS server is done using the Controller >> Authentication > RADIUS server page. In most cases, the default settings on this page will not need to be changed. 11-3 Authentication services Using the integrated RADIUS server Configuration parameters RADIUS server Detect SSID from NAS-Id Enable this option when working with third-party APs to permit the controller to retrieve the SSID assigned to the AP, and therefore assign user traffic to the appropriate VSC. For this to work, the AP must be configured to send its SSID as the NAS ID in all authentication and accounting requests. See Working with third-party autonomous APs on page 19-6. Number of accounting sessions Specify the maximum number of sessions for which the controller will track accounting information. Maximum accounting sessions Specify the maximum number of accounting sessions that the controller supports. Authentication UDP port Indicates the port the controller uses for authentication. This port is always set to the standard value of 1812. Accounting UDP port Indicates the port the controller uses for accounting. This port is always set to the standard value of 1813. Server authentication support Select the authentication protocols that the internal RADIUS server will support: PAP: This protocol must be enabled if any VSCs are configured to use MAC-based authentication or HTML authentication. EAP-TTLS EAP-PEAP EAP-TLS RADIUS authorization Note Applies to autonomous and third-party APs. Requests from controlled APs are always accepted because they use the management tunnel. Enable this option to restrict access to the RADIUS server. The RADIUS server will only respond to requests from RADIUS clients that appear in the list, or that match the default shared secret, as described below. IP address Specify the IP address of the RADIUS client. Mask Specify the network mask. 11-4 Authentication services Using a third-party RADIUS server Shared secret Specify the secret (password) that RADIUS client must use to communicate with the RADIUS server. Default shared secret Note Applies to autonomous APs only. Requests from controlled APs are always accepted because they use the management tunnel. Enable this option to set a shared secret to safeguard communications between the internal RADIUS server and clients not in the RADIUS authorization list. Shared secret/Confirm shared secret Specify the secret (password) that controller will use when communicating with RADIUS clients that do not appear in the RADIUS authorization list. The shared secret must match on both the clients and the controller. User account configuration User accounts for the internal RADIUS server are defined using the Controller >> Users menu. See Chapter 10: User authentication, accounts, and addressing. Using a third-party RADIUS server A third-party RADIUS server can be used to perform a number of authentication and configuration tasks, as shown in the following table. Task For more information, see ... Validating administrative user credentials Administrative user authentication on page 2-4. Validating user credentials for 802.1X, MAC, and HTML authentication types Wireless protection on page 5-23. HTML-based user logins on page 5-27. MAC-based authentication on page 5-28. Storing custom configuration settings for the public access interface Chapter 15: Working with RADIUS attributes. Storing custom configuration settings for each user Storing accounting information for each user 11-5 Authentication services Using a third-party RADIUS server The following authetication types can make use of an external third-party RADIUS server: Service For details, see ... 802.1X (VSC) 802.1X authentication on page 10-8 MAC-based (Global) MAC-based authentication on page 10-14 MAC-based (VSC) MAC-based authentication on page 10-14 HTML-based HTML-based authentication on page 10-22 VPN-based VPN-based authentication on page 10-24 Configuring a RADIUS server profile on the controller The controller enables you to define a maximum of 16 RADIUS profiles. Each profile defines the settings for a RADIUS client connection. To support a client connection, you must create a client account on the RADIUS server. The settings for this account must match the profile settings you define on the controller. For backup redundancy, each profile supports a primary and secondary server. The controller can function with any RADIUS server that supports RFC 2865 and RFC 2866. Authentication occurs via authentication types such as: EAP-MD5, CHAP, MSCHAP v1/v2, PAP, EAP-TLS, EAP-TTLS, EAP-PEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC. Caution To safeguard the integrity of RADIUS traffic it is important that you protect communications between the controller and the RADIUS server. The controller lets you use PPTP or IPSec to create a secure tunnel to the RADIUS server. For complete instructions on how to accomplish this, see Securing wireless client sessions with VPNs on page 16-3. Note If you change a RADIUS profile to connect to a different server while users are active, all RADIUS traffic for active user sessions is immediately sent to the new server. Configuration procedure 1. Select Controller >> Authentication > RADIUS profiles. The RADIUS profiles page opens. 11-6 Authentication services Using a third-party RADIUS server 2. Select Add New Profile. The Add/Edit RADIUS Profile page opens. 3. Configure the profile settings as described in the following section. 4. Select Save. Configuration parameters Profile name Specify a name to identify the profile. Settings Authentication port: Specify a port on the RADIUS server to use for authentication. By default RADIUS servers use port 1812. Accounting port: Specify a port on the RADIUS server to use for accounting. By default RADIUS servers use port 1813. Retry interval: Specify the number of seconds that the controller waits before access and accounting requests time out. If the controller does not receive a reply within this interval, the controller switches between the primary and secondary 11-7 Authentication services Using a third-party RADIUS server RADIUS servers, if a secondary server is defined. A reply that is received after the retry interval expires is ignored. Retry interval applies to access and accounting requests that are generated by the following: Manager or operator access to the management tool User authentication by way of HTML MAC-based authentication of devices Authentication of the controller Authentication of the controlled AP. You can determine the maximum number of retries as follows: HTML-based logins: Calculate the number of retries by taking the setting for the HTML-based logins Authentication Timeout parameter and dividing it by the value of this parameter. Default settings result in 4 retries (40 / 10). MAC-based and controller authentication: Number of retries is infinite. 802.1X authentication: Retries are controlled by the 802.1X client software. Authentication method: Select the default authentication method that the controller uses when exchanging authentication packets with the RADIUS server defined for this profile. For 802.1X users, the authentication method is always determined by the 802.1X client software and is not controlled by this setting. If traffic between the controller and the RADIUS server is not protected by a VPN, it is recommended that you use either EAP-MD5 or MSCHAP V2 (if supported by your RADIUS Server). PAP and MSCHAP V1 are less secure protocols. NAS ID: Specify the identifier for the network access server that you want to use for the controller. By default the serial number of the controller is used. The controller includes the NAS-ID attribute in all packets that it sends to the RADIUS server. Always try primary server first: Enable this option if you want to force the controller to contact the primary server first. Otherwise, the controller sends the first RADIUS access request to the last known RADIUS server that replied to any previous RADIUS access request. If the request times out, the next request is sent to the other RADIUS server if defined. For example, assume that the primary RADIUS server was not reachable and that the secondary server responded to the last RADIUS access request. When a new authentication request is received, the controller sends the first RADIUS access request to the secondary RADIUS server. If the secondary RADIUS server does not reply, the controller retransmits the RADIUS access request to the primary RADIUS server. When two servers are configured, the controller always alternates between the two. 11-8 Authentication services Using a third-party RADIUS server Primary/Secondary RADIUS server Server address: Specify the IP address or fully-qualified domain name of the RADIUS server. Secret/Confirm secret: Specify the password for the controller to use to communicate with the RADIUS server. The shared secret is used to authenticate all packets exchanged with the server, proving that the packets originate from a valid/ trusted source. Authentication realms When authentication realms are enabled for a profile, selection of the RADIUS server to use for authentication is based on the realm name, rather than the RADIUS profile name configured. This applies to any VSC authentication setting that uses the profile. Realm names are extracted from user names as follows: if the username is person1@mydomain.com then mydomain.com is the realm. The authentication request is sent to the RADIUS profile with the realm name mydomain.com. The username sent for authentication is still the complete person1@mydomain.com. For added flexibility, regular expressions can be used in realm names, enabling a single realm name to match many users. For example, if a realm name is defined with the regular expression ^per.* then all usernames beginning with per followed by any number of characters will match. The following usernames would all match: per123.biz per321.lan per1 Important Realms names are not case-sensitive and can be a maximum of 64 characters long. You can define a maximum of 200 realms across all RADIUS profiles. There is no limit to the number of realms that you can define for each RADIUS profile. Each RADIUS profile can be associated with one or more realms. However, a realm cannot be associated with more than one profile. A realm overrides the authentication RADIUS server only. The server used for accounting is not affected. When realm configuration is changed in any way, all active user sessions are terminated. 11-9 Authentication services Using an Active Directory server Support for regular expressions in realm names Standard regular expressions can be used in realm names. For example: Expression Matches mycompany[1-3].com mycompany1.com mycompany2.com mycompany3.com .*mycompany.com Matches mycompany.com with any number of characters in front of it. For example: headoffice.mycompany.com or server-mycompany.com. .*\.mycompany.com Matches with any number of characters in front of it. For example: headoffice.mycompany.com or server.mycompany.com, but not server-mycompany.com. Using an Active Directory server Active Directory is the Windows service that is used by many organizations for user authentication. The controller can communicate with an Active Directory server to authenticate user login credentials and retrieve configurations settings (attributes) that are applied to a user’s session. An active directory server can be used to support the following authentication types: Service For details, see ... 802.1X (VSC) 802.1X authentication on page 10-8 MAC-based (Global) MAC-based authentication on page 10-14 MAC-based (VSC) MAC-based authentication on page 10-14 HTML-based HTML-based authentication on page 10-22 VPN-based VPN-based authentication on page 10-24 Supported protocols 11-10 EAP-PEAP EAP-TLS EAP-TTLS: Requires that client stations are configured to use MS-CHAP or MS-CHAP-V2. Authentication services Using an Active Directory server Active Directory configuration To configure active directory support, select Controller >> Authentication > Active Directory. Note It is important that the system time on the controller is accurate when an Active Directory server is being used. To set the time select Controller >> Management > System time. Active directory settings General Device name Specify a name that identifies the controller to Active Directory. The controller uses this name to connect to the active directory server, just like any standard active directory client does. Windows domain Specify the Windows domain to which the controller belongs. The controller must be part of a Windows domain (mydomain.com, for example) to authenticate users that belong to that domain. Check Active Directory access with attribute Enable this option to have the controller only accept users with a specific setting in their account. Use Active Directory remote access permission: Use the standard attribute defined in Active Directory for remote access (MsNPAllowDIalin). If this attribute is set, then the user can be authenticated via Active Directory. 11-11 Authentication services Using an Active Directory server Use LDAP attribute: For non-standard implementation of Active Directory, set this according to the equivalent setting on the Active Directory server. Join Before the controller can process user authentication using Active Directory, you must join the controller with the Active Directory server. Fill in the required parameters and select Join Realm Now. This is usually a one-time event. Username Username the controller will use to join Active Directory. Password Password the controller will use to join Active Directory. Note For security reasons, Username and Password are not stored on the controller. Join Realm Now Select to join the realm immediately. Status Shows the status of the join operation as follows: Unknown: System is processing, no status to report. Refresh the page to update the status. DNS unavailable: DNS not working, cannot access Active Directory. Missing Config: No configuration, so join cannot proceed. Never Joined: Administrator never selected Join Realm Now. Not joined: Not joined: May be joined with the domain, but the join is not confirmed yet. Status will change to Joined once confirmed. If the Not Joined status persists, check connectivity between the controller and Active Directory or re-join. Joined: Active Directory reports that controller successfully joined. Active Directory groups attributes Displays all Active Directory groups that are defined on the controller. These groups are used to assign attributes to a user once they have been authenticated by Active Directory. Note Group names on the controller must be identical to existing Active Directory Organizational Units configured on the Active Directory Server. Once a user is authenticated by Active Directory, the controller retrieves the names of all the active directory groups of which the user is a member. 11-12 If the user is a member of only one Active Directory group, and that group name appears in the list, the controller applies the attributes from that group. If the user is a member of more than one Active Directory group, the controller applies the attributes from the matching group name with the highest priority (highest in the list). Authentication services Using an Active Directory server Note If no match is found, the attributes defined for one of the default groups are applied as follows: If the VSC the user logged in on is access-controlled then the Default AC Active Directory group is used. If the VSC the user logged in on is not access-controlled then the Default non AC Active Directory group is used. The default groups are disabled by default. You need to enable them before they can be used. Add New Group Select to add a new group. See Configuring an Active Directory group on page 11-13. Save Priority Settings After using the up/down arrows to change the priority of groups, save your changes by selecting this button. Configuring an Active Directory group An active directory group defines the characteristics of a user session. To make group configuration easy, account profiles (Account profiles on page 10-27) can be applied to set group attributes. 11-13 Authentication services Using an Active Directory server Configuration parameters General Group name Specify a name to identify the group. This name must match an existing Active Directory Organizational Unit configured on the Active Directory Server. Active Enable this option to activate the group. The group cannot be used until it is active. Access-controlled group Determines whether the group is access-controlled or not. Access-controlled groups can only be used to log in on VSCs that are accesscontrolled. Non access-controlled groups can only be used to log in on VSCs that are not accesscontrolled. VSC usage Enable this option to restrict this group to one or more VSCs. If the selected VSCs are not defined on an AP, users will not be able to log in on this account. The Available VSCs list shows all defined VSCs that you can select from. To move VSCs between the two lists: Double-click the profile you want to move. Or, select the profile you want to move and then select the left or right arrow. Account profiles Enable this option to set the attributes of this group using one or more account profiles. The Available profiles list shows all defined profiles that you can select from. To add a new profile, open the Controller >> Users > Account profiles page. To move profiles between the two lists, double-click the profile you want to move, or select the profile you want to move and then select the left or right arrow. Effective attributes This list shows all attributes that are active for this Active Directory group. Each time you add an account profile for use by this group, all attributes configured in the profile are added to the Effective attributes list. Note 11-14 Each profile that is applied to a group must have a unique set of attributes. The same attribute cannot be present in two different account profiles. Authentication services Using an Active Directory server About the Default AC profile The Default AC profile is always present and is always applied to all Active Directory groups. You can use this profile to add additional attributes that are not configurable in an account profile. Instead, these attributes are configured on the Controller >> Public access > Attributes page. Once added there, they will automatically appear in the Effective attributes list. The following attributes can be added using this method: Attribute For information, see default-user-use-access-list Access list on page 15-34 default-user-welcome-url Default user URLs on page 15-55. default-user-goodbye-url Default user URLs on page 15-55. default-user-one-to-one-nat Default user one-to-one NAT on page 15-53. default-user-idle-timeout Default user idle timeout on page 15-52. default-user-session-timeout Default user session timeout on page 15-54. default-user-acct-interim-update Default user interim accounting update interval on page 15-51. default-user-max-output-packets Default user quotas on page 15-52. default-user-max-input-packets Default user quotas on page 15-52. default-user-max-total-packets Default user quotas on page 15-52. default-user-max-output-octets Default user quotas on page 15-52. default-user-max-input-octets Default user quotas on page 15-52. default-user-max-total-octets Default user quotas on page 15-52. default-user-max-input-rate Default user data rates on page 15-53. default-user-max-output-rate Default user data rates on page 15-53 default-user-bandwidth-level Default user bandwidth level on page 15-51. default-user-use-public-ip-subnet Default user public IP address on page 15-54. 11-15 Authentication services Using an Active Directory server Configuring a VSC to use Active Directory Any VSC feature that can be configured to support remote authentication can be configured to use Active Directory. For example, with HTML logins. 11-16 Chapter 12: Security 12 Security Contents Firewall........................................................................................................................12-2 Firewall presets ...................................................................................................12-2 Firewall configuration ........................................................................................12-4 Customizing the firewall.....................................................................................12-4 Working with certificates ..........................................................................................12-5 Trusted CA certificate store ...............................................................................12-5 Certificate and private key store .......................................................................12-7 Certificate usage ..................................................................................................12-9 About certificate warnings ...............................................................................12-10 IPSec certificates ...............................................................................................12-11 MAC lockout .............................................................................................................12-13 Security Firewall Firewall To safeguard your network from intruders, the controller features a customizable stateful firewall. The firewall operates on the traffic streaming through the Internet port. It can be used to control both incoming and outgoing data. A number of predefined firewall rules let you achieve the security level you need without going to the trouble of designing your own rules. However, you can create a completely custom set of firewall rules to suit your particular networking requirements, if necessary. If the controller is connected to a wired LAN, the firewall protects the wired LAN as well. Integrated firewall AP AP Hacker telnet ftp PU BLIC WL A N PU BLIC WL A N syn attack Controller Ethernet LAN broadband modem Firewall presets The easiest way to use the firewall is to use one of the preset settings. Two levels of security are provided: 12-2 High: Permits all outgoing traffic, except NetBIOS (TCP and UDP). Blocks all externally initiated connections. Low: Permits all incoming and outgoing traffic, except for NetBIOS traffic. Use this option if you require active FTP sessions. Security Firewall The following tables indicate how some common applications are affected by the preset firewall settings. Outgoing traffic Firewall setting Application Low High FTP (passive mode) Passed FTP (active mode) Passed Web (HTTP, HTTPS) Passed SNMP Passed Telnet Passed Windows networking Blocked ping Passed PPTP from client station to remote server Passed NetMeeting (make call) Passed IPSec pass-through Passed NetBIOS Blocked Incoming traffic Firewall setting Application Low High FTP (passive mode) Passed Blocked FTP (active mode) Passed Blocked Web (HTTPS) Passed Blocked Web (HTTP) Passed Blocked Telnet Passed Blocked Windows networking Passed Blocked PPTP from remote client to a server on the local network Passed Blocked ping client on local network Passed Blocked IPSec pass-through Passed Blocked NetBIOS Passed Blocked NetMeeting (receive call) Passed Blocked 12-3 Security Firewall Firewall configuration To configure a firewall, select Controller >> Security > Firewall. The Firewall configuration page opens. Select Preset firewall to use a preconfigured firewall setting of High or Low. Select View to see the firewall rules for the selected setting. Select Custom firewall if you have specific security requirements. This setting enables you to target specific protocols or ports. Customizing the firewall To customize the firewall, you define one or more rules. A rule lets you target a specific type of data traffic. If the controller finds data traffic that matches the rule, the rule is triggered, and the traffic is rejected or accepted by the firewall. To add a rule, select Custom Firewall on page Security > Firewall, select Edit, and then select Add New Rule. 12-4 Security Working with certificates Rules operate on IP datagrams (sometimes called packets). Datagrams are the individual packages of data that travel on an IP network. Each datagram contains addressing and control information along with the data it is transporting. The firewall analyses the addressing and control information to apply the rules you define. The controller applies the firewall rules in the order that they appear in the list. An intelligent mechanism automatically adds the new rules to the list based on their scope. Rules that target a large amount of data are added at the bottom. Rules that target specific datagram attributes are added at the top. Working with certificates The certificate stores provide a repository for managing all certificates (except for those used by IPSec and NOC authentication). To view the certificate stores, select Controller >> Security > Certificate stores. Trusted CA certificate store This list displays all root CA (certificate authority) certificates installed on the controller. The controller uses these CA certificates to validate the certificates supplied by client stations during authentication. Multiple CA certificates can be installed to support validation of clients with certificates issued by different CAs. 12-5 Security Working with certificates The controller uses these certificates to validate certificates supplied by: Managers or operators accessing the controller’s management tool. HTML users accessing the public access interface. SOAP clients communicating with the controller’s SOAP server. RADIUS EAP The following information is presented for each certificate in the list: ID: A sequentially assigned number to help identify certificates with the same common name. Issued to: Name of the certificate holder. Select the name to view the contents of the certificate. Current usage: Lists the services that are currently using this certificate. CRL: Indicates if a certificate revocation list is bound to the certificate. An X.509 certificate revocation list is a document produced by a certificate authority (CA) that provides a list of serial numbers of certificate that have been signed by the CA but that should be rejected. Delete: Select to remove the certificate from the certificate store. Installing a new CA certificate 1. Specify the name of the certificate file or select Browse to choose from a list. CA certificates must be in X.509 or PKCS #7 format. 2. Select Install to install a new CA certificate. CA certificate import formats The import mechanism supports importing the ASN.1 DER encoded X.509 certificate directly or as part of two other formats: PKCS #7 (widely used by Microsoft products) PEM, defined by OpenSSL (popular in the Unix world) The CRL can be imported as an ASN.1 DER encoded X.509 certificate revocation list directly or as part of a PEM file. Content and file format 12-6 Items carried in the file Description ASN.1 DER encoded X.509 certificate One X.509 certificate This is the most basic format supported, the certificate without any envelope. X.509 certificate in PKCS #7 file One X.509 certificate Popular format with Microsoft products. Security Working with certificates Content and file format Items carried in the file Description X.509 certificate in PEM file One or more X.509 certificates Popular format in the Unix world. X.509 DER certificate is base64 encoded and placed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines. Multiple certificates can be repeated in the same file. ASN.1 DER encoded X.509 CRL One X.509 CRL Most basic format supported for CRL. X.509 CRL in PEM file One X.509 CRL Same format as X.509 certificate in PEM format, except that the lines contain BEGIN CRL and END CRL. Default CA certificates The following certificates are installed by default: Note SOAP API Certificate Authority: Before allowing a SOAP client to connect, the controller checks the certificate supplied by a SOAP client to ensure that it is issued by a trusted certificate authority (CA). Dummy Authority: Used by the internal RADIUS server. You should replace this with your own CA certificate. Entrust.net Secure Server Certification Authority: This is the Authorize.Net CA certificate. It is used to support credit card payments via Authorize.Net. Management Console Dummy Authority: Used when the management tool communicates with HP PCM/PMM software. For security reasons, you should replace the default certificates with your own. Certificate and private key store This list displays all certificates installed on the controller. The controller uses these certificates and private keys to authenticate itself to peers. Items provided in this list are as follows: ID A sequentially assigned number to help identify certificates with the same common name. Issued to Name of the certificate holder. Select the name to view the contents of the certificate. 12-7 Security Working with certificates Issued by Name of the CA that issued the certificate. Current usage Lists the services that are currently using this certificate. Delete Select to remove the certificate from the certificate store. Installing a new private key/public key certificate chain pair Note RADIUS EAP certificates must have the X.509 extensions. Information about this is available in the Microsoft knowledgebase at: http://support.microsoft.com/kb/814394/en-us The certificate you install must: Be in PKCS #12 format. Contain a private key (a password controls access to the private key). Not have a name that is an IP address. The name should be a domain name containing at least one dot. If you try to add a certificate with an invalid name, the default certificate is restored. The common name in the certificate is automatically assigned as the domain name of the controller. 1. Specify the name of the certificate file or select Browse to choose one from a list. Certificates must be in PKCS #7 format. 2. Specify the PKCS #12 password. 3. Select Install to install the certificate. Default installed private key/public key certificate chains The following private key/public key certificate chains are installed by default: 12-8 wireless.hp.internal: Default certificate used by the management tool, SOAP server, and HTML-based authentication. Dummy Server Certificate: Used by the internal RADIUS server. This certificate is present only to allow EAP-PEAP to work if the client chooses not to verify the server's certificate. You should replace this with your own certificate for maximum security. Management Default client certificate: This certificate is used to identify the management tool when it communicates with HP PCM/PMM software. Security Working with certificates Note When a Web browser connects to the controller using SSL/TLS, the controller sends only its own X.509 certificate to the browser. This means that if the certificate has been signed by an intermediate certificate authority, and if the Web browser only knows about the root certificate authority that signed the public key certificate of the intermediate certificate authority, the Web browser does not get the whole certificate chain it needs to validate the identity of the controller. Consequently, the Web browser issues security warnings. To avoid this problem, make sure that you install the entire certificate chain when you install a new certificate on the controller. Note An SNMP notification is sent to let you know when the controller SSL certificate is about to expire if you enable the Notifications option on the Controller >> Management > SNMP page and then select Configure Notifications and enable the Certificate about to expire notification under Maintenance. Certificate usage To see the services that are associated with each certificate, select Security > Certificate usage. With the factory default certificates installed, the page will look like this: Service Name of the service that is using the certificate. To view detailed information on the certificate select the service name. Authenticate to peer using Name of the certificate and private key. The controller is able to prove that it has the private key corresponding to the public key in the certificate. This is what establishes the controller as a legitimate user of the certificate. Number of associated CAs Number of CA certificates used by the service. 12-9 Security Working with certificates Changing the certificate assigned to a service. Select the service name to open the Certificate details page. For example, if you select Web management tool, you will see: Under Authentication to the peer, select a new Local certificate and then select Save. About certificate warnings Access to the management tool and the public access interface Login page occur through a secure connection (SSL/TLS). An X.509 certificate is used to validate this connection. The default X.509 certificate installed on the controller for SSL/TLS for access to the management tool and the public access interface is not registered with a certificate authority. It is a selfsigned certificate that is attached to the default IP address (192.168.1.1) for the controller’s LAN port. As a result, certificate warnings will appear at login until you install a valid, trusted certificate on the controller. The host name in the currently installed SSL certificate is automatically assigned as the domain name of the controller. You do not have to add this name to your DNS server for it to be resolved. The controller intercepts all DNS requests it receives on the wireless or LAN ports. It resolves any request that matches the certificate host name by returning the IP address assigned to the wireless port. All other DNS requests are forwarded to the appropriate DNS servers as configured on the Network > DNS page. This means that once a valid, trusted certificate is installed on the controller, users will no longer see a certificate warning message when logging in. 12-10 Security Working with certificates IPSec certificates IPSec certificates are managed on the lower portion of the Controller >> VPN > IPSec page. IPSec — Trusted CA certificates The controller uses the CA certificates to validate the certificates supplied by peers during the authentication process. Multiple CA certificates can be installed to support validation of peers with certificates issued by different CAs. Certificate file: Specify the name of the certificate file or select Browse to choose from a list. CA certificates must be in X.509 or PKCS #7 format. Install: Select to install the specified certificate. IPSec — Manage CA certificates Use this box to manage the root CA certificate. Certificate: Select from a list of installed certificates. Remove: Delete the item shown under Certificate. View: Open the item shown under Certificate for viewing. IPSec — Local certificate store This is the certificate that the controller uses to identify itself to IPSec peers. 12-11 Security Working with certificates Note If the local certificate includes a CA certificate, both certificates are installed. Certificate Request Wizard: Helps you to generate a certificate request that can be used to obtain a signed certificate from a certificate authority. Once you obtain the certificate, you can use the Certificate Request Wizard to install it on the controller. Certificate file: Specify the name of the certificate file or select Browse to choose from a list. Password: Specify the certificate password. Install: Select to install the certificate. IPSec — Manage local certificate Use this box to manage the local certificate. Certificate: Shows the common name of the installed certificate. Remove: Delete the item shown under Certificate. View: Open the item shown under Certificate for viewing. IPSec — X.509 certificate revocation list Use this box to update the certificate revocation list (CRL) that is issued by the certificate authority. The controller uses the CRL to determine if the certificates provided by clients during the authentication process have been revoked. The controller will not establish a security association with a client that submits a revoked certificate. The controller can obtain a CRL in two ways: You can manually install it. The controller can automatically install a CRL based on information contained in a client certificate. This occurs only if a CRL is not installed, or if the installed CRL is expired. CRL file: Specify the name of the CRL file or select Browse to choose from a list. Install: Select to install the specified CRL. LDAP server: A client certificate may contain a list of locations where the CRL can automatically be retrieved. This location may be specified as an HTTP URL, FTP URL, LDAP URL, or LDAP directory. If the LDAP URL or directory is incomplete, the controller uses the location you specify to resolve the request. Incomplete HTTP or FTP URLs fail. Port: Port on the LDAP server. Default is 389. IPSec — Manage certificate revocation list Use this box to manage the CRL. 12-12 CRLs: Shows a list of installed certificate revocation lists. Remove: Deletes the item shown under CRLs. View: Opens the item shown under CRLs for viewing. Security MAC lockout MAC lockout This feature lets you to block traffic from client stations based on their MAC address. MAC lockout applies to client stations connected to: Note Wireless ports on controlled APs Wired ports (including switch ports) on controlled APs Local mesh ports on controlled APs The LAN port on the controller MAC lockout does not apply to the Internet port on the controller. Adding a MAC lockout address 1. Select Controller >> Security > MAC lockout. 2. Select Add New MAC Address. 3. Specify the MAC address as six pairs of hexadecimal digits separated by colons. For example: 00:00:00:0a:0f:01. 4. Select Save. 12-13 Security MAC lockout 12-14 Chapter 13: Local mesh 13 Local mesh Contents Key concepts...............................................................................................................13-2 Simultaneous AP and local mesh support........................................................13-2 Using 802.11a/n for local mesh ..........................................................................13-3 Quality of service.................................................................................................13-3 Maximum range (ack timeout) ..........................................................................13-4 Local mesh terminology ............................................................................................13-5 Local mesh operational modes.................................................................................13-6 Node discovery ...........................................................................................................13-6 Operating channel ......................................................................................................13-6 Local mesh profiles ....................................................................................................13-7 Configuration guidelines ....................................................................................13-8 Configuring a local mesh profile .......................................................................13-9 Provisioning local mesh links .................................................................................13-12 Sample local mesh deployments ............................................................................13-15 RF extension ......................................................................................................13-15 Building-to-building connection ......................................................................13-15 Dynamic network ..............................................................................................13-16 Local mesh Key concepts Key concepts The local mesh feature enables you to create wireless links between two or more APs. These links provide a wireless bridge that interconnects the networks connected to the Ethernet port on each AP. The local mesh feature replaces the need for Ethernet cabling between APs, making it easy to extend your network in hard-to-wire locations or in outdoor areas. Key local mesh features include: Note Automatic link establishment: Nodes automatically establish wireless links to create a full-connected network. A dynamic network identifier (local mesh group ID) restricts connectivity to groups of nodes, enabling distinct groups to be created with nodes in the same physical area. Provides fall-back operation to recover from node failure. In a properly designed implementation, redundant paths can be provided. If a node fails, the mesh will automatically reconfigure itself to maintain connectivity. Maintains network integrity when using DFS channels. In accordance with the 802.11h standard, dynamic frequency selection (DFS) detects the presence of certain radar devices on a channel and automatically switches the network node to another channel if such signals are detected. 802.11h is intended to resolve interference issues with military radar systems and medical devices. Depending on the radio regulations of some countries, DFS channels are only available on the 802.11a/n bands, which are the preferred band for local mesh backhaul. If more than one node detects radar simultaneously and must switch channels, each node does not necessarily switch to the same channel, and the network might never reconverge. To avoid this problem, local mesh detects a change in channel and provides a means to reconnect on other channels by scanning on multiple channels. See Operating channel on page 13-6. Simultaneous AP and local mesh support APs can be configured to support both access point and local mesh functionality whether they have a single radio, or multiple radios. Single radio APs A single radio can be configured to simultaneously support wireless users and one or more local mesh links. Although this offers flexibility it does have the following limitations: 13-2 The total available bandwidth on the radio is shared between all local mesh links and wireless users. This can result in reduced throughput if lots of traffic is being sent by both wireless users and the local mesh links. You can use the QoS feature to prioritize traffic. It limits you to using the same radio options for both wireless clients and local meshes. Local mesh Key concepts Multiple radio APs On APs with more than one radio, one radio can be dedicated to support wireless users and another to provide local mesh links. Each radio can be configured optimally according to its application. Using 802.11a/n for local mesh It is recommended that 802.11a/n in the 5 GHz band be used for local mesh links whenever possible. This optimizes throughput and reduces the potential for interference because: Most Wi-Fi clients support 802.11b or b/g, therefore most APs are set to operate in the 2.4 GHz band. This frees the 5 GHz (802.11a/n) band for other applications such as local mesh. 802.11a/n channels in the 5 GHz band are non-overlapping. 802.11a/n provides increased data throughput, providing a fat pipe for traffic exchange. The main limitations in using the 5 GHz band are: Since the same radio options must be used for both wireless clients and local mesh links, support for 802.11b/g clients is not possible on APs with a single radio. The 5 GHZ band has a shorter reach when compared to the 2.4 GHz band. This could be a factor depending on the distance your links must span. Quality of service The local mesh feature enables you to define a quality of service (QoS) setting that will govern how traffic is sent on all wireless links. Note When traffic is forwarded onto a local mesh link from a VSC, the QoS settings on the VSC take priority. For example, if you define a VSC with a QoS setting of VSC-based High, then traffic from this VSC will traverse the local mesh on queue 2 even if the QoS setting on the local mesh is VSC-based Low (queue 4). 13-3 Local mesh Key concepts Maximum range (ack timeout) This is a global setting that is configurable on the Radio page when the Operating mode is set to support Local mesh. It fine tunes internal timeout settings to account for the distance that a link spans. For normal operation, it is set to less than 1 km. This is a global setting that applies to all wireless connections made with a radio, not just for local mesh links. Therefore, if you are also using a radio to access an AP, adjusting this setting may lower the performance for users with marginal signal strength or when interference is present. (Essentially, it means that if a frame needs to be retransmitted it will take longer before the actual retransmit takes place.) 13-4 Local mesh Local mesh terminology Local mesh terminology The following table defines terms that are used in this guide when discussing the local mesh feature. Root network Root node Up str ea m Do lin k wn str ea m lin k AP 1 AP 3 AP 2 Alternate master node Slave node Term Definition Node An AP that is configured to support local mesh connections. Root node The root node is configured in Master mode and provides access to the root network. Alternate master node A node that is configured in Alternate master mode which enables it to make upstream and downstream connections. Slave node A node that is configured in Slave mode which enables it to make upstream connections only. Root network Wired network to which the root node is connected. This is the network to which the local mesh provides access for all connected alternate master and slave nodes. Mesh A series of nodes that connect to form a network. Each mesh is identified by a unique mesh ID. Link The wireless connection between two nodes. Downstream link A link that transports data away from the root network. Upstream link A link that transports data towards the root network. Peer Any two connected nodes are peers. In the diagram, AP 1 is the peer of both AP 2 and AP 3. 13-5 Local mesh Local mesh operational modes Local mesh operational modes Three different roles can be assigned to a local mesh node: Master, Alternate Master, or Slave. Each role governs how upstream and downstream links are established by the node. Note Master: Root node that provides the upstream link to the ground network that the other nodes want to reach. The master never tries to connect to any other node. It waits for links from downstream alternate master or slave nodes. It is possible to have several masters for the same mesh ID connected to the ground network. This can be used to provide redundant paths to the ground network for downstream nodes. Alternate Master: First establishes an upstream link with a master or alternate master node. Next, operates as a master node waiting for links from downstream alternate master or slave nodes. Slave: Can only establish an upstream link with master or alternate master node. Slave nodes cannot establish downstream links with other nodes. Node discovery Discovery of another node to link with is limited to nodes with the same mesh ID. The link is established with the node that has the best score based on the following calculation: Score = SNR - (Number of hops x SNR cost of each hop) If a node looses its upstream link, it automatically discovers and connects to another available node. Note A master or alternate master must be seen with an SNR of 20 or higher before a slave will attempt to connect to it. Operating channel If a mesh operates on a dynamic frequency selection (DFS) channel, the master node selects the operating channel. If another node detects radar and switches channels, that node reports the channel switch to the master node, which initiates a channel switch for the nodes connected to it. This allows the local mesh to converge on a specific channel. A node that uses a DFS channel and that loses connection with its master, scans channels to find a master on another channel, which can be a new master or the same master. 13-6 Local mesh Local mesh profiles If the local mesh does not operate on a DFS channel, configure the radios in one of the following ways: Configure the radios on all nodes to use the same fixed channel. Configure the radios for automatic channel selection. In this case the master selects the least noisy channel. Slaves and alternate masters scan channels until they find the master, then tune to the master channel and link with the master. Local mesh profiles A local mesh profile defines the characteristics for the type of links that can be established with other nodes as follows: Role Upstream link Downstream link Master None. Up to nine links with alternate master or slave nodes per profile. Alternate master A single link to a master node or alternate master node. Up to eight links with alternate master or slave nodes. Slave A single link to a master node or alternate master node. None. Each node supports up to six profiles plus one provisioning profile. When a profile is active, a node constantly scans and tries to establish links as defined by the profile. The local mesh provisioning profile is used by the wireless link created on a provisioned AP to support discovery of the controller. Initially, this link operates in slave mode. If you configure this profile as an alternate master, then it can also be used to establish up to nine downstream links with alternate master or slave nodes. See Provisioning local mesh links on page 13-12 for more information. 13-7 Local mesh Local mesh profiles Local mesh profiles are configurable at the controlled APs, group, or AP level. To view all profiles select Controller > Controlled APs >> Configuration > Local mesh. Or you can expand Controlled APs and select a group or specific AP. The following is an example of the profile list displayed when selecting Controlled APs >> Configuration > Local mesh. Configuration guidelines 13-8 In addition to the provisioning profile, you can configure a total of six local mesh profiles on each node. Each local mesh profile (on a master or alternate master) can be used to establish up to nine links with other nodes. The same security settings must be used on all nodes in the same mesh. Any node that reaches the controller through the local mesh and uses local mesh itself, must be provisioned prior to discovery. Daisy-chaining of nodes using local mesh links dramatically reduces throughput (which is typically divided by two for each hop) especially when one or more of the following are true: Nodes provide both upstream and downstream links on the same radio. Nodes share a radio with AP functionality. IP traffic originating from a node can be sent on the link on which the controller was discovered. Local mesh Local mesh profiles Configuring a local mesh profile To configure profiles #1 to #6, select a name in the list. The Local mesh profile page opens. For Slave and Alternate Master, the Settings box shows the additional options, for example Alternate Master: General Enabled/Disabled Specify if the profile is enabled or disabled. The profile is only active when enabled. Name Name of the profile. On dual-radio products use Select the radio to use for this link. 13-9 Local mesh Local mesh profiles Settings Mode Three different roles can be assigned to a node: master, alternate master, or slave. Each role governs how links are established. Links are defined as either upstream or downstream. Master: The master is the root node that provides the upstream connection to the ground network that the other nodes want to reach. The master will only create downstream local mesh links to alternate master or slave nodes. Slave: Slave nodes can only establish upstream links with master or alternate master nodes. Slave nodes cannot establish downstream links with other nodes. Alternate Master: An alternate master node must first establish an upstream link with a master or alternate master node before it can establish downstream connections with an alternate master or slave node. Mesh ID Unique number that identifies a series of nodes that can connect together to form a local mesh network. Allowed downtime The maximum time (in seconds) that a link can remain idle before the link actually gets deleted. When a slave (or alternate master) looses its link to its master, the discovery phase is re-initiated. Minimum SNR (Alternate master or slave nodes) This node will only connect with other nodes whose SNR is above this setting (in dB). SNR cost per hop (Alternate master or slave nodes) This value is an estimate of the cost of a hop in terms of SNR. It indicates how much SNR a node is willing to sacrifice to connect to node one hop closer to the root node, because each hop has an impact on performance, especially when using a single radio. Initial discovery time (Alternate master or slave nodes) Amount of time that will be taken to discover the best available master node. The goal of this setting is to delay discovery until all the nodes in the surrounding area have had time to startup, making the identification of the best master more accurate. If this period is too short, a slave may connect to the first master it finds, not necessarily the best. Security Enable this option to secure data transmitted on the wireless link. The APs on both sides of the wireless link must be configured with the same security options. 13-10 Local mesh Local mesh profiles WEP This feature has been deprecated. If you are creating a new installation, use AES/ CCMP. If you are upgrading from a previous release, your existing configuration will still work. Enables WEP to secure traffic on the wireless link. Specify the encryption key the node will use to encrypt/decrypt all data it sends and receives. The key is 128 bits long and must be specified as 26 hexadecimal digits. TKIP This feature has been deprecated. If you are creating a new installation, use AES/CCMP instead. If you are upgrading from a previous release, your existing configuration will still work. Enables TKIP encryption to secure traffic on the wireless link. The node uses the key you specify in the PSK field to generate the TKIP keys that encrypt the wireless data stream. Specify a key that is between 8 and 63 ASCII characters in length. It is recommended that the key be at least 20 characters long, and be a mix of letters and numbers. AES/CCMP Enables AES with CCMP encryption to secure traffic on the wireless link. This is the most secure method. The node uses the key you specify in the PSK field to generate the keys that encrypt the wireless data stream. Specify a key that is between 8 and 63 ASCII characters in length. It is recommended that the key be at least 20 characters long and be a mix of letters and numbers. 13-11 Local mesh Provisioning local mesh links Provisioning local mesh links APs operating in controlled mode must be able to discover and connect with a controller. When operating as part of a local mesh, any AP that can only discover the controller via a wireless link must be provisioned before being deployed. In this example, AP 1, AP 2, AP 4, and AP 5 must be provisioned prior to deployment for discovery to be successful. (Since AP 3 is using a wired link, it does not need to be provisioned for this scenario.) Controller AP 1 AP 2 AP 3 AP 4 Slave Alternate master A Master Alternate master B AP 5 Provisioning is done before APs are deployed using either of the following methods: 13-12 Directly connect to each AP and use its management tool to define provisioning settings. Connect the APs to the controller (either directly via the LAN port or through a local area network). After the APs are discovered, use the controller management tool to define provisioning settings by opening the Provisioning > Connectivity page at either the group or AP level. Local mesh Provisioning local mesh links In the this example, AP 1, AP 2, and AP 4 are all provisioned with the same settings as follows: Use the Local mesh radio configuration table to define local mesh settings for each product type. Product: Indicates the product type. Radio: Select the radio that will be used for the local mesh. Wireless mode: Select the wireless mode that will be used for the local mesh. Antenna selection: Select the antenna(s) on which the radio transmits and receives. Internal: The internal antenna is used to transmit and receive. External: The external antenna is used to transmit and receive. 13-13 Local mesh Provisioning local mesh links Note All APs must all be configured for the same country so that the local mesh established respects local RF regulations. To define the country setting, see Assigning country settings to a group on page 6-30. The local mesh provisioning profile for AP 2 needs to be set to alternate master mode so that it can support a connection from AP 1. Select AP 2 in the Network Tree and then open the Configuration > Local mesh page and select Local mesh provisioning profile. Note To enable the controller to send provisioned settings to controlled APs, activate the Enable provisioning of controlled APs option on the Controller >> Controlled APs > Provisioning page. Until this option is enabled, provisioned settings defined on the controller are not sent to any controlled APs. Once provisioning settings have been defined you need to update all controlled APs with the new settings by synchronizing them as described in Synchronizing APs on page 6-24. After an AP has been updated with provisioned settings, the provisioned settings do not become active until the AP is restarted, or a Remove and rediscover action is executed on the Controlled APs >> Configured APs page. 13-14 Local mesh Sample local mesh deployments Sample local mesh deployments RF extension Local mesh provides an effective solution for extending wireless coverage in situations where it is impractical or expensive to run cabling to an AP. In this scenario, a wireless bridge is used to extend coverage of the wireless network. Both APs are equipped with omni-directional antennas, enabling them to deliver both AP capabilities and wireless bridging using local mesh capabilities. AP 1 Controller AP 2 wireless link WLA N WLA N Building-to-building connection You can also use local mesh to create point-to-point links over longer distances. in this scenario, two dual-radio APs create a wireless link between networks in two adjacent buildings. Each AP is equipped with a directional external antenna attached to radio 1 to provide the wireless link. Omnidirectional antennas are installed on radio 2 to provide AP capabilities. The two APs are placed within line of sight. Building A Building B directional antenna directional antenna wireless link AP 1 AP 4 PU BLIC WL A N PU BLIC WL A N AP 2 AP 5 PU BLIC WL A N PU BLIC WL A N AP 3 PU BLIC WL A N Controller Note In the above example, all APs must connect to the backbone network via port 1. 13-15 Local mesh Sample local mesh deployments Dynamic network In this scenario, a controller is deployed with several APs to provide wireless coverage of a large area. Instead of using a backbone LAN, wireless links are used to interconnect all APs. AP 1 is the master. It provides the connection to the wired network and a wireless link to the other APs. The other APs automatically established their links to the master based on a balance between SNR (signal to noise ratio) and hops, to provide the most efficient network topology. If a node becomes unavailable, the links dynamically adjust to find the optimum path to the master. Controller Controller MASTER AP 1 MASTER AP 1 ALTERNATE MASTER AP 2 ALTERNATE MASTER AP 3 ALTERNATE MASTER AP 2 ALTERNATE MASTER AP 4 ALTERNATE MASTER AP 4 ALTERNATE MASTER AP 5 ALTERNATE MASTER AP 6 Initial network configuration is automatically established. 13-16 ALTERNATE MASTER AP 3 ALTERNATE MASTER AP 5 ALTERNATE MASTER AP 6 When AP 4 is unavailable, the network dynamically reconfigures itself. Chapter 14: Public/guest network access 14 Public/guest network access Contents Introduction ................................................................................................................14-3 Key concepts...............................................................................................................14-4 Access control......................................................................................................14-4 Access lists ...........................................................................................................14-5 The public access interface................................................................................14-5 Location-aware ....................................................................................................14-7 Configuring global access control options .............................................................14-8 User authentication .............................................................................................14-9 Client polling ......................................................................................................14-10 User agent filtering ............................................................................................14-10 Zero configuration .............................................................................................14-11 Location configuration......................................................................................14-12 Display advertisements.....................................................................................14-12 Public access interface control flow .....................................................................14-13 Customizing the public access interface...............................................................14-14 Sample public access pages .............................................................................14-15 Common configuration tasks...........................................................................14-15 Setting site configuration options ..........................................................................14-19 Allow subscription plan purchases .................................................................14-20 Display the Free Access option .......................................................................14-20 Support a local Welcome page.........................................................................14-21 Use frames when presenting ads.....................................................................14-22 Allow SSLv2 authentication .............................................................................14-23 Redirect users to the Login page via ...............................................................14-23 Public/guest network access Customizing the public access Web pages............................................................14-24 Site file archive ..................................................................................................14-24 FTP server ..........................................................................................................14-24 Current site files ................................................................................................14-25 Configuring the public access Web server ............................................................14-32 Options................................................................................................................14-33 Ports ....................................................................................................................14-33 MIME types ........................................................................................................14-33 Security ...............................................................................................................14-34 Managing payment services ....................................................................................14-35 Payment services configuration ......................................................................14-35 Service settings ..................................................................................................14-35 Billing record logging...............................................................................................14-42 Settings ...............................................................................................................14-42 Persistence .........................................................................................................14-43 External billing records server profiles ..........................................................14-44 Billing records log .............................................................................................14-47 Location-aware authentication...............................................................................14-48 How it works ......................................................................................................14-48 Example..............................................................................................................14-50 Security ...............................................................................................................14-50 14-2 Public/guest network access Introduction Introduction The Public/Guest Network Access feature enables you to provide controlled network access for a variety of deployments. Some common applications of this feature are: Providing Internet access to wireless customers in airports, restaurants, train stations, conference halls, etc. Providing wireless and wired access to staff and guests in hospitals, corporations, and government buildings. Providing wireless and wired access to students, staff, and teachers in schools and universities. Providing outdoor wireless access for an entire town, enabling city workers, police, fire, public security, and the general public to connect. This chapter provides describes the public/guest network access feature and how it can be used. For detailed information on the RADIUS attributes that can be used to customize the public access interface, see Chapter 15: Working with RADIUS attributes on page 15-1. 14-3 Public/guest network access Key concepts Key concepts Access control When the Access control option is enabled on a VSC, it creates an access-controlled VSC. This means that for all traffic on the VSC, the controller acts as the gatekeeper between two distinct network segments: the public network and the protected network. Public network: Access to the public network and its resources is generally made available to all unauthenticated wireless users once they successfully connect to the wireless network. Access is also generally made available to unauthenticated wired users on any network that is connected to the controller’s LAN port. Protected network: Access to the protected network is restricted by the controller and typically requires that users be authenticated by the controller before they gain access. Various authentication methods are available (HTML-based, MAC-based, 802.1X). The most commonly used method is HTML-based, which enables users to login through their Web browsers via the public access interface Login page. The controller can validate user login credentials using locally defined user accounts or by using the services of a thirdparty authentication server (RADIUS or Active Directory). The following diagrams illustrates a basic setup in which a wireless user is authenticated by an access-controlled VSC and then gains access to a corporate network. Controller Public network r Use log s in Access controlled VSC Protected network Ac ce ss to ne tw ork is gra nte d Corporate network AP Router For more information on access control, see Configuring global access control options on page 14-8. Note 14-4 If authentication is not enabled on a VSC, all users connected to the VSC can access the protected network. Public/guest network access Key concepts Access lists An access list is a set of rules that governs how the controller manages access to the public and private network resources. You can create multiple access lists, each with multiple rules, enabling you to create public areas on your network that all users can browse, and protected areas that are restricted to specific user accounts or groups. For more information, see Access list on page 15-34. In the following example, access lists are defined to allow the following levels of access: Unauthenticated users can access Network 1. Authenticated employees can access Network 2 and the Internet. Authenticated guests can access the Network 3 and the Internet. Controller Public networks Access controlled VSC Protected networks Authenticated employee Network 2 AP Unauthenticated user Network 3 Network 1 Internet The public access interface The public access interface is the sequence of Web pages through which access-controlled users can log in, log out, and view the status of their wireless connections to the public access network. By default, these Web pages are hosted on the controller’s Web server. However, pages can also be hosted on external servers for added flexibility. The pages, error messages, images, and workflow are all customizable. Standard pages are provided for common tasks such as login, service purchase, and display of session information. As well, advertisements can be displayed if required. 14-5 Public/guest network access Key concepts When a wireless user attempts to browse a Web site that is on the protected network, the user is redirected to the public access interface Login page. The following screen shot shows the default login page provided with the controller. After the user successfully logs in, the session and welcome pages appear. The session page provides details on the user’s session, and a Logout button. The welcome page is the starting point for the user once logged in. You can customize this page to present important information about your network. If the user selects Continue browsing, they are redirected to the original Web site that they were attempting to reach after they associated with the wireless network. When done browsing, the user selects Logout on the session page to terminate their session. 14-6 Public/guest network access Key concepts For more information on the public access Web pages, see: Public access interface control flow on page 14-13 Customizing the public access interface on page 14-14 Location-aware The location-aware feature enables you to control logins to the public access network based on the wireless AP to which a user is connected. It is configured on a per-VSC basis. When enabled, the controller returns location-specific information for RADIUS-authenticated users. This information can be retrieved and processed by server side scripts to manage network access. For more information, see Location-aware authentication on page 14-48. 14-7 Public/guest network access Configuring global access control options Configuring global access control options Global access control settings are managed by selecting Controller >> Public access > access control. The access control mechanism is used by the controller to manage user access to network resources. Access control is applied on a per-VSC basis. When the Use Controller for Access control option is enabled on a VSC, the configuration options on this page take effect with regards to client station configuration, authentication, and authorization. Use the checkbox in the title bar to globally enable or disable the access control mechanism: When enabled, the controller provides access control functionality which can then be configured on a per-VSC basis. When disabled, the Public/Guest Network Access feature is disabled for all VSCs that are configured to use access control. The status light indicates the state of the authentication system. 14-8 Green: Access control is working and authentication requests can be processed. Red: Access control cannot process authentication requests at this time. Public/guest network access Configuring global access control options User authentication Allow access if authentication timed out Enable this option to give users free access to the protected network if authentication services configured for a VSC are unavailable. Once the authentication services are available again, free user sessions remain active until the user logs out. For example, if a user is connected to a VSC configured for HTML-based authentication using a RADIUS server, and the RADIUS server is not responding, the user will be granted free access to the network using the settings from the default user profile (Default AC). Note This feature does not work for users configured to use 802.1X or WPA when the encryption keys are provided by the RADIUS server. Add idle-timeout to RADIUS accounting session-time When enabled, the controller includes the idle time-out in the total session time for a user when the session is terminated due to idle time-out. To remove the idle time-out from the total session time, disable this option. Automatically reauthenticate HTML-based users for nn min When this option is enabled, you can specify the amount of time that the controller will remember the login credentials for an HTML-based user after they log out. If the user reconnects to the network before this timeout expires, they are automatically logged in, and instead of being redirected to the Login page, they are redirected to the Welcome-back page. For this feature to work, users must have successfully been logged in at least once via HTML and must have the same IP address and MAC address as their initial login when they return. Also, the session must have been terminated involuntarily. For example, by the user moving out of range, or their computer being restarted. If the user terminates their session, they will not be automatically reauthenticated. To support this functionality, the DHCP server on the controller needs to be enabled. It will attempt to reserve a user’s assigned DCHP addresses even after their lease time has expired. As long as free addresses remain in the DHCP address pool, the expired address will not be reassigned to a new user. Note The controller remembers login credentials even if the controller is restarted for administrative reasons. This feature may not work for users whose actual IP or MAC address is hidden by an intervening router or other network device. 14-9 Public/guest network access Configuring global access control options Reauthenticate users on location change When this option is enabled, the controller will automatically reauthenticate users when they switch to: Note a wireless cell with a different SSID a different VLAN ID on the same VSC an AP with a different MAC address an AP with a different group name a different wireless mode This feature is only supported when using an external RADIUS server for authentication tasks. Maximum concurrently authenticated public access users Specify the maximum number of users that can be authenticated and logged into the public access interface at the same time. Client polling The controller polls authenticated client stations to ensure that they are active. If no response is received and the number of specified retries is reached, the client station is disconnected. To use this feature, client stations must have L2 connectivity to the controller. This feature enables the controller to detect if two client stations are using the same IP address but have different MAC addresses. If this occurs, access is terminated for this IP address removing both stations from the network. Changing these values may have security implications. A large interval provides a greater opportunity for a session to be hijacked. The initial query is always done after the client station has been idle for 60 seconds. If there is no answer to this query, the settings for Interval and Retries are used to control additional retries. Polling interval Specify how long to wait between polls. Consecutive retries Specify how many consecutive polls to which a client station can fail to reply before it is disconnected. User agent filtering Enable this option to filter and stop redirection of HTTP login requests coming from unauthorized client applications. Filtering occurs via the user-agent string that web-based applications use to identify themselves to their peers. 14-10 Public/guest network access Configuring global access control options Blocked agents This is the list of user-agent strings that the controller will use to block client applications. If an application’s user-agent string appears in this list, it will be blocked. When the list is empty, all valid HTTP login requests are redirected. For example, add the word Torrent to the list to stop HTTP login requests coming from the BitTorrent 6.3 client application. A list of user agents strings can be found here: http://www.useragentstring.com/pages/useragentstring.php Zero configuration Support users that have a static IP address Enable this option to allow client stations with static IP addresses that are not on the same subnet as the controller to connect to the controller. This permits users to access the network without reconfiguring their network settings. For example, by default the controller creates a network on the subnet 192.168.1.0. A client station that is preconfigured with the address 10.10.4.99 can connect to the controller without changing addresses. Assign addresses on the Public Access subnet Enable this option to provide network address translation for client stations with static IP addresses. This permits the controller to assign an alias address to the client station that puts it on the same subnet as the VSC the client station is associated with. This subnet is defined by configuring the DHCP server option in the VSC. Note This option cannot be used if NAT is enabled on the Internet port. Support applications that use HTTP/HTTPS proxy: Enable this option to allow the controller to support client stations that use application software (such as a web browser) configured to use a proxy server for HTTP and HTTPS, without reconfiguration of the application software. When this feature is enabled, ensure that client stations: Do not use a proxy server on ports 21, 23, 25, 110, 443, 8080, or 8090. To support ports 8080 and 8090, change the port settings under Controller >> Public access > Web server > Ports. Use the same proxy server address and port number for both HTTP and HTTPS. Restrict proxy support to users authenticated via HTML: Enable this option to restrict proxy support to users who logged in via the public access login page. Proxy traffic from users authenticated via other methods is blocked. 14-11 Public/guest network access Configuring global access control options SMTP authentication: When the controller redirects user SMTP traffic, the server to which the traffic is redirected may need to authenticate the controller. Enable this option to allow the controller to supply a username and password to the server. You can define the username and password in the RADIUS account for the controller or for the user. Location configuration These values are returned to IPass clients, and are also sent in RADIUS Authentication Access Requests and Accounting Requests for all users authenticated by this controller. Location ID Specify the WISPr location ID assigned to the controller. Location name Specify the WISPr location name assigned to the controller. Display advertisements When this option is enabled, it causes users to be redirected to an ad content page while they are browsing. The ads page can be either ads.asp or ads-frameset.asp, depending on the setting of Use frames when presenting ads under Site options on the Public access > Web content page. Redirection occurs on TCP port 80. Display advertisements every nnn sec Specify the interval at which users are redirected to the ads page. Note 14-12 Once the Display advertisements option is enabled, advertisements are displayed for all users. You can selectively disable the display of advertising in user profiles (Controller >> Users > Account profiles), subscription plans (Controller >> Users > Subscription plan), or via attributes set in a user’s RADIUS account. Public/guest network access Public access interface control flow Public access interface control flow The two following diagrams provide an overview of the default public access interface Web page flow. All site Web pages are identified by their role: Login, Welcome, Logout, etc. This abstraction is used because the name of the actual page used for a particular role is configurable in many cases. (For reference, the page name used by the factory default configuration is provided in parenthesis.) For a description of the individual pages, see Current site files on page 14-25. A Wait for user to attempt browse User remembered? Welcome Back page (welcome-back.asp) Yes C1, D B Login page (index.asp) Subscribe P2 next page Login type? Free Access C, D Yes C, D Existing User Name / Password B No Authenticated? C D Transport page (transport.asp) Session page (session.asp) Public IP page (public-ip.asp) plan Welcome page (welcome.asp) Subscription Details page (subscription_ details.asp) Display until Close C1 Wait for user to attempt browse User still authorized? Action? No Logout Subscribe Goodbye page (goodbye.asp) P2 next page A B Yes Time to display ad? Yes (ads-frameset.asp or ads.asp) until user navigates C1 No Display web page C1 14-13 Public/guest network access Customizing the public access interface P2 Subscribe page (subscribe.asp) Credit Card (WorldPay *1) Payment method? Credit Card (Authorize.net *1) Account page (account.asp) Name / Password Account page (account.asp) Name / Password Payment page (payment.asp) Go to WorldPay Payment page (payment.asp) Credit card info. WorldPay server payment pages Review page (review.asp) Confirm payment Purchase result? User Cancel Authorize.net contacted for purchase approval Approved Failed WorldPay Cancel page (worldpaycancel.asp) WorldPay Error page (worldpayerror.asp) Purchase result? WorldPay Success page (worldpaysuccess.asp) Failed Approved A Purchase Approved page (purchase_ approved.asp) Purchase Failed page (purchase_ failed.asp) Previous page C, D A *1 Not a user choice. (WorldPay or Authorize.net is pre-configured.) Previous page Customizing the public access interface The public access interface can be customized using the methods described below. You might use one or more of these methods, depending on the type of customization that you want to perform. Setting site configuration options: The site configuration options on the Controller >> Public access > Web content page can be used to quickly enable/ disable certain public access features. See Setting site configuration options on page 14-19. 14-14 Public/guest network access Customizing the public access interface Customizing the public access interface Web pages: The Web pages hosted on the controller internal Web server can be modified, allowing the entire public access interface to be customized. Simple modifications can be made with basic knowledge of HTML. Users with advanced HTML skills and knowledge of ASP and Javascript will be able to fully-customize all site operations. See Customizing the public access Web pages on page 14-24. Setting public access attributes: Configuration of a number of public access features can be accomplished by setting various RADIUS attributes. There categories of attributes are available: Site attributes: These attributes are used to configure site-related options and global settings that apply to all user sessions. They can be defined in the RADIUS account for the controller or reside locally on the controller. See Controller attributes overview on page 15-4. User attributes: These attributes are used to customize settings on a per-user basis. These attributes can reside locally on the controller or be retrieved from a third-party RADIUS server. See Defining and retrieving user attributes on page 15-14. Sample public access pages Some of the examples in this chapter make use of files contained in the Public Access Examples zip file. This file is available at www.hp.com/networking/public-access-examples. Common configuration tasks Customizing the login, welcome, or goodbye page 1. Select Controller >> Public access > Web content. 2. Under Current site files, select one of the following files: Login page: index.asp Welcome page: welcome.asp Goodbye page: goodbye.asp 3. The file will appear in the built-in text editor. Change the file to meet the requirements of your site. 4. Select Save. Customizing the logo 1. Create a file called logo.gif that contains your logo (recommended size less than 20K). 2. Select Controller >> Public access > Web content. 14-15 Public/guest network access Customizing the public access interface 3. Under Current site files, select the garbage can icon to the right of logo.gif to delete it. 4. Select Add New File. 5. For Filename, specify logo.gif. 6. Next to Load content from file, select Browse. 7. Select the logo.gif file that you created in Step 1. 8. Select Load. Displaying custom welcome and goodbye pages This example shows how to display unique welcome and goodbye pages for specific users or groups of users. This example assumes that you are hosting the web pages are hosted on a remote server and that you are using a RADIUS server to authenticate users. For this example, assume that you have two sets of users: basic and premium. To distinguish the two groups, you have set up the user accounts on the RADIUS server accordingly. (Perhaps you are using access lists to restrict each group to a different section of the public network as described in Access list example on page 15-40). 1. Retrieve the Public Access Examples zip file at www.hp.com/networking/public-accessexamples. 2. Create the following two folders on your Web sever: basic and premium. 3. Copy the files welcome.html and goodbye.html from the Examples zip file into both the basic and premium folders on the web server. 4. Edit the pages to present customized welcome and goodbye content for each set of users. 5. Add the following entry to the RADIUS profile for the basic users: welcome-url=web_server_URL/basic/welcome.html goodbye-url=web_server_URL/basic/goodbye.html 6. Add the following entry to the RADIUS profile for the premium users: welcome-url=web_server_URL/premium/welcome.html goodbye-url=web_server_URL/premium/goodbye.html 7. Add the following entry to the RADIUS profile for the controller. This gives all unauthenticated users access to the Web server hosting the goodbye page. accesslist=loginserver,ACCEPT,tcp,web_server_IP_address,port_number 14-16 Public/guest network access Customizing the public access interface Delivering dynamically generated content Another way to generate custom pages is to add placeholders in the URLs for the custom external pages and then use server-side scripting to dynamically create the pages. This method provides a powerful mechanism to automatically generate completely customized pages on a per-user basis. Rather than designing one or more static pages, as in the previous example, the custom pages in this example can be built on-the-fly based on user preferences stored in a central database, or based on a user’s location within the network. For example, if you want to generate a custom welcome page for each user: 1. Add the following entry to the RADIUS profile for the controller. welcome-url=web_server_URL/custom/ welcome.html?loginname=%u&IPaddress=%i 2. Create a server-side script to retrieve the user’s login name (%u) and the controller IP address or domain name (%u). The script can use this information to then display a custom page based on user’s preferences (stored in the server database) and the user’s location within the wireless network. Supporting PDAs Users using PDAs that only support a single browser window will have difficulty using the public access interface in its standard configuration. Once a user logs in to the public access interface, two Web pages are sent to their browser: the Welcome page and the Session page. The Session page contains a logout button. Users who are unable to view this page will not be able to log out. To solve the problem, modify the Welcome page to include a logout button. 1. Create a folder called PDAusers on your Web sever. 2. See Sample public access pages on page 14-15. Copy public access sample files welcome.html and goodbye.html into the PDAusers folder. 3. Edit welcome.html to include a logout link with the target: http://controller_name:port/goform/HtmlLogout. For example: http://wireless.mycompany.com:8080/goform/HtmlLogout. Adds a warning to this page that tells PDA users to bookmark the Welcome page so that they can logout. 4. Add the following entry to the RADIUS profile for all PDA users: welcome-url=web_server_URL/PDAusers/welcome.html 14-17 Public/guest network access Customizing the public access interface Customizing error messages To customize the error messages, edit the appropriate messages in the files listed in the following table, using the Controller >> Public access > Web content page. If an error occurs on Messages are taken from Login page (index.asp) login_error_message.asp Subscription page (subscribe.asp), Account page (account.asp), Payment page (payment.asp), Review page (review.asp), Purchase failed page (purchase_failed.asp) subscription_error_message.asp Other pages Messages.txt Logout host name Logout IP address These two options enable easy logout from the public access network. Users can logout by pointing their browsers to a specific host name or its IP address. Host names must be fully-qualified, which means they must include the domain name suffix (.suffix). For example: mydomain.com is fully qualified, mydomain is not. If a user that is logged in via HTML sends an HTTP request to the specified host name or IP address, the controller will log the user out. To use this option you must define an access list with the DNAT option. For example, if the controller’s LAN port is at 192.168.1.1 and you want to logout users when they access network.logout (which has an IP address of 10.10.1.1) you would define the following: Logout host name = network.logout Logout IP address = 10.10.1.1 On the Controller >> Public access > Attributes page, add the following attributes under Configured attributes: dnat-server = logout, 192.168.1.1, 8081 The DNAT-SERVER has to point to the controller’s LAN port on TCP port 8081. This is where the logout service is located on the controller. access-list = logout,DNAT-SERVER,tcp,10.10.1.1,80 Indicates that TCP traffic on port 80 that is addressed to 10.10.1.1 will be forwarded to the DNAT-SERVER (192.168.1.1). use-access-list=logout Activates the access list for all user’s on the controller. 14-18 Public/guest network access Setting site configuration options How it works 1. When a user enters http://network.logout in their browser, the controller resolves it to to 10.10.1.1. 2. The controller then intercepts any TCP traffic destined for 10.10.1.1 on port 80 and redirects it to 192.168.1.1 on port 8081. 3. The logout service running on controller port 8081 then logs the user out. Setting site configuration options To view, edit, and manage site options, select Controller >> Public access > Web content and configure the settings under Site options. About ASP variables A number of ASP variables are defined for use by the public access interface pages. These variables are used to make configuration and status information available via ASP function calls, allowing for customization of the Web pages. Some of the site configuration options set the values of these variables. See Public access interface ASP functions and variables on page 15-75. 14-19 Public/guest network access Setting site configuration options Allow subscription plan purchases When enabled, the Subscribe to this service option is displayed on the default Login page (index.asp). This option provides a link to the default Subscription page (subscribe.asp), where users can choose one of the subscription plans defined on the Controller >> Users > Subscription plans page. Existing users must enter their username and password to update their current account. New users enter a username and password to create a new account. Pre-requisites To use this feature, the following items must be pre-configured: One or more subscription plans must be defined by selecting Controller >> Users > Subscription plans. To support credit card payments, the credit card payment service must be enabled and configured by selecting Controller >> Public access > Payment services. Display the Free Access option When enabled, the Free Access option is displayed on the default Login page (index.asp). This enables users to login to the public access interface without paying. 14-20 Public/guest network access Setting site configuration options A user account is automatically created for each user that selects the Free Access option. Each account has the following properties: The account name and password are set to the MAC address of the user’s device. The account is valid for up to 30 minutes from the time it is created. To change this time use the Free accounts are valid for nn minutes option. When a Free Access account expires, the user can choose Free Access again and continue browsing. Account settings are imported from the Default AC profile. See About the Default AC profile on page 10-27. Free accounts are valid for nn minutes Specify how many minutes a free account is valid, starting from the time the user logs in with the Free Access option. Support a local Welcome page Use this feature to host the Welcome page on the controller Web server. When enabled, users are redirected to welcome.asp on the controller Web server. When disabled, you can use the welcome-url attribute (see Default user URLs on page 15-55) to define a remotely hosted welcome page. 14-21 Public/guest network access Setting site configuration options Use frames when presenting ads This option controls how advertising is displayed: When this option is enabled, the logo and advertisement displayed in a frame at the top of the page. When this option is disabled, the logo and advertisement are displayed on a separate page. The user selects Continue browsing to return to the page they were viewing. For more information on how advertising works, see Display advertisements on page 14-12. 14-22 Public/guest network access Setting site configuration options Allow SSLv2 authentication Enable this option to support client stations that use SSL v2 for their HTTPS connections. When disabled, the controller only supports client stations that are using SSL v3 for HTTPS connections. SSL v2 clients are refused. Redirect users to the Login page via Select the protocol that will be used when redirecting users to the default Login page (index.asp). HTTP: This option does not provide any encryption for protecting user login credentials. HTTPS: Provides a secure connection to protect user login credentials. However, until the default SSL certificate that is installed on the controller is replaced with a certificate signed by a well-known certificate authority, users will see a certificate warning message each time they attempt to log in. See Working with certificates on page 12-5 for more information on replacing the SSL certificate. 14-23 Public/guest network access Customizing the public access Web pages Customizing the public access Web pages To view, edit, and customize the public access interface Web pages, select Controller >> Public access > Web content. Site file archive Use these options to manage the files on the Web server as a single archive file (zip format). Save current site files to archive Saves all the current site files to an archive file. Overwrite current site files from archive Select Load Archive to load all the site files from an archive, overwriting the currently installed site files. FTP server The FTP server provides an easy way to manage the public access interface files on the Web server, allowing you to use third-party Web site editing tools to customize content. 14-24 Public/guest network access Customizing the public access Web pages Select Configure to its define operational settings. Note For security reasons you should disable the FTP server once the controller is deployed. Or at minimum, define security filters to restrict FTP access. User Specify the username and password that will be required when connecting to the FTP server. Note When using FTP, the username and password are not encrypted. They are sent as clear text. Security Allowed addresses Enables you to define a list of IP address from which to permit access to the FTP server. To add an entry, specify the IP address and appropriate mask and select Add. When the list is empty, access is permitted from any IP address. Active interfaces Select the interfaces through which client stations can access the FTP server. To select multiple entries, hold down the shift or control key as you select each entry. Current site files These are the files that are currently installed on the Web server and make up the public access interface. You can edit and create text files using the built-in editor. Other files must be created offline and uploaded via FTP. For an overview of the default site structure and control flow, see Public access interface control flow on page 14-13. 14-25 Public/guest network access Customizing the public access Web pages Add New File Select this button to create a new text-based file on the server. Reset to Factory Default Content Select this button to reset the site files to factory default content. You should make a backup copy of the current content using the Site file archive options before restoring factory defaults. About ASP variables A number of ASP variables are defined for use by the public access interface pages. These variables are used to make configuration and status information available via ASP function calls, allowing for customization of Web page content. Some of the site configuration options set the values of these variables. See Public access interface ASP functions and variables on page 15-75. Site file descriptions account.asp text/html This page is launched by subscribe.asp when the user selects Next. It displays a summary of the subscription plan that was chosen and prompts for a username and password to create a new user account. Selecting Cancel launches index.asp. Selecting Next launches payment.asp. ads-frame.asp text/html This file contains the frame content for ads when using ads-frameset.asp. ads-frameset.asp text/html Page that is used to display advertisements using frames. Users see the ad in a frame and their original Web site in second frame. Users can select the Continue Browsing button to return to their original Web page, or continue browsing within the frame. ads.asp text/html Page that is used to display advertisements without frames. Users are redirected to this page while browsing and must select the Continue Browsing button to return to their original Web page. 14-26 Public/guest network access Customizing the public access Web pages ads.jpg image/jpeg This is the default advertisement that is displayed. fail.asp text/html This is a generic error reporting page that is called by various other pages to present an error message. goodbye.asp text/html When a user logs out (by selecting the Logout button on the session.asp page, for example), if no goodbye-url attribute is defined (which specifies the location of a goodbye page), the user is redirected to this page. If this page is missing, than fail.asp is presented. graceful_ending.js application/javascript Provides a graceful ending to subscription plans that are about to expire. When a subscription plan has only 10 minutes left or reaches 80% of its transfer quota (these limits are configurable in this script), a warning appears encouraging the user to purchase another plan before their existing one expires. index.asp text/html This is the Login page that users see when they are first redirected to the public access interface. The Login page contains a single graphic element suitable for a logo or other identifying element and two fields (username and password) that enable users with an existing account to log in. Additional choices may be visible on the Login page if the following features are enabled on the Controller >> Public access > Web content page under Site options: Allow subscription plan purchases Display the Free Access option. login_error_message.asp text/html Error messages and the code that is used to display them. Used by index.asp. logo.gif image/gif Re-usable image shared by a number of pages. 14-27 Public/guest network access Customizing the public access Web pages payment.asp text/html This page is called by account.asp when a user selects Next. It displays a summary of the user’s subscription selection. For the Authorize.Net payment service Credit card information is requested. Selecting Review, launches review.asp. Errors in payment information cause this page to be redisplayed. Selecting Cancel returns the user to the Login page (index.asp). For the WorldPay payment service Selecting Go to WorldPay launches the payment processing page on the WorldPay site. Selecting Cancel returns the user to the Login page (index.asp). See WorldPay-cancel.asp/ WorldPay-error.asp/ WorldPay-success.asp on page 14-32. For the PayPal payment service Selecting Checkout with PayPal redirects the user to the PayPal site. Selecting Cancel returns the user to the Login page (index.asp). See paypal-cancel.asp on page 14-28, paypal-return.asp on page 14-28, and paypal_error.asp on page 14-28. paypal-cancel.asp The user is redirected to this page if they cancel the PayPal transaction when on the PayPal site or on paypal-return.asp. paypal-return.asp Once a user has completed setting up payment details on the PayPal site, the PayPal server redirects the user to this page which then displays a summary of the transaction. Selecting Confirm finalizes the transaction. A request is sent to PayPal, and if approved, the user is redirected to purchase_approved.asp. If not approved, the user is sent to paypal-error.asp. Selecting Cancel redirects the user to paypal-cancel.asp. paypal_error.asp In the case where PayPal detects any error, the user is redirected to this page and PayPal error messages are displayed. Error messages are defined by PayPal here: https://cms.paypal.com/us/cgi-bin/?cmd=_render-content&content_ID=developer/ e_howto_api_nvp_errorcodes 14-28 Public/guest network access Customizing the public access Web pages prototype.js application/javascript Javascript library used to support AJAX for use in session_ajax.asp and subscription_details.asp. public-ip.asp text/html Message page that is displayed explaining the steps a user must follow to activate a public IP address. This page is only displayed if a public IP address is assigned in the user’s account or account profile. See Public IP address on page 3-10. purchase_approved.asp text/html This page is displayed as soon as payment is approved. The user selects Login on this page to open welcome.asp. purchase_failed.asp text/html This page is displayed if payment fails. redirect.asp text/html This is the page that is sent when the controller intercepts a connection from a nonauthenticated user. Its function is to redirect the browser to the Login page. review.asp text/html This page is called by payment.asp and applies to Authorize.Net payments only. It displays a summary of the user’s subscription selections and presents a Pay button. Selecting Pay completes the Authorize.Net transaction. If the transaction is approved, purchase_success.asp page is called, otherwise, purchase_failed.asp is called. session.asp text/html This page shows usage statistics for the session, as well as the logout button that the user selects to terminate the session. session.js application/javascript Included by session.asp. Provides smart updates for Javascript-based browsers. 14-29 Public/guest network access Customizing the public access Web pages session_ajax.asp text/html This page is specially designed for AJAX, and provides a JSON page format for use by session.js to provide the same content as session.asp but for Javascript-enabled browsers. This enables smart refresh of the session data; only changed data is updated, not the entire page, eliminating screen flickering. Session.asp includes session.js which calls session_ajax.asp. sessionwindow.js application/javascript Contains Javascript functions used to control opening and closing of the session page. setfocus.js application/javascript Contains Javascript functions used to set the focus to the first form on a page. style.css text/css Stylesheet for all public access interface Web pages. subscribe.asp text/html This page is called by index.asp and session.asp if Allow subscription plan purchases is enabled on the Controller >> Public access > Web content page under Site options. The page displays all defined subscription plans so that the user can choose one. The user can select Next to proceed to account.asp, or Cancel in which case they are redirected to index.asp. subscription_details.asp text/html This page is called by session.asp. it provides information on the subscription plan selected by a user, as well as running totals for data transfer and online time. subscription_details.js application/javascript Included by subscription_details.asp. Provides smart updates for Javascript-based browsers. 14-30 Public/guest network access Customizing the public access Web pages subscription_details_ajax.asp text/html Included by subscription_details.asp. Provides smart updates for Javascript-based browsers. This page is specially designed for AJAX, and provides a JSON page format for use by subscription_details.js to provide the same content as subscription_details.asp but for Javascript-enabled browsers. This enables smart refresh of the data; only changed data is updated, not the entire page, eliminating screen flickering. subscription_details.asp includes subscription_details.js which calls subscription_details _ajax.asp. Also, session.asp includes gracefulending.js which calls subscription_details_ajax.asp. subscription_details_window.js application/javascript Included by session.asp. Contains Javascript functions used to control opening and closing of the subscription details page. subscription_error_message.asp text/html Error messages and code to display them. Used by: subscribe.asp, account.asp, payment.asp, review.asp, and purchase_failed.asp. transport.asp text/html This page appears briefly after the login is approved and redirects the user to the local or external welcome page. utils.js application/javascript Contains Javascript utility functions used by various public access pages. welcome-back.asp text/html If the Automatically reauthenticate HTML-based users for nnn minutes option is enabled on the Controller >> Public access > Access control page under User authentication, this page is displayed for returning users instead of the Login page (index.asp). 14-31 Public/guest network access Configuring the public access Web server welcome.asp text/html This page is called after the login process is complete if Support a local Welcome page is enabled on the Controller >> Public access > Web content page under Site options. WorldPay-cancel.asp/ WorldPay-error.asp/ WorldPay-success.asp text/html These pages are retrieved by the WorldPay service during the payment process. This means that the Web server must be accessible to the WorldPay server. Generally this is done by assigning a public IP address to the Internet port. Modifications to these pages must follow WorldPay guidelines. Configuring the public access Web server The controller features an integrated Web server that, by default, is used to host the Web pages that make up the public access interface. Public access Web pages can also be hosted on third-party Web servers. Web server configuration settings are defined on the Controller >> Public access > Web server page. 14-32 Public/guest network access Configuring the public access Web server Options NOC-based authentication Enable this option to support NOC-based authentication. NOC-based authentication must be used in conjunction with the remote login page feature. The remote login page feature enables users to be redirected to a remote Web server to log in instead of using the internal login page on the controller. To validate user logins, a login application on the remote server must collect user login information and send it to the controller for authentication. See NOC authentication on page 15-62 and Appendix D: NOC authentication. Ports Specify the port number the Web server uses for each protocol. If you enable support for proxy settings under Controller >> Public access > Access control > Zero configuration, you must change the selected port to support client stations that are using proxy servers on the standard port (8080 or 8090). The following mappings are recommended: Map the unsecure port 8080 to port 81 Map the secure port 8090 to port 444 Make sure that you do not remap these ports to values already in use on your network. MIME types MIME (Multipurpose Internet Mail Extensions) is an Internet standard that is used to describe the type of information that a message or file contains. By default, the controller contains the definitions for a number of common MIME types. If you need to add your own definition, select Configure. 14-33 Public/guest network access Configuring the public access Web server This page lists all MIME types that are currently defined on the Web server. A number of common MIME types are defined by default. (Some of the default definitions cannot be changed.) Select Add New MIME Type to define your own MIME type. File extension Specify the file extension that identifies this MIME type. MIME type Specify the content-type string that identifies this MIME-type. This is the value that must appear in an HTTP Content-type header for the controller to recognize this MIME type. Types should be specified in the following format: type/subtype For example: text/xml MIME type is text-based Enable this option if the MIME type identifies files that are text-based. Security Use this option to control access to the Web server. Allowed addresses The Web server will only accept connections from devices whose IP addresses appear in this list. When the list is empty, authentication requests are accepted from any address. Active interfaces Select the interface(s) on which the controller will accept connections. When NOC authentication is active, this is the interface on which the remote login Web server application can be reached. For more information on NOC authentication, see NOC authentication on page 15-62 and Appendix D: NOC authentication. Note 14-34 Ingress interfaces configured inside VSCs (including the LAN port) always have access to the Web server when NOC-based authentication is disabled. Public/guest network access Managing payment services Managing payment services The controller can directly interact with payment processing services service such as Authorize.Net and WorldPay, so that users can pay for network access from within their Web browser. Payment services configuration To configure payment services, follow this procedure: 1. Select Controller >> Public access > Payment services. Use this page to define the type of payment options that the public access interface will support. 2. Enable Credit card. Specify the 3-letter Currency code (see online help for list of codes) and Tax rate. 3. For Credit card payment authorization, select either Authorize.NET or WorldPay, and specify the appropriate information. Merchant accounts must be set up to use these services (www.authorize.net or www.worldpay.com). Service settings Payment method: Credit card Enable this option to allow users to pay for services via credit card. The controller makes use of a third-party credit card processing service (either Authorize.Net or WorldPay) to handle credit card transactions. Communications with the credit card service occurs via an SSL connection. In the case of Worldpay, you must purchase the appropriate certificate as required and install it on the Controller >> Security > Certificates stores page. The other payment methods do not require installation of a certificate. The controller does not keep a record of the user’s credit card information. All information handled by the system is securely managed in accordance with the PCI DSS v1.2 standard. 14-35 Public/guest network access Managing payment services The controller maintains a billing log that provides a simple audit trail of all transactions. The log supports the buffering and retransmission of up to 2000 billing records to an external billing records server. You can configure log options on the Controller >> Public access > Records page. Currency code Specify the three-letter code for the currency in which all charges will be calculated. See the online help for a complete list of currency codes. Tax rate Specify the tax rate to use when calculating sales tax for all charges. Authorize.Net service Payment URL Specify the URL of the Authorize.Net server. Login ID Specify the login ID of the Authorize.Net account assigned to the controller. Transaction key Specify the transaction key for the Authorize.Net account assigned to the controller. WorldPay service Payment URL Specify the URL of the WorldPay server. Installation ID Specify your WorldPay installation ID. This informs WorldPay to which merchant all sales will be credited. Response password Specify your WorldPay installation response password. Other configuration issues To successfully make use of the WorldPay service you must also address the following issues: The Internet port of the controller must be reachable by the WorldPay servers. This is required so that the WorldPay pages stored on the controller can be retrieved, and that the controller can receive an HTTP/HTTPS post with payment details. (To support HTTPS, a certificate signed by a well-known certificate authority must be installed on the controller.) An access list must be defined on the controller that gives users access to the WorldPay site without being authenticated. For example: access-list=factory,ACCEPT,tcp,*worldpay.com,all If different, replace *worldpay.com with whatever is configured. 14-36 Public/guest network access Managing payment services You must configure the payment response URL in your Worldpay customer account to point to the public access web server on the controller. This tells Worldpay where to post information about transactions. The format for the URL is: https://host_name:port/goform/HtmlWorldpayPaymentResponse Where: host_name is the name of the public access web server as defined in the X.509 (SSL) certificate installed on the controller. port is the HTTPS port number of the public access web server as defined on the Controller >> Public access > Web server page. For complete configuration requirements, see the documentation on the WorldPay site. PayPal service Before you can configure and use the PayPal service you need to: Open a PayPal business account and obtain a PayPal user ID, user password, and signature. Become familiar with your responsibilities as a merchant. Obtain basic knowledge of the PayPal Express Checkout API (version 63.0 or higher) in order to successfully customize the PayPal public access web pages, which are: paypalcancel.asp, paypal-return.asp, and paypal-error.asp. To see the contents of these pages, select Controller >> Public access > Web server and look in the Current site files list. PayPal offers many different methods for deducting funds from a customer account. However, the controller only supports methods that provide immediate resolution. Any kind of deferred payment is not supported. As a result, when PayPal displays payment options to the user, only instant payment options are shown. If a user’s PayPal account does not support instant payment, then they will not be able to purchase services. In order to pay for service with PayPal, users must be able to reach the PayPal server before they are authenticated. Therefore, an access list must be created on the controller to give unauthenticated users access to the PayPal server. For example, you can add the following definition to the default access list called factory: access-list=factory,ACCEPT,tcp,*paypal.com,all Add this definition by selecting Controller >> Public access > Attributes, and then selecting Add New Attribute. User ID Specify the user ID assigned to your PayPal business account. User password Specify the password assigned to your PayPal business account. Signature Specify the signature assigned to your PayPal business account. 14-37 Public/guest network access Managing payment services Mode Test: Use this option to test your setup to make sure that everything is working properly. Requests are set to the PayPal test server at: https://api-3t.sandbox.paypal.com/nvp When users select the Checkout with PayPal button, they are redirected to: https://www.sandbox.paypal.com/ For more information on using the test server, see the PayPal developer network at https://www.x.com/community/ppx/testing Production: Requests are set to the PayPal server at: https://api-3t.paypal.com/nvp When users select the Checkout with PayPal button, they are redirected to: https://www.paypal.com/ Override default PayPal URLs Enable this option to override the default PayPal URLs for both Test and Production modes with a custom value. Paypal example The following steps illustrate the typical user experience when using the new PayPal feature. To save space the pages have been cropped to remove the browser window and any banners. The name of the public access interface web page is shown for each image. 1. On the Login page, the user selects the Subscribe to this service button and then selects Proceed. page name= index.asp 14-38 Public/guest network access Managing payment services 2. The user chooses a subscription plan and then selects Next. page name= subscribe.asp 3. The user reviews the subscription plan information, specifies a username and password for the new account, and then selects Next. page name= account.asp 4. The user selects the Checkout with PayPal button to pay. page name= payment.asp 14-39 Public/guest network access Managing payment services 5. The user is redirected to the PayPal site. A banner placed at the top of the page shows the merchant's name. The user enters their PayPal username and password and selects Log In to sign into PayPal. 6. PayPal presents billing information for the user to review. If satisfied, the user selects Continue to proceed. PayPal then sends the user’s transaction data back to the controller 14-40 Public/guest network access Managing payment services 7. The user is redirected back to the controller public access interface, which presents a summary of the transaction. To continue, the user selects Confirm. The controller queries the PayPal server to approve the transaction. page name= paypal-return.asp 8. If the transaction is approved, the user can login to the network by selecting Login. purchase_approved.asp 9. The user’s session starts. page name= welcome.asp 14-41 Public/guest network access Billing record logging Billing record logging The billings records logging system provides a simple audit trail of all billing transactions. The log supports the buffering and retransmission of up to 2000 billing records to one or more external billing records servers. Log transmission occurs using HTTP/1.1 POST method with a completely customizable data format. The system will retransmit a billing record until it is successfully acknowledged or until transmission is stopped because of too many failures. Multiple backup servers can be assigned to a primary server to increase the probability of successfully transmitting a billing record. To reduce the risk of billing records being lost, data can be mirrored by defining multiple primary servers. A copy of each record is sent to each primary server. Note Records are always added to the log, even when record transmission is disabled. If required, these records can be saved (exported) to a file, but cannot be transmitted to a billing server. To configure Billing record logging, select Controller >> Public access > Billing records. Settings Suspend payment system when log is full of queued records Use this option to halt the payment system if external billing servers are unable to receive records and the log is full of untransmitted records. (Records with a status of “Queued”). For more information on how the log entries are managed, see Billing records log on page 14-47. 14-42 Public/guest network access Billing record logging When this options is disabled, the oldest untransmitted record is removed from the log to make room for the new record. Configure Record Formats Select this button to edit the transmission, export, and acknowledgement formats for the billing records. See the online help for format descriptions. Persistence Enable this option to have the controller save queued (untransmitted) records in the log to its internal flash memory so that they can be recovered in case of abnormal system shutdown (power failure, for example). See Billing records log on page 14-47. Save queued records every nn minutes Specify the interval at which the log is saved. Save Queued Records Now Force the log to be saved immediately. 14-43 Public/guest network access Billing record logging External billing records server profiles This list displays all configured billing records server profiles. Billing records are sent to the servers defined in this list as follows: A copy of the current billing record is sent to each primary server. By adding multiple primary servers you create data mirroring and reduce the risk of a record being lost. If a primary server fails to acknowledge the record, the controller retries. Once the retry limit is reached, the record is transmitted to any defined backup servers. Once all retries are attempted for all backup servers, the record is either skipped, or the entire process starts again. For example, if you configure a primary server “Server A” with “Server B” as a backup, with 2 transmission attempts, the following sequence in used to transmit the billing record: A-[Delay]-A-[Delay]-B-[Delay]-B-[Delay]-A-[Delay]-A-[Delay]-B-[Delay]-B… To edit an existing profile, select its Name. To add a new profile, select Add New Profile. In either case you will see the Add/Edit external billing records server profile page. Settings Type Primary: Defines a primary server. The controller sends a copy of each billing record to all primary servers. See Record transmission overview on page 14-46. 14-44 Backup: Defines a backup server. Backup servers can be assigned to act as a backup to a primary server by using the Failover box. Public/guest network access Billing record logging Profile name Specify a name to identify the server profile. Hostname/IP address IP address or hostname of the server. Port Port on which to send the HTTP post. URL URL to which the HTTP post will be sent. Transmission timeout Amount of time that the controller waits for an HTTP response for a transmitted record. If the response is not received within this period, this is considered as a failed transmission. Failover Use this box to define one or more backup server profiles for the current primary server profile. Use these backup servers Lists all backup server profiles for this primary server profile. Backup profiles are used in the order that they appear in the list. Available backup servers Lists all server profiles of type backup. Retries per server Number of times that a record will be retransmitted before the next profile is tried. Note This parameter also sets the number of retries on the primary. Delay between retries Amount of time to wait between retransmitting a record. Security Encryption and authentication can be used to increase the transmission security of billing records. HTTP authentication and secure HTTP using SSLv3 are supported. Also, to make sure that a billing record has not been altered, a secret key, shared between the billing server and the controller, can be defined and used to produce a cryptographic signature of the billing record. Secret key Specify the secret key that will be used to generate an encryption signature using HMACSHA-1. The signature is generated using the entire contents of the billing record. (The signature field is empty when the signature is calculated.) Use HTTPS When enabled, secure HTTP using SSLv3 is used to transmit records to all servers. 14-45 Public/guest network access Billing record logging Validate server certificate When enabled, the controller will validate the external billing server certificate. For this to be successful, you must install the billing server CA certificate in the Trusted CA certificate store on the Security > Certificate stores page. Use HTTP authentication Enable this option if the billing server requires a username and password. Fault tolerance Fault tolerance settings control how many times each billing record is retransmitted. Retransmit until successful When enabled, the controller will never skip a record due to transmission failure. Retransmission is continuously retried on the primary server and all backup servers until successful. Enabling this option may cause log entries to be lost if a record fails to be transmitted before the log wraps around. To avoid losing records, enable the Suspend operation of payment system when log is full option under Log settings on the Controller >> Public access > Billing records page. Stop after failed nnn retransmissions Select this option to have the controller stop retransmitting a record when the total number of retransmissions on all servers (primary and backup) exceeds the specified number. When this occurs the record is flagged as Transmission Failed in the log. Record transmission overview Transmission of a billing record occurs as follows: Note 14-46 Billing record is transmitted to the primary server. If the primary server does not send an HTTP reply within the Transmission timeout, then the transmission is considered to have failed. If a response is received, but the status field does not match the value of Ack success value, then the transmission is considered to have failed. Failed transmissions are retried on the primary server until the Retries per server limit is met, after which each backup server is tried in order. Once all backups are tried, the sequence resumes again with the primary server. Retransmissions only stop if the selected condition under Fault tolerance is met: either the record is successfully transmitted or the total number of retires on all servers passes a predetermined limit. A billing record is considered to be successfully transmitted only when it has been successfully transmitted to every primary server (or one of its backups). Public/guest network access Billing record logging Billing records log This table displays the contents of the billing records log. The log can hold up to 2000 records. When full, records are deleted in the following order: 1. Records that have been successfully transmitted. 2. Records that do not have to be transmitted, because transmission is disabled. 3. Records for which transmission has failed. If transmissions to remote billing server(s) is interrupted, the log can become full of untransmitted records only. (Records with status set to “Queued”.) What happens next is controlled by the Suspend payment system when log is full of queued records when log is full setting under Settings. If enabled, payment services are suspended. If disabled, the oldest queued record is removed. Number of billing records Lists the total number of billing records in the log. Select the action to apply to all log records Clear log: Delete all records in the log. Save log: Save the log to a file using the export format defined by selecting Controller >> Public access > Billing records > Configure Records Format. Retransmit failed records: Force the retransmission of records that have transmission state set to Transmission Failed. This starts the complete transmit cycle all over again for the record. Cancel current transmission: Terminates the record transmission that is currently in progress. Table Record ID Unique number that identifies each record. Transaction ID Credit card transaction ID generated by the credit card service. Transaction time Date and time of the transaction. Charge Amount charged on the transaction. 14-47 Public/guest network access Location-aware authentication Billing method Identifies the billing method: CC_WORLDPAY CC_AUTHORIZE_NET CC_PAYPAL Transmission state Transmitting: The record is being transmitted. Queued: The record is queued for transmission. Transmission Disabled: Transmission of the record was disabled. Once records fall into this category they cannot be retransmitted. Successful: The record was successfully transmitted and acknowledged by all primary servers (or their backups). Transmission Failed: The record was not transmitted successfully and retransmission attempts have stopped due to the setting for Fault tolerance in the billing records server profile (Controller >> Public access > Billing records > External billing records server profiles). Location-aware authentication This feature enables you to control logins to the public access network based on the wireless access point with which a user is associated. Once authenticated, this feature is also used to monitor and control roaming to other access points in the network. How it works Location-aware is automatically enabled when a VSC is set to provide access control. When enabled, the location-aware feature causes the controller to return location-specific information for RADIUS-authenticated users. This information is returned: Note 14-48 When the user logs in Each time the user roams to a new access point or switches SSIDs on the same access point (which causes the user to be re-authenticated). Due to security constraints in 802.1X client software, users cannot automatically be reauthenticated when roaming to a new access point. Therefore, location-aware information cannot be returned when these users roam. Public/guest network access Location-aware authentication Returned information The controller can return the following attributes in the RADIUS access request for all user authentications (whether initial login or re-authentication due to roaming): Note Called-station-ID (Standard RADIUS attribute) HP-specific attribute: SSID HP-specific attribute: GROUP When re-authenticating users, the returned RADIUS attribute Service-Type is set to 8744 (decimal). Called-Station-ID value By default, this is the MAC address of the wireless port (radio) to which the user is associated. This is the MAC address of the wvlan0 or wvlan1 interface in IEEE format as displayed by Tools > System Tools > Interface info. If required, the controller can return other values for this attribute by setting the CalledStation-Id content on a per-VSC basis. The other available options are: SSID: SSID of the access point with which the user is associated. Group: Group name of the access point with which the user is associated. macaddress: Returns the MAC address of the wireless port (radio) the user is associated with. This is the MAC address of the wvlan0 or wvlan1 interface as shown by Controller >> Tools > System Tools > Interface info. If the user is connected via a wired connection, the value returned is the MAC address of the controller wireless/LAN port. To use the MAC address of the Internet port, you must edit the config file and change the setting of radius-called-station-id-port to WAN in thesection. macaddress:ssid: The MAC address of the wireless AP’s radio, followed by a colon, followed by the SSID configured on this VSC. HP-specific attribute: SSID The SSID of the access point with which the user is associated (wireless only). HP-specific attribute: GROUP The group name of the access point with which the user is associated (wireless only). 14-49 Public/guest network access Location-aware authentication Example Consider the following topology for a fictional small hotel. The restaurant and lounge are available to all hotel users who subscribe to the wireless service. However, the conference room is available only to a specific group of guests who book it in advance. Broadband modem Network Operating Center Service controller Web/FTP server 20.2 20.5 Management station RADIUS server 20.1 20.4 SMTP server 192.168.10.0 A 10.1 AP PU BLIC WL A N Conference Room AP PU BLIC WL A N B 10.2 AP PU BLIC WL A N C 10.3 AP PU BLIC WL A N AP Restaurant Lounge PU BLIC WL A N In this example, the access points in each area are assigned the following unique group names: conference_room restaurant lounge When a user logs in, server-side code can be used to determine the access point they are associated with by inspecting the Called-Station-ID. Then, using user’s account information, access can either be granted or denied. Security The controller accepts location-aware information only from MSM APs that have a matching shared secret to its own. 14-50 Chapter 15: Working with RADIUS attributes 15 Working with RADIUS attributes Contents Introduction ................................................................................................................15-3 Controller attributes overview .................................................................................15-4 Customizing the public access interface using the site attribute ..................15-4 Defining and retrieving site attributes ..............................................................15-5 Controller attribute definitions..........................................................................15-8 User attributes ..........................................................................................................15-13 Customizing user accounts with the user attribute ......................................15-13 Defining and retrieving user attributes...........................................................15-14 User attribute definitions .................................................................................15-20 Administrator attributes..........................................................................................15-31 Colubris AV-Pair - Site attribute values .................................................................15-33 Access list ...........................................................................................................15-34 Configuration file...............................................................................................15-44 Custom SSL certificate .....................................................................................15-44 Custom public access interface Web pages ...................................................15-45 Default user interim accounting update interval...........................................15-51 Default user bandwidth level ...........................................................................15-51 Default user idle timeout ..................................................................................15-52 Default user quotas ...........................................................................................15-52 Default user data rates......................................................................................15-53 Default user one-to-one NAT............................................................................15-53 Default user session timeout............................................................................15-54 Default user public IP address.........................................................................15-54 Default user SMTP server.................................................................................15-54 Default user URLs .............................................................................................15-55 HTTP proxy upstream.......................................................................................15-55 IPass login URL..................................................................................................15-56 Working with RADIUS attributes Global MAC-based authentication...................................................................15-56 Multiple login servers........................................................................................15-57 Redirect URL......................................................................................................15-59 NOC authentication...........................................................................................15-62 HP WISPr support .............................................................................................15-62 Traffic forwarding (dnat-server)......................................................................15-63 Multiple DNAT servers......................................................................................15-64 Colubris AV-Pair - User attribute values................................................................15-67 Access list ...........................................................................................................15-67 Advertising .........................................................................................................15-68 Bandwidth level .................................................................................................15-68 Data rate .............................................................................................................15-69 One-to-one NAT .................................................................................................15-69 Public IP address ...............................................................................................15-70 Quotas .................................................................................................................15-70 Redirect URL......................................................................................................15-71 SMTP redirection...............................................................................................15-71 Station polling ....................................................................................................15-72 Custom public access interface Web pages ...................................................15-72 Colubris AV-Pair - Administrator attribute values................................................15-74 Administrative role............................................................................................15-74 Public access interface ASP functions and variables ..........................................15-75 Javascript syntax ...............................................................................................15-75 Forms ..................................................................................................................15-76 Form errors ........................................................................................................15-78 RADIUS...............................................................................................................15-79 Page URLs ..........................................................................................................15-81 Session status and properties ..........................................................................15-82 iPass support......................................................................................................15-85 Web......................................................................................................................15-87 Client information .............................................................................................15-87 Subscription plan information .........................................................................15-90 Other ...................................................................................................................15-91 Session information ..........................................................................................15-93 15-2 Working with RADIUS attributes Introduction Introduction RADIUS attributes can be used to customize a wide range of configuration settings on the controller. This includes defining configuration settings for the public access interface, customizing the settings of access-controlled user accounts, or configuring credentials for the administrative accounts that are used to manage/operate the controller. Attributes can be defined both locally on the controller or retrieved from a third-party RADIUS server. In certain cases, values can be defined locally and then overwritten by values retrieved from a RADIUS server. This allows, for example, default values on the controller to be dynamically updated on a per-user basis. This chapter splits the supported RADIUS attributes into three categories: Category Description For information, see... Controller attributes Used to customize the operation of the public access interface (creating access lists for walled gardens, for example), and also to define default values that are applied to all user accounts. Controller attributes overview on page 15-4 Colubris AV-Pair - Site attribute values on page 15-33 User attributes Used to customize the settings of individual accesscontrolled user accounts. User attributes on page 15-13 Colubris AV-Pair - User attribute values on page 15-67 Administrator attributes Used to define login credentials for administrative users (mangers and operators). Administrator attributes on page 15-31 Colubris AV-Pair - Administrator attribute values on page 15-74 15-3 Working with RADIUS attributes Controller attributes overview Controller attributes overview The controller provides support for a number of standard RADIUS attributes, including those for authentication and accounting. See Controller attribute definitions on page 15-8 for a list of these attributes and a brief definition. For detailed information on these attributes, refer to RFC2865, or the documentation that came with your RADIUS server. The controller also supports several vendor-specific attributes, including the special HP attribute (known as the site attribute) that is used to customize the behavior of the public access interface and define global default values for user accounts. To find out more about the site attribute, see the following section. Customizing the public access interface using the site attribute HP has defined a vendor-specific RADIUS attribute to support configuration of the public access interface and user accounts. This attribute conforms to RADIUS RFC 2865 and is called the Colubris AV-Pair. Multiple instances of the Colubris AV-Pair attribute can be defined on the controller, each with a different AV-Pair value. For a complete list of all supported AV-Pair values, see Colubris AV-Pair - Site attribute values on page 15-33. In order for a third-party RADIUS server to support the Colubris AV-Pair attribute you need to define it as described under Colubris AV-Pair on page 15-11. Note The Colubris AV-Pair attribute can be used to define settings on the controller and for users and administrators. This section discuses controller settings only. Important The documentation for this product frequently uses the terms site attributes and user attributes to refer to the Colubris AV-Pair attribute values depending on whether the AV-Pair attribute values are set with a value that applies to the public access site or to an individual user. 15-4 Working with RADIUS attributes Controller attributes overview Defining and retrieving site attributes Site attributes can be retrieved from a third-party RADIUS server or specified directly on the controller. In both cases, configuration settings are defined on the Public Access > Attributes page. Retrieving site attributes from a RADIUS server To retrieve attributes form a RADIUS server, enable the Retrieve attributes using RADIUS option. To use this option, you must also configure a RADIUS profile (see Using a third-party RADIUS server on page 11-5) and define an account for the controller on the appropriate RADIUS server. This account must contain all site attributes that you want to retrieve. For a complete list of all supported site attributes and their syntax, see Colubris AVPair - Site attribute values on page 15-33. After the controller is authenticated by the RADIUS server it automatically retrieves the site attributes you defined in the controller’s RADIUS account. The retrieved attributes are then combined with the attributes defined in the Configured attributes list (if any) to build the complete list of attributes that are active on the controller. If the same attribute is defined on both the RADIUS server and in the Configured attributes list, the setting of Retrieved attributes override configured attributes determines which definition is used. 15-5 Working with RADIUS attributes Controller attributes overview Note A maximum of 128 attributes can be active at any one time (including both the RADIUS and the Configured attributes list). The maximum attribute size that the controller can receive in a single RADIUS request is 4096 bytes. However, some networks may limit RADIUS request size to around 1500 bytes because they discard UDP fragments. Configure the Retrieve attributes using RADIUS options as follows: RADIUS profile: Select a RADIUS profile. The profile is used to establish the connection to a RADIUS server. RADIUS profiles are defined by selecting Controller >> Authentication > RADIUS profiles. For details, see Using a third-party RADIUS server on page 11-5. RADIUS username: Specify the username of the RADIUS account assigned to the controller. RADIUS password / Confirm password: Specify the password of the RADIUS account assigned to the controller. Accounting: Enable this option to have the controller generate a RADIUS accounting request ON/OFF each time its authentication state changes. Retrieved attributes override configured attributes: Enable this option to have attributes retrieved from the RADIUS server overwrite settings defined in the Configured attributes table. Retrieval interval: Specify the number of minutes between attribute retrievals. The controller retrieves attributes from its RADIUS account each time this interval expires. To avoid potential service interruptions that may occur when new attributes are activated by the controller, it is strongly recommended that you use a large interval (12 hours or more). You can override the value configured on this page by using the RADIUS attribute Session-timeout, which enables the following strategy: Configure Retrieval interval to a small value (10 to 20 minutes) and set the RADIUS attribute Session-timeout to override it with a large value (12 hours) when authentication is successful. Since the Retrieval interval is also respected for Access Reject packets, this configuration results in a short reauthentication interval in the case of failure, and a long one in the case of success. 15-6 Last retrieved: Shows the amount of time that has passed since the controller last retrieved attributes. Retrieve Now: Select to force the controller to contact the RADIUS server and retrieve attributes. Working with RADIUS attributes Controller attributes overview Defining site attributes directly on the controller Site attributes can be defined directly on the controller eliminating the need to use a RADIUS server. If needed, both methods can be used at the same time. In this case, the retrieved attributes are combined with those attributes defined in the Configured attributes list to build the complete list of attributes that are active on the controller. If the same attribute is defined on both the RADIUS server and in the Configured attributes list, the setting of Retrieved attributes override configured attributes determines which definition is used. To add a new attribute: 1. Select Add New Attribute. The Public access attribute page opens. 2. Under Name, select an AV-Pair value, as shown in the following figure. 3. Once you select a Name, information appears regarding the correct syntax to specify under Value. Use the correct syntax to specify the desired Value. For a complete list of all supported site attributes and their syntax, see Colubris AV-Pair - Site attribute values on page 15-33, or consult the online help. 4. Select Add. 15-7 Working with RADIUS attributes Controller attributes overview Controller attribute definitions The following table lists all RADIUS attributes supported by the controller. A brief description of each attribute follows the table. For detailed information, refer to RFC2865, or the documentation that came with your RADIUS server. Access Request Access Accept Acct-Session-Id Class Called-Station-Id EAP-Message Calling-Station-Id Session-Timeout CHAP-Challenge Vendor-specific (Colubris) CHAP-Password Connect-Info Access Reject EAP-Message No attributes are supported. Framed-IP-Address Access Challenge Framed-MTU No attributes are supported. NAS-Identifier Accounting Request NAS-Ip-Address NAS-Port NAS-Port-Type Message-Authenticator Service-Type State User-Name User-Password Vendor-specific (Microsoft) MSCHAP-Challenge MSCHAP-Response MSCHAPv2-Response Vendor-specific (WISPr) Location-Name Location-ID Logoff-url Colubris AV-Pair Acct-Authentic Acct-Delay-Time Acct-Event-Timestamp Acct-Session-Id Acct-Status-Type Called-Station-Id Calling-Station-Id Class Framed-IP-Address NAS-Identifier NAS-Ip-Address NAS-Port NAS-Port-Type User-Name Accounting Response No attributes are supported. In the attribute descriptions, a string is defined as 1 to 253 characters. 15-8 Working with RADIUS attributes Controller attributes overview Access request Acct-Session-Id (32-bit unsigned integer) Random value generated per authentication by the controller. Called-Station-Id (string) By default, this is set to the MAC address of the controller wireless/LAN port in IEEE format. For example: 00-02-03-5E-32-1A. To use the MAC address of the Internet port, you must edit the config file and change the setting of radius-called-station-id-port to WAN in the section. Calling-Station-Id (string) The MAC address of the controller LAN port in IEEE format. For example: 00-02-03-5E-32-1A. CHAP-Challenge (string) Randomly generated by the product. As defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP. Length = 19 bytes. CHAP-Password (string) The password assigned to the controller on the Public access > Attributes page. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP. Connect-Info (string) The string “HTTPS”. EAP-Message (string) As defined in RFC 2869. Only present when the authentication method for the RADIUS profile is set to EAP-MD5. Framed-IP-Address (32-bit unsigned integer) IP Address of the controller LAN port. Framed-MTU (32-bit unsigned integer) Hard-coded to 1496 (802.1X). Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum which is 1500 bytes in order to support IEEE802dot1x authentication. NAS-Identifier (string) The NAS ID set on the Controller >> Authentication > RADIUS profiles > Add New Profile page for the RADIUS profile being used. 15-9 Working with RADIUS attributes Controller attributes overview NAS-Ip-Address (32-bit unsigned integer) The IP address of the port the controller is using to communicate with the RADIUS server. NAS-Port (32-bit unsigned integer) Always 0. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. Message-Authenticator (string) As defined in RFC 2869. Always present even when not doing an EAP authentication. length = 16 bytes. Service-Type (32-bit unsigned integer) RADIUS service type. State (string) As defined in RFC 2865. User-Name (string) The RADIUS username assigned to the controller on the Public access > Attributes page. User-Password (string) The password assigned to the controller on the Public access > Attributes page. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to PAP. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes. MSCHAP-Response (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1. Length = 49 bytes. MSCHAPv2-Response (string) As defined in RFC 2759. Only present when the authentication method for the RADIUS profile is set to MSCHAPv2. Length = 49 bytes. 15-10 Working with RADIUS attributes Controller attributes overview Vendor-specific (WISPr) HP supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 2 Attribute type: A string in the format: wispr-location-name=location_name Location-ID The WISPr location identifier assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 1 Attribute type: A string in the format: wispr-location-id=location_id Logoff-url The WISPr log-off URL that will be used. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 3 Attribute type: A string in the format: wispr-logoff-url=URL Access accept Class (string) As defined in RFC 2865. Multiple instances are supported. EAP-Message (string) Only supported when authentication is EAP-MD5. Note that the content will not be read as the RADIUS Access Accept overrides whatever indication is contained inside this packet. Session-Timeout (32-bit unsigned integer) The controller will retrieve RADIUS attributes when this timer expires. Omitting this attribute or specifying 0 disables the feature. (Note that this is configurable directly on the controller by setting Public access > Attributes > Retrieval interval. Vendor-specific (Colubris) Colubris AV-Pair (string) HP has defined this vendor-specific attribute to support configuration of special features on the controller, such as the customization of the public access interface and global user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values: 15-11 Working with RADIUS attributes Controller attributes overview SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 0 Attribute type: A string in the following format = Multiple instances of the Colubris AV-pair can be defined in a RADIUS account to configure a variety of settings. For a complete list of all supported attributes, see Colubris AV-Pair - Site attribute values on page 15-33. Access reject No attributes are supported. Access challenge No attributes are supported. Accounting request Acct-Authentic (32-bit unsigned integer) Always set to 1 which means RADIUS. Acct-Delay-Time (32-bit unsigned integer) As defined in RFC 2869. Acct-Event-Timestamp (32-bit unsigned integer) As defined in RFC 2869. Acct-Session-Id (32-bit unsigned integer) Random value generated by the controller. Acct-Status-Type (32-bit unsigned integer) Supported values are: Accounting-On (7) and Accounting-Off (8). Called-Station-Id (string) The MAC address of the controller LAN port in IEEE format. For example: 00-02-03-5E-32-1A. Calling-Station-Id (string) The MAC address of the controller LAN port in IEEE format. For example: 00-02-03-5E-32-1A. Class (string) As defined in RFC 2865. Multiple instances are supported. 15-12 Working with RADIUS attributes User attributes Framed-IP-Address (32-bit unsigned integer) IP Address of the controller LAN port. NAS-Identifier (string) The NAS ID for the RADIUS profile being used. NAS-Ip-Address (32-bit unsigned integer) The IP address of the port the controller is using to communicate with the RADIUS server. NAS-Port (32-bit unsigned integer) Always 0. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. User-Name (string) The RADIUS username assigned to the controller on the Public access > Attributes page. Accounting response No attributes are supported. User attributes The controller provides support for a number of standard RADIUS user attributes, including those for authentication and accounting. See User attribute definitions on page 15-20 for a list of these attributes and a brief definition. For detailed information on these attributes, refer to the documentation that came with your RADIUS server. The controller also supports several vendor-specific attributes, including the special HP attribute (known as the user attribute) that is used to customize the behavior of the public access interface and define values for user accounts. To find out more about the user attribute, see the following section. Customizing user accounts with the user attribute HP has defined a vendor-specific RADIUS attribute to support configuration of the public access interface and user accounts. This attribute conforms to RADIUS RFC 2865 and is called the Colubris AV-Pair. 15-13 Working with RADIUS attributes User attributes Multiple instances of the Colubris AV-Pair attribute can be defined for each user, each with a different AV-Pair value. For a complete list of all supported AV-Pair values, see Colubris AVPair - User attribute values on page 15-67. In order for a third-party RADIUS server to support the Colubris AV-Pair attribute you need to define it as described under Colubris AV-Pair on page 15-32. Note The Colubris AV-Pair attribute can be used to define settings on the controller and for users and administrators. This section discuses user settings only. Important The documentation for this product frequently uses the terms site attributes and user attributes to refer to the Colubris AV-Pair attribute values depending on whether the AV-Pair attribute values are set with a value that applies to the public access site or to an individual user. Defining and retrieving user attributes User attributes can be retrieved from a third-party RADIUS server or specified directly on the controller in user account profiles. Defining attributes locally in user accounts If you are using the local user accounts to authenticate users, then you can define account attributes locally via account profiles. Each user account can be associated with one or more account profiles. The attributes that are set in each profile are combined in the account to produce the full list of active attributes. If you are working with access-controlled user accounts, additional attributes can also be defined via the Default AC profile. The best way to understand how all this works is to look at an example. 15-14 Working with RADIUS attributes User attributes Example In this example, two user profiles (called Employee and Guest) are defined on the Controller >> Users > Account profiles page. The settings for each profile are shown below. Employee profile Sets the attributes that will be used to define employee accounts. 15-15 Working with RADIUS attributes User attributes Guest profile Sets the attributes that will be used to define guest accounts. Once account profiles have been defined, user accounts can be created. 15-16 Working with RADIUS attributes User attributes The following sample page shows the initial configuration of a user account for an employee named Bill. Notice that before any account profile is assigned, the Effective attributes box shows a couple of active attributes: Idle timeout, and Session timeout. These attributes come from the Default AC profile. Attributes from this profile are automatically assigned to all access-controlled user accounts. To customize the attributes for the Default AC profile you need to select Controller >> Public access > Attributes. (The default AC profile cannot be edited via the Controller >> Users > Account profiles page.) See About the Default AC profile on page 10-27. 15-17 Working with RADIUS attributes User attributes To complete the configuration of Bill’s account, the Employee account profile is assigned, which adds additional attributes to the Effective attributes list. Retrieving attributes from a RADIUS server When you are using a RADIUS server to authenticate users, attributes can be set in individual user accounts to define the same settings that are available via the local user profiles. These settings are accomplished by adding both standard RADIUS attributes (User attribute definitions on page 15-20) and one or more instances of the Colubris AV-Pair (user) attribute (Colubris AV-Pair - User attribute values on page 15-67) to the appropriate RADIUS user accounts. ProCurve Manager IDM support HP ProCurve Manager (PCM) is a network management solution for managing HP ProCurve devices. HP ProCurve Identity Driven Manager (IDM) is a plug-in to HP ProCurve Manager Plus that enables dynamic provisioning of network security and performance settings based on user, device, location, time, and endpoint posture. 15-18 Working with RADIUS attributes User attributes IDM can be used to define settings in a user’s RADIUS account that the controller will retrieve when the user is authenticated, and then apply to the user’s wireless session. The following PCM settings are supported. PCM setting Description Supported on VSCs that are ... Tagged VLAN Specifies a VLAN number only. Names are not supported. Access controlled and Non-access-controlled Sets the bandwidth level for the user’s account. PCM numerical values are mapped to the user account as follows: Access controlled and Non-access-controlled (The Untagged VLAN setting is not supported.) QoS 6, 7 = VERY-HIGH 4, 5 = HIGH 0, 3 = NORMAL 1, 2 = LOW Requires that the Bandwidth control feature is enabled on the controller (Controller >> Network > Bandwidth control) when accesscontrolled VSCs are used. Ingress/Egress rate limit Sets the user’s ingress and egress data rates in bytes. Access controlled Network resources access rule Sets a custom access control list for the user. Access controlled Important When using PCM to configure settings in a user’s RADIUS account, you should not use Colubris AV-Pair values to define other settings in the same account. Standard RADIUS attributes can be used however. 15-19 Working with RADIUS attributes User attributes User attribute definitions The following attributes are supported for user accounts. Access Request Access Accept Accounting Request Acct-Session-Id Acct-Interim-Interval Acct-Authentic Called-Station-Id Acct-Delay-Time Calling-Station-Id Chargeable User Identity (CUI) Acct-Event-Timestamp CHAP-Challenge Acct-Session-Id Acct-Status-Type Calling-Station-Id Called-Station-Id Chargeable User Identity (CUI) Class Framed-IP-Address NAS-Identifier NAS-Ip-Address NAS-Port NAS-Port-Type User-Name Vendor-specific (WISPr) CHAP-Password Chargeable User Identity (CUI) Connect-Info EAP-Message Framed-IP-Address Framed-MTU NAS-Identifier NAS-Ip-Address NAS-Port Message-Authenticator Service-Type User-Name User-Password Vendor-specific (Microsoft) EAP-Message Idle-Timeout Reply-Message Session-Timeout Termination-Action Tunnel-Medium-Type Tunnel-Private-Group-ID Tunnel-Type Vendor-specific (Microsoft) State Class NAS-Port-Type MSCHAP-Challenge Vendor-specific (WISPr) MS-MPPE-Recv-Key MS-MPPE-Send-Key Vendor-specific (Colubris) Colubris AV-Pair Colubris-Intercept Access Reject EAP-Message Vendor-specific (Microsoft) MSCHAP-Response MSCHAPv2-Response MSCHAP-Error Reply-Message Access Challenge EAP-Message State Location-Name Location-ID Logoff-url Accounting Response No attributes are supported. 15-20 Location-Name Location-ID Logoff-url Acct-Session-Time Acct-Input-Gigawords Acct-Input-Octets Acct-Input-Packets Acct-Output-Gigawords Acct-Output-Octets Acct-Output-Packets Acct-Terminate-Cause Working with RADIUS attributes User attributes Access request Acct-Session-Id (32-bit unsigned integer) Random value generated per authentication by the controller. Called-Station-Id (string) By default, this is set to the MAC address of the controller wireless/LAN port in IEEE format. For example: 00-02-03-5E-32-1A. To use the MAC address of the Internet port, you must edit the config file and change the setting of radius-called-station-id-port to WAN in the section. If location-aware authentication is enabled for the VSC the user is logged into, then this value is defined by the VSC. Calling-Station-Id (string) The MAC address of the user’s station in IEEE format. For example: 00-02-03-5E-32-1A. CHAP-Challenge (string) Randomly generated. As defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP. Length = 19 bytes. CHAP-Password (string) The user’s password. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to CHAP. Chargeable User Identity (CUI) (string) As defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. Connect-Info (string) The string “HTTPS” or “IEEE802.1X”. EAP-Message (string) As defined in RFC 2869. Only present when the authentication method for the RADIUS profile is set to EAP-MD5. Framed-IP-Address (32-bit unsigned integer) IP Address as configured on the client station (if known by the controller). Framed-MTU (32-bit unsigned integer) Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum which is 1500 bytes in order to support IEEE802dot1x authentication. 15-21 Working with RADIUS attributes User attributes NAS-Identifier (string) The NAS ID set on the Controller >> Authentication > RADIUS profiles > Add New Profile page for the RADIUS profile being used. NAS-Ip-Address (32-bit unsigned integer) The IP address of the port the controller is using to communicate with the RADIUS server. NAS-Port (32-bit unsigned integer) A port number, other than 0. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. Message-Authenticator (string) As defined in RFC 2869. Always present even when not doing an EAP authentication. length = 16 bytes. Service-Type (32-bit unsigned integer) RADIUS service type. State (string) As defined in RFC 2865. User-Name (string) The username assigned to the user or a device when using MAC authentication. User-Password (string) The password supplied by a user or device when logging in. Encoded as defined in RFC 2865. Only present when the authentication method for the RADIUS profile is set to PAP. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes. MSCHAP-Response (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1. Length = 49 bytes. 15-22 Working with RADIUS attributes User attributes MSCHAPv2-Response (string) As defined in RFC 2759. Only present when the authentication method for the RADIUS profile is set to MSCHAPv2. Length = 49 bytes. Vendor-specific (WISPr) HP supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 2 Attribute type: A string in the format: wispr-location-name=location_name Location-ID The WISPr location identifier assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 1 Attribute type: A string in the format: wispr-location-id=location_id Logoff-url The WISPr log-off URL that will be used. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 3 Attribute type: A string in the format: wispr-logoff-url=URL Access accept Acct-Interim-Interval (32-bit unsigned integer) When present, enables the transmission of RADIUS accounting requests of the Interim Update type. Specify the number of seconds between each transmission. Chargeable User Identity (CUI) (string) As defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. Class (string) As defined in RFC 2865. Multiple instances are supported. EAP-Message (string) Only supported when authentication is EAP-MD5. Note that the content will not be read as the RADIUS Access Accept overrides whatever indication is contained inside this packet. 15-23 Working with RADIUS attributes User attributes Idle-Timeout (32-bit unsigned integer) Maximum idle time in seconds allowed for the user. Once reached, the user session is terminated with termination-cause IDLE-TIMEOUT. Omitting the attribute or specifying 0 disables the feature. Reply-Message (string) This string (as defined in RFC 2865) is recorded and passed as is to the GetRadiusReplyMessage() asp function. Multiple string are supported to a maximum length of 252 bytes. Session-Timeout (32-bit unsigned integer) Maximum time a session can be active. The user must re-authenticate when this timer expires. Omitting this attribute or specifying 0 disables the feature. Termination-Action (32-bit unsigned integer) As defined by RFC 2865. If set to 1, a new Access Request is sent. If an Access Accept is returned, the controller then extends the user’s session timeout, and if applicable, session quota, according the value returned by the RADIUS server. Tunnel-Medium-Type (24-bit unsigned integer) Only used when assigning a specific VLAN number to a user. In this case it must be set to 802. The tag field for this attribute must be set to 0. Tunnel-Private-Group-ID (string) Only used when assigning a specific VLAN number to a user. In this case it must be set to the VLAN ID. The tag field for this attribute must be set to 0. Tunnel-Type (24-bit unsigned integer) Only used when assigning a specific VLAN number to a user. In this case it must be set to 13 (VLAN). The tag field for this attribute must be set to 0. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MS-MPPE-Recv-Key (string) Use to validate a PMKID inside a 802.11 association request, send EAPOL keys to a wireless station when a VSC has 802.1X WEP enabled, and to perform a four-way handshake. MS-MPPE-Send-Key (string) Use to validate a PMKID inside a 802.11 association request, send EAPOL keys to a wireless station when a VSC has 802.1X WEP enabled, and to perform a four-way handshake. 15-24 Working with RADIUS attributes User attributes Vendor-specific (Colubris) (string) Colubris AV-Pair The Colubris AV-Pair is a HP a vendor-specific attribute defined by HP to support configuration of user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values: SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 0 Attribute type: A string in the following format = Multiple instances of the Colubris AV-Pair can be defined in a RADIUS account to configure a variety of settings. For a complete list of all supported settings, see Colubris AV-Pair - Site attribute values on page 15-33. Colubris-Intercept This attribute is used to enable/disable the interception and redirection of traffic for individual users. The destination for intercepted traffic is defined separately for each VSC using the Interception option under VSC egress mapping. See VSC egress mapping on page 5-17. You may need to define the Colubris-Intercept attribute on your RADIUS server (if it is not already present) using the following values: SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 1 Attribute type = integer with one of the following values: 0: Do not intercept user traffic. 1: Intercept user traffic and redirect it to the destination defined by the Intercepted option under VSC egress mapping in the VSC to which the user is connected. Access reject EAP-Message (string) Only supported when authentication is EAP-MD5. Note that the content will not be read as the RADIUS Access Reject overrides whatever indication is contained inside this packet. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Error (string) A MSCHAP specific error as defined by RFC 2433. 15-25 Working with RADIUS attributes User attributes Reply-Message (string) This string (as defined in RFC 2865) is recorded and passed as is to the GetRadiusReplyMessage() asp function. Multiple string are supported to a maximum length of 252 bytes. Access challenge EAP-Message (string) One or more occurrences of this attribute is supported inside the same packet. All occurrences are concatenated and transmitted to the IEEE802dot1x client as is. As defined in RFC 2869. State (string) As defined in RFC 2865. Accounting request Accounting start, stop. and interim-update Acct-Authentic (32-bit unsigned integer) Always set to 1 which means RADIUS. Acct-Delay-Time (32-bit unsigned integer) As defined in RFC 2869. Acct-Event-Timestamp (32-bit unsigned integer) As defined in RFC 2869. Acct-Session-Id (32-bit unsigned integer) Random value generated by the controller. Acct-Status-Type (32-bit unsigned integer) Supported value are: Start (1), Interim Update (3), and Stop (2). Calling-Station-Id (string) The MAC address of the user’s computer in IEEE format. For example: 00-02-03-5E-32-1A. Called-Station-Id (string) The MAC address of the controller LAN port in IEEE format. For example: 00-02-03-5E-32-1A. 15-26 Working with RADIUS attributes User attributes Chargeable User Identity (CUI) (string) As defined in RFC-4372. The CUI is used to associate a unique identifier with a user so that the user can be identified (for billing, authentication or other purposes) when roaming outside of their home network. Class (string) As defined in RFC 2865. Multiple instances are supported. Framed-IP-Address (32-bit unsigned integer) IP Address of the user’s computer. NAS-Identifier (string) The NAS ID for the RADIUS profile being used. NAS-Ip-Address (32-bit unsigned integer) The IP address of the port the controller is using to communicate with the RADIUS server. NAS-Port (32-bit unsigned integer) A virtual port number starting at 1. Assigned by the controller. NAS-Port-Type (32-bit unsigned integer) Always set to 19, which represents WIRELESS_802_11. User-Name (string) The username assigned to the user or to a device when using MAC authentication. Vendor-specific (WISPr) HP supports the following Wi-Fi Alliance vendor-specific attributes. Location-Name The WISPr location name assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 2 Attribute type: A string in the format: wispr-location-name=location_name Location-ID The WISPr location identifier assigned to the controller. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 1 Attribute type: A string in the format: wispr-location-id=location_id 15-27 Working with RADIUS attributes User attributes Logoff-url The WISPr log-off URL that will be used. SMI network management private enterprise code = 14122 Vendor-specific attribute type number = 3 Attribute type: A string in the format: wispr-logoff-url=URL Accounting stop. and interim-update Acct-Session-Time (32-bit unsigned integer) Number of seconds this session since this session was authenticated. Only present when Acct-Status-Type is Interim-Update or Stop. Acct-Input-Gigawords (32-bit unsigned integer) High 32-bit value of the number of octets/bytes received by the user. Only present when AcctStatus-Type is Interim-Update or Stop. Acct-Input-Octets (32-bit unsigned integer) Low 32-bit value of the number of octets/bytes received by the user. Only present when AcctStatus-Type is Interim-Update or Stop. Acct-Input-Packets (32-bit unsigned integer) Low 32-bit value of the number of packets/bytes received by the user. Only present when Acct-Status-Type is Interim-Update or Stop. Acct-Output-Gigawords (32-bit unsigned integer) High 32-bit value of the number of octets/bytes sent by the user. Only present when AcctStatus-Type is Interim-Update or Stop. As defined in 2869. Acct-Output-Octets (32-bit unsigned integer) Low 32-bit value of the number of octets/bytes sent by the user. Only present when AcctStatus-Type is Interim-Update or Stop. Acct-Output-Packets (32-bit unsigned integer) Low 32-bit value of the number of packets/bytes sent by the user. Only present when AcctStatus-Type is Interim-Update or Stop. 15-28 Working with RADIUS attributes User attributes Accounting stop only Acct-Terminate-Cause (32-bit unsigned integer) Termination cause for the session See RFC 2866 for possible values. Only present when AcctStatus-Type is Stop. ID Cause Notes 1 User Request Supported. Indicates that the user logged out. 2 Lost Carrier Supported. Indicates that the client station is no longer alive. 3 Lost Service Supported. When location-aware is enabled and a user switches access points, the controller re-authenticates the user. If authentication fails due to timeout, this code is returned. 4 Idle Timeout Supported. User exceeded the idle timeout value defined for the session. 5 Session Timeout Supported. User exceeded maximum time defined for the session. 6 Admin Reset Supported. User session was terminated by the controller administrator via SNMP or the management tool. 7 Admin Reboot Not Supported. (not applicable) 8 Port Error Supported. If two users are detected using the same IP address, both are logged out with this error. Another cause is if an error is encountered in an access list definition. For example, an invalid host was specified. 9 NAS Error Not Supported. (not applicable) 10 NAS Request Not Supported. (not applicable) 11 NAS Reboot Supported. User was logged out because the controller was restarted. 12 Port Unneeded Not Supported. (not applicable) 13 Port Preempted Supported. When a user switches AP or SSID with incompatible configurations (authentication type), they are logged out with this code. Also if the user changes authentication type of the same AP. 14 Port Suspended Not Supported. (not applicable) 15 Service Unavailable Not Supported. (not applicable) 16 Callback Not Supported. (not applicable) 15-29 Working with RADIUS attributes User attributes ID Cause Notes 17 User Error Supported. An 802.1X client initiated a second authentication request for a user, and this request was refused. 18 Host Request Not Supported. (not applicable) 0x8744 (34628 decimal) Termination HP-specific termination cause. Accounting response No attributes are supported. 15-30 Working with RADIUS attributes Administrator attributes Administrator attributes If you want to support multiple administrator names and passwords, you must use a RADIUS server to manage them. The controller only supports a single admin name and password internally (defined on the Controller >> Management > Management tool page). Note Improper configuration of the administrator profile could expose the controller to access by any user with a valid account. The only thing that distinguishes an administrative account from that of a standard user account is the setting of the service type. Make sure that a user is not granted access if service type is not Administrative, This is the reason why it may be prudent to use a different RADIUS server to handle administrator logins. This practice reduces the risk of a bad configuration on the RADIUS server side creating a security hole. The following attributes are supported for administrator accounts. Access Request Framed-MTU NAS-Identifier User-Name Service-Type Vendor-specific (Microsoft) MSCHAP-Challenge MSCHAP-Response Access Accept Vendor-specific (Colubris) Access Reject No attributes are supported. Access Challenge No attributes are supported. Accounting Request No attributes are supported. Accounting Response No attributes are supported. Access request Framed-MTU (32-bit unsigned integer) Hard-coded value of 1496. The value is always four bytes lower than the wireless MTU maximum which is 1500 bytes in order to support IEEE802dot1x authentication. NAS-Identifier (string) The NAS ID set on the Controller >> Authentication > RADIUS profiles > Add New Profile page for the RADIUS profile being used. User-Name (string) The username assigned to the administrator. 15-31 Working with RADIUS attributes Administrator attributes Service-Type (32-bit unsigned integer) As defined in RFC 2865. Set to a value of 6, which indicates SERVICE_TYPE_ADMINISTRATIVE. Vendor-specific (Microsoft) HP supports the following Microsoft vendor-specific attributes. MSCHAP-Challenge (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1 or MSCHAPv2. Length = 8 bytes. MSCHAP-Response (string) As defined in RFC 2433. Only present when the authentication method for the RADIUS profile is set to MSCHAPv1. Length = 49 bytes. Access accept Vendor-specific (Colubris) (string) Colubris AV-Pair HP has defined a vendor-specific attribute to support configuration of user session settings. This attribute conforms to RADIUS RFC 2865. You may need to define this attribute on your RADIUS server (if it is not already present) using the following values: SMI network management private enterprise code = 8744 Vendor-specific attribute type number = 0 Attribute type: A string in the following format = Multiple instances of the Colubris AV-Pair can be defined in a RADIUS account to configure a variety of settings. For a complete list of all supported attributes, see Colubris AV-Pair - Administrator attribute values on page 15-74. 15-32 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Colubris AV-Pair - Site attribute values Site values let you define global settings that affect operation of the public access network and all user accounts. Each Colubris AV-Pair value is specified using the following format: = The following table lists all supported site value keywords and provides a link to complete descriptions for each one. Colubris AV-Pair keyword For more information see access-list use-access-list=uselistname use-access-list-unauth=uselistname default-user-access-list Access list on page 15-34 configuration-file Configuration file on page 15-44 ssl-certificate Custom SSL certificate on page 15-44 custom-pages Loading custom pages from an archive on page 15-45 login-page transport-page session-page fail-page logo Loading individual pages on page 15-46 These keywords have been deprecated. If you are creating a new installation, use the custom-pages keyword or the site file archive feature on the Controller >> Public access > Web content page. If you are upgrading from a previous release, your existing configuration will still work. welcome-url login-err goodbye-url Hosting pages on an external Web server on page 15-47 login-url Remote login page on page 15-47 messages Custom message file on page 15-51 default-user-acct-interim-update Default user interim accounting update interval on page 15-51 default-user-bandwidth-level Default user bandwidth level on page 15-51 default-user-idle-timeout Default user idle timeout on page 15-52 default-user-one-to-one-nat Default user one-to-one NAT on page 15-53 default-user-use-public-ip-subnet Default user public IP address on page 15-54 default-user-session-timeout Default user session timeout on page 15-54 default-user-smtp-redirect Default user SMTP server on page 15-54 15-33 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Colubris AV-Pair keyword For more information see default-user-welcome-url default-user-goodbye-url Default user URLs on page 15-55 default-user-max-input-packets default-user-max-output-packets default-user-max-total-packets Default user quotas on page 15-52 default-user-max-input-octets default-user-max-output-octets default-user-max-total-octets default-user-max-input-rate=value default-user-max-output-rate=value Default user data rates on page 15-53 http-proxy-upstream HTTP proxy upstream on page 15-55 ipass-login-url IPass login URL on page 15-56 mac-address Global MAC-based authentication on page 15-56 primary-web-server-status-url secondary-web-server-status-url primary-web-server-status-url secondary-web-server-status-url Multiple login servers on page 15-57 redirect-url Redirect URL on page 15-59. ssl-noc-certificate ssl-noc-ca-certificate NOC authentication on page 15-62. wispr-login-url wispr-abort-login-url redirect-page access-procedure HP WISPr support on page 15-62. dnat-server primary-dnat-server-status-url secondary-dnat-server-status-url Traffic forwarding (dnat-server) on page 15-63. Access list Access lists enable you to create public areas on your network that all users can browse, and protected areas that are restricted to specific user accounts or groups. Each access list is a set of rules that governs how the controller controls access to network resources. You can create multiple access lists, each with multiple rules to manage the traffic on your public access network. 15-34 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Default setting By default no access lists are defined. This means that: If authentication (802.1X, WPA, HTML, MAC) is not enabled on a VSC, all users that connect to the VSC have access to the protected network. If authentication (802.1X, WPA, HTML, MAC) is enabled on a VSC, then: Unauthenticated users only reach the public access login page. Access to the protected network is blocked, except for register.procurve.com which enables product registration. Authenticated users have access to the protected network. How the access lists work Access lists can be applied on the controller (site access lists), in which case they affect all user traffic, or individually for each user account (user access lists). Incoming traffic cascades through the currently active lists. Traffic that is accepted or denied by a list is not available to the list that follows it. Traffic that passes through all lists without being accepted or denied is dropped. Access list rules that accept traffic are: ACCEPT, ACCEPT-MORE, DNAT-SERVER, and REDIRECT. Access list rules that deny traffic are: DENY and WARN. The following diagram illustrates how incoming traffic from a user session is processed by the access list mechanism. Incoming user traffic Service Controller Access List NO MATCH DENY Unauthenticated Authenticated and a user access list exists ACCEPT Authenticated and no user access list exists User Access List DENY Dropped NO MATCH ACCEPT To protected network via the Internet port 15-35 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Within each access list, traffic cascades through the list rules in a similar manner. Incoming traffic Rule 1 DENY NO MATCH ACCEPT NO MATCH ACCEPT NO MATCH ACCEPT Rule 2 DENY Rule 3 DENY DENY NO MATCH ACCEPT Access list rules are numbered according to the order in which they are specified. Only data that is not accepted or denied by a rule is available to the next rule in the list. Accounting support Each rule in an access list can be configured with an account name for billing purposes. The controller sends billing information based on the amount of traffic matched by the rule. This lets you create rules to track and bill traffic to particular destinations. Tips on using the access list With certificates If you replaced the default SSL certificate on the controller with one signed by a wellknown CA, you should define the access list to permit access to the CA certificate for all non-authenticated users. This enables the user’s browser to verify that the certificate is valid without displaying any warning messages. Users may have configured their Web browsers to check all SSL certificates against the Certificate Revocation List (CRL) maintained by the CA that issued the certificate. The location of the CRL may be configured in the browser, or embedded in the certificate. The access list should be configured to permit access to the CRL, otherwise the user’s browser times out before displaying the login page. Remote login page If you are using the remote login page feature, make sure that access to the Web server hosting the login page is granted to all unauthenticated users via the site access list. 15-36 Working with RADIUS attributes Colubris AV-Pair - Site attribute values SMTP redirect If an unauthenticated user establishes a connection to their email server, the SMTP redirect feature will not work once the user logs in. The user’s email is still sent to the original email server. To avoid this, do not use an access list to open TCP port 25 for unauthenticated users. Critical access list definitions (such as for a remote login page, certificates) should not use the OPTIONAL setting because if these definitions fail to initialize there is no indication in the log. Defining access lists Access lists are defined by adding the following Colubris AV-Pair value string to the RADIUS profile for a controller or to the local list (Public access > Attributes page). access-list=value Each value string defines one rule. Up to 99 rules can be defined for an access list. All rules that make up an access list must be initialized without error for the list to be active. (You can force the controller to ignore initialization errors on a rule-by-rule basis by using the OPTIONAL parameter.) You can define up to 32 access lists. Activating site access lists When an access list is activated on the controller, it applies to all access controlled user traffic handled by the controller. Access lists are activated by adding the following Colubris AV-Pair value string to the RADIUS profile for a controller or to the local list (Public access > Attributes page). use-access-list=uselistname Only one access list can be active on the controller. This list must be initialized without an error. It is possible to set an access list to apply only for unauthenticated users by specifying the following value string: use-access-list-unauth=uselistname User access lists Access lists can also be activated on a per-user basis by configuring the appropriate settings for each user account. See Access list on page 15-67 for more information. A default access list can defined by adding the following Colubris AV-Pair value string to the RADIUS profile for a controller or to the local list (Public access > Attributes page). This defines the access list to use for all users whose profiles do not contain an access list value. default-user-access-list=uselistname 15-37 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Syntax access-list= listname[,OPTIONAL],action,protocol,address,port[,account[,interval]] use-access-list=uselistname default-user-access-list=uselistname use-access-list-unauth=uselistname Note You can use spaces as separators instead of commas. Where: Parameter Description listname Specify a name (up to 32 characters long) to identify the access list this rule applies to. If a list with this name does not exist, a new list is created. If a list with this name exists, the rule is added to it. uselistname Specify the name of an existing access list. This list is activated for the current profile. Lists are checked in the order they are activated. OPTIONAL Allows the access list to be activated even if this rule fails to initialize. For example, if you specify a rule that contains an address which cannot be resolved for some reason, the other rules that make up the access list will still be initialized. If you do not specify optional, a failed rule will cause the entire list to fail. Critical access list definitions (such as for a remote login page, certificates) should not use the OPTIONAL setting because if these definitions fail to initialize there will be no indication in the log. action Specify what action the rule takes when it matches incoming traffic. The options are: ACCEPT - Allow traffic matching this rule. ACCEPT-MORE - Allow traffic matching this rule and allocate extra connections (when required) to enable users to connect with the specified address. By default the controller allows up to 200 TCP or UDP connections per authenticated or unauthenticated user. If a user has exceeded this connection limit, this parameter allows the controller to permit extra connections from the user when connecting to the specified destination. Connections are assigned from a global pool of 100 connections. 15-38 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Parameter Description This can be used to make sure that users can always reach an important resource on the network. For example, the following access list definition allows additional connections as needed to any user who is trying to reach my-web-server.com. action (continued) access-list=HP,ACCEPT-MORE,all,my-web-server.com,80 use-access-list=procurve DENY - Reject traffic matching this rule. DNAT-SERVER: Traffic matching this rule is forwarded to the destination defined by the dnat-server value. See Traffic forwarding (dnat-server) on page 15-63 for more information. Note: SSL traffic cannot be forwarded as this breaks SSL security during connection negotiation resulting in the connection not being established. protocol REDIRECT: Reject traffic matching this rule and redirect the user’s Web browser to the page specified by redirect-url, or login-url if redirect-url is not defined. See Redirect URL on page 15-59 for more information. For example, one use for this feature could be to block access to a popular protocol, then prompt the user for additional fees to activate support. WARN: Reject traffic matching this rule and return an HTTP error message (which is not customizable) indicating that access to the site is not allowed by the network. For example: Specify the protocol to check: tcp, udp, icmp, all 15-39 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Parameter Description address Specify one of the following: IP address or domain name (up to 107 characters in length) Subnet address. Include the network mask as follows: address/subnet mask For example: 192.168.30.0/24 Use the keyword all to match any address. Use the wildcard symbol * to match any sequence of characters at the beginning or the end of a domain name. For example: *.mydomain matches any host on the domain .mydomain. myhost.* matches myhost at any domain. For example, myhost.com or myhost.ca port Use the keyword none if the protocol does not take an address range (ICMP for example). Specify a specific port to check or a port range as follows: none - Used with ICMP (since it has no ports). all - Check all ports. 1-65535[:1-65535] - Specify a specific port or port range. Note: If you choose all possible protocols for an access-list definition, then you must supply all ports as well. account Specify the name of the user account the controller will send billing information to for this rule. Account names must be unique and can be up to 32 characters in length. interval Specify time between interim accounting updates. If you do not enable this option, accounting information is only sent when a user connection is terminated. Range: 5 to 99999 seconds in 15 second increments. Access list example This example illustrates how access lists can be used to control access to network resources for different groups of users at a fictitious university campus. Topology The following two topologies show potential wireless deployments for the campus using different types of HP equipment. In both cases, a RADIUS server is used to store configuration attributes for the public access network. Although the topologies are slightly different, the same access list definitions are used for both installations. 15-40 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Topology 1: Network Operating Center Router/Firewall 20.7 Faculty subnet SMTP server 20.3 20.6 DNS/DHCP server Web/FTP server 20.2 20.5 Management station 20.1 20.4 VPN server RADIUS server File server 30.2 Printer server 20.1 30.1 192.168.20.0 Student subnet Admin subnet File server 40.2 Printer server 40.1 Registration Web server 50.1 192.168.40.0 192.168.30.0 Public Web server 50.2 192.168.50.0 192.168.10.0 Building #1 Building #2 10.1 Service controller Building #3 10.2 Service controller Service controller 10.3 10.3 10.1 PU PU BLIC WL A N 192.168.1.0 1.2 PU BLIC WL A N PU BLIC WL A N 1.1 BLIC WL A N 1.1 192.168.1.0 192.168.1.0 AP AP PU BLIC WL A N 1.3 1.2 1.3 1.4 1.5 1.6 1.6 1.2 PU BLIC WL A N AP AP 1.3 PU BLIC WL A N 15-41 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Topology 2: Network Operating Center Router/Firewall 20.7 Faculty subnet SMTP server 20.3 20.6 DNS/DHCP server Web/FTP server 20.2 20.5 Management station 20.1 20.4 VPN server RADIUS server File server 30.2 Printer server 30.1 20.1 192.168.20.0 192.168.30.0 Student subnet Admin subnet File server 40.2 Printer server 40.1 Public Web server 50.2 Registration Web server 50.1 192.168.40.0 192.168.50.0 192.168.10.0 Building #1 Building #2 Service controller Service controller 10.1 1.1 PU BLIC WL A N Service controller 10.2 1.1 192.168.1.0 1.2 Building #3 1.1 192.168.1.0 AP AP PU BLIC WL A N 1.3 10.3 192.168.1.0 1.2 1.3 1.4 1.5 1.6 1.6 1.2 PU BLIC WL A N AP AP 1.3 PU BLIC WL A N Access list definitions The RADIUS profile for the controller contains the following: access-list=everyone,ACCEPT,tcp,192.168.50.2,80 access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500 access-list=students,ACCEPT,all,192.168.40.0/24,all access-list=students,DENY,all,192.168.20.0/24,all access-list=students,DENY,all,192.168.30.0/24,all access-list=students,ACCEPT,all,all.all,student_internet_use,5000 access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500 access-list=faculty,ACCEPT,all,192.168.30.0/24,all access-list=faculty,DENY,all,192.168.20.0/24,all access-list=faculty,DENY,all,192.168.40.0/24,all access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000 use-access-list=everyone 15-42 Working with RADIUS attributes Colubris AV-Pair - Site attribute values The RADIUS profile for every student contains the following: use-access-list=students The RADIUS profile for every faculty member contains the following: use-access-list=faculty This definitions create three access lists: everyone, students, and faculty. Everyone This list applies to all users (students, teachers, guests), whether they are authenticated or not. This is because the list is active on the controller, which is accomplished with the entry: use-access-list=everyone It enables everyone to access the public Web server. Students This list applies to authenticated students only. It is composed of the following entries: access-list=students,ACCEPT,tcp,192.168.50.1,80,students_reg,500 Enables Web traffic to the registration Web server. Accounting data is recorded in the account students_reg. access-list=students,ACCEPT,all,192.168.40.0/24,all Enables traffic to reach the student segment. access-list=students,DENY,all,192.168.20.0/24,all access-list=students,DENY,all,192.168.30.0/24,all These two entries deny access to the faculty subnet and the NOC. access-list=students,ACCEPT,all,all.all,student_internet_use,5000 Enables all other traffic to reach the Internet (via routers on the backbone LAN and the router in the NOC). If this last rule did not exist, this traffic would be dropped. Faculty This list applies to authenticated faculty members only. It is composed of the following entries: access-list=faculty,ACCEPT,tcp,192.168.50.1,80,faculty_reg,500 Enables Web traffic to the registration Web server. Accounting data is recorded in the account faculty_reg. access-list=faculty,ACCEPT,all,192.168.30.0/24,all Enables traffic to reach the faculty segment. access-list=faculty,DENY,all,192.168.20.0/24,all access-list=faculty,DENY,all,192.168.40.0/24,all These two entries deny access to the student subnet and the NOC. 15-43 Working with RADIUS attributes Colubris AV-Pair - Site attribute values access-list=faculty,ACCEPT,all,all.all,faculty_internet_use,5000 Enables all other traffic to reach the Internet (via routers on the backbone LAN and the router in the NOC). If this last rule did not exist, this traffic would be dropped. Configuration file The controller can retrieve and load a new configuration file automatically, based on the URL you specify. Syntax configuration-file=URL[placeholder] Where: Parameter Description URL Specify the URL that points to the new configuration file. By using the following placeholders, you can customize the URL for each controller. This is useful when you need to update multiple units. Placeholder Description %n Returns the NAS ID assigned to the controller. By default, this is the unit serial number. %s Returns the RADIUS login name assigned to the controller on the Public access > Attributes page. By default, this is the unit serial number. %i Returns the domain name assigned to the controller Internet port. %a Returns the IP address of the controller Internet port. Custom SSL certificate The controller can retrieve a custom SSL security certificate to replace the HP certificate that is included by default. Syntax ssl-certificate=URL[placeholder] Where: 15-44 Parameter Description URL Specify the URL that points to the new certificate. Working with RADIUS attributes Colubris AV-Pair - Site attribute values By using the following placeholders, you can customize the URL for each controller. This is useful when you need to update multiple units. Placeholder Description %n Returns the NAS ID assigned to the controller. By default, this is its serial number. %s Returns the RADIUS login name assigned to the controller. By default, this is its serial number. %i Returns the domain name assigned to the controller Internet port. %a Returns the IP address of the controller Internet port. The certificate is encoded using PKCS#12 format, and contains: the private key of the Web server the certificate of the Web server The file is locked using a password. Note The password with which the certificate was locked must be the same as the password specified on the Public access > Attributes page. This is the password the controller uses to login to the RADIUS server. Example ssl-certificate=http://www.mycompany.com/%s_certificate Custom public access interface Web pages Several options are available to define custom pages. Loading custom pages from an archive This option enables you load site files from an external file archive, allowing you to replace the entire public access Web site in one simple operation. The archive must be in .zip format. Note The contents of the existing public access site is deleted and replaced by the contents of the archive (.zip) file. If the archive does not contain a complete set of valid pages, the public access interface will not function correctly. Note When unzipped the total size of all files must be less than 1MB. Syntax custom-pages=ArchiveURL 15-45 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Where: Parameter Description ArchiveURL URL of the .zip archive to be loaded. Loading individual pages These keywords have been deprecated. If you are creating a new installation, use the custom-pages keyword or the site file archive feature on the Controller >> Public access > Web content page. If you are upgrading from a previous release, your existing configuration will still work. Use the following values to retrieve pages from an external location and load them onto the controller. For descriptions of the individual pages, see Current site files on page 14-25. Note The maximum length of any page URL is 512 characters. If this is exceeded (when using placeholders for example), the URL is truncated. Therefore, it is recommended that you specify the most-important placeholders first. The pages can only be changed as a group. You cannot, for example, just specify the loginpage value. You must specify all of the following pages:. Login page login-page=URL_of_page [placeholder] Can be omitted if a remote login page is being used. See Remote login page on page 15-47. Transport page transport-page=URL_of_page [placeholder] Session page session-page=URL_of_page [placeholder] Fail page fail-page=URL_of_page [placeholder] Logo logo=URL_of_gif_file [placeholder] 15-46 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Placeholder The following placeholder is only available when using a RADIUS server. If these values are specified under Controller >> Public access > Attributes > Configured attributes, the placeholder cannot be used. Placeholder Description %a Returns the IP address of the controller’s Internet port. Hosting pages on an external Web server Use the following values to reference pages that reside on an external Web server. Note The maximum length of any page URL is 512 characters. If this is exceeded (when using placeholders for example), the URL is truncated. Therefore, it is recommended that you specify the most-important placeholders first. Note The controller maintains a separate copy of the URLs for external pages for each user. This means it is possible to provide different pages for each user. See Displaying custom welcome and goodbye pages on page 14-16. Welcome page welcome-url=URL_of_page[placeholder] The user is authenticated, so the welcome page can be located on any URL reachable by the user. Login error page login-err-url=URL_of_page[placeholder] Access to the Web server hosting this page must be granted to all unauthenticated users. Do this with an appropriate access list definition. (Users can see this page before they are logged in.) if the radius server denies user authentication, this is used instead of an error being presented on the login page. Goodbye page goodbye-url=URL_of_page[placeholder] Access to the Web server hosting this page must be granted to all unauthenticated users. Do this with an appropriate access list definition. (Users see this page after they are logged out.) Remote login page Use this value to redirect users to a remote server to log in to the public access interface instead of using the internal login page. 15-47 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Although the remote login page feature enables you to host the public access login page on a remote Web server, authentication of users is still performed by the controller through a RADIUS server or using the local user list. To accomplish this, the remote Web server must send user login information back to the controller. There are two ways this can be done: basic remote login (as described in this section), or by using the NOC-based authentication feature (described in Appendix D: NOC authentication). The following diagram shows the sequence of events for a typical user session when using a remote login page and a RADIUS server for authentication. User Controller Non-authenticated user attempts to browse a web site on the protected network. RADIUS server Web server hosting remote login page Request is intercepted. Web browser is redirected. Login page is sent. Login info is sent to the RADIUS server. User login info is sent. HTML redirect is sent to the user’s browser pointing it to the Welcome page Login approved. User configuration settings are returned. (This page could be hosted on a different web server.) User’s web browser is redirected to the Welcome page. Web server sends the Welcome page with URL of originally requested web site. Syntax login-url=URL_of_the_page [placeholder] Access to the Web server hosting this page must be granted to all unauthenticated users. Do this with an appropriate access list definition. (Users see this page before they are logged in.) 15-48 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Placeholders An important feature of these pages is that they make it easy to deliver a unique experience for each user. By appending the following optional placeholders to the Colubris AV-Pair value strings, you can pass important information to the Web server. Server-side code can process this information to generate custom pages on-the-fly. Placeholder Description %d Returns the WISPr location-ID. Supported for login-url only. %e Returns the WISPr location-Name. Supported for login-url only. %l Returns the URL on the controller where user login information should be posted for authentication. This option is used with the remote login page feature. By default, this value is URL encoded. (To enable/disable URL encoding, set the value of url-encode in the section in the configuration file.) %n Returns the NAS ID assigned to the controller. By default, this is the unit serial number. Not supported in local mode. %s Returns the RADIUS login name assigned to the controller. By default, this is the unit serial number. %u Returns the login name of the user. %o Returns the original URL requested by the user. By default, this value is URL encoded. (To enable/disable URL encoding, set the value of url-encode in the section in the configuration file.) %i Returns the domain name assigned to the controller Internet port. %p Returns the IP port number on the controller where user login information should be posted for authentication. %a Returns the IP address of the controller Internet port. %E When the location-aware feature is enabled, returns the ESSID of the wireless AP the user is associated with. %P When the location-aware feature is enabled, returns the wireless mode “ieee802.11a”, “ieee802.11b”, “ieee802.11g”) the user is using to communicate with the AP. %G When the location-aware feature is enabled, returns the group name of the wireless AP the user is associated with. %C When the location-aware feature is enabled, returns the Calledstation-id content for the wireless AP the user is associated with. %r Returns the string sent by the RADIUS server when an authentication request fails. The RADIUS server must be configured to support this feature. The information contained in the returned string depends on the configuration of the RADIUS server. 15-49 Working with RADIUS attributes Colubris AV-Pair - Site attribute values Placeholder Description %m Returns the MAC address of the client station that is being authenticated. %v Returns the VLAN assigned to the client station at the controller ingress (LAN port). Security issues It is recommended that the Web server hosting the remote login page be secured with SSL (requires an SSL certificate from a well-known certificate authority), to ensure that user logins are secure. Without SSL security, logins are exposed and may be compromised, enabling fraudulent use of the network. Communications between the user’s browser and the controller is always SSL-based. The default certificate on the controller generates a warning on the user’s browser unless replaced with a certificate signed by a well-known certificate authority. Example 1. Create the following folder on your Web sever: newlogin. 2. See Sample public access pages on page 14-15. Copy the following sample pages into the newlogin folder: login.html transport.html session.html fail.html logo.gif 3. Add the following entries to the Configured attributes table on the Public access > Attributes page. (You can also define these attributes in the RADIUS profile for the controller if you are using a RADIUS server.) login-url=web_server_URL/newlogin/login.html?loginurl=%l transport-page=web_server_URL/newlogin/transport.html session-page=web_server_URL/newlogin/session.html fail-page=web_server_URL/newlogin/fail.html logo=web server URL/newlogin/logo.gif access-list=loginserver,ACCEPT,tcp,web_server_IP_address use-access-list=loginserver 4. Customize login.html to accept username and password information from users and then send it to the controller. You can use code similar to the following example to redirect the user’s Web browser to the login URL on the controller for authentication:
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : Yes Author : Hewlett-Packard Development Company L.P. Copyright : Hewlett-Packard Development Company L.P. Create Date : 2011:01:26 11:45:21Z Modify Date : 2011:01:26 16:22:45-05:00 Subject : MSM7xx Controllers Management and Configuration XMP Toolkit : Adobe XMP Core 4.2.1-c043 52.372728, 2009/01/18-15:08:04 Producer : Acrobat Distiller 9.3.2 (Windows) Format : application/pdf Title : HP MSM7xx Controllers Management and Configuration Guide v5.5.0 Creator : Hewlett-Packard Development Company L.P. Description : MSM7xx Controllers Management and Configuration Creator Tool : FrameMaker 8.0 Metadata Date : 2011:01:26 16:22:45-05:00 Document ID : uuid:83af69a8-388b-43d8-a753-c5fcd5bc9d6d Instance ID : uuid:c71f26f6-0e91-4b09-9f61-4af55e003e95 Page Layout : SinglePage Page Mode : UseOutlines Page Count : 658EXIF Metadata provided by EXIF.tools