Extreme Networks A3502 ALTITUDE 350-2 ACCESS POINT User Manual SummitWM UserGuide

Extreme Networks ALTITUDE 350-2 ACCESS POINT SummitWM UserGuide

Contents

USERS MANUAL

Extreme Networks, Inc.3585 Monroe StreetSanta Clara, California 95051(888) 257-3000http://www.extremenetworks.comFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User GuidePublished: July 2005Part number: 100198-00 Rev 01
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide2Alpine, Altitude, BlackDiamond, EPICenter, Ethernet Everywhere, Extreme Ethernet Everywhere, Extreme Networks, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, GlobalPx Content Director, the Go Purple Extreme Solution Partners Logo, ServiceWatch, Summit, the Summit7i Logo, and the Color Purple, among others, are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and other countries. Other names and marks may be the property of their respective owners.© 2005 Extreme Networks, Inc. All Rights Reserved.Specifications are subject to change without notice.The ExtremeWare XOS operating system is based, in part, on the Linux operating system. The machine-readable copy of the corresponding source code is available for the cost of distribution. Please direct requests to Extreme Networks for more information at the following address:Software Licensing Department3585 Monroe StreetSanta Clara CA 95051<<DOES THIS PARAGRAPH NEED TO BE IN THIS BOOK? NetWare and Novell are registered trademarks of Novell, Inc. Merit is a registered trademark of Merit Network, Inc. Solaris and Java are trademarks of Sun Microsystems, Inc. F5, BIG/ip, and 3DNS are registered trademarks of F5 Networks, Inc. see/IT is a trademark of F5 Networks, Inc. >> sFlow® is a registered trademark of InMon Corporation. All other registered trademarks, trademarks and service marks are property of their respective owners.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 3Table of ContentsAbout this Guide.............................................................................................................................. 9Who should use this guide ...........................................................................................................9What is in this guide ...................................................................................................................9Formatting conventions..............................................................................................................10Documentation feedback ...........................................................................................................10Protocols and standards.............................................................................................................11Regulatory information ..............................................................................................................11Other Approvals<<this section new in FCS source -- keep or delete?>> ...........................................................11Chapter 1: The Summit WM-Series Switch Software solution ........................................................... 13What is the Summit WM-Series Switch Software system?..............................................................13Conventional wireless LANS .................................................................................................13The Summit WM-Series Switch Software solution...................................................................14Summit WM-Series Switch Software and your network ..................................................................17Components of the solution: a summary ................................................................................17Network traffic flow .............................................................................................................18Network security .................................................................................................................19Authentication ..............................................................................................................19Privacy .........................................................................................................................19Interaction with wired networks: Wireless Mobility Access Domain ...........................................20Static routing and routing protocols ......................................................................................20Policy: packet filtering .........................................................................................................21Mobility and roaming...........................................................................................................21Availability .........................................................................................................................22Quality of Service (QoS) .......................................................................................................22Chapter 2: Summit WM-Series Switch: Startup................................................................................ 23Summit WM-Series Switch features and installation .....................................................................23Installing the Summit WM-Series Switch ...............................................................................24First-time setup of Summit WM-Series Switch .............................................................................24Management port first-time setup .........................................................................................24Changing the Management Port IP address: web browser method.......................................25Adding the Summit WM-Series Switch to your enterprise network ......................................27The graphical user interface (GUI): overview ................................................................................28Chapter 3: Summit WM-Series Switch Software configuration.......................................................... 31Configuration steps: overview .....................................................................................................31Enabling the product key ...........................................................................................................31Setting up the data ports ...........................................................................................................32Setting up static routes..............................................................................................................35Setting up OSPF Routing ...........................................................................................................36Filtering at the interface level.....................................................................................................38
FCS Review Draft IITable of ContentsSummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide4Port-based exception filters: built-in......................................................................................39Port-based exception filters: user defined ..............................................................................39Chapter 4: Altitude AP: startup ....................................................................................................... 41Altitude AP features ..................................................................................................................41Installing the Altitude APs .........................................................................................................43Connecting and powering the Altitude AP ....................................................................................44Discovery and registration: Altitude AP registration settings...........................................................44Discovery and registration ..........................................................................................................46Discovery steps ...................................................................................................................46Altitude AP access approval .......................................................................................................49Configuring properties and radios................................................................................................50View and modify properties of registered Altitude APs.............................................................51View and modify the radio settings of registered Altitude APs ..................................................52Adding a Altitude AP manually .......................................................................................56Altitude AP static configuration: branch office deployment......................................................57Auto Cell software .....................................................................................................................58Chapter 5: WM Access Domain Services (WM-AD): Introduction ...................................................... 61Overview ..................................................................................................................................61What is a WM-AD? ....................................................................................................................62Topology of a WM-AD ................................................................................................................62Network assignment and authentication for a WM-AD ...................................................................63Authentication with SSID network assignment........................................................................63Authentication with AAA (802.1x) network assignment ...........................................................64Filtering for a WM-AD ................................................................................................................64Privacy on a WM-AD: WEP and WPA ...........................................................................................66Setting up a new WM-AD ...........................................................................................................66Global Settings for a WM-AD ......................................................................................................68Chapter 6: WM Access Domain Configuration ................................................................................. 71Topology for a WM-AD ...............................................................................................................71Topology for a WM-AD for Captive Portal................................................................................71Topology for a WM-AD for AAA .............................................................................................75Authentication for a WM-AD.......................................................................................................76Authentication for a WM-AD for Captive Portal .......................................................................77Authentication for a WM-AD for AAA .....................................................................................82MAC-based authentication for a WM-AD ................................................................................82Accounting for a WM-AD............................................................................................................84RADIUS Policy for a WM-AD ......................................................................................................84RADIUS Policy for Captive Portal ..........................................................................................85RADIUS Policy for AAA and AAA groups ................................................................................85Filtering rules for a WM-AD ........................................................................................................86Filtering rules for an exception filter......................................................................................87The non-authenticated filter for Captive Portal .......................................................................87Filtering rules for a Filter ID group ........................................................................................90Filtering rules for a default filter ...........................................................................................92Filtering Rules for an AAA Group WM-AD.........................................................................94Filtering rules between two wireless devices.....................................................................94
Table of ContentsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 5Multicast for a WM-AD ..............................................................................................................95Privacy for a WM-AD..................................................................................................................96Privacy for a WM-AD for Captive Portal ..................................................................................96Privacy for a WM-AD for AAA................................................................................................97A WM-AD with no authentication ..............................................................................................100A WM-AD for voice traffic.........................................................................................................101Chapter 7: Summit WM-Series Switch Configuration: Availability and Mobility ............................... 103Availability .............................................................................................................................103Mobility and the WM-AD Manager.............................................................................................107VW-AD Manager and VW-AD Agent: Background...................................................................107Chapter 8: Summit WM-Series Switch: configuring other functions ................................................ 111Management users ..................................................................................................................111Network time ..........................................................................................................................112Check Point event logging ........................................................................................................113Setting up SNMP ....................................................................................................................115MIB support .....................................................................................................................115Enabling SNMP on the Summit WM-Series Switch ...............................................................116Chapter 9: Setting up third-party access points............................................................................. 119Chapter 10: Summit Spy: detecting rogue access points................................................................ 123Overview ................................................................................................................................123Enabling the Analysis and RFDC Engines ..................................................................................124Summit Spy: running scans .....................................................................................................125The Analysis Engine ................................................................................................................126Viewing the Scanner Status report ............................................................................................130Chapter 11: Ongoing operation..................................................................................................... 131Altitude AP maintenance: software ...........................................................................................131Altitude AP client management ................................................................................................133Client disassociate ............................................................................................................134Client blacklist..................................................................................................................135Summit WM-Series Switch software maintenance ......................................................................137Summit WM-Series Switch Software logs and traces...................................................................140Viewing log, alarm and trace messages ................................................................................141Reports and displays ...............................................................................................................144View displays ....................................................................................................................144View reports......................................................................................................................146Glossary ..................................................................................................................................... 147Appendix A: Summit WM-Series Switch Software system states and LEDs ...................................... 167Summit WM-Series Switch system states and LEDs....................................................................167Altitude AP system states ........................................................................................................168
FCS Review Draft IITable of ContentsSummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide6Appendix B: CLI command reference ............................................................................................ 169Appendix C: DHCP, SLP, and Option 78 reference ......................................................................... 173Service Location Protocol (SLP) (RFC2608)...............................................................................174DHCP Options for Service Location Protocol (RFC2610) .............................................................174SLP Directory Agent Option (Option 78) ....................................................................................174SLP Service Scope Option (Option 79)......................................................................................175Appendix D: Reference lists of standards...................................................................................... 177RFC list..................................................................................................................................177802.11 standards list..............................................................................................................178Appendix E: Support for Altitude AP.............................................................................................. 181Altitude AP diagnostics by Telnet .............................................................................................181Appendix F: RADIUS Attributes ..................................................................................................... 183RADIUS Vendor-Specific Attributes (VSAs) ................................................................................183RADIUS Accounting ................................................................................................................184Account-Start Packet.........................................................................................................184Account-Stop/Interim Packet..............................................................................................185Termination Codes ............................................................................................................186Appendix G: Logs and Events ....................................................................................................... 187Overview ................................................................................................................................187Critical...................................................................................................................................187ACCESSPOINT..................................................................................................................187CDR_COLLECTOR .............................................................................................................191CONFIG_MANAGER ..........................................................................................................191EVENT_SERVER ...............................................................................................................192LANGLEY .........................................................................................................................194RADIUS_ACCOUNTING .....................................................................................................194RADIUS_CLIENT ..............................................................................................................194RF_DATA_COLLECTOR......................................................................................................195RU_MANAGER .................................................................................................................195SECURITY_MANAGER.......................................................................................................196STARTUP_MANAGER........................................................................................................197STATS_SERVER................................................................................................................198VNMGR............................................................................................................................199Major .....................................................................................................................................200ACCESSPOINT..................................................................................................................200CDR_COLLECTOR .............................................................................................................201CLI ..................................................................................................................................202CONFIG_MANAGER ..........................................................................................................203CPDP_AGENT_ID ..............................................................................................................203EVENT_SERVER ...............................................................................................................204LANGLEY .........................................................................................................................205NSM_SERVER ..................................................................................................................205OSPF_SERVER .................................................................................................................206PORT_INFO_J_MANAGER..................................................................................................206RADIUS_ACCOUNTING .....................................................................................................206RADIUS_CLIENT ..............................................................................................................206
Table of ContentsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 7REDIR_ID ........................................................................................................................207RF_DATA_COLLECTOR......................................................................................................207RU_MANAGER .................................................................................................................208SECURITY_MANAGER.......................................................................................................208VNMGR............................................................................................................................210Appendix H: Regulatory Information ............................................................................................. 213Summit WM100 (15945), Summit WM1000 (15937) ...............................................................213Safety ..............................................................................................................................213Emissions.........................................................................................................................213Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939) ......214United States - FCC Declaration of Conformity Statement .....................................................214Conditions Under Which a Second party may replace a Part 15 Unlicensed Antenna ...............216FCC RF Radiation Exposure Statement ..........................................................................216Department of Communications Canada Compliance Statement.......................................216European Community ........................................................................................................217Declaration of Conformity with regard to R&TTE Directive of theEuropean Union 1999/5/EC .........................................................................................217Conditions of Use in the European Community...............................................................218Permitted 5 GHz Channels for the European Community .................................................220European Spectrum Usage Rules ..................................................................................220Declarations of Conformity ...........................................................................................222Certifications of Other Countries ...............................................................................................223Index .......................................................................................................................................... 225
FCS Review Draft IITable of ContentsSummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide8
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 9About this GuideThis guide describes how to install, configure, and manage the Summit WM-Series Switch Software.Who should use this guideThis guide is a reference for system administrators who install and manage the Summit WM-Series Switch Software.What is in this guideThis guide contains the following chapters:●About this Guide describes the target audience and content of the guide, the formatting conventions used in it, and how to provide feedback on the guide.●Chapter 1 provides an overview of the product, its features and functionality.●Chapter 2 describes how to perform the installation and first-time setup of the Summit WM-Series Switch.●Chapter 3 describes setting up the initial configuration, as well as configuring the data ports and defining routing.●Chapter 4 tells how to install the Altitude AP, how it discovers and registers with the Summit WM-Series Switch, how to view and modify the radio configuration, and how to enable Dynamic Radio Frequency Management.●Chapter 5 provides an overview of WM Access Domain Services (WM-AD), the mechanism by which the Summit WM-Series Switch Software controls and manages network access.●Chapter 6 gives detailed instructions in how to configure a WM-AD, its topology, authentication, accounting, RADIUS policy, multicast, filtering and privacy. Both Captive Portal and AAA types of WM-AD are described.●Chapter 7 describes how to set up the features that provide availability in the event of a Summit WM-Series Switch failover, and mobility for a wireless device user.●Chapter 8 includes functions, such as user privileges, network time, Check Point event logging and SNMP.●Chapter 9 describes how to use the Summit WM-Series Switch Software features with third-party Altitude APs.●Chapter 10 explains the security tool that scans for, detects and reports on rogue access points.●Chapter 11 describes maintenance activities, such as software upgrades on both the Summit WM-Series Switch and the Altitude AP. This chapter also includes information on the logs, traces, reports and displays available.●Appendix A provides a reference on the LED displays and their significance.●Appendix B provides a list of the CLI command line syntax.
About this GuideFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide10●Appendix C provides background information on how the discovery process uses these network services.●Appendix D provides a reference list of RFCs supported.●Appendix E provides information on a support tool.●Appendix F provides a reference list of the RADIUS Attributes that are supported by the Summit WM-Series Switch Software.●Appendix G provides a reference list of the log and event messages.●Appendix H provides regulatory information for the Summit WM-Series Switch and the Altitude 350-2 Wireless Access Point.This guide also contains a glossary of standard industry terms used in this guide.Formatting conventionsThe Summit WM-Series Switch Software documentation uses the following formatting conventions to make it easier to find information and follow procedures:●Bold text is used to identify components of the management interface, such as menu items and section of pages, as well as the names of buttons and text boxes.For example: Click Logout.●Monospace font is used in code examples and to indicate text that you type.For example: Type https://<hls-address>[:mgmt-port>]●The following symbols are used to draw your attention to additional information:NOTENotes identify useful information that is not essential, such as reminders, tips, or other ways to perform a task.WARNING!Warnings identify essential information. Ignoring a warning can lead to problems with the application.Documentation feedbackIf you have any problems using this document, please contact your next level of support:●Customers should contact the Extreme Networks Technical Assistance Center (TAC).When you call, please have the following information ready. This will help us to identify the document that you are referring to.●Title: Summit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide●Part Number: 100198-00 Rev 01
Protocols and standardsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 11Protocols and standardsAppendix D lists the protocols and standards supported by the Summit WM-Series Switch Software. These lists include the Requests for Comment (RFCs) of the Internet Engineering Task Force (IETF) and the 802.11 standards developed by the Institute of Electrical and Electronics Engineers (IEEE).Regulatory informationAppendix H provides regulatory information for the Summit WM-Series Switch and the Altitude 350-2 Wireless Access Point.
About this GuideFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide12
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 131The Summit WM-Series Switch Software solutionThe next generation of Extreme Networks wireless networking devices provides a truly scalable WLAN solution. Extreme Networks Altitude APs are thin access points that are controlled through a sophisticated network device, the Summit WM-Series Switch. This solution provides the security and manageability required by enterprises and service providers alike.The Summit WM-Series Switch Software system is a highly scalable wireless local area network (WLAN) solution developed by Extreme Networks. Based on a third generation WLAN topology, the Summit WM-Series Switch Software system makes wireless practical for medium and large-scale enterprises and for service providers. The Summit WM-Series Switch Software system provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11standard. The solution is intended for enterprise networks operating on many floors in more than one building, as well as in public environments such as airports and convention centers that require more than two access points. This section provides an overview of the fundamental principles of the Summit WM-Series Switch Software system: what it is, how it works, and its advantages.What is the Summit WM-Series Switch Software system?The Summit WM-Series Switch Software system replaces the conventional access points used in wireless networking with two network devices that work as a system:●Summit WM-Series Switch: A network device that provides smart centralized control over the elements (Altitude APs) in the wireless network.●Altitude APs: The access points for 802.11 clients (wireless devices) in the network, controlled by the Summit WM-Series Switch. The Altitude AP is a “fit access point” because its wireless control is handled by the Summit WM-Series Switch. The Altitude AP is a dual-band access point, with both 802.11a and 802.11b/g radios.Together, the Summit WM-Series Switch Software products enable a radically simplified new approach to setting up, administering and maintaining a WLAN. Summit WM-Series Switch Software provides a Layer 3 IP routed WLAN architecture. This architecture can be implemented over several subnets without requiring the configuration of virtual local area networks (VLANs).Conventional wireless LANSAt its simplest, wireless communication between two or more computers requires that each one is equipped with a receiver/transmitter – a WLAN Network Interface Card (NIC) – capable of exchanging digital information over a common radio frequency. This is called an ad hoc configuration. An ad hoc network allows wireless devices to communicate together. This is an independent basic service set (IBSS).
The Summit WM-Series Switch Software solutionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide14An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated hardware router or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard defines Access Point communications as devices that allow wireless devices to communicate with a “distribution system”. This is a basic service set (BSS) or infrastructure network.For the wireless devices to communicate with computers on a wired network, the access points must be connected into the wired network, and provide access to the networked computers. This is called bridging. Clearly, there are security issues and management scalability issues in this arrangement.Figure 1: Standard wireless network solutionThe wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used.While this topology works well enough for small installations, as the network grows the difficulty of setting up and administering all the individual access points expands as well. When the expanding network has to cope with a large number of wireless users all signing on and off at random times, the complexity grows rapidly. Imagine, for example, a university library filled with professors and students – all equipped with laptops. Or a conference full of delegates and exhibitors.Clearly, there must be a better way than setting up each access point individually. The Summit WM-Series Switch Software solutionThe Summit WM-Series Switch Software solution consists of two devices:●The Summit WM-Series Switch is a rack-mountable network device designed to be integrated into an existing wired Local Area Network (LAN). It provides centralized control over all access points (both Altitude APs and third-party access points) and manages the network assignment of wireless device clients associating through access points.●The Altitude AP is a wireless LAN fit access point (IEEE 802.11) provided with unique software that allows it to communicate only with a Summit WM-Series Switch. (A fit access point handles the radio RADIUSauthenticationserverRouterEthernet switchDHCPserverAccesspointWirelessdeviceWirelessdevice
What is the Summit WM-Series Switch Software system?FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 15frequency (RF) communication but relies on a controller to handle WLAN elements such as authentication.) The Altitude AP also provides local processing such as encryption.This architecture allows a single Summit WM-Series Switch to control many Altitude APs, making the administration and management of large networks much easier.There can be several Summit WM-Series Switchs in the network, each with its set of registered Altitude APs. The Summit WM-Series Switchs can also act as backups to each other, providing stable network availability.In addition to the Summit WM-Series Switchs and Altitude APs, the solution requires three other components, which are standard for enterprise and service provider networks:●RADIUS Server (Remote Access Dial-In User Service) (RFC2865 and RFC2866), or other authentication server. Assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users.●DHCP Server (Dynamic Host Configuration Protocol) (RFC2131). Assigns IP addresses, gateways and subnet masks dynamically. Also used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process.●SLP (Service Location Protocol) (RFC2608) supported on the DHCP server, when SLP is used as part of the discovery mechanism.Figure 2: Summit WM-Series Switch Software solutionThe Summit WM-Series Switch appears to the existing network as if it were an access point, but in fact one Summit WM-Series Switch controls many Altitude APs.The Summit WM-Series Switch has built-in capabilities to recognize and manage the Altitude APs. The Summit WM-Series Switch activates the Altitude APs, enables them to receive wireless traffic from wireless devices, processes the data traffic from the Altitude APs and forwards or routes that data traffic out to the network. This processing includes authenticating requests and applying access policies.RADIUSauthenticationserverRouterEthernet switchEthernet switchDHCPserverWireless APSummit WMWireless ControllerWirelessdeviceWirelessdevice
The Summit WM-Series Switch Software solutionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide16Simplifying the Altitude APs makes them:●cost-effective●easy to manage●easy to deployPutting control on an intelligent centralized Summit WM-Series Switch enables:●centralized configuration, management, reporting, maintenance●high security●flexibility to suit enterprise●scalable and resilient deployments with a few Summit WM-Series Switches controlling hundreds of Altitude APsHere are some of the Summit WM-Series Switch Software system advantages:Table 1: Advantages of the Summit WM-Series Switch Software systemScales up to Enterprise capacity One Summit WM-Series Switch controls as many as 200 Altitude APs. In turn each Altitude AP can handle up to 127 wireless devices. With additional Summit WM-Series Switches, the number of wireless devices the system can support is in the thousands.Integrates in existing network A Summit WM-Series Switch can be added to an existing enterprise network as a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the Summit WM-Series Switches and Altitude APs does not require any reconfiguration of the existing infrastructure (e.g., VLANs).Offers centralized management and controlAn administrator accesses the Summit WM-Series Switch in its centralized location to monitor and administer the entire wireless network. The Summit WM-Series Switch has functionality to recognize, configure, and manage the Altitude APs and distribute new software releases.Provides easy deployment of Altitude APsThe initial configuration of the Altitude APs on the centralized Summit WM-Series Switch can be done with an automatic “discovery” technique.Provides security via user authenticationSummit WM-Series Switch Software uses existing authentication (AAA) servers to authenticate and authorize users.Provides security via filters and privilegesSummit WM-Series Switch Software uses virtual networking techniques to create separate virtual networks with defined authentication and billing services, access policies and privileges.Supports seamless mobility and roamingSummit WM-Series Switch Software supports seamless roaming of a wireless device from one Altitude AP to another on the same Summit WM-Series Switch or on a different Summit WM-Series Switch.Integrates third-party access pointsSummit WM-Series Switch Software can integrate legacy third-party access points, using a combination of network routing and authentication techniques.Prevents rogue devices Unauthorized access points will be detected and identified as harmless or dangerous rogue APs.Provides accounting services Summit WM-Series Switch Software logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records.Offers troubleshooting capability Summit WM-Series Switch Software logs system and session activity and provides reports to aid in troubleshooting analysis.Offers dynamic RF management Summit WM-Series Switch Software can automatically select channels and adjust Radio Frequency (RF) signal propagation power levels without user intervention.
Summit WM-Series Switch Software and your networkFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 17Summit WM-Series Switch Software and your networkComponents of the solution: a summaryThe following is a summary checklist of the components of the Summit WM-Series Switch Software solution on your enterprise network. These are described in detail in this guide.●The Summit WM-Series Switch, providing centralized control over all access points (both Altitude APs and third-party access points) and manages the network assignment of wireless device clients associating through access points.●The Altitude AP is a wireless LAN thin access point (IEEE 802.11) that communicates only with a Summit WM-Series Switch.●RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server. Assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Port security modes.The RADIUS Server system can be set up for certain standard attributes, such as Filter-ID, and for the Vendor Specific Attributes (VSAs).●DHCP Server (Dynamic Host Configuration Protocol) (RFC2131). Assigns IP addresses, gateways and subnet masks dynamically. IP address assignment for clients can be done by the DCHP server internal to the Summit WM-Series Switch, or by existing servers using DHCP relay. Also used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process. For SLP, DHCP should have Option 78 enabled (Option 78 specifies the location of one or more SLP Directory Agents).●Service Location Protocol (SLP) (SLP RFC2608). Client applications are User Agents and services are advertised by Service Agents. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Extreme Networks solution relies on registering “extreme” as an SLP Service Agent.●Domain Name Server (DNS), for an alternate mechanism (if present on the enterprise network) for the automatic discovery process. Summit WM-Series Switch Software relies on the DNS for Layer 3 deployments and for static configuration of Altitude APs. The Extreme Networks solution relies on registering “controller” as the DNS name.●Web Authentication Server, if desired for external authentication. ●RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866), if RADIUS Accounting is enabled.●Simple Network Management Protocol (SNMP) Manager Server, if forwarding SNMP messages is enabled.●Check Point Server, Check Point Event Logging API (ELA), for security event logging if a firewall application is enabled. ●Network infrastructure, Ethernet switches and routers, must be configured to allow routing between the various services noted above.Routing must also be enabled between multiple Summit WM-Series Switches, for such Summit WM-Series Switch Software features as Availability, WM-AD Manager for mobility, Third-Party Access Points, and Summit Spy for detection of rogue access points (some features require the definition of static routes).●Web Browser, providing access to the Summit WM-Series Switch Management GUI to configure Summit WM-Series Switch Software.
The Summit WM-Series Switch Software solutionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide18●a device that supports SSH, for serial port access to the Command Line Interface (CLI), for file management and monitoring by a network technician.Network traffic flowFigure 3: Traffic Flow diagramThe diagram above shows a simple configuration with a single Summit WM-Series Switch and two Altitude APs, each supporting a wireless device. A RADIUS server on the network provides authentication, and a DHCP server is used by the Altitude APs to discover the location of the Summit WM-Series Switch during the initial registration process. Also present in the network are routers and ethernet switches.Each wireless device sends IP packets in the 802.11 standard to the Altitude AP. The Altitude AP uses a UDP (User Datagram Protocol) based tunnelling protocol to encapsulate the packets and forward them to the Summit WM-Series Switch.The Summit WM-Series Switch decapsulates the packets, and routes these to destinations on the network, after authentication by the RADIUS server.The Summit WM-Series Switch functions like a standard router, except that it is configured to route only network traffic associated with wireless connected users. The Summit WM-Series Switch can also be configured to simply forward traffic to a default or static route if dynamic routing is not preferred.RADIUSauthenticationserverRouterEthernet switchEthernetswitchDHCPserverWireless APSummit WMWireless ControllerSummit WM Wireless Controllercontrol & routingSWC authenticateswireless user, forwards IPpacket to wired network.802.11IP packet transmission802.11 beacon & probe,wireless device associateswith a Wireless AP by its SSID.Summit WM Wireless ControllerWireless AP tunneling· AP sends data traffic to SWCthrough a UDP tunnel· SWC controls AP througha UDP tunnel· Using the UDP tunnels, SWCallows wireless clients toroam to APs on different SWCsWireless device Wireless deviceExternal webauthenticationserver
Summit WM-Series Switch Software and your networkFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 19Network securityThe Summit WM-Series Switch Software system provides features and functionality to control network access. These are based on standard wireless network security practices.Current wireless network security methods provide a degree of protection. These methods include: ●Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys●Open System that relies on Service Set Identifiers (SSIDs)●802.1x that is compliant with Wi-Fi Protected Access (WPA) ●Captive Portal based on Secure Sockets Layer (SSL) protocolThe Summit WM-Series Switch Software system supports these encryption approaches:●Wired Equivalent Privacy (WEP), a security protocol for wireless local area networks defined in the 802.11b standard●Wi-Fi Protected Access version 1 (WPA1TM) with Temporal Key Integrity Protocol (TKIP)●Wi-Fi Protected Access version 2 (WPA2TM) with Advanced Encryption Standard (AES) and Counter Mode with Chipher Block Chaining Message Authentication Code (CCMP).AuthenticationThe Summit WM-Series Switch relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network).The Summit WM-Series Switch provides authentication using:●Captive Portal, a browser-based mechanism that forces users to a web page●RADIUS (using IEEE 802.1x)The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the Summit WM-Series Switch and the RADIUS server.When 802.1x is used for authentication, the Summit WM-Series Switch provides the capability to dynamically assign per-wireless-device WEP keys (called per-station WEP keys in 802.11).In Summit WM-Series Switch Software, a RADIUS redundancy feature is provided, where you can define a failover RADIUS server (up to 2 servers) in the event that the active RADIUS server fails.PrivacyPrivacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques.Summit WM-Series Switch Software supports the Wired Equivalent Privacy (WEP) standard common to conventional access points.
The Summit WM-Series Switch Software solutionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide20It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2 using Advanced Encryption Standard (AES).Interaction with wired networks: Wireless Mobility Access DomainSummit WM-Series Switch Software provides a versatile means of mapping wireless networks to the topology of an existing wired network. This is accomplished through the assignment of WM Access Domain Services.When you set up WM Access Domain Services (WM-AD) on the Summit WM-Series Switch, you are defining subnets for groups of wireless users. This WM-AD definition creates a virtual IP subnet where the Summit WM-Series Switch acts as a default gateway for wireless devices. This technique enables policies and authentication to be applied to the groups of wireless users on a WM-AD, as well as the collecting of accounting information on user sessions that can be used for billing.When a WM-AD is set up on the Summit WM-Series Switch:●one or more Altitude APs (by radio) are associated with it●a range of IP addresses is set aside for the Summit WM-Series Switch’s DHCP server to assign to wireless devicesIf routing protocol is enabled, the Summit WM-Series Switch advertises the WM-AD as a routable network segment to the wired network, and routes traffic between the wireless devices and the wired network.Each radio on a Altitude AP can participate in up to four WM-ADs, via the multi-SSID function.Static routing and routing protocolsRouting can be used on the Summit WM-Series Switch to support the WM-AD definitions. In the User Interface, you can configure routing on the Summit WM-Series Switch to use one of the following routing techniques:●Static routes: Use static routes to set the default route of a Summit WM-Series Switch so that legitimate wireless device traffic can be forwarded to the default gateway.●Open Shortest Path First (OSPF, version 2) (RFC2328): Use OSPF to specify the next best hop (route) of a Summit WM-Series Switch. Open Shortest Path First (OSPF) is a protocol designed for medium and large IP networks, with the ability to segment routers into different routing areas for routing information summarization and propagation.●Next Hop Routing: Use next hop routing as part of a WM-AD definition to specify a unique default gateway to which traffic on a unique WM-AD is forwarded.
Summit WM-Series Switch Software and your networkFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 21Policy: packet filteringPolicy refers to the rules that allow different network access to different groups of users. The Summit WM-Series Switch Software system can link authorized users to user groups. These user groups then can be confined to predefined portions of the network.In the Summit WM-Series Switch Software system, policy is carried out by means of packet filtering, within a WM-AD.In the Summit WM-Series Switch user interface, you set up a filtering policy by defining a set of hierarchical rules that allow (or deny) traffic to specific IP addresses, IP address ranges, or services (ports). The sequence and hierarchy of these filtering rules must be carefully designed, based on your enterprise’s user access plan.The authentication technique selected determines how filtering is carried out:●If authentication is by SSID and Captive Portal, a non-authenticated filter will allow all users to get as far as the Captive Portal web page, where login occurs. When authentication is returned, then filters are applied, based on user ID and permissions.●If authentication is by AAA (802.1x), users will already have logged in and have been authenticated before being assigned an IP address. At this point, filters are applied, based on user ID and permissions.Mobility and roamingThe 802.11 standard allows a wireless device to preserve its IP connection when it roams from one access point to another on the same subnet. However, if a user roams to an access point on a different subnet, the user is disconnected.Summit WM-Series Switch Software has functionality that supports mobility on any subnet in the network. Wireless device users can roam between Altitude APs on any subnet without having to renew the IP connection.The Summit WM-Series Switch stores the wireless device’s current session information, such as IP address and MAC address. If the wireless device has not disassociated, then when it requests network access on a different Altitude AP, the Summit WM-Series Switch can match its session information and recognize it as still in a current session.In addition, a Summit WM-Series Switch can learn about other Summit WM-Series Switches on the network, and then exchange client session information. This enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM-Series Switches.
The Summit WM-Series Switch Software solutionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide22AvailabilitySummit WM-Series Switch Software provides seamless availability against Altitude AP outages, Summit WM-Series Switch outages, and even network outages. For example, if one Altitude AP fails, coverage for the wireless device is automatically provided by the next nearest Altitude AP. If a Summit WM-Series Switch fails, all of its associated Altitude APs, or access points, can automatically migrate to another Summit WM-Series Switch that has been defined as the secondary or backup Summit WM-Series Switch. When the original Summit WM-Series Switch returns to the network, the Altitude APs automatically re-establish their normal connection with their original Summit WM-Series Switch.Quality of Service (QoS)Summit WM-Series Switch Software provides advanced Quality of Service (QoS) management, in order to provide better network traffic flow. Such techniques include:●WMM (Wi-Fi Multimedia): enabled globally on the Altitude AP. For devices with WMM enabled., the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority traffic. WMM is part of the 802.11e standard for QoS.●IP ToS (Type of Service) or DSCP (Diffserv Codepoint): the ToS/DSCP field in the IP header of a frame is used to indicate the priority and Quality of Service for each frame. The IP TOS and/or DSCP is maintained within CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS information to the CTP header — this is referred to as Adaptive QoS. Quality of Service (QoS) management is also provided by:●assigning high priority to an SSID (configurable)●Adaptive QoS (automatic)●support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic (configurable)
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 232Summit WM-Series Switch: StartupSummit WM-Series Switch features and installationThe Summit WM-Series Switch is a network device designed to be integrated into an existing wired Local Area Network (LAN). Figure 4: The Summit WM-Series SwitchThe Summit WM-Series Switch provides centralized management, network access and routing to wireless devices that are using Altitude APs to access the network. It can also be configured to handle data traffic from third-party access points.The Summit WM-Series Switch performs the following functions:●Controls and configures Altitude APs, providing centralized management●Authenticates wireless devices that contact a Altitude AP●Assigns each wireless device to a WM-AD when it connects●Routes traffic from wireless devices, using WM-ADs, to the wired network●Applies filtering policies to the wireless device session●Provides session logging and accounting capabilityThe Summit WM-Series Switch is rack-mountable. It comes in the following product families:Model Number SpecificationsSummit WM-Series Switch Summit WM100• Four Fast-Ethernet ports, (10/100 BaseT), supporting up to 75 Altitude APs• One management port, (10/100 BaseT)• One console port (DB9 serial)• Power supply redundant (R)Summit WM-Series Switch Summit WM1000• Two GigE ports (dual 1GB SX network interfaces), supporting up to 200 Altitude APs• One management port, (10/100 BaseT)• One console port (DB9 serial) • Power supply redundant (R)
Summit WM-Series Switch: StartupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide24Installing the Summit WM-Series SwitchBefore you begin installation, make sure that a site survey has been done, to determine the number and location of Altitude APs and Summit WM-Series Switches required. The site survey should take a number of factors into consideration, including:●coverage areas●number of users●architectural features that affect transmission●existing wired network and access to ethernet cabling●type of mount (wall, ceiling, plenum) for Altitude APs●type of power (Power-over-Ethernet or AC adaptor) for Altitude APs●physical security of the Summit WM-Series Switch, including access controlInstalling the Summit WM-Series Switch1Unpack and mount the Summit WM-Series Switch following the detailed instructions in the Quick Start Guide2Install the ferrite beads provided, black for the power cord and white for the ethernet cables, as described in the Quick Start Guide. 3Plug the Summit WM-Series Switch power supply (single or dual) in to the back of the Controller. Figure 5: The Summit WM-Series Switch – back view diagram4Perform initial setup of the Summit WM-Series Switch to change its factory default IP address.5After that, connect the Summit WM-Series Switch to the enterprise LAN. First-time setup of Summit WM-Series SwitchManagement port first-time setupBefore you can connect the Summit WM-Series Switch to the enterprise network, you must change the IP address of the Summit WM-Series Switch management port from its factory default to the IP address suitable for your enterprise network.Access the Summit WM-Series Switch for initial setup by one of two methods:●a device supporting VT100 emulation such as a PC running HyperTerm, attached to the Summit WM-Series Switch’s DB9 serial port (COM1 port) via a cross-over (null modem) cable. The Power supply Power On/Off switchData ports (4 or 2)Management ports
First-time setup of Summit WM-Series SwitchFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 25Command Line Interface (CLI) commands for the initial setup are described in an attached appendix.●a laptop computer, running a web browser such as Internet Explorer 6.0 (or higher), attached to the Summit WM-Series Switch’s ethernet Management Port (RJ45 port) via an ethernet cross-over cable (cable provided with the Summit WM-Series Switch). The steps for initial setup in the Graphical User Interface are described below.The factory default management port setup of the Summit WM-Series Switch is:Changing the Management Port IP address: web browser method1Connect a cross-over ethernet cable between the ethernet port of the laptop and ethernet Management Port of the Summit WM-Series Switch.2Statically assign an unused IP address in the 192.168.10.0/24 subnet for the ethernet port of the PC (for example, 192.168.10.205).3Run Internet Explorer (version 6.0 or above) or other web browser on the laptop.4Point the browser to the URL https://192.168.10.1:5825. This URL launches the web-based GUI on the Summit WM-Series Switch. The login screen appears. Hostname: SWMManagement Port IP address: 192.168.10.1:5825Management Network Mask:  255.255.255.0
Summit WM-Series Switch: StartupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide265Key in the factory default User Name (“admin”) and Password (“abc123”). Click on the Login button. The main menu screen appears.6Click on the Summit WM-Series Switch Configuration menu option to navigate to the Summit WM-Series Switch Configuration screen. 7In the left-hand list, click on the IP Addresses option. The Management Port Settings area (top portion of the screen) displays the factory settings for the Summit WM-Series Switch.
First-time setup of Summit WM-Series SwitchFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 278To modify Management Port Settings, click the Modify button. The System Port Configuration screen appears.9Key in:10 Click OK to return to the Summit WM-Series Switch Configuration screen.11 Click on the Save button to save the port changes. The web connection between the laptop and the Summit WM-Series Switch is now lost, because their IP addresses are now on different networks. Adding the Summit WM-Series Switch to your enterprise network1Disconnect the laptop from the Summit WM-Series Switch Management Port.2Connect the Summit WM-Series Switch Management Port to the enterprise ethernet LAN.The Summit WM-Series Switch resets automatically. Now you will be able to launch the Summit WM-Series Switch Software GUI again, with the system visible to the enterprise network.The remaining steps in initial configuration of the Summit WM-Series Switch Software system are described in the next topic, after an overview of the GUI.Hostname The name of the Summit WM-Series SwitchDomain The IP domain name of the enterprise networkManagement IP Address The new IP address for the Summit WM-Series Switch’s management port (change this as appropriate to the enterprise network). Subnet mask For the IP address, the appropriate subnet mask to separate the network portion from the host portion of the address (typically 255.255.255.0)Management Gateway The default gateway of the network.Primary DNS The primary name server used by the network.Secondary DNS The secondary name server used by the network
Summit WM-Series Switch: StartupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide28The graphical user interface (GUI): overviewThe administrator can configure and administer the Summit WM-Series Switch Software system using the web-based Graphical User Interface.To run the graphical user interface1Launch Microsoft Internet Explorer (version 6.0 or above), or other web browser. 2In the address bar, key in the URL https://x.x.x.x:5825 (your management gateway as defined in initial setup plus port 5825, formerly factory default 192.168.10.1:5825). The Summit WM-Series Switch Software login screen appears.3Key in the factory default User Name (”admin”) and Password (“abc123”). Click on the Login button. The main menu screen appears.NOTEYou can define which user names have full read/write access to the user interface (“Admin” users) and which users have “read-only” privileges. This is done the Summit WM-Series Switch Configuration: Management Users screen.The main areas in the Summit WM-Series Switch Software user interface are accessed from the main menu, or by clicking on the appropriate tab across the top of each screen. Within each area, to access the associated subscreens, click on the screen name in the left-hand list.Table 2:  Summit WM-Series Switch Software user interface summaryTab Screen FunctionLogs & Traces Logs normal events and alarm eventsTrace logs are by component.Reports & Displays Access to various on-screen reportsSummit WM-Series Switch ConfigurationSystem MaintenanceRouting ProtocolsIP AddressesCheck PointSummit SpyWM-AD ManagerSNMPNetwork TimeManagement UsersSoftware MaintenanceTasks including shutdown, enable syslog.Define static routes, configure OSPF.Set up management port (Modify screen)Set up the data ports.Enable event logging for Check Point.Enable “detect rogue APs” mechanism.Manage multiple Summit WM-Series Switches.Enable SNMP messages to be sent.Configure synchronized time.Define user level.<Product Keys and software upgrades.Altitude AP Configuration Highlight a APAccess ApprovalAP MaintenanceAP RegistrationClient DisassociateModify properties, radios, static config.Modify the status of a Altitude AP.View and set up AP software upgrade.Define registration mode, pairing of APs.Force a wireless device to disassociate.WM-AD Configuration Global SettingsAdd a subnetWM-AD TopologyWM-AD Authen & AcctWM-AD RADIUS PolicyWM-AD FilteringWM-AD PrivacyDefine RADIUS servers,& global settingsLeft-hand list. Enter name. Click to add.Define the WM-AD topology, authentication and accounting set upDefine Filter IDsDefine filtering rules to control accessSet up WEP keys or WPA privacy.
The graphical user interface (GUI): overviewFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 29Summit Spy Configure and view reports for the Summit Spy(rogue access point detection)Table 2:  Summit WM-Series Switch Software user interface summaryTab Screen Function
Summit WM-Series Switch: StartupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide30
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 313Summit WM-Series Switch Software configurationConfiguration steps: overviewTo set up and configure the Summit WM-Series Switch and Altitude APs, follow these steps:1First-time Setup: Perform “First-Time Setup” of the Summit WM-Series Switch on the physical network to modify the Management Port IP address for the enterprise network.2Product Key: Apply a Product Key file, for licensing purposes. If no Product Key is enabled, the Summit WM-Series Switch functions with all features enabled in demonstration mode.3Data Port Setup: Set up the Summit WM-Series Switch on the network by configuring the physical data ports and their function as “host port”, “router port”, or “3rd party AP port”.4Routing Setup: For any port defined as a “router port”, configure static routes and OSPF parameters, if appropriate to the network5Altitude AP Initial Setup: Connect the Altitude APs to the Summit WM-Series Switch. They will automatically begin the “Discovery” of the Summit WM-Series Switch, based on factors that include:●their Registration mode (in the Altitude AP Registration screen)●the enterprise network services that will support the discovery process. 6Altitude AP Configuration: Modify properties or settings of the Altitude AP, if desired.7WM Access Domain Services Setup: Set up one or more virtual subnetworks on the Summit WM-Series Switch. For each WM-AD, configure the following:●Topology: configure the WM-AD, and assign the Altitude APs radios to the WM-AD.●Authentication and Accounting: configure the authentication method for the wireless device user and enable the accounting method.●RADIUS Policy: define Filter ID values for user groups●Filtering: define filtering rules to control network access●Multicast: define groups of IP addresses for multicast traffic●Privacy: select and configure the wireless security method on the WM-AD.Enabling the product keyOnce the “First-Time Setup” is complete, the next step in the initial setup of the Summit WM-Series Switch is to enter your product key. This is a one-time event. The Product Key file is provided with your Summit WM-Series Switch in a downloaded file.For assistance, if you cannot find the product key, contact your local represenative. To find your nearest service organization, access the Extreme Networks website at www.extremenetworks.com, and then select your country’s Extreme website from the drop-down list. The service organizations for your country will be listed on the local site. This product area is IP Convergence Solutions or Wireless.If no Product Key is enabled, the Summit WM-Series Switch functions with all features enabled in demonstration mode.
Summit WM-Series Switch Software configurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide32Enabling the product key on the Summit WM-Series Switch1Click on the Summit Switch tab. The Summit WM-Series Switch Configuration screen appears. Click on the Software Maintenance option. Then click on the SWM Product Keys tab. The Product Keys screen appears.The top portion of the screen displays the current Product Key settings. The lower portion permits you to browse for a Product Key file and apply it.2To select a product key file, click Browse to navigate to a downloads folder or a CD drive.3To activate this product key file, click Apply Now.Setting up the data portsThe next step in the initial setup of the Summit WM-Series Switch is to configure the physical data ports.Configuring the data port interfaces on the Summit WM-Series Switch1Click on the Summit Switch tab. In the Summit WM-Series Switch Configuration screen, click on the IP Address option. The Management Port Settings and Interfaces screen appears.The lower portion of the Summit WM-Series Switch Configuration screen displays the Interfaces, either the four ethernet ports (for the Summit WM100 and Summit WM1000), or the two ports (for the Summit WM1000). For each port, the MAC address is displayed automatically.
Setting up the data portsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 332Click in a port row to highlight it. 3For the highlighted port, key in the:NOTEIn a “Branch Office” scenario, where the Altitude AP is configured statically on a local network whose MTU is lower than 1500, the Summit WM-Series Switch automatically adjusts the MTU size to prevent packet fragmentation.4For the highlighted port, select its Function from the drop-down list: Host Port, 3rd Party AP, Router (defined below). For OSPF routing on a port, that port must be configured as a “Router” Port. No more than one port should be configured as a router port.5To allow Management traffic on a highlighted port, click the Mgmt checkbox on. This choice must be used carefully since it overrides the built-in protection filters on the port. 6For the highlighted port, click the SLP checkbox on to allow SLP protocol on this port for Altitude APs using this port for discovery and registration.7To save the port configuration, click Save.To cancel the entries without saving, click Cancel.IP address IP Address of the physical ethernet port.Subnet mask For the IP address, the appropriate subnet mask to separate the network portion from the host portion of the address (typically 255.255.255.0)MTU Maximum Transmission Unit (maximum packet size for this port). Default setting is 1500. If you change this setting, and are using OSPF, be sure that the MTU of each port in the OSPF link matches.
Summit WM-Series Switch Software configurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide34Port Type or FunctionA new Summit WM-Series Switch is shipped from the factory with all its data ports set up as “Host ports”, and support of management traffic disabled on all data ports. In the Summit WM-Series Switch Configuration – IP Addresses screen, you can redefine the data ports to function as one of three types:●Host PortUse “Host Port” for connecting Altitude APs, with no dynamic routing. A “Host Port” has dynamic routing disabled to ensure that the port does not participate in dynamic routing operations, such as OSPF, to advertise the availability of WM-ADs hosted by the Summit WM-Series Switch. “Host Ports” may still be used as the target for static route definitions. ●Third-Party AP PortDefine as “3rd-Party AP” a port to which you will connect third-party access points. No more than one port can be configured for third-party APs.Selecting this option prepares the port to support a third-party AP setup that allows the mapping of an WM-AD to the physical port. The WM-AD settings then permit the definition of policy, such as filters and Captive Portal, that manage the traffic flow for wireless users connected to these access points.The third-party access points must be operating as layer-2 bridges. The “third-party AP” WM-AD is isolated from the rest of the network. The Summit WM-Series Switch assumes control over the layer-3 functions such as DHCP.Altitude APs must not be attached to a “3rd-Party AP” port.●Router PortDefine as “Router Port” a port that you wish to connect to an upstream next-hop router in the network. Dynamic routing protocol such as OSPF can be turned on for this port type. Altitude APs can be attached to a “Router” port. The Summit WM-Series Switch will create a virtual WM-AD port and handle wireless device traffic in the same manner as a “Host port”. Third-party access points must not be directly connected to a “Router” port. There is a fourth port type that is not configurable in the user interface:●WM Access Domain Services (WM-AD) interfaceAn WM-AD port is a virtual port created automatically on the Summit WM-Series Switch when a new WM-AD is defined. The WM-AD port becomes the default gateway for wireless devices on this WM-AD. No Altitude APs can be associated with an WM-AD port and no routing is permitted on this port.The chart below summarizes the port types and their functions:Table 3: Port types and functionsPort Type IP ForwardingAltitude AP supportMgmt traffic support (SNMP, HTTP, TELNET, SLP, RADIUS, DHCP)Routing protocol support (IP, OSPF and PIM)Host No Yes Selectable No3rd-Party AP No No Selectable NoRouter Selectable. Route wireless device traffic onlyYes Selectable SelectableWM-AD No No Selectable No
Setting up static routesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 35Setting up static routesIt is recommended that you define a default route to your enterprise network, either with a static route or by using OSPF protocol. This will enable the Summit WM-Series Switch to forward wireless packets to the remainder of the network.Setting up a static route on the Summit WM-Series Switch1Click on the Summit Switch tab. In the Summit WM-Series Switch Configuration screen, click on the Routing Protocols option. 2Click the Static Routes tab. The Static Routes screen appears.3To add a new route, click in the Destination Address field and key in the destination IP address of a packet.[The destination network IP address that this static route applies to. Packets with this destination address will be sent to the Destination below.] To define a default static route for any unknown address not in the routing table, key in 0.0.0.0.4Key in the Subnet Mask. For the IP address, the appropriate subnet mask to separate the network portion from the host portion of the address (typically 255.255.255.0). For the default static route for any unknown address, key in 0.0.0.0.5In the Gateway field, key in the IP address of the gateway (the IP address of the specific router port or gateway on the same subnet as the Summit WM-Series Switch to which to route these packets; that is, the IP address of the next hop between the Summit WM-Series Switch and the packet’s ultimate destination).6Click on the Add button. The new route appears in the list, numbered sequentially.
Summit WM-Series Switch Software configurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide367The Override dynamic routes checkbox is on by default. This means the static routes defined here will have priority over the OSPF learned routes (including default route) that the Summit WM-Series Switch uses for routing. If you wish to remove this priority for static routes, so that routing is controlled dynamically at all times, click the Override dynamic routes checkbox off.NOTEIf you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the Summit WM-Series Switch, the static routes normally have priority.8Click on Save to update the routing table on the Summit WM-Series Switch. Viewing the Routing Table on the Summit WM-Series SwitchTo view the static routes that have been defined for the Summit WM-Series Switch, click on the View Forwarding Table tab. This displays the Forwarding Table also accessed in the Reports & Displays area of the user interface.This report displays all defined routes, whether static or OSPF, and their current status. To update the display, click on the Refresh button.Setting up OSPF RoutingTo enable OSPF routing, you must first define one data port as a “Router Port” in the IP Addresses screen. Next, enable OSPF globally on the Summit WM-Series Switch, and define the global OSPF parameters. Then you enable (or disable) OSPF on the port that you defined as a “Router Port”.
Setting up OSPF RoutingFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 37Ensure that the OSPF parameters defined here for the Summit WM-Series Switch are consistent with the adjacent routers in the OSPF area. The parameters include the following:●If the peer router has different timer settings, the protocol timer settings in the Summit WM-Series Switch must be changed to match, in order to achieve OSPF adjacency.●The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the Summit WM-Series Switch is defined as 1500, in the IP Addresses screen, during data port setup. This matches the default MTU in standard routers.Setting up OSPF Routing on the Summit WM-Series Switch1Click on the OSPF tab in the Routing Protocols screen. The OSPF Settings screen appears.2In the Global Settings area, enable OSPF by filling in the following fields:3To save these settings, click on the Save button.OSPF Status: To enable OSPF, select ON from the drop-down list.Router ID: If left blank, the OSPF daemon will automatically pick a router ID from one of the Summit WM-Series Switch’s interface IP addresses.If filled in here with the IP address of the Summit WM-Series Switch, this ID must be unique across the OSPF area.Area ID: 0 is the main area in OSPFArea Type: Select Default (Normal), Stub, or Not-so-stubby (OSPF area types) from the drop-down list.
Summit WM-Series Switch Software configurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide384In the Port Settings area, for the data port defined as a “Router Port”, fill in these fields:NOTEIf more than one port is enabled for OSPF, it is desirable to prevent the Summit WM-Series Switch from serving as a router for other network traffic (other than the traffic from wireless device users controlled by the Summit WM-Series Switch). To ensure that the Summit WM-Series Switch is never the preferred OSPF route, one solution is to set the Link Cost to its maximum value of 65535. Filters should also be defined in the WM Access Domain Configuration – Filtering screen that will drop routed packets.5To save these settings, click on the Save button. To confirm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized, click View Forwarding Table to view the Forwarding Table report. Two additional reports display OSPF information when the protocol is in operation:●OSPF Neighbor report displays the current neighbors for OSPF (routers that have interfaces to a common network)●OSPF Linkstate report shows the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router’s interfaces and adjacencies.Filtering at the interface levelThe Summit WM-Series Switch Software has a number of built-in filters that protect the system from unauthorized traffic. These filters are applied at the network interface level and are automatically invoked.In addition to these built-in filters, the administrator can define specific exception filters at the interface-level to customize network access. These filters do not depend on a WM-AD definition.Port Status: To enable OSPF on the port, select Enabled from the drop-down list.Link Cost: Key in the OSPF standard for your network for this port. Default displayed is 10. (The cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data traffic.) Authentication: From the drop-down list, select the authentication type set up for the OSPF on your network: None or Password.Password: If “Password” was selected above, key it in here. This password must match on either end of the OSPF connection.Dead-Interval: Time in seconds (displays OSPF default).Hello-Interval: Time in seconds (displays OSPF default).Retransmit-Interval: Time in seconds (displays OSPF default).Transmit delay: Time in seconds (displays OSPF default).
Filtering at the interface levelFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 39Port-based exception filters: built-inOn the Summit WM-Series Switch, various port-based exception filters are built in and invoked automatically. These filters protect the Summit WM-Series Switch from unauthorized access to system management functions and services via the ports. For example, on the Summit WM-Series Switch’s data interfaces (both physical interfaces and WM-AD virtual interfaces), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic is allowed, by default, on the Management port.To enable SSH, HTTPS, or SNMP access through a data interface, select the interface in the IP Addresses screen and click the “Management” checkbox on. You can also enable such management traffic in the WM-AD definition.If management traffic is explicitly enabled for any interface (physical port or WM-AD), access is implicitly extended to that interface through any of the other interface. (WM-AD).Only traffic specifically allowed by the interface’s exception filter is allowed to reach the Summit WM-Series Switch itself. All other traffic is dropped. Exception filters are dynamically configured, and are regenerated whenever the system's interface topology changes (a change of IP address for any interface). Enabling management traffic on an interface adds additional rules to the exception filter to open up the well-known IP(TCP/UDP) ports corresponding to the HTTPS, SSH and SNMP applications.The port-based built-in exception filtering rules, in the case of traffic from WM-AD users, operate only on traffic that is targeted directly to one of the WM-AD's interfaces. For example, a WM-AD filter may be generic enough to allow traffic access to the Summit WM-Series Switch's management (Allow All [*.*.*.*]). The traffic will initially be allowed according to the WM-AD user’s policy, but may then be denied by the exception filter of the WM-AD interface.Port-based exception filters: user definedYou can add specific filtering rules at the port level in addition to the built-in rules. Such rules give you the capability of restricting access to a port, for specific reasons, such as a Denial of Service (DoS) attack.To define filtering rules that are associated with one of the physical data ports on the Summit WM-Series Switch rather than with a WM-AD, use the Port Exception Filter screen. The filtering rules are set up in the same manner as filtering rules defined for a WM-AD — specify an IP address and then either “Allow” or “Deny” traffic to that address. See “Filtering rules for a WM-AD” on page 86.Exception filtering rules that you will define for a WM-AD will apply to the wireless device users after their authentication, whereas the filtering rules that you define here apply to all traffic on a physical port.
Summit WM-Series Switch Software configurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide40Define port exception filters1Click on the Summit Switch tab. Click on the Port Exception Filters option. The Port Exception Filters screen appears.2Select the data port from the pull-down list to which these filters will apply.3For each filtering rule you are defining: 4Click on the Add button. The information appears in a new line in the Filter area of the screen. 5Highlight the new filtering rule and click Allow checkbox on to allow traffic. Leave unchecked to disallow traffic. 6Edit the order of a filtering rule by highlighting the line and clicking on the Up and Down buttons. The filtering rules are executed in the order defined here.7To save the filtering rules, click on the Save button.IP / Port: Type in the destination IP address. You can also specify an IP range, a port designation or a port range on that IP address.Protocol: Default is N/A. To specify a protocol, select from the drop-down list (may inc l u de  U D P,  TC P,  I P se c - E SP,  I P se c - A H,  I C MP) .
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 414Altitude AP: startupYou are now ready to add the Altitude APs to the Summit WM-Series Switch Software system and register them with the Summit WM-Series Switch. Before the Altitude APs can handle wireless traffic, you will also need to assign the Altitude APs to a WM-AD.NOTEChanges or modifications made to the Summit WM-Series Switch or the Altitude APs which are not expressly approved by Extreme and/or the party responsible for compliance upon installation could void the user's authority to operate the equipment.Altitude AP featuresThe Altitude AP is a wireless LAN access point using the 802.11 wireless standards (802.11a, 802.11b and 802.11g) for network communications. The Altitude AP bridges network traffic to an Ethernet LAN.The Altitude AP is provided with proprietary software that allows it to communicate only with the Summit WM-Series Switch. The Altitude AP is physically connected to a LAN infrastructure and establishes an IP connection to a Summit WM-Series Switch. The Altitude AP has no user interface. The only way to manage a Altitude AP is through the Summit WM-Series Switch. All communication with the Summit WM-Series Switch is carried out using a UDP-based protocol to encapsulate IP traffic from the Altitude APs and direct it to the Summit WM-Series Switch. The Summit WM-Series Switch decapsulates the packets and routes them to the appropriate destinations, while managing sessions and applying policy. Figure 6: The Altitude AP
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide42The Altitude AP has two radios:●a 5 GHz radio that supports the 802.11a standardThe 802.11a standard is an extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in the 5-GHz band. 802.11a uses an orthogonal frequency division multiplexing encoding scheme rather than FHSS or DSSS. NOTEThe Altitude 350-2 access point will automatically discontinue transmission in case of either absence of information to tranmit (no frames transmitted through Ethernet) or operational failure.●a 2.4 GHz radio that supports both the 802.11g and 802.11b standardsThe 802.11g standard applies to wireless LANs and specifies a transmission rate of 54 Mbps. The 802.11b (High Rate) standard is an extension to 802.11 that specifies a transmission rate of 11 Mbps. Because 802.11g uses the same communication frequency range as 802.11b (2.4 GHz), 802.11g devices can co-exist with 802.11b devices on the same network Either radio on the Altitude AP can be enabled or disabled in the user interface. Both radios can be enabled and offer service simultaneously.The Altitude AP supports the full range of 802.11a:WARNING!The Altitude 350-2 utilizing the internal or detachable antennaa are intended only for indoor use.  Ths specfically applies when the 5.15 to 5.25 GHz band is enabled. The U-NII bands (Unlicensed National Information Infrastructure) are three frequency bands of 100 MHz each in the 5 GHz band designated for short-range, high-speed wireless networking communication. Altitude APs are licensed to operate in North America, the European Union countries and European Union free trade countries. The Altitude AP will operate on the radio band allowed for each European Union country, after being configured on the Summit WM-Series Switch in the Altitude AP Configuration: Properties screen.The Altitude AP has two models:●internal antenna (Altitude 350-2 Integrated Antenna), internal dual (multimode) diversity antennas●external antenna (Altitude 350-2 Detachable Antenna) (dual external antennas), RP-SMA connectorsFor North America, the U-NII Low Band (5.15 to 5.25 GHz band) is disabled for the Altitude 350-2 Detachable Antenna to comply with FCC regulations.5.15 to 5.25 GHz  U-NII Low Band5.25 to 5.35 GHz  U-NII Middle Band5.725 to 5.825 GHz  U-NII High Band New 5.470 GHz to 5.725 GHz Band (when approved by FCC)
Installing the Altitude APsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 43Installing the Altitude APsInstall the Altitude APs as described in the Altitude AP Installation Guide packed with the units. 1Unpack the Altitude AP from its shipment carton. Check that all parts are present, using the Installation Guide packed with the unit. 2Mount the Altitude AP wall bracket, using 3 screws, near the LAN ethernet cable plug coming from the wall.3Press the back of the Altitude AP onto the bracket, aligning it with the open notches in the bracket. Then slide it downwards until it clicks into place.CAUTIONThere should be at least 9 inches (20 cm) separation between the Altitude 350-2 and, or antenna and users.To remove the Altitude AP, release the spring clip by inserting the Allen key (provided) into the small hole at the bottom of the bracket. Use the Allen key to depress the spring clip. Then slide the case up the bracket and lift off the Altitude AP. Keep the Allen key in a safe place.4Insert the plastic spreading rivet through the hole at the bottom of the bracket and into the Altitude AP case. Then screw in the plastic screw. This spreads the rivet and locks the case to the bracket. To remove the Altitude AP, use a screwdriver to take out the screw.WARNING!For installations that use Receive diversity (the default) the antennae should be pointed in the same direction. For installations that do NOT use Receive diversity or for those that split the 802.11a and 802.11b/g radio onto different physical ports, then the antennae can be pointed in whatever direction is desired.AP_top_bottomPower connector LAN ethernet port connectorOpening forAllen keyOpeningfor rivet
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide44Connecting and powering the Altitude APWARNING!The Altitude 350-2 with internal and detachable antenna is intended for indoor use only.  Device must not be connected to a LAN segment exposed to outdoor wiring. Ensure that all cables are installed to avoid strain.  Replace the power supply adaptor immediately, if it shows any signs of damage.Powering up the Altitude AP initiates its automatic discovery and registration process with the Summit WM-Series Switch, The parameters for this process should be set in the Altitude AP Registration screen.CAUTIONThe Altitude 350-2 shall be powered by UL approved limited power source adapter or UL approved limited power source power over ethernet (PoE)Connect and power up the Altitude APs in one of three ways: ●Power Over Ethernet (PoE)If your network is already set up with PoE, attach the LAN ethernet cable to the RJ45 ethernet connector at the top of the Altitude AP.●Power Over Ethernet: Adding PoE InjectorIf your network is not set up with PoE, you can provide power to the ethernet cable with a PoE injector. The PoE injector must be 802.3af compliant. The PoE injector is not provided with the Altitude AP. ●Power by AC AdaptorAn AC adaptor is not provided with the Altitude AP. If you wish to use one, the specifications are: Input: 120-240 VAC, Output Voltage DC +6V, max amps 1.50, max watts 10.To use an adaptor, install the Altitude AP within six feet of a wall outlet, attach the adaptor to the Altitude AP and then plug the adaptor into the wall outlet.WARNING!Use only a safety approved POE injector or a safety approved Limited Power Source (Class 2) AC adaptor. Do not connect both power sources at the same time.Discovery and registration: Altitude AP registration settingsBefore the Altitude APs are powered and begin their “discovery” process, you should define the parameters of this process in the Altitude AP Registration screen. In this screen, you define two elements involved in the “discovery” process:●Security Mode●Discovery Timers
Discovery and registration: Altitude AP registration settingsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 45The Stand-alone or Paired options are part of the Availability feature to define a failover Summit WM-Series Switch if the primary Summit WM-Series Switch fails, described later in this Guide.During the “Registration” process, the Summit WM-Series Switch’s approval of the serial number of the Altitude AP depends on the security mode that has been set:●Allow allIf the Summit WM-Series Switch does not recognize the serial number, it sends a default configuration to the Altitude AP. If it recognizes the serial number, it sends the specific configuration (port and binding key) set for that Altitude AP.●Allow approvedIf the Summit WM-Series Switch does not recognize the serial number, the operator is prompted to create a configuration. If it recognizes the serial number, it sends the configuration for that Altitude AP.NOTEIt may be advisable, for the initial set up of the network, to select the “Allow All” option here. This is the most efficient way to get a large number of Altitude APs registered with the Summit WM-Series Switch. After that, you may want to reset this option to “Allow Approved”, so that no unapproved Altitude APs would be able to connect. You can modify the status of an unapproved Altitude AP in the Access Approval screen.Define the Security Mode for registering Altitude APs 1Select the Altitude APs tab in any screen. Click on AP Registration. The Altitude AP Registration Mode screen appears.2To  allow all Altitude APs to connect, click this radio button (default mode)To  allow only approved Altitude APs to connect, click on this radio button.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide46Set the discovery timers3Define the timing parameters for the “discovery” process:4To save the above parameters, click the Save button.This completes the preparation for the “discovery” process. Now you can go back to the Altitude APs and power them on. Discovery and registrationWhen the Altitude AP is powered on, it automatically begins a “discovery” process to determine the IP address of the Summit WM-Series Switch. When successful, it registers with the Summit WM-Series Switch. When the Altitude AP is registered, it appears in the Altitude AP Access Approval screen. You can check its status in this screen. If the status is “Pending”, you must modify it to “Approved”.You can now assign the registered and approved Altitude AP to a WM Access Domain Service (WM-AD) and it will be ready to handle wireless traffic.Discovery stepsThe Altitude APs “discover” the IP address of a Summit WM-Series Switch using a sequence of mechanisms that allow for the possible services available on the enterprise network. The “discovery” steps are processed in the following order, until the Altitude AP successfully locates a Summit WM-Series Switch with which it can “register”.1Use the IP address of the last successful connection to a Summit WM-Series Switch.2Use the predefined static IP addresses for the Summit WM-Series Switchs on the network (if so configured).3Use Dynamic Host Configuration Protocol (DHCP) Option 78 to locate a Service Location Protocol (SLP) Directory Agent (DA), followed by a unicast SLP request to the Directory Agent.4Use a Domain Name Server (DNS) lookup for the host name “ext-summitwm-connect-1”.5Use a multicast SLP request to find SLP Service Agents (SAs).You must ensure that the appropriate services on your enterprise network are prepared to support the “discovery” process.Discovery step 1: last successful connectionOnce a Altitude AP has successfully registered with a Summit WM-Series Switch, it remembers that controller's IP address, and will use that address on subsequent reboots. In effect, it will bypass discovery, and go straight on to registration. However, if this discovery method fails, it cycles through the remaining steps until it meets with success.Number of Retries The default number of retries is 3.Delay between Retries The default is 1 second
Discovery and registrationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 47Discover step 2: static IP addressYou can specify a list of static IP addresses of the Summit WM-Series Switches on your network. On the Altitude AP Configuration screen Static Configuration tab, add the addresses to the Summit WM-Series Switch Search List. WARNING!Care must be taken when setting or changing these values. Altitude APs configured statically will connect only to Summit WM-Series Switches in the list. Improperly configured Altitude APs will not be able to connect to a non-existent Summit WM-Series Switch address and therefore will not be able to receive a corrected configuration.Discovery step 3: the DHCP and unicast SLP solutionTo use the DHCP and unicast SLP discovery method, you must ensure that the DHCP server on your network supports Option 78 (DHCP for SLP RFC2610). The Altitude APs use this to discover the Summit WM-Series Switch.This solution takes advantage of two services that are present on most networks: ●DHCP (Dynamic Host Configuration Protocol), the standard means of providing IP addresses dynamically to devices on a network. ●SLP (Service Location Protocol), a means of allowing client applications to discover network services without knowing their location beforehand. Devices advertise their services, using a Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository (SLP RFC2608).The Summit WM-Series Switch contains an SLP Service Agent that, when it starts up, queries the DHCP server for Option 78 and if found, registers itself with the Directory Agent as service type “extreme”. The Summit WM-Series Switch contains a Directory Agent (slpd).The Altitude AP queries DHCP servers for Option 78 in order to locate any Directory Agents.   The Altitude AP's SLP User Agent will then query the DAs for a list of “extreme” Service Agents. Option 78 needs to be set for the subnets connected to the ports of the Summit WM-Series Switch and the subnets connected to the Altitude APs. These should contain an identical list of Directory Agent IP addresses.Discovery step 4: the DNS solutionIf no Directory Agent is found, or if it has no “extreme” Service Agents registered, the Altitude AP will attempt to locate a Summit WM-Series Switch via DNS. If you choose to use this method for discovery, place an “A” record in the DNS server for “ext-summitwm-connect-1”. The <domain-name> is optional, but if you use one, ensure that it is listed with the DHCP server. Discovery step 5: the multicast SLP solutionIf all of the preceding methods fail to locate a Summit WM-Series Switch, then the Altitude AP sends out a multicast SLP request, looking for any SLP Service Agents providing the “extreme” service.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide48Registration after discoveryAny of the discovery steps 2 through 5 can inform the Altitude AP of a list of multiple IP addresses to which the Altitude AP may attempt to connect. Once the Altitude AP has “discovered” these addresses, it sends out connection requests to all of them simultaneously. It will attempt to register only with the first which responds to its request.When the Altitude AP obtains the IP address of the Summit WM-Series Switch, it connects and registers, sending its serial number identifier to the Summit WM-Series Switch, and receiving from the Summit WM-Series Switch a port IP address and binding key. Once a Altitude AP is registered with a Summit WM-Series Switch:●it appears in the Altitude AP Access Approval screen. You can check its status in this screen. If the registration mode was “Approved only” then the status will be “Pending”. You must modify it to “Approved”.●it appears in the side list in the Altitude AP Configuration: Properties screen, where you can modify the properties and radio parameters.●its two radios appear as available choices in the WM Access Domain Configuration: Topology screen, when you are setting up a WM-AD (up to four WM-ADs for each radio).Before a registered Altitude AP can handle wireless traffic, you must set up a WM-AD definition and assign the Altitude AP's radios to a WM-AD. See Chapter 6.Discovery and registration: Altitude AP LED sequenceAs the Altitude AP is powered on and boots up, you can follow its progress through the registration process by observing the LED sequence described below. The Status LED (center) also indicates power: dark when unit is off and green (solid) when the AP has completed discovery and is operational.The Altitude AP boot sequence is described below:1When powered on, the Altitude AP status LED turns from dark to green briefly. Status LED: green (solid) then to dark before beginning boot sequence.2The Altitude AP performs a self-test. Status LED: red (solid) if POST failed.3The “Discovery” mode: the Altitude AP sends a request to the DHCP server on the enterprise network for the location of the Summit WM-Series Switch (as described above.)Status LED: orange (solid) while searching (“Discovery”)Status LED: red-orange (alternate blink) if DHCP server not found on networkStatus LED: green-orange (alternate blink) if SLP issues in failed discovery.Status LEDLeft LED2.4 GHz radio activity Right LED5 GHz radio activity
Altitude AP access approvalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 494The Altitude AP “learns” the IP address of the Summit WM-Series Switch, Status LED: orange (blink) when IP address successfully obtained (“Registration” process underway)Status LED: red (blink) if “Registration” fails5The Altitude AP sends its serial number (a unique identifier that is hard coded during manufacture) to the Summit WM-Series Switch.Status LED: green (blink) when Altitude AP finds Summit WM-Series Switch (“Standby” status)6The Summit WM-Series Switch sends the Altitude AP a port IP address and a binding key, as follows: ●If the Summit WM-Series Switch does not recognize the serial number, it sends a default configuration to the Altitude AP. ●If it does recognize the serial number, it sends the specific configuration (port and binding key) set for that Altitude AP.The Summit WM-Series Switch also adds the Altitude AP to its database.Status LED: green (blink) when Altitude AP finds Summit WM-Series Switch (“Standby” status)7When the binding key is received, the Altitude AP's status changes from “Standby” to “Active”. It becomes active and is enabled to transmit data traffic.LED: green steady (“Active”)When the Altitude AP has wireless traffic, you will see a green blink on the traffic LED. The left LED indicates the traffic LED for activity on the 2.4 GHz radio, while the right LED indicates activity on the 5 GHz radio.Altitude AP access approvalYou can also view and modify the status of registered Altitude APs. Use this function to modify the status of a Altitude AP from “Pending” to “Approved” for a manual registration. You can also delete the configuration of Altitude APs that are no longer in service.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide50Modify a Altitude AP's registration status (approve access)1Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the Access Approval option. The Access Approval screen appears, displaying the current registered Altitude APs and their current status. The Home field displays “Local” (this Summit WM-Series Switch) or “Foreign” (other Summit WM-Series Switches), if you have set up two Summit WM-Series Switches in Paired Mode, as described in the Summit WM-Series Switch Configuration: Availability topic.2Select the Altitude APs for status change, either by:●clicking the checkbox on to select a specific Altitude AP, or●using one of the Select Altitude APs buttons to select by category3To perform an action on the selected Altitude APs, click on one of the Action buttons: Approved, Pending, Release, Delete.●Change a Altitude AP's status from “Pending” to “Approved”, if the Altitude AP Configuration: AP Registration screen was set to register only approved Altitude APs.●Release “foreign” Altitude APs after recovery from a Failover, as described in the Availability topic.Configuring properties and radiosOnce a Altitude AP has successfully registered on the Summit WM-Series Switch, it appears in the side list in the Altitude AP Configuration: Properties screen, where you can modify its properties and radio parameters.
Configuring properties and radiosFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 51View and modify properties of registered Altitude APs 1Select the Altitude APs tab in any screen. The Altitude AP Configuration screen appears, with a list of registered Altitude APs. 2Highlight the appropriate Altitude AP in the list. Click on the AP Properties tab to view basic information about the highlighted Altitude AP.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide523To modify the default information about a selected Altitude AP, key in information in the following fields (where appropriate):4If this Altitude AP is to used in Bridge Mode as part of a static configuration for Branch Office deployment, click the Maintain client session in event of poll failure checkbox on in order to maintain the session. See “Altitude AP static configuration: branch office deployment” on page 57.5To save the modified information, click on the Save button.View and modify the radio settings of registered Altitude APs Most properties of the Altitude AP radios can be modified without triggering a reboot of the Altitude AP. However, modifying the following will trigger a reboot:●enabling or disabling either radio●changing the radio channel between “Auto” and any fixed channel number.Serial # (Display only) A unique identifier set during manufacture. Name Defaults to the serial number. Change this to a unique descriptive name that more easily identifies the Altitude AP.Description Available for descriptive comments (optional). Port # From the drop-down list, select the ethernet port through which the Altitude AP can be reached.Hardware Version (Display only) Current version of the Altitude AP hardware.Application Version (Display only) Current version of the Altitude AP software.Status (Display only) “Approved” = Altitude AP has received its binding key from the Summit WM-Series Switch after the Discovery process. “Pending” = binding key not yet received.You can modify the status of a Altitude AP (for example from “Pending” to “Approved”) in the Access Approval screen.Active Clients (Display only) The number of wireless devices currently active on the Altitude AP.Poll Timeout The default is 30 seconds.Poll Interval The default is 5 seconds.
Configuring properties and radiosFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 53View and modify the radio settings1Select the Altitude APs tab in any screen. The Altitude AP Configuration screen appears, with a list of registered Altitude APs. 2Highlight the appropriate Altitude AP in the list. Then click on either radio tab:●802.11 b/g (2.4 GHz radio)●802.11a (5 GHz radio)Each screen displays the default radio settings for each radio on the Altitude AP. If this radio has been assigned to a WM-AD (up to four WM-ADs), the WM-AD names and MAC addresses appear in the Base Settings area.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide543Modify these Base Settings where appropriate.BSS Info (Display only) After WM-AD configuration, the Basic Service Set (BSS) area displays the MAC address on the Altitude AP for each WM-AD and the SSIDs of the WM-AD to which this radio has been assigned.DTIM Delivery Traffic Indication Message period. Default is 2.Beacon Period Time units between beacon transmissions. Default is 100.Short Retry Limit The maximum number of transmission attempts of a frame that is less than or equal to the RTS Threshold, before a failure condition is indicated. Default is 4.Long Retry Limit The maximum number of transmission attempts of a frame that is greater than the RTS Threshold, before a failure condition is indicated. Default is 7.RTS Threshold Request To Send Threshold, the size of a data unit below which an RTS/CTS (RTS/Clear to Send) handshake is not performed. Default is 2330.Frag. Threshold The Fragmentation Threshold, the maximum size of a packet or data unit that can be delivered. Default is 2346.Enable Radios Click checkbox on for each radio.Radio Settings:Channel (Drop-down list) The wireless channel that the Altitude AP should use to communicate with wireless devices (see chart below). Depending on the regulatory domain (based on country), some channels may be restricted. The default setting is based on North America.Tx Power Level (Drop-down list) Min, 13%, 25%, 50%, MaxIf Auto Cell was enabled in the previous window, it will override selections made here in the Tx Power Level field.Operational Rate Set (Drop-down list) in MbpsA: Best data rate, 6, 9 12,18, 24, 36, 48, 54B/G: Best data rate, 1, 2, 5.5, 11, 6, 9 12,18, 24, 36, 48, 54 Diversity From the drop-down list, select “Best,” for the best signal from both antennas, or “Left” or “Right” to choose either of the two diversity antennas.Basic Rates (for b radio only) Select a set of basic rates from the drop-down list. The best data rate from the set will be used for current conditions (power vs. range)Short Preamble Invoked Click checkbox on to enable.g Radio Settings:Protection Mode (Drop-down list) None, Auto (default), AlwaysProtection Rate (Drop-down list) in Mbps: 1, 2, 5.5, 11 (default)Protection Type (Drop-down list) CTS (Clear To Send), RTS CTS (Request To Send, Clear To Send) - default.
Configuring properties and radiosFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 55NOTERadio A Channels 100 to 140 occupy the 5470-5725 MHz band, in the regulatory domains of the European Union and European Union free trade countries.Radio B/G Channels 12 to 14 are not available in North America.4To save the modified information, click on the Save button.Radio Channels802.11a Auto 34: 5170  MHz36: 5180  MHz38: 5190  MHz40: 5200  MHz42: 5210  MHz44: 5220  MHz46: 5230  MHz48: 5240  MHz52: 5260  MHz56: 5280  MHz60: 5300  MHz64: 5320  MHz100: 104:108: 112: 116: 120: 124: 128: 132: 136: 140: 149: 5745  MHz153: 5765  MHz157: 5785  MHz161: 5805  MHzRadio Channels802.11b/g1: 2412 MHz2: 2417 MHz3: 2422 MHz4: 2437 MHz5: 2432 MHz6: 2437 MHz7: 2442 MHz8: 2447 MHz9: 2452 MHz10: 2457 MHz11: 2462 MHz12 2467 MHz13: 2472 MHz14: 2484 MHz
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide56Adding a Altitude AP manuallyAdd and register a Altitude AP manually:1Select the Altitude AP tab. In any radio screen, click on the Add Altitude AP button. The Add Altitude AP subscreen appears.2Key in, or select from the drop-down list, information in the following fields:3To add the Altitude AP, click the Add Altitude AP button.To return to the previous screen, click Close.The Altitude AP is added with default settings. To modify these settings, use the Altitude AP Configuration screens described earlier. You can modify the properties and the settings for each radio on the Altitude AP.Before a registered Altitude AP can handle wireless traffic, you must set up a WM-AD definition, and assign one or both of the Altitude AP's radios to a WM-AD. See Chapter 6 for details.Serial # A unique identifier set during manufacture.Name A unique name for the Altitude AP. Description Available for descriptive comments (optional). Port # The ethernet port through which the Altitude AP can be reached
Configuring properties and radiosFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 57Altitude AP static configuration: branch office deploymentThe Altitude AP static configuration feature provides Summit WM-Series Switch Software capability for a network with the central office / branch office model. In this scenario, Altitude APs are installed in remote sites, while the Summit WM-Series Switch is in the central office. The Altitude APs require the capability to interact in both the local site network and the central network. To achieve this, a static configuration is used. NOTEIn static configuration, if the Altitude AP cannot register with the Summit WM-Series Switch within the specified number of retries), the Altitude AP will use SLP, DNS and SLP multicast as a backup mechanism (as described in the discovery process). If unsuccessful, the Altitude AP resumes the discovery process with the static configuration, followed with SLP, DNS and SLP multicast.Once the static configuration is set up, then all traffic is bridged locally on the wired Ethernet segment that the Altitude AP is connected to, without going through a Summit WM-Series Switch.Set up a Altitude AP with static configuration 1Select the Altitude AP tab in any screen. In the Altitude AP Properties screen, click on the Static Configuration tab. The Static Configuration screen appears.2Select one of the two methods of IP address assignment for the Altitude AP:●to enable DHCP, click the radio button on (default), or●to specify the IP address of the Altitude AP, click the Static Values radio button on and fill in the IP Address, Subnet Mask, and Gateway.NOTEFor first-time deployment of the Altitude AP for a Branch Office scenario, it is recommended that you use DHCP initially on the central office network to obtain an IP address for the Altitude AP. Then enter these values in the Static Configuration screen for this Altitude AP and save the configuration.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide583Click the Bridge Traffic Locally checkbox on to enable this. When authentication of a wireless device user in the Branch Office is complete, the Altitude AP will direct all traffic to the local network. Authentication is 802.1x-AAA. Authentication by Captive Portal is not supported4In the Summit WM-Series Switch Search List area of the screen, in the entry field, key in the IP address of the Summit WM-Series Switch that will control this Altitude AP. Click on the Add button to add it to the list. Repeat to add a secondary Summit WM-Series Switch. Use the Up and Down buttons to modify the order of the controllers (maximum 3 controllers).This allows the Altitude AP to bypass the discovery process. If this field is not filled in, the Altitude AP will use SLP to discover a Summit WM-Series Switch.The DHCP function for wireless clients must be provided locally by a local DHCP server, unless each wireless client has a static IP address5To save the static configuration, click on the Save button.NOTEIn a “Branch Office” scenario, where the Altitude AP is configured statically on a local network whose MTU is lower than 1500, the Summit WM-Series Switch automatically adjusts the MTU size to prevent packet fragmentation. The MTU is set in the IP Addresses screen and should not be changed.Auto Cell softwareYou can enable the Auto Cell software on the Altitude AP. With the Auto Cell feature enabled, the Altitude AP will:●adjust power levels to balance coverage if another Altitude AP which is assigned to the same SSID and is on the same channel is added to, or leaves, the network.●allow wireless clients to be moved to another Altitude AP if the load is too high●scan automatically for a channel, using a channel selection algorithm●avoid other WLANs by reducing transmit power whenever other APs with the same channel, but different SSIDs are detected
Auto Cell softwareFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 59Configure Auto Cell software 1Select the Altitude AP tab in any screen. Click on the Auto Cell option. The Auto Cell Configuration screen appears.2The Enable Auto Cell checkbox is on by default., enabling the software globally.3From the list of registered Altitude APs, select the Altitude AP you want to configure for Auto Cell by clicking its checkbox on. The fields for Auto Cell populate with default values, with Auto Cell “on”. 4In the Coverage field, select from the drop-down list:●Std (Standard Coverage) adjusts the range to the client that is the most distant, as indicated by its signal strength●Shpd (Shaped Coverage) adjusts the range based on neighboring Altitude APs 5To enable the Avoid WLAN feature, select on from the drop-down list.6To configure a range within which the transmit power can be adjusted dynamically, select the Minimum and Maximum power levels from the drop-down list. 7When the configuration choices are complete, click on the Apply to selected APs button. 8To save these changes, click on the Save button.9To re-establish baseline settings, forcing the APs to go through the auto-channel selection process, click on the Reset Auto Cell button.
Altitude AP: startupFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide60
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 615WM Access Domain Services (WM-AD): IntroductionOverviewWM Access Domain Services (WM-AD) are the key to the advantages that the Summit WM-Series Switch Software system has to offer. This technique provides a versatile means of mapping wireless networks to the topology of an existing wired network. When you set up a WM-AD on the Summit WM-Series Switch, you are defining a subnet for a group of wireless device users. This WM-AD definition creates a virtual IP subnet where the Summit WM-Series Switch acts as a default gateway to wireless devices.Before you begin to define a WM-AD, you should have determined:●a user access plan for both individual users and user groups●the RADIUS attribute values that support the user access plan●the location and identity of the Altitude APs that will be used on the WM-AD●the routing mechanism to be used on the WM-AD●the network addresses that the WM-AD will use●the type of authentication for wireless device users on the WM-AD●the specific filters to be applied to the defined users and user groups to control network access●what privacy mechanisms should be employed between the Altitude APs and the wireless devices●whether the WM-AD is to be used for voice trafficThe user access plan should analyze the enterprise network and identify which users should have access to which areas of the network. What areas of the network should be separated? Which users can go out the World Wide Web?The Summit WM-Series Switch Software system relies on authenticating users via a RADIUS server (or other authentication server). To make use of this feature, you will, of course, require such an authentication server on the network. Make sure that the server's database of registered users, with login identification and passwords, is current. NOTETo deploy Summit WM-Series Switch Software without a RADIUS server (and without authentication of users on the network), select SSID for network assignment (in the Topology screen). In the Authentication - Configure Captive Portal screen, click on the No Captive Portal radio button. There will be no authentication of users, but Summit WM-Series Switch Software is otherwise operational.The user access plan should also identify the user groups in your enterprise, and the business structure of the enterprise network., such as:●department (such as Engineering, Sales, Finance) ●role (such as student, teacher, library user) ●status (such as guest, administration, technician)
WM Access Domain Services (WM-AD): IntroductionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide62For each user group, you should set up a Filter ID attribute in the RADIUS server, and then associate each user in the RADIUS server to at least one Filter ID name. The Summit WM-Series Switch Software enables you to define specific filtering rules, by Filter ID attribute, that will be applied to user groups to control network access.What is a WM-AD?A WM-AD is an IP subnet that is especially designed to enable Altitude APs to interact with wireless devices. In many ways, a WM-AD is similar to a regular IP subnet. However, it has the following required features:1Each WM-AD is assigned a unique identifier. 2Each WM-AD is assigned an SSID. These do not have to be unique. 3Each WM-AD is assigned a range of IP addresses for wireless devices. All the wireless devices share the same IP address prefix (the part of the IP address that identifies the network and subnet). The IP addresses of the wireless devices are assigned dynamically by the Summit WM-Series Switch's DHCP server within the assigned range.(These IP addresses are not “virtual”. They are regular IP addresses, and are unique over the network. These IP addresses are advertised to other hosts on the network so that they can exchange traffic with the wireless devices in the WM-AD.)NOTEAlternatively, you can allow the enterprise network's DHCP server to provide the IP addresses for the WM-AD, by enabling DHCP Relay in the Topology screen.4A single overall filtering policy applies to all the wireless devices within the WM-AD. Further filtering can be applied when the wireless user is authenticated by the RADIUS server. 5When the Summit WM-Series Switch creates the WM-AD, it also creates a virtual IP subnet for that WM-AD.6Each WM-AD represents a mobility group that, when configured, can be carried across multiple Summit WM-Series Switches.7Each WM-AD also offers unique AAA services. Topology of a WM-ADBefore you configure a WM-AD, you should define global settings that will apply to all WM-AD definitions. In the Global Settings screen, identify the location of the RADIUS servers. You also enable Priority Traffic Handling for voice-over-internet traffic.In the Top olog y screen, you name a new WM-AD and begin its configuration
Network assignment and authentication for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 63The key choice for a WM-AD is the type of network assignment, which determines all the other factors of the WM-AD. There are two options for network assignment:●SSID:●has Captive Portal authentication, or no authentication.●requires restricted filtering rules before authentication and, after authentication, filtering rules for group Filter IDs. ●is used for a WM-AD supporting wireless voice traffic (QoS).●is used for a WM-AD supporting third-party APs.●has WEP and WPA-PSK privacy.●AAA (Authentication, Authorization and Accounting)●has 802.1x authentication●requires filtering rules for group Filter IDs and default filter.●has WEP and WPA privacy.In the Topology screen, you assign the available Altitude APs (by radio) to the WM-AD. An Altitude AP radio will appear in the list as available for WM-AD assignment until it has been assigned to four WM-ADs. After that, it will no longer appear in the list.After a WM-AD definition has been saved, the Summit WM-Series Switch updates this information on the Altitude AP. Each radio acquires up to four SSIDs (one for each WM-AD it is part of), and broadcasts these during beacon transmission (unless the SSID beacon is suppressed in the Topology screen).You can view (in the Altitude AP Configuration screen) a list of defined WM-ADs to which each radio has been assigned.In the Top olog y area of WM Access Domain Configuration, you also define other aspects of the WM-AD, such as the parameters for DHCP for IP address assignment. You might also configure this WM-AD for management traffic only, or for Third-Party Access Points, or for Voice Traffic. (These are described in detail later in this Guide.)Network assignment and authentication for a WM-ADThe second step is to configure the authentication mechanism for the WM-AD. The authentication mechanism depends on the network assignment. In addition, all WM-AD definitions can include authentication by MAC address.Authentication with SSID network assignmentIf SSID was selected, there are two authentication options:●None: The wireless device connects to the network, but can only access specified network destinations (defined in the Non-Authenticated Filter). No authentication is performed.●Captive Portal: The wireless device connects to the network, but can only access specified network destinations (defined in the Non-Authenticated Filter). One of those destinations is a web page logon screen (the portal in which he is captive), where the user must input an ID and a password. This
WM Access Domain Services (WM-AD): IntroductionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide64identification is sent by the Summit WM-Series Switch to the RADIUS server for authentication. Four authentication types are supported by Summit WM-Series Switch Software for Captive Portal:●PAP (Password Authentication Protocol) ●CHAP (Challenge Handshake Authentication Protocol)●MS CHAP (Windows-specific version of CHAP)●MS CHAP v2 (Windows-specific version of CHAP, version 2)For Captive Portal, the RADIUS server must support the selected authentication type: PAP, CHAP (RFC2484), MS-CHAP (RFC2433), MS-CHAPv2 (RFC2759).Authentication with AAA (802.1x) network assignmentIf network assignment is by AAA (802.1x) with 802.1x authentication, the wireless device user requesting network access via Summit WM-Series Switch Software must first be authenticated. The wireless device's client utility must support 802.1x. The user's request for network access along with login identification or user profile will be forwarded by the Summit WM-Series Switch to a RADIUS server. Summit WM-Series Switch Software supports these authentication types:●EAP-TLS Extensible Authentication Protocol - Transport Layer Security that relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys. ●EAP-TTLS (EAP with Tunneled Transport Layer Security) is an extension of EAP-TLS to provide certificate-based, mutual authentication of the client and network through an encrypted tunnel, as well as to generate dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates. ●PEAP (Protected Extensible Authentication Protocol) is a standard to authenticate wireless LAN clients without requiring them to have certificates. In PEAP authentication, first the user authenticates the authentication server, then the authentication server authenticates the user.For 802.1x, the RADIUS server must support RADIUS extensions (RFC2869).If the RADIUS server sends an “access-accept” message to the Summit WM-Series Switch, the Summit WM-Series Switch's DHCP server assigns the device its IP address and allows network access controlled by the filtering rules defined for the specific Filter ID value associated with the wireless device user.Both Captive Portal and AAA (802.1x) authentication mechanisms in Summit WM-Series Switch Software rely on a RADIUS server on the enterprise network. You can identify and prioritize up to three RADIUS servers on the Summit WM-Series Switch. This means that in the event of a failover of the active RADIUS server, the Summit WM-Series Switch will poll the other servers in the list for a response. Filtering for a WM-ADThe WM-AD capability provides a technique to apply policy, to allow different network access to different groups of users. This is done by packet filtering.After setting up the authentication, the next step is to define the filtering rules for the filters that apply to your network and the WM-AD you are setting up.
Filtering for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 65Four types of filters are applied by the Summit WM-Series Switch in the following order:1Exception filter, to provide the administrator optional additional flexibility in securing the system and blocking Denial of Service (DoS) attacks, on any type of WM-AD.2Non-Authenticated filter, with filtering rules that apply before authentication, to control network access and to direct users to a Captive Portal web page for login.3Group filters (by Filter ID) for designated user groups, to control access to certain areas of the network, with values that match the values defined for the RADIUS Filter ID attribute.4Default filter, to control access if there is no matching Filter ID for a user.Within each type of filter, you define a sequence of filtering rules. This sequence must be carefully planned and arranged in the order that you want them to take effect. You define each rule to either allow or deny traffic in either direction:●“In”: from a wireless device in to the network ●“Out”: from the network out to the wireless deviceThe final rule in any filter should be a catch-all for any traffic that did not match a filter. This final rule should either “allow all” or “deny all” traffic, depending on the requirements for network access. For example, the final rule in a Non-Authenticated Filter for Captive Portal is typically “deny all”. A final “allow all” rule in a Default Filter will ensure that a packet is not dropped entirely if no other match can be found.Each rule can be based on any one of the following:●destination IP address, or any IP address within a specified range that is on the network subnet (as a wildcard)●destination ports, by number and range●protocols (UDP, TCP, etc.)This is how the Summit WM-Series Switch software filters traffic:1The Summit WM-Series Switch software attempts to match each packet of a WM-AD to the filtering rules that apply to the wireless device user. 2If a filtering rule is matched, the operation (allow or deny) is executed. 3The next packet is fetched for filtering.The filtering sequence depends on the type of authentication:●No authentication (network assignment by SSID)Only the Non-Authenticated filter will apply. Specific network access can be defined. Since there will be no authentication, the final rule should be “deny all”.●Authentication by captive portal (network assignment by SSID)The Non-Authenticated filter will apply before authentication. Specific network access can be defined. The filter should also include a rule to allow all users to get as far as the Captive Portal webpage where the user can enter login identification for authentication. When authentication is returned, then the Filter ID group filters are applied. If no Filter ID matches are found, then the Default filter is applied.
WM Access Domain Services (WM-AD): IntroductionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide66●Authentication by AAA (802.1x)Since users have already logged in and have been authenticated, there is no need for a Non-Authenticated filter. When authentication is returned, then the Filter ID group filters are applied. For AAA, a WM-AD can have a subgoup with Login-LAT-group ID that has its own filtering rules. If no Filter ID matches are found, then the Default filter is applied. Privacy on a WM-AD: WEP and WPAPrivacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. Summit WM-Series Switch Software supports:●Wired Equivalent Privacy (WEP) which encrypts data sent between wireless nodes. Each node must use the same encryption key.●Wi-Fi Protected Access (WPA v.1 and WPA v.2) privacy, in Enterprise Mode (which specifies 802.1x authentication and requires an authentication server) or in Pre-Shared Key (PSK) mode (which relies on a shared secret). Encryption is by Advanced Encryption Standard (AES) or by Temporal Key Integrity Protocol (TKIP). If WPA v.2 is selected, both WPA v.1 and WPA v.2 are supported simultaneously, defaulting to the highest encryption method.Setting up a new WM-ADClick on the WM-AD Configuration tab in any screen. The WM Access Domain Configuration screen appears. For a new Summit WM-Series Switch Software installation, where no WM-AD has yet been defined, the screen is blank, except for the Add subnet function.Create a new WM-AD name1In the entry field above the Add subnet button, key in a name that will uniquely identify the new WM-AD.2Click on the Add subnet button. The name appears in the left-hand list. The Top olo gy screen appears.
Setting up a new WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 673In the left-hand list, highlight the name of the new WM-AD. You can now configure its parameters in the Topology screen.Configure the new WM-AD (overview of basic steps)1Select the network assignment mechanism from the Assignment by drop-down list:●SSID●AAA2In the SSID box at the right, key in the SSID that the wireless devices will use to access the Altitude AP.3Select the Altitude APs (by radio) to be assigned to this WM-AD. The displayed list of available Altitude APs has a checkbox for each radio on the Altitude AP. Each radio on a Altitude AP can be assigned to a maximum of four WM-ADs. When this maximum is reached, the radio will no longer be available in this list.4Configure other options for this WM-AD: Allow Management Traffic, Use DHCP Relay, Use 3rd Party APs, or Enable Priority Traffic Handling.5Define the DHCP settings for this WM-AD.6To save the new WM-AD Topology, click on the Save button.When the new Topology has been saved, the screen displays tabs for Auth & Acct, RAD Policy, Filtering, Multicast, and Privacy, for configuring these aspects of the new WM-AD.Before you configure the WM-AD, you must first define the Global Settings.
WM Access Domain Services (WM-AD): IntroductionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide68Global Settings for a WM-ADBefore defining specific WM Access Domain Service (WM-AD), define various settings that will apply to all WM-AD definitions. These global settings include:●enabling or disabling Priority Traffic Handling for voice-over internet traffic●identifying the location and password of RADIUS servers on the enterprise network The servers defined here will appear as available choices when you set up the authentication mechanism for each WM-AD. ●defining the shared secret used to encrypt the Pairwise Master Key (PMK) for WPA v.2 between Summit WM-Series Switchs on the network1In the WM Access Domain Configuration screen, in the left-hand list click on the Global Settings option. Enable Priority Traffic Handling for a VoIP WM-AD2The Priority Traffic Handling field is disabled by default. After you have defined a WM-AD, its name will appear in the drop-down list. To prioritize voice-over-internet traffic on a WM-AD, select its name from the drop-down list. 3To activate this setting, click on the Apply button.
Global Settings for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 69Define the RADIUS servers available on the network4For each RADIUS server, fill in the following fields:To display the shared secret (in order to proofread your entry before saving the configuration), click on the Unmask button. To mask the shared secret, click on the button again (the button toggles between Mask and Unmask). This precautionary step is recommended in order to avoid an error later when the Summit WM-Series Switch attempts to communicate with the RADIUS server.5To add the defined server to the list, click on the Add button.6To remove a defined server from the list, highlight it and click on the Remove selected server button.7To save these settings, click on the Save button.Key distribution between Summit WM-Series Switches8Key in a shared secret (between 8 and 63 characters long) to be used between Summit WM-Series Switches. Mask or unmask as you type, as described above. The same shared secret must also be defined on the other Summit WM-Series Switches on the network.9To save this Shared Secret, click on the Save button.Server Name Name of the RADIUS serverServer Address The IP address of the RADIUS serverShared Secret The password that is required in both directions that is set up on the RADIUS Server. This password is used to validate the connection between the Summit WM-Series Switch and the RADIUS Server.
WM Access Domain Services (WM-AD): IntroductionFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide70
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 716WM Access Domain ConfigurationFor each WM-AD, you define its topology, authentication, accounting, RADIUS servers, filtering, multicast parameters and privacy mechanism. When you set up a new WM-AD definition, the additional tabs will appear only after you save the Topology.Topology for a WM-ADIn the Top olog y screen, the key choice for a WM-AD is the type of network assignment, which determines all the other factors of the WM-AD. There are two options for network assignment:●SSID:●has Captive Portal authentication, or no authentication (as well as MAC-based authentication).●requires restricted filtering rules before authentication and, after authentication, filtering rules for group Filter IDs. ●is used for a WM-AD supporting wireless voice traffic (QoS).●is used for a WM-AD supporting third-party APs.●has WEP and WPA-PSK privacy.●AAA (Authentication, Authorization and Accounting):●has 802.1x authentication (as well as MAC-based authentication)●requires filtering rules for group Filter IDs and default filter.●has WEP and WPA (WPA v.1 and WPA v.2) privacy.Topology for a WM-AD for Captive PortalThe section describes how to set up a WM-AD for Captive Portal. In the WM Access Domain Configuration screen, highlight the WM-AD name in the left-hand list and click on the Top olo gy  tab.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide72Create an SSID for Captive Portal WM-AD1Using the Assignment by drop-down list, select SSID. 2In the SSID box, key in the SSID that wireless devices will use to access the Altitude AP.3Click the Suppress SSID checkbox on to prevent this SSID from appearing in the beacon message sent by the Altitude AP. The wireless device user seeking network access will not see this SSID as an available choice, and will need to specify it.Define the Session Timeout parameters for this WM-AD4In the Timeout area, in the Idle “pre” field, key in the number of minutes that a wireless device can be inactive before a session, and in the Idle “post” field, key in the number of minutes that a wireless device can be inactive after a session. In the Session area, key in the absolute time limit of a session (0 = no limit).Identify the Altitude AP radios that will be assigned to this WM-AD5From the displayed list of Altitude AP Radios that are available throughout the network, check the ones to be assigned to this WM-AD. NOTEIf two Summit WM-Series Switches have been paired for availability (as described in the Availability topic), each Summit WM-Series Switch's registered Altitude APs will appear as “foreign” in the list of available Altitude APs on the other Summit WM-Series Switch.Once you have assigned a Altitude AP radio to four WM-ADs, it will not appear in the list for another WM-AD setup. You can view the WM-ADs that each radio is participating in by clicking on each radio tab in the Altitude AP Configuration screen.
Topology for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 73Enable Management Traffic on this WM-AD6To use this WM-AD for Management Traffic such as SSH, HTTPS, or SNMP, click the Allow mgmt traffic checkbox on. Use this capability with caution, since it overrides the built-in exception filters that prohibit such traffic on the Summit WM-Series Switch data interfaces. (See also “Port-based exception filters: built-in” on page 39.)Enable Third Party Access Points on this WM-AD7If this WM-AD is to be used for third-party access points, click the Use 3rd Party AP checkbox on. The screen changes to include fields to enter the IP Address and MAC Address of the third-party access point. Use this function as part of the process defined in Chapter 9.Define a next hop route for this WM-AD8To define a static route specifically for this WM-AD, in the Next Hop Address field, key in the IP address of the next hop router on the network through which you wish all traffic on this WM-AD to be directed. If traffic from a wireless device on this WM-AD is destined outside of the WM-AD, then it is forwarded to the next hop IP address, where this router applies policy and forwards the traffic. This features applies to unicast traffic only.You can also modify the OSPF Route Cost.9To  disable OSPF Advertisement on this WM-AD, click the checkbox on.Set the IP address for the WM-AD (for the DHCP server on the Summit WM-Series Switch)10 In the Gateway box, key in the network IP address for the WM-AD. This IP address is the default gateway for the WM-AD. The Summit WM-Series Switch advertises this address to the wireless devices when they sign on. 11 In the Mask box, key in the appropriate subnet mask for this IP address, to separate the network portion from the host portion of the address (typically 255.255.255.0)The Address Ranges fields populate automatically (based on the IP address you keyed in) with the range of IP addresses to be assigned to wireless devices using this WM-AD.12 To modify the Address Ranges, key the first available address in the from box. Key the last available address in the to box.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide7413 If there are specific IP addresses to be excluded from this range, click on the Exclusions button. The Address Exclusion subscreen appears. 14 In the Exclusions subscreen, key in the IP addresses or address ranges to exclude. Click on the Add button after each entry. Click on the Save button to save the changes and return to the Topo log y screen.15 The Broadcast Address field populates automatically, based on the Gateway IP address and subnet mask of the WM-AD. Modify this if appropriate.16 In the Domain Name box, key in the external enterprise domain name. Set time limits for IP assignments17 In the Default Lease box, accept the default value of 36000 seconds (10 hours), or modify. This is the default time limit that an IP address would be assigned by the DHCP server to a wireless device.In the Max Lease box, accept the default value is 2592000 seconds (720 hours, 30 days), or modify. This is the maximum time that an IP address can be assigned. Set the name server configuration18 In the DNS Servers box, key in the IP Address of the Domain Name Server(s) to be used.19 If the DHCP server uses WINS (Windows Internet Naming Service), key in the IP address in the WINS box. If not, leave it blank.Use DHCP Relay for the WM-AD20 To use an external DHCP server, click the Use DHCP Relay checkbox on. The DHCP Settings area of the screen changes to display only the Gateway IP, Mask and DHCP Server fields. Key in the appropriate IP addresses and mask to reach the enterprise's external DHCP server.Use DHCP Relay to force the Summit WM-Series Switch to forward DHCP requests to an external DHCP server on the enterprise network. This function will bypass the local DHCP server on Summit WM-Series Switch (to bypass steps 10 to 19 above). This function allows the enterprise to manage IP address allocation to a WM-AD from its existing infrastructure.
Topology for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 75The range of IP addresses to be assigned to the wireless device users on this WM-AD should also be designated on the external DHCP server.Save the new WM-AD21 To save this WM-AD configuration, click on the Save button.When the new Topology has been saved, the screen changes to display tabs for Authentication and Accounting, RAD Policy, Filtering, Multicast and Privacy.Topology for a WM-AD for AAAFor a WM-AD with 802.1x authentication, select Network Assignment by AAA (Authentication, Authorization, Accounting) in the To pol ogy  screen. In the WM Acess Domain Configuration screen, highlight the WM-AD name in the left-hand list and click on the Top olo gy  tab.Create an AAA topology1Using the Assignment by drop-down list, select AAA. 2To configure the WM-AD, follow steps 2 to 20 above, for the Topology for Captive Portal (SSID network assignment), with the exception of step 7. Configuring a WM-AD for Third-party APs is only available with SSID network assignment.Save the new WM-AD3To save this WM-AD configuration for AAA, click on the Save button.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide76Authentication for a WM-ADThe next step in configuring a WM-AD is to set up the Authentication mechanism in the Authentication and Accounting screen. There are various combinations available:●If network assignment is by SSID, authentication can be:●none●by Captive Portal using internal Captive Portal●by MAC-based authentication●If network assignment is by AAA (802.1x), authentication can be:●by 802.1x authentication, the wireless device user must be authenticated before gaining network access●by MAC-based authenticationThe first step for any type of authentication is to select RADIUS servers (defined in the Global Settings screen), to be used for:●Authentication●Accounting●MAC-based authenticationMAC-based authentication enables network access to be restricted to specific devices by MAC address. The Summit WM-Series Switch queries a RADIUS server for MAC address when a wireless client attempts to connect to the network. This is available in addition to the other types of authentication for all WM-AD definitions.The chart below shows the authentication and accounting combinations available: Table 4: Authentication types and featuresAccounting CDR Internal CPSSID / None Unavailable Unavailable UnavailableSSID / MAC Unavailable Unavailable UnavailableSSID / Int. Auth Configurable Configurable ConfigurableSSID / Ext. Auth Configurable if ExtCP=TConfigurable if ExtCP=T  UnavailableSSID / MAC / Int Auth Configurable Configurable ConfigurableSSID / MAC / Ext Auth Configurable if ExtCP=TConfigurable if ExtCP=T UnavailableAAA Configurable Configurable UnavailableAAA / MAC Configurable Configurable Unavailable
Authentication for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 77Vendor Specific Attributes (VSAs)In addition to the standard RADIUS message, you can include Vendor Specific Attributes (VSAs). The Summit WM-Series Switch Software authentication mechanism provides six Vendor Specific Attributes (VSAs), for RADIUS and other authentication mechanisms. The first five of these VSAs provide information about the identify of the specific Altitude AP that is handling the wireless device, enabling the provision of location-based services.The RADIUS message also includes RADIUS attributes “Called-Station-Id” and “Calling-Station-Id” in order to include the MAC address of the wireless device.Authentication for a WM-AD for Captive PortalFor Captive Portal authentication, the wireless device connects to the network, but can only access the specific network destinations defined in the Non-Authenticated Filter (see “The non-authenticated filter for Captive Portal” on page 87). One of these destinations should be a server (internal) that presents a web page logon screen (the Captive Portal). The wireless device user must input an ID and a Password. This request for authentication is sent by the Summit WM-Series Switch to a RADIUS server or other authentication server. Based on the permissions returned from the authentication server, the Summit WM-Series Switch implements policy and allows the appropriate network access.There are three mechanisms by which Captive Portal authentication can be carried out:●internal Captive Portal: the Summit WM-Series Switch presents the Captive Portal webpage, carries out the authentication and implements policyCaptive Portal authentication relies on a RADIUS server on the enterprise network. Table 5: Vendor Specific Attributes in RADIUSVSA Attribute Name  Attribute # CommentAP-Name 1Name of Altitude AP as specified in the AP Properties screenAP-Serial 2Altitude AP Serial number from manufacturingAP-Radio 3The Altitude AP radio type the client has connected toWM-AD-Name 4The WM-AD that the user associated withSSID 5Value of SSID that the user associated withURL-Redirection 6Provides the specific URL that the user will be redirected to
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide78Set up authentication by Captive Portal1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. The Authentication and Accounting screen appears (in the Captive Portal version if network assignment is by SSID).2In the right-hand portion of the screen, there are three options:●Auth. to define authentication servers●MAC to define servers for MAC-based authentication●Acct. to define accounting serversSelect Auth. A box appears around this area of the screen.3From the drop-down list of RADIUS servers that were defined in the Global Settings screen, select the server you wish to use for Captive Portal authentication. Click on the Use button. The boxed area fills with fields displaying the default information about this server. This server is no longer available in the drop-down list.
Authentication for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 79The server name now appears in the list of configured servers (beside the Up and Down buttons) where it can be prioritized for RADIUS redundancy. It can also be assigned again for MAC-based authentication or accounting purposes. A red asterisk appears in the right-hand list, showing that a server has been assigned.4Fill in the following fields:5In the Auth. Type field, select the authentication protocol to be used by the RADIUS server to authenticate the wireless device users (for a WM-AD with Captive Portal authentication).6In the Include VSA Attributes area, click on the appropriate checkbox to include the Vendor Specific Attributes in the message to the RADIUS server: AP Identification, WM-AD Identification, and SSID Identification. The Vendor Specific Attributes must be defined on the RADIUS Server.7If appropriate, click the Set as primary server checkbox on.8To save this configuration, click on Save.NOTEIf you have already assigned a server to either MAC-based authentication or accounting, and wish to use it again for authentication, highlight its name in the list beside the Up and Down buttons. Click the Use server for Authentication checkbox on. The boxed area populates with fields about this server.Define the RADIUS server priority for RADIUS redundancyIf more than one server has been defined for any type of authentication, you can define the priority of the servers in the case of failover. 1Select from the drop-down list: Configured Servers, Authentication Servers, MAC Servers, Accounting Servers.2Highlight a RADIUS server in the list and use the Up or Down key to change the order. The first server in the list is the active one. In the event of a failover of the main RADIUS server (if no response after the set number of retries), then the other servers in the list will be polled on a round-robin basis until one responds.Port # The port used to access the RADIUS server (default: 1812)# of Retries Number of times the Summit WM-Series Switch will attempt to access the RADIUS serverTimeout The maximum time that a Summit WM-Series Switch will wait for a response from the RADIUS server before attempting againNAS Identifier Network Access Server (NAS) identifier, a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS Servers and then acting on the response returned. [Optional] PAP (Password Authentication Protocol) CHAP (Challenge Handshake Authentication Protocol)MS CHAP (Windows-specific version of CHAP)MS CHAP v2 (Windows-specific version of CHAP, version 2)
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide80If one of the other servers becomes the active one during a failover, an “A” will appear after that server name. If all defined RADIUS servers fail to respond, a critical message is generated in the logs.3To run a test of the Summit WM-Series Switch’s connection to all configured RADIUS servers, click on the Tes t button. In the pop-up screen, key in your User ID and click on the Te st   button. 4To view a summary of the RADIUS test results, click on the View Summary button. 5To save the authentication parameters for this WM-AD, click on the Save button.Configure Captive Portal for internal authenticationClick on the Configure Captive Settings button in the Authentication screen. The Captive Portal Settings subscreen appears.On the Captive Portal Settings subscreen, you have three options (radio buttons):●No Captive Portal Support●Internal Captive Portal: define the parameters of the internal Captive Portal page presented by the Summit WM-Series Switch, and the authentication request from the Summit WM-Series Switch to the RADIUS serverConfigure the Captive Portal settings for internal Captive Portal1Click on the Internal Captive Portal radio button in the Captive Portal Settings screen. 2Key in the text that will appear on the Captive Portal page.Login Label The text that will appear as a label for the user login fieldPassword Label The text that will appear as a label for the user password field
Authentication for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 813Key in the locations of the header and footers.4In the Message field, key in the message that will appear above the login field to greet the user. For example, this could explain why this Captive Portal page is appearing, and what the user should do. 5If use a Fully Qualified Domain Name (FQDN) as the gateway address, key in the appropriate name in the Replace Gateway IP with FQDN field.6Key in the Default Redirection URL.7Click on the appropriate checkboxes to include the following VSA Attributes in the message to the authentication server: AP Serial number, AP Name, WM-AD Name, SSID, MAC Address. Check whether these apply to the header or footer of the Captive Portal page. These choices influence what URL is returned in either area. For example, wireless users can be identified by which Altitude AP or which WM-AD they are associated with, and can be presented with a Captive Portal web page that is customized for those identifiers.Refer to a separate Technical Note for instructions on integrating the VSA information into Captive Portal authentication display.8To provide either of two buttons on a popup status page, click the appropriate checkbox on:●Logoff, for a button that displays a popup logoff screen, allowing users to control their logoff●Status check, for a button that displays a popup window with session statistics for users to monitor their usage and time left in session.9To save this configuration, click on Save.10 To see how the Captive Portal page you have designed will look (after saving the configuration), click on the View Sample Portal Page button.NOTEIn order for Captive Portal authentication to work, all the URLs referenced in the Captive Portal setup must also be specifically identified and allowed in the Non-Authenticated Filter (see “The non-authenticated filter for Captive Portal” on page 87).Header URL The location of the file to be displayed in the Header portion of the Captive Portal screen. This page can be customized to suit your company, with logos or other graphics. (Caution: Ensure that such graphics in the header are not so large that they push the login area out of view.)Footer URL The location of the file to be displayed in the Footer portion of the Captive Portal screen
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide82Authentication for a WM-AD for AAASet up authentication by AAA (802.1x) method1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. For an AAA WM-AD, the AAA version of the Authentication screen appears.2Follow steps 2 to 10 described above for Captive Portal, except for Step 5 (Authentication Type) which does not apply to AAA. See “Authentication for a WM-AD for Captive Portal” on page 77.3To save the authentication parameters for this WM-AD, click on the Save button.MAC-based authentication for a WM-ADMAC-based authentication enables network access to be restricted to specific devices by MAC address. The Summit WM-Series Switch queries a RADIUS server for MAC address when a wireless client attempts to connect to the network. MAC-based authentication can be set up on any type of WM-AD, in addition to the Captive Portal or AAA authentication.To set up a RADIUS server for MAC-based authentication, you must set up a user account with UserID=MAC and Password=MAC for each user. If MAC-based authentication is to be used in conjunction with the 802.1x or Captive Portal authentication, an additional account with a real “UserID” and “Password” must also be set up on the RADIUS server.
Authentication for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 83Define MAC-based authentication for a WM-AD1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Auth & Acct tab. The Authentication and Accounting screen appears (in either Captive Portal or AAA versions depending on network assignment). In the right-hand portion of the screen, select MAC. A box appears around this area of the screen.2From the drop-down list of RADIUS servers defined in the Global Settings screen, select the server you wish to use for MAC-based authentication. Click on the Use button.The boxed area fills with fields displaying the default information about this server. Alternatively, highlight a server name that has already been used for another type of authentication, or accounting, and click on the checkbox User server for MAC Authentication.3Fill in the fields described above for Captive Portal authentication or for AAA authentication.4In the Auth. Type field, select the authentication protocol to be used by the RADIUS server to authenticate the wireless device users (for a Captive Portal WM-AD), as described above for Captive Portal authentication.5In the Include VSA Attributes area, click on the appropriate checkbox to include the Vendor Specific Attributes in the message to the RADIUS server: AP Identification, WM-AD Identification, and SSID Identification. The Vendor Specific Attributes must be defined on the RADIUS Server.6To enable MAC-based authentication on roam, click the checkbox on.7To save these authentication parameters for this WM-AD, click on the Save button.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide84Accounting for a WM-ADThe next step is to enable and configure, for a WM-AD, the methods of accounting to track the activity of a wireless device users. Two types of accounting can be enabled:●Summit WM-Series Switch Accounting: enables the Summit WM-Series Switch to generate Call Data Records (CDRs) in a flat file on the Summit WM-Series Switch●RADIUS Accounting: enables the Summit WM-Series Switch to generate an “accounting request packet” with an “accounting start record” after successful login by the wireless device user and an “accounting stop record” based on session termination. The Summit WM-Series Switch sends the accounting requests to a remote RADIUS server.Summit WM-Series Switch Accounting creates Call Data Records (CDRs) in a standard format of user session information, such as start time and duration of session. The CDRs are stored in flat files that be downloaded via the CLI.If you enable RADIUS Accounting, you need to specify a RADIUS accounting server.Enable and configure accounting methods for this WM-AD1In the WM Access Domain Configuration screen, click on the Auth & Acct tab. The Authentication screen appears, for the highlighted WM-AD. 2In the RADIUS Accounting area of the screen, to enable Summit WM-Series Switch Accounting, click the Collect Accounting Information checkbox on. 3From the drop-down list of RADIUS servers that were defined in the Global Settings screen, select the server you wish to use for RADIUS accounting. Click on the Use button.The Acct. portion of the screen displays the information about this server, and it is no longer available in the list.4Click the Use server for Accounting checkbox on.5Fill in the fields as described above for the Authentication server.6Type in the RADIUS Accounting Interim Interval. Interim accounting records are sent out if the interim time interval is reached before the session ends. The default is 60 minutes.7To save this configuration, click on Save.RADIUS Policy for a WM-ADThe next step is to define the Filter ID values for a WM-AD. These Filter ID values must match those set up on the RADIUS servers.
RADIUS Policy for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 85RADIUS Policy for Captive Portal1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the RAD Policy tab. For a WM-AD with SSID network assignment, the Captive Portal version of the RADIUS Policy screen appears.Define the Filter ID values on this WM-AD.1In the Filter ID Values entry field, key in the name of a group that you want to define specific filtering rules for, to control network access. Click on the Add button. The Filter ID value appears in the list above.Repeat for additional Filter ID values.These will appear in the Filter ID list in the Filtering screen. These Filter ID values must match the those set up for the Filter-ID attribute in the RADIUS server.2To save the Filter ID values for this WM-AD, click on the Save button.RADIUS Policy for AAA and AAA groupsIn addition the Filter ID values described above, you can also set up group ID, for a WM-AD with AAA authentication. You can set up a group within a WM-AD that relies on the RADIUS attribute Login-LAT-Group (RFC2865). For each group, you can define filtering rules to control access to the network.If you define a group within an AAA WM-AD, the group (or child) definition acquires the same authentication and privacy parameters as the parent WM-AD. However, you need to define a different topology and filtering rules for this group.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide86Define the Filter ID values on this WM-AD1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the RAD Policy tab. For a WM-AD with AAA network assignment, the AAA version of the RADIUS Policy screen appears.1In the Filter ID Values entry field, key in the name of a group that you want to define specific filtering rules for, to control network access. Click on the Add button. The Filter ID value appears in the list above. Repeat for additional Filter ID values.These will appear in the Filter ID list in the Filtering screen. These Filter ID values must match the those set up for the Filter-ID attribute in the RADIUS server.2To create and define a WM-AD Group within the selected parent WM-AD, key in the name in the WM-AD Group Name field. Then click on the Add button.The Group Name will appear as a child of the parent WM-AD in the left-hand list.3To save the Filter ID values and Group definition for this WM-AD, click on the Save button.Filtering rules for a WM-ADThe next step is to configure the filtering rules for a WM-AD. Four types of filters are applied by the Summit WM-Series Switch in the following order:1Exception filter, to provide the administrator optional additional flexibility in securing the system and blocking Denial of Service (DoS) attacks, on any type of WM-AD.2Non-Authenticated filter, with restrictive filtering rules that apply before authentication, to control network access and to direct users to a Captive Portal web page for login.3Group filters (by Filter ID) for designated user groups, that apply after authentication, when the RADIUS server returns the “access-accept” message along with the Filter-ID attribute value associated with the user.4Default filter, to control access if there is no matching Filter ID for a user.
Filtering rules for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 87For an AAA WM-AD, since users have already been authenticated, there is no need for a Non-Authenticated filter. When authentication is returned, then the Filter ID group filters are applied. For AAA, a WM-AD can have a subgoup with Login-LAT-group ID that has its own filtering rules. If no Filter ID matches are found, then the Default filter is applied. Filtering rules for an exception filterThe exception filter on an WM-AD applies only to the destination portion of the packet. The screen is set to allow or deny (allow left unchecked) traffic to the specified IP address and IP port.Adding the exception filtering rules allows the network administration to either tighten or relax the built-in filtering that automatically drops packets not specifically allowed by filtering rule definitions. The exception filtering rules could deny access in the event of DoS attack, or on the other hand, could allow certain types of management traffic that would otherwise be denied.Define the filtering rules for an exception filter1In the WM Access Domain Configuration - Filtering screen, using the Filter ID drop-down list, select Exception. 2Follow the steps described below for the non-authenticated filter.The non-authenticated filter for Captive PortalThe non-authenticated filter should allow access to the Captive Portal page IP address, as well as to any URLs for the header and footer of the Captive Portal page. The filter should also allow network access to the IP address of the DNS server and to the Network Address, the Gateway, of the WM-AD (the WM-AD Gateway is used as the IP for the Captive Portal page). You can also set up filtering rules to allow access, before authentication, to explicitly defined areas of the network. Then you must deny all other access.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide88Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach websites other than those specifically allowed in the Non-Authenticated Filter will be redirected to the allowed destinations. Most HTTP traffic outside of those defined in the non-authenticated filter will be redirected.All other network access will be controlled after the user is authenticated, when the filter ID or default filtering rules are applied. The wireless device user who does not authenticate will not get a wireless session.Define filtering rules for a non-authenticated filter1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Filtering tab. For a WM-AD with SSID network assignment, the Captive Portal version of the Filtering screen appears. 2Using the Filter ID drop-down list, select Non-Authenticated. The Filtering screen automatically provides a “Deny All” rule already in place. Use this rule as the final rule in the Non-Authenticated Filter for Captive Portal.3For each filtering rule you are defining: 4For Captive Portal, define a rule to allow access to the default gateway for this WM-AD. Select IP / Port and key in the default gateway IP address that you defined in the Top olo gy screen for this WM-AD.5Click on the Add button. The information appears in a new line in the Filter Rules area of the screen. IP / Port: Type in the destination IP address. You can also specify an IP range, a port designation or a port range on that IP address.Protocol: Default is N/A. To specify a protocol, select from the drop-down list (may inc l u de  U D P,  TC P,  I P se c - E SP,  I P se c - A H,  I C MP) .
Filtering rules for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 896Highlight the new filtering rule and fill in (or leave unchecked) the three checkboxes in the combinations that define the traffic access:For Captive Portal, to allow access to the defined IP address, check all three boxes on.7Edit the order of a filtering rule by highlighting the line and clicking on the Up and Down buttons. The filtering rules are executed in the order defined here.8To save the filtering rules, click on the Save button.Non-authenticated filters: examplesA basic Non-Authenticated filter for Captive Portal should have three rules in this order:If you put URLs in the header and footer of the Captive Portal page, you must include a filtering rule to allow traffic to each of these URLs. Put these rules above the “deny everything” rule.Here is another example of a Non-Authenticated Filter that adds two more filtering rules: one denies access to a specific IP address, and the next rule allows only HTTP traffic, before denying all other access:In: Click checkbox on to refer to traffic from the wireless device that is trying to get on the network (“going to” the network)Out: Click checkbox on to refer to traffic from the network host that is trying to get to a wireless device. (“coming from” the network)Allow: Click checkbox on to allow. Leave unchecked to disallow.In Out Allow IP / Port Descriptionx x x IP address of the Default GatewayAllow all incoming wireless devices access to the default gateway of the WM-AD.x x x IP address of the DNS ServerAllow all incoming wireless devices access to the DNS server of the WM-AD.x x *.*.*.* Deny everything else.In Out Allow IP / Port Descriptionx x x IP address of the Default GatewayAllow all incoming wireless devices access to the default gateway of the WM-AD.x x x IP address of the DNS ServerAllow all incoming wireless devices access to the DNS server of the WM-AD.x x [a specific IP address, or address plus range]Deny all traffic to a specific IP address, or to a specific IP address range (such as :0/24).x x x *.*.*.*:80 Allow all port 80 (HTTP) traffic.x x *.*.*.* Deny everything else.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide90Once a wireless device user has logged in on the Captive Portal page, and has been authenticated by the RADIUS server, then the following filters will apply:●Filter ID Filter, if a Filter ID associated with this user was returned the authentication server●Default Filter, if no matching Filter ID was returned from the authentication serverThese filters are described below. Filtering rules for a Filter ID groupThe next step is to define the filtering rules for the Filter ID values on the WM-AD.When the wireless device user enters a login identification, that identification is sent by the Summit WM-Series Switch to the RADIUS server or other authentication server, through a sequence of exchanges depending on the type of authentication protocol used. When the server allows this request for authentication (sends an “access-accept” message), the RADIUS server may also send back to the Summit WM-Series Switch a Filter ID attribute value associated with the user. For an AAA WM-AD, a Login-LAT-Group identifier for the user may also be returned. If the Filter ID attribute value (or Login-LAT-Group attribute value) from the RADIUS server matches a Filter ID value that you have set up on the Summit WM-Series Switch, the Summit WM-Series Switch applies to the wireless device user the filtering rules that you defined for that Filter ID value. If no Filter ID is returned by the authentication server, or no match is found on the Summit WM-Series Switch, then the filtering rules in the Default Filter will apply to the wireless device user.
Filtering rules for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 91Define filtering rules for a Filter ID group1In the WM Access Domain Configuration screen, click on the Filtering tab. The Filtering screen appears for the highlighted WM-AD. 2Using the Filter ID drop-down list, select one of the names you defined in the Filter ID Values field in the Authentication screen [one of your enterprise's user groups, such as Sales, Engineering, Teacher, Guest....]The screen automatically provides a “Deny All” rule already in place. This can be modified to “Allow All”, if appropriate to the network access needs for this WM-AD.3Select one of the following as the basis for each filtering rule you are defining: 4Click on the Add button. The information appears in a new line in the Filter Rules area of the screen. 5Highlight the new filtering rule and fill in (or leave unchecked) the three checkboxes in the combinations that define the traffic access:6Edit the order of a filtering rule by highlighting the line and clicking on the Up and Down buttons. The filtering rules are executed in the order defined here7To save the filtering rules, click on the Save button.IP / Port: Type in the destination IP address, and if desired, the port designation on that IP address.Protocol: Select from the drop-down list (may incl u d e  UD P,  T C P, I P s e c- E S P, I P s e c- A H , ICMP)In: Click checkbox on to refer to traffic from the wireless device that is trying to get on the network (“going to” to network)Out: Click checkbox on to refer to traffic from the network host that is trying to get to a wireless device. (“coming from” the network)Allow: Click checkbox on to allow. Leave unchecked to disallow
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide92Filtering Rules by Filter ID: ExamplesBelow are two examples of possible filtering rules for a Filter ID. The first disallows only some specific access before allowing everything else.The second example does the opposite of the first example. It allows only some specific access and denies everything else. Filtering rules for a default filterAfter authentication of the wireless device user, the default filter will apply only after:●no match is found for the Exception flittering rules●no Filter ID attribute value is returned by the authentication server for this user●no match is found on the Summit WM-Series Switch for a Filter ID valueThe final rule in the Default filter should be a catch-all for any traffic that did not match a filter. A final “allow all” rule in a Default Filter will ensure that a packet is not dropped entirely if no other match can be found.In Out Allow IP / Port Descriptionx x *.*.*.*:22-23 Deny all telnet sessionsx x [specific IP address, range] Deny all traffic to a specific IP address or address rangex x x *.*.*.*. Allow everything elseIn Out Allow IP / Port Descriptionx x x [specific IP address, range] Allow traffic to a specific IP address or address range.x x *.*.*.*. Deny everything else.
Filtering rules for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 93Define the filtering rules for a default filter1In the WM Access Domain Configuration - Filtering screen, using the Filter ID drop-down list, select Default. 2Follow Steps 2 to 6, as described above for Filter ID values rules.3To save the filtering rules, click on the Save button.Default Filter: ExamplesHere is an example of filtering rules for a Default Filter:In Out Allow IP / Port Descriptionx x Intranet IP, range Deny all access to an IP rangex x Port 80 (HTTP) Deny all access to web browsingx x Intranet IP Deny all access to a specific IPx x x *.*.*.*. Allow everything else
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide94Here is another example of filtering rules for a Default Filter:Filtering Rules for an AAA Group WM-ADIf you defined a child group for an AAA WM-AD, it will have the same authentication parameters and Filter IDs as the parent WM-AD. However, you can define different filtering rules for these Filters IDs in the child configuration than in the parent configuration. 1In the WM Access Domain Configuration screen, highlight the WM-AD group name in the list and click on the Filtering tab. The Filtering screen for this WM-AD group appears.2Follow Steps 2 to 6, as described above for a parent WM-AD.3To save the filtering rules, click on the Save button.Filtering rules between two wireless devicesTraffic from two wireless devices that are on the same WM-AD and are connected to the same Altitude AP will pass through the Summit WM-Series Switch and therefore be subject to filtering policy. You can set up filtering rules that allow each wireless device access to the default gateway, but prevent each device from communicating each other. Add the following two rules to a Filter ID filter before allowing everything else:In Out Allow IP / Port DescriptionxPort 80 (HTTP) on host IP Deny all incoming wireless devices access to web browsing the hostxIntranet IP 10.3.0.20, ports 10-30 Deny all traffic from the network to the wireless devices on the port range, such as TELNET (port 23) or FTP (port 21)x x Intranet IP 10.3.0.20 Allow all other traffic from the wireless devices to the Intranet networkx x Intranet IP 10.3.0.20 Allow all other traffic from Intranet network to wireless devicesx x x *.*.*.*. Allow everything elseIn Out Allow IP / Port Descriptionx x x [Intranet IP] Allow access to the Gateway IP address of the WM-AD onlyx x [Intranet IP, range] Deny all access to the WM-AD subnet range 0/24x x x *.*.*.*. Allow everything else
Multicast for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 95Multicast for a WM-ADA mechanism that supports multicast traffic can be enabled as part of a WM-AD definition. This is provided to support the demands of VoIP and IPTV network traffic, while still providing the network access control.In the Multicast screen, you define a list of multicast groups whose traffic is allowed to be forwarded to and from the WM-AD. The default behavior is to drop the packets. For each group defined, you can enable Multicast Replication by group.1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Multicast tab. The Multicast screen for this WM-AD appears.2To enable the multicast function, click the Enable Multicast Support checkbox on.3Define the multicast groups by clicking one of the radio buttons:●IP Group: Key in the IP address range ●Defined groups: select from the drop-down list.4Click on the Add button. The group appears in the list above.5To enable the defined multicast replication for this group, click the Wireless Replication checkbox on.6To modify the priority of the multicast groups, highlight the group row and click the Up or Down buttons.7A “Deny all” rule is automatically added as the last rule (IP = *.*.*.* and the Replication box left unchecked). This ensures that all other traffic is dropped.8To save these settings, click on the Save button.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide96Privacy for a WM-ADPrivacy for a WM-AD for Captive PortalFor the Captive Portal WM-AD, there are three options for the Privacy mechanism:●None●Static Wired Equivalent Privacy (WEP) keys for a selected WM-AD, so that it matches the WEP mechanism used on the rest of the network. You can assign each radio on a Altitude AP to up to four WM-ADs by SSID. For each WM-AD, only one WEP key can be specified. Summit WM-Series Switch Software always uses the first key (key index 0).●Wi-Fi Protected Access (WPA) privacy in PSK mode, using a Pre-Shared Key (PSK), or shared secret for authentication. WPA a new security solution that adds authentication to enhanced WEP encryption and key management. WPA in PSK mode does not require an authentication server (suitable for home or small office). Configure Privacy by static WEP for a Captive Portal WM-AD1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Privacy tab. For a WM-AD with SSID network assignment, the Captive Portal version of the Privacy screen appears.2For no privacy mechanism on this WM-AD, click on the None radio button.3To configure static keys for WEP, click on the Static Keys (WEP) radio button.4From the drop-down list, select the WEP Key Length: 40-bit, 104-bit, 128-bit5Click on the appropriate radio button to select the Input Method: Input Hex, Input String.6Type in the WEP key input, as appropriate to the technique selected. The key is generated automatically, based on the input.7To save these settings, click on the Save button.
Privacy for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 97Configure privacy by WPA-PSK for a Captive Portal WM-AD1In the WM Access Domain Configuration screen, click on the Privacy tab. The Privacy screen appears for the highlighted WM-AD. 2To configure privacy by WPA-PSK, click on the WPA-PSK radio button.3Type in the Pre-Shared Key (PSK), or shared secret, to be used between the wireless device and Altitude AP. The key should be between 8 and 63 characters. It is used to generate the 256-bit key.4To display the Pre-Shared Key (in order to proofread your entry before saving the configuration), click on the Unmask button. To mask the key again, click on the button again (the button toggles between Mask and Unmask).5To enable re-keying after a time interval, click the Broadcast re-key interval checkbox on (the default is on). Type in the re-key time interval (the time after which the broadcast encryption key is changed automatically) in seconds.If the box is unchecked, the Broadcast encryption key is never changed and the Altitude AP will always use the same broadcast key for Broadcast/Multicast transmissions. Note that this reduces the level of security for wireless communications.6To save the privacy parameters for the new WM-AD, click on the Save button.Privacy for a WM-AD for AAAFor a WM-AD with authentication by 802.1x (AAA), there are four Privacy options:●Static keys (WEP)●Dynamic keys●Wi-Fi Protected Access (WPA) version 1, with encryption by Temporal Key Integrity Protocol (TKIP)●Wi-Fi Protected Access (WPA) version 2, with encryption by Advanced Encryption Standard with Counter-Mode/CBC-MAC Protocol (AES-CCMP)
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide98Set up static WEP privacy for a WM-AD for AAA1In the WM Access Domain Configuration screen, highlight the WM-AD name and click on the Privacy tab. For a AAA WM-AD, the AAA version of the Privacy screen appears.2To use static keys, click on the Static Keys (WEP) radio button. 3From the drop-down list, select the WEP Key Length: 40-bit, 104-bit, 128 bit4Click on the appropriate radio button to select the Input Method: Input Hex, Input String.5Type in the WEP key input, as appropriate to the technique selected. The key is generated automatically, based on the input.6To save these settings, click on the Save button.Set up dynamic WEP privacy for a selected AAA WM-ADThe dynamic key WEP mechanism changes to key for each user and each session.1To use dynamic keys, click on the Dynamic Keys radio button.2To save these settings, click on the Save button.Privacy for a WM-AD for AAA: Wi-Fi Protected Access (WPA v1 and WPA v2)The WM-AD Privacy function supports Wi-Fi Protected Access (WPA v1 and WPA v2), a security solution that adds authentication to enhanced WEP encryption and key management. The authentication portion of WPA for AAA is in Enterprise Mode: ●Specifies 802.1x with Extensible Authentication Protocol (EAP)●Requires a RADIUS or other authentication server●Uses RADIUS protocols for authentication and key distribution●Centralizes management of user credentials
Privacy for a WM-ADFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 99The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:●a per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet or after the specified re-key time interval.●a extended WEP key length of 256-bits●an enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise.●a Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to calculate and compare, between sender and receiver, the value of all bits in a message, to ensure that the message has not been tampered with.The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES includes:●a 128 bit key length, for the WPA2/802.11i implementation of AES●four stages that make up one round. Each round is iterated 10 times. a per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet or after the specified re-key time interval.●the Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. The two underlying modes employed in CCM include ●Counter mode (CTR) that achieves data encryption ●Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide data integrityThe steps in the WPA authentication and encryption process are as follows:1The wireless device client associates with Altitude AP.2Altitude AP blocks the client's network access while the authentication process is carried out (the Summit WM-Series Switch sends the authentication request to the RADIUS authentication server).3The wireless client provides credentials that are forwarded by the Summit WM-Series Switch to the authentication server.4If the wireless device client is not authenticated, the wireless client stays blocked from network access.5If the wireless device client is authenticated, the Summit WM-Series Switch distributes encryption keys to the Altitude AP and the wireless client.6The wireless device client gains network access via the Altitude AP, sending and receiving encrypted data. The traffic is controlled with permissions and policy applied by the Summit WM-Series Switch.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide100Set up Wi-Fi Protected Access privacy (WPA) for an AAA WM-AD1To set up WPA privacy on the WM-AD, click on the WPA radio button.2To enable either WPA v1 or WPA v2, or both, click the appropriate checkboxes on.3To enable re-keying after a time interval, click the Broadcast re-key interval checkbox on (the default is on). Type in the re-key time interval (the time after which the broadcast encryption key is changed automatically) in seconds.If the box is unchecked, the Broadcast encryption key is never changed and the Altitude AP will always use the same broadcast key for Broadcast/Multicast transmissions. Note that this reduces the level of security for wireless communications.4To save the privacy parameters for the new WM-AD, click on the Save button.A WM-AD with no authenticationYou can choose to set up a WM-AD that will bypass all authentication mechanisms and run Summit WM-Series Switch Software with no authentication of a wireless device user. On such a WM-AD, however, you can still control network access with filtering rules. See “The non-authenticated filter for Captive Portal” on page 87 for information on how to set up filtering rules that allow access only to specified IP addresses and ports.Set up a WM-AD with no authentication1In the WM Access Domain Configuration screen, highlight the WM-AD name in the left-hand list and click on the Topo logy tab.2In the Top olog y screen, select Network Assignment by SSID. Follow the steps described above for a WM-AD for Captive Portal. Save the new WM-AD Topology by clicking on the Save button. 3Click on the Authentication tab for this WM-AD. Click on the Configure Captive Portal button. 4In the Configure Captive Portal subscreen, select the No Captive Portal radio button, for no authentication on this WM-AD, then click on the Save button.
A WM-AD for voice trafficFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1015In the Filtering screen, define a Non-Authenticated Filter that will control specific network access for any wireless device users on this WM-AD. These rules should be very restrictive. The final rule should be a “Deny All” rule. The Non-Authenticated Filter for a WM-AD with no authentication will not have a Captive Portal page for login.A WM-AD for voice trafficVoice data traffic on a wireless networkNew developments are enabling the integration of internet telephony technology on wireless networks – Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks (WLANs). VoIP over 802.11 WLANs raises various issues including quality-of-service (QoS), call control, network capacity, and network architecture.Wireless voice data requires a constant transmission rate and must be delivered within a time limit. This type of data is called isochronous data. This requirement for isochronous data is in contradiction to the concepts in the 802.11 standard that allow for data packets to wait their turn, to avoid data collisions. (Regular traffic on a wireless network is an asynchronous process in which data streams are broken up by random intervals.)The solution is to add mechanisms to the network that give voice data traffic priority over all other traffic, and allow for continuous transmission of voice traffic.Summit WM-Series Switch Software provides advanced Quality of Service (QoS) management, in order to provide better network traffic flow. Such techniques include:●WMM (Wi-Fi Multimedia): enabled globally on the Altitude AP, for devices with WMM enabled., the standard provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS.●IP ToS (Type of Service) or DSCP (Diffserv Codepoint): the ToS/DSCP field in the IP header of a frame is used to indicate the priority and Quality of Service for each frame. The IP TOS and/or DSCP is maintained within CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS information to the CTP header — this is referred to as Adaptive QoS. Quality of Service (QoS) management is also provided by:●assigning high priority to a WM-AD●static configuration of an SSID●support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice trafficSetting up a WM-AD for voice trafficIn order to set up a WM-AD for voice-over-internet traffic, a number of factors should be taken into account, on the enterprise network and in the Summit WM-Series Switch Software system.On the enterprise network, the wireless telephone users will require access to:●a private branch exchange (PBX), a private telephone system within an enterprise, with such features as voicemail.
WM Access Domain ConfigurationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide102●a Telephony Gateway, for access to an external standard telephone network, such as the wireless cellular network or the public switched telephone network (PSTN). The Telephony Gateway should be located on the same subnet as the Summit WM-Series Switch.For large deployments, an SVP server is required on the enterprise network, if Spectralink devices are to be supported.In Summit WM-Series Switch Software, configure the WM-AD for voice-over-internet traffic as follows: 1In the Top olog y screen, set network assignment by SSID2In the Authentication screen, set authentication to No Captive Portal (no authentication), since wireless telephone users do not have a user interface in which they can enter authentication identification3In the Multicast screen, ●enable Multicast by clicking the checkbox on ●define the multicast groups by IP address range, or select a predefined multicast group from the drop-down list (such as Spectralink-enabled devices using the SVP Protocol).4In the Filtering screen, define rules that allow access to the DNS server, to the Telephony Gateway, and then deny all other traffic5In the Privacy screen, set privacy to use 104-bit WEP key (recommended for greater security).6As the final step, in the Global Settings screen, from the Priority Traffic Handling drop-down list, select the WM-AD name to which this priority will apply: Configure the Altitude AP radio for a voice traffic WM-ADIn the Altitude AP Configuration screen, make the following changes on the Altitude AP radio for this WM-AD, to support SVP requirements:1Set the 2.4 Ghz radio to support only B mode (G mode not supported).2Set the operational radio rate to Best data rate. 3The save these modifications, click on the Save button.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1037Summit WM-Series Switch Configuration: Availability and MobilityAvailabilityThe Summit WM-Series Switch Software system provides a feature that maintains service availability in the event of a Summit WM-Series Switch outage. The Availability feature links two Summit WM-Series Switches as a pair, so that they share information about their Altitude APs. If one Summit WM-Series Switch in a pair fails, then its Altitude APs are allowed to connect instead to the second Summit WM-Series Switch. The second Summit WM-Series Switch provides the wireless network and a pre-assigned WM-AD for the Altitude AP. From the viewpoint of a Altitude AP, if its home Summit WM-Series Switch fails, the Altitude AP reboots and begins its discovery process. The Altitude AP will be directed to the appropriate second Summit WM-Series Switch of the pair.NOTEThe Availability feature relies on SLP and a DHCP server that supports Option 78, as described earlier in the Altitude AP discovery and registration process. The Availability feature controls how the paired Summit WM-Series Switches register as services with SLP, in normal operations and in the event of an outage.The wireless device users that were on the Altitude AP must log in again and become authenticated on the second Summit WM-Series Switch. The Availability feature is set up in the Altitude AP Registration Mode screen.Prepare for setting up the Availability featureBefore you begin, the following preparation should be done:●Choose which Summit WM-Series Switch is the primary and which is the secondary.●Determine the physical communication link for the TCP/IP connection between the two Summit WM-Series Switches (this is done over TCP port 13907), and ensure that the interfaces used for this connection are routable.●Set up DHCP to support Option 78 for SLP, so that it points to the IP addresses of the physical interfaces on both Summit WM-Series Switches that the Altitude APs are connected to, or can reach after the Availability setup.Now set up each Summit WM-Series Switch separately. One method is as follows:1 In the AP Registration screen, set up each Summit WM-Series Switch in “Stand-alone Mode” and “Secure Mode” (allow only approved Altitude APs to connect).2In the WM-AD Configuration, Topo logy  screen, define a WM-AD on each Summit WM-Series Switch with the same SSID (but different IP addresses). 3On one Summit WM-Series Switch, allow all Altitude APs to associate with it. Then set the Registration Mode to “Allow only approved” so that no more Altitude APs can register.
Summit WM-Series Switch Configuration: Availability and MobilityFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1044On the other Summit WM-Series Switch that is to be paired, allow all Altitude APs to associate with it. Then set the Registration Mode to “Allow only approved” so that no more Altitude APs can register5In the AP Registration screen, now enable the two Summit WM-Series Switchs as a pair, as described below.6On each Summit WM-Series Switch, in the Access Approval screen, check the status of the Altitude APs. Each set of Altitude APs on the home Summit WM-Series Switch should appear as “local” while those on the other Summit WM-Series Switch should appear as “foreign”.A second method to set up the Summit WM-Series Switchs is as follows:1In the AP Registration screen, enable the two Summit WM-Series Switchs as a pair, as described below.2Add each Altitude AP manually to each Summit WM-Series Switch. (Select the Altitude AP tab. In the Altitude AP Properties screen, click on the Add Altitude AP button. The Altitude AP Configuration subscreen appears. Define the Altitude AP and click on the Add Altitude AP button. In the Access Approval screen, change the Altitude AP status from “Pending” to “Approved”.)WARNING!If two Summit WM-Series Switches are paired and one has the “Allow All” option set for Altitude AP registration, all Altitude APs will register with that Summit WM-Series Switch.Set up two Summit WM-Series Switches as a pair, for availability 1On the Summit WM-Series Switch that is to be the primary, select Altitude APs tab. Click on AP Registration. The Altitude AP Registration Mode screen appears.2Click the Paired radio button.3Enter the IP address of the physical port of the secondary Summit WM-Series Switch. This IP must be on a routable subnet between the two Summit WM-Series Switches.4Select a Default Failover WM-AD on the other Summit WM-Series Switch from the drop-down list of WM-ADs (this list will be populated only after a WM-AD has been defined).
AvailabilityFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1055Since this Summit WM-Series Switch is to be the primary connection point, click the checkbox on.6Set the Security Mode to “Allow Approved” by clicking the radio button. [recommended after initial set up for paired Summit WM-Series Switches]7To save these settings, click on the Save button.On the Summit WM-Series Switch that is to be the secondary one, repeat Steps 1 to 7, with these exceptions:●In Step 3, enter the IP address of the Management port or physical port of the primary Summit WM-Series Switch.●In Step 5, leave the primary connection point checkbox unchecked.NOTEWhen two Summit WM-Series Switches have been paired as described above, each Summit WM-Series Switch's registered Altitude APs will appear as “foreign” in the list of available Altitude APs when configuring a WM-AD topology.View the Altitude AP Availability DisplayWhen the Altitude AP Configuration: AP Registration Mode screen has been saved for the Summit WM-Series Switch in Paired Mode, the Altitude AP Availability display will show the status of both “local” and “foreign” Altitude APs for that Summit WM-Series Switch.In normal operations, when Availability is enabled, the “local” Altitude APs are green, and the “foreign” Altitude APs are red. If the other Summit WM-Series Switch fails, and the “foreign” Altitude APs connect to the current Summit WM-Series Switch, the display will show all Altitude APs as green. If the Altitude APs are not attached they do not appear in the report.
Summit WM-Series Switch Configuration: Availability and MobilityFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide106View the SLP activity with the “slpdump tool”1In the Altitude AP Registration Mode screen, click on the View SLP Registration button. A popup screen displays the results of the diagnostic “slpdump tool”, to confirm SLP registration.In normal operations, the primary Summit WM-Series Switch registers as an SLP service called “ac_manager” and directs the Altitude APs to the appropriate Summit WM-Series Switch of a pair. During an outage, if the remaining Summit WM-Series Switch is the secondary one, it will register as an SLP service “ru_manager”. Events and actions during a FailoverIf one of the Summit WM-Series Switches in a pair fails, the connection between the two Summit WM-Series Switches is lost. This triggers a “Failover mode” condition, and a critical message appears in the information log of the remaining Summit WM-Series Switch.After the Altitude AP on the failed Summit WM-Series Switch loses its connection, it will attempt a reboot. Because of the pairing of the two Summit WM-Series Switches, the Altitude AP will then register with the other Summit WM-Series Switch. NOTEA Altitude AP connects first to a Summit WM-Series Switch registered as “ac_manager” and, if not found, then seeks an “ru_manager”. If the primary Summit WM-Series Switch fails, the secondary one registers as “ru_manager”. This enables the secondary Summit WM-Series Switch to be found by Altitude APs after they reboot.When the Altitude APs connect to the second Summit WM-Series Switch, they will be assigned to the Failover WM-AD defined in setup in that Summit WM-Series Switch. The wireless device users will log in again and be authenticated on the second Summit WM-Series Switch.When the failed Summit WM-Series Switch recovers, each Summit WM-Series Switch in the pair goes back to normal mode. They exchange information that includes the latest lists of registered Altitude APs. The administrator will release the Altitude APs on the second Summit WM-Series Switch, so that they may re-register with their home Summit WM-Series Switch.
Mobility and the WM-AD ManagerFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 107To support the Availability feature during a “Failover” event, administrator will need to perform the following actions:1Monitor the critical messages for the “Failover mode” message, in the information log of the remaining Summit WM-Series Switch (in the Reports and Displays area).2After recovery, on the Summit WM-Series Switch that did not fail, select the “foreign” Altitude APs and click on the Release button (in the Altitude AP Configuration - AP Maintenance screen).Mobility and the WM-AD ManagerThe Summit WM-Series Switch Software system has a technique by which multiple Summit WM-Series Switches on a network can discover each other and exchange information about a client session. This enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM-Series Switches. The solution introduces the concept of a “WM-AD Manager”. This means that one Summit WM-Series Switch on the network must be designated as the “WM-AD Manager”. All other Summit WM-Series Switchs are designated as “WM-AD Agents”. To define whether the Summit WM-Series Switch is a Manager or an Agent, use the WM-AD Manager screen in the Summit WM-Series Switch Configuration area.The wireless device will keep the IP address, WM-AD assignment and filtering rules that it received from the Summit WM-Series Switch that it first connected to - its “home” Summit WM-Series Switch. (This information is collected in the Active Clients by WM-AD display on the home Summit WM-Series Switch.) The WM-AD on each Summit WM-Series Switch must have the same SSID. If the WM-AD has static WEP, it is recommended that the same key be used.NOTEThe “WM-ADManager” concept relies on SLP and DHCP. Before you begin, you must ensure that the DHCP server on your network supports Option 78. These are also used during the Altitude AP discovery process, explained earlier in this Guide.VW-AD Manager and VW-AD Agent: BackgroundThe Summit WM-Series Switch that is the “WM-AD Manager”:●uses SLP to register itself (as “ExtremeNet”) with the SLP Directory Agent●listens for connection attempts from “WM-AD Agents”●if it receives a connection attempt from “WM-AD Agent”, establishes connection and sends a message to the “WM-AD Agent” specifying the Heartbeat interval, and the WM-AD Manager's IP address●sends regular Heartbeat messages (which contain wireless device session changes and Agent changes) to the WM-AD Agents and waits for an Update message back●if it fails to receive an Update from the WM-AD Agent after three Heartbeat messages, sends a Disconnect message to the WM-AD Agent, removes all wireless device users associated with that WM-AD Agent Summit WM-Series Switch from its tables and closes down the connection.
Summit WM-Series Switch Configuration: Availability and MobilityFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide108The Summit WM-Series Switch that is a “WM-AD Agent”:●uses SLP to find the location of the WM-AD Manager●attempts to establish a TCP/IP connection with the WM-AD Manager ●when it receives the connection-established message (see above), updates its tables, and sets up data tunnels to and between all Summit WM-Series Switchs it has been informed of●after every Heartbeat massage received, uses the information to update its own tables and then sends an Update message to the WM-AD Manager, with updates on wireless device users and data tunnels it is managing.Set up a Summit WM-Series Switch as a WM-AD Manager1In the Summit WM-Series Switch Configuration screen, click on the WM-AD Manager option. The WM Access Domain Settings screen appears.2From the Role drop-down list, select WM-AD Manager (other options: None, Agent).3From the drop-down list, select the Port on the Summit WM-Series Switch to be used by the WM-AD Manager process. Ensure that the port selected is routable on the network.4In the Heartbeat field, type in the time interval at which the WM-AD Manager sends a Heartbeat message to a WM-AD Agent. The default is 5 seconds.5To save these settings, click on the Save button.If you set up one Summit WM-Series Switch on the network as a “WM-AD Manager”, then all other Summit WM-Series Switchs must be set up as “WM-AD Agents”. In the WM-AD Manager screen, in the Role drop-down list, select Agent. The Heartbeat value for a “WM-AD Agent” is how long to wait for a connection establishment response before trying again.
Mobility and the WM-AD ManagerFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 109View additional displays when WM-AD Manager is enabledOn a Summit WM-Series Switch has been configured as a WM-AD Manager, three additional displays appear as options in the List of Displays screen:●Client Location by Home: shows the active wireless clients, listed by their “Home” Summit WM-Series Switch●Client Location by Foreign SWM: shows the active wireless clients, listed by the foreign Summit WM-Series Switch they are active on●SWM Tunnel Traffic: shows the status of the tunnels between the Summit WM-Series Switchs.To view the status of the tunnels between the Summit WM-Series Switches, click on the SWM Tunnel Traffic option. This screen displays the Summit WM-Series Switches known to the WM-AD Manager. If a tunnel is active, a green band is displayed between Summit WM-Series Switches. A red band indicates that there is no traffic on the tunnel. If the Summit WM-Series Switches are not displayed, the tunnel is inactive.The Active Clients by WM-AD display also collects information on the WM-AD Manager Summit WM-Series Switches of for all Altitude APs, and for the wireless devices that travel, if they are on the same SSID.
Summit WM-Series Switch Configuration: Availability and MobilityFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide110
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1118Summit WM-Series Switch: configuring other functionsManagement usersIn this screen you define the login usernames that have access to the GUI, either for Summit WM-Series Switch Software Administrators with “read/write” privileges, or users with “read only” privileges. For each user added, you can also define and modify a User ID and Password.Designate Summit WM-Series Switch management users1Click on the Summit Switch tab. Click on the Management Users option. The Management Users screen appears.The user_Admin list displays “Admin” users who have read/write privileges. The user_read list is for users who have “read only” privileges.2To add a user, select from the pull-down list whether this is an Admin or a "read only" user. Then in the entry field, type in the User ID. A User ID can only be used once, in only one category. Key in, and confirm, the password for this user. The $ character is not permitted.3Click on the Add User button.4To modify a user’s password, click on the name to select it, key in and confirm the new password. Then click on the Change password button.5To remove a user, click on the name to select it, then click on the Remove user button.
Summit WM-Series Switch: configuring other functionsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide112Network time Use the Network Time screen to synchronize the elements on the network to a universal clock. This ensures accuracy in usage logs. Network time is synchronized in one of two ways:●using system time●using Network Time Protocol (NTP), an Internet standard protocol that synchronizes client workstation clocks.Set Network Time parameters1Click on the Summit Switch tab. Click on the Network Time option. The Network Time screen appears.2From the drop-down list, select the Continent or Ocean, the large-scale geographic grouping.3From the drop-down list, select the Country, within the previous group (the contents of the list will change based on the selection in the previous field).4From the drop-down list, select the Time Zone Region for the country selected.5To apply these time zone settings, click on the Apply Time Zone button.6To use System Time, click on its radio button. Type in the time setting.7To use Network Time Protocol, click on the NTP radio button. Then fill in the location (IP address or FQDN) of up to three standard NTP Time Servers.8To apply these settings, click on the Apply button
Check Point event loggingFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 113Check Point event loggingThe Summit WM-Series Switch has the capability to forward specified event messages to an ELA server using the OPSEC ELA protocol - Event Logging API (Application Program Interface). On the ELA server (such as Check Point Management Console), the event messages are tracked and analyzed, so that suspicious messages can be forwarded to a firewall application (such as Check Point Firewall-1) that can take corrective action. Check Point created the OPSEC (Open Platform for Security) alliance program for security application and appliance vendors to enable an open industry-wide framework for interoperability.When ELA is enabled on the Summit WM-Series Switch, the Summit WM-Series Switch forwards the specified event messages from its internal event server to the designated ELA Management Station on the enterprise network. NOTEBefore you set up the Summit WM-Series Switch, you must first create OPSEC objects for Summit WM-Series Switch in the Check Point management software. The name and password you define there must also be entered into the Summit WM-Series Switch Check Point configuration screen.Enable and configure Check Point1Click on the Summit Switch tab. Click on the Check Point option. The Check Point Configuration screen appears.2To enable Check Point Logging, click the checkbox on.
Summit WM-Series Switch: configuring other functionsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1143Key in values in the following fields, or accept the defaults:4To save these parameters, click on the Save button.5To create the certificate that is sent to the ELA Management Station, click on the Generate Certificate button.6If the certificate worked and the connection with the ELA Management Station is made, the Connection Status area displays a message “OPSEC Connection OK”. If there is an error in generating the certificate or establishing the connection, the message “OPSEC Connection Error” appears.The events for the ELA Management Station are grouped under Extreme Network and are mapped to two types: “info” and “alerts”. The alerts include:●Altitude AP registration and/or authentication failed.●Authentication User Request unsuccessful.●RADIUS server rejected login (Access Rejected).●An unknown AP has attempted to connect. AP authentication failure. ●A connection request failed to authenticate with the CM messaging server. (This may indicate port-scanning the Summit WM-Series Switch, or a backdoor access attempt.)●Unauthorized client attempting to connect.Check Point Server IP: Type in the Check Point fw-1 IP address, the IP address of the ELA Management Station.ELA Port: Default port is 18187. Modify if desired.ELA Log Interval: Type in the amount of time (in milliseconds) you want the system to wait before attempting to log, once there is a connection between Summit WM-Series Switch and the Check Point gateway.ELA Retrial Interval: Type in the amount of time (in milliseconds) you want the system to wait before attempting a reconnection between Summit WM-Series Switch and the Check Point gateway.ELA Message Queue size:  The number of messages the log queue will hold if Summit WM-Series Switch and the Check Point gateway become disconnected. The default value is 1000 log entries.SIC Name: Type in Secure Internal Communication (SIC) Name, your security-based ID. Note: Copy in this field the information displayed in the DN field in Secure Internal Communication (SIC) area of Check Point “Application Properties” screen. The DN (Distinguished Name) field displays a reminder of information you will needSIC Password: Type in your Secure Internal Communication (SIC) password. Use the Unmask button to display the password.Note: Copy in this field the Activation Key defined in OPSEC setup as the Certificate password.
Setting up SNMPFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 115Setting up SNMP The Summit WM-Series Switch Software system supports Simple Network Management Protocol (SNMP), Version 1 and 2c, for retrieving Summit WM-Series Switch statistics and configuration information.Simple Network Management Protocol, a set of protocols for managing complex networks, sends messages, called protocol data units (PDUs), to different parts of a network. Devices on the network that are SNMP-compliant, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.MIB supportThe Summit WM-Series Switch Software system accepts SNMP “Get” commands and generates “Trap” messages. Support is provided for the retrieval information from the router MIB-II (SNMP_GET) as well as SNMP traps, and for the retrieval of wireless information from the 802.11 MIB. For MIB-II (RFC1213), the following groups for the router characteristics of the Summit WM-Series Switch are supported:●System Group●Interfaces Group●Address Translation Group●IP Group●ICMP Group●TCP Group●UDP GroupNOTEBecause of limitations in data captured in the control / data planes, MIB II compliance is incomplete. For example, esa/IXP ports can only provide the interface statistics.For the 802.11 MIB (IEEE 802.11 standard), the following are supported:●IANAif Type-MIB●IF-MIB●INET-ADDRESS-MIB●IP-FORWARD-MIB●SNMPv2-MIB●SNMPv2-SMI●SNMPv2-TCThe Extreme Enterprise MIB includes:●EXTREME-BM-MIB●EXTREME-PRODUCTS-MIB
Summit WM-Series Switch: configuring other functionsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide116●EXTREME-SMI●EXTREME-DOT11-EXTNS-MIB●EXTREME-BEACON-CELL-MIB●EXTREME-BRANCH-OFFICE-MIBThe MIB is provided for compilation into an external NMS. No support has been provided for automatic device discovery by an external NMS.The Summit WM-Series Switch is the only point of SNMP access for the entire system. In effect, the Summit WM-Series Switch will proxy sets and gets and alarms from the associated Altitude APs.Enabling SNMP on the Summit WM-Series SwitchIf your enterprise network uses SNMP, you can enable SNMP on the Summit WM-Series Switch and define where the Summit WM-Series Switch should send the SNMP messages. To enable SNMP traps, ensure that the following three fields are defined in the Simple Network Management Protocol screen:●SNMP port ●Read Community●Manager A and/or Manager B The list of SNMP traps supported can be found in the Extreme MIB.Setting SNMP Parameters1Click on the Summit WM-Series Switch tab. Click on the SNMP option. The Simple Network Management Protocol screen appears.
Setting up SNMPFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1172Key in:Contact Name: The name of SNMP administrator.Location: Location of the SNMP administration machine (descriptive).Read Community Name: Key in the password for Read activity.Read/Write Community Name:Key in the password for Read/Write activity. (Write ability is not supported.)SNMP Port: Key in the destination port for SNMP traps. The industry standard is 162. [If left blank, no traps are generated.]Forward Traps: From the drop-down list, select the severity level of the traps to be forwarded: Informational, Minor, Major, Critical.Manager A: The IP address of the specific machine on the network where the SNMP traps are monitored.Manager B: The IP address of a second machine on the network where the SNMP traps are monitored, if Manager A is not available.
Summit WM-Series Switch: configuring other functionsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide118
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1199Setting up third-party access pointsYour enterprise's WLAN may have existing third-party access points that you would like to integrate into the Summit WM-Series Switch Software WLAN solution. You can set up the Summit WM-Series Switch to handle wireless device traffic from third-party access points, providing the same policy and network access control.Set up third-party access points on the Summit WM-Series Switch1Define one data port as a “3rd-party AP” port: In the Summit WM-Series Switch Configuration screen, click on the IP Address option. The Management Port Settings and Interfaces screen appears. Highlight the appropriate port, and in the Function field, select “3rd-party AP” from the drop-down list. Make sure that Management Traffic and SLP are disabled for this port.2Connect the third-party access point to this port, via a switch.3Define a static route to the access point:In the Summit WM-Series Switch Configuration screen, click on the Routing Protocols option. Then click the Static Routes tab. The Static Routes screen appears. Define a static route to the access point (see “Setting up static routes” on page 35).
Setting up third-party access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1204Set up a WM-AD for the “3rd-party AP” port:In the WM Access Domain Configuration screen, add a new WM-AD. Then highlight the WM-AD name in the left-hand list and click on the To pol og y tab.In the Topology screen, select Assignment by SSID.Click on the Use 3rd Party AP checkbox to select it.Fill in the IP Address and MAC Address entry fields that appear on the right (the addresses of the third party access points, and click on the Add button. They will appear in the list of access points known to the Summit WM-Series Switch.Follow the remaining steps described in the setting up a WM-AD for Captive Portal earlier in this Guide.5Set up Authentication by Captive Portal for the “3rd-party AP” WM-AD:Click on the Authentication tab. In the Authentication configuration screen, click the Captive Portal radio button. In the Captive Portal portion of the screen, define the RADIUS Attributes and the Filter IDs to match those in RADIUS.NOTEAlternatively, for third-party APs, you can define network assignment by AAA, and authentication by 802.1x. The RADIUS requests from the third-party access point will flow through the Summit WM-Series Switch.6Set up filtering rules for the third-party APs:Because the third-party APs are mapped to a physical port, you must define the Exception filters on the physical port, using the Port Exception Filters screen. See “Port-based exception filters: user defined” on page 39.Define filtering rules that allow access to other services and protocols on the network such as HTTP, FTP, Telnet, SNMP.In addition, modify the following functions on the third-party access point:●Disable the access point's DHCP server, so that the IP address assignment for any wireless device on the AP is from the DHCP server at the Summit WM-Series Switch with WM-AD information.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 121●Disable the third-party access point's layer-3 IP routing capability and set the access point to work as a layer-2 bridge.Here are the differences between third-party access points and Altitude APs on the Summit WM-Series Switch Software system:●A third-party access point exchanges data with the Summit WM-Series Switch's data port using standard IP over ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation.●For third-party access points, the WM-AD is mapped to the physical data port and this is the default gateway for mobile units supported by the third-party access points. ●A Summit WM-Series Switch cannot directly control or manage the configuration of a third-party access point.●Third-party access points are required to broadcast an SSID unique to their segment. This SSID cannot be used by any other WM-AD.●Roaming from third-party access points to Altitude APs is not supported.
Setting up third-party access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide122
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 12310 Summit Spy: detecting rogue access pointsOverviewThe Summit WM-Series Switch Software system includes a mechanism that assists in the detection of rogue access points. The function is called the Summit Spy.The Summit Spy feature has three components:●a radio frequency (RF) scanning task that runs on the Altitude AP. The Altitude AP itself functions as a scan device. Its scan function alternates with providing its regular service the wireless devices on the network. You set up the scan parameters in the Summit Spy user interface.●an application called the RF Data Collector (RFDC) on the Summit WM-Series Switch that receives and manages the RF scan messages sent by the Altitude AP. The scan data includes lists of all connected Altitude APs, third Party APs and other friendly APs and the RF scan information that has been collected from the Altitude APs.●an Analysis Engine on the Summit WM-Series Switch that processes the scan data from the RFDC through algorithms that make decisions about whether a detected access point is a rogue access point. NOTEIn a network with more than one Summit WM-Series Switch, the analysis engine should be active on only one Summit WM-Series Switch that communicates with the RFDC applications running on itself and on the other Summit WM-Series Switchs on the network. Ensure that these are all routable.To use the Summit Spy, you must first enable it in the Summit WM-Series Switch Configuration area of the user interface.
Summit Spy: detecting rogue access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide124Enabling the Analysis and RFDC EnginesEnable and configure the Summit Spy Analysis Engine1In the Summit WM-Series Switch Configuration screen, click on the Summit Spy option. The Summit Spy Configuration screen appears.2To enable the Summit Spy Analysis Engine, click the checkbox on.Define the Summit Spy RF Data Collector Engines3To enable the Summit Spy Data Collection Engine on this Summit WM-Series Switch click the checkbox on.4Identify the remote RF Data Collector Engines that the Analysis Engine will poll for data: In the Collection Engine IPs entry field, key in the IP address of the Summit WM-Series Switch on which the remote RFDC resides. (For this Summit WM-Series Switch, the local IP address is displayed by default.)5For each data collection engine, enter: ●In the Poll interval field (the interval that the Analysis Engine polls the RF Data Collector for data), key in the time in seconds. Default is 30 seconds. ●In the Poll retry count field, key in the number of times the Analysis Engine will attempt to poll the RF Data Collector for data before it stops sending requests. Default is 2 attempts.6Click on the Add button. The IP address of the Data Collection Engine, with its Poll Interval and Poll Retry parameters, appears in the list.NOTEFor each remote RF Data Collection Engine you define here, you must also:> enable it (click the checkbox on) in the same screen on the remote Summit WM-Series Switch> ensure that static routes are defined between the Summit WM-Series Switchs.
Summit Spy: running scansFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1257To clear the entry fields and add a new Collection Engine, click on the Add Collection Engine option. Repeat steps 4 to 6 above.8To save these settings, click on the Apply button.Summit Spy: running scansAfter enabling the Summit Spy engines (as described above), click the Summit Spy menu item in the main menu, or the Summit Spy tab in any screen. The Summit Spy Scanner screen appears, with five tabs.Set up and run the Summit Spy scan task mechanism:1To set up the parameters of the scan task mechanism, click on the Scan Groups tab. The Scan Groups screen appears.2In the Scan Group Name entry field, key in a name for this Scan Group.3In the Altitude APs area, clicking the checkbox on to select the Altitude AP (or Altitude APs) that will be included in this Scan Group and will perform the scan function. A Altitude AP can participate in only one Scan Group at a time. It is recommended that the Scan Groups represent geographical groupings of Altitude APs.4In the Radio field, from the drop-down list select which radios on the Altitude AP are to perform the scan function: Both, A only, B/G only.5In the Channel List field, from the drop-down list select the radio channels to scan on: All or Current.6In the Scan Type field, from the drop-down list select either Active or Passive.
Summit Spy: detecting rogue access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide126●Active: the Altitude AP sends out ProbeRequests and waits for ProbeResponse messages from any access points.●Passive: the Altitude AP listens for 802.11 beacons7In the Channel Dwell Time field, key in the time in milliseconds that the scanner waits for a response (either for 802.11 beacons in passive scanning, or ProbeResponse in active scanning).8In the Scan Time Interval field, key in the time in minutes {1 to 120}, to define the frequency at which a Altitude AP within the Scan Group will initiate a scan of the RF space.9To start a scan, using the periodic scanning parameters defined above, click on the Start Scan button10 To initiate an immediate scan that will run once, click on the Run Now button. A scan will not run on an inactive AP, even though it appears as part of the Scan Group. It it become active, it will be sent a scan request during the next periodic scan.11 To stop the scan, click on the Stop Scan button. NOTEYou must stop the scan before modifying any parameters of the Scan Group, or before adding or removing a Altitude AP from a Scan Group.12 The Scan Activity field displays the current state of the scan engine.13 To view a popup report showing the timeline of scan activity and results, click on the Show Details button.The Analysis EngineThe Analysis Engine relies on a database of known devices on the Summit WM-Series Switch Software system as follows:●Altitude APs registered with any Summit WM-Series Switch that has its RF Data Collector enabled and has been associated with the Analysis Engine on this Summit WM-Series Switch.●Third-Party Access Points that have been defined and assigned to a WM-AD (as described earlier in this Guide).●Friendly APs, a list created in the Summit Spy user interface as potential rogue access points are designated by the administrator as “Friendly”.●Wireless devices registered with any Summit WM-Series Switch that has its RF Data Collector enabled and has been associated with the Analysis Engine on this Summit WM-Series Switch.The Analysis Engine compares the data from the RF Data Collector with the above database of known devices. The Analysis Engine looks for access points with seven conditions:●unknown MAC address and unknown SSID (critical alarm)●unknown MAC, with a valid SSID - a known SSID is being broadcast by the unknown access point (critical alarm)●known MAC, with an unknown SSID - a rogue may be spoofing a MAC address (critical alarm)●inactive Altitude AP with valid SSID (critical alarm)●inactive Altitude AP with unknown SSID (critical alarm)
The Analysis EngineFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 127●known Altitude AP with an unknown SSID (major alarm)●in ad-hoc mode (major alarm)NOTEIn the current release, there is no capability to initiate a DoS attack on the detected rogue access point. Containment of a detected rogue will require an inspection of the geographical location of its Scan Group area (where its RF activity has been found).View the Summit Spy scan results and build list of friendly APs1Click on the Summit Spy tab in any screen Then click on the Rogue Detection tab. The Rogue Detection screen appears displaying all access points and Altitude APs that were found in the scan but are not in the database of known devices (as defined above).2To modify the rate that this information is refreshed, key in a time in seconds and click on the Apply button. 3To remove an access point from this list, click on the Delete button. 4To add an access point or Altitude AP to the Friendly APs list, click on the Add to Friendly List button. The access point item will be removed from this list and will appear in the Friendly APs list. A third-party access point will always appear first as a Rogue AP. Add it to the Friendly AP list as noted above.
Summit Spy: detecting rogue access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1285Click the Rogue Summary button to view the Rogue Summary popup report.6To view the Friendly list, click on the Friendly APs tab. The Friendly AP Definitions screen appears.7To add friendly access points manually to the Friendly AP Definitions list, key in the MAC Address, SSID, Channel, and a text description of the access point. Click on the Add button. The new access point appears in the list above. 8To delete an access point from the list, highlight it and click on the Delete button.9To modify an access point in the list, highlight it and make the appropriate changes in the entry fields. Click on the Save button.NOTETo avoid the Summit Spy's database becoming too large, it is recommended that you either delete Rogue APs or add them to Friendly AP list, rather than leaving them in the Rogue list.
The Analysis EngineFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 129View the Summit Spy list of Third-Party APsTo view the list of the known third-party access points, click on the 3rd Party APs tab. The 3rd Party APs screen appears.Maintain the Summit Spy list of access points and Altitude APsWhen Altitude APs or Third-Party Access Points are deleted in the Summit WM-Series Switch Software user interface on a Summit WM-Series Switch has its RFDC running and is in communication with the Analysis Engine, this information will also be displayed in the Summit Spy's AP Maintenance screen. 1To view the AP Maintenance screen, click on the AP Maintenance tab. The deleted access points and Altitude APs will be marked with a “Deleted” flag.2To delete the marked access points and Altitude APs from the Summit Spy's database, click on the Delete marked APs button.
Summit Spy: detecting rogue access pointsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide130This will only delete them from the Summit Spy's database, not from the Summit WM-Series Switch's database.Viewing the Scanner Status reportWhen the Summit Spy is enabled, you can view a report on the connection status of the RF Data Collector Engines with the Analysis Engine. View the Summit Spy scanner engine status display1Click the Summit Spy tab in any screen, and then click on the Scanner Status tab. The Scanner Status report appears, as shown in the example below.The boxes display the IP address of the RFDC engine, with status indicated by colour:●Connected (green box) - the Analysis Engine has connection with the RFDC on that Summit WM-Series Switch.●Connected but not serviced (yellow box) - the Analysis Engine has connection with the RFDC but is not synchronized with it yet.●Not connected (red box) - the Analysis Engine is aware of the RFDC and attempting connection.If no box appears, this means that the Analysis Engine is not trying to set up a connection with that RFDC Engine. Ensure that the RFDC address has been entered in the Summit Spy Configuration screen.If the box appears red and remains red, ensure that the RFDC Engine is enabled on the appropriate Summit WM-Series Switch in the Summit Spy Configuration screen.In the Logs - Traces screen, the Analysis Engine will appear as “Remote INS” and the RF Data Collection Engine will appear as RF Data Collector.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 13111 Ongoing operationAltitude AP maintenance: softwarePeriodically, the software used by the Altitude APs is altered, either for reasons of upgrade or security. The new version of the software is installed from the Summit WM-Series Switch, using the Altitude AP Maintenance option. You select the version of software for each Altitude AP that will be uploaded either immediately, or the next time the Altitude AP connects (part of the Altitude AP boot sequence is to seek and install its software from the Summit WM-Series Switch).A number of the properties of each radio on a Altitude AP can be modified (in the Altitude AP Configuration screen) without requiring a reboot of the Altitude AP is also required after:●enabling or disabling either radio, or changing the radio channel between “Auto” and any fixed channel number (in the Altitude AP Configuration screen)●adding the Altitude AP to a WM-AD, or changing its radio assignment in a WM-AD (in the WM-AD Configuration screen)The Altitude AP keeps a backup copy of its software image. When a software upgrade is sent to the Altitude AP, the upgrade becomes the Altitude AP's current image and the previous image becomes the backup. In the event of failure of the current image, the Altitude AP will run the backup image.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide132Maintain the list of current Altitude AP software images1Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the AP Maintenance option. 2Click on the AP Software Maintenance tab. The AP Software Maintenance screen appears.The Current AP Images area displays the list of AP software versions that have been downloaded and are available. (This list appears in the drop-down list of available images in the Controlled Upgrade screen.)3To select an image as the default image to be used for software upgrade, highlight the image name in the list and click on the Set as default button.4To delete a software image from the list, highlight the version in the displayed list of Current AP Images and click on the Delete button.5To download a new image to be added to the list, fill in the fields in the Download AP Images area with parameters for FTP transfer: FTP server, User ID, Password, Confirm password, Directory, Filename. Click on the Download button.6In the Upgrade Behavior area, select one of these radio buttons:●Upgrade when AP connects using setting from Controlled Upgrade●Always upgrade AP to default image (overrides Controlled Upgrade settings)For either choice, click the checkbox on to prevent an upgrade if current image version is the same as the upgrade version (this overrides Upgrade Now behavior)7In the Downgrade Behavior area, click the checkbox on to automatically downgrade the AP to the default image if AP is at later release number (major/minor rev)8To save these parameters, click on the Save button.
Altitude AP client managementFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 133Define parameters for a Altitude AP controlled software upgrade.1Click on the Altitude APs tab. The Altitude AP Configuration screen appears. Click on the AP Maintenance option. 2Click on the Controlled Upgrade tab. The Controlled Upgrade screen appears.The screen displays the steps to initiate a software upgrade.3Step 1: From the drop-down list, select the software version you wish to use for the upgrade. (This list is maintained in the AP Software Maintenance screen.) 4Step 2: In the list of the registered Altitude APs and the current software image on each one, select a Altitude AP for software upgrade by clicking its checkbox on. Use the Select All or Clear All buttons to modify your selections.5Step 3: Click on Apply AP image version button. The selected software image from Step 1 now appears in the Upgrade To column beside the selected Altitude AP.6Step 4: To save the software upgrade strategy so that you run it later, click on the Save for later button, or,To run the software upgrade immediately, click on the Upgrade Now button. This will force the selected Altitude AP to reboot, and the new software version will be loaded during this process. The “Always upgrade AP to default image” choice in the AP Software Maintenance screen overrides Controlled Upgrade settings.Altitude AP client managementThere are times when you want to cut the connection with a particular wireless device, for service reasons or to deal with a security issue. Using the Altitude AP Client Management screen, you can view all the associated wireless devices, by MAC address, on a selected Altitude AP. Then you can then:●disassociate a selected wireless device from its Altitude AP. ●add a selected wireless device's MAC address to a Blacklist of wireless clients that will not be allowed to associate with the Altitude AP.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide134Client disassociateDisassociate a wireless device client1Click on the Altitude APs tab. Click on the Client Management option. Click on the Disassociate tab. The Disassociate screen appears.2Click on the checkbox to select the wireless device to be disassociated. 3To search for a client by MAC Address, IP Address or User ID, select the search parameters from the pull-down list. Then key in the search string and click on the Search button. (Wildcard searches are supported.)4Click on the Add to blacklist button to add the selected wireless client's MAC address to the blacklist (see next topic).5Click on the Disassociate button to terminate the client's session immediately.
Altitude AP client managementFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 135Client blacklistAdd a wireless device client to a blacklist1Click on the Client Management option in the Altitude AP Configuration screen. Click on the Blacklist tab. The Blacklist screen appears.The Blacklist screen displays the current list of MAC addresses that will be not be allowed to associate. Clients selected in the Disassociate screen for the Blacklist will appear here.2To add a new MAC address to the Blacklist, key it in the MAC Address field and click on the Add button. It will appear in the list of addresses on the left.3To clear an address from the Blacklist, click its checkbox on, and then click on the Remove Selected button.4To save the amended Blacklist, click on the Save button.5To import a list of MAC addresses for the Blacklist, key in or brows for the file name, and then click on the Import button.6To export the current Blacklist, first use the File menu Save option to save the file, and then click on the Summit WM-Series Switch system maintenance.Use the System Maintenance screen to perform various maintenance tasks, including:●change the log level●set a poll interval for checking the status of the Altitude APs (“Health Checking”)●force an immediate system shutdown, with or without reboot●enable and define parameters for Syslog event reporting.Syslog event reporting uses the syslog protocol to relay event messages to a centralized event server on your enterprise network. In the protocol a device generates messages, a relay receives and forwards the messages, and a collector (a syslog server) receives the messages without relaying them.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1361Click on the Summit WM-Series Switch tab. Click on the System Maintenance option. The System Maintenance screen appears. Health Checking1In the Poll Interval field, key in a time in seconds for the Summit WM-Series Switch to check that the Altitude APs are still there. Click on the Apply button.Force a system shutdown on the Summit WM-Series Switch1To shut down the Summit WM-Series Switch Software system, with its Altitude APs, click on the appropriate radio button:●Halt system, reboot●Halt system, reset database to factory default and reboot●Halt system, reset to factory default and reboot●Halt system, shutdown power2Click on the Apply Now button.Change the system log level1From the Log Level drop-down list, select the desired log level (Trace, Info, Minor, Major, Critical). Click on the Apply button.Enable and configure Syslog1Click the checkbox on to enable the Syslog function for up to three syslog servers. 2For each enabled syslog server, key in a valid IP address for the server on the network. The default port for syslog is 514.3In the Facilities area, in the Application Logs drop-down list, select the log level (“local.0” to “local.6”) to be sent to the syslog server. (This will apply to all three servers.)
Summit WM-Series Switch software maintenanceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 1374To include additional system messages, click the Include all service messages checkbox on. If the box is left unchecked, only component messages (logs and traces) are relayed. (This will apply to all three servers.) The additional system messages are:●DHCP messages reporting users receiving IP addresses●Startup Manager Task messages reporting component startup and failureIf you clicked the Include all service messages checkbox on, the Facilities drop-down list for Service Logs become selectable. Select a log level from the list.5To activate the above settings, click on the Apply button.NOTEThe syslog daemon must be running on both the Summit WM-Series Switch and on the remote syslog server before the logs can be synchronized. If you change the log level on the Summit WM-Series Switch, you must also modify the appropriate setting in the syslog configuration on remote syslog server.Syslog and Summit WM-Series Switch Software event log mapping is shown below:Summit WM-Series Switch software maintenanceYou can update the core Summit WM-Series Switch software files, and the Operating System (OS) software using the Software Maintenance function in the Summit WM-Series Switch Configuration area of the user interface. This function is also provided in the Command Line Interface (CLI). See Appendix , “CLI command reference”.A facility to backup and restore the Summit WM-Series Switch database will also be available in the GUI user interface and in the Command Line Interface (CLI).The maintenance interface also includes the product key maintenance, for first-time setup and upgrades, if appropriate. See “Enabling the product key” on page 31.Syslog Summit WM-Series Switch SoftwareLOG_CRIT CriticalLOG_ERR MajorLOG_WARNING MinorLOG_INFO InformationLOG_DEBUG Trace
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide138Upgrade the Summit WM-Series Switch software1Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the SWM Software Maintenance tab. The Software Maintenance screen appears.The Current SWM Images area displays the list of software versions that have been downloaded and are available. (This list appears in the drop-down list of available images in the Upgrade area.)2To select an image as the default image to be used for software upgrade, highlight the image name in the list and click on the Set as default button.3To delete a software image from the list, highlight the version in the displayed list of Current SWM Images and click on the Delete button.4To download a new image to be added to the list, fill in the fields in the Download SWM Images area with parameters for FTP transfer: FTP server, User ID, Password, Confirm password, Directory, Filename. 5Click on the Download button.6In the Upgrade area, select an image from the drop-down list.7To launch the upgrade with the selected image, click on the Upgrade Now button.8In the dialog box that appears, confirm the upgrade.At this point, all sessions will be logged. The previous software will be uninstalled automatically. The new software will be installed. The Summit WM-Series Switch will reboot automatically. The database will be updated and migrated behind the scenes.
Summit WM-Series Switch software maintenanceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 139Upgrade the Operating System software1Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the OS Software tab. The OS Software Maintenance screen appears.2Follow the steps described for the Software Maintenance screen.Back up the Summit WM-Series Switch software1Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the Backup tab. The Backup screen appears.2Follow the steps described for the Software Maintenance screen. In the Backup area, select what to backup from the drop-down list.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide140Restore the Summit WM-Series Switch software1Click on the Summit WM-Series Switch tab. Click on the Software Maintenance option. Click on the Restore tab. The Restore screen appears.2Follow the steps described for the Software Maintenance screen.Summit WM-Series Switch Software logs and tracesSummit WM-Series Switch Software log and data filesThe Summit WM-Series Switch Software system stores configuration data and log files. These files include:●event and alarm logs (triggered by events, described below)●trace logs (triggered by component activity, described below)●accounting files (created on a half-hourly basis, up to six files)The files are stored in the operating system and have a maximum size of 1 GB. The accounting files are stored in flat files in a directory that is created every day. Eight directories are maintained in a circular buffer (when all are full, the most recent replaces the earliest).
Summit WM-Series Switch Software logs and tracesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 141Viewing log, alarm and trace messagesTo view the logs and traces, select the Logs & Traces tab. The Summit WM-Series Switch generates three types of messages:●Logs (including alarms): messages that are triggered by events●Traces: messages that display activity by component, for system debugging, troubleshooting and internal monitoring of software●Audits: files that record administrative changes made to the system (the GUI Audit displays changes to the Graphical User Interface on the Summit WM-Series Switch)Logs and alarmsThe log messages contain the time of event, severity, source component and any details generated by the source component. The messages are classified at four levels of severity:●Informational, the activity of normal operation●Minor (alarm)●Major (alarm)●Critical (alarm)The alarm messages (minor, major or critical log messages) are triggered by activities that meet certain conditions that should be known and dealt with. Examples of events on the Summit WM-Series Switch that generate an alarm message:●Reboot due to failure●Software upgrade failure on the Summit WM-Series Switch●Software upgrade failure on the Altitude AP●Detection of rogue access point activity without valid IDIf SNMP is enabled on the Summit WM-Series Switch, alarm conditions will trigger a trap in SNMP (Simple Network Management Protocol). An SNMP trap is an event notification sent by the managed agent (a network device) to the management system to identify the occurrence of conditions. (See “Setting up SNMP” on page 115 for more information on enabling this function on the Summit WM-Series Switch).
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide142View the Logs1Click on the Logs & Traces tab. In the Navigation bar, click on one of the Log tabs. The selected Log screen appears:The events are displayed in chronological order, sorted by the Timestamp column.2To sort the display by Type or Component, click on the column heading.3To filter the logs by severity, in order to display only Info, Minor, Major, or Critical logs, click on the appropriate Log tab at the top of the screen.4To refresh the information in any display, click on the Refresh button.5To export information from adisplay as an HTML file, click on the Export to HTML button.View the Traces1To view the list of Traces, messages by component, click on its tab.
Summit WM-Series Switch Software logs and tracesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 143You can sort, refresh and export the Trace information, as described for Log displays.View the Audits1To view the GUI Audit display, click on the GUI Audit tab.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide144Reports and displaysView displaysTo view Summit WM-Series Switch Software reports and displays, click on the Reports tab. The List of Displays screen appears, with a menu of available displays. The three options on the right-hand side of the screen appear only if the WM-AD Manager function has been enabled.Click on an option in the menu to view its display screen (examples below):
Reports and displaysFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 145View statistics for Altitude APsTwo displays are snapshots of activity at that point in time on a selected Altitude AP:●Wired Ethernet Statistics by Altitude APs●Wireless Statistics by Altitude APsThe statistics displayed are those defined in the 802.11 MIB, in the IEEE 802.11 standard.In the Wired Ethernet Statistics by Altitude APs display, click on one of the registered Altitude APs to display its information.To view the Wireless Statistics by Altitude APs display, click on its option in the List of Displays menu.
Ongoing operationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide146The displays lists the registered Altitude APs Click on the selected Altitude AP. Then click on the appropriate tab to display information for each radio on the Altitude AP.If there are associated clients on this radio, you can view information on a selected client. Click on the View Client button. The Associated Clients popup window appears.View reportsTo view Summit WM-Series Switch Software reports and displays, click on the Reports tab. The List of Displays screen appears. To access a report, click on one of the options in the navigation bar. The following reports are currently available in Summit WM-Series Switch Software:●Forwarding Table (routes defined in the Summit WM-Series Switch Routing Protocols screen)●OSPF Neighbor (if OSPF is enabled in the Routing Protocols screen)●OSPF Linkstate (if OSPF is enabled in the Routing Protocols screen)●AP Inventory (a consolidated summary of Altitude AP setup)An example of a report is shown below:
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 147GlossaryNetworking terms and abbreviationsAAAA Authentication, Authorization and Accounting. A system in IP-based networking to control what computer resources users have access to and to keep track of the activity of users over a network.Access Point (AP)  A wireless LAN transceiver or “base station” that can connect a wired LAN to one or many wireless devices. Ad-hoc mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP). (Compare Infrastructure Mode)AES Advanced Encryption Standard (AES) is an algorithm for encryption that works at multiple network layers simultaneously. As a block cipher, AES encrypts data in fixed-size blocks of 128 bits. AES was created by the National Institute of Standards and Technology (NIST). AES is a privacy transform for IPSec and Internet Key Exchange (IKE). AES has a variable key length - the algorithm can specify a 128-bit key (the default), a 192-bit key, or a 256-bit key. For the WPA2/802.11i implementation of AES, a 128 bit key length is used. AES encryption includes 4 stages that make up one round. Each round is then iterated 10, 12 or 14 times depending upon the bit-key size. For the WPA2/802.11i implementation of AES, each round is iterated 10 times. AES-CCMP AES uses the Counter-Mode/CBC-MAC Protocol (CCMP). CCM is a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. The two underlying modes employed in CCM include Counter mode (CTR) that achieves data encryption and Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide data integrity.ARP Address Resolution Protocol. A protocol used to obtain the physical addresses (such as MAC addresses) of hardware units in a network environment. A host obtains such a physical address by broadcasting an ARP request, which contains the IP address of the target hardware unit. If the request finds a unit with that IP address, the unit replies with its physical hardware address.Association A connection between a wireless device and an Access Point.asynchronous Asynchronous transmission mode (ATM). A start/stop transmission in which each character is preceded by a start signal and followed by one or more stop signals. A variable time interval can exist between characters. ATM is the preferred technology for the transfer of images.
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide148BBSS Basic Service Set. A wireless topology consisting of one Access Point connected to a wired network and a set of wireless devices. Also called an infrastructure network. See also IBSS.CCaptive Portal A browser-based authentication mechanism that forces unauthenticated users to a web page. Sometimes called a “reverse firewall”.CDR  Call Data (Detail) RecordIn Internet telephony, a call detail record is a data record that contains information related to a telephone call, such as the origination and destination addresses of the call, the time the call started and ended, the duration of the call, the time of day the call was made and any toll charges that were added through the network or charges for operator services, among other details of the call. In essence, call accounting is a database application that processes call data from your switch (PBX, iPBX, or key system) via a CDR (call detail record) or SMDR (station message detail record) port. The call data record details your system's incoming and outgoing calls by thresholds, including time of call, duration of call, dialing extension, and number dialed. Call data is stored in a PC database CHAP Challenge-Handshake Authentication Protocol. One of the two main authentication protocols used to verify a user's name and password for PPP Internet connections. CHAP is more secure than PAP because it performs a three-way handshake during the initial link establishment between the home and remote machines. It can also repeat the authentication anytime after the link has been established. CLI Command Line Interface.Collision Two Ethernet packets attempting to use the medium simultaneously. Ethernet is a shared media, so there are rules for sending packets of data to avoid conflicts and protect data integrity. When two nodes at different locations attempt to send data at the same time, a collision will result. Segmenting the network with bridges or switches is one way of reducing collisions in an overcrowded network.DDatagram A datagram is “a self-contained, independent entity of data carrying sufficient information to be routed from the source to the destination computer without reliance on earlier exchanges between this source and destination computer and the transporting network.” (RFC1594). The term has been generally replaced by the term packet. Datagrams or packets are the message units that the Internet Protocol deals with and that the Internet transports. Decapsulation See tunnelling.
DFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 149Device Server A specialized, network-based hardware device designed to perform a single or specialized set of server functions. Print servers, terminal servers, remote access servers and network time servers are examples of device servers.DHCP Dynamic Host Configuration Protocol. A protocol for assigning dynamic IP addresses to devices on a network. With dynamic addressing, a device can have a different IP address every time it connects to the network. In some systems, the device's IP address can even change while it is still connected. DHCP also supports a mix of static and dynamic IP addresses. DHCP consists of two components: a protocol for delivering host-specific configuration parameters from a DHCP server to a host and a mechanism for allocation of network addresses to hosts. (IETF RFC1531.)Option 78 specifies the location of one or more SLP Directory Agents. Option 79 specifies the list of scopes that a SLP Agent is configured to use.(RFC2610 - DHCP Options for Service Location Protocol)Directory Agent (DA)Diversity antenna and receiverDNS Domain Name ServerDSSS Direct-Sequence Spread Spectrum. A transmission technology used in Local Area Wireless Network (LAWN) transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or chipping code, that divides the user data according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the original data can be recovered due to the redundancy of the transmission. (Compare FHSS)DTIM DTIM delivery traffic indication message (in 802.11 standard)D (Continued)
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide150EEAP-TLSEAP-TTLSEAP-TLS Extensible Authentication Protocol - Transport Layer Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-time passwords, certificates, public key authentication and smart cards. IEEE 802.1x specifies how EAP should be encapsulated in LAN frames.In wireless communications using EAP, a user requests connection to a WLAN through an access point, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS. The server asks the access point for proof of identity, which the access point gets from the user and then sends back to the server to complete the authentication. EAP-TLS provides for certificate-based and mutual authentication of the client and the network. It relies on client-side and server-side certificates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys.EAP-TTLS (Tunneled Transport Layer Security) is an extension of EAP-TLS to provide certificate-based, mutual authentication of the client and network through an encrypted tunnel, as well as to generate dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certificates. (See also PEAP)ELA (OPSEC) Event Logging API (Application Program Interface) for OPSEC, a module in Check Point used to enable third-party applications to log events into the Check Point VPN-1/FireWall-1 management system. Encapsulation See tunnelling.ESS Extended Service Set (ESS). Several Basic Service Sets (BSSs) can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). The SSID is used to identify the ESS. (See BSS and SSID.)FFHSS Frequency-Hopping Spread Spectrum. A transmission technology used in Local Area Wireless Network (LAWN) transmissions where the data signal is modulated with a narrowband carrier signal that “hops” in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies. This technique reduces interference. If synchronized properly, a single logical channel is maintained. (Compare DSSS)
GFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 151Fit, thin and fat APs A thin AP architecture uses two components: an access point that is essentially a stripped-down radio and a centralized management controller that handles the other WLAN system functions. Wired network switches are also required. A fit AP, a variation of the thin AP, handles the RF and encryption, while the central management controller, aware of the wireless users' identities and locations, handles secure roaming, quality of service, and user authentication. The central management controller also handles AP configuration and management. A fat (or thick) AP architecture concentrates all the WLAN intelligence in the access point. The AP handles the radio frequency (RF) communication, as well as authenticating users, encrypting communications, secure roaming, WLAN management, and in some cases, network routing. FQDN Fully Qualified Domain Name. A “friendly” designation of a computer, of the general form computer.[subnetwork.].organization.domain. The FQDN names must be translated into an IP address in order for the resource to be found on a network, usually performed by a Domain Name Server.FTM Forwarding Table ManagerFTP File Transfer ProtocolGGateway  In the wireless world, an access point with additional software capabilities such as providing NAT and DHCP. Gateways may also provide VPN support, roaming, firewalls, various levels of security, etc. Gigabit Ethernet The high data rate of the Ethernet standard, supporting data rates of 1 gigabit (1,000 megabits) per second.GUI Graphical User InterfaceHHeartbeat message A heartbeat message is a UDP data packet used to monitor a data connection, polling to see if the connection is still alive.In general terms, a heartbeat is a signal emitted at regular intervals by software to demonstrate that it is still alive. In networking, a heartbeat is the signal emitted by a Level 2 Ethernet transceiver at the end of every packet to show that the collision-detection circuit is still connected.Host (1) A computer (usually containing data) that is accessed by a user working on a remote terminal, connected by modems and telephone lines. (2) A computer that is connected to a TCP/IP network, including the Internet. Each host has a unique IP address.F (Continued)
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide152HTTP Hypertext Transfer Protocol is the set of rules for transferring files (text, graphic images, sound, video, and other multimedia files) on the World Wide Web. A Web browser makes use of HTTP. HTTP is an application protocol that runs on top of the TCP/IP suite of protocols. (RFC2616: Hypertext Transfer Protocol -- HTTP/1.1)HTTPS Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL, is a Web protocol that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS uses Secure Socket Layer (SSL) as a sublayer under its regular HTTP application layering. (HTTPS uses port 443 instead of HTTP port 80 in its interactions with the lower layer, TCP/IP.) SSL uses a 40-bit key size for the RC4 stream encryption algorithm, which is considered an adequate degree of encryption for commercial exchange. IIBSS Independent Basic Service Set. See BSS. An IBSS is the 802.11 term for an adhoc network. See adhoc network.ICMP Internet Control Message Protocol, an extension to the Internet Protocol (IP) defined by RFC792. ICMP supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.ICV ICV (Integrity Check Value) is a 4-byte code appended in standard WEP to the 802.11 message. Enhanced WPA inserts an 8-byte MIC just before the ICV. (See WPA and MIC)IE Internet Explorer.IEEE Institute of Electrical and Electronics Engineers, a technical professional association, involved in standards activities.IETF Internet Engineering Task Force, the main standards organization for the Internet.Infrastructure Mode An 802.11 networking framework in which devices communicate with each other by first going through an Access Point (AP). In infrastructure mode, wireless devices can communicate with each other or can communicate with a wired network. (See ad-hoc mode and BSS.)Internet or IP telephony IP or Internet telephony are communications, such as voice, facsimile, voice-messaging applications, that are transported over the Internet, rather than the public switched telephone network (PSTN). IP telephony is the two-way transmission of audio over a packet-switched IP network (TCP/IP network). An Internet telephone call has two steps: (1) converting the analog voice signal to digital format, (2) translating the signal into Internet protocol (IP) packets for transmission over the Internet. At the receiving end, the steps are reversed. Over the public Internet, voice quality varies considerably. Protocols that support Quality of Service (QoS) are being implemented to improve this.H (Continued)
IFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 153IP Internet Protocol is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (host) on the Internet has at least one IP address that uniquely identifies it. Internet Protocol specifies the format of packets, also called datagrams, and the addressing scheme. Most networks combine IP with a higher-level protocol called Transmission Control Protocol (TCP), which establishes a virtual connection between a destination and a source.IPC Interprocess Communication. A capability supported by some operating systems that allows one process to communicate with another process. The processes can be running on the same computer or on different computers connected through a network. IPsecIPsec-ESPIPsec-AHInternet Protocol security (IPSec) Internet Protocol security Encapsulating Security Payload (IPsec-ESP). The encapsulating security payload (ESP) encapsulates its data, enabling it to protect data that follows in the datagram.Internet Protocol security Authentication Header (IPsec-AH). AH protects the parts of the IP datagram that can be predicted by the sender as it will be received by the receiver.IPsec is a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPsec has been deployed widely to implement Virtual Private Networks (VPNs). IPsec supports two encryption modes: Transport and Tunnel. Transport mode encrypts only the data portion (payload) of each packet, but leaves the header untouched. The more secure Tunnel mode encrypts both the header and the payload. On the receiving side, an IPSec-compliant device decrypts each packet. For IPsec to work, the sending and receiving devices must share a public key. This is accomplished through a protocol known as Internet Security Association and Key Management Protocol/Oakley (ISAKMP/Oakley), which allows the receiver to obtain a public key and authenticate the sender using digital certificates. isochronous Isochronous data is data (such as voice or video) that requires a constant transmission rate, where data must be delivered within certain time constraints. For example, multimedia streams require an isochronous transport mechanism to ensure that data is delivered as fast as it is displayed and to ensure that the audio is synchronized with the video. Compare: asynchronous processes in which data streams can be broken by random intervals, and synchronous processes, in which data streams can be delivered only at specific intervals. ISP Internet Service Provider.IV IV (Initialization Vector), part of the standard WEP encryption mechanism that concatenates a shared secret key with a randomly generated 24-bit initialization vector. WPA with TKIP uses 48-bit IVs, an enhancement that significantly increases the difficulty in cracking the encryption. (See WPA and TKIP)I (Continued)
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide154LLAN Local Area Network.LSA Link State Advertisements received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router's interfaces and adjacencies. See also OSPF.MMAC Media Access Control layer. One of two sublayers that make up the Data Link Layer of the OSI model. The MAC layer is responsible for moving data packets to and from one Network Interface Card (NIC) to another across a shared channel.MAC address Media Access Control address. A hardware address that uniquely identifies each node of a network.MIB Management Information Base is a formal description of a set of network objects that can be managed using the Simple Network Management Protocol (SNMP). The format of the MIB is defined as part of the SNMP. A MIB is a collection of definitions defining the properties of a managed object within a device. Every managed device keeps a database of values for each of the definitions written in the MIB. Definition of the MIB conforms to RFC1155 (Structure of Management Information). MIC Message Integrity Check or Code (MIC), also called “Michael”, is part of WPA and TKIP. The MIC is an additional 8-byte code inserted before the standard 4-byte integrity check value (ICV) that is appended in by standard WEP to the 802.11 message. This greatly increases the difficulty in carrying out forgery attacks. Both integrity check mechanisms are calculated by the receiver and compared against the values sent by the sender in the frame. If the values match, there is assurance that the message has not been tampered with. (See WPA, TKIP and ICV).MTU Maximum Transmission Unit. The largest packet size, measured in bytes, that a network interface is configured to accept. Any messages larger than the MTU are divided into smaller packets before being sent. MU Mobile Unit, a wireless device such as a PC laptop.multicast, broadcast, unicastMulticast: transmitting a single message to a select group of recipients. Broadcast: sending a message to everyone connected to a network. Unicast: communication over a network between a single sender and a single receiver.
NFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 155NNAS Network Access Server, a server responsible for passing information to designated RADIUS Servers and then acting on the response returned. A NAS-Identifier is a RADIUS attribute identifying the NAS server. (RFC2138)NAT  Network Address Translator. A network capability that enables a group of computers to dynamically share a single incoming IP address. NAT takes the single incoming IP address and creates new IP address for each client computer on the network. Netmask In administering Internet sites, a netmask is a string of 0's and 1's that mask or screen out the network part of an IP address, so that only the host computer part of the address remains. A frequently-used netmask is 255.255.255.0, used for a Class C subnet (one with up to 255 host computers). The “.0” in the “255.255.255.0” netmask allows the specific host computer address to be visible. NIC Network Interface Card. An expansion board in a computer that connects the computer to a network. NMS  Network Management System. The system responsible for managing a network or a portion of a network. The NMS talks to network management agents, which reside in the managed nodes. NTP Network Time Protocol, an Internet standard protocol (built on top of TCP/IP) that assures accurate synchronization to the millisecond of computer clock times in a network of computers. Based on UTC, NTP synchronizes client workstation clocks to the U.S. Naval Observatory Master Clocks in Washington, DC and Colorado Springs CO. Running as a continuous background client program on a computer, NTP sends periodic time requests to servers, obtaining server time stamps and using them to adjust the client's clock. (RFC1305)OOFDM Orthogonal frequency division multiplexing, a method of digital modulation in which a signal is split into several narrowband channels at different frequencies. OFDM is similar to conventional frequency division multiplexing (FDM). The difference lies in the way in which the signals are modulated and demodulated. Priority is given to minimizing the interference, or crosstalk, among the channels and symbols comprising the data stream. Less importance is placed on perfecting individual channels. OFDM is used in European digital audio broadcast services. It is also used in wireless local area networks. OID Object Identifier. OPSEC OPSEC (Open Platform for Security) is a security alliance program created by Check Point to enable an open industry-wide framework for interoperability of security products and applications. Products carrying the “Secured by Check Point” seal have been tested to guarantee integration and interoperability.
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide156OS Operating system.OSI Open System Interconnection. An ISO standard for worldwide communications that defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, down through the presentation, session, transport, network, data link layer to the physical layer at the bottom, over the channel to the next station and back up the hierarchy.OSI Layer 2 At the Data Link layer (OSI Layer 2), data packets are encoded and decoded into bits. The data link layer has two sublayers: ●the Logical Link Control (LLC) layer controls frame synchronization, flow control and error checking●The Media Access Control (MAC) layer controls how a computer on the network gains access to the data and permission to transmit it. OSI Layer 3 The Network layer (OSI Layer 3) provides switching and routing technologies, creating logical paths, known as virtual circuits, for transmitting data from node to node. Routing and forwarding are functions of this layer, as well as addressing, internetworking, error handling, congestion control and packet sequencing.OSPF Open Shortest Path First, an interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm. Routers use link-state algorithms to send routing information to all nodes in an internetwork by calculating the shortest path to each node based on a topography of the Internet constructed by each node. Each router sends that portion of the routing table (keeps track of routes to particular network destinations) that describes the state of its own links, and it also sends the complete routing structure (topography). Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information. The host using OSPF sends only the part that has changed, and only when a change has taken place. (RFC2328)OUI Organizationally Unique Identifier (used in MAC addressing).PPacket The unit of data that is routed between an origin and a destination on the Internet or any other packet-switched network. When any file is sent from one place to another on the Internet, the Transmission Control Protocol (TCP) layer of TCP/IP divides the file into packets. Each packet is separately numbered and includes the Internet address of the destination. The individual packets for a given file may travel different routes through the Internet. When they have all arrived, they are reassembled into the original file (by the TCP layer at the receiving end). O (Continued)
QFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 157PAP Password Authentication Protocol is the most basic form of authentication, in which a user's name and password are transmitted over a network and compared to a table of name-password pairs. Typically, the passwords stored in the table are encrypted. (See CHAP).PDU Protocol Data Unit. A data object exchanged by protocol machines (such as management stations, SMUX peers, and SNMP agents) and consisting of both protocol control information and user data. PDU is sometimes used as a synonym for “packet''. PEAP PEAP (Protected Extensible Authentication Protocol) is an IETF draft standard to authenticate wireless LAN clients without requiring them to have certificates. In PEAP authentication, first the user authenticates the authentication server, then the authentication server authenticates the user. If the first phase is successful, the user is then authenticated over the SSL tunnel created in phase one using EAP-Generic Token Card (EAP-GTC) or Microsoft Challenged Handshake Protocol Version 2 (MSCHAP V2). (See also EAP-TLS).PHP server Hypertext PreprocessorPKI Public Key InfrastructurePoE  Power over Ethernet. The Power over Ethernet standard (802.3af) defines how power can be provided to network devices over existing Ethernet connection, eliminating the need for additional external power supplies.POST Power On Self Test, a diagnostic testing sequence performed by a computer to determine if its hardware elements are present and powered on. If so, the computer begins its boot sequence.push-to-talk (PTT) The push-to-talk (PTT) is feature on wireless telephones that allows them to operate like a walkie-talkie in a group, instead of standard telephone operation. The PTT feature requires that the network be configured to allow multicast traffic. A PTT call is initiated by selecting a channel and pressing the “talk” key on the wireless telephone. All wireless telephones on the same network that are monitoring the channel will hear the transmission. On a PTT call you hold the button to talk and release it to listen.QQoS Quality of Service. A term for a number of techniques that intelligently match the needs of specific applications to the network resources available, using such technologies as Frame Relay, Asynchronous Transfer Mode (ATM), Ethernet and 802.1 networks, SONET, and IP-routed networks. QoS features provide better network service by supporting dedicated bandwidth, improving loss characteristics, avoiding and managing network congestion, shaping network traffic, setting traffic priorities across the network. Quality-of-Service (QoS): A set of service requirements to be met by the network while transporting a flow. (RFC2386)P (Continued)
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide158RRADIUS Remote Authentication Dial-In User Service. An authentication and accounting system that checks User Name and Password and authorizes access to a network. The RADIUS specification is maintained by a working group of the IETF (RFC2865 RADIUS, RFC2866 RADIUS Accounting, RFC2868 RADIUS Attributes for Tunnel Protocol Support).RF Radio Frequency, a frequency in the electromagnetic spectrum associated with radio wave propagation. When an RF current is supplied to an antenna, an electromagnetic field is created that can propagate through space. These frequencies in the electromagnetic spectrum range from Ultra-low frequency (ULF) -- 0-3 Hz to Extremely high frequency (EHF) -- 30GHz - 300 GHz. The middle ranges are: Low frequency (LF) -- 30 kHz - 300 kHz, Medium frequency (MF) -- 300 kHz - 3 MHz, High frequency (HF) -- 3MHz - 30 MHz, Very high frequency (VHF) -- 30 MHz - 300 MHz, Ultra-high frequency (UHF)-- 300MHz - 3 GHz.RFC Request for Comments, a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.Roaming In 802.11, roaming occurs when a wireless device (a station) moves from one Access Point to another (or BSS to another) in the same Extended Service Set (ESS) -identified by its SSID.RP-SMA Reverse Polarity-Subminiature version A, a type of connector used with wireless antennasRSN Robust Security Network. A new standard within IEEE 802.11 to provide security and privacy mechanisms. The RSN (and related TSN) both specify IEEE 802.1x authentication with Extensible Authentication Protocol (EAP).RSSI RSSI received signal strength indication (in 802.11 standard)RTS / CTS RTS request to send, CTS clear to send (in 802.11 standard)
SFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 159SSegment In ethernet networks, a section of a network that is bounded by bridges, routers or switches. Dividing a LAN segment into multiple smaller segments is one of the most common ways of increasing available bandwidth on the LAN. SLP Service Location Protocol. A method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices. With Service Location Protocol, client applications are 'User Agents' and services are advertised by 'Service Agents'. The User Agent issues a multicast 'Service Request' (SrvRqst) on behalf of the client application, specifying the services required. The User Agent will receive a Service Reply (SrvRply) specifying the location of all services in the network which satisfy the request. For larger networks, a third entity, called a 'Directory Agent', receives registrations from all available Service Agents. A User Agent sends a unicast request for services to a Directory Agent (if there is one) rather than to a Service Agent.(SLP version 2, RFC2608, updating RFC2165)SMI Structure of Management Information. A hierarchical tree structure for information that underlies Management Information Bases (MIBs), and is used by the SNMP protocol. Defined in RFC1155 and RFC1442 (SNMPv2).SMT (802.11) Station ManagemenT. The object class in the 802.11 MIB that provides the necessary support at the station to manage the processes in the station such that the station may work cooperatively as a part of an IEEE 802.11 network. The four branches of the 802.11 MIB are:●dot11smt - objects related to station management and local configuration●dot11mac - objects that report/configure on the status of various MAC parameters●dot11res - Objects that describe available resources●dot11phy - Objects that report on various physical items.SNMP Simple Network Management Protocol. A set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.SNMP includes a limited set of management commands and responses. The management system issues Get, GetNext and Set messages to retrieve single or multiple object variables or to establish the value of a single variable. The managed agent sends a Response message to complete the Get, GetNext or Set.
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide160SNMP trap An event notification sent by the SNMP managed agent to the management system to identify the occurrence of conditions (such as a threshold that exceeds a predetermined value).SSH Secure Shell, sometimes known as Secure Socket Shell, is a Unix-based command interface and protocol for securely getting access to a remote computer. SSH is a suite of three utilities - slogin, ssh, and scp - secure versions of the earlier UNIX utilities, rlogin, rsh, and rcp. With SSH commands, both ends of the client/server connection are authenticated using a digital certificate, and passwords are protected by being encrypted.SSID Service Set Identifier. A 32-character unique identifier attached to the header of packets sent over a Wireless LAN that acts as a password when a wireless device tries to connect to the Basic Service Set (BSS). Several BSSs can be joined together to form one logical WLAN segment, referred to as an extended service set (ESS). The SSID is used to identify the ESS. In 802.11 networks, each Access Point advertises its presence several times per second by broadcasting beacon frames that carry the ESS name (SSID). Stations discover APs by listening for beacons, or by sending probe frames to search for an AP with a desired SSID. When the station locates an appropriately-named Access Point, it sends an associate request frame containing the desired SSID. The AP replies with an associate response frame, also containing the SSID. Some APs can be configured to send a zero-length broadcast SSID in beacon frames instead of sending their actual SSID. The AP must return its actual SSID in the probe response.SSL Secure Sockets Layer. A protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a public key to encrypt data that's transferred over the SSL connection. URL's that require an SSL connection start with https: instead of http. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. The “sockets” part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL.Subnet mask (See netmask)Subnets Portions of networks that share the same common address format. A subnet in a TCP/IP network uses the same first three sets of numbers (such as 198.63.45.xxx), leaving the fourth set to identify devices on the subnet. A subnet can be used to increase the bandwidth on the network by breaking the network up into segments.S (Continued)
TFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 161SVP SpectraLink Voice Protocol, a protocol developed by SpectraLink to be implemented on access points in order to facilitate voice prioritization over an 802.11 wireless LAN that will carry voice packets from SpectraLink wireless telephones.Switch In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (layer 2) and sometimes the network layer (layer 3) of the OSI Reference Model and therefore support any packet protocol. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.syslog A protocol used for the transmission of event notification messages across networks, originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations, and now embedded in many other operating systems and networked devices. A device generates a messages, a relay receives and forwards the messages, and a collector (a syslog server) receives the messages without relaying them. Syslog uses the user datagram protocol (UDP) as its underlying transport layer mechanism. The UDP port that has been assigned to syslog is 514. (RFC3164)TTCP / IP Transmission Control Protocol. TCP, together with IP (Internet Protocol), is the basic communication language or protocol of the Internet. Transmission Control Protocol manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. Internet Protocol handles the address part of each packet so that it gets to the right destination. TCP/IP uses the client/server model of communication in which a computer user (a client) requests and is provided a service (such as sending a Web page) by another computer (a server) in the network. TFTP Trivial File Transfer Protocol. An Internet software utility for transferring files that is simpler to use than the File Transfer Protocol (FTP) but less capable. It is used where user authentication and directory visibility are not required. TFTP uses the User Datagram Protocol (UDP) rather than the Transmission Control Protocol (TCP). TFTP is described formally in Request for Comments (RFC) 1350. TKIP Temporal Key Integrity Protocol (TKIP) is an enhancement to the WEP encryption technique that uses a set of algorithms that rotates the session keys. TKIP's enhanced encryption includes a per-packet key mixing function, a message integrity check (MIC), an extended initialization vector (IV) with sequencing rules, and a re-keying mechanism. The encryption keys are changed (rekeyed) automatically and authenticated between devices after the rekey interval (either a specified period of time, or after a specified number of packets has been transmitted).S (Continued)
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide162TLS Transport Layer Security. (See EAP, Extensible Authentication Protocol)ToS / DSCP ToS (Type of Service) / DSCP (Diffserv Codepoint). The ToS/DSCP field contained in the IP header of a frame is used by applications to indicate the priority and Quality of Service (QoS) for each frame. The level of service is determined by a set of service parameters which provide a three way trade-off between low-delay, high-reliability, and high-throughput. The use of service parameters may increase the cost of service. TSN Transition Security Network. A subset of Robust Security Network (RSN), which provides an enhanced security solution for legacy hardware. The Wi-Fi Alliance has adopted a solution called Wireless Protected Access (WPA), based on TSN. RSN and TSN both specify IEEE 802.1x authentication with Extensible Authentication Protocol (EAP).Tunnelling Tunnelling (or encapsulation) is a technology that enables one network to send its data via another network's connections. Tunnelling works by encapsulating packets of a network protocol within packets carried by the second network. The receiving device then decapsulates the packets and forwards them in their original format.UUDP User Datagram Protocol. A connectionless protocol that, like TCP, runs on top of IP networks. Unlike TCP/IP, UDP/IP provides very few error recovery services, offering instead a direct way to send and receive packets over an IP network. It is used primarily for broadcasting messages over a network.U-NII Unlicensed National Information Infrastructure. Designated to provide short-range, high-speed wireless networking communication at low cost, U-NII consists of three frequency bands of 100 MHz each in the 5 GHz band: 5.15-5.25GHz (for indoor use only), 5.25-5.35 GHz and 5.725-5.825GHz. The three frequency bands were set aside by the FCC in 1997 initially to help schools connect to the Internet without the need for hard wiring. U-NII devices do not require licensing. URL Uniform Resource Locator. the unique global address of resources or files on the World Wide Web. The URL contains the name of the protocol to be used to access the file resource, the IP address or the domain name of the computer where the resource is located, and a pathname -- a hierarchical description that specifies the location of a file in that computer. T (Continued)
VFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 163VVLAN Virtual Local Area Network. A network of computers that behave as if they are connected to the same wire when they may be physically located on different segments of a LAN. VLANs are configured through software rather than hardware, which makes them extremely flexible. When a computer is physically moved to another location, it can stay on the same VLAN without any hardware reconfiguration. The standard is defined in IEEE 802.1Q - Virtual LANs, which states that “IEEE 802 Local Area Networks (LANs) of all types may be connected together with Media Access Control (MAC) Bridges, as specified in ISO/IEC 15802-3. This standard defines the operation of Virtual LAN (VLAN) Bridges that permit the definition, operation and administration of Virtual LAN topologies within a Bridged LAN infrastructure.”WM-AD WM Access Domain Services (WM-AD). A Chantry-specific technique that provides a means of mapping wireless networks to a wired topology.VoIP Voice Over Internet Protocol. An internet telephony technique. With VoIP, a voice transmission is cut into multiple packets, takes the most efficient path along the Internet and is reassembled when it reaches the destination.VPN Virtual Private Network. A private network that is constructed by using public wires to connect nodes. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.VSA Vendor Specific Attribute, an attribute for a RADIUS server defined by the manufacturer.(compared to the RADIUS attributes defined in the original RADIUS protocol RFC2865). A VSA attribute is defined in order that it can be returned from the RADIUS server in the Access Granted packet to the Radius Client.WWalled Garden A restricted subset of network content that wireless devices can access.WEP Wired Equivalent Privacy. A security protocol for wireless local area networks (WLANs) defined in the 802.11b standard. WEP aims to provide security by encrypting data over radio waves so that it is protected as it is transmitted from one end point to another.Wi-Fi Wireless fidelity. A term referring to any type of 802.11 network, whether 802.11b, 802.11a, dual-band, etc. Used in reference to the Wi-Fi Alliance, a nonprofit international association formed in 1999 to certify interoperability of wireless Local Area Network products based on IEEE 802.11 specification.
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide164WINS Windows Internet Naming Service. A system that determines the IP address associated with a particular network computer, called name resolution. WINS supports network client and server computers running Windows and can provide name resolution for other computers with special arrangements. WINS supports dynamic addressing (DHCP) by maintaining a distributed database that is automatically updated with the names of computers currently available and the IP address assigned to each one.DNS is an alternative system for name resolution suitable for network computers with fixed IP addresses. WLAN Wireless Local Area Network.WMM Wi-Fi Multimedia (WMM), a Wi-Fi Alliance certified standard that provides multimedia enhancements for Wi-Fi networks that improve the user experience for audio, video, and voice applications. This standard is complicant with the IEEE 802.11e Quality of Service (QoS) extensions for 802.11 networks. WMM provides prioritized media access by shortening the time between transmitting packets for higher priority traffic. WMM is based on the Enhanced Distributed Channel Access (EDCA) method. WPA Wireless Protected Access, or Wi-Fi Protected Access is a security solution adopted by the Wi-Fi Alliance that adds authentication to WEP's basic encryption. For authentication, WPA specifies IEEE 802.1x authentication with Extensible Authentication Protocol (EAP). For encryption, WPA uses the Temporal Key Integrity Protocol (TKIP) mechanism, which shares a starting key between devices, and then changes their encryption key for every packet. Certificate Authentication (CA) can also be used. Also part of the encryption mechanism are 802.1X for dynamic key distribution and Message Integrity Check (MIC) a.k.a. “Michael”.WPA requires that all computers and devices have WPA software. WPA-PSK Wi-Fi Protected Access with Pre-Shared Key, a special mode of WPA for users without an enterprise authentication server. Instead, for authentication, a Pre-Shared Key is used. The PSK is a shared secret (passphrase) that must be entered in both the Altitude Access Point or router and the WPA clients. This preshared key should be a random sequence of characters at least 20 characters long or hexadecimal digits (numbers 0-9 and letters A-F) at least 24 hexadecimal digits long. After the initial shared secret, the Temporal Key Integrity Protocol (TKIP) handles the encryption and automatic rekeying.W (Continued)
WFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 165Summit WM-Series Switch Software terms and abbreviationsTerm ExplanationCTP CAPWAP Tunnelling Protocol (CTP). The Altitude AP uses a UDP (User Datagram Protocol) based tunnelling protocol called CAPWAP Tunnelling Protocol (CTP) to encapsulate the 802.11 packets and forward them to the Summit WM-Series Switch. The CTP protocol defines a mechanism for the control and provisioning of wireless access points (CAPWAP) through centralized access controllers. In addition, it provides a mechanism providing the option to tunnel the mobile client data between the access point and the access controller. Auto Cell The Auto Cell feature consists of software on the Altitude AP that provides dynamic radio frequency (RF) management. For Altitude APs with the Auto Cell feature enabled and on a common channel, the power levels will be adjusted to balance coverage if a Altitude AP is added to, or leaves, the network. The feature also allows wireless clients to be moved to another Altitude AP if the load is too high. The feature can also be set to scan automatically for a channel, using a channel selection algorithm.Summit WM-Series Switch The Summit WM-Series Switch is a rack-mountable network device designed to be integrated into an existing wired Local Area Network (LAN). It provides centralized control over all access points (both Altitude APs and third-party access points) and manages the network assignment of wireless device clients associating through access points. Langley “Langley” is a Summit WM-Series Switch Software term for the inter-process messaging infrastructure on the Summit WM-Series Switch.Summit Spy The Summit Spy is a mechanism that assists in the detection of rogue access points. The feature has three components: (1) a radio frequency (RF) scanning task that runs on the Altitude AP, (2) an application called the RF Data Collector (RFDC) on the Summit WM-Series Switch that receives and manages the RF scan messages sent by the Altitude AP, (3) an Analysis Engine on the Summit WM-Series Switch that processes the scan data.RFDC The RF Data Collector (RFDC) is an application on the Summit WM-Series Switch that receives and manages the Radio Frequency (RF) scan messages sent by the Altitude AP. This application is part of the Summit Spy technique, working in conjunction with the scanner mechanism and the analysis engine to assist in detecting rogue access points.WM Access Domain Services (WM-AD)The WM Access Domain Services (WM-AD) technique is the Extreme Networks means of mapping wireless networks to the topology of an existing wired network. When you set up WM Access Domain Services (WM-AD) on the Summit WM-Series Switch, you are defining subnets for groups of wireless users. This WM-AD definition creates a virtual IP subnet where the Summit WM-Series Switch acts as a default gateway for wireless devices. This technique enables policies and authentication to be applied to the groups of wireless users on a WM-AD, as well as the collecting of accounting information. When a WM-AD is set up on the Summit WM-Series Switch, one or more Altitude APs (by radio) are associated with it. A range of IP addresses is set aside for the Summit WM-Series Switch's DHCP server to assign to wireless devices.
GlossaryFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide166Term ExplanationWM-AD Manager (and WM-AD Agent)The technique in Summit WM-Series Switch Software by which multiple Summit WM-Series Switches on a network can discover each other and exchange information about a client session. This enables a wireless device user to roam seamlessly between different Altitude APs on different Summit WM-Series Switches, to provide mobility to the wireless device user.One Summit WM-Series Switch on the network must be designated as the “WM-AD Manager”. All other Summit WM-Series Switches are designated as “WM-AD Agents”. Relying on SLP, the WM-AD Manager registers with the Directory Agent and the WM-AD Agents discover the location of the WM-AD Manager. Altitude AP The Altitude AP is a wireless LAN thin access point (IEEE 802.11) provided with unique software that allows it to communicate only with a Summit WM-Series Switch. (A thin access point handles the radio frequency (RF) communication but relies on a controller to handle WLAN elements such as authentication.) The Altitude AP also provides local processing such as encryption. The Altitude AP is a dual-band access point, with both 802.11a and 802.11b/g radios.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 167ASummit WM-Series Switch Software system states and LEDsSummit WM-Series Switch system states and LEDsThe Summit WM-Series Switch has the two system states: Standby and Active.It enters “Standby” when shut down in the Summit WM-Series Switch Configuration – System Maintenance screen. The Summit WM-Series Switch:●sends control message to Altitude AP to enter “Standby” state●will not handle any wireless traffic or sessions●disables DHCP, Policy Manager, Security Manager, Altitude AP Manager, Redirector●remains on the wired networkIt enters “Active” state on startup in the user interface. The Summit WM-Series Switch can now respond to the Altitude AP's “discover” message by returning a message that the Altitude AP can enter the “active” state.The activity and traffic on the Summit WM-Series Switch can be monitored via three LEDs on the back of the Summit WM-Series Switch: Link, Status, Activity.The three LEDs perform the following functions:●Link LED: Displays the link status of management port Ethernet link as seen by the system software.●Status LED: Indicates the state of the CM from software point of view, normal operation, whether processes have gone down and are restarting, etc.●Activity LED: Indicates the amount of traffic carried to and from Altitude APs.The Link LED is only seen at the back of the Summit WM-Series Switch. The Status and Activity LEDs can be seen from both the front and the back of the Summit WM-Series Switch. The sequence of the Status and Activity LEDs is as follows:System State Status LED Activity LEDPower up Off OffServices started: WDTSTAT installed (init.d starts services) Blinking Amber OffStartup Manager Task started Solid Amber Blinking AmberStartup Manager Task completes startup – all components started Solid Green Blinking green, if trafficBlank, if no traffic
Summit WM-Series Switch Software system states and LEDsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide168Altitude AP system statesFor the Altitude AP the Status LED in the center also indicates power. The Status LED is dark when unit is off and is green (solid) when the AP has completed discovery and is operational.The chart below shows states and corresponding Status LED displays:A component fails to start or needs restarting (Startup Manager Task retrying that component)Solid Amber Blinking greenSummit WM-Series Switch fails to boot Solid Red OffA component fails (no more retries) Solid Red OffSystem about to be reset by watchdog Blinking Red OffTable 6: Altitude AP system states and status LED displaysState / Process Description LEDsPower Altitude AP not powered. OffPower Start up: Power On Self Test (POST) Steady green (briefly)Power Power On Self Test (POST) successful Off (briefly)Discovery If the POST self test is successful, the AP begins “Discovery” process. Altitude AP is powered on and searching for an active Summit WM-Series Switch. It sends a “discover” message and waits for a responseOrange (steady)Fail to find DHCP Altitude AP failed to find DHCP (will stay in this state until a route appears).Red-orange (alternate blink)Failed discovery If there are SLP issues in failed discovery, the LED display changes. Green-orange (alternate blink)Registration Altitude AP learns the Summit WM-Series Switch's IP address, and can begin the Registration processOrange (blink)Failed Registration Altitude AP fails to learn the Summit WM-Series Switch's IP address.Red (blink)Standby 1. Altitude AP enters this state from “Discovery” when it encounters an active Summit WM-Series Switch and completes the Registration process.2. Altitude AP enters this state from “Active” when it receives a control message from the Summit WM-Series Switch to enter this state. If the Altitude AP has any wireless device traffic, it will drop the traffic.Green (blink) Altitude AP fails to register. It will wait 5 seconds and try again. Red (slow blink)Firmware download from the Summit WM-Series Switch is in progressOrange + green (blink)Active (Ready) Altitude AP has received a control message from an active Summit WM-Series Switch to enter “active” or “ready” state. It is ready to receive wireless traffic.Note: The two Traffic LEDs on either side of the Status LED display a green (blink) if there is active wireless traffic. The left LED is for the 2.4 GHz radio. The right LED is for the 5 GHz radio.Green (steady)System State Status LED Activity LED
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 169BCLI command referenceTable 7: CLI commandsCategory Syntax CommentTop Level <hostname># ipinterfaceexit quit ssh sessionlogout logs out of systemSystem State <hostname># shutdown <reboot|halt> requires confirmation<hostname># reset <database> requires confirmation<hostname># reset <factory> requires confirmationSystem Maintenance<hostname># loglevel <1|2|3|4|5><hostname># syslog<hostname>:syslog# syslogip # <xxx.xxx.xxx.xxx><hostname>:syslog# (no) syslog #<hostname>:syslog# (no) svcmsg<hostname>:syslog# logs <hostname> # (0,1,3,4,5,6: valid numbers;default is 0)<hostname>:syslog# logs service # (0,1,3,4,5,6: valid numbers; default is 3)<hostname>:syslog# logs application # (0,1,3,4,5,6: valid numbers; default is 3)<hostname># show loglevel=<critical | major | minor | info>output log to consoleRouting ProtocolsStatic Routes <hostname># ip<hostname>:ip# route  <address/mask> <x.y.z.a> <on|off>creates a static routeOR route <address> <mask> <x.y.z.a> <on|off>alternate format<hostname>:ip# route <a.b.c.d> <on|off> creates default route; ip keyword optional<hostname>:ip# show routes displays a numbered table of static routes<hostname>:ip# no route #n clears static route #nOR no route <x.y.z.a> clears static route; has to match an existing route with address x.y.z.a
CLI command referenceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide170OSPF <hostname># ip<hostname>:ip# (no) protocol ospf<hostname>:ip# ospf only 1 protocol can be enabled on the AC<hostname>:ospf# routerid <value>area <area-id>areatype <default|stub|nssa>config ospfinterface <0|1|2|3><hostname>:ospf.0# (no) ospfinterface Port has to be made router port during esa configurationlinkcost <val|default>auth <on|off>authkey <password>hello <val|default>dead <val|default>retx <val|default>txdelay <val|default>IP AddressesManagement Port<hostname># interface<hostname>:interface:# eth0 selects interface to configure<hostname>:interface: eth0# hostname '<string>' hostname<hostname>:interface: eth0# domain '<string>' domain name<hostname>:interface :eth0# ip <xxx.xxx.xxx.xxx>/mask enter management IP addressOR ip <xxx.xxx.xxx.xxx> mask <255.255.255.255>enter network mask<hostname>:interface: eth0# gateway <xxx.xxx.xxx.xxx> enter gateway address<hostname>:interface: eth0# (no) nameserver # <x.y.z.a> (opt) domain controller addressesexit return to <hostname>(if)#esa Ports <hostname>:interface:# esa [0-3]<hostname>:interface: esa-X# ip <xxx.xxx.xxx.xxx>/mask enter IXP port IP addressOR ip <xxx.xxx.xxx.xxx> mask <255.255.255.255>enter network mask<hostname>:interface: esa-X# #mtu <integer> has to be 64 <= X <= 1500<hostname>:interface: esa-X# function [host | ap | router] set interface type<hostname>:interface: esa-X# (no) mgmt enable / disable management traffic<hostname>:interface: esa-X# (no) regslp register interface with slpTable 7: CLI commands (Continued)Category Syntax Comment
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 171File Management<hostname># show backup [filename|number] list back-up files on system<hostname># show cdrs [dir] [filename|number]list CDRs available on system<hostname># show restore list restore files on system<hostname># show upgrade list upgrade files on system<hostname># show osupgrade list os upgrade files on system<hostname># show apup list ap image upgrade files on system<hostname># show bootrom list ap bootrom image files on systemBack-up system<hostname># backup <cdrs|configuration|logs|audit|all>RestoreBack-up<hostname># restore <filename|number>Upgrade CM <hostname># upgrade ac <filename|number>Upgrade OS <hostname># upgrade os <filename|number>Upgrade AP <hostname># upgrade apup <filename|number> ap <bserial#, …, bserial#>Upgrade Product Key<hostname># upgrade key executes script to apply product keyUpload / Download<hostname># copy backup <server> <user> <dir> <file>copy restore <server> <user> <dir> <file>copy upgrade <server> <user> <dir> <file>copy osupgrade <server> <user> <dir> <file>copy cdrs <server> <user> <dir> <file>copy apup <server> <user> <dir> <file>copy key <server> <user><dir> <file>loads key onto serverno backup <filename|number> deletes backup fileno restore <filename|number> deletes restore fileno upgrade <filename|number> deletes upgrade fileno apup <filename|number> deletes ap upgrade imageno cdr <filename|number> deletes cdr recordno key deletes key – only available from the CLITable 7: CLI commands (Continued)Category Syntax Comment
CLI command referenceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide172Users <hostname># users<hostname>:users#id <userid> [admin] [enable|disable]end of command, enter password & confirm password<hostname>:users#id no id <userid> confirm delete<hostname>:users#id (no) logon <userid> disable / enable user access to management system; confirm action<hostname>:users#id pwd id <userid> change password for userid; enter password & confirm passwordDiagnostics <hostname># ping <target_ip> issues 4 iCMP ping messages to target IP address<hostname># traceroute <target_ip> attempts to trace route to target IP addressradtest <wm-ad_name> <username> <password>][tracing]tests RADIUS authentication settingsradtest_mba <wm-ad> <mac> <ap_bss_mac> <ap_eth_mac> [tracing]tests RADIUS MAC-based authenticationAltitude APs <hostname># show ap displays list of AP serial numbersTable 7: CLI commands (Continued)Category Syntax Comment
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 173CDHCP, SLP, and Option 78 referenceFor the Altitude AP’s process to “discover” the Summit WM-Series Switch, the Summit WM-Series Switch Software system relies on a DHCP server that supports Option 78 and 79 for Service Location Protocol (SLP). The combination of Dynamic Host Configuration Protocol (DHCP), Option 78 and 79, and SLP provide a technique that defines the Summit WM-Series Switch as the only element on the network that the Altitude AP can communicate with.Option 78 is a list of IP addresses of Directory Agents, used by Service Agents and Users Agents. For the purposes of the Summit WM-Series Switch Software system, Option 78 should be set to the IP address of the Summit WM-Series Switch management port. The Summit WM-Series Switch will run the SLP daemon and act as a directory service.NOTEOne of the ethernet ports on the Summit WM-Series Switch should be set to allow management traffic so that SLP messages can arrive on that port.Option 79 is an identifier that refers to a set of services called a “scope”. If a User Agent has been assigned to a scope, it can only see the services in that scope. This will limit the IP addresses of Directory Agents available to the User Agent.Here's how Summit WM-Series Switch Software uses these SLP options:1The Summit WM-Series Switch Manager or the Altitude AP Manager use the Service Agent: ●to look up the location of the Directory Agent using Option 78 and 79 in the DHCP server ●to register with the Directory Agent2The Altitude AP User Agent looks up the location of the Directory Agent using Option 78 and 79 in the DHCP server.3The Altitude AP User Agent contacts the Directory Agent for services of the types “Chantry”. 4The Altitude AP attempts to connect with the Summit WM-Series Switch or Altitude AP Manager.Now the use of SLP is completed and the Altitude AP and Summit WM-Series Switch will now communicate using a UDP-based tunneling protocol.
DHCP, SLP, and Option 78 referenceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide174Service Location Protocol (SLP) (RFC2608)Service Location Protocol (RFC2608) is a method of organizing and locating the resources (such as printers, disk drives, databases, e-mail directories, and schedulers) in a network. Using SLP, networking applications can discover the existence, location and configuration of networked devices.In larger installations, services will register their services with one or more Directory Agents, and clients will contact the Directory Agent to fulfill requests for Service Location information.Service Location Protocol consists of three cooperating services:●User Agent (UA): A process working on the user's behalf to acquire service attributes and configuration. The User Agent retrieves service information from the Service Agents or Directory Agents.●Service Agent (SA): A process working on the behalf of one or more services to advertise service attributes and configuration.●Directory Agent (DA): A process which collects information from Service Agents to provide a single repository of service information in order to centralize it for efficient access by User Agents. There can only be one DA present per given host.When a service starts on the network, its Service Agent will query the DHCP server for Option 78 and 79 and will register itself appropriately.DHCP Options for Service Location Protocol (RFC2610)The Dynamic Host Configuration Protocol (RFC2131) provides a framework for passing configuration information to hosts on a TCP/IP network. Entities using the Service Location Protocol, Version 2 (RFC2608) and Service Location Protocol, Version 1 (RFC2165) need to obtain the address of Directory Agents in order to transact messages. The SLP Directory Agent option described below (Option 78) is used to configure User Agents and Service Agents with the location of Directory Agents in the network.The SLP Scope Option (Option 79) provides an assignment of scope for configuration of SLP User and Service Agents. This option takes precedence over both default and static scope configuration of SLP agents. A scope is a set of services, typically making up a logical administrative group.SLP Directory Agent Option (Option 78)The SLP Directory Agent Option 78 specifies a list of IP addresses for SLP Directory Agents. Directory Agents should be listed in order of preference.The Length value must include one for the 'Mandatory' byte and include four for each Directory Agent address which follows. The address of the Directory Agent is given in network byte order. The 'Mandatory' byte in the Directory Agent option may be set to either 0 or 1. If it is set to 1, the SLP User Agent or Service Agent so configured must not employ either active or passive multicast discovery of Directory Agents.The Directory Agents listed in Option 78 must be configured with the a non-empty subset of the scope list that the Agent receiving the Directory Agent Option 78 is configured with.
SLP Service Scope Option (Option 79)FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 175SLP Service Scope Option (Option 79)Services are grouped together using 'scopes'. These are strings that identify a set of services that form an administrative grouping. Service Agents (SAs) and Directory Agents (DAs) are always assigned a scope string. A User Agent (UA) is normally assigned a scope string (in which case the User Agent will only be able to discover that particular grouping of services). This allows a network administrator to provision services to users. The use of scopes also allows the administrator to scale SLP deployments to larger networks.The Scope-List String is a comma-delimited list of the scopes that a SLP Agent is configured to use. The Length value must include one for the 'Mandatory' byte.The 'Mandatory' byte determines whether SLP Agents override their static configuration for scopes with the <Scope List> string provided by the option. This allows DHCP administrators to implement a policy of assigning a set of scopes to Agents for service provision. If the Mandatory byte is 0, static configuration takes precedence over the DHCP provided scope list. If the Mandatory byte is 1, the <Scope List> provided in this option must be used by the SLP Agent.The Scope List String usage is defined in the SLPv2 specification (RFC2608).
DHCP, SLP, and Option 78 referenceFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide176
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 177DReference lists of standardsRFC listListed below are the Internet Engineering Task Force (IETF) Request for Comments (RFCs) standards supported by Summit WM-Series Switch Software. The Request for Comments, a series of notes about the Internet, submitted to the Internet Engineering Task Force (IETF) and designated by an RFC number, that may evolve into an Internet standard. The RFCs are catalogued and maintained on the IETF RFC website: www.ietf.org/rfc.html.Table 8: List of RFCsRFC Number TitleRFC 791 IPv4RFC 1812  Minimum Router RequirementsRFC 793 Transport Control Protocol (TCP)RFC 768 User Datagram Protocol (UDP)RFC 792 Internet Control Message Protocol (ICMP)RFC 826 Address Resolution Protocol (ARP)RFC 2865 Remote Access Dial In User Service (RADIUS)RFC 2866  RADIUS Accounting RFC 2165, 2608 Service Location Protocol (SLP)RFC 2131 Dynamic Host Configuration Protocol (DHCP)RFC 2328 Open Shortest Path First (OSPF v2)RFC 1587 OSPF Not So Stubby Area (NSSA) OptionRFC1350:  The TFTP Protocol (Revision 2)RFC 2716 EAP-TLSRFC 1155 Structure and identification of management information for TCP/IP-based internets.RFC 1157 Simple Network Management Protocol (SNMP).RFC 1212 Concise MIB definitions.RFC 1213 Management Information Base for Network Management of TCP/IP-based internets MIB-II.RFC 1215 Convention for defining traps for use with the SNMP.RFC 1901 Introduction to Community-based SNMPv2 (SNMPv2c).RFC 2011 SNMPv2 Management Information Base for the Internet Protocol using SMIv2.RFC 2012 SNMPv2 Management Information Base for the Transmission Control Protocol using SMIv2.RFC 2013 SNMPv2 Management Information Base for the User Datagram Protocol using SMIv2.RFC 2578 Structure of Management Information Version 2 (SMIv2). RFC 2579 Textual Conventions for SMIv2. 2580 Conformance Statements for SMIv2. RFC 2863 The Interfaces Group MIB.
Reference lists of standardsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide178802.11 standards listAlso supported are the following 802.11 standards:RFC 3416 Version 2 of the Protocol Operations for the Simple Network Management Protocol (SNMP)RFC 3417 Transport Mappings for the Simple Network Management Protocol (SNMP). RFC 3418 Management Information Base (MIB) for the Simple Network Management Protocol (SNMP).RFC 959 File Transfer Protocol. (FTP)RFC 2660 The Secure HyperText Transfer Protocol (HTTPS)RFC 2030 Simple Network Time Protocol v4RFC 1191 Path MTU DiscoveryInternet Draft Secure Shell v2 (SSHv2)Internet Draft EAP-TTLSInternet Draft EAP-PEAPInternet Draft CAPWAP Tunneling Protocol (CTP)Table 9: List of 802.11 standards supportedStandard Name802.11 Wireless LAN MAC and PHY Specifications802.11a Wireless LAN High Speed Physical Layer in 5 GHz band802.11b Wireless LAN High Speed Physical Layer in 2.4 GHz band802.11d 802.11 Extensions to Operate in Additional Regulatory Domains802.11g Wireless LAN Further High Data Rate Extensions in 2.4 GHz band802.11h Spectrum managed 802.11a (in 5 GHz band in Europe)802.11i  WLAN security and provide better network access control802.1x Port based network access control802.11e MAC Enhancements for Quality of Service (future)802.1aa 802.1x maintenance802.3af DTE Power via MDI (Power over Ethernet)802.3 CSMA/CD (Ethernet)802.3i 10Base-T802.3u 100Base-T802.3x Full DuplexTable 8: List of RFCs (Continued)RFC Number Title
802.11 standards listFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 179802.3z 1000Base-X (Gigabit Ethernet)802.1d MAC bridges802.11 MIB management information base for 802.11Table 9: List of 802.11 standards supported (Continued)Standard Name
Reference lists of standardsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide180
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 181ESupport for Altitude APAltitude AP diagnostics by TelnetWARNING!For security reasons, Telnet is disabled by default. Only enable it in order to perform a diagnostic session. When finished, disable Telnet again. As a support tool to perform diagnostic debugging of the Altitude AP, the capability to access the Altitude AP by Telnet has been provided. Normally Telnet is disabled and should be disabled again after diagnostics. This process should only be used by support services.The process to enable Telnet access has two steps.Use the AP Registration screen to set up password configuration for Telnet on the Altitude AP:
Support for Altitude APFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide1821In the Telnet Access Password entry field, key in the password for a Telnet session. To confirm the password, key it in again.2To send the password information to all registered Altitude APs, click on the Save button. Use the AP Properties screen, to enable Telnet on a selected Altitude AP.1Highlight the selected Altitude AP in the left-hand list.2In the Telnet Access field, select “Enable” from the drop-down list.3Click on the Save button. You can now begin a Telnet session on this Altitude AP.When the diagnostics are finished, disable Telnet access as follows:1In the Telnet Access field, select “Disable” from the drop-down list.2Click on the Save button.
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 183FRADIUS AttributesRemote Authentication Dial-In User Service (RADIUS) is an industry standard for providing identification, authentication, authorization, and accounting services for distributed dial-up/remote access networking.RADIUS Vendor-Specific Attributes (VSAs)RADIUS Vendor-Specific Attributes (VSAs) are RADIUS Authentication and Accounting attributes defined by vendors to customize information exchanges between clients and servers. This allows unique behaviors to be implemented in client applications without requiring custom server development. VSA support is included directly in dictionary files distributed with RADIUS server product (for example, with Funk Steel Belted RADIUS), or can be configured manually on most server products. The following defines the Extreme NetworksVSAs currently implemented in the Summit WM-Series Switch Software solution, defined using the Extreme Networks Organizationally Unique Identifier (OUI):ID Attribute Name Type Messages Description1Extreme Network-URL-Redirectionstring Returned from RADIUS serverA URL that can be returned to redirect a session to a specific Web page.2Extreme Networks-AP-Name string Sent to RADIUS serverThe name of the AP the client is associating to. It can be used to assign policy based on AP name or location.3Extreme Networks-AP-Serial string Sent to RADIUS serverThe AP serial number. It can be used instead of (or in addition to) the AP name.4Extreme Networks-VNS-Namestring Sent to RADIUS serverThe name of the Virtual Network the client has been assigned to. It is used in assigning policy and billing options, based on service selection.5Extreme Networks-SSID string Sent to RADIUS serverThe name of the SSID the client is associating to. It is used in assigning policy and billing options, based on service selection.6Extreme Networks-BSS-MACstring Sent to RADIUS serverThe name of the BSS-ID the client is associating to. It is used in assigning policy and billing options, based on service selection and location.
RADIUS AttributesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide184RADIUS AccountingAccount-Start PacketThe following table lists the information elements (including VSAs) supported in a RADIUS Start message, issued by Summit WM-Series Switch Software, with RADIUS Accounting enabled:Attribute NO. RAD. Data Type NameAcct-Session-Id 44 string mu_session_id User-Name 1string mu_user_idFilter-Id 11 string Filter-Id (Accept-response)Acct-Interim-Interval 85 integer (Accept-response/GUI input)Session-Timeout 27 integer (Accept-response/GUI input)Class 25 octets (Accept-response)Login-LAT-Group 36 octets (Accept-response)Acct-Status-Type 40 integer StartAcct-Authentic 45 integer Radius/Local/RemoteFramed-IP-Address 8ipaddr Mu_ip_addressConnect-Info 77 string 802.11 a[b][g]NAS-port-type 61 integer 18/19 Called-Station-ID 30 string BP MACCalling-Station-ID 31 string mu_mac_addressAcct-Delay-Time 41 integerBP-Serial VSA string Extreme Networks-AP-Serial BP-Name VSA string Extreme Networks-AP-NameVNS-Name VSA string Extreme Networks-VNS-NameSSID VSA string Extreme Networks-SSID
RADIUS AccountingFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 185Account-Stop/Interim PacketThe following table lists the information elements (including VSAs) supported in a RADIUS Stop or Interim messages, issued by Summit WM-Series Switch Software, with RADIUS Accounting enabled:Attribute NO. RAD. Data Type NameAcct-Session-Id 44 string mu_session_id User-Name 1string mu_user_idFilter-Id 11 string  Filter-Id (Accept-response)Acct-Interim-Interval 85 integer (Accept-response/GUI input)Session-Timeout 27 integer (Accept-response/GUI input)Class 25 octets (Accept-response)Login-LAT-Group 36 octets (Accept-response)Acct-Status-Type 40 integer Stop/Interim-UpdateAcct-Authentic 45 integer Radius/Local/RemoteFramed-IP-Address 8ipaddr Mu_ip_addressConnect-Info 77 string 802.11 a[b][g]NAS-port-type 61 integer 18/19Called-Station-ID 30 string BP MACCalling-Station-ID 31 string mu_mac_addressAcct-Delay-Time 41 integerAcct-Session-Time 46 integerAcct-Input-Packets 47 integerAcct-Output-Packets 49 integerAcct-Input-Octets 42 integerAcct-Output-Octets 43 integerAcct-Input-Gigawords 52 integerAcct-Output-Gigawords 53 integerAcct-Terminate-Cause 49 integerBP-Serial VSA string Extreme Networks-AP-Serial BP-Name VSA string Extreme Networks-AP-NameVNS-Name VSA string Extreme Networks-VNS-NameSSID VSA string Extreme Networks-SSID
RADIUS AttributesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide186Termination CodesThe RADIUS client (SWM or AP) terminates the wireless device user’s session when one of the following events occur:●user request●idle timeout●session timeout●administrator resetWhen a user session is terminated, the RADIUS client sends a RADIUS accounting stop request that will include one of the following termination codes:Radius ValueRadius DefinitionXP Value XP/SMT Definition XP Name1User Request 9RF notification that MU has disconnected from RU. This would be the case if there is a Logoff button for Captive Portal. Normally this would not apply to 802.1x connections.MU_DEREG_REASON_USER_REQUEST4Idle Timeout 1User has been disconnected due to idle timeout and inactivity MU_DEREG_REASON_IDLE_TIMEOUT5Session Timeout7Disconnection as a result of the maximum session length value returned by the RADIUS server upon successful authentication.MU_DEREG_REASON_LIFETIME_TIMEOUT6Admin Reset 238Explicit request by Management infrastructure (GUI user) to disconnect MUMU_DEREG_REASON_RF_DICONNECTMU_DEREG_REASON_ADMIN_REQMU_DEREG_REASON_TUNNEL_DISCONNECT11 NAS Reboot BM graceful shutdown N/A17 User Error Unknown reason  N/A
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 187GLogs and EventsOverviewThe Summit WM-Series Switch is designed to behave like an appliance. It is either in an operational state, or it has failed due to a hardware problem or low level packet processing issue. In general, the system will self recover by rebooting if the system fault is recoverable.There are two main monitoring processes in the system:●a hardware watchdog●a software watchdogThe software watchdog restarts stalled or failed processes, while the hardware watchdog causes system reboot should the software watchdog fail. The result of this approach is that little intervention is required once the system is properly configured and operational.CriticalThe following subsections contain tables describing all Critical log messages. The sections are listed alphabetically by Component Name.ACCESSPOINTACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. Cannot find out flash free space.Description AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .ACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. Not enough flash space for backup file.Description AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide188ACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. Cannot open application backup file.Description AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .ACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. Writing backup file failedDescription AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .ACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. File small or ELF header corrupted.Description AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .ACCESSPOINTSeverity CriticalLog Message AccessPoint software upgrade failed. File wrong size.Description AccessPoint software upgrade failed.Action Make sure to have the proper Access Point software file on AC for downloading .ACCESSPOINTSeverity CriticalLog Message AccessPoint configuration failed. Wassp config rcv: cannot decode tlv packet.Description AccessPoint configuration failedAction Check software  and configuration compatibility. Check the connection to AP.ACCESSPOINTSeverity CriticalLog Message AccessPoint configuration failed. Wassp config rcv: config missing from tlv packet.Description AccessPoint configuration failedAction Check software  and configuration compatibility. Check the connection to AP.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 189ACCESSPOINTSeverity CriticalLog Message AccessPoint configuration failed. Wassp config rcv: cannot send config to SNMP Agent.Description AccessPoint configuration failedAction Check software  and configuration compatibility. Check the connection to AP.ACCESSPOINTSeverity CriticalLog Message AccessPoint configuration failed. Wassp config rcv: cannot get response from SNMP Agent.Description AccessPoint configuration failedAction Check software  and configuration compatibility. Check the connection to AP.ACCESSPOINTSeverity CriticalLog Message AccessPoint configuration failed. Wassp config rcv: received error in Response from SNMP Agent.Description AccessPoint configuration failedAction Check software  and configuration compatibility. Check the connection to AP.ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. Radio Interference detected in channel 2.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. Radar interference is detected.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. Radar detected.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide190ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. AP-AC poll timeout.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. ChipReset: Error resetting WLAN HW.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. Error resetting WLAN HW during mode change.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. AP Discovery timeout AFTER 5 MINUTES.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Rebooting. AP Unable to allocate memory.Description AccessPoint Rebooting.Action AP detected a problem and rebooted automatically. Check the log message detail. No action is normally needed. ACCESSPOINTSeverity CriticalLog Message AccessPoint Running Backup image File size is 1500222.Description AccessPoint Running Backup image.Action AP could not run the latest installed software and is running the backup software instead. Upgrade AP with the proper latest software.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 191CDR_COLLECTORCONFIG_MANAGERCDR_COLLECTORSeverity CriticalLog Message CDR Manager failed to open accounting file for writing. The CDR Manager will halt.Description The accounting record file could not be opened; as accounting records cannot be written, the service halted.Action Indicates that the accounting record partition is corrupted. Contact service as the controller may require servicing.CDR_COLLECTORSeverity CriticalLog Message Memory allocation failure - unable to generate accounting record. CDR Manager will halt.Description Indicates that the system memory has been corrupted.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.CDR_COLLECTORSeverity CriticalLog Message File storage limit has been reached for the accounting files. The oldest file(s) will be deleted to free up room for the new accounting files.Description Indicates that the system memory has been corrupted.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.CDR_COLLECTORSeverity CriticalLog Message File storage limit has been reached for the accounting files. The oldest file(s) will be deleted to free up room for the new accounting files.Description Indicates that a large number of accounting records have been stored within the 7 day turn-over period. This notification indicates that to keep processing, records will be deleted.Action Copy off the relevant data records to ensure that accounting information is not lost.CONFIG_MANAGERSeverity CriticalLog Message Config Manager has suffered a critical error and will halt.Description Indicates a memory allocation failure. Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide192EVENT_SERVERCONFIG_MANAGERSeverity CriticalLog Message Access point controlled software upgrade has failed. This normally occurs if a corrupt image file was selected as the upgrade image. Please select another image for the upgrade: %sDescription AP upgrade has failed due to a bad software image.Action The selected upgrade image has a problem. Select a known good image and apply it to the access points for upgrade. Normally, this error results from the original image having been obtained via FTP without the "bin" directive.CONFIG_MANAGERSeverity CriticalLog Message Access point automatic software upgrade/downgrade has failed. This normally occurs if a corrupt image file was selected as the default image. Please select another default image. This alarm will repeat as long as the system is in automatic mode: %sDescription Automatic AP upgrade request has failed due to a bad software image.Action The selected upgrade image has a problem. Select a known good image and apply it to the access points for upgrade. Normally, this error results from the original image having been obtained via FTP without the "bin" directive.EVENT_SERVERSeverity CriticalLog Message Cannot access logging file. Unable to save any system log messages.Description Unable to open log files for message storage.Action Indicates a low level file system problem, or the file permissions may have been altered. Check the file permissions first. If they appear to be correct, the file system may be corrupted. Log messages should still be forwarded to syslog and SNMP if services are enabled.EVENT_SERVERSeverity CriticalLog Message Critical internal error - log file protection flags have been corrupted. Event server will halt.Description File system has encountered a problem and the log file cannot be opened for writing.Action Indicates that the logging partition is corrupted. Contact service as the controller may require servicing.EVENT_SERVERSeverity CriticalLog Message Internal system interrupt handlers failed to initialize. Event server will halt.Description Internal service failure.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service s the system may require servicing.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 193EVENT_SERVERSeverity CriticalLog Message Unable to initialize internal program thread. Event server will halt.Description Internal service failureAction In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.EVENT_SERVERSeverity CriticalLog Message Memory allocation failure. Unable to log last event.Description Indicates a memory allocation failure.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.EVENT_SERVERSeverity CriticalLog Message Socket call failed. Will not be able to communicate with specific component. Error no: %d.Description Inter-component communication failure.Action Indicates that a service the event server depends on has failed. There may be another event from the Start-up Manager indicating that a service has been restarted.EVENT_SERVERSeverity CriticalLog Message Socket select error - 100% CPU utilization can occur and overall system performance will be impaired.Description Internal communication error.Action Shell into the O/S and kill the process. Report event to service.EVENT_SERVERSeverity CriticalLog Message The evaluation license for the controller has expired. Please contact your customer representative and purchase licenses to continue using the controller. If you do not purchase a license, the legal requirement is to put the system out of service.Description Licensing infrastructure.Action Acquire a valid license for the system to ensure legal operation of the equipment.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide194LANGLEYRADIUS_ACCOUNTINGRADIUS_CLIENTLANGLEYSeverity CriticalLog Message Langley has suffered a critical error, and has halted. Error Details: %sDescription Messaging infrastructure alarm.Action If this error appears, the system is completely non-functional. The hardware watchdog timer will kick in and the system will reboot. If the error persists, contact service as the system may need to be replaced.RADIUS_ACCOUNTINGSeverity CriticalLog Message No Response from all RADIUS accounting server(s): %s.Description External RADIUS Accounting server access has been interrupted.Action Indicates that network connectivity needs to be checked. The system is operating correctly, but the external connections have been lost. Therefore, no RADIUS accounting records can be saved for the client sessions.RADIUS_CLIENTSeverity CriticalLog Message A file system error occurred. Unable to open RADIUS dictionary file. RADIUS client exiting.Description The file system has encountered a problem and the RADIUS dictionary file cannot be opened for reading.Action Indicates that the main service partition is corrupted, or there has been a low level file error. Alternatively, the file permissions may have been altered. First check the file permissions; if they appear correct, contact service as the controller may need servicing.RADIUS_CLIENTSeverity CriticalLog Message Cannot allocate memory for either Captive Portal and/or EAP modules. RADIUS client exiting.Description Indicates a memory allocation failure.Action In normal operating circumstances, the entire system will most likely behave erratically if it functions at all. Contact service as the system may need to be replaced.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 195RF_DATA_COLLECTORRU_MANAGERRADIUS_CLIENTSeverity CriticalLog Message Failed to send process status success to Startup Manager. Start-up Manager will reboot the RADIUS client.Description Interprocess communication failure.Action No action required. RADIUS_CLIENTSeverity CriticalLog Message No radius server available for VNS: %s.Description None of the RADIUS servers configured for a VNS are reachable by the RADIUS client.Action Indicates that network connectivity needs to be checked. The system is operating correctly, but the external connections have been lost. No RADIUS servers can be contacted for client authentication.RF_DATA_COLLECTORSeverity CriticalLog Message An error has occurred in the RF Data Collector which will cause this component to shutdown (and be restarted by the system). Details:%s.Description Indicates an internal service failure.Action Monitor the system for re-occurrences. If it appears under similar operating circumstances, there may be data corruption in the network. If other parts of the controller begin to behave erratically, this may indicate a hardware failure. Contact service as the controller may need servicing.RU_MANAGERSeverity CriticalLog Message RU Manager has suffered a critical internal error and will halt (unable to start process thread).Description Indicates an internal service failure.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide196SECURITY_MANAGERRU_MANAGERSeverity CriticalLog Message RU Manager has suffered a critical internal error and will halt (unable to open data dictionary).Description The file system has encountered a problem, and the messaging data dictionary file cannot be opened for reading.Action Indicates that the main service partition is corrupted, or there has been a low level file error. Alternatively, the file permissions may have been altered. First check the file permissions; if they appear correct, contact service as the controller may need servicing.RU_MANAGERSeverity CriticalLog Message AC Manager: Moving into failover modeDescription The controller is in availability mode, and the paired controller has failed. The system is moving into fail-over mode. Action Investigate failure of other controller to return environment to normal operation.SECURITY_MANAGERSeverity CriticalLog Message Cannot allocate memory. Will not be able to process Captive portal authentication request.Description Indicates a memory allocation failure.Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.SECURITY_MANAGERSeverity CriticalLog Message Failed to initialize list of session tracking tags (token). Will not be able to process Captive portal authentication requests.Description Indicates a memory allocation failure for a specific program function. Action In normal operating circumstances, the entire system behaves erratically, if functioning at all. Contact service as the system may need to be replaced.SECURITY_MANAGERSeverity CriticalLog Message Unable to open listening socket. Will not be able to communicate with Apache server.Description Inter-component communication failure.Action Verify that the web server is still running. If it is, re-start the security manager process to clear the problem.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 197STARTUP_MANAGERSECURITY_MANAGERSeverity CriticalLog Message Error binding to listener socket. Will not be able to communicate with Apache server.Description Inter-component communication failure.Action Verify that the web server is still running. If it is, re-start the security manager process to clear the problem. SECURITY_MANAGERSeverity CriticalLog Message Listen call failed. Will not be able to communicate with Apache Server.Description Inter-component communication failure.Action Verify that the web server is still running. If it is, re-start the security manager process to clear the problem. SECURITY_MANAGERSeverity CriticalLog Message Socket call failed. Will not be able to communicate with specific component.Description Inter-component communication failure.Action Indicates that a service the Security Manager depends on has failed. There may be another event from the Start-up Manager indicating that a service has been restarted.STARTUP_MANAGERSeverity CriticalLog Message Failed attempting to start router ports. System reboot initiated.Description Hardware initialization error. Action The router ports could not be initialized. The system reboots to attempt recovery. If the problem does not clear, Contact service as the system may need to be replaced.STARTUP_MANAGERSeverity CriticalLog Message Internal connection to router ports lost. Restart initiated.Description Hardware failure. Action Communication path to the router ports is lost. Reboot the system to attempt recovery.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide198STATS_SERVERSTARTUP_MANAGERSeverity CriticalLog Message HSM failed to start. System reboot initiated.Description Major system process start failure Action The process responsible for starting the interface IP stack failed to start. The system is rebooted automatically to attempt to clear the problem. If failure persists, try installing a previous version of the system software. If this fails to clear the problem, contact service as the operating system has failed or the base line configuration files have been corrupted. STARTUP_MANAGERSeverity CriticalLog Message HSM is down. System reboot initiatedDescription Major system process failure Action The process responsible for managing the interface IP stack failed. The system is rebooted automatically to attempt to clear the problem. If failure persists, try installing a previous version of the system software. If this fails to clear the problem, contact service as the operating system has failed or the base line configuration files have been corrupted. STARTUP_MANAGERSeverity CriticalLog Message HSM failed to reply to status notification. System reboot initiated.Description Major system process failure Action The process responsible for managing the interface IP stack failed. The system is rebooted automatically to attempt to clear the problem. If failure persists, try installing a previous version of the system software. If this fails to clear the problem, contact service as the operating system has failed or the base line configuration files have been corrupted. STARTUP_MANAGERSeverity CriticalLog Message Failed to connect to Langley. System reboot initiated.Description Messaging infrastructure could not start. Action The messaging system has failed. The system is rebooted automatically to attempt to clear the problem. If failure persists, try installing a previous version of the system software. If this fails to clear the problem, contact service as the box may need to be replaced.STATS_SERVERSeverity CriticalLog Message Statistics Server suffered an internal connection failure. Retrying connection in 5 seconds.Description Process could not connect to internal messaging infrastructure. Action Indicates that the process cannot connect to the message bus. The system may behave erratically at this point. Shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software release.
CriticalFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 199VNMGRVNMGRSeverity CriticalLog Message Critical internal error - memory protection flags have been corrupted. VN Manager will halt.Description Indicates that internal memory protection flags have been corrupted.Action If the process did not restart after emitting this error, or if client association, MAC-based authentication, or mobility problems continue to exist, shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software releaseVNMGRSeverity CriticalLog Message Internal system interrupt handlers failed to initialize. VN Manager will halt.Description Indicates that internal system interrupt handlers have failed to initialize. Action If the process did not restart after emitting this error, or if client association, MAC-based authentication, or mobility problems continue to exist, shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software releaseVNMGRSeverity CriticalLog Message Unable to initialize internal program thread. VN Manager will halt.Description Indicates that the process cannot allocate or update process threads.Action If the process did not restart after emitting this error, or if client association, MAC-based authentication, or mobility problems continue to exist, shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software releaseVNMGRSeverity CriticalLog Message Critical internal error - unable to allocate memory for VN Manager. VN Manager will halt.Description Indicates a memory allocation failure.Action If the process did not restart after emitting this error or if client association, MAC-based authentication, or mobility problems continue to exist, shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software release, where the memory leak may not exist.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide200MajorThe following subsections contain tables describing all Major log messages. The sections are listed alphabetically by Component Name.ACCESSPOINTVNMGRSeverity CriticalLog Message Socket call failed. Will not be able to communicate with specific component.Description A socket call has failed, which may make the process unable to communicate with another process. Action This log may be generated after a normal restart of the process, a normal restart of the controller, or a change in the role for mobility, and in these cases can be ignored. If the log is generated outside of these cases, the process cannot communicate with another process. Shell into the O/S and kill the process to see if that clears the problem. If the problem does not clear, try downgrading to a previous software.ACCESSPOINTSeverity MajorLog Message Communication with Access Controller lost. AP - AC poll timeout.Description AccessPoint poll timed out.Action Check the IP connection between Access controller and Access Point. If the Heartbeat between AC and AP timed out, check the configuration of AP poll and timeout periods.ACCESSPOINTSeverity MajorLog Message AccessPoint Problem Report captured. Ap-report-5.txt (size 37222 bytes).Description AccessPoint Problem Report captured.Action AP detected a problem and captured relevant data to a file. Upload ap-report file to Access controller and send it to field support. The file will be analyzed by Extreme Networks to resolve and correct the problem.ACCESSPOINTSeverity MajorLog Message AccessPoint software upgrade done. File size is 1500222.Description AccessPoint software upgrade done.Action None. AP software upgrade has been successfully completed.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 201CDR_COLLECTORACCESSPOINTSeverity MajorLog Message Beacon Creation Problem. Cannot allocate beacon.Description Beacon Creation Problem.Action Upgrade AP with the proper latest software.CDR_COLLECTORSeverity MajorLog Message Internal messaging error: %d. Accounting information for one client session will be incomplete.Description Accounting record is incomplete for a single client session. Action A single accounting record is incomplete. To accurately bill for usage, the client session needs to be audited against the RADIUS accounting server. CDR_COLLECTORSeverity MajorLog Message Can not create new CDR record for session%d. Accounting record for one client session will be unavailable.Description Transient error condition while creating an accounting record. Action A single accounting record is incomplete. To accurately bill for usage, the client session needs to be audited against the RADIUS accounting server. CDR_COLLECTORSeverity MajorLog Message Error will be ignored and message re-tried.Description Error sending message on the system messaging infrastructure. Action Recoverable messaging error; the process will recover. Monitor for future occurrences, and contact support if the problem persists.CDR_COLLECTORSeverity MajorLog Message Internal messaging error:%d. Error will be ignored and message re-tried.Description Process could not connect to internal messaging infrastructure. Action Recoverable messaging error; the process will recover. Monitor for future occurrences, and contact support if the problem persists.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide202CLICDR_COLLECTORSeverity MajorLog Message CDR Manager failed when attempting to write client record to accounting file. Accounting record for this client session will be unavailable.Description File input error. Action A single accounting record was not written to the accounting log. To accurately bill for usage, the client session needs to be audited against the RADIUS accounting server. Monitor for future occurrences, and contact support if the problem persists as it points to a file system corruption or that the accounting partition has been corrupted.CDR_COLLECTORSeverity MajorLog Message Internal messaging error - more accounting records were received than expected. Known sessions will be processed; unknown information will be dropped.Description Valid message with unknown client information received. Action Indicates that a valid accounting message was received for an unknown client. The information will be dropped. It is recommended that the RADIUS accounting server be audited to verify accounting data accuracy. CLISeverity MajorLog Message Upgrade process failed - failure reason:%s.Description Software maintenance error. Action Indicates that the attempted upgrade failed. Verify that the image is valid. Try downloading the image before upgrading.CLISeverity MajorLog Message System restore process failed - failure reason:%s.Description System maintenance error. Action Failed to restore system to previous save point. Try another system restore file, or verify that the current restore has not been corrupted prior to being uploaded to the controller.CLISeverity MajorLog Message Patch installation failed - failure reason:%s.Description Software maintenance error. Action Try applying a different patch, or verify that the patch has not been corrupted prior to being uploaded to the controller.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 203CONFIG_MANAGERCPDP_AGENT_IDCONFIG_MANAGERSeverity MajorLog Message Config Manager has experienced an error which has prevented it from properly processing a request. CM will continue running, however this error may be an indicator of a larger system problem. Error DetailsDescription CM messaging error. Action Monitor the system for re-occurrence. If problem re-occurs, other components may report additional problems. Try rebooting system to clear problem, and contact support if the problem persists.CONFIG_MANAGERSeverity MajorLog Message Access point %s has reported a radar interference violation on %s. The affected radio(s) have been placed in auto channel select mode, and will not respond to channel changes until 30min after the radar interference is last detected.Description AP behavior message. Action No action required. However, the AP will appear as though it is out of service. The message is provided as an informational response to client queries regarding service outage.CPDP_AGENT_IDSeverity MajorLog Message Possible LAND DoS attack (%s).Description Denial of service attack warning. Action Investigate the source of attack, and block offending system from the network.CPDP_AGENT_IDSeverity MajorLog Message Possible PING-OF-DEATH DoS attack (%s).Description Denial of service attack warning. Action Investigate source of attack, and block offending system from the network.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide204EVENT_SERVEREVENT_SERVERSeverity MajorLog Message The controller evaluation license will expire in %s days. Please contact your customer representative and purchase licenses to continue using the controller.Description License expiration warning Action See log message for appropriate action.EVENT_SERVERSeverity MajorLog Message Audit message error. Unable to log audit message.Description Logging behavior. Action An event from the web pages could not be logged. If problem persists, check logs for other related error messages.EVENT_SERVERSeverity MajorLog Message Unknown internal program message received - type %d. Message will be ignored and processing continued.Description Internal communications. Action No action required. EVENT_SERVERSeverity MajorLog Message Unable to open audit file - Error no: %d. Message will be dropped.Description Audit file open error. Action Indicates that the logging partition may be full or corrupted. Contact service. EVENT_SERVERSeverity MajorLog Message Unable to determine audit file size - Error no: %d. Message will be dropped.Description Audit file write error. Action Indicates that the logging partition may be full or corrupted. Contact service.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 205LANGLEYNSM_SERVEREVENT_SERVERSeverity MajorLog Message Cannot reset audit file pointer to beginning of the audit file - Error no: %d. The message and subsequent messages will be dropped.Description Audit file circular buffer problem. Action Indicates that the audit file may be corrupted, or the logging partition is full or corrupted. Try deleting the audit file and restarting the event server. EVENT_SERVERSeverity MajorLog Message Cannot set audit file pointer to specific position in the log - Error no: %d. The message and subsequent messages will be lost.Description Audit file circular buffer problem. Action Indicates that the audit file could be corrupted or that the logging partition is full or corrupted. Try deleting the audit file and restarting the event server. LANGLEYSeverity MajorLog Message Langley has experienced an error which has prevented it from properly processing a request. Langley will continue running, however this error may be an indicator of a larger system problem. Error Details: %sDescription Internal messaging problem. Action No action required. However, monitoring for re-occurrence is recommended. Other event logs may indicate that a component has failed and been re-started.LANGLEYSeverity MajorLog Message A connection request from '%s' failed to authenticate with the messaging server. This may indicate that somebody is port-scanning the access controller, or is attempting to gain backdoor access.Description Internal messaging security warning. Action Block network access to the process or user that is attempting to connect to the messaging bus. This is an attempt to compromise the internal operation of the system.NSM_SERVERSeverity MajorLog Message NSM suffered an internal connection failure. Re-trying connection.Description Internal communications error. Action No action required. Process should recover. If failure continues, try restarting process.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide206OSPF_SERVERPORT_INFO_J_MANAGERRADIUS_ACCOUNTINGRADIUS_CLIENTNSM_SERVERSeverity MajorLog Message NSM suffered an internal messaging failure. Re-trying connection.Description Internal communications error. Action No action required. Process should recover. If failure continues, try restarting process. OSPF_SERVERSeverity MajorLog Message OSPF server suffered an internal messaging failure. Re-trying connection.Description Internal communications error. Action No action required. Process should recover. If failure continues, try restarting process. PORT_INFO_J_MANAGERSeverity MajorLog Message Next hop device is unreachable (%s)Description Network Connectivity problem Action Investigate network equipment problem. While the next hop route is down, no client traffic from the affected VNSs is being forwarded. All clients will have effectively lost wired service. RADIUS_ACCOUNTINGSeverity MajorLog Message No Response from one RADIUS accounting server: %s.Description RADIUS accounting server interaction. Action May indicate that a RADIUS accounting server is down or that network connectivity has been lost. Investigate to see if the network is working correctly, or if the RADIUS accounting server has unexpectedly failed.RADIUS_CLIENTSeverity MajorLog Message Failed to retrieve configuration from the Config Manager. Will retry connection to Config Manager.Description RADIUS client service information. Action No action required. The config manager process has not responded. System should recover.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 207REDIR_IDRF_DATA_COLLECTORRADIUS_CLIENTSeverity MajorLog Message Radius server changed: %sDescription RADIUS client service information. Action No action required RADIUS_CLIENTSeverity MajorLog Message Failed to get radius profile for VNS: %s.Description RADIUS client service information. Action No action required. The config manager process has not responded. System should recover. REDIR_IDSeverity MajorLog Message Redirect packet is too big, packet will be dropped (%s)Description Data path behavior.Action If this message appears, a client session has attempted to connect to a site with a very large initial target URL. As the buffer size for the URL redirect process has been exceeded, the packet is dropped. The client will not be redirected to the captive portal authentication screen. For the client to be successfully authenticated, they need to connect to a different web site before they will be re-directed. RF_DATA_COLLECTORSeverity MajorLog Message An error has occurred in the RF Data Collector. This error will be ignored and the component will attempt to continue. Details: %s.Description RF_Data_collector service information. Action No action required; process should recover.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide208RU_MANAGERSECURITY_MANAGERRU_MANAGERSeverity MajorLog Message An AP has attempted to connect that is unknown to the system. AP authentication failure. %s.Description Access point registration information.Action Indicates that someone may be attempting to set-up a rogue AP and/or spoof the registration/authentication process. It is recommended that the device be blocked from the network until the identity of the AP can be verified.RU_MANAGERSeverity MajorLog Message AP fails discovery. %sDescription Access point registration information Action No action required; AP will come back through discovery. However, this message may also indicate that an unsupported AP version is attempting to connect to the system. If this is the case, an older version of the system software must be installed and the AP upgraded to a software version that can register with the current version.SECURITY_MANAGERSeverity MajorLog Message Status thread failed to start. It is unable to communicate with startup/shutdown Manager until status thread starts.Description Security Manager service information. Action No action required; process will recover or will be automatically restarted. SECURITY_MANAGERSeverity MajorLog Message Error occurred when sending response message to Apache server.Description Security Manager service information. Action If this occurs, a client session will fail captive portal authentication. The end user should try to authenticate again. Alternatively, try restarting the process to see if this clears the problem.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 209SECURITY_MANAGERSeverity MajorLog Message Unable to create new session tracking tag (token mapping) based on MAC address. Will not be able to process Captive portal authentication request.Description Security Manager service information. Action If this occurs, a client session will fail captive portal authentication. The end user should try to authenticate again. Alternatively, try restarting to the process to see if this clears the problem.SECURITY_MANAGERSeverity MajorLog Message Get next available session tracking tag (token) returns zero. Will not be able to process Captive portal authentication request.Description Security Manager service information. Action If this occurs, a client session will fail captive portal authentication. The end user should try to authenticate again. Alternatively, try restarting to the process to see if this clears the problem.SECURITY_MANAGERSeverity MajorLog Message Error on deleting session tracking tag (token) %d. This will not impact success/failure of authentication request - it may create a memory leak if multiple tokens cannot be deleted.Description Security Manager service information. Action No action required. If the failure frequently re-occurs, it may be useful to restart the process to free lost memory. SECURITY_MANAGERSeverity MajorLog Message Unable to start component [%d]. Services provided by the component will be unavailable.Description System service status message. Action Try restarting the controller to see if that clears the problem. If rebooting does not clear the problem, contact support. Even though the process is down, it may not operationally effect the system. It may impair only parts of the system behavior.SECURITY_MANAGERSeverity MajorLog Message Component [%d] is down. Component will be restarted.Description System service status message. Action No action required.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide210VNMGRSECURITY_MANAGERSeverity MajorLog Message Component [%s] is down. Component will be restarted.Description System service status message. Action No action required. VNMGRSeverity MajorLog Message Configuration error - missing or bad parameters. VN Manager will retry configuration request. VN Manager will not start-up until configuration is successful.Description VN Manager status message. Action Verify that Config Manager is operational. Re-start if process has stopped. Problem should clear without intervention. VNMGRSeverity MajorLog Message Set Configuration data failed. The VNMgr may be restarted.Description VN Manager status message. Action No action required. Process should be restarted without intervention. VNMGRSeverity MajorLog Message Get Configuration data failed. The VNMgr may be restarted.Description VN Manager status message. Action No action required. Process should be restarted without intervention. VNMGRSeverity MajorLog Message VN Manager internal status changed. VN Manager will shutdown and be re-started by the Start-up Manager.Description VN Manager status message. Action VN Manager has been changed from Agent to Manager or vice-versa. No action required. VNMGRSeverity MajorLog Message Received unknown message type %d from Langley (CM socket).Description VN Manager status message. Action No action required.
MajorFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 211VNMGRSeverity MajorLog Message Heart-beat interval has expired - have missed too many heart-beats from VN Manager. VN Agent will reset all remote client information and revert to nodal operation.Description VN Manager status message. Action Indicates there is a network connectivity issue between controllers in the mobility domain. Resolve the connectivity issues for mobility to be returned to normal operation.VNMGRSeverity MajorLog Message Update interval has expired for VN Agent with IP address %s. VN Manager will remove all information for VN Agent including client session information.Description VN Manager status message. Action Indicates that there is a network connectivity issue between controllers in the mobility domain. Resolve the connectivity issues for mobility to be returned to normal operation.
Logs and EventsFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide212
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 213HRegulatory InformationThis section provides the regulatory information for the Summit WM-Series Switch and Altitude 350-2 Wireless Access Point.NOTEPlease refer to http://www.extremenetworks.com/go/rfcertification.htm for latest regulatory information regarding operation of the Altitude 350-2 wireless access point. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that should be performed only by Extreme Networks personnel are clearly identified in this guide.Changes or modifications made to the Summit WM-Series Switch or the Altitude APs which are not expressly approved by Extreme and party responsible for compliance upon installation could void the user's authority to operate the equipment.Summit WM100 (15945), Summit WM1000 (15937)Safety●cULus Listed Device UL 60950-1:2001 1st Edition (North America)●CSA C22.2 No.60950-1-03 1st Edition (Canadian Safety)●73/23/EEC Low Voltage Directive (LVD)●CB Certification:●IEC 60950-1:2001 1st Edition with applicable country deviations●TUV-R GS Mark ●EN60950-1:2001 (European Safety)●AS/NZS 3260 (Australia/New Zealand ACMA Safety of ITE)●FCC 21 CFR subpart 1040.10, 1040.11 (Safety of Laser Products)●CDRH Letter of Approval (US FDA Laser Approval)Emissions●FCC Part 15, Subpart B, Class A●ICES-003, Class A●89/336/EEC EMC Directive●EN 55022:1998 A2:2003 Class A (European Emissions)●EN55024:1998 A2:2003 includes IEC/EN61000-2,3,4,5,6,11 (Europe Immunity)●EN61000-3-2:2000 Class A (Harmonics)
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide214●EN61000-3-3:1995 A1:2001 (Flicker)●ETSI/EN 300 386:2001-9 (EU Telecommunication  Emissions & Immunity)●IEC/CISPR22:1997 Class A (International Emissions)●IEC/CISPR24:1998 (International Immunity)●IEC/EN 61000-4-2 Electrostatic Discharge ●IEC/EN 61000-4-3 Radiated Immunity●IEC/EN 61000-4-4 Transient Bursts●IEC/EN 61000-4-5 Surge●IEC/EN 61000-4-6 Conducted Immunity●IEC/EN 61000-4-11 Power Dips & Interruptions●Australia/New Zealand AS/NZS 3548 (ACMA Emissions)Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939)The A350-2 is Wi-Fi certified for operation in accordance with IEEE 802.11a/b/g. The regulatory domain of the purchased A300 and the country code selected during set-up will determine the operational channels within the 5 GHz (a) and 2.4 GHz (b/g) frequencies.NOTEOperation in the European Community and rest of the world may be dependant on securing certifications/regulatory approvals. For latest detail and information on country specific requirements, please go to http://www.extremenetworks.com/go/rfcertification.htm.United States - FCC Declaration of Conformity StatementThis device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: ●This device may not cause harmful interference.●This device must accept any interference received, including interference that may cause undesired operation.This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a residential and business environment. This equipment generates, uses, and radiates radio frequency energy, and if not installed and used in accordance with instructions, may cause harmful interference. However, there is no guarantee that interference will not occur. If this equipment does cause harmful interference, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:●Reorient or relocate the transceiver antenna.
Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939)FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 215●Increase the distance between the equipment and transceiver.●Consult the dealer or an experienced radio/TV technician for suggestion.This equipment meets the conformance standards listed in Table 10.NOTEThe Altitude 350-2 must be installed and used in strict accordance with the manufacture's instructions as described in this guide and the software manual of the switch to which this device is connected. Any other installation or use violates FCC Part 15 regulations.NOTEThe Altitude 350-2 Model 15938 with integral antenna is restricted for indoor use specifically in the UNII 5.15 - 5.25 GHz band in accordance with 47 CFR 15.407(e). The Altitude A350-2 Model 15939 with detachable antenna is disabled in the UNII 5.15 - 5.25 GHz band in accordance with 47 CFR 15.407(d). CAUTIONThis Part 15 radio device operates on a non-interference basis with other devices operating at this frequency when using integrated antennas or other Extreme Networks certified antennas. Any changes or modification to the product not expressly approved by Extreme Networks could void the user's authority to operate this device. Table 10: USA Conformance StandardsSafety • UL 60950-1:2001 1st Edition, Listed Accessory• UL 2043 Plenum ratedEMC • FCC CFR 47 Part 15 Class BRadio Transceiver • CFR 47 Part 15.247, Class C, 2.4 GHz• CFR 47 Part 15.407, Class C, 5 GHz• CFR 47 Part 15.205, 15.207, 15.209• CFR 47 Part 2.1091, 2.1093 • FCC OET No. 65 1997Other:• IEEE 802.11a (5 Ghz)• IEEE 802.11b/g (2.4 GHz)• IEEE 802.3af• FCC ID: RJF-A3502Environmental See Environmental Conditions.FCC ID#: RJF-A3502
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide216Conditions Under Which a Second party may replace a Part 15 Unlicensed AntennaSecond party antenna replacement (end user or second manufacturer) is permitted under the conditions listed below, with no testing or filing requirement. The general technical requirement of FCC Part 15.15 (a)(b)(c) still applies, however.●Replacement antennas must be equal or lower gain and of the same type previously authorized by the Commission/TCB. ●Replacement antennas must be the same type (i.e. similar in-band and out-of-band antenna beam patterns). Special care must be taken when adhering to this condition; the antenna beam patterns of the antennas tested must be compared with the beam patterns of the replacement antennas for similarities.●Integral antennas and detachable antennas included with the product have been tested and included within the FCC/TCB grant. Any other antennas used with the A350-2 must follow these guidelines to be used legally with the A350-2. ●Antennas offered for sale by Extreme Networks have been tested using the highest gain of each antenna type at maximum output power. FCC RF Radiation Exposure StatementThe Altitude A350-2 access point complies with FCC RF radiated exposure limits set forth for an uncontrolled environment. End users must follow the specific operating instructions for satisfying RF exposure compliance. This device has been tested and has demonstrated compliance when simultaneously operated in the 2.4 GHz and 5 GHz frequency ranges. This device must not be co-located or operated in conjunction with any other antenna or transmitter. NOTEThe radiated output power of the Altitude A350-2 s far below the FCC radio frequency exposure limits as specified in “Guidelines for Human Exposure to Radio Frequency Electromagnetic Fields” (OET Bullet 65, Supplement C). This equipment should be installed and operated with a minimum distance of 20 centimeters (8 inches) between the radiator and your body or other co-located operating antennas.Department of Communications Canada Compliance StatementThis digital apparatus does not exceed the Class B limits for radio noise emissions from digital apparatus as set out in the interference-causing equipment standard entitled “Digital Apparatus,” ICES-003 of the Department of Communications.Cet appareil numerique respecte les limites de bruits radioelectriques applicables aux appareils numeriques de Classe B prescrites dans la norme sur le materiel brouilleur: “Appareils Numeriques,” NMB-003 edictee par le ministere des Communications.This device complies with Part 15 of the FCC Rules and Canadian Standard RSS-210. Operation is subject to the following conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This Class   B device digital apparatus complies with Canada ICES-003.
Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939)FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 217This equipment meets the following conformance standards:European CommunityThe Altitude 350-2 are wireless ports designed for use in the European Union and other countries with similar regulatory restrictions and where the end user or installer is allowed to configure the wireless port for operation by entry of a country code relative to a specific country. Upon connection to the switch the software will prompt the user to enter a country code. After the country code is entered, the switch will set up the wireless port with the proper frequencies and power outputs for that country code.Declaration of Conformity with regard to R&TTE Directive of the European Union 1999/5/EC The symbol   indicates compliance with the Essential Requirements of the R&TTE Directive of the European Union (1999/5/EC). The Altitude 350-2 Integral Antenna AP (15938) and Altitude 350-2 Detachable Antenna AP (15939) models meet the following conformance standards.Table 11: Canada Conformance StandardsSafety • cULus Listed Accessory#60950-1-03 1st edition• Plenum Rated EnclosureEMC • ICES-003 Class BRadio Transceiver• RSS-210• RSS-139-1• RSS-102 FR Exposure• ID# 4141A-3502Other:• IEEE 802.11a (5 GHz)• IEEE 802.11b/g (2.4 GHz)• IEEE 802.3afEnvironmental See Environmental Conditions.Table 12: European Conformance StandardsSafety • 73/23/EEC Low Voltage Directive (LVD)• CB Scheme, IEC 60950-1:2001 with all available country deviations• GS Mark, EN 60950-1:2001• Plenum Rated EnclosureEMC • 89/336/EEC EMC DirectiveEmissions• EN55022:1998 Class B• CISPR22:1997 Class B• EN61000-3-2 and 3-3• EN/ETSI 301 489-17 (9-2000)Immunity• EN55024:1998 Class A, includes IEC 61000-4-2,3,4,5,6,11• EN/ETSI 301 489-17 (9-2000)0891
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide218NOTEA signed copy of the Declaration of Conformity (DoC) in accordance with the preceding directives and standards has been made and is available at www.extremenetworks.com/go/rfcertification.htm.Conditions of Use in the European CommunityThe Altitude 350-2 models 15706 and 15707 for the European Union and Rest of the World (Group II) regulatory domain are designed to operate in all countries of the European Community. Requirements for indoor versus outdoor operation, license requirements, and permitted channels of operation apply in some countries, as described in this section.   For the most up to date restriction and limitations go to www.extremenetworks.com/go/rfcertification.htm.WARNING!The user or installer is responsible to ensure that he Altitude 350-2 is operated according to channel limitations, indoor / outdoor restrictions, license requirements, and within power level limits for the current country of operation. A configuration utility has been provided with the switch to allow the end user to check the configuration and make necessary configuration changes to ensure proper operation in accordance with the spectrum usage rules for compliance with the European R&TTE directive 1999/5/EC. See the switch software guide for detailed instructions on use of this utility.NOTEThe Altitude 350-2 is completely configured and managed by the switch connected to the Altitude 350-2. Please see the appropriate Extreme Networks software user guide to properly configure the Altitude 350-2.Radio Transceiver • R&TTE Directive 1999/5/EC• ETSI/EN 300 328-2 2003-04 (2.4 GHz)• ETSI/EN 301 893-1 2002-07 (5 GHz)• ETSI/EN 301 489-1 2002-08Other:• IEEE 802.11a (5 Ghz)• IEEE 802.11b/g (2.4 GHz• IEEE 802.3af• ETSI/EN 301 489-17 2002-08 (RLAN) NOTE: Must use ExtremeWare 7.4 for compliance with ETSI/EN 301 893-1 2002-07 DFS requirementEnvironmental • EN/ETSI 300 019-2-1 v2.1.2 - Class 1.2 Storage• EN/ETSI 300 019-2-2 v2.1.2 - Class 2.3 Transportation• EN/ETSI 300 019-2-3 v2.1.2 - Class 3.1e Operational• ASTM D5276 Drop Packaged• ASTM D3580 Random Vibration Unpackaged 1.5 GTable 12: European Conformance Standards (Continued)
Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939)FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 219●The Altitude 350-2 wireless port requires the end user or installer to properly enter the correct country code into the switch software prior to operating the A350-2, to allow for proper configuration in conformance with European National spectrum usage laws. ●After the first Altitude 350-2 wireless port is connected to the switch, each additional wireless port connected will inherit the operating configuration of the first Altitude 350-2 wireless port. The user or installer is responsible to ensure the first Altitude 350-2 wireless port is properly configured.●The software within the switch will automatically limit the allowable channels and output power determined by the current country code entered. Incorrectly entering the country of operation, selecting the correct indoor/outdoor setting or identifying the proper antenna used, may result in illegal operation and may cause harmful interference to other systems. ●This device employs a radar detection feature required for European Community operation in the 5 GHz band. This feature is automatically enabled when the country of operation is correctly configured for any European Community country. The presence of nearby radar operation may result in temporary interruption of operation of this device. The radar detection feature will automatically restart operation on a channel free of radar.●The 5 GHz Turbo Mode feature is not enabled for use on the A350-2 Model 15938 and 15939 access point. ●The AutoChannelSelect/SmartSelect setting of the 5 GHz described in the switch software guide must always remain enabled to ensure that automatic 5 GHz channel selection complies with European requirements. The current setting for this feature is found in the 5 GHz Radio Configuration Window as described in the switch software manual.●The A350-2 with integral or detachable antennas may be used to transmit indoors and outdoors in countries of the European Community, as indicated in Table 14.Go to http://www.extremenetworks.com/go/rfcertification.htm for the most up to date limitation and restrictions.●The A350-2 must be operated indoors only when using the 5150- 5350 MHz bands, channels 36, 40, 44, 48, 52, 56, 60, or 64. See Table 13 for permitted 5 GHz channels by country.●The A350-2 with detachable antenna must be used only with antennas certified by Extreme Networks.●The A350-2 may be operated indoors or outdoors in all countries of the European Community using the 2.4 GHz band: Channels 1 – 13, except where noted in Table 14. ●In Italy, the end user must apply for a license from the national spectrum authority to operate this device outdoors. ●In Belgium, outdoor operation is only permitted using the 2.46 - 2.4835 GHz band: Channel 13.●In France, outdoor operation is only permitted using the 2.4 - 2.454 GHz band: Channels 1 - 7.
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide220Permitted 5 GHz Channels for the European CommunityTable 13 lists the 5 GHz channels approved for operation in the European Community.European Spectrum Usage RulesTable 14 lists the rules and restrictions for operating a 2.4 GHz or 5 GHz device in the European Community. Always use the latest software version for the most up-to-date channel list; some earlier software versions supply only a limited number of channels.The A350-2 must be installed in the proper indoor or outdoor location. Use the installation utility provided with the switch software to insure proper set-up in accordance with all European spectrum usage rules. Table 13: Permitted 5 GHz Channels in European Community CountriesPermitted Frequency Bands Permitted Channel Numbers  Countries5.15-5.25GHz 36, 40, 44, 48 Austria, Belgium5.15-5.35GHz 36, 40, 44, 48, 52, 56, 60, 64 France, Switzerland, Liechtenstein5.15-5.35* & 5.470-5.725GHz36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140Denmark, Finland, Germany, Iceland, Ireland, Italy, Luxembourg, Netherlands, Norway, Portugal, Spain, Sweden, U.K.5GHz Operation Not Allowed None GreeceTable 14: European Spectrum Usage Rules - Effective Feb. 2005Country5.15-5.25 (GHz)Channels: 36,40,44,485.25-5.35 (GHz)Channels: 52,56,60,645.47-5.725 (GHz)Channels: 100,104,108,112,116,120,124,128,132,136,1402.4-2.4835 (GHz)Channels: 1 to 13(Except Where Noted)Austria Indoor Only Not Allowed Not Allowed Indoor or OutdoorBelgiumaIndoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorBulgaria Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorDenmark Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorCyprus Indoor Only Indoor Only Not Allowed Indoor or OutdoorCzech Rep. Indoor Only Indoor Only Not Allowed Indoor or OutdoorEstonia Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorFinland  Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorFrance Indoor Only Indoor Only Not Allowed Indoor channels 1-13Outdoor channels 1-7 onlyGermany Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorGreece Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorHungary Indoor Only Indoor Only Not Allowed Indoor or OutdoorIceland Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorIreland Indoor Only Indoor Only Indoor or Outdoor Indoor or Outdoor
Altitude 350-2 Integrated Antenna (15938), Altitude 350-2 Detachable Antenna AP (15939)FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 221Italy Indoor Only Indoor Only Indoor (Outdoor w/License)Indoor (Outdoor w/License)Latvia Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorLiechtenstein Indoor Only Indoor Only Not Allowed Indoor or OutdoorLithuania Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorLuxembourg Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorNetherlands Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorMalta Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorNorway Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorPoland Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorPortugal Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorSlovakia Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorSlovenia Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorSpain Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorSweden Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorSwitzerland Indoor Only Indoor Only Not Allowed Indoor or OutdoorU. K. Indoor Only Indoor Only Indoor or Outdoor Indoor or OutdoorTurbo Mode Not Allowed in 5GHzNot Allowed in 5GHzNot Allowed in 5GHz Same 2.4 GHz rules as aboveAd Hoc Mode Not Allowed Not Allowed Not Allowed Same 2.4 GHz rules as abovea. Belgium requires that the spectrum agency be notified if you deploy wireless links greater than 300 meters in outdoor public areas using 2.4 GHz band.Table 14: European Spectrum Usage Rules - Effective Feb. 2005 (Continued)Country5.15-5.25 (GHz)Channels: 36,40,44,485.25-5.35 (GHz)Channels: 52,56,60,645.47-5.725 (GHz)Channels: 100,104,108,112,116,120,124,128,132,136,1402.4-2.4835 (GHz)Channels: 1 to 13(Except Where Noted)
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide222Declarations of ConformityTable 15 presents the Extreme Networks declarations of conformity for the languages used in the European Community. Table 15: Declaration of Conformity in Languages of the European CommunityEnglish Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.Finnish Valmistaja Extreme Networks vakuuttaa taten etta Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sita koskevien direktiivin muiden ehtojen mukainen.Dutch Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentiele eisen en de andere relevante bepalingen van richtlijn 1999/5/EGBij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentiele eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC.French Par la presente Extreme Networks declare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CEPar la presente, Extreme Networks declare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicablesSwedish Harmed intygar Extreme Networks att denna Radio LAN device star I overensstammelse med de vasentliga egenskapskrav och ovriga relevanta bestammelser som framgar av direktiv 1999/5/EG.Danish Undertegnede Extreme Networks erklarer herved, at folgende udstyr Radio LAN device overholder de vasentlige krav og ovrige relevante krav i direktiv 1999/5/EFGerman Hiermit erklart Extreme Networks, dass sich diese Radio LAN device in Ubereinstimmung mit den grundlegenden Anforderungen und den anderen relevanten Vorschriften der Richtlinie 1999/5/EG befindet". (BMWi)Hiermit erklart Extreme Networks die Ubereinstimmung des Gerates Radio LAN device mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG. (Wien)GreekItalian Con la presente Extreme Networks dichiara che questo Radio LAN device e conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE.Spanish Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CEPortuguese Extreme Networks declara que este Radio LAN device esta conforme com os requisitos essenciais e outras disposicoes da Directiva 1999/5/CE.ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ Extreme Networks ∆ΗΛΩΝΕΙ ΟΤΙ Radio LAN device ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΩ∆ΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ∆ΙΑΤΑΞΕΙΣ ΤΗΣ Ο∆ΗΓΙΑΣ 1999/5/ΕΚ
Certifications of Other CountriesFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 223Certifications of Other CountriesThe A350-2 Model 15938 and 15939 wireless port has been certified for use in the countries listed in Table 16. When the A350-2 is connected to the Extreme Networks switch, the user is prompted to enter a country code. Once the correct country code is entered, the switch automatically sets up the A300 with the proper frequencies and power outputs for that country code. Go to http://www.extremenetworks.com/go/rfcertification.htm for the most up to date list of certified countries.NOTEIt is the responsibility of the end user to enter the proper country code for the country the device will be operated within.Table 16: Other Country Specific Compliance Standards, Approvals and DeclarationsCountry Standards, Approvals, DeclarationsAustralia and New Zealand• A350-2 Model 15938 & 15939• EEE 802.11a/b/g• IEEE 802.3af (PoE)• ACN 090 029 066• EN 300 328-2:2003-4 (2.4 GHz)• EN 301 893-1:2003-08 (5 GHz)• EN 301 489-17:2002-08 (RLAN)• EN 60950 with Australia deviation
Regulatory InformationFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide224
FCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 225IndexAaccess approvalAltitude AP, in discovery, 49accountingsetup on a WM-AD, 84addinga new WM-AD subnet name, 66Altitude AP manually, 56RADIUS server definitions, 69alarmsoverview of log types and levels, 140allow all or approved APsfor availability setup, 104for discovery and registration, 44allow or deny in a filtering rule, 65Altitude APaccess approval, 49adding for availability setup, 104adding manually, 56assigning to a WM-AD, 72client blacklist, 135client disassociate, 133configure for a WM-AD for voice traffic, 102connecting and powering, 44enabling Telnet for debugging, 181LED sequence in discovery, 48maintenance and reboot, 131radios, 42, 52static configuration, 57view statistics, 145Analysis enginefunctions, 126overview of Summit Spy feature, 123antennae on the Altitude AP, 42auditsview GUI audits, 143authenticationMAC-based, 82no RADIUS server, 61none on a WM-AD, 100on a WM-AD for AAA, 82on a WM-AD for Captive Portal, 77overview of types, 76protocols supported, 63, 79Authentication, Authorization, Accounting (AAA)filter ID values (RADIUS policy), groups, 85set up 802.1x authentication, 82set up a WM-AD topology, 75set up privacy on a WM-AD, 97Auto Cell, 58Bblacklist a wireless client, 135branch office, static configuration of Altitude AP,57bridge traffic locally, branch office, 58Ccall data records (CDRs), 84Captive Portalauthentication on a WM-AD, 77configuring internal, 80defined, 63filter ID values (RADIUS policy), 85non-authenticated filtering rules, 87privacy mechanisms, 96set up a WM-AD topology, 71view sample page, 81Check Point event logging, 113configuringa new WM-AD, 66Captive Portal, internal, 80data ports, 32software - overview steps, 31static routes, 35Ddata port interfacesconfiguring, 32default filter, 92default gateway on a WM-AD, 73disassociate a wireless client, 133discoveryAltitude AP LED sequence, 48registration settings, 44steps, 46displaysAltitude AP availability, 105Altitude AP wired and wireless statistics, 145client location by foreign SWM, 109client location by home, 109list of displays, 144
IndexFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide226SWM tunnel traffic, 109documentation feedback, 10Domain Name Server (DNS)in discovery, 46Dynamic Host Configuration Protocol (DHCP)for availability, 103for mobility (WM-AD Manager), 107Option 78 in discovery, 46relay on a WM-AD, 74required as part of solution, 15Eevent loggingin Check Point, 113in SWM software, 140exception filterson a WM-AD, 87port-based, 39exclusions, IP address range on a WM-AD, 73Ffailover of a RADIUS server, 79failover of a Summit WM-Series Switchavailability overview, 22events and recovery, 106ferrite beads, installing on Controller cables, 24filteringdefault filter, 92exception filter on a WM-AD, 87filtering rules, overview of set up, 86for an AAA group, 94for Captive Portal authentication, 81non-authenticated filter for Captive Portal, 87non-authenticated filtering rules, examples,89on a WM-AD for third-party APs, 120overview of packet filtering, 21overview, four types, 64port-based, 39rules forFilter ID values, 90set Filter ID values (RADIUS policy), 84foreign Altitude APs, for availability, 49, 72formatting conventions, 10forwarding table report, 36friendly APs, Summit Spy feature, 128Ggateway, default, on a WM-AD, 73global settingsfor a WM-AD, 68priority traffic handling on a WM-AD, 102RADIUS servers for authentication, 78graphical user interface (GUI)main menu, 26overview, 28view audit log, 143groups for Authentication, Authorization,Accounting (AAA), 85Hhealth checking status of Altitude APs, 135heartbeat messages, in WM-AD Manager feature,107IinstallingAltitude AP, 43Summit WM-Series Switch, 24IP address range on a WM-AD, 73LLED sequencein discovery, 48local Altitude APs, for availability, 49login user name and password, 26Login-LAT-Group, 90for WM-AD AAA authentication, 85logschanging log level, 135event logging in Check Point, 113overview of types and levels, 140MMAC-based authentication, 82main menu, 26Management Information Bases (MIBs)supported, 115management portfirst-time setup, 24management traffic on data port, 33modify management port settings, 27port-based filtering, 39management trafficenabling on a WM-AD, 73mobilityoverview, 21WM-AD Manager and WM-AD Agent, 107MTU (Maximum Transmission Unit)in data port setup, 32multicastfor a WM-AD, 95set up a WM-AD for VoIP, 102
IndexFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide 227Nnetwork assignmentby AAA, 75, 97by SSID for Captive Portal, 71options for a WM-AD, 63network time synchronization, 112next hop route for a WM-AD, 73non-authenticated filter for Captive Portal, 81, 87Ooperating system software upgrade, 137OSPFconfiguring, 36linkstate report, 38neighbor report, 38on a WM-AD, 73Ppaired Summit WM-Series Switch for availability,104portconfiguring data ports, 32management, first-time setup, 24port exception filters, 39power supply, Summit WM-Series Switch, 24poweringAltitude AP, 44priority traffic handlingenable for a WM-AD, 102privacydynamic WEP on a WM-AD for AAA, 98encryption methods supported, 19on a WM-AD for AAAAAA, 97overview on a WM-AD, 66setup on a WM-AD for Captive Portal, 96static WEP for an AAA WM-AD, 98WPA v1 and WPA v2 on a WM-AD for AAA, 98product keyenabling, 31part of maintenance screen, 137protocolsfor authentication by Captive Portal, 79supported, overview, 11Rradio5 GHz (a) and 2.4 GHz (b/g), 42Auto Cell, 58channels, 55RF scanner, 123radio settingsview and modify, 52RADIUS serverdefining servers in global settings screen, 69deployment with no server, 61Filter ID values, 90for authentication, 78for MAC-based authentication, 82priority for redundancy, 79RADIUS accounting, 84RADIUS policy for a WM-AD, 84required as part of solution, 15VSAs in RADIUS message, 77read/write privileges, 111reboot Altitude AP, 131registrationsettings for availability setup, 104settings for discovery process, 44regulatory information, 11reportsAP inventory, 146forwarding table, 36, 146list of displays, 144OSPF linkstate, 38, 146OSPF neighbor, 38, 146restore Summit WM-Series Switch softwareconfiguration, 140RF Data Collector (RFDC), 123RF scans, Summit Spy feature, 125rogue detection, Summit Spy feature, 127routingconfiguring OSPF on data port, 36configuring static routes, 35next hop route on a WM-AD, 73overview, 20routing tableviewing, 36Ssafety compliances, 11scan results, Summit Spy feature, 127scanning RF via the Summit Spy feature, 125security clip and rivet on the Altitude AP bracket,43security of network, overview of methods, 19Service Location Protocol (SLP)for availability, 103for mobility (WM-AD Manager), 107in discovery, 46required as part of solution, 15traffic allowed on data port, 33view slpdump tool report, 106set up for a WM-AD, 119
IndexFCS Review Draft IISummit WM-Series WLAN Switch and Altitude Access Point Software Version 1.0 User Guide228shut down system, 135Simple Network Management Protocol (SNMP)enabling, 116MIBs supported, 115softwaremaintenance of Altitude AP software, 131maintenance of Summit WM-Series Switchsoftware, 137SSID network assignment for Captive Portal, 71standards supported, 11static configuration of Altitude AP, 57static routesconfiguring, 35viewing forwarding table report, 36status of Altitude APs in Access Approval screen,49Summit WM-Series Switchavailability overview, 22define management user names, passwords,111define network time synchronization, 112defined as WM-AD Manager for mobility, 107enable ELA event logging (Check Point), 113enabling SNMP, 116events during a failover, 106installing, 24paired for availability, 103restore software configuration, 140set up third-party APs, 119software maintenance, product key, 31system maintenance, 135system shutdown, 135Summit WM-Series Switch software configuration,139syslog event reportingdefine parameters, 135TTelnet, configuring and enabling for the AP, 181third-party APs, 119defining a WM-AD for, 73in Summit Spy feature, 129topology of a WM-ADAAA, 75Captive Portal, 71tracesoverview of log types and levels, 140Type of Service (ToS/DSCP)part of Quality of Service, 22Uuser name and password for login, 26Vvendor specific attributes (VSA)in RADIUS message, 77RADIUS servervendor specific attributes, 79Voice-over-IP (VoIP)define multicast groups on a WM-AD, 95set up a WM-AD for, 101WWi-Fi Multimedia (WMM)part of Quality of Service, 22Wi-Fi Protected Access (WPA)overview on a WM-AD, 66PSK mode for Captive Portal, 97WPA v1 and v2 on a WM-AD for AAA, 98Wired Equivalent Privacy (WEP)on a WM-AD for AAA, 98overview on a WM-AD, 66static for Captive Portal, 96WM Access Domain Services (WM-AD)authentication by AAA (802.1x), 82authentication by Captive Portal, 77creating a new WM-AD, 66define filtering rules, 86defined, 62for third-party APs, 120global settings, 68multicast, 95network assignment overview, 63overview, 20privacy for AAA, 97privacy overview, 96set up for VoIP, 101topology for AAA, 75topology for Captive Portal, 71WM-AD Managerdefining a Summit WM-Series Switch formobility, 107

Navigation menu