Extreme Networks OAP36B HiPath Wireless Outdoor Access Point User Manual I

Download:
Mirror Download [FCC.gov]
Document ID	1395763
Application ID	ENY/fD2iqT0qS1nq/K9EeQ==
Document Description	User Manual I
Short Term Confidential	No
Permanent Confidential	No
Supercede	No
Document Type	User Manual
Display Format	Adobe Acrobat PDF - pdf
Filesize	365.75kB (4571841 bits)
Date Submitted	2010-12-23 00:00:00
Date Available	2010-12-23 00:00:00
Creation Date	2010-12-23 10:19:13
Producing Software	Acrobat Distiller 7.0.5 (Windows)
Document Lastmod	2010-12-23 10:21:13
Document Title	HiPath Wireless Controller, Access Points and Convergence Software V7.21 User Guide
Document Creator	FrameMaker 8.0
Document Author:	Enterasys Networks

Documentation
HiPath Wireless Controller, Access Points and
Convergence Software V7.31
User Guide
9034530-04
Communication for the open minded
Siemens Enterprise Communications
www.siemens.com/open
Copyright © Siemens Enterprise
Communications GmbH & Co. KG 2010
Hofmannstr. 51, 80200 München
Siemens Enterprise Communications GmbH & Co. KG is
a Trademark Licensee of Siemens AG
Reference No.: 9034530-04
Communication for the open minded
Siemens Enterprise Communications
www.siemens.com/open
The information provided in this document contains
merely general descriptions or characteristics of
performance which in case of actual use do not always
apply as described or which may change as a result of further development of the products. An obligation to provide the respective characteristics shall only exist if expressly agreed in the terms of contract. Availability and
technical specifications are subject to change without notice.
OpenScape, OpenStage and HiPath are registered trademarks of Siemens Enterprise
Communications GmbH & Co. KG.
All other company, brand, product and service names are
trademarks or registered trademarks of their respective
holders.
hwc_user_guideTOC.fm
Nur für den internen Gebrauch
Contents
Contents
1 About this Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.1 Who should use this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.2 What is in this guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.3 Formatting conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.4 Additional documentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.5 Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.6 Safety Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.7 Sicherheitshinweise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
1.8 Consignes de sécurité . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
11
11
11
13
13
14
14
16
17
2 Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution . . .
2.1 Conventional wireless LANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.2 Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution . . . . . . .
2.2.1 Enterasys NetSight Suite integration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 HiPath Wireless Controller, Access Points and Convergence Software and your network . . . . . . . . . . . . .
2.3.1 Network traffic flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.2 Network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.2.1 Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.2.2 Privacy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.3 Virtual Network Services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.4 VNS components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.4.1 Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.4.2 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.4.3 WLAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.5 Static routing and routing protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.6 Mobility and roaming. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.7 Network availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3.8 Quality of Service (QoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.4 HiPath Wireless Controller product family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
19
20
22
26
27
29
31
32
32
33
34
34
35
36
36
37
38
38
39
3 Configuring the HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.1 System configuration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Logging on to the HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.3 Working with the basic installation wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4 Configuring the HiPath Wireless Controller for the first time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.1 Changing the administrator password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.2 Applying product license keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.2.1 Installing the license keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.3 Setting up the data ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.3.1 Viewing and changing the L2 ports information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.3.2 Viewing and changing the L2 port related topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.4 Setting up Internal VLAN ID and multi-cast support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.5 Setting up static routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.5.1 Viewing the forwarding table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.6 Setting up OSPF Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.7 Configuring filtering at the interface level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.7.1 Built-in interface-based exception filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.4.7.2 Working with administrator-defined interface-based exception filters . . . . . . . . . . . . . . . . . . . . . .
41
41
44
46
51
51
52
54
55
56
57
62
63
65
65
68
69
70
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Contents
Nur für den internen Gebrauch
3.4.8 Installing certificates on the HiPath Wireless Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
3.4.8.1 Installing a certificate for a HiPath Wireless Controller interface . . . . . . . . . . . . . . . . . . . . . . . . . 74
3.4.9 Configuring the login authentication mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.4.9.1 Configuring the local login authentication mode and adding new users . . . . . . . . . . . . . . . . . . . 79
3.4.9.2 Configuring the RADIUS login authentication mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
3.4.9.3 Configuring the local, RADIUS login authentication mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
3.4.9.4 Configuring the RADIUS, local login authentication mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
3.4.10 Configuring SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
3.4.10.1 Configuring SNMPv1/v2c-specific parameters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.4.10.2 Configuring SNMPv3-specific parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
3.4.10.3 Editing an SNMPv3 User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.4.10.4 Deleting an SNMPv3 User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
3.4.11 Configuring network time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.4.11.1 Configuring the network time using the system’s time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
3.4.11.2 Configuring the network time using an NTP server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.4.12 Configuring DNS servers for resolving host names of NTP and RADIUS servers . . . . . . . . . . . . . . 95
3.5 Using an AeroScout location based solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.6 Additional ongoing operations of the system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
4 Configuring the Wireless AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.1 Wireless AP overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
4.1.1 HiPath Standard Wireless AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
4.1.1.1 HiPath Standard Wireless AP radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.1.1.2 AP4102/4102C Access Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.1.2 HiPath Wireless Outdoor AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.1.3 HiPath Wireless 802.11n AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
4.1.3.1 HiPath Wireless 802.11n AP’s radios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
4.1.4 Wireless AP international licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
4.1.5 Wireless AP default IP address and first-time configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
4.1.6 Assigning a static IP address to the Wireless AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.2 Discovery and registration overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.2.1 Wireless AP discovery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
4.2.2 Registration after discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
4.2.2.1 Default Wireless AP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.2.3 Understanding the Wireless AP LED status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
4.2.3.1 HiPath Wireless AP LED status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
4.2.3.2 HiPath Wireless Outdoor AP LED status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
4.2.3.3 HiPath Wireless 802.11n AP LED status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
4.2.3.4 AP4102 and AP2605 LED status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
4.2.3.5 Configuring Wireless AP LED behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
4.2.4 Configuring the Wireless APs for the first time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
4.2.5 Defining properties for the discovery process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
4.2.6 Connecting the Wireless AP to a power source and initiating the discovery and registration process 134
4.3 Adding and registering a Wireless AP manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
4.4 Configuring Wireless AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.4.1 Modifying a Wireless AP’s status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
4.4.2 Configuring a Wireless AP’s properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.4.3 AP properties tab configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
4.4.4 Assigning Wireless AP radios to a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
4.4.5 Configuring Wireless AP radio properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
4.4.5.1 Modifying Wireless 802.11n AP 3610/3620 radio properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
4.4.5.2 Achieving high throughput with the Wireless 802.11n AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Nur für den internen Gebrauch
Contents
4.4.5.3 Modifying Wireless AP 2610/2620 radio properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4.6 Setting up the Wireless AP using static configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.4.7 Configuring Telnet/SSH Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5 Configuring VLAN tags for Wireless APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.1 Setting up 802.1x authentication for a Wireless AP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.1.1 Configuring 802.1x PEAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.1.2 Configuring 802.1x EAP-TLS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.1.3 Viewing 802.1x credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.1.4 Deleting 802.1x credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.2 Setting up 802.1x authentication for Wireless APs using Multi-edit . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.3 Configuring the default Wireless AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.3.1 Configure common configuration default AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.3.2 Configure AP2610/20, AP2605, W788, BP200, and WB500 default AP settings . . . . . . . . . . . .
4.5.3.3 Configure AP3605/10/20 default AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.3.4 Configure AP2650/60 and W786 default AP settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.5.3.5 Configure AP4102 and AP4102C default AP settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.6 Modifying a Wireless AP’s properties based on a default AP configuration. . . . . . . . . . . . . . . . . . . . . . . .
4.7 Modifying the Wireless AP’s default setting using the Copy to Defaults feature . . . . . . . . . . . . . . . . . . . .
4.8 Configuring multiple Wireless APs simultaneously . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.9 Configuring co-located APs in load balance groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.9.1 How availability affects load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.9.2 Load balance group statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.10 Configuring AP clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.11 Converting the Wireless Standalone 802.11n AP to standalone mode . . . . . . . . . . . . . . . . . . . . . . . . . .
4.12 Configuring an AP as a sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.13 Performing Wireless AP software maintenance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
167
179
182
183
184
186
187
190
191
192
196
196
198
205
213
221
228
228
229
231
235
235
235
237
238
241
5 Virtual Network Services concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1 VNS overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.1 Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.2 Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.3 WLAN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.1.4 New VNS definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.2 Setting up a VNS checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.3 NAC integration with HiPath WLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.4 Assigning Wireless APs to WLAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5 Authentication for a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5.1 Authentication with Captive Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.5.2 Authentication with 802.1x and WPA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6 Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6.1 Final filter rule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6.2 Filtering sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.6.3 Legacy compatibility with Policy-based filtering and VNS assignment . . . . . . . . . . . . . . . . . . . . . . . .
5.7 Multicast traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.8 Data protection — WEP and WPA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.9 QoS Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.10 Flexible Client Access (FCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
245
245
246
247
248
249
251
253
256
256
258
258
259
260
260
261
262
262
263
263
6 Configuring a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.1 High level VNS configuration flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.1.1 Controller defaults. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2 VNS global settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.1 Defining RADIUS servers and MAC address format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
265
265
267
267
269
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Contents
Nur für den internen Gebrauch
6.2.2 Configuring Dynamic Authorization Server support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.3 Defining Wireless QoS Admission Control Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.4 Defining Wireless QoS Flexible Client Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.5 Working with bandwidth control profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.6 Configuring the Global Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.2.7 Using the Sync Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.3 Methods for configuring a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4 Working with the VNS wizard to create a new VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.1 Creating a NAC VNS using the VNS wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.2 Creating a voice VNS using the VNS wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.3 Creating a data VNS using the VNS wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.4.4 Creating a Captive Portal VNS using the VNS wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.5 Working with a GuestPortal VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.5.1 Creating a GuestPortal VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.6 Creating a VNS using the advanced method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.7 Working with existing VNSs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.7.1 Enabling and disabling a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.7.2 Renaming a VNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.7.3 Deleting a VNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8 Configuring a Topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.1 Configuring a basic topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.1.1 Physical Port Topologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.1.2 Enabling management traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.2 Layer 3 configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.2.1 IP address configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.2.2 DHCP configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.2.3 Defining a next hop route and OSPF advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.3 Exception filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.8.4 Multicast filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9 Configuring WLAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.1 Configuring a WLAN Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.1.1 Third-party AP WLAN Service Type. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.1.2 Configuring a basic WLAN service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.1.3 Assigning an optional default topology to a service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.1.4 Assigning Wireless APs to a service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.2 Configuring privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.2.1 About Wi-Fi Protected Access (WPA v1 and WPA v2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.2.2 Wireless 802.11n APs and WPA authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.2.3 WPA Key Management Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.2.4 Configuring WLAN Service privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3 Configuring accounting and authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.1 Vendor Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.2 Defining accounting methods for a WLAN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.3 Configuring authentication for a WLAN Service. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.4 Defining the RADIUS server priority for RADIUS redundancy . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.5 Configuring assigned RADIUS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.6 Defining a WLAN Service with no authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.3.7 Configuring Captive Portal for internal or external authentication . . . . . . . . . . . . . . . . . . . . . . .
6.9.4 Configuring the QoS policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.4.1 Defining priority level and service class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.4.2 Defining the service class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.9.4.3 Configuring the priority override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
272
273
274
275
276
278
280
280
281
284
288
295
307
309
316
317
317
318
318
319
320
321
321
322
322
323
326
327
330
331
332
332
333
333
334
337
338
340
341
342
346
347
348
350
353
353
357
358
368
370
371
372
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Nur für den internen Gebrauch
Contents
6.9.4.4 QoS modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10 Configuring Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.1 Configuring VLAN and Class of Service for a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.2 About filtering rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.3 Configuring Filter Rules for a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.3.1 Non-authenticated filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.3.2 Authenticated filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.4 ICMP Type enforcement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.5 Filtering rules for a default filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.5.1 Default filter examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.5.2 Filtering rules between two wireless devices. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.10.6 Defining filter rules for Wireless APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11 Working with a Wireless Distribution System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.1 Simple WDS configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.2 Wireless Repeater configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.3 Wireless Bridge configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.4 Examples of deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.5 WDS WLAN Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.6 Key features of WDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.6.1 Tree-like topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.6.2 Radio Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.6.3 Multi-root WDS topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.6.4 Automatic discovery of parent and backup parent Wireless APs . . . . . . . . . . . . . . . . . . . . . . .
6.11.6.5 Link security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.7 Deploying the WDS system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.7.1 Connecting the WDS Wireless APs to the enterprise network for discovery and registration. .
6.11.7.2 Configuring the WDS Wireless APs through the HiPath Wireless Controller . . . . . . . . . . . . . .
6.11.7.3 Assigning the Satellite Wireless APs’ radios to the network WLAN Services . . . . . . . . . . . . . .
6.11.7.4 Connecting the WDS Wireless APs to the enterprise network for provisioning. . . . . . . . . . . . .
6.11.7.5 Moving the WDS Wireless APs to the target location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
6.11.8 Changing the pre-shared key in a WDS WLAN Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
372
377
378
379
381
384
385
385
386
386
387
387
389
389
390
391
391
392
394
394
396
396
397
397
398
399
400
404
405
406
406
7 Availability and session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1 Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1.1 Events and actions in availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.1.2 Availability prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.2 Configuring availability using the availability wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.3 Configuring availability manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4 Session availability. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.1 Events and actions in session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.2 Enabling session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.2.1 Configuring fast failover and enabling session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.2.2 Verifying session availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.4.2.3 Verify synchronization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.5 Viewing the Wireless AP availability display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
7.6 Viewing SLP activity. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
407
407
408
409
410
412
417
419
420
421
425
427
429
429
8 Configuring Mobility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.1 Mobility overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.2 Mobility domain topologies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
8.3 Configuring mobility domain. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
431
431
433
435
9 Working with third-party APs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Contents
Nur für den internen Gebrauch
9.1 Define authentication by Captive Portal for the third-party AP WLAN Service: . . . . . . . . . . . . . . . . . . . . 439
9.2 Define the third-party APs list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 439
9.3 Define filtering rules for the third-party APs: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440
10 Working with the Mitigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
10.1 Mitigator overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441
10.2 Enabling the Analysis and data collector engines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442
10.3 Running Mitigator scans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
10.4 Analysis engine overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
10.5 Working with Mitigator scan results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
10.6 Working with friendly APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
10.7 Maintaining the Mitigator list of APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
10.8 Viewing the Scanner Status report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 451
11 Working with reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
11.1 Available reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453
11.2 Viewing reports and displays . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 454
11.3 Viewing the Wireless AP availability display . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455
11.4 Viewing statistics for Wireless APs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
11.5 Viewing load balance group statistics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
11.6 Viewing the System Information and Manufacturing Information displays . . . . . . . . . . . . . . . . . . . . . . . 464
11.7 Viewing displays for the mobility manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 465
11.8 Viewing reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
11.9 Call Detail Records (CDRs) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
11.9.1 CDR files naming convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.9.2 CDR file types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
11.9.3 CDR file format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
11.9.4 Viewing CDRs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
12 Performing system administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1 Performing Wireless AP client management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1.1 Disassociating a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
12.1.2 Blacklisting a client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
12.2 Defining HiPath Wireless Assistant administrators and login groups . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
12.2.1 Working with GuestPortal Guest administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 485
12.2.1.1 Adding new guest accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
12.2.1.2 Enabling or disabling guest accounts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
12.2.1.3 Editing guest accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 489
12.2.1.4 Removing guest accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
12.2.1.5 Importing and exporting a guest file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
12.2.1.6 Viewing and printing a GuestPortal account ticket. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
12.2.1.7 Working with the GuestPortal ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
12.3 Configuring Web session timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
13 Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.1 Networking terms and abbreviations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
13.2 Controller, Access Points and Convergence Software terms and abbreviations . . . . . . . . . . . . . . . . . . 512
A HiPath Wireless Controller’s physical description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
A.1 HiPath Wireless Controller C5110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
A.2 HiPath Wireless Controller C4110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
A.3 HiPath Wireless Controller C2400 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
A.4 HiPath Wireless Controller C20 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
A.5 HiPath Wireless Controller C20N . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
A.6 HiPath Wireless Controller CRBT8210/8110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_user_guideTOC.fm
Nur für den internen Gebrauch
Contents
B Regulatory information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
B.1 HiPath Wireless Controller C20N/C20/C2400/C4110/C5110 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
B.2 Wireless APs 26XX and 36XX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
C optiPoint WL2 Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
C.1 optiPoint WL2 wireless telephone configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
C.2 HiPath Wireless Controller configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
D SpectraLink Wireless Telephones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
D.1 Network Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
D.2 Configuring HiPath Wireless Controller for SpectraLink telephones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
E Default GuestPortal source code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
E.1 Ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
E.1.1 Placeholders used in the default GuestPortal ticket page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
E.1.2 Default GuestPortal ticket page source code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
E.2 GuestPortal sample header page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
E.3 GuestPortal sample footer page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
567
567
567
568
570
572
hwc_user_guideTOC.fm
Contents
10
Nur für den internen Gebrauch
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_pref.fm
About this Guide
Who should use this guide
1 About this Guide
This guide describes how to install, configure, and manage the HiPath Wireless
Controller, Access Points and Convergence Software system. This guide is also
available as an online help system.
To access the online help system:
1. In the HiPath Wireless Assistant Main Menu bar, click Help. The About
HiPath Wireless Assistant screen is displayed.
2. In the left pane, click Controller Documentation. The online help system is
launched.
1.1 Who should use this guide
This guide is a reference for system administrators who install and manage the
HiPath Wireless Controller, Access Points and Convergence Software system.
Any administrator performing tasks described in this guide must have an account
with administrative privileges.
1.2 What is in this guide
This guide contains the following:
•
Chapter 1, “About this Guide”, describes the target audience and content of
the guide, the formatting conventions used in it, and how to provide feedback
on the guide.
•
Chapter 2, “Overview of the HiPath Wireless Controller, Access Points and
Convergence Software solution”, provides an overview of the product, its
features and functionality.
•
Chapter 3, “Configuring the HiPath Wireless Controller”, describes how to
perform the installation, first time setup and configuration of the HiPath
Wireless Controller, as well as configuring the data ports and defining routing.
•
Chapter 4, “Configuring the Wireless AP”, describes how to install the
Wireless AP, how it discovers and registers with the HiPath Wireless
Controller, and how to view and modify radio configuration.
•
Chapter 5, “Virtual Network Services concepts”, provides an overview of
Virtual Network Services (VNS), the mechanism by which the HiPath
Wireless Controller, Access Points and Convergence Software controls and
manages network access.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
11
hwc_pref.fm
About this Guide
What is in this guide
12
•
Chapter 6, “Configuring a VNS”, provides detailed instructions in how to
configure a VNS, either using the Wizards or by manually creating the
component parts of a VNS.
•
Chapter 7, “Availability and session availability”, describes how to set up the
features that maintain service availability in the event of a HiPath Wireless
Controller failover.
•
Chapter 8, “Configuring Mobility”, describes how to set up the mobility domain
that provides mobility for a wireless device user when the user roams from
one Wireless AP to another in the mobility domain.
•
Chapter 9, “Working with third-party APs”, describes how to use the
Controller, Access Points and Convergence Software features with third-party
wireless access points.
•
Chapter 10, “Working with the Mitigator”, describes the security tool that
scans for, detects, and reports on rogue APs.
•
Chapter 11, “Working with reports and displays”, describes the various
reports and displays available in the HiPath Wireless Controller, Access
Points and Convergence Software system.
•
Chapter 12, “Performing system administration”, describes system
administration activities, such as performing Wireless AP client management,
defining management users, configuring the network time, and configuring
Web session timeouts.
•
Chapter 13, “Glossary”, contains a list of terms and definitions for the HiPath
Wireless Controller and the Wireless AP as well as standard industry terms
used in this guide.
•
Appendix A, describes the physical description and LED states of the HiPath
Wireless Controller.
•
Appendix B, provides the regulatory information for the HiPath Wireless
Controller and the HiPath Wireless Access Points (APs).
•
Appendix C, describes how to configure the WL2 phone.
•
Appendix D, describes how to configure NetLink Wireless Telephones and
WLAN infrastructure products.
•
Appendix E, provides the default GuestPortal ticket page source code.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_pref.fm
About this Guide
Formatting conventions
1.3 Formatting conventions
The HiPath Wireless Controller, Access Points and Convergence Software
documentation uses the following formatting conventions to make it easier to find
information and follow procedures:
•
Bold text is used to identify components of the management interface, such
as menu items and section of pages, as well as the names of buttons and text
boxes.
For example: Click Logout.
•
Monospace font is used in code examples and to indicate text that you type.
For example: Type https://[:mgmt-port>]
•
The following notes are used to draw your attention to additional information:
Note: Notes identify useful information, such as reminders, tips, or other ways to
perform a task.
Caution: Cautionary notes identify essential information, which if ignored can
adversely affect the operation of your equipment or software.
Warning: Warning notes identify essential information, which if ignored can lead
to personal injury or harm.
1.4 Additional documentation
For additional HiPath Wireless documentation, see the HiPath Wireless
documentation at
http://www.enterasys.com/support/manuals
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
13
hwc_pref.fm
About this Guide
Getting Help
1.5 Getting Help
For additional support related to the product or this document, contact Enterasys
Networks using one of the following methods:
World Wide Web
www.enterasys.com/support
Phone
1-800-872-8440 (toll-free in U.S. and Canada)
or 1-978-684-1000
To find the Enterasys Networks Support toll-free number in your
country: www.enterasys.com/support
Internet mail
support@enterasys.com
To expedite your message, type HiPath Wireless in the subject line
To send comments concerning this document to the Technical Publications Department:
techpubs@enterasys.com
Please include the document part number in your email message.
Before contacting Enterasys Networks for technical support, have the following
information ready:
•
Your Enterasys Networks service contract number
•
A description of the failure
•
A description of any action(s) already taken to resolve the problem (for
example, changing mode switches or rebooting the unit)
•
The serial and revision numbers of all involved Enterasys Networks products
in the network
•
A description of your network environment (such as layout, cable type, other
relevant environmental information)
•
Network load and frame size at the time of trouble (if known)
•
The device history (for example, if you have returned the device before, or if
this a recurring problem)
•
Any previous Return Material Authorization (RMA) numbers
1.6 Safety Information
Dangers
14
•
Replace the power cable immediately if it shows any sign of damage.
•
Replace any damaged safety equipment (covers, labels and protective
cables) immediately.
•
Use only original accessories or components approved for the system.
Failure to observe these instructions may damage the equipment or even
violate safety and EMC regulations.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_pref.fm
About this Guide
Safety Information
•
Only authorized Siemens service personnel are permitted to service the
system.
Warnings
•
This device must not be connected to a LAN segment with outdoor wiring.
•
Ensure that all cables are run correctly to avoid strain.
•
Replace the power supply adapter immediately if it shows any sign of
damage.
•
Disconnect all power before working near power supplies unless otherwise
instructed by a maintenance procedure.
•
Exercise caution when servicing hot swappable HiPath Wireless Controller
components: power supplies or fans. Rotating fans can cause serious
personal injury.
•
This unit may have more than one power supply cord. To avoid electrical
shock, disconnect all power supply cords before servicing. In the case of unit
failure of one of the power supply modules, the module can be replaced
without interruption of power to the HiPath Wireless Controller. However, this
procedure must be carried out with caution. Wear gloves to avoid contact with
the module, which will be extremely hot.
•
There is a risk of explosion if a lithium battery is not correctly replaced. The
lithium battery must be replaced only by an identical battery or one
recommended by the manufacturer.
•
Always dispose of lithium batteries properly.
•
Do not attempt to lift objects that you think are too heavy for you.
Cautions
•
Check the nominal voltage set for the equipment (operating instructions and
type plate). High voltages capable of causing shock are used in this
equipment. Exercise caution when measuring high voltages and when
servicing cards, panels, and boards while the system is powered on.
•
Only use tools and equipment that are in perfect condition. Do not use
equipment with visible damage.
•
To protect electrostatic sensitive devices (ESD), wear a wristband before
carrying out any work on hardware.
•
Lay cables so as to prevent any risk of them being damaged or causing
accidents, such as tripping.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
15
hwc_pref.fm
About this Guide
Sicherheitshinweise
1.7 Sicherheitshinweise
Gefahrenhinweise
•
Sollte das Netzkabel Anzeichen von Beschädigungen aufweisen, tauschen
Sie es sofort aus.
•
Tauschen Sie beschädigte Sicherheitsausrüstungen (Abdeckungen,
Typenschilder und Schutzkabel) sofort aus.
•
Verwenden Sie ausschließlich Originalzubehör oder systemspezifisch
zugelassene Komponenten. Die Nichtbeachtung dieser Hinweise kann zur
Beschädigung der Ausrüstung oder zur Verletzung von Sicherheits- und
EMV-Vorschriften führen.
•
Das System darf nur von autorisiertem Siemens-Servicepersonal gewartet
werden.
Warnhinweise
16
•
Dieses Gerät darf nicht über Außenverdrahtung an ein LAN-Segment
angeschlossen werden.
•
Stellen Sie sicher, dass alle Kabel korrekt geführt werden, um Zugbelastung
zu vermeiden.
•
Sollte das Netzteil Anzeichen von Beschädigung aufweisen, tauschen Sie es
sofort aus.
•
Trennen Sie alle Stromverbindungen, bevor Sie Arbeiten im Bereich der
Stromversorgung vornehmen, sofern dies nicht für eine Wartungsprozedur
anders verlangt wird.
•
Gehen Sie vorsichtig vor, wenn Sie an Hotswap-fähigen HiPath Wireless
Controller-Komponenten (Stromversorgungen oder Lüftern) Servicearbeiten
durchführen. Rotierende Lüfter können ernsthafte Verletzungen verursachen.
•
Dieses Gerät ist möglicherweise über mehr als ein Netzkabel angeschlossen.
Um die Gefahr eines elektrischen Schlages zu vermeiden, sollten Sie vor
Durchführung von Servicearbeiten alle Netzkabel trennen. Falls eines der
Stromversorgungsmodule ausfällt, kann es ausgetauscht werden, ohne die
Stromversorgung zum HiPath Wireless Controller zu unterbrechen. Bei
dieser Prozedur ist jedoch mit Vorsicht vorzugehen. Das Modul kann extrem
heiß sein. Tragen Sie Handschuhe, um Verbrennungen zu vermeiden.
•
Bei unsachgemäßem Austausch der Lithium-Batterie besteht
Explosionsgefahr. Die Lithium-Batterie darf nur durch identische oder vom
Händler empfohlene Typen ersetzt werden.
•
Achten Sie bei Lithium-Batterien auf die ordnungsgemäße Entsorgung.
•
Versuchen Sie niemals, ohne Hilfe schwere Gegenstände zu heben.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_pref.fm
About this Guide
Consignes de sécurité
Vorsichtshinweise
•
Überprüfen Sie die für die Ausrüstung festgelegte Nennspannung
(Bedienungsanleitung und Typenschild). Diese Ausrüstung arbeitet mit
Hochspannung, die mit der Gefahr eines elektrischen Schlages verbunden
ist. Gehen Sie mit großer Vorsicht vor, wenn Sie bei eingeschaltetem System
Hochspannungen messen oder Karten, Schalttafeln und Baugruppen warten.
•
Verwenden Sie nur Werkzeuge und Ausrüstung in einwandfreiem Zustand.
Verwenden Sie keine Ausrüstung mit sichtbaren Beschädigungen.
•
Tragen Sie bei Arbeiten an Hardwarekomponenten ein Armband, um
elektrostatisch gefährdete Bauelemente (EGB) vor Beschädigungen zu
schützen.
•
Verlegen Sie Leitungen so, dass sie keine Unfallquelle (Stolpergefahr) bilden
und nicht beschädigt werden.
1.8 Consignes de sécurité
Dangers
•
Si le cordon de raccordement au secteur est endommagé, remplacez-le
immédiatement.
•
Remplacez sans délai les équipements de sécurité endommagés (caches,
étiquettes et conducteurs de protection).
•
Utilisez uniquement les accessoires d'origine ou les modules agréés
spécifiques au système. Dans le cas contraire, vous risquez d'endommager
l'installation ou d'enfreindre les consignes en matière de sécurité et de
compatibilité électromagnétique.
•
Seul le personnel de service Siemens est autorisé à maintenir/réparer le
système.
Avertissements
•
Cet appareil ne doit pas être connecté à un segment de LAN à l'aide d'un
câblage extérieur.
•
Vérifiez que tous les câbles fonctionnent correctement pour éviter une
contrainte excessive.
•
Si l'adaptateur d'alimentation présente des dommages, remplacez-le
immédiatement.
•
Coupez toujours l'alimentation avant de travailler sur les alimentations
électriques, sauf si la procédure de maintenance mentionne le contraire.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
17
hwc_pref.fm
About this Guide
Consignes de sécurité
•
Prenez toutes les précautions nécessaires lors de l'entretien/réparations des
modules du HiPath Wireless Controller pouvant être branchés à chaud :
alimentations électriques ou ventilateurs.Les ventilateurs rotatifs peuvent
provoquer des blessures graves.
•
Cette unité peut avoir plusieurs cordons d'alimentation.Pour éviter tout choc
électrique, débranchez tous les cordons d'alimentation avant de procéder à
la maintenance.En cas de panne d'un des modules d'alimentation, le module
défectueux peut être changé sans éteindre le HiPath Wireless Controller.
Toutefois, ce remplacement doit être effectué avec précautions. Portez des
gants pour éviter de toucher le module qui peut être très chaud.
•
Le remplacement non conforme de la batterie au lithium peut provoquer une
explosion. Remplacez la batterie au lithium par un modèle identique ou par
un modèle recommandé par le revendeur.
•
Sa mise au rebut doit être conforme aux prescriptions en vigueur.
•
N'essayez jamais de soulever des objets qui risquent d'être trop lourds pour
vous.
Précautions
18
•
Contrôlez la tension nominale paramétrée sur l'installation (voir le mode
d'emploi et la plaque signalétique). Des tensions élevées pouvant entraîner
des chocs électriques sont utilisées dans cet équipement. Lorsque le
système est sous tension, prenez toutes les précautions nécessaires lors de
la mesure des hautes tensions et de l'entretien/réparation des cartes, des
panneaux, des plaques.
•
N'utilisez que des appareils et des outils en parfait état. Ne mettez jamais en
service des appareils présentant des dommages visibles.
•
Pour protéger les dispositifs sensibles à l'électricité statique, portez un
bracelet antistatique lors du travail sur le matériel.
•
Acheminez les câbles de manière à ce qu'ils ne puissent pas être
endommagés et qu'ils ne constituent pas une source de danger (par
exemple, en provoquant la chute de personnes).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
2 Overview of the HiPath Wireless Controller, Access
Points and Convergence Software solution
This chapter describes HiPath Wireless Controller, Access Points and
Convergence Software concepts, including:
•
Conventional wireless LANs
•
Elements of the HiPath Wireless Controller, Access Points and Convergence
Software solution
•
HiPath Wireless Controller, Access Points and Convergence Software and
your network
The next generation of Siemens wireless networking devices provides a truly
scalable WLAN solution. Siemens Wireless APs are fit access points controlled
through a sophisticated network device, the HiPath Wireless Controller. This
solution provides the security and manageability required by enterprises and
service providers.
The HiPath Wireless Controller, Access Points and Convergence Software
system is a highly scalable Wireless Local Area Network (WLAN) solution
developed by Siemens. Based on a third generation WLAN topology, the
Controller, Access Points and Convergence Software system makes wireless
practical for service providers as well as medium and large-scale enterprises.
The HiPath Wireless Controller, Access Points and Convergence Software
system provides a secure, highly scalable, cost-effective solution based on the
IEEE 802.11 standard. The system is intended for enterprise networks operating
on multiple floors in more than one building, and is ideal for public environments,
such as airports and convention centers that require multiple access points.
This chapter provides an overview of the fundamental principles of the HiPath
Wireless Controller, Access Points and Convergence Software system.
The HiPath Wireless system
The HiPath Wireless Controller is a network device designed to integrate with an
existing wired Local Area Network (LAN). The rack-mountable HiPath Wireless
Controller provides centralized management, network access, and routing to
wireless devices that use Wireless APs to access the network. It can also be
configured to handle data traffic from third-party access points.
The HiPath Wireless Controller provides the following functionality:
•
Controls and configures Wireless APs, providing centralized management
•
Authenticates wireless devices that contact a Wireless AP
•
Assigns each wireless device to a VNS when it connects
•
Routes traffic from wireless devices, using VNS, to the wired network
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
19
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Conventional wireless LANs
•
Applies filtering policies to the wireless device session
•
Provides session logging and accounting capability
2.1 Conventional wireless LANs
Wireless communication between multiple computers requires that each
computer is equipped with a receiver/transmitter—a WLAN Network Interface
Card (NIC)—capable of exchanging digital information over a common radio
frequency. This is called an ad hoc network configuration. An ad hoc network
configuration allows wireless devices to communicate together. This setup is
defined as an independent basic service set (IBSS).
An alternative to the ad hoc configuration is the use of an access point. This may
be a dedicated hardware bridge or a computer running special software.
Computers and other wireless devices communicate with each other through this
access point. The 802.11 standard defines access point communications as
devices that allow wireless devices to communicate with a distribution system.
This setup is defined as a basic service set (BSS) or infrastructure network.
To allow the wireless devices to communicate with computers on a wired network,
the access points must be connected to the wired network providing access to the
networked computers. This topology is called bridging. With bridging, security
and management scalability is often a concern.
20
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Conventional wireless LANs
RADIUS
Authentication
Server
DCHP Server
Ethernet
Router/Switch
Wireless AP
Wireless AP
Ethernet
Wireless
Devices
Wireless
Devices
Figure 1
Standard wireless network solution example
The wireless devices and the wired networks communicate with each other using
standard networking protocols and addressing schemes. Most commonly,
Internet Protocol (IP) addressing is used.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
21
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
2.2 Elements of the HiPath Wireless Controller, Access Points and
Convergence Software solution
The HiPath Wireless Controller, Access Points and Convergence Software
solution consists of two devices:
•
HiPath Wireless Controller
•
Wireless APs
This architecture allows a single HiPath Wireless Controller to control many
Wireless APs, making the administration and management of large networks
much easier.
There can be several HiPath Wireless Controllers in the network, each with a set
of registered Wireless APs. The HiPath Wireless Controllers can also act as
backups to each other, providing stable network availability.
In addition to the HiPath Wireless Controllers and Wireless APs, the solution
requires three other components, all of which are standard for enterprise and
service provider networks:
22
•
RADIUS Server (Remote Access Dial-In User Service) or other
authentication server
•
DHCP Server (Dynamic Host Configuration Protocol). If you do not have a
DHCP Server on your network, you can enable the local DHCP Server on the
HiPath Wireless Controller. The local DHCP Server is useful as a general
purpose DHCP Server for small subnets. For more information, see Step 10
of Section 3.4.3, “Setting up the data ports”, on page 55.
•
SLP (Service Location Protocol)
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
RADIUS
Authentication
Server
DCHP Server
HiPath Wireless
Controller
Ethernet
Router/Switch
Wireless AP
Wireless AP
Ethernet
Wireless
Devices
Wireless
Devices
Figure 2
Siemens HiPath Wireless Controller solution
As illustrated in Figure 2, the HiPath Wireless Controller appears to the existing
network as if it were an access point, but in fact one HiPath Wireless Controller
controls many Wireless APs. The HiPath Wireless Controller has built-in
capabilities to recognize and manage the Wireless APs. The HiPath Wireless
Controller:
•
Activates the Wireless APs
•
Enables Wireless APs to receive wireless traffic from wireless devices
•
Processes the data traffic from the Wireless APs
•
Forwards or routes the processed data traffic out to the network
•
Authenticates requests and applies access policies
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
23
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
Simplifying the Wireless APs makes them cost-effective, easy to manage, and
easy to deploy. Putting control on an intelligent centralized HiPath Wireless
Controller enables:
•
Centralized configuration, management, reporting, and maintenance
•
High security
•
Flexibility to suit enterprise
•
Scalable and resilient deployments with a few HiPath Wireless Controllers
controlling hundreds of Wireless APs
The HiPath Wireless Controller, Access Points and Convergence Software
system:
•
Scales up to Enterprise capacity – HiPath Wireless Controllers are
scalable:
•
C5110 – Up to 525 APs
•
C4110 – Up to 250 APs
•
C2400 – Up to 200 APs
•
C20 – Up to 32 APs
•
C20N – Up to 32 APs
•
CRBT8210 – Up to 72 APs
•
CRBT8110 – Up to 24 APs
In turn, each Wireless AP can handle up to 254 wireless devices, with each
radio supporting a maximum of 127. With additional HiPath Wireless
Controllers, the number of wireless devices the solution can support can
reach into the thousands.
•
Integrates with existing network – A HiPath Wireless Controller can be
added to an existing enterprise network as a new network device, greatly
enhancing its capability without interfering with existing functionality.
Integration of the HiPath Wireless Controllers and Wireless APs does not
require any re-configuration of the existing infrastructure (for example,
VLANs).
•
Integrates with the Enterasys NetSight Suite of products. For more
information, see Section 2.2.1, “Enterasys NetSight Suite integration”, on
page 26.
Plug-in applications include:
24
•
Automated Security Manager
•
Inventory Manager
•
NAC Manager
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
•
Policy Control Console
•
Policy Manager
•
Offers centralized management and control – An administrator accesses
the HiPath Wireless Controller in its centralized location to monitor and
administer the entire wireless network. From the HiPath Wireless Controller
the administrator can recognize, configure, and manage the Wireless APs
and distribute new software releases.
•
Provides easy deployment of Wireless APs – The initial configuration of
the Wireless APs on the centralized HiPath Wireless Controller can be done
with an automatic “discovery” technique. For more information, see Section
4.2, “Discovery and registration overview”, on page 107.
•
Provides security via user authentication – Uses existing authentication
(AAA) servers to authenticate and authorize users.
•
Provides security via filters and privileges – Uses virtual networking
techniques to create separate virtual networks with defined authentication
and billing services, access policies, and privileges.
•
Supports seamless mobility and roaming – Supports seamless roaming of
a wireless device from one Wireless AP to another on the same HiPath
Wireless Controller or on a different HiPath Wireless Controller.
•
Integrates third-party access points – Uses a combination of network
routing and authentication techniques.
•
Prevents rogue devices – Unauthorized access points are detected and
identified as harmless or dangerous rogue APs.
•
Provides accounting services – Logs wireless user sessions, user group
activity, and other activity reporting, enabling the generation of consolidated
billing records.
•
Offers troubleshooting capability – Logs system and session activity and
provides reports to aid in troubleshooting analysis.
•
Offers dynamic RF management – Automatically selects channels and
adjusts Radio Frequency (RF) signal propagation and power levels without
user intervention.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
25
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
Elements of the HiPath Wireless Controller, Access Points and Convergence Software solution
2.2.1 Enterasys NetSight Suite integration
The HiPath Wireless Controller, Access Points and Convergence Software
solution now integrates with the Enterasys NetSight Suite of products. The
Enterasys NetSight Suite of products provides a collection of tools to help you
manage networks. Its client/server architecture lets you manage your network
from a single workstation or, for networks of greater complexity, from one or more
client workstations. It is designed to facilitate specific network management tasks
while sharing data and providing common controls and a consistent user
interface. For more information, see http://www.enterasys.com/products/visibilitycontrol/index.aspx
The NetSight Suite is a family of products comprised of NetSight Console and a
suite of plug-in applications, including:
•
Automated Security Manager – Automated Security Manager is a unique
threat response solution that translates security intelligence into security
enforcement. It provides sophisticated identification and management of
threats and vulnerabilities. For information on how the HiPath Wireless
Controller, Access Points and Convergence Software solution integrates with
the Automated Security Manager application, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance Guide.
•
Inventory Manager – Inventory Manager is a tool for efficiently documenting
and updating the details of the ever-changing network. For information on
how the HiPath Wireless Controller, Access Points and Convergence
Software solution integrates with the Automated Security Manager
application, see the HiPath Wireless Controller, Access Points and
Convergence Software Maintenance Guide.
•
NAC Manager – NAC Manager is a leading-edge NAC solution to ensure
only the right users have access to the right information from the right place
at the right time. The Enterasys NAC solution performs multi-user, multimethod authentication, vulnerability assessment and assisted remediation.
For information on how the HiPath Wireless Controller, Access Points and
Convergence Software solution integrates with the Enterasys NAC solution,
see Section 5.3, “NAC integration with HiPath WLAN”, on page 253.
•
Policy Manager
Policy Manager recognizes the HiPath Wireless Controller suite as policy
capable devices that accept partial configuration from Policy Manager.
Currently this integration is partial in the sense that NetSight is unable to
create WLAN services directly; The WLAN services need to be directly
provisioned on the controller and are represented to Policy Manager as
logical ports. The HiPath Wireless Controller allows Policy Manager to:
26
•
Attach Topologies (assign VLAN to port) to the HiPath Wireless Controller
physical ports (Console).
•
Attach policy to the logical ports (WLAN Service/SSID),
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
•
Assign a Default Role/Policy to a WLAN Service, thus creating the VNS.
•
Perform authentication operations which can then reference defined
policies for station-specific policy enforcement.
This can be seen as a three step process:
1. Deploy the controller and perform local configuration
–
The HiPath Wireless Controller ships with a default SSID, attached by
default to all AP radios, when enabled.
–
Use the basic installation wizard to complete the HiPath Wireless
Controller configuration.
2. Use Policy Manager to:
–
Push the VLAN list to the HiPath Wireless Controller (Topologies)
–
Attach VLANs to HiPath Wireless Controller physical ports (Console
- Complete Topology definition)
–
Push RADIUS server configuration to the HiPath Wireless Controller
–
Push policy definitions to the HiPath Wireless Controller
–
Attach the default policy to create a VNS
3. Fine tune controller settings. For example, configuring filtering at APs and
HiPath Wireless Controller for a bridged at controller or routed topologies
and associated VNSs.
Note: Complete information about integration with Policy Manager is outside
the scope of this document.
2.3 HiPath Wireless Controller, Access Points and Convergence Software
and your network
This section is a summary of the components of the HiPath Wireless Controller,
Access Points and Convergence Software solution on your enterprise network.
The following are described in detail in this guide, unless otherwise stated:
•
HiPath Wireless Controller – A rack-mountable network device that
provides centralized control over all access points and manages the network
assignment of wireless device clients associating through access points.
•
Wireless AP – A wireless LAN fit access point that communicates with a
HiPath Wireless Controller. A Wireless AP can also be configured as a
sensor, which monitors and interdicts intrusions by rogue APs and rogue
clients.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
27
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
28
•
HiPath Wireless Manager – An optional component of the solution, the
HiPath Wireless Manager monitors the performance and health of the
wireless network. The HiPath Wireless Manager is particularly valuable for
installations that incorporate more than one HiPath Wireless Controller. For
more information, see the HiPath Wireless Manager User Guide.
•
RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other
authentication server – An authentication server that assigns and manages
ID and Password protection throughout the network. Used for authentication
of the wireless users in either 802.1x or Captive Portal security modes. The
RADIUS Server system can be set up for certain standard attributes, such as
filter ID, and for the Vendor Specific Attributes (VSAs). In addition, Radius
Disconnect (RFC3576) which permits dynamic adjustment of user policy
(user disconnect) is supported.
•
DHCP Server (Dynamic Host Configuration Protocol) (RFC2131) – A server
that assigns dynamically IP addresses, gateways, and subnet masks. IP
address assignment for clients can be done by the DHCP server internal to
the HiPath Wireless Controller, or by existing servers using DHCP relay. It is
also used by the Wireless APs to discover the location of the HiPath Wireless
Controller during the initial registration process using Options 43, 60, and
Option 78. Options 43 and 60 specify the vendor class identifier (VCI) and
vendor specific information. Option 78 specifies the location of one or more
SLP Directory Agents. For SLP, DHCP should have Option 78 enabled.
•
Service Location Protocol (SLP) (SLP RFC2608) – Client applications are
User Agents and services that are advertised by a Service Agent. In larger
installations, a Directory Agent collects information from Service Agents and
creates a central repository. The Siemens solution relies on registering
“siemens” as an SLP Service Agent.
•
Domain Name Server (DNS) – A server used as an alternate mechanism (if
present on the enterprise network) for the automatic discovery process.
HiPath Wireless Controller, Access Points and Convergence Software relies
on the DNS for Layer 3 deployments and for static configuration of Wireless
APs. The controller can be registered in DNS, to provide DNS assisted AP
discovery. In addition, DNS can also be used for resolving RADIUS server
hostnames.
•
Web Authentication Server – A server that can be used for external Captive
Portal and external authentication. The HiPath Wireless Controller has an
internal Captive portal presentation page, which allows Web authentication
(Web redirection) to take place without the need for an external Captive Portal
server.
•
RADIUS Accounting Server (Remote Access Dial-In User Service)
(RFC2866) – A server that is required if RADIUS Accounting is enabled.
•
Simple Network Management Protocol (SNMP) – A Manager Server that
is required if forwarding SNMP messages is enabled.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
•
Network infrastructure – The Ethernet switches and routers must be
configured to allow routing between the various services noted above.
Routing must also be enabled between multiple HiPath Wireless Controllers
for the following features to operate successfully:
•
Availability
•
Mobility
•
Mitigator for detection of rogue access points
Some features also require the definition of static routes.
•
Web Browser – A browser provides access to the HiPath Wireless Controller
Management user interface to configure the Controller, Access Points and
Convergence Software.
•
SSH Enabled Device – A device that supports Secure Shell (SSH) is used
for remote (IP) shell access to the system.
•
Zone Integrity – The Zone integrity server enhances network security by
ensuring clients accessing your network are compliant with your security
policies before gaining access. Zone Integrity Release 5 is supported.
•
HiPath HiGuard – Provides continuous active intrusion detection and
prevention capabilities. For more information, see the HiPath HiGuard
documentation.
2.3.1 Network traffic flow
Figure 3 illustrates a simple configuration with a single HiPath Wireless Controller
and two Wireless APs, each supporting a wireless device. A RADIUS server on
the network provides authentication, and a DHCP server is used by the Wireless
APs to discover the location of the HiPath Wireless Controller during the initial
registration process. Network inter-connectivity is provided by the infrastructure
routing and switching devices.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
29
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
RADIUS
Authentication
Server
Packet transmission
DHCP
Server
External Web
Authentication
Server
External
CP Server
Control and Routing
>HWC authenticates wireless user
>HWC forwards IP packet to wired
network
Tunnelling
>AP sends data traffic to HWC
through UDP tunnel called WASSP
>HWC controls Wireless AP
through WASSP tunnel
>Using WASSP tunnels, HWC
allows wireless clients to roam to
Wireless APs on different HWCs
Router/Switch
HiPath Wireless
Controller
Wireless APs
802.11 packet transmission
802.11 beacon and probe, wireless
device associates
with a Wireless AP
by its SSID
Wireless Devices
Figure 3
Traffic Flow diagram
Each wireless device sends IP packets in the 802.11 standard to the Wireless AP.
The Wireless AP uses a UDP (User Datagram Protocol) based tunnelling
protocol. In tunneled mode of operation, it encapsulates the packets and forwards
them to the HiPath Wireless Controller. The HiPath Wireless Controller
decapsulates the packets and routes these to destinations on the network. In a
typical configuration, access points can be configured to locally bridge traffic (to
a configured VLAN) directly at their network point of attachment.
The HiPath Wireless Controller functions like a standard L3 router or L2 switch. It
is configured to route the network traffic associated with wireless connected
users. The HiPath Wireless Controller can also be configured to simply forward
traffic to a default or static route if dynamic routing is not preferred or available.
30
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
2.3.2 Network security
The HiPath Wireless Controller, Access Points and Convergence Software
system provides features and functionality to control network access. These are
based on standard wireless network security practices.
Current wireless network security methods provide protection. These methods
include:
•
Shared Key authentication that relies on Wired Equivalent Privacy (WEP)
keys
•
Open System that relies on Service Set Identifiers (SSIDs)
•
802.1x that is compliant with Wi-Fi Protected Access (WPA)
•
Captive Portal based on Secure Sockets Layer (SSL) protocol
The HiPath Wireless Controller, Access Points and Convergence Software
system provides the centralized mechanism by which the corresponding security
parameters are configured for a group of users.
•
Wired Equivalent Privacy (WEP) is a security protocol for wireless local area
networks defined in the 802.11b standard
•
Wi-Fi Protected Access version 1 (WPA1™) with Temporal Key Integrity
Protocol (TKIP)
•
Wi-Fi Protected Access version 2 (WPA2™) with Advanced Encryption
Standard (AES) and Counter Mode with Cipher Block Chaining Message
Authentication Code (CCMP)
HiPath HiGuard
The HiPath HiGuard solution provides network security, including:
•
Monitoring – 2.4 GHz and 5 GHz, all channels association activity
•
Identifying – Detect all Wi-Fi activity and correlate information from multiple
sensors
•
Auto-Classifying – Limit user intervention to maximize the protection of all
devices from all threats
•
Preventing – Automatically block threats through dedicated sensors to
prevent any impact on the service level
•
Visualizing – Visualize measured coverage for service, detection, and
prevention
•
Locating – Identify the position of rogue APs and clients on the floor-plan for
permanent removal
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
31
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
2.3.2.1 Authentication
The HiPath Wireless Controller relies on a RADIUS server, or authentication
server, on the enterprise network to provide the authentication information
(whether the user is to be allowed or denied access to the network). A RADIUS
client is implemented to interact with infrastructure RADIUS servers.
The HiPath Wireless Controller provides authentication using:
•
Captive Portal – a browser-based mechanism that forces users to a Web
page
•
RADIUS (using IEEE 802.1x)
The 802.1x mechanism is a standard for authentication developed within the
802.11 standard. This mechanism is implemented at the wireless Port, blocking
all data traffic between the wireless device and the network until authentication is
complete. Authentication by 802.1x standard uses Extensible Authentication
Protocol (EAP) for the message exchange between the HiPath Wireless
Controller and the RADIUS server.
When 802.1x is used for authentication, the HiPath Wireless Controller provides
the capability to dynamically assign per-wireless-device WEP keys (called per
session WEP keys in 802.11). In the case of WPA, the HiPath Wireless Controller
is not involved in key assignment. Instead, the controller is involved in the
information exchange between RADIUS server and the user’s wireless device to
negotiate the appropriate set of keys. With WPA2 the material exchange
produces a Pairwise Master Key which is used by the AP and the user to derive
their temporal keys. (The keys change over time.)
The HiPath Wireless Controller, Access Points and Convergence Software
solution provide a RADIUS redundancy feature that enables you to define a
failover RADIUS server in the event that the active RADIUS server becomes
unresponsive.
2.3.2.2 Privacy
Privacy is a mechanism that protects data over wireless and wired networks,
usually by encryption techniques.
HiPath Wireless Controller, Access Points and Convergence Software supports
the Wired Equivalent Privacy (WEP) standard common to conventional access
points.
It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on
Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The
most secure encryption mechanism is WPA version 2, using Advanced
Encryption Standard (AES).
32
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
2.3.3 Virtual Network Services
Virtual Network Services (VNS) provide a versatile method of mapping wireless
networks to the topology of an existing wired network.
In releases prior to V7.0, a VNS was a collection of operational entities. Starting
with Release V7.0, a VNS becomes the binding of reusable components:
•
WLAN Service components that define the radio attributes, privacy and
authentication settings, and QoS attributes of the VNS
•
Policy components that define the topology (typically a VLAN), filter rules,
and Class of Service applied to the traffic of a station.
Figure 4 illustrates the transition of the concept of a VNS to a binding of reusable
components.
Figure 4
VNS as a binding of reusable components
WLAN Service components and Policy components can be configured separately
and associated with a VNS when the VNS is created or modified. Alternatively,
they can be configured during the process of creating a VNS.
Additionally, Policies can be created using the Enterasys NetSight Policy
Manager and pushed to the HiPath Wireless Controller. Policy assignment
ensures that the correct topology and traffic behavior are applied to a user
regardless of WLAN service used or VNS assignment.
When VNS components are set up on the HiPath Wireless Controller, among
other things, a range of IP addresses is set aside for the HiPath Wireless
Controller’s DHCP server to assign to wireless devices.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
33
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
If the OSPF routing protocol is enabled, the HiPath Wireless Controller advertises
the routed topologies as reachable segments to the wired network infrastructure.
The controller routes traffic between the wireless devices and the wired network.
The HiPath Wireless Controller also supports VLAN-bridged assignment for
VNSs. This allows the controller to directly bridge the set of wireless devices
associated with a WLAN service directly to a specified core VLAN.
Each HiPath Wireless Controller model can support a specified number of active
VNSs, as listed below:
•
C5110 – Up to 128 VNSs
•
C4110 – Up to 64 VNSs
•
C2400 – Up to 64 VNSs
•
C20 – Up to 8 VNSs
•
C20N – Up to 8 VNSs
•
CRBT8210 – Up to 16 VNSs
•
CRBT8110 – Up to 8 VNSs
The Wireless AP radios can be assigned to each of the configured WLAN
services and, therefore, VNSs in a system. Each Wireless AP can be the subject
of 16 service assignments — 8 assignments per radio — which corresponds to
the number of SSIDs it can support. Once a radio has all 8 slots assigned, it is no
longer eligible for further assignment.
2.3.4 VNS components
The distinct constituent high-level configurable umbrella elements of a VNS are:
•
Topology
•
Policy
•
WLAN Services
2.3.4.1 Topology
Topologies represent the networks with which the HiPath Wireless Controller and
its APs interacts. The main configurable attributes of a topology are:
34
•
Name - a string of alphanumeric characters designated by the administrator.
•
VLAN ID - the VLAN identifier as specified in the IEEE 802.1Q definition.
•
VLAN tagging options.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
•
Port of presence for the topology on the HiPath Wireless Controller. (This
attribute is not required for Routed and Bridged at AP topologies.)
•
Interface. This attribute is the IP (L3) address assigned to the HiPath Wireless
Controller on the network described by the topology. (Optional.)
•
Type. This attribute describes how traffic is forwarded on the topology.
Options are:
–
“Physical” - the topology is the native topology of a data plane and it
represents the actual Ethernet ports
–
“Management” - the native topology of the HiPath Wireless Controller
management port
–
“Routed” - the controller is the routing gateway for the routed topology.
–
“Bridged at Controller” - the user traffic is bridged (in the L2 sense)
between wireless clients and the core network infrastructure.
–
“Bridged at AP” - the user traffic is bridged locally at the AP without being
redirected to the HiPath Wireless Controller.
•
Exception Filters. Specifies which traffic has access to the HiPath Wireless
Controller from the wireless clients or the infrastructure network.
•
Certificates.
•
Multicast filters. Defines the multicast groups that are allowed on a specific
topology segment.
2.3.4.2 Policy
A Policy is a collection of attributes and rules that determine actions taken user
traffic accesses the wired network through the WLAN service (associated to the
WLAN Service's SSID). Depending upon its type, a VNS can have between 1 and
3 Authorization Policies associated with it:
1. Default non-authorized policy — This is a mandatory policy that covers all
traffic from stations that have not authenticated. At the administrator's
discretion the default non-authorized policy can be applied to the traffic of
authenticated stations as well.
2. Default authorized policy — This is a mandatory policy that applies to the
traffic of authenticated stations for which no other policy was explicitly
specified. It can be the same as the default non-authorized policy.
3. Third party AP policy — This policy applies to the list of MAC addresses
corresponding to the wired interfaces of third party APs specifically defined
by the administrator to be providing the RF access as an AP WLAN Service.
This policy is only relevant when applied to third party AP WLAN Services.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
35
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
As mentioned previously, policies can be configured using the NetSight Policy
Manager and pushed to the HiPath Wireless Controller, or they can be configured
directly on the controller. When using Policy Manager, you should note that the
HiPath Wireless Controller implements most of the Policy Manager concept of
Policy except for QoS assignment. The HiPath Wireless Controller implements
per policy inbound and outbound rate limits, but not policy-based DSCP
remarking or queue assignment.
2.3.4.3 WLAN Services
A WLAN Service represents all the RF, authentication and QoS attributes of a
wireless access service offered by the HiPath Wireless Controller and its APs. A
WLAN Service can be one of three basic types:
•
Standard — A conventional service. Only APs running HiPath Wireless
software can be part of this WLAN Service. This type of service is usable as
a Bridged at Controller, Bridged at AP, or Routed Topology. This type of
service provides access for mobile stations. Policies can be associated with
this type of WLAN service to create a VNS.
•
Third Party AP — A Wireless Service offered by third party APs. This type of
service provides access for mobile stations. Policies can be assigned to this
type of WLAN service to create a VNS.
•
WDS — This represent a group of APs organized into a hierarchy for
purposes of providing a Wireless Distribution Service. This type of service is
in essence a wireless trunking service rather than a service that provides
access for stations. As such, this type of service cannot have policies
attached to it.
In release V7.0, the components of a WLAN Service map to the corresponding
components of a VNS in previous releases. The exception is that WLAN Services
are not classified as SSID-based or AAA-based, as was the case in previous
releases. Instead, the administrator makes an explicit choice of the type of
authentication to use on the WLAN Service. If his choice of authentication option
conflicts with any of his other authentication or privacy choices, the WLAN
Service cannot be enabled.
2.3.5 Static routing and routing protocols
Routing can be used on the HiPath Wireless Controller to support the VNS
definitions. Through the user interface you can configure routing on the HiPath
Wireless Controller to use one of the following routing techniques:
•
36
Static routes – Use static routes to set the default route of a HiPath Wireless
Controller so that legitimate wireless device traffic can be forwarded to the
default gateway.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
•
Open Shortest Path First (OSPF, version 2) (RFC2328) – Use OSPF to
allow the HiPath Wireless Controller to participate in dynamic route selection.
OSPF is a protocol designed for medium and large IP networks with the ability
to segment routes into different areas by routing information summarization
and propagation. Static Route definition and OSPF dynamic learning can be
combined, and the precedence of a static route definition over dynamic rules
can be configured by selecting or clearing the Override dynamic routes
option checkbox.
•
Next-hop routing – Use next-hop routing to specify a unique gateway to
which traffic on a VNS is forwarded. Defining a next-hop for a VNS forces all
the traffic in the VNS to be forwarded to the indicated network device,
bypassing any routing definitions of the controller's route table.
2.3.6 Mobility and roaming
In typical simple configurations, APs are setup as bridges that bridge wireless
traffic to the local subnet. In bridging configurations, the user obtains an IP
address from the same subnet as the AP, assuming no VLAN trunking
functionality. If the user roams between APs on the same subnet, it is able to keep
using the same IP address. However, if the user roams to another AP outside of
that subnet, its IP address is no longer valid. The user's client device must
recognize that the IP address it has is no longer valid and re-negotiate a new one
on the new subnet. This mechanism does not mandate any action on the user.
The recovery procedure is entirely client device dependent. Some clients
automatically attempt to obtain a new address on roam (which affects roaming
latency), while others will hold on to their IP address. This loss of IP address
continuity seriously affects the client's experience in the network, because in
some cases it can take minutes for a new address to be negotiated.
The HiPath Wireless Controller, Access Points and Convergence Software
solution centralizes the user's network point of presence, therefore abstracting
and decoupling the user's IP address assignment from that of the APs location
subnet. That means that the user is able to roam across any AP without loosing
its own IP address, regardless of the subnet on which the serving APs are
deployed.
In addition, a HiPath Wireless Controller can learn about other HiPath Wireless
Controllers on the network and then exchange client session information. This
enables a wireless device user to roam seamlessly between different Wireless
APs on different HiPath Wireless Controllers.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
37
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller, Access Points and Convergence Software and your network
2.3.7 Network availability
The HiPath Wireless Controller, Access Points and Convergence Software
solution provides availability against Wireless AP outages, HiPath Wireless
Controller outages, and even network outages. The HiPath Wireless Controller in
a VLAN bridged topology can potentially allow the user to retain the IP address in
a failover scenario, if the VNS/VLAN is common to both controllers. For example,
availability is provided by defining a paired controller configuration by which each
peer can act as the backup controller for the other's APs. APs in one controller
are allowed to failover and register with the alternate controller.
If a HiPath Wireless Controller fails, all of its associated Wireless APs can
automatically switch over to another HiPath Wireless Controller that has been
defined as the secondary or backup HiPath Wireless Controller. If the AP reboots,
the original HiPath Wireless Controller is restored. The original HiPath Wireless
Controller is restored if it is active. However, active APs will continue to be
attached to the failover controller until the administrator releases them back to the
original home controller.
2.3.8 Quality of Service (QoS)
HiPath Wireless Controller, Access Points and Convergence Software solution
provides advanced Quality of Service (QoS) management to provide better
network traffic flow. Such techniques include:
38
•
WMM (Wi-Fi Multimedia) – WMM is enabled per WLAN service. The HiPath
Wireless Controller provides centralized management of the AP features. For
devices with WMM enabled, the standard provides multimedia
enhancements for audio, video, and voice applications. WMM shortens the
time between transmitting packets for higher priority traffic. WMM is part of
the 802.11e standard for QoS. In the context of the HiPath Wireless Solution,
the ToS/DSCP field is used for classification and proper class of service
mapping, output queue selection, and priority tagging.
•
IP ToS (Type of Service) or DSCP (Diffserv Codepoint) – The ToS/DSCP
field in the IP header of a frame indicates the priority and class of service for
each frame. The IP TOS and/or DSCP is maintained and transported within
CTP (CAPWAP Tunneling Protocol) by copying the user IP QoS information
to the CTP header—this is referred to as Adaptive QoS.
•
Rate Control – Rate Control for user traffic can also be considered as an
aspect of QoS. As part of Policy definition, the user can specify (default)
policy that includes Ingress and Egress rate control. Ingress rate control
applies to traffic generated by wireless clients and Egress rate control applies
to traffic targeting specific wireless clients. The bit-rates can be configured as
part of globally available profiles which can be used by any particular
configuration. A global default is also defined.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller product family
Quality of Service (QoS) management is also provided by:
•
Assigning high priority to a WLAN service
•
Adaptive QoS (automatic and all time feature)
•
Support for legacy devices that use SpectraLink Voice Protocol (SVP) for
prioritizing voice traffic (configurable)
2.4 HiPath Wireless Controller product family
The HiPath Wireless Controller is available in the following product families:
HiPath Wireless Controller
Model Number
Specifications
C5110
• Three data ports supporting up to 525 Wireless APs
– 2 fiber optic SR (10Gbps)
– 1 Ethernet port GigE
• One management port (Ethernet) GigE
• One console port (DB9 serial)
• Four USB ports — two on each front and back panel
(only one active at a time)
• Redundant dual power supply unit
C4110
•
•
•
•
•
Four GigE ports supporting up to 250 Wireless APs
One management port (Ethernet) GigE
One console port (DB9 serial)
Four USB ports (only one active at a time)
Redundant dual power supply unit
C2400
•
•
•
•
Four GigE ports supporting up to 200 Wireless APs
One management port (10/100 BaseT)
One console port (DB9 serial)
Redundant dual power supply unit
C20
•
•
•
•
•
Two GigE ports supporting up to 32 Wireless APs
One management port GigE
One console port (USB control)
One USB port
Power supply standard (R)
C20N
•
•
•
•
Two GigE ports supporting up to 32 Wireless APs
One management port GigE
One console port (DB9 serial)
One USB port
CRBT8210
• One GigE ports supporting up to 72 Wireless APs
• One management port (10/100 Base)
• One console port (DB9 serial)
CRBT8110
•
•
•
•
Table 1
One GigE ports supporting up to 24 Wireless APs
One management port (10/100 Base)
One console port (DB9 serial)
One USB port
HiPath Wireless Controller product families
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
39
hwc_intro.fm
Overview of the HiPath Wireless Controller, Access Points and Convergence Software solution
HiPath Wireless Controller product family
40
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
System configuration overview
3 Configuring the HiPath Wireless Controller
This chapter describes the steps involved in the initial configuration and setup, of
the HiPath Wireless Controller, including:
•
System configuration overview
•
Logging on to the HiPath Wireless Controller
•
Working with the basic installation wizard
•
Configuring the HiPath Wireless Controller for the first time
•
Using an AeroScout location based solution
•
Additional ongoing operations of the system
3.1 System configuration overview
The following section provides a high-level overview of the steps involved in the
initial configuration of your system:
1. Before you begin the configuration process, research the type of WLAN
deployment that is required. For example, topology and VLAN IDs, SSIDs,
security requirements, and filter policies.
2. Prepare the network servers. Ensure that the external servers, such as DHCP
and RADIUS servers (if applicable) are available and appropriately
configured.
3. Install the HiPath Wireless Controller. For more information, see the
documentation for your HiPath Wireless Controller.
If you are deploying the HiPath Wireless Controller C20N, use the DFE CLI
to configure the VLAN assignments for the corresponding PC ports on the
Controller Module. For example:
set port vlan pc.slot.port# vlan-id
Note: The VLAN configuration of the PC ports on the DFE module (VLAN ID
and tagged vs. untagged) must match the VLAN configuration of the
controller’s data ports defined using the HiPath Wireless Assistant.
4. Perform the first time setup of the HiPath Wireless Controller on the physical
network, which includes configuring the IP addresses of the interfaces on the
HiPath Wireless Controller.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
41
hwc_startup.fm
Configuring the HiPath Wireless Controller
System configuration overview
–
Change the default IP address to be the relevant subnet point of
attachment to the existing network. The IP address is 10.0.#.1 is set by
default the first time you start up the controller.
–
To manage the HiPath Wireless Controller through the interface
configured above, select the Mgmt checkbox on the Interfaces tab.
–
Configure the data port interfaces to be on separate VLANs, matching the
VLANs configured in step 3 above. Ensure also that the tagged vs.
untagged state is consistent with the switch port (DFE if configuring the
HiPath Wireless Controller C20N) configuration.
–
Configure the time zone. Because changing the time zone requires
restarting the HiPath Wireless Controller, Siemens recommends that you
configure the time zone during the initial installation and configuration of
the HiPath Wireless Controller to avoid network interruptions. For more
information, see Section 3.4.11, “Configuring network time”, on page 92.
–
Apply an activation key file. If an activation key is not applied, the HiPath
Wireless Controller functions with some features enabled in
demonstration mode. Not all features are enabled in demonstration
mode. For example, mobility is not enabled and cannot be used.
Caution: Whenever the licensed region changes on the HiPath Wireless
Controller, all Wireless APs are changed to Auto Channel Select to
prevent possible infractions to local RF regulatory requirements. If this
occurs, all manually configured radio channel settings will be lost.
Installing the new license key before upgrading will prevent the HiPath
Wireless Controller from changing the licensed region, and in addition,
manually configured channel settings will be maintained. For more
information, see the HiPath Wireless Controller, Access Points and
Convergence Software Maintenance Guide.
–
42
Configure the HiPath Wireless Controller for remote access:
•
Set up an administration station (laptop) on subnet 192.168.10.0/24.
By default, the HiPath Wireless Controller's Management interface is
configured with the static IP address 192.168.10.1.
•
Configure the HiPath Wireless Controller’s management interface.
•
Configure the data interfaces.
•
Set up the HiPath Wireless Controller on the network by configuring
the physical data ports.
•
Configure the routing table.
•
Configure static routes or OSPF parameters, if appropriate to the
network.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
System configuration overview
For more information, see Section 3.4, “Configuring the HiPath Wireless
Controller for the first time”, on page 51.
5. Configure the traffic topologies your network must support. Topologies
represent the Controller’s points of network attachment, therefore VLANs and
port assignments need to be coordinated with the corresponding network
switch ports. For more information, see Section 6.8, “Configuring a Topology”,
on page 319.
6. Configure policies. Policies are typically bound to topologies. Policy
application assigns user traffic to the corresponding network point.
–
Policies define user access rights (filtering or ACL)
–
Polices reference user's rate control profile.
For more information, see Section 6.10, “Configuring Policy”, on page 377.
7. Configure WLAN services.
–
Define SSID and privacy settings for the wireless link.
–
Select the set of APs/Radios on which the service is present.
–
Configure the method of credential authentication for wireless users
(None, Internal CP, External CP, GuestPortal, 802.1x[EAP])
For more information, see Section 6.9, “Configuring WLAN Services”, on
page 331.
8. Create the VNSs.
A VNS binds a WLAN Service to a Policy that will be used for default
assignment upon a users’ network attachment.
You can create topologies, policies, and WLAN services first, before VNS
configuration a VNS, or you can select one of the wizards (such as the VNS
wizard), or you can simply select to create new VNS.
The VNS page then allows for in-place creation and definition of any
dependency it may require, such as:
–
Creating a new WLAN Service
–
Creating a new policy
–
Creating a new topology (within a policy)
–
Creating new rate controls, etc.
The default shipping configuration does not ship any pre-configured WLAN
Services, VNSs, or Policies.
9. Install, register, and assign APs to the VNS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
43
hwc_startup.fm
Configuring the HiPath Wireless Controller
Logging on to the HiPath Wireless Controller
–
Confirm the latest firmware version is loaded. For more information, see
Section 4.11, “Performing Wireless AP software maintenance”, on page
190.
–
Deploy Wireless APs to their corresponding network locations.
–
If applicable, configure a default AP template for common radio
assignment, whereby APs automatically receive complete configuration.
For typical deployments where all APs are to have the same
configuration, this feature will expedite deployment, as an AP will
automatically receive full configuration (including VNS-related
assignments) upon initial registration with the HiPath Wireless Controller.
If applicable, modify the properties or settings of the Wireless APs. For
more information, see Chapter 4, “Configuring the Wireless AP”.
–
Connect the Wireless APs to the HiPath Wireless Controller.
–
Once the Wireless APs are powered on, they automatically begin the
Discovery process of the HiPath Wireless Controller, based on factors
that include:
•
Their Registration mode (on the Wireless AP Registration screen)
•
The enterprise network services that will support the discovery
process
3.2 Logging on to the HiPath Wireless Controller
1. Launch your Web browser (Internet Explorer version 6.0 or higher, or
FireFox).
See the V7.31 release notes for the supported Web browsers.
2. In the browser address bar, type the following:
https://192.168.10.1:5825
This launches the HiPath Wireless Assistant. The login screen is displayed.
44
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Logging on to the HiPath Wireless Controller
3. In the User Name box, type your user name.
4. In the Password box, type your password.
Note: The HiPath Wireless Controller default user name is admin. The default
password is abc123.
5. Click Login. The HiPath Wireless Assistant main menu screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
45
hwc_startup.fm
Configuring the HiPath Wireless Controller
Working with the basic installation wizard
3.3 Working with the basic installation wizard
The HiPath Wireless Controller, Access Points and Convergence Software
system provides a basic installation wizard that can help administrators configure
the minimum HiPath Wireless Controller settings that are necessary to deploy a
functioning HiPath wireless solution on a network.
Administrators can use the basic installation wizard to quickly configure the
HiPath Wireless Controller for deployment, and then once the installation is
complete, continue to revise the HiPath Wireless Controller configuration
accordingly.
The basic installation wizard is automatically launched when an administrator
logs on to the HiPath Wireless Controller for the first time, including if the system
has been reset to the factory default settings. In addition, the basic installation
wizard can also be launched at any time from the left pane of the HiPath Wireless
Controller Configuration screen.
To configure the HiPath Wireless Controller with the basic installation
wizard:
1. Log on to the HiPath Wireless Controller. For more information, see Section
3.2, “Logging on to the HiPath Wireless Controller”, on page 44.
2. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
3. In the left pane, click Installation Wizard. The Basic Installation Wizard
screen is displayed.
4. In the Time Settings section, configure the HiPath Wireless Controller
timezone:
46
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Working with the basic installation wizard
•
Continent or Ocean – Click the appropriate large-scale geographic
grouping for the time zone.
•
Country – Click the appropriate country for the time zone. The contents
of the drop-down list change, based on the selection in the Continent or
Ocean drop-down list.
•
Time Zone Region – Click the appropriate time zone region for the
selected country.
5. To configure the HiPath Wireless Controller’s time, do one of the following:
•
To manually set the HiPath Wireless Controller time, use the Year,
Month, Day, HR, and Min. drop-down lists to specify the time.
•
To use the HiPath Wireless Controller as the NTP time server, select the
Run local NTP Server option.
•
To use NTP to set the HiPath Wireless Controller time, select the Use
NTP option, and then type the IP address of an NTP time server that is
accessible on the enterprise network.
The Network Time Protocol is a protocol for synchronizing the clocks of
computer systems over packet-switched data networks.
6. In the Port Configuration section, click the physical interface of the HiPath
Wireless Controller you want to assign as a data port. The system assigns
default IP Address and Netmask values for the data port. If applicable, type
a different IP address and netmask for the selected physical interface.
For information on how to obtain a temporary IP address from the network,
click How to obtain a temporary IP address.
7. Click Next. The Management screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
47
hwc_startup.fm
Configuring the HiPath Wireless Controller
Working with the basic installation wizard
8. In the Management Port section, confirm the port configuration values that
were defined when the HiPath Wireless Controller was physically deployed
on the network. If applicable, edit these values:
•
IP Address – Displays the IP address for the HiPath Wireless Controller’s
management port. Revise this as appropriate for the enterprise network.
•
Netmask – Displays the appropriate subnet mask for the IP address to
separate the network portion from the host portion of the address.
•
Gateway – Displays the default gateway of the network.
9. In the SNMP section, click V2c or V3 in the Mode drop-down list to enable
SNMP, if applicable. Only one mode can be supported on the controller at a
time.
If you selected V2c, do the following:
•
Read Community – Type the password that is used for read-only SNMP
communication.
•
Write Community – Type the password that is used for write SNMP
communication.
•
Trap Destination – Type the IP address of the server used as the
network manager that will receive SNMP messages.
10. In the OSPF section, select the Enable checkbox to enable OSPF, if
applicable. Use OSPF to allow the HiPath Wireless Controller to participate
in dynamic route selection. OSPF is a protocol designed for medium and
large IP networks with the ability to segment routes into different areas by
routing information summarization and propagation.
Do the following:
•
Port – Click the physical interface of the HiPath Wireless Controller you
want to assign as a router port.
•
Area ID – Type the desired area. Area 0.0.0.0 is the main area in OSPF.
11. In the Syslog Server section, select the Enable checkbox to enable the
syslog protocol for the HiPath Wireless Controller, if applicable. Syslog is a
protocol used for the transmission of event notification messages across
networks.
In the IP Address box, type the IP address of the syslog server.
12. Click Next. The Services screen is displayed.
48
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Working with the basic installation wizard
13. In the RADIUS section, select the Enable checkbox to enable RADIUS login
authentication, if applicable. RADIUS login authentication uses a RADIUS
server to authenticate user login attempts. RADIUS is a client/server
authentication and authorization access protocol used by a network access
server (NAS) to authenticate users attempting to connect to a network device.
Do the following:
•
Server Alias – Type a name that you want to assign to the RADIUS
server. You can type a name or IP address of the server.
•
Hostname/IP – Type the RADIUS server’s hostname or IP address.
•
Shared Secret – Type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS
server.
14. In the Mobility section, select the Enable checkbox to enable the HiPath
Wireless Controller mobility feature, if applicable. Mobility allows a wireless
device user to roam seamlessly between different Wireless APs on the same
or different HiPath Wireless Controllers.
A dialog is displayed informing you that NTP is required for the mobility
feature and prompting you to confirm you want to enable mobility.
Note: If the HiPath Wireless Controller is configured as a mobility agent, it will
act as an NTP client and use the mobility manager as the NTP server. If the
HiPath Wireless Controller is configured as a mobility manager, the HiPath
Wireless Controller’s local NTP will be enabled for the mobility domain.
Click OK to continue, and then do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
49
hwc_startup.fm
Configuring the HiPath Wireless Controller
Working with the basic installation wizard
Role – Select the role for the HiPath Wireless Controller, Manager or Agent.
One HiPath Wireless Controller on the network is designated as the mobility
manager and all other HiPath Wireless Controllers are designated as mobility
agents.
Port – Click the interface on the HiPath Wireless Controller to be used for
communication between mobility manager and mobility agent. Ensure that
the selected interface is routable on the network. For more information, see
Chapter 8, “Configuring Mobility”.
Manager IP – Type the IP address of the mobility manager port if the HiPath
Wireless Controller is configured as the mobility agent.
15. In the Default VNS section, select the Enable checkbox to enable a default
VNS for the HiPath Wireless Controller. The default VNS parameters are
displayed. Refer to Chapter 5, “Virtual Network Services concepts” for more
information about the default VNS.
16. Click Finish. The Success screen is displayed. Siemens recommends that
you change the factory default administrator password.
Do the following:
•
New Password – Type a new administrator password.
•
Confirm Password – Type the new administrator password again.
17. Click Save. Your new password is saved.
18. Click OK, and then click Close. The HiPath Wireless Assistant main menu
screen is displayed.
Note: The HiPath Wireless Controller reboots after you click Save if the time
zone is changed during the Basic Install Wizard. If the IP address of the
management port is changed during the configuration with the Basic Install
Wizard, the HiPath Wireless Assistant session is terminated and you will
need to log back in with the new IP address.
50
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4 Configuring the HiPath Wireless Controller for the first time
This section describes HiPath Wireless Controller configuration that is typically
performed as soon as the HiPath Wireless Controller is deployed.
Although the basic installation wizard has already configured some aspects of the
HiPath Wireless Controller deployment, you can continue to revise the HiPath
Wireless Controller configuration according to your network needs.
3.4.1 Changing the administrator password
Siemens recommends that you change your default administrator password once
your system is deployed. The HiPath Wireless Controller default password is
abc123. When the HiPath Wireless Controller is installed and you elect to
change the default password, the new password must be a minimum of eight
characters.
The minimum eight character password length is not applied to existing
passwords. For example, if a six character password is already being used and
an upgrade of the software is performed, the software does not require the
password to be changed to a minimum of eight characters. However, once the
upgrade is completed and a new account is created, or the password of an
existing account is changed, the new password length minimum will be enforced.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
51
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
To change the administrator password:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management.
3. In the Full Administrator table, click the administrator user name.
4. In the Password box, type the new administrator password.
5. In the Confirm Password box, type the new administrator password again.
6. Click Change Password.
Note: The HiPath Wireless Controller provides you with local login authentication
mode, the RADIUS-based login authentication mode, and combinations of the
two authentication modes. The local login authentication is enabled by default.
For more information, see Section 3.4.9, “Configuring the login authentication
mode”, on page 78.
3.4.2 Applying product license keys
The HiPath Wireless Controller’s license system works on simple software-based
key strings. A key string consists of a series of numbers and/or letters. Using
these key strings, you can license the software, enable the optional external
captive portal feature, and enhance the capacity of the HiPath Wireless
Controller to manage additional Wireless APs.
The key strings can be classified into the following variants:
•
•
Activation Key – Activates the software. This key is further classified into two
sub-variants:
•
Temporary Activation Key – Activates the software for a trial period of
90 days.
•
Permanent Activation Key – Activates the software for an infinite period.
Option Key – Activates the optional features. This key is further classified
into two sub-variants:
•
Capacity Enhancement Key – Enhances the capacity of the HiPath
Wireless Controller to manage additional Wireless APs. You may have to
add multiple capacity enhancement keys to reach the HiPath Wireless
Controller’s limit. Depending on the HiPath Wireless Controller model, a
capacity enhancement key adds the following Wireless APs:
•
52
C5110 – Adds 25 Wireless APs
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
•
C4110 – Adds 25 Wireless APs
•
C2400 – Adds 25 Wireless APs
•
C20N – Adds 16 Wireless APs
•
C20 – Adds 16 Wireless APs
External Captive Portal Key – Enables the external Captive Portal for
the mobile user’s authentication. For more information on the external
Captive Portal, see Section 5.5.1, “Authentication with Captive Portal”, on
page 258.
Note: If you connect additional Wireless APs to a HiPath Wireless Controller
that has a permanent activation key without installing a capacity
enhancement key, or if you configure an external Captive Portal without
installing the appropriate key, a grace period of seven days will start. You
must install the correct key during the grace period. If you do not install the
key, the HiPath Wireless Controller will start generating event logs every 15
minutes, indicating that the key is required. In addition, you will not be able to
edit the Virtual Network Services (VNS) parameters.
The HiPath Wireless Controller can be in the following licensing modes:
•
Unlicensed – When the HiPath Wireless Controller is not licensed, it
operates in ‘demo mode.’ In ‘demo mode,’ the HiPath Wireless Controller
allows you to operate as many Wireless APs as you want, subject to the
maximum limit of the platform type, and enables you to configure the optional
external captive portal for authentication. In demo mode, you can use only the
b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled
in demo mode.
•
Licensed with a temporary activation key – A temporary activation key
comes with a regulatory domain. With the temporary activation key, you can
select a country from the domain and operate the Wireless APs on any
channel permitted by the country. A temporary activation key allows you to
use all software features. You can operate as many Wireless APs as you
want, subject to the maximum limit of the platform type. In addition, you can
configure the external captive portal feature.
A temporary activation key is valid for 90 days. Once the 90 days are up, the
temporary key expires. You must get a permanent activation key and install it
on the HiPath Wireless Controller. If you do not install a permanent activation
key, the HiPath Wireless Controller will start generating event logs every 15
minutes, indicating that an appropriate license is required for the current
software version. In addition, you will not be able to edit the Virtual Network
Services (VNS) parameters.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
53
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
Licensed with permanent activation key – A permanent activation key is
valid for an infinite period. In addition, unlike the temporary activation key, the
permanent activation key allows you to operate a stipulated number of the
Wireless APs, depending upon the platform type. If you want to connect
additional Wireless APs, you have to install a capacity enhancement key. You
may even have to install multiple capacity enhancement keys to reach the
HiPath Wireless Controller’s limit.
The following table lists the platform type and the corresponding number of
the Wireless APs allowed by the permanent activation key.
Platform
Wireless APs permitted Platform’s
by permanent
optimum limit
activation key
Number of capacity
enhancement keys to
reach the optimum limit
C20
16
32
C20N
16
32
C2400
50
200
CRBT8110
24
24
CRBT8210 72
72
C4110
50
250
C5110
150
525
15
Table 2
Platform type and corresponding number of Wireless APs allowed by
a permanent activation key
Similarly, if you want to configure the external captive portal feature, you have
to install the optional feature key.
If the HiPath Wireless Controller detects multiple license violations, such as
capacity enhancement and optional feature violations, a grace period counter will
start from the moment the first violation occurred. The HiPath Wireless Controller
will generate event logs for every violation. The only way to leave the grace period
is to clear all outstanding license violations.
The HiPath Wireless Controller can be in an unlicensed state for an infinite
period. However, if you install a temporary activation key, the unlicensed state is
terminated. After the validity of a temporary activation key and the related grace
period expire, the HiPath Wireless Controller will generate event logs every 15
minutes, indicating that an appropriate license is required for the current software
version. In addition, you will not be able to edit the Virtual Network Services (VNS)
parameters.
3.4.2.1 Installing the license keys
This section describes how to install the license key on the HiPath Wireless
Controller. It does not explain how to generate the license key. For information on
how to generate the license key, see the HiPath Wireless License Certificate,
which is sent to you via traditional mail.
54
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
You have to type the license keys on the HiPath Wireless Assistant GUI.
To install the license keys:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Software Maintenance.
3. Click the HWC Product Keys tab.
The bottom pane displays the license summary.
4. If you are installing a temporary or permanent activation license key, type the
key in the Activation Key box, and then click the Apply Activation Key
button.
5. If you are installing a capacity enhancement or optional feature license key,
type the key In the Option Key box, and then click the Apply Option Key
button.
6. To view installed keys, click View Installed Keys.
3.4.3 Setting up the data ports
A new HiPath Wireless Controller is shipped from the factory with all its data ports
set up. Support of management traffic is disabled on all data ports. By default,
data interface states are enabled. A disabled interface does not allow data to flow
(receive/transmit).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
55
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
Physical ports are represented by the L2 (Ethernet) Ports and associated
Topologies which are created by default when the controller is first powered up.
The L2 port and Topology information can be accessed from L2 Ports and
Topology tabs under HiPath Wireless Controller Configuration. The L2 Ports
cannot be removed from the system but their operational status can be changed
(together with a few other parameters, as explained below).
Note: You can redefine a data port to function as a Third-Party AP Port. Refer
to Section 3.4.3.2, “Viewing and changing the L2 port related topologies” for more
information.
3.4.3.1 Viewing and changing the L2 ports information
To view and change the L2 port information:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click L2 Ports. The L2 Ports tab is displayed.
The L2 Ports tab presents the Physical (that is, Ethernet) ports that exist on
the HiPath Wireless Controller. These ports cannot be deleted and new ones
cannot be created. The number of Ethernet ports and their names per
controller are:
56
•
C5110 – Three data ports, displayed as esa0, esa1, and esa2.
•
C4110 – Four data ports, displayed as Port1, Port2, Port3, and Port4.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
C2400 – Four data ports, displayed as esa0, esa1, esa2, and esa3.
•
C20 – Two data ports, displayed as esa0 and esa1.
•
C20N – Two data ports, displayed as PC.1 and PC.2.
•
CRBT8210 – One data port, displayed as esa0.
•
CRBT8110 – One data port, displayed as esa0.
Also an “Admin” port is created by default. This represents a physical port,
separate from the other data ports, being used for management connectivity.
Parameters displayed for the L2 Ports are:
•
Operational status, represented graphically with a green checkmark (UP)
or red X (DOWN). This is the only configurable parameter.
•
Port name, as described above.
•
MAC address, as per Ethernet standard.
•
VLAN ID, for different types of topology. Refer to Section 3.4.3.2, “Viewing
and changing the L2 port related topologies” for more information about
L2 port topologies.
3. If desired, change the operational status by clicking the Enable checkbox.
You can change the operational state for each port. By default, data interface
states are enabled. If they are not enabled, you can enable them individually.
A disabled interface does not allow data to flow (receive/transmit).
3.4.3.2 Viewing and changing the L2 port related topologies
Each of the L2 Ports has a predefined Topology associated with it.
To view and change the L2 port topologies:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
An associated topology entry is created by default for each L2 Port with the
same name.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
57
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. To change any of the associated parameters, click on the topology entry to be
modified. An “Edit Topology” pop up window appears.
For the data ports predefined in the system, Name and Mode are not
configurable.
4. Optionally, configure one of the physical ports for Third Party AP connectivity
by clicking the 3rd Party checkbox.
You must configure a port to which you will be connecting third-party APs by
checking this box. Only one port can be configured for third-party APs.
58
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
Third-party APs must be deployed within a segregated network for which the
HiPath Wireless Controller becomes the single point of access (i.e., routing
gateway). When you define a port as the third-party AP port, the interface
segregates the third-party AP from the remaining network.
5. To configure an interface for VLAN assignment, configure the VLAN Settings
in the Layer 2 box.
When you configure a HiPath Wireless Controller port to be a member of a
VLAN, you must ensure that the VLAN configuration (VLAN ID and tagged vs.
untagged attribute) is matched with the correct configuration on the network
switch.
6. If the desired IP configuration is different from the one displayed, change the
Interface IP and Mask accordingly in the Layer 3 box.
For this type of data interface, the Layer 3 check box is selected
automatically. This allows for IP Interface and subnet configuration together
with other networking services.
7. If desired, change the MTU value. This value specifies the Maximum
Transmission Unit or maximum packet size for this port. The default value is
1500 bytes for physical topologies.
If you change this setting and are using OSPF, be sure that the MTU of all the
ports in the OSPF link match.
Note: If the routed connection to an AP traverses a link that imposes a lower
MTU than the default 1500 bytes, the HiPath Wireless Controller and AP
participate in automatic MTU discovery and adjust their settings accordingly.
At the HiPath Wireless Controller, MTU adjustments are tracked on a per AP
basis.
8. To enable AP registration through this interface, select the AP Registration
checkbox.
Wireless APs use this port for discovery and registration. Other controllers
can use this port to enable inter-controller device mobility if this port is
configured to use SLP or the HiPath Wireless Controller is running as a
manager and SLP is the discovery protocol used by the agents.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
59
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
9. To enable management traffic, select the Management Traffic checkbox.
Enabling management provides access to SNMP (v2, V3, get), SSH, and
HTTPs management interfaces.
Note: This option does not override the built-in protection filters on the port.
The built-in protection filters for the port, which are restrictive in the types of
packets that are allowed to reach the management plane, are extended with
a set of definitions that allow for access to system management services
through that interface (SSH, SNMP, HTTPS:5825).
10. To enable the local DHCP Server on the HiPath Wireless Controller, in the
DHCP box, select Local Server. Then, click on the Configure button to open
the DHCP configuration pop up window.
Note: The local DHCP Server is useful as a general purpose DHCP Server
for small subnets.
a) In the Domain Name box, type the name of the domain that you want the
Wireless APs to use for DNS Server’s discovery.
b) In the Lease (seconds) default box, type the time period for which the IP
address will be allocated to the Wireless APs (or any other device
requesting it).
c) In the Lease (seconds) max box, type the maximum time period in
seconds for which the IP address will be allocated to the Wireless APs.
d) In the DNS Servers box, type the DNS Server’s IP address if you have a
DNS Server.
60
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
e) In the WINS box, type the WINS Server’s IP address if you have a WINS
Server.
Note: You can type multiple entries in the DNS Servers and WINS boxes.
Each entry must be separate by a comma. These two fields are not
mandatory to enable the local DHCP feature.
f)
In the Gateway box, type the IP address of the default gateway.
Note: Since the HiPath Wireless Controller is not allowed to be the gateway
for the segment, including Wireless APs, you cannot use the Interface IP
address as the gateway address.
g) Configure the address range from which the local DHCP Server will
allocate IP addresses to the Wireless APs.
•
In the Address Range: from box, type the starting IP address of the
IP address range.
•
In the Address Range: to box, type the ending IP address of the IP
address range.
h) Click the Exclusion(s) button to exclude IP addresses from allocation by
the DHCP Server. The DHCP Address Exclusion window opens.
The HiPath Wireless Controller automatically adds the IP addresses of
the Interfaces (Ports), and the default gateway to the exclusion list. You
can not remove these IP addresses from the exclusion list.
•
Select the Range radio button. In the From box, type the starting IP
address of the IP address range that you want to exclude from the
DHCP allocation.
•
In the To box, type the ending IP address of the IP address range that
you want to exclude from the DHCP allocation.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
61
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
i)
•
To exclude a single address, select the Single Address radio button
and type the IP address in the adjacent box.
•
In the Comment box, type any relevant comment. For example, you
can type the reason for which a certain IP address is excluded from
the DHCP allocation.
•
Click on Add. The excluded IP addresses are displayed in the IP
Address(es) to exclude from DHCP Address Range box.
•
To delete a IP Address from the exclusion list, select it in the IP
Address(es) to exclude from DHCP Range box, and then click
Delete.
•
To save your changes, click OK.
Click Close to close the DHCP configuration window.
Note: The Broadcast (B’cast) Address field is view only. This field is
computed from the mask and the IP addresses.
11. You are returned to the L2 port topology edit window.
3.4.4 Setting up Internal VLAN ID and multi-cast
support
You can configure the Internal VLAN ID, and enable multicast support. The
internal VLAN used only internally and is not visible on the external traffic. The
physical topology used for multicast is represented by a physical port to/from
which the multicast traffic is forwarded in conjunction with the virtual routed
topologies (and VNSs) configured on the controller. Please note that no multicast
routing is available at this time.
To configure the Internal VLAN ID and enable multicast support:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
3. Click the Interfaces tab.
62
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
4. In the Internal VLAN ID box, type the internal VLAN ID.
5. From the Multicast Support drop-down list, select the desired data port
(physical Ethernet topology).
If you are configuring a HiPath Wireless Controller C20N, the data ports are
PC.1 and PC.2.
If you are configuring a HiPath Wireless Controller C4110, the data ports are
Port1, Port2, Port3, and Port4.
6. To save your changes, click Save.
3.4.5 Setting up static routes
Siemens recommends that you define a default route to your enterprise network,
either with a static route or by using the OSPF protocol. A default route enables
the HiPath Wireless Controller to forward packets to destinations that do not
match a more specific route definition.
To set a static route on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
63
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. To add a new route, in the Destination Address box type the destination IP
address of a packet.
To define a default static route for any unknown address not in the routing
table, type 0.0.0.0.
4. In the Subnet Mask box, type the appropriate subnet mask to separate the
network portion from the host portion of the IP address (typically
255.255.255.0). To define the default static route for any unknown address,
type 0.0.0.0.
5. In the Gateway box, type the IP address of the specific router port or gateway
on the same subnet as the HiPath Wireless Controller to which to forward
these packets. This is the IP address of the next hop between the HiPath
Wireless Controller and the packet’s ultimate destination.
6. Click Add. The new route is added to the list of routes.
7. Select the Override dynamic routes checkbox to give priority over the OSPF
learned routes, including the default route, which the HiPath Wireless
Controller uses for routing. This option is enabled by default.
To remove this priority for static routes, so that routing is controlled
dynamically at all times, clear the Override dynamic routes checkbox.
Note: If you enable dynamic routing (OSPF), the dynamic routes will normally
have priority for outgoing routing. For internal routing on the HiPath Wireless
Controller, the static routes normally have priority.
8. To save your changes, click Save.
64
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4.5.1 Viewing the forwarding table
You can view the defined routes, whether static or OSPF, and their current status
in the forwarding table.
To view the forwarding table on the HiPath Wireless Controller:
1. From the Routing Protocols Static Routes tab, click View Forwarding
Table. The Forwarding Table is displayed.
2. Alternatively. from the main menu, click Reports & Displays. The HiPath
Reports & Displays screen is displayed. Then, click Forwarding Table. The
Forwarding Table is displayed.
This report displays all defined routes, whether static or OSPF, and their
current status.
3. To update the display, click Refresh.
3.4.6 Setting up OSPF Routing
To enable OSPF (OSPF RFC2328) routing, you must:
•
Specify at least one data port on which OSPF is enabled on the Port Settings
option of the OSPF tab. This is the interface on which you can establish OSPF
adjacency.
•
Enable OSPF globally on the HiPath Wireless Controller
•
Define the global OSPF parameters
Ensure that the OSPF parameters defined here for the HiPath Wireless Controller
are consistent with the adjacent routers in the OSPF area. This consistency
includes the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
65
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
If the peer router has different timer settings, the protocol timer settings in the
HiPath Wireless Controller must be changed to match to achieve OSPF
adjacency.
•
The MTU of the ports on either end of an OSPF link must match. The MTU
for ports on the HiPath Wireless Controller is defined as 1500, on the L2 Port
tab, during data port setup. This matches the default MTU in standard routers.
To set OSPF Routing Global Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols. The Static Routes tab is displayed
by default.
3. Click the OSPF tab.
4. From the OSPF Status drop-down list, click On to enable OSPF.
In the Router ID box, type the IP address of the HiPath Wireless Controller.
This ID must be unique across the OSPF area. If left blank, the OSPF
daemon automatically picks a router ID from one of the HiPath Wireless
Controller’s interface IP addresses.
5. In the Area ID box, type the area. 0.0.0.0 is the main area in OSPF.
6. In the Area Type drop-down list, click one of the following:
•
66
Default – The default acts as the backbone area (also known as area
zero). It forms the core of an OSPF network. All other areas are
connected to it, and inter-area routing happens via a router connected to
the backbone area.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
Stub – The stub area does not receive external routes. External routes
are defined as routes which were distributed in OSPF via another routing
protocol. Therefor, stub areas typically rely on a default route to send
traffic routes outside the present domain.
•
Not-so-stubby – The not-so-stubby area is a type of stub area that can
import autonomous system (AS) external routes and send them to the
default/backbone area, but cannot receive AS external routes from the
backbone or other areas.
7. To save your changes, click Save.
To set OSPF Routing Port Settings on the HiPath Wireless Controller:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Routing Protocols.
3. Click the OSPF tab.
4. Select a port to configure by clicking on the desired port in the Port Settings
table.
5. In the Port Status drop-down list, click Enabled to enable OSPF on the port.
The default setting is Disabled.
6. In the Link Cost box, type the OSPF standard value for your network for this
port. This is the cost of sending a data packet on the interface. The lower the
cost, the more likely the interface is to be used to forward data traffic.
Note: If more than one port is enabled for OSPF, it is important to prevent the
HiPath Wireless Controller from serving as a router for other network traffic (other
than the traffic from wireless device users on routed topologies controlled by the
HiPath Wireless Controller). For more information, see Section 6.10.2, “About
filtering rules”, on page 379.
7. In the Authentication drop-down list, click the authentication type for OSPF
on your network: None or Password. The default setting is None.
8. If Password is selected as the authentication type, in the Password box,
type the password.
If None is selected as the Authentication type, leave this box empty. This
password must match on either end of the OSPF connection.
9. Type the following:
•
Hello-Interval – Specifies the time in seconds (displays OSPF
default).The default setting is 10 seconds.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
67
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
Dead-Interval – Specifies the time in seconds (displays OSPF default).
The default setting is 40 seconds.
•
Retransmit-Interval – Specifies the time in seconds (displays OSPF
default). The default setting is 5 seconds.
•
Transmit Delay– Specifies the time in seconds (displays OSPF default).
The default setting is 1 second.
10. To save your changes, click Save.
To confirm that ports are set for OSPF:
1. To confirm that the ports are set up for OSPF, and that advertised routes from
the upstream router are recognized, click View Forwarding Table. The
Forwarding Table is displayed.
The following additional reports display OSPF information when the protocol
is in operation:
•
OSPF Neighbor – Displays the current neighbors for OSPF (routers that
have interfaces to a common network)
•
OSPF Linkstate – Displays the Link State Advertisements (LSAs)
received by the currently running OSPF process. The LSAs describe the
local state of a router or network, including the state of the router’s
interfaces and adjacencies.
2. To update the display, click Refresh.
3.4.7 Configuring filtering at the interface level
The HiPath Wireless solution has a number of built-in filters that protect the
system from unauthorized traffic. These filters are specific only to the HiPath
Wireless Controller. These filters are applied at the network interface level and
are automatically invoked. By default, these filters provide stringent-level rules to
allow only access to the system's externally visible services. In addition to these
built-in filters, the administrator can define specific exception filters at the
interface-level to customize network access. These filters depend on Topology
Modes and the configuration of an L3 interface for the topology.
For Bridged at Controller topologies, exception filters are defined only if L3 (IP)
interfaces are specified. For Physical, Routed, and 3rd Party AP topologies,
exception filtering is always configured since they all have an L3 interface
presence.
68
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4.7.1 Built-in interface-based exception filters
On the HiPath Wireless Controller, various interface-based exception filters are
built in and invoked automatically. These filters protect the HiPath Wireless
Controller from unauthorized access to system management functions and
services via the interfaces. Access to system management functions is granted if
the administrator selects the allow management traffic option in a specific
topology.
Allow management traffic is possible on the topologies that have L3 IP interface
definitions. For example, if management traffic is allowed on a physical topology
(esa0), only users connected through ESA0 will be able to get access to the
system. Users connecting on any other topology, such as Routed or Bridged
Locally at Controller, will no longer be able to target ESA0 to gain management
access to the system. To allow access for users connected on such a topology,
the given topology configuration itself must have allow management traffic
enabled and users will only be able to target the topology interface specifically.
On the HiPath Wireless Controller’s L3 interfaces (associated with either
physical, Routed, or Bridged Locally at Controller topologies), the built-in
exception filter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic
is allowed, by default, on the management port.
If management traffic is explicitly enabled for any interface, access is implicitly
extended to that interface through any of the other interfaces (VNS). Only traffic
specifically allowed by the interface’s exception filter is allowed to reach the
HiPath Wireless Controller itself. All other traffic is dropped. Exception filters are
dynamically configured and regenerated whenever the system's interface
topology changes (for example, a change of IP address for any interface).
Enabling management traffic on an interface adds additional rules to the
exception filter, which opens up the well-known IP(TCP/UDP) ports,
corresponding to the HTTPS, SSH, and SNMP applications.
The interface-based built-in exception filtering rules, in the case of traffic from
wireless users, are applicable to traffic targeted directly for the topology L3
interface. For example, a filter specified by a Policy may be generic enough to
allow traffic access to the HiPath Wireless Controller's management (for
example, Allow All [*.*.*.*]). Exception filter rules are evaluated after the user's
assigned filter policy, as such, it is possible that the policy allows the access to
management functions that the exception filter denies. These packets are
dropped.
To enable SSH, HTTPS, or SNMP access through a physical data interface:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
69
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. On the Topologies tab, click the appropriate data port topology. The Edit
Topology window displays.
4. Select the Management Traffic checkbox if the topology has specified an L3
IP interface presence.
5. To save your changes, click Save.
3.4.7.2 Working with administrator-defined interface-based
exception filters
You can add specific filtering rules at the interface level in addition to the built-in
rules. Such rules give you the capability of restricting access to a port, for specific
reasons, such as a Denial of Service (DoS) attack.
The filtering rules are set up in the same manner as filtering rules defined for a
Policy — specify an IP address, select a protocol if applicable, and then either
allow or deny traffic to that address. For more information, see Section 6.10.2,
“About filtering rules”, on page 379.
70
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
The rules defined for port exception filters are prepended to the normal set of
restrictive exception filters and have precedence over the system's normal
protection enforcement (that is, they are evaluated first).
Warning: If defined improperly, user exception rules may seriously compromise
the system’s normal security enforcement rules. They may also disrupt the
system's normal operation and even prevent system functionality altogether. It is
advised to only augment the exception-filtering mechanism if absolutely
necessary.
To define interface exception filters:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies screen is displayed.
3. Select a topology to be configured. The Edit Topology window is displayed.
4. If the topology has an L3 interface defined, an Exception Filters tab is
available. Select this tab. The Exception Filter rules are displayed.
5. Add rules by either:
•
Clicking the Add Predefined button, selecting a filter from the drop down
list, and clicking Add.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
71
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
Clicking the Add button, filling in the following fields, then clicking OK:
a) In the IP / subnet:port box, type the destination IP address. You can
also specify an IP range, a port designation, or a port range on that IP
address.
b) In the Protocol drop-down list, click the protocol you want to specify
for the filter. This list may include UDP, TCP, GRE, IPsec-ESP, IPsecAH, ICMP. The default is N/A.
6. The new filter is displayed in the upper section of the screen.
7. Click the new filter entry.
8. To allow traffic, select the Allow checkbox.
9. To adjust the order of the filtering rules, click Up or Down to position the rule.
The filtering rules are executed in the order defined here.
10. To save your changes, click Save.
3.4.8 Installing certificates on the HiPath Wireless
Controller
You can install certificates on the HiPath Wireless Controller that help secure the
HiPath Wireless Controller’s interfaces and internal Captive Portal pages.
The Interface certificates are actually associated with Topologies that have
configured a L3 (IP) interface. For simplicity, they will be called Interface
certificates in this document.
72
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
Factory default certificate
By default, the HiPath Wireless Controller is shipped with a self-signed certificate.
The self-signed certificate does the following:
•
Protects all interfaces that provide administrative access to the HiPath
Wireless Controller
•
Protects the internal Captive Portal page
If you chose to use the default certificate to secure the HiPath Wireless Controller
and internal Captive Portal page, your Web browser will likely continue to produce
security warnings regarding the security risks of trusting self-signed certificates.
To avoid the certificate-related Web browser security warnings, you can install
customized certificates on the HiPath Wireless Controller.
Note: To avoid the certificate-related Web browser security warnings when
accessing the HiPath Wireless Assistant, you must also import the customized
certificates into your Web browser application.
Certificate formats
The HiPath Wireless Controller supports the following formats:
•
PKCS#12 — The PKCS#12 certificate (.pfx) file contains both a certificate
and the corresponding private key.
•
PEM/DER — The PEM/DER certificate (.crt) file requires a separate PEM/
DER private key (.key) file. The HiPath Wireless Controller uses OpenSSL
PKCS12 command to convert the .crt and .key files into a single .pfx
PKCS#12 certificate file.
CA public certificate
You also have the option of installing a PEM-formatted CA public certificate file.
If you choose to install this optional certificate, you must do so when specifying
the PCKCS#12 or PEM/DER certificates.
Certificate monitoring
The HiPath Wireless Controller monitors the expiration date of installed
certificates. The HiPath Wireless Controller generates an entry in the events
information log as the certificate expiry date approaches, based on the following
schedule: 15, 8, 4, 2, and 1 day prior to expiration. The log messages cease when
the certificate expires. For more information, see the HiPath Wireless Controller,
Access Points and Convergence Software Maintenance Guide.
Upgrades and migrations
Installed certificates will be backed up and restored with the HiPath Wireless
Controller configuration data. Installed certificates will also be migrated during an
upgrade and during a migration.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
73
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
Prerequisite for installing a certificate
You can chose your preferred CA to generate the PKCS#12 file or PEM/DER
files. The HiPath Wireless Controller will accept the PKCS#12 file or PEM/DER
files as long as the format of the private key and certificate are valid.
When generating the PKCS#12 certificate file or PEM/DER certificate and key
files, you must ensure that the interface identified in the certificate corresponds to
the HiPath Wireless Controller’s interface for which the certificate is being
installed.
Certificate Common Name
To avoid getting security warnings, the common name of the certificate should
match the interface IP (port IP or Topology gateway IP) that the WLAN service
uses.
•
HiPath Wireless Controller ports (pcX, esaX, and eth0) – Physical
interface IP address
•
Internal Captive Portal – VNS gateway IP address.
3.4.8.1 Installing a certificate for a HiPath Wireless Controller
interface
To install a certificate for a HiPath Wireless Controller data interface:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Topology. The Topologies tab is displayed.
3. Click the Certificates tab.
74
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
4. In the Interface Certificates table, click the topology (which has an L3
interface) for which you want to install a certificate.
Note: The interface identified in the certificate must correspond to the HiPath
Wireless Controller’s interface for which the certificate is being installed.
The Configuration for Topology section is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
75
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
5. In the Configuration for Topology section, select one of the following:
•
Replace/Install selected Topology’s certificate and key – Select to
replace the existing port’s certificate and key, and then do the following:
a) Click Browse next to the PKCS #12 file to install box. The Choose
file dialog is displayed.
b) Navigate to the .pfx certificate file you want to install for this port, and
then click Open. The certificate .pfx file name is displayed in the
PKCS #12 file to install box.
c) In the Private key password box, type the password for the
certificate file. The PKCS#12 file is password protected.
d) (Optional) Click Browse next to the Optional:Enter PEM-encoded
CA public certificates file box. The Choose file dialog is displayed.
Note: If you choose to install a CA public certificate, you must install it
when you install the PKCS#12 certificate and key.
e) (Optional) Navigate to the certificate file you want to install for this
port, and then click Open. The certificate file name is displayed in the
Optional:Enter PEM-encoded CA public certificates file box.
•
76
Replace/Install selected Topology’s certificate and key from
separate files – Select to replace the existing port’s certificate and key,
and then do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
a) Click Browse next to the Certificate file to install box. The Choose
file dialog is displayed.
b) Navigate to the certificate file you want to install for this port, and then
click Open. The certificate file name is displayed in the Certificate
file to install box.
c) Click Browse next to the Private key file to install box. The Choose
file dialog is displayed.
d) Navigate to the key file you want to install for this port, and then click
Open. The file name is displayed in the Private key file to install
box.
e) In the Private key password box, type the password for the key file.
The key file is password protected.
f)
(Optional) Click Browse next to the Optional:Enter PEM-encoded
CA public certificates file box. The Choose file dialog is displayed.
Note: If you choose to install a CA public certificate, you must install it
when you install the PEM/DER certificate and key.
g) (Optional) Navigate to the certificate file you want to install for this
port, and then click Open. The certificate file name is displayed in the
Optional:Enter PEM-encoded CA public certificates file box.
•
Reset selected Topology to the factory default certificate and key –
Select to assign the factory default certificate and key to the interface.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
77
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
No change
6. To save your changes, click Save. A message in the footer will be displayed
to confirm if the certificate installation is successful or fails.
Note: To avoid the certificate-related Web browser security warnings when
accessing the HiPath Wireless Assistant, you must also import the customized
certificates into your Web browser application.
3.4.9 Configuring the login authentication mode
You can configure the following login authentication modes to authenticate
administrator login attempts:
•
Local authentication — The HiPath Wireless Controller uses locally
configured login credentials and passwords. See Section 3.4.9.1,
“Configuring the local login authentication mode and adding new users”, on
page 79.
•
RADIUS authentication — The HiPath Wireless Controller uses login
credentials and passwords configured on a RADIUS server. See Section
3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
•
Local authentication first, then RADIUS authentication — The HiPath
Wireless Controller first uses locally configured login credentials and
passwords. If this login fails, the HiPath Wireless Controller attempts to
validate login credentials and passwords configured on a RADIUS server.
See Section 3.4.9.3, “Configuring the local, RADIUS login authentication
mode”, on page 85.
•
RADIUS authentication first, then local authentication — The HiPath Wireless
Controller first uses login credentials and passwords configured on a RADIUS
server. If this login fails, the HiPath Wireless Controller attempts to validate
login credentials and passwords configured locally. See Section 3.4.9.4,
“Configuring the RADIUS, local login authentication mode”, on page 86.
Note: The HiPath Wireless Controller, Access Points and Convergence Software
enables you to recover the HiPath Wireless Controller via the Rescue mode if
you have lost its login password. For more information, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance Guide.
78
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4.9.1 Configuring the local login authentication mode and
adding new users
Local login authentication mode is enabled by default. If the login authentication
was previously set to another authentication mode, you can change it to the local
authentication. You can also add new users and assign them to a login group —
as full administrators, read-only administrators, or as a GuestPortal managers.
For more information, see Section 12.2, “Defining HiPath Wireless Assistant
administrators and login groups”, on page 483
To configure the local login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen
is displayed.
3. In the Authentication mode section, click Configure.
The Login Authentication Mode Configuration window is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
79
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
4. Select the Local checkbox.
If the RADIUS checkbox is selected, deselect it.
5. Click OK.
6. In the Add User section, select one of the following from the Group dropdown list:
•
Full Administrator – Grants the administrator’s access rights to the
administrator.
•
Read-only Administrator – Grants read-only access right to the
administrator.
•
GuestPortal Manager – Grants the user GuestPortal manager rights.
7. In the User ID box, type the user’s ID.
8. In the Password box, type the user’s password.
Note: The password must be 8 to 24 characters long.
9. In the Confirm Password box, re-type the password.
10. To add the user, click Add User. The new user is added.
11. Click Save.
The Administrator Password Confirmation window is displayed.
12. Select the appropriate option.
–
Yes — Change authentication mode to local. Use the administrator
password currently defined on the controller.
–
Yes, but I want to change administrator’s password first — Change
authentication mode to local and change the administrator password
currently defined on the controller.
–
No — Do not change the authentication mode to local.
13. Click Submit.
14. If you chose Yes, but I want to change administrator’s password first, you
are prompted to change the administrator’s password.
80
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4.9.2 Configuring the RADIUS login authentication mode
The local login authentication mode is enabled by default. You can change the
local login authentication mode to RADIUS-based authentication.
Note: Before you change the default local login authentication to RADIUS-based
authentication, you must configure the RADIUS Server on the Global Settings
screen. For more information, see Section 6.2, “VNS global settings”, on page
267.
RADIUS is a client/server authentication and authorization access protocol used
by a network access server (NAS) to authenticate users attempting to connect to
a network device. The NAS functions as a client, passing user information to one
or more RADIUS servers. The NAS permits or denies network access to a user
based on the response it receives from one or more RADIUS servers. RADIUS
uses User Datagram Protocol (UDP) for sending the packets between the
RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key
on the client, it must be the same as the one configured on the RADIUS servers.
The RADIUS clients and servers use the key to encrypt all RADIUS packets
transmitted. If you do not configure a RADIUS key, packets are not encrypted.
The key itself is never transmitted over the network.
Note: Before you configure the system to use RADIUS-based login
authentication, you must configure the Service-Type RADIUS attribute on the
RADIUS server. For more information, see the RADIUS-based login
authentication section in the HiPath Wireless Controller, Access Points and
Convergence Software Technical Reference Guide.
To configure the RADIUS login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen
is displayed.
3. Click the RADIUS Authentication tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
81
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
4. In the Authentication mode section, click Configure.
The Login Authentication Mode Configuration window is displayed.
5. Select the RADIUS checkbox.
If the Local checkbox is selected, deselect it.
6. Click OK.
7. From the drop-down list, located next to the Use button, select the RADIUS
Server that you want to use for the RADIUS login authentication, and then
click Use. The RADIUS Server’s name is displayed in the Configured
Servers box, and in the Auth section, and the following default values of the
RADIUS Server are displayed.
Note: The RADIUS Servers displayed in the list located against the Use
button are defined on Global Settings screen. For more information, see
Section 6.2, “VNS global settings”, on page 267.
82
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
The following values can be edited:
•
NAS IP address – The IP address of Network Access Server (NAS).
•
NAS Identifier – The Network Access Server (NAS) identifier. The NAS
identifier is a RADIUS attribute that identifies the server responsible for
passing information to designated RADIUS servers, and then acting on
the response returned.
•
Auth Type – The authentication protocol type (PAP, CHAP, MS-CHAP, or
MS-CHAP2).
•
Set as Primary Server – Specifies the primary RADIUS server when
there are multiple RADIUS servers.
8. To add additional RADIUS servers, repeat step 7.
Note: You can add up to three RADIUS servers to the list of login
authentication servers. When you add two or more RADIUS servers to the
list, you must designate one of them as the Primary server. The HiPath
Wireless Controller first attempts to connect to the Primary server. If the
Primary Server is not available, it tries to connect to the second and third
server according to their order in the Configured Servers box. You can
change the order of RADIUS servers in the Configured Servers box by
clicking on the Up and Down buttons.
9. Click Test to test connectivity to the RADIUS server.
Note: You can also test the connectivity to the RADIUS server after you save
the configuration.
If you do not test the RADIUS server connectivity, and you have made an
error in configuring the RADIUS-based login authentication mode, you will be
locked out of the HiPath Wireless Controller when you switch the login mode
to the RADIUS login authentication mode. If you are locked out, access
Rescue mode via the console port to reset the authentication method to local.
The following window is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
83
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
10. In the User ID and the Password boxes, type the user’s ID and the password,
which were configured on the RADIUS Server, and then click Test. The
RADIUS connectivity result is displayed.
Note: To learn how to configure the User ID and the Password on the
RADIUS server, refer to your RADIUS server’s user guide.
If the test is not successful, the following message will be displayed:
11. If the RADIUS connectivity test displays “Successful” result, click Save on the
RADIUS Authentication screen to save your configuration.
The following window is displayed:
12. If you tested the RADIUS server connectivity earlier in this procedure (steps
9 and 10), click No. If you click Yes, you will be asked to enter the RADIUS
server user ID and password. See step 10 for more information.
The following message is displayed:
13. To change the authentication mode to RADIUS authentication, click OK.
84
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
You will be logged out of the HiPath Wireless Controller immediately. You
must use the RADIUS login user name and password to log on the HiPath
Wireless Controller.
To cancel the authentication mode changes, click Cancel.
3.4.9.3 Configuring the local, RADIUS login authentication
mode
To configure the Local, RADIUS login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen
is displayed.
3. In the Authentication mode section, click Configure.
The Login Authentication Mode Configuration window is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
85
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
4. Select the Local and RADIUS checkboxes.
5. If necessary, select Local and use the Move Up button to move Local to the
top of the list.
6. Click OK.
7. On the Login Management screen, click Save.
For information on setting local login authentication settings, see Section 3.4.9.1,
“Configuring the local login authentication mode and adding new users”, on page
79.
For information on setting RADIUS login authentication settings, see Section
3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
3.4.9.4 Configuring the RADIUS, local login authentication
mode
To configure the RADIUS, Local login authentication mode:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Login Management. The Login Management screen
is displayed.
86
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. In the Authentication mode section, click Configure.
The Login Authentication Mode Configuration window is displayed.
4. Select the Local and RADIUS checkboxes.
5. If necessary, select RADIUS and use the Move Up button to move RADIUS
to the top of the list.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
87
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
6. Click OK.
7. On the Login Management screen, click Save.
For information on setting RADIUS login authentication settings, see Section
3.4.9.2, “Configuring the RADIUS login authentication mode”, on page 81.
For information on setting local login authentication settings, see Section 3.4.9.1,
“Configuring the local login authentication mode and adding new users”, on page
79.
3.4.10 Configuring SNMP
The HiPath Wireless Controller supports the Simple Network Management
Protocol (SNMP) for retrieving statistics and configuration information. If you
enable SNMP on the HiPath Wireless Controller, you can choose either
SNMPv3 or SNMPv1/v2 mode. If you configure the HiPath Wireless Controller to
use SNMPv3, then any request other than SNMPv3 request is rejected. The
same is true if you configure the HiPath Wireless Controller to use SNMPv1/v2.
To configure SNMP:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
88
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. In the SNMP Common Settings section, configure the following:
•
Mode — Select SNMPv1/v2c or SNMPv3 to enable SNMP.
•
Contact Name — The name of the SNMP administrator.
•
Location — The physical location of the HiPath Wireless Controller
running the SNMP agent.
•
SNMP Port — The destination port for the SNMP traps. Possible ports are
0–65555.
•
Forward Traps — The lowest severity level of SNMP trap that you want
to forward.
•
Publish AP as interface of controller — Enable or disable SNMP
publishing of the access point as an interface to the HiPath Wireless
Controller.
4. Continue with the appropriate procedure for configuring SNMPv1/v2cspecific or SNMPv3-specific parameters.
•
Section 3.4.10.1, “Configuring SNMPv1/v2c-specific parameters”
•
Section 3.4.10.2, “Configuring SNMPv3-specific parameters”
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
89
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3.4.10.1 Configuring SNMPv1/v2c-specific parameters
1. Configure the following parameters on the SNMPv1/v2c tab:
•
Read Community Name — The password that is used for read-only
SNMP communication.
•
Read/Write Community Name — The password that is used for write
SNMP communication.
•
Manager A — The IP address of the server used as the primary network
manager that will receive SNMP messages.
•
Manager B — The IP address of the server used as the secondary
network manager that will receive SNMP messages.
2. Click Save.
3.4.10.2 Configuring SNMPv3-specific parameters
1. Configure the parameters following on the SNMPv3 tab:
•
Context String — A description of the SNMP context.
•
Engine ID — The SNMPv3 engine ID for the HiPath Wireless Controller running
the SNMP agent. The engine ID must be from 5 to 32 characters long.
•
RFC3411 Compliant — The engine ID will be formatted as defined by
SnmpEngineID textual convention (that is, the engine ID will be
prepended with SNMP agents' private enterprise number assigned by
IANA as a formatted HEX text string).
2. Click Add User Account. The Add SNMPv3 User Account window
displays.
3. Configure the following parameters:
90
•
User — Enter the name of the user account.
•
Security Level — Select the security level for this user account. Choices
are: authPriv, authNoPriv, noAuthnoPriv.
•
Auth Protocol — If you have selected a security level of authPriv or
authNoPriv, select the authentication protocol. Choices are: MD5, SHA,
None.
•
Auth Password — If you have selected a security level of authPriv or
authNoPriv, enter an authentication password.
•
Privacy Protocol — If you have selected the security level of authPriv,
select the privacy protocol. Choices are: DES, None
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
•
Privacy Password — If you have selected the security level of authPriv,
enter a privacy password.
•
Engine ID — If desired, enter an engine ID. The ID can be between 5 and
32 bytes long, with no spaces, control characters, or tabs.
•
Trap Destination — If desired, enter the IP address of a trap destination.
4. Click OK. The Add SNMPv3 User Account window closes.
5. Repeat steps 2 through 4 to add additional users.
6. In the Trap 1 and Trap 2 sections, configure the following parameters:
•
Destination IP — The IP address of the machine monitoring SNMPv3 traps
•
User Name — The SNMPv3 user to configure for use with SNMPv3 traps
7. Click Save.
3.4.10.3 Editing an SNMPv3 User
To edit an SNMPv3 user:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. Click the SNMPv3 tab.
4. Select an SNMP user.
5. Click Edit Selected User. The Edit SNMPv3 User Account window
displays.
6. Edit the user configuration as desired.
7. Click OK. The Edit SNMPv3 User Account window closes.
8. Click Save.
3.4.10.4 Deleting an SNMPv3 User
To delete an SNMPv3 user:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click SNMP. The SNMP screen is displayed.
3. Click the SNMPv3 tab.
4. Select an SNMP user.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
91
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
5. Click Delete Selected User. You are prompted to confirm that you want to
delete the selected user.
6. Click OK.
3.4.11 Configuring network time
You should synchronize the clocks of the HiPath Wireless Controller and the
Wireless APs to ensure that the logs and reports reflect accurate time stamps. For
more information, see Chapter 11, “Working with reports and displays”.
The normal operation of the HiPath Wireless Controller will not be affected if you
do not synchronize the clock. The clock synchronization is necessary to ensure
that the logs display accurate time stamps. In addition, clock synchronization of
network elements is a prerequisite for the following configuration:
•
Mobility Manager
•
Session Availability
Network time synchronization
Network time is synchronized in one of two ways:
•
Using the system’s time – The system’s time is the HiPath Wireless
Controller’s time.
•
Using Network Time Protocol (NTP) – The Network Time Protocol is a
protocol for synchronizing the clocks of computer systems over
packet-switched data networks.
Note: If the HiPath Wireless Controller C2400 is left powered-down for more than
78 hours. In such a case, you must synchronize the network time, using the NTP
server. If the NTP server is not reachable, you must manually set the system to
the correct time.
The HiPath Wireless Controller automatically adjusts for any time change due to
Daylight Savings time.
3.4.11.1 Configuring the network time using the system’s time
To configure the network time, using the system’s time:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
92
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. From the Continent or Ocean drop-down list, click the appropriate
large-scale geographic grouping for the time zone.
4. From the Country drop-down list, click the appropriate country for the time
zone. The contents of the drop-down list change, based on the selection in
the Continent or Ocean drop-down list.
5. From the Time Zone Region drop-down list, click the appropriate time zone
region for the selected country.
6. Click Apply Time Zone.
7. In the System Time box, type the system time.
8. Click Set Clock.
9. The WLAN network time is synchronized in accordance with the HiPath
Wireless Controller’s time.
3.4.11.2 Configuring the network time using an NTP server
To configure the network time using an NTP server:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Network Time. The Network Time screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
93
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
3. From the Continent or Ocean drop-down list, click the appropriate
large-scale geographic grouping for the time zone.
4. From the Country drop-down list, click the appropriate country for the time
zone. The contents of the drop-down list change, based on the selection in
the Continent or Ocean drop-down list.
5. From the Time Zone Region drop-down list, click the appropriate time zone
region for the selected country.
6. Click Apply Time Zone.
7. In the System Time box, type the system time.
8. Select the Use NTP checkbox.
Note: If you want to use the HiPath Wireless Controller as the NTP Server,
select the Run local NTP Server checkbox, and then skip to Step 11.
9. In the Time Server 1 text box, type the IP address or FQDN (Full Qualified
Domain Name) of an NTP time server that is accessible on the enterprise
network.
10. Repeat for Time Server2 and Time Server3 text boxes.
If the system is not able to connect to the Time Server 1, it will attempt to
connect to the additional servers that have been specified in Time Server 2
and Time Server 3 text boxes.
11. Click Apply.
94
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Configuring the HiPath Wireless Controller for the first time
12. The WLAN network time is synchronized in accordance with the specified
time server.
3.4.12 Configuring DNS servers for resolving host
names of NTP and RADIUS servers
Since the Global Settings screen (Main Menu > Virtual Network
Configuration > Global Settings) allows you to set up NTP and RADIUS
servers by defining their host names, you have to configure your DNS servers to
resolve the host names of NTP and RADIUS servers to the corresponding IP
addresses.
Note: For more information on RADIUS server configuration, see Section 6.2.1,
“Defining RADIUS servers and MAC address format”, on page 269.
You can configure up to three DNS servers to resolve NTP and RADIUS server
host names to their corresponding IP addresses.
The HiPath Wireless Controller sends the host name query to the first DNS server
in the stack of three configured DNS servers. The DNS server resolves the
queried domain name to an IP address and sends the result back to the HiPath
Wireless Controller.
If for some reason, the first DNS server in the stack of configured DNS servers is
not reachable, the HiPath Wireless Controller sends the host name query to the
second DNS server in the stack. If the second DNS server is also not reachable,
the query is sent to the third DNS server in the stack.
To configure DNS servers for resolving host names of NTP and RADIUS
servers:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Host Attributes. The Host Attributes screen is
displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
95
hwc_startup.fm
Configuring the HiPath Wireless Controller
Using an AeroScout location based solution
3. In the DNS box, type the DNS server’s IP address in the Server Address
field and then click Add Server. The new server is displayed in the DNS
servers’ list.
Note: You can configure up to three DNS servers.
4. To save your changes, click Save.
3.5 Using an AeroScout location based solution
You can deploy your HiPath Wireless Controller and Wireless APs as part of an
AeroScout location based solution.
On the HiPath Wireless Controller, you configure the AeroScout server IP
address and enable the location based service. The AeroScout server is aware
only of the HiPath Wireless Controller IP address and is notified of the operational
APs by the Controller.
On the APs that you want to participate in the location based service, you enable
the location based service.
Note: Participating Wireless APs must use the 2.4 GHz band.
96
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Using an AeroScout location based solution
Once you have enabled the location based service on the HiPath Wireless
Controller and the participating Wireless APs, at least one of the participating
Wireless APs will receive reports from an AeroScout Wi-Fi RFID tag in the
2.4GHZ band. The tag reports are collected by the AP and forwarded to the
AeroScout server by encapsulating the tag reports in a WASSP tunnel and
routing them as IP packets through the HiPath Wireless Controller.
Note: Tag reports are marked with UP=CS5, and DSCP = 0xA0. On the HiPath
Wireless Controller, tag reports are marked with UP=CS5 to the core (if 802.1p
exists).
An AP’s tag report collection status is reported in the Wireless AP Inventory
report. For more information, see Section 11.8, “Viewing reports”, on page 467.
If availability is enabled, tag report transmission pauses on failed over APs until
they are configured and notified by the AeroScout server.
When AeroScout support is disabled on the HiPath Wireless Controller, the
HiPath Wireless Controller does not communicate with the AeroScout server and
the APs do not perform any AeroScout-related functionality.
Ensure that your AeroScout tags are configured to transmit on all nonoverlapping channels (1, 6 and 11) and also on channels above 11 for countries
where channels above 11 are allowed. Refer to AeroScout documentation for
proper deployment of the AeroScout location based solution.
To configure a HiPath Wireless Controller for use with an AeroScout
solution:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Location Based Service. The Location Based
Service screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
97
hwc_startup.fm
Configuring the HiPath Wireless Controller
Using an AeroScout location based solution
3. Select the Enable Location Based Service checkbox to enable the location
based service on the HiPath Wireless Controller.
4. In the Aeroscout Address field, enter the IP address of the AeroScout
server.
5. Click Save.
You must now assign Wireless APs to participate in the location based
service.
6. From the top menu, click Wireless APs. The All APs screen is displayed.
98
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_startup.fm
Configuring the HiPath Wireless Controller
Using an AeroScout location based solution
7. Select an AP.
8. Click Advanced. The Advanced window displays.
9. In the Location-based Service field, select Enable.
10. Click Close. The Advanced window closes.
11. Repeats steps 7 through 10 for each additional AP that you want to participate
in the location based service.
12. Click Save.
Note: You can also enable location based service on APs through the Location
based service field on the AP Multi-edit screen and the Advanced window of
the AP Default Settings screen.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
99
hwc_startup.fm
Configuring the HiPath Wireless Controller
Additional ongoing operations of the system
3.6 Additional ongoing operations of the system
Ongoing operations of the HiPath Wireless Controller, Access Points and
Convergence Software system can include the following:
•
HiPath Wireless Controller System Maintenance
•
Wireless AP Maintenance
•
Client Disassociate
•
Logs and Traces
•
Reports and Displays
For more information, see Chapter 12, “Performing system administration” or the
HiPath Wireless Controller, Access Points and Convergence Software
Maintenance Guide.
100
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
4 Configuring the Wireless AP
This chapter describes the Wireless access point (AP) and its role in the
Controller, Access Points and Convergence Software solution, including:
•
Wireless AP overview
•
Discovery and registration overview
•
Configuring the Wireless APs for the first time
•
Adding and registering a Wireless AP manually
•
Configuring Wireless AP settings
•
Configuring the default Wireless AP settings
•
Modifying a Wireless AP’s properties based on a default AP configuration
•
Modifying the Wireless AP’s default setting using the Copy to Defaults feature
•
Configuring multiple Wireless APs simultaneously
•
Configuring co-located APs in load balance groups
•
Configuring AP clusters
•
Converting the Wireless Standalone 802.11n AP to standalone mode
•
Configuring an AP as a sensor
•
Performing Wireless AP software maintenance
4.1 Wireless AP overview
The Wireless AP uses the 802.11 wireless standards (802.11a/b/g/n) for network
communications and bridges network traffic to an Ethernet LAN. The Wireless AP
runs proprietary software that allows it to communicate only with the HiPath
Wireless Controller.
The Wireless AP physically connects to a LAN infrastructure and establishes an
IP connection to the HiPath Wireless Controller, which manages the Wireless AP
configuration through the HiPath Wireless Assistant. The HiPath Wireless
Controller also provides centralized management (verification and upgrade) of
the Wireless AP firmware image.
A UDP-based protocol enables communication between the Wireless AP and the
HiPath Wireless Controller. The UDP-based protocol encapsulates IP traffic from
the Wireless AP and directs it to the HiPath Wireless Controller. The HiPath
Wireless Controller decapsulates the packets and routes them to the appropriate
destinations, while managing sessions and applying policies.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
101
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
Deploying a Wireless AP with external antennas
Some Wireless AP models support external antennas. The external antennas are
individually certified and determine the available channel list and the maximum
transmitting power for the country in which the Wireless AP is deployed. The
following Wireless AP models support external antennas:
•
AP2620 – The Wireless AP 2620 is a HiPath Standard Wireless AP model.
•
AP2660 – The Wireless AP 2660 is a HiPath Wireless Outdoor AP model.
•
AP3620 – The Wireless AP 3620 is a HiPath Wireless 802.11n AP model.
•
AP4102/4102C – The AP4102 and AP4102C access points are 802.11a/b/g
AP models.
When you deploy a Wireless AP with external antennas, you must:
•
Configure the Wireless AP to indicate if the external antennas, and not the
Wireless AP, are deployed indoor or outdoor.
•
Configure the antenna selection for the Wireless AP.
Note: An individual HiPath Wireless AP cannot support an indoor mounted
antenna and an outdoor mounted antenna simultaneously. The AP4102/4102C,
however, can support both indoor and outdoor antennas simultaneously.
Deploying a Wireless AP with external antennas is part of the Wireless AP
configuration process. For more information, see Section 4.4, “Configuring
Wireless AP settings”, on page 136.
4.1.1 HiPath Standard Wireless AP
The HiPath Standard Wireless AP is available in the following models:
•
AP2610 – Internal antenna, internal dual (multimode) diversity antennas
•
AP2620 – External antenna (dual external antennas), RP-SMA connectors
•
AP2605 – Two external, non-detachable antennas
•
AP4102/4102C – Integrated and external antenna
Each model, except for the AP4102/4102C APs, has two radios — Radio 1 and
Radio 2. Figure 5 shows a block diagram of the HiPath Standard Wireless AP
equipped with external antennas.
102
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
4.1.1.1 HiPath Standard Wireless AP radios
Note: The following access point radio discussion does not apply to the
AP4102/4102C access points. For more information on the AP4102/4102C
access points, see Section 4.1.1.2, “AP4102/4102C Access Points”, on page
105.
The HiPath Standard Wireless AP is equipped with two radios — Radio 1 and
Radio 2.
•
Radio 1 supports the 5 GHz radio, with radio mode a.
•
Radio 2 supports the 2.4 GHz radio, with radio modes b, g, and b/g.
Radio 1 and Radio 2 are connected to both external antennas — EA1 and EA2.
The following is a block diagram of the HiPath Standard Wireless AP equipped
with external antennas.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
103
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
Figure 5
HiPath Standard Wireless AP’s Baseband
Figure 5 illustrates the following:
104
•
The HiPath Standard Wireless AP has two radios — Radio 1 and Radio 2.
•
Radio 1 supports the 5 GHz radio, with radio mode a.
•
Radio 2 supports the 2.4 GHz radio, with radio modes b, g, and b/g.
•
Radio 1 and Radio 2 are connected to both external antennas — EA1 and
EA2.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
5 GHz radio supporting the 802.11a standard – The 802.11a standard is an
extension to 802.11 that applies to wireless LANs and provides up to 54 Mbps in
the 5-GHz band. The 802.11a standard uses an orthogonal frequency division
multiplexing encoding scheme, rather than Frequency-Hopping Spread Spectrum
(FHSS) or Direct-Sequence Spread Spectrum (DSSS).
2.4 GHz radio supporting the 802.11b/g standards – The 802.11g standard
applies to wireless LANs and specifies a transmission rate of 54 Mbps. The
802.11b (High Rate) standard is an extension to 802.11 that specifies a
transmission rate of 11 Mbps. Since 802.11g uses the same communication
frequency range as 802.11b (2.4 GHz), 802.11g devices can co-exist with
802.11b devices on the same network.
The radios are enabled or disabled through the HiPath Wireless Assistant. Both
radios can be enabled to offer service simultaneously. For more information, see
Section 4.4.5.3, “Modifying Wireless AP 2610/2620 radio properties”, on page
167.
The Unlicensed National Information Infrastructure (U-NII) bands are three
frequency bands of 100 MHz each in the 5 GHz band, designated for short-range,
high-speed, wireless networking communication.
The Wireless AP supports the full range of 802.11a:
•
5.15 to 5.25 GHz – U-NII Low Band
•
5.25 to 5.35 GHz – U-NII Middle Band
•
5.47 to 5.725 GHz – UNII 2+
•
5.725 to 5.825 GHz – U-NII High Band
4.1.1.2 AP4102/4102C Access Points
The AP4102 and AP4102C access points are Enterasys manufactured access
points that run HiPath WLAN software. The AP4102/4102C access point has 2
integrated dual-band antennas. Diversity, which is the use of two antennas to
increase the odds that a better radio stream is received on either of the antennas,
is supported only with integrated antennas.
The available external antennas for the AP4102/4102C access point are:
•
Left antenna:
•
RBT4K - AG - IA, 2 dBi
•
RBTES - BG - M08M, 8dBi
•
RBTES - BG - P18M, 18 dBi
•
RBTES - BG - S1490M, 14 dBi
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
105
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
•
Right antenna:
•
RBT4K - AG - IA, 4 dBi
•
RBTES - AH - M10M, 110 dBi
•
RBTES - AH - P23M, 23 dBi
•
RBTES - AM - M10M, 10 dBi
•
RBTES - AW - S1590M, 15 dBi 90 Deg
•
RBTES - AW - S1590M, 16 dBi 60 Deg
The antenna selection automatically restricts channels and respective power
settings according to certifications.
4.1.2 HiPath Wireless Outdoor AP
The HiPath Wireless Outdoor AP is also referred to as the Outdoor AP. The
HiPath Wireless Outdoor AP enables you to extend your Wireless LAN beyond
the confines of indoor locations. The HiPath Wireless Outdoor AP is resistant to
harsh outdoor conditions and extreme temperatures. Using the advanced
wireless distribution feature of the HiPath Wireless LAN, the HiPath Wireless
Outdoor AP can extend your Wireless LAN to outdoor locations without Ethernet
cabling. A mounting bracket is available to enable quick and easy mounting of the
HiPath Wireless Outdoor APs to walls, rails, and poles.
The HiPath Wireless Outdoor AP supports 802.11a, 802.11g, and full backward
compatibility with legacy 802.11b devices.
The HiPath Wireless Outdoor AP is available in two models:
•
AP2650 – Internal antenna, internal dual (multimode) diversity antennas
•
AP2660 – External antenna (dual external antennas), RP-SMA connectors
Note: Any Outdoor AP model number in the Hardware Version box on the AP
Properties tab that ends with -1 is an Outdoor AP that contains the new Siemens
radio card. For example, the HiPath Wireless AP2650-1 Internal.
106
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
4.1.3 HiPath Wireless 802.11n AP
The HiPath Wireless 802.11n AP delivers total data rates of up to 300 Mbps,
depending on its configuration. The improved throughput of 300 Mbps is spread
over a number of simultaneous users so that the Wireless 802.11n AP provides
mobile users with an experience similar to that of a wired 100 Mbps Ethernet
connection — the standard for desktop connectivity.
To configure the HiPath Wireless 802.11n AP to achieve this high link rate, see
Section 4.4.5.2, “Achieving high throughput with the Wireless 802.11n AP”, on
page 165.
Note: The Wireless 802.11n AP is backward-compatible with existing
802.11a/b/g networks.
Note: The Wireless 802.11n AP cannot operate as a stand-alone access point.
MIMO
The mainstay of 802.11 AP is MIMO (multiple input, multiple output) — a
technology that uses advanced signal processing with multiple antennas to
improve the throughput. MIMO takes advantage of multipath propagation to
decrease packet retries to improve the fidelity of the wireless network.
The 802.11n AP’s MIMO radio sends out one or two radio signals through its three
antennas. Each of these signals is called a spatial stream. Because the location
of the antennas on the 802.11n AP is spaced out, each spatial stream follows a
slightly different path to the client device. Furthermore, the two spatial streams get
multiplied into several streams as they bounce off the obstructions in the vicinity.
This phenomenon is called multipath. Since these streams are bounced from
different surfaces, they follow different paths to the client device. The client
device, which is also 802.11n compliant, also has multiple antennas. Each of the
antennas independently decodes the arriving signal. Then each antenna’s
decoded signal is combined with the decoded signals from the other antennas.
The software algorithm uses the redundancy to extract one or two spatial streams
and enhances the streams’ ‘signal to noise ratio’.
The client device too sends out one or two spatial streams through its multiple
antennas. These spatial streams get multiplied into several steams as they
bounce off the obstructions in the vicinity en route to the 802.11n AP. The 802.11n
AP's MIMO receiver receives these multiple streams with three antennas. Each
of the three antennas independently decodes the arriving signal. Then each
antennas's decoded signal is combined with the decoded signals from the other
antennas. The 802.11n AP's MIMO receiver again uses the redundancy to extract
one or two spatial streams and enhances the streams' ‘signal to noise ratio.’
By using the multiple streams, MIMO doubles the throughput.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
107
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
Figure 6
MIMO in HiPath Wireless 802.11n AP
Note: MIMO should not be confused with the Diversity feature. While Diversity
is the use of two antennas to increase the odds that a better radio stream is
received on either of the antennas, MIMO antennas radiate and receive multistreams of the same packet to achieve the increased throughput.
The Diversity feature is meant to offset the liability of RF corruption, arising out
of multipath, whereas MIMO converts the liability of multipath to its advantage.
Because the 802.11n AP operates with multiple antennas, it is capable of picking
up even the weakest signals from the client devices.
Channel bonding
In addition to MIMO technology, the 802.11n AP makes a number of additional
changes to the radio to increase the effective throughput of the Wireless LAN.
The radios of regular HiPath Wireless APs use radio channels that are 20 MHz
wide. This means that the channels must be spaced at 20 MHz to avoid
108
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
interference. The radios of 802.11n AP can use two channels at the same time to
create a 40 MHz wide channel. By using the two 20 MHz channels in this manner,
the 802.11n AP achieves more than double throughput. The 40-MHz channels in
802.11n are two adjacent 20-MHz channels, bonded together. This technique of
using two channels at the same time is called channel bonding.
Shortened guard interval
The purpose of the guard interval is to introduce immunity to propagation delays,
echoes and reflections of symbols in orthogonal frequency division multiplexing
(OFDM) — a method by which information is transmitted via a radio signal in
Wireless APs.
In OFDM, the beginning of each symbol is preceded by a guard interval. As long
as the echoes fall within this interval, they will not affect the safe decoding of the
actual data, as data are only interpreted outside the guard interval. Longer guard
periods reduce the channel efficiency. The 802.11n AP provides reduced guard
periods, thereby increasing the throughput.
MAC enhancements
The 802.11n AP also has an improved MAC layer protocol that reduces overhead
(in the MAC layer protocol) and contention losses. This results in increased
throughput.
Models
The Wireless 802.11n AP is available in the following models:
•
Model AP3605 – Six internal antennas
•
Model AP3610 – Six internal antennas
•
Model AP3620 – Three external antennas
Note: Any Wireless 802.11n AP model number in the Hardware Version box on
the Properties tab that ends with -1 is a Wireless 802.11n AP that has its DFS
channels disabled. For more information, see Appendix B.
Environment
The Wireless 802.11n AP cannot be deployed in an outdoor environment.
4.1.3.1 HiPath Wireless 802.11n AP’s radios
The HiPath Wireless 802.11n AP is equipped with two radios — Radio 1 and
Radio 2. The following is a block diagram of the HiPath Wireless 802.11n AP
equipped with external antennas.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
109
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
Figure 7
HiPath Wireless 802.11n AP’s Baseband
Figure 7 illustrates the following:
110
•
The HiPath Wireless 802.11n AP has two radios — Radio 1 and Radio 2.
•
Radio 1 supports the 5 GHz radio, with radio modes a and a/n.
•
Radio 2 supports the 2.4 GHz radio, with radio modes b, b/g, and b/g/n.
•
Radio 1 and Radio 2 are connected to all three antennas — EA1, EA2, and
EA3.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
5 GHz radio supporting the 802.11a/n standard — When in legacy 802.11a
mode, the AP36xx supports data rates up to 54Mbps, identical to the AP26xx.
The modulation used is OFDM. In 802.11n mode there are 2 supported channel
bandwidths, 20MHz and 40MHz. The 802.11n AP supports up to 300Mbps in
40MHz channels and 130Mbps in 20MHz channels. The modulation used is
MIMO-OFDM with one or two spatial streams.
2.4 GHz radio supporting the 802.11b/g/n standard — When in legacy
802.11b/g mode, the AP36xx supports data rates up to 54Mbps, identical to the
AP26xx. The modulation used is OFDM for 11g and CCK for 11b. In 802.11n
mode there are 2 supported channel bandwidths, 20MHz and 40MHz. The
AP36xx supports up to 300Mbps in 40MHz channels and 130Mbps in 20MHz
channels. The modulation used is MIMO-OFDM with one or two spatial streams.
The radios are enabled or disabled through the HiPath Wireless Assistant. For
more information, see Section 4.4.5.1, “Modifying Wireless 802.11n AP
3610/3620 radio properties”, on page 148.
The Unlicensed National Information Infrastructure (U-NII) bands are three
frequency bands of 100 MHz each in the 5 GHz band, designated for short-range,
high-speed, wireless networking communication.
The 802.11n AP supports the full range of frequencies available in the 5GHz
band:
•
5150 to 5250 MHz - U-NII Low band
•
5250 to 5350 MHz - U-NII middle band
•
5470 to 5700 MHz - U-NII Worldwide
•
5725 to 5825 MHz - U-NII high band
Note: The Wireless 802.11n AP can achieve link rates of up to 300Mbps. To
achieve this level of high link rates, specific items need to be configured through
the HiPath Wireless Assistant. For more information, see Section 4.4.5.2,
“Achieving high throughput with the Wireless 802.11n AP”, on page 165.
4.1.4 Wireless AP international licensing
The Wireless AP must be configured to operate on the appropriate radio band in
accordance with the regulations of the country in which it is being used. For more
information, see Appendix B.
To configure the appropriate radio band according to the country of operation, use
the HiPath Wireless Assistant. For more information, see Section 4.4,
“Configuring Wireless AP settings”, on page 136.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
111
hwc_apstartup.fm
Configuring the Wireless AP
Wireless AP overview
4.1.5 Wireless AP default IP address and first-time
configuration
The Wireless APs are shipped from the factory with a default IP address —
192.168.1.20. The default IP address simplifies the first-time IP address
configuration process for Wireless APs. If the Wireless AP fails in its discovery
process, it returns to its default IP address. This Wireless AP behavior ensures
that only one Wireless AP at a time can use the default IP address on a subnet.
For more information, see Section 4.2, “Discovery and registration overview”, on
page 113.
The Wireless APs can acquire their IP addresses by one of two methods:
•
DHCP assignment – When the Wireless AP is powered on, it attempts to
reach the DHCP server on the network to acquire the IP address. If the
Wireless AP is successful in reaching the DHCP server, the DHCP server
assigns an IP address to the Wireless AP.
•
If the DHCP assignment is not successful in the first 60 seconds, the
Wireless AP returns to its default IP address.
•
The Wireless AP waits for 30 seconds in default IP address mode before
again attempting to acquire an IP address from the DHCP server.
•
The process repeats itself until the DHCP assignment is successful, or
until an administrator assigns the Wireless AP an IP address, using static
configuration.
Note: DCHP assignment is the default method for the Wireless AP
configuration. DHCP assignment is part of the discovery process. For more
information, see Section 4.2, “Discovery and registration overview”, on page
113.
•
Static configuration – You can assign a static IP address to the Wireless AP,
using the static configuration option. For more information, see the following
section.
Note: You can establish a telnet or SSH session with the Wireless AP during
the time window of 30 seconds when the Wireless AP returns to its default IP
address mode. If a static IP address is assigned during this period, you must
reboot the Wireless AP for the configuration to take effect. For more
information, see Section 4.1.6, “Assigning a static IP address to the Wireless
AP”, on page 113.
112
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.1.6 Assigning a static IP address to the Wireless AP
Depending upon the network condition, you can assign a static IP address to the
Wireless AP using the HiPath Wireless Assistant (Controller’s GUI). Refer to
Section 4.4.6, “Setting up the Wireless AP using static configuration”, on page
179 for more information.
4.2 Discovery and registration overview
When the Wireless AP is powered on, it automatically begins a discovery process
to determine its own IP address and the IP address of the HiPath Wireless
Controller. When the discovery process is successful, the Wireless AP registers
with the HiPath Wireless Controller.
Warning: Only use power supplies that are recommended by Siemens. For
example, for the Wireless 802.11n AP use WS-PS361020-MR (AP3610/AP3620
AC Power Supply-Multi-Region).
4.2.1 Wireless AP discovery
Wireless APs discover the IP address of a HiPath Wireless Controller using a
sequence of mechanisms that allow for the possible services available on the
enterprise network. The discovery process is successful when the Wireless AP
successfully locates a HiPath Wireless Controller to which it can register.
Ensure that the appropriate services on your enterprise network are prepared to
support the discovery process. The following steps summarize the discovery
process:
1. Use the IP address of the last successful connection to a HiPath Wireless
Controller.
Once a Wireless AP has successfully registered with a HiPath Wireless
Controller, it recalls that controller's IP address, and uses that address on
subsequent reboots. The Wireless AP bypasses discovery and goes straight
to registration.
If this discovery method fails, it cycles through the remaining steps until
successful.
2. Use the predefined static IP addresses for the HiPath Wireless Controllers on
the network (if configured).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
113
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
You can specify a list of static IP addresses of the HiPath Wireless Controllers
on your network. On the Static Configuration tab, add the addresses to the
Wireless Controller Search List.
Caution: Wireless APs configured with a static Wireless Controller Search
List can only connect to HiPath Wireless Controllers in the list. Improperly
configured Wireless APs cannot connect to a non-existent HiPath Wireless
Controller address, and therefore cannot receive a corrected configuration.
3. Use Dynamic Host Configuration Protocol (DHCP) Option 60 to query the
DHCP server for available HiPath Wireless Controllers. The DHCP server will
respond to the Wireless AP with Option 43, which will list the available HiPath
Wireless Controllers.
For the DHCP server to respond to a Wireless AP’s Option 60 request, you
must configure the DHCP server with the vendor class identifier (VCI) for
each Wireless AP. You must also configure the DHCP server with the IP
addresses of the HiPath Wireless Controllers. For more information, refer to
HiPath Wireless Controller, Access Points and Convergence Software V7.21
Getting Started Guide.
4. Use a Domain Name Server (DNS) lookup for the host name
Controller.domain-name.
The Wireless AP tries the DNS server if it is configured in parallel with SLP
unicast and SLP multicast.
If you use this method for discovery, place an A record in the DNS server for
Controller.. The  is optional, but if used,
ensure it is listed with the DHCP server.
5. Use a multicast SLP request to find SLP SAs
The Wireless AP sends a multicast SLP request, looking for any SLP Service
Agents providing the Siemens service.
The Wireless AP will try SLP multicast in parallel with other discovery
methods.
6. Use DHCP Option 78 to locate a Service Location Protocol (SLP) Directory
Agent (DA), followed by a unicast SLP request to the Directory Agent.
To use the DHCP and unicast SLP discovery method, you must ensure that
the DHCP server on your network supports Option 78 (DHCP for SLP
RFC2610). The Wireless APs use this method to discover the HiPath
Wireless Controller.
This solution takes advantage of two services that are present on most
networks:
•
114
DHCP (Dynamic Host Configuration Protocol) – The standard is a
means of providing IP addresses dynamically to devices on a network.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
•
SLP (Service Location Protocol) – A means of allowing client
applications to discover network services without knowing their location
beforehand. Devices advertise their services using a Service Agent (SA).
In larger installations, a Directory Agent (DA) collects information from
SAs and creates a central repository (SLP RFC2608).
The HiPath Wireless Controller contains an SLP SA that, when started,
queries the DHCP server for Option 78 and if found, registers itself with the
DA as service type Siemens. The HiPath Wireless Controller contains a DA
(SLPD).
The Wireless AP queries DHCP servers for Option 78 to locate any DAs. The
Wireless APs SLP User Agent then queries the DAs for a list of Siemens SAs.
Option 78 must be set for the subnets connected to the ports of the HiPath
Wireless Controller and the subnets connected to the Wireless APs. These
subnets must contain an identical list of DA IP addresses.
4.2.2 Registration after discovery
Any of the discovery steps 2 through 6 can inform the Wireless AP of a list of
multiple IP addresses to which the Wireless AP may attempt to connect. Once the
Wireless AP has discovered these addresses, it sends out connection requests
to each of them. These requests are sent simultaneously. The Wireless AP will
attempt to register only with the first which responds to its request.
When the Wireless AP obtains the IP address of the HiPath Wireless Controller,
it connects and registers, sending its serial number identifier to the HiPath
Wireless Controller, and receiving from the HiPath Wireless Controller a port IP
address and binding key.
Once the Wireless AP is registered with a HiPath Wireless Controller, you must
configure the Wireless AP. After the Wireless AP is registered and configured,
you can assign it to a Virtual Network Services (VNS) to handle wireless traffic.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
115
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.2.1 Default Wireless AP configuration
Default Wireless AP configuration, which simplifies the registration after
discovery process, acts as a configuration template that can be automatically
assigned to new registering Wireless APs. The default Wireless AP configuration
allows you to specify common sets of radio configuration parameters and VNS
assignments for Wireless APs. For more information, see Section 4.5.3,
“Configuring the default Wireless AP settings”, on page 196.
4.2.3 Understanding the Wireless AP LED status
When you power on and boot the Wireless AP, you can follow its progress
through the registration process by observing the LED sequence as described in
the following sections:
•
Section 4.2.3.1, “HiPath Wireless AP LED status”
•
Section 4.2.3.2, “HiPath Wireless Outdoor AP LED status”
•
Section 4.2.3.3, “HiPath Wireless 802.11n AP LED status”
•
Section 4.2.3.4, “AP4102 and AP2605 LED status”
After you power on and boot the Wireless AP for the first time, you can configure
LED behavior as described in Section 4.2.3.5, “Configuring Wireless AP LED
behavior”.
116
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.3.1 HiPath Wireless AP LED status
The following figure depicts the location of the three LEDs on the HiPath Wireless
AP.
Status
Left LED
LED
2.4 GHz
radio activity
Figure 8
Right LED
5 GHz radio
activity
HiPath Wireless AP LEDs
Warning: Never disconnect a Wireless AP from its power supply during a
firmware upgrade.
Disconnecting a Wireless AP from its power supply during a firmware upgrade
may cause firmware corruption rendering the AP unusable.
LED color codes
The AP LEDs indicate “normal-operation”, “warning/special”, or “failed” state of
the Wireless AP in the following color codes:
•
Green – Indicates the normal-operation state.
•
Orange/Amber – Indicates the warning, or special state such as WDS.
•
Red – Indicates the error state.
•
Blinking – Indicates that the state, such as initialization, or discovery is in
progress.
•
Steady – Indicates that the state is stable/completed. For example,
initialization finished, or discovery completed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
117
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Center LED
The Center LED indicates the general status of the Wireless AP:
Center LED
HiPath Wireless AP’s status
Blinking Green
Initialization and discovery in progress via Ethernet link
Blinking Orange/Amber
Initialization and discovery in progress via WDS link
Blinking Red
Error during initialization/discovery process
Solid Red
Irrecoverable error
Solid Green
Discovery finished via Ethernet link
Solid Orange/Amber
Discovery finished via WDS link
Table 3
Center LED and Wireless AP’s status
Left LED
The Left LED indicates the high-level state of the Wireless AP during the
initialization and discovery process:
Left LED
HiPath Wireless AP’s high-level state
Off
Initialization
Blinking Green
Network Discovery
Solid Green
Connecting with the HiPath Wireless Controller
Table 4
Left LED and Wireless AP’s high-level state
Left and Right LEDs
The Right LED indicates the detailed state during the initialization and discovery
processes:
Left LED
Right LED
HiPath Wireless AP’s detailed state
Off
Off
Initialization: Power-on self-test (POST)
Blinking Green
Initialization: Random delay
Solid Green
Initialization: Vulnerable period
Off
Network Discovery: 802.1x authentication
Blinking Green
Network Discovery: Attempting to obtain IP
address via DHCP
Solid Green
Network Discovery: Discovered HiPath Wireless
Controller
Off
Connecting to HiPath Wireless Controller:
Attempting to register with the HiPath Wireless
Controller
Blinking Green
Connecting to HiPath Wireless Controller:
Upgrading to higher version
Solid Green
Connecting to HiPath Wireless Controller:
Configuring itself
Blinking Green
Solid Green
Table 5
118
Left and Right LEDs and Wireless AP’s detailed state
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Composite view of the three LEDs
The Center, Left and the Right LEDs work in conjunction to indicate the general,
high-level state and the detailed state respectively.
Table 6 provides a composite view of the three LED lights of the Wireless AP’s
state:
Left LED
Right LED
Center LED
HiPath Wireless AP’s Detailed
state
Off
Off
Blinking Green
Initialization: Power-on self-test
(POST)
Blinking Green
Blinking Green
Initialization: Random delay
Blinking Red
Initialization: Neither Ethernet nor
WDS link
Blinking Green
Initialization: Vulnerable period
Blinking Red
Reset to factory defaults
Solid Green
Blinking Orange WDS scanning
Blinking Green
Off
Blinking Green
Solid Green
Solid Green
Off
Blinking Green
Solid Green
Table 6
Blinking
Green/Orange
Network discovery: 802.1x
authentication
Blinking Red
Failed 802.1x authentication
Blinking
Green/Orange
Network discovery: DHCP
Blinking Red
Default IP address
Blinking
Green/Orange
Network discovery: HWC
discovery / connect
Blinking Red
Discovery failed
Blinking
Green/Orange
Connecting with HiPath Wireless
Controller: Registration
Blinking Red
Registration failed
Blinking
Green/Orange
Connecting with HiPath Wireless
Controller: Image upgrade
Solid Green/
Orange
AP operating normally: Forced
image upgrade
Blinking Red
Image upgrade failed
Blinking
Green/Orange
Connecting with HiPath Wireless
Controller: Configuration
Blinking Red
Configuration failed
Composite view of three LED lights
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
119
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Note: The Left and Right LEDs turn on after the Center LED. This allows you to
distinguish easily between the Center LED and the Left/Right LEDs.
Note: If the Center LED begins blinking RED, it indicates that the Wireless AP’s
state has failed.
Note: Random delays do not occur during normal reboot. A random delay only
occurs after a vulnerable period power-down.
The Wireless AP can be reset to its factory default settings. For more information,
see the HiPath Wireless Controller, Access Points and Convergence Software
Maintenance Guide.
LEDS indicating WDS strength for AP2610 and AP2620
The AP indicates the WDS signal strength as a bar graph. To avoid confusion with
startup LED behavior, the patterns go from right to left and an LED is always
blinking at least twice as fast as the LEDs in normal mode.
Table 7 illustrates the behavior of the three LED lights of the Wireless AP’s WDS
strength.
LED
RSS (dBm)
Left LED
Middle LED
Right LED
RSS < -84
Off
Off
Blinking green
-84 < RSS < -77
Off
Off
FastBlinking
green
-77 < RSS < -70
Off
Blinking green
Solid green
-70 < RSS < -63
Blinking green
Solid green
Solid green
RSS < -63
Fast Blinking green
Solid green
Solid green
Table 7
120
AP2610 and AP2620 LEDs indicating Signal Strength
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.3.2 HiPath Wireless Outdoor AP LED status
The following figure depicts the location of the LEDs on the HiPath Wireless
Outdoor AP.
Figure 9
HiPath Wireless Outdoor AP LEDs.
The R1, R2 and F LEDs work in conjunction to indicate the general, high-level
and detailed state respectively. The remaining LEDs indicate link status.
Table 8 provides a composite view of the R1, R2 and F LEDs:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
121
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
R1 LED
R2 LED
F LED
HiPath Wireless Outdoor AP’s
detailed status
Off
Off
Blinking Red
Initialization: Power-on-self test (POST)
Blinking
Green
Blinking Red
Initialization: Random delay
Solid Green
Blinking Red
Initialization: Vulnerable Period
Solid Red
Reset to factory defaults
Blinking Red
WDS scanning
Blinking Red
Network discovery: 802.1x
authentication
Solid Red
Failed 802.1x authentication
Solid Green
Blinking
Off
Green/Yellow
Solid Green
Blinking
Blinking Red
Green/Yellow
Solid Red
Default IP address
Solid
Blinking Red
Green/Yellow
Network discovery: HWC
discovery/connect
Off
Solid Red
Discovery failed
Blinking Red
Connecting with HWC: Registration
Solid Red
Registration failed
Blinking
Blinking Red
Green/Yellow
Solid Red
Connecting with HWC: Image upgrade
Solid
Blinking Red
Green/Yellow
Solid Red
Connecting with HWC: Configuration
Blinking
Off
Green/Yellow
AP operating and running normally:
Forced image upgrade
Solid Red
Table 8
Network discovery: DHCP
Image upgrade failed
Configuration failed
Image upgrade failed
HiPath Wireless Outdoor AP LED status
Note: After discovery is finished, the Left and Right LEDs will be Green for
Ethernet uplink, and Yellow for WDS uplink.
Note: If a fatal AP error occurs, the Status LED will be solid Red.
LEDS indicating WDS strength for AP2650 and AP2660
The AP indicates the WDS signal strength as a bar graph. To avoid confusion with
startup LED behavior, the patterns go from right to left and an LED is always
blinking at least twice as fast as the LEDs in normal mode.
Table 9 illustrates the behavior of the LED in WDS Signal Strength for AP models
AP2650 and AP2660.
122
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
RSS (dBm)
LED
L1
PoE
P1
R1
R2
RSS < -84
Off
Off
Off
Off
Off
Blinking green
-84 < RSS < -77
Off
Off
Off
Off
Off
Fast Blinking
green
-77 < RSS < -70
Off
Off
Off
Off
Blinking green Solid green
-70 < RSS < -63
Off
Off
Off
Blinking green Solid green
Solid green
-63 < RSS < -56
Off
Off
Blinking green
Solid green
Solid green
Solid green
-56 < RSS < -49
Off
Blinking
green
Solid green
Solid green
Solid green
Solid green
-49 < RSS < -42
Blinking green
Solid green
Solid green
Solid green
Solid green
Solid green
RSS < -42
Fast Blinking
green
Solid green
Solid green
Solid green
Solid green
Solid green
Table 9
AP2650 and AP2660 LEDs indicating Signal Strength
4.2.3.3 HiPath Wireless 802.11n AP LED status
Figure 10 depicts the location of the LEDs on the HiPath Wireless 802.11n.
Figure 10
HiPath Wireless 802.11n AP LEDs
LEDs L1, L3, and L4 work in conjunction to indicate the general, high-level, and
detailed state respectively. LED L2 indicates the status of the Ethernet port.
After initialization and discovery is completed and the 802.11n AP is connected
to the HiPath Wireless Controller, LEDs L3 and L4 indicate the state of the
corresponding radio — L3 for Radio 5 GHz, and L4 for Radio 2.4 GHz.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
123
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
LEDs color codes
The 802.11n AP LEDs indicate “normal-operation”, “warning/special”, or “failed”
state of the Wireless AP in the following color codes:
LED Color/State
Description
Green
Normal operational state.
Orange/amber
Warning or special state, such as WDS.
Blinking
AP state, such as initialization or discovery, is in progress.
Red
Error state
Steady color
AP state is stable; process is completed. For example, initialization
is finished or discovery completed.
Table 10
LED color codes
LED L1
LED L1 indicates the general state of the 802.11n AP:
L1
HiPath Wireless 802.11n AP’s general state
Blink Green
Initialization and discovery in progress via Ethernet
Blink Amber
Initialization and discovery in progress via WDS
Blink Red
Error during initialization and discovery
Solid Green
Discovery finished via Ethernet
Solid Amber
Discovery finished via WDS
Table 11
LED L1 and Wireless AP’s status
LEDs L3 and L4
LEDs L3 and L4 indicate the detailed state of the Wireless AP. LEDs L1, L3, and
L4 work in conjunction to indicate the general and detailed state of the 802.11n
AP.
124
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Table 12 provides a composite view of the three LEDs and the corresponding
state of the 802.11n AP:
L3
L4
L1
HiPath Wireless 802.11n AP’s detailed state
Off
Off
Blink Green Initialization: Power-on self test (POST)
Blink Green Blink Green
Blink Red
Solid Green Blink Green
Blink Red
Blink Amber
Blink
Green
Off
Blink Green Network discovery: 802.1x authentication
/ Orange
Blink Red
Failed 802.1x authentication
Blink Green Blink Green Network discovery: DHCP
/ Amber
Blink Red
Default IP address
Solid Green Blink Green Network discovery: HWC discovery / connect
/ Amber
Blink Red
Solid
Green
Off
Discovery failed
Blink Green Connecting to HWC: Registration
/ Amber
Blink Red
Registration failed
Blink Green Blink Green Connecting to HWC: Image upgrade
Amber
Solid Green AP operating normally: Forced image upgrade
/ Amber
Blink Red
Image upgrade failed
Solid Green Blink Green Connecting to HWC: Configuration
/ Amber
Blink Red
Table 12
Configuration failed
LEDs L3, L4 and L1, and Wireless 802.11n AP’s detailed state
After initialization and discovery is completed and the 802.11n AP is connected
to the HiPath Wireless Controller, the LEDs L3 and L4 indicate the state of the
corresponding radio — L3 for Radio 5 GHz, and L4 for Radio 2.4 GHz.
Figure 10 provides a view of the LEDs L3 and L4 and the corresponding radio
state after the discovery is completed.
L3/L4
Radio status
Off
Radio off
Solid Blue
Radio in HT mode
Solid Green
Radio in legacy mode
Table 13
LEDs L3 and L4, and corresponding radio state
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
125
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
LED L2
The LED L2 indicates the status of the Ethernet port:
L2
Ethernet port’s status
Off
No Ethernet connection: WDS is enabled
Solid Blue
1 Gb Ethernet connection
Solid Green
100 Mb Ethernet connection
Solid Amber
10 Mb Ethernet connection
Table 14
LED L2 and Ethernet port’s status
Note: A 10 Mb Ethernet connection is considered a warning state since it is not
sufficient to sustain a single radio in the legacy 11g or 11a modes.
LEDS indicating WDS strength for AP3610 and AP3620
The AP indicates the WDS signal strength as a bar graph. To avoid confusion with
startup LED behavior, the patterns go from right to left and an LED is always
blinking at least twice as fast as the LEDs in normal mode.
Table 15 illustrates the behavior of the LED behavior in WDS Signal Strength
mode for AP models AP3610 and AP3620.
RSS (dBm)
LED
L1
L2
L3
L4
RSS < -84
Off
Off
Off
Blinking green
-84 < RSS < -77
Off
Off
Off
Fast Blinking
green
-77 < RSS < -70
Off
Off
Blinking green
Solid green
-70 < RSS < -63
Off
Blinking green
Solid green
Solid green
-63 < RSS < -56
Blinking green
Solid green
Solid green
Solid green
RSS < -56
Fast Blinking
green
Solid green
Solid green
Solid green
Table 15
AP3610 and AP3620 LEDs indicating signal strength
Note: The LEDs on the AP3605 do not indicate WDS signal strength.
126
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.3.4 AP4102 and AP2605 LED status
The following figure shows the LEDs on the AP4102 and AP2605 Access Points.
Status LED
The Status LED indicates the general status of the access point.
Status LED
AP Status
Blink green
Initialization and discovery in progress via Ethernet or WDS link
Blink amber
Error during initialization and discovery
Solid green
Discovery finished via Ethernet or WDS link
Table 16
AP4102 and AP2605 Status indicators
Radio B/G LED
The Radio B/G LED will show the general high-level state during initialization and
discovery for the access point.
Radio B/G LED
AP High-Level State
Off
Initialization
Blink green
Network discovery
Solid green
Connecting with HiPath Wireless Controller
Table 17
AP4102 and AP2605 initialization and discovery indicators
Composite view of LEDs
The following table summarizes all LEDs during the initialization and discovery.
These states will be shown together with a status LED blinking green or orange.
If the status LED is blinking green, the state will be the one executed by the AP
in that moment. If the status LED is blinking orange, the state will be the one that
the AP failed.
The status and radio LEDs will blink with 1/3 pulse width, but the radio LEDs will
turn on after the status LED. This solution also allows the user to distinguish
easily between the status LED and the radio LEDs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
127
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Radio B/G
LED
Off
Radio A
LED
Blink green
Initialization: Power-on self test
(POST)
Blink green
Blink green
Initialization: Random delay
Blink orange
Initialization: No Ethernet nor WDS
link
Blink green
Initialization: Vulnerable period
Blink orange
Reset to factory defaults
Solid green
Blink green
WDS scanning
Off
Blink green
Network discovery: 802.1x
authentication
Blink orange
Failed 802.1x authentication
Blink green
Network discovery: DHCP
Blink orange
Default IP address
Blink green
Network discovery: HWC discovery /
connect
Blink orange
Discovery failed
Blink green
Connecting with HWC: Registration
Blink orange
Registration failed
Blink green
Connecting with HWC: Image
upgrade
Blink orange
Image upgrade failed
Blink green
Connecting with HWC: Configuration
Blink orange
Configuration failed
Solid green
AP up and running: Forced image
upgrade
Blink orange
Image upgrade failed
Blink green
Solid green
Solid Green
Off
Blink green
Solid green
Blink green
Table 18
AP Detailed State
Off
Solid green
Blink green
Status
LED
AP4102 and AP2605 composite view of LEDs
LEDS indicating WDS strength for AP4102 and AP2605
The AP indicates the WDS signal strength as a bar graph. To avoid confusion with
startup LED behavior, the patterns go from right to left and an LED is always
blinking at least twice as fast as the LEDs in normal mode.
128
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Table 19 illustrates the LED behavior in WDS Signal Strength mode for AP
models AP4102 and AP2605.
RSS (dBm)
LED
Status
Link
Radio A
Radio B/G
RSS < -84
Off
Eth state
Off
Blinking green
-84 < RSS < -77
Off
Eth state
Off
Fast Blinking
green
-77 < RSS < -70
Off
Eth state
Blinking green
Solid green
-70 < RSS < -63
Blinking green
Eth state
Solid green
Solid green
RSS < -63
Fast Blinking
green
Eth state
Solid green
Solid green
Table 19
AP4102 and AP2605 LEDs indicating Signal Strength
4.2.3.5 Configuring Wireless AP LED behavior
You can configure the behavior of the LEDs so that they provide the following
information:
LED Mode
Information Displayed
Off
Displays fault patterns only. LEDs do not light when the
AP is fault free and the discovery is complete.
Normal
Identifies the AP status during the registration process
during power on and boot process.
Identify
All LEDs blink simultaneously approximately two to four
times every second.
WDS Signal Strength
Indicates the WDS signal strength as a bar graph. See
Table 7, Table 9, Table 15, and Table 19 for a description
of LED behavior.
This setting helps to align external antennas in WDS
deployments by correlating the WDS link RSS with the
LED pattern. Use this setting only if the AP operates in
WDS mode by being a member of a WDS VNS.
Table 20
LED operational modes
You can configure the AP LED mode when you configure:
•
An individual Wireless AP.
•
Multiple Wireless APs simultaneously.
•
Default Wireless AP behavior.
Note: You can configure all four AP LED modes if you configure an individual
Wireless AP or multiple Wireless APs simultaneously. If you configure the default
Wireless AP behavior, the only LED modes available are Off and Normal.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
129
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
To configure the AP LED operational mode when configuring an individual
Wireless AP:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen displays.
2. In the left-hand pane, click All APs. The AP Configuration page displays
with the AP Properties tab exposed.
3. In the second column from the left, select the appropriate
4. On the AP Properties tab, click the Advanced button. The Advanced
window displays.
5. In the LED field, click the arrow and select an LED operational mode. See
Table 20 for a description of each option.
To set the AP LED operational mode when using the AP mulit-edit feature:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP window displays.
2. In the left-hand pane, click AP Multi-edit. The AP Multi-edit window
displays.
3. In the Wireless AP section, select one or more Wireless APs. The AP
Configuration screen displays.
4. In the AP Configuration section, locate the LED field. Click the arrow and
select an LED operational mode. See Table 20 for a description of each
option.
To set the AP LED operational mode when configuring default AP behavior:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The AP Default Settings page
displays with the Common Configuration tab exposed.
3. Click the AP tab that corresponds to the type of AP that you want to configure.
The AP Properties and Radio settings become available.
4. Click the Advanced button. The Advanced window displays.
5. In the LED field, click the arrow and select an LED operational mode. See
Table 20 for a description of each option.
130
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.4 Configuring the Wireless APs for the first time
Before the Wireless AP is configured for the first time, you must first confirm that
the following has already occurred:
•
The HiPath Wireless Controller has been set up. For more information, see
Chapter 3, “Configuring the HiPath Wireless Controller”.
•
The HiPath Wireless Controller, Access Points and Convergence Software
has been configured. For more information, see Chapter 3, “Configuring the
HiPath Wireless Controller”.
•
The Wireless APs have been installed.
•
If you are installing the HiPath Wireless AP, see the HiPath Wireless AP
Installation Instructions.
•
If you are installing the HiPath Wireless 802.11n AP, see the HiPath
Wireless 802.11n AP Installation Instructions.
•
If you are installing the HiPath Wireless Outdoor AP, see the HiPath
Wireless Outdoor AP Installation Instructions and the HiPath Wireless
Outdoor AP Installation Guide.
Once the installations are completed, you can then continue with the Wireless AP
initial configuration. The Wireless AP initial configuration involves two steps:
1. Define parameters for the discovery process. For more information, see
Section 4.2.5, “Defining properties for the discovery process”, on page 132.
2. Connect the Wireless AP to a power source to initiate the discovery and
registration process. For more information, see Section 4.2.6, “Connecting
the Wireless AP to a power source and initiating the discovery and
registration process”, on page 134.
Adding a Wireless AP manually option
An alternative to the automatic discovery and registration process of the Wireless
AP is to manually add and register a Wireless AP to the HiPath Wireless
Controller. For more information, see Section 4.3, “Adding and registering a
Wireless AP manually”, on page 135.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
131
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
4.2.5 Defining properties for the discovery process
Before a Wireless AP is configured, you must define the following properties for
the discovery process:
•
Security mode
•
Discovery timers
The discovery process is the process by which the Wireless APs determine the
IP address of the HiPath Wireless Controller.
Security mode
Security mode defines how the HiPath Wireless Controller behaves when
registering new, unknown devices. During the registration process, the HiPath
Wireless Controller’s approval of the Wireless AP’s serial number depends on the
security mode that has been set:
•
•
132
Allow all Wireless APs to connect
•
If the HiPath Wireless Controller does not recognize the registering serial
number, a new registration record is automatically created for the AP (if
within MDL license limit). The AP receives a default configuration. The
default configuration can be the default template assignment.
•
If the HiPath Wireless Controller recognizes the serial number, it indicates
that the registering device is pre-registered with the controller. The
controller uses the existing registration record to authenticate the AP and
the existing configuration record to configure the AP.
Allow only approved Wireless APs to connect (this is also known as
secure mode)
•
If HiPath Wireless Controller does not recognize the AP, the AP's
registration record is created in pending state (if within MDL limits). The
administrator is required to manually approve a pending AP for it to
provide active service. The pending AP receives minimum configuration,
which only allows it to maintain an active link with the controller for future
state change. The AP's radios are not configured or enabled. Pending
APs are not eligible for configuration operations (VNS Assignment,
default template, Radio parameters) until approved.
•
If the HiPath Wireless Controller recognizes the serial number, the
controller uses the existing registration record to authenticate the AP.
Following successful authentication, the AP is configured according to its
stored configuration record.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
Note: During the initial setup of the network, Siemens recommends that
you select the Allow all Wireless APs to connect option. This option is
the most efficient way to get a large number of Wireless APs registered
with the HiPath Wireless Controller.
Once the initial setup is complete, Siemens recommends that you reset
the security mode to the Allow only approved Wireless APs to connect
option. This option ensures that no unapproved Wireless APs are allowed
to connect. For more information, see Section 4.4, “Configuring Wireless
AP settings”, on page 136.
Discovery timers
The discovery timer parameters dictate the number of retry attempts and the time
delay between each attempt.
To define the discovery process parameters:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Registration. The Wireless AP Registration
screen is displayed.
3. In the Security Mode section, select one of the following:
•
Allow all Wireless APs to connect
•
Allow only approved Wireless APs to connect
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
133
hwc_apstartup.fm
Configuring the Wireless AP
Discovery and registration overview
The Allow all Wireless APs to connect option is selected by default. For
more information, see Section 4.2.5, “Security mode”, on page 132.
4. In the Discovery Timers section, type the discovery timer values in the
following boxes:
•
Number of retries
•
Delay between retries
The number of retries is limited to 255 for the discovery. The default number
of retries is 3, and the default delay between retries is 3 seconds.
5. To save your changes, click Save.
Once the discovery parameters are defined, you can connect the Wireless AP to
a power source.
4.2.6 Connecting the Wireless AP to a power source
and initiating the discovery and registration process
When a Wireless AP is powered on, it automatically begins the discovery and
registration process with the HiPath Wireless Controller.
Table 21 lists the ways in which Wireless APs can be connected and powered.
Wireless AP
Method of Connecting and Powering
HiPath Wireless AP
• Power over Ethernet (802.3af):
– PoE enabled switch port
– PoE Injector
• Power by AC adaptor
HiPath Wireless
Outdoor AP
• Power over Ethernet (802.3af)
– PoE enabled switch port
– PoE Injector
• Power by 48VDC (Direct Current)
• 110-230 VAC (Alternating Current)
For more information, see the HiPath Wireless Outdoor Access
Point Installation Guide.
HiPath Wireless
802.11n AP
• Power over Ethernet (802.3af)
– PoE enabled switch port
– PoE Injector
Note: Use a 1 GB PoE injector to ensure optimum
performance of the HiPath Wireless 802.11n AP.
• Power by AC adaptor
Table 21
134
Connecting and powering a Wireless AP
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Adding and registering a Wireless AP manually
4.3 Adding and registering a Wireless AP manually
An alternative to the automatic discovery and registration process of the Wireless
AP is to manually add and register a Wireless AP to the HiPath Wireless
Controller. The Wireless AP is added with default settings. For more information,
see Section 4.4, “Configuring Wireless AP settings”, on page 136.
To add and register a Wireless AP manually:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. Click Add Wireless AP. The Add Wireless AP screen is displayed.
3. In the Serial # box, type the unique identifier.
4. In the Hardware Type drop-down list, click the hardware type of the Wireless
AP.
5. In the Name box, type a unique name for the Wireless AP.
6. In the Role drop-down list, click the Wireless AP’s role — Access Point or
Sensor. The Role drop-down list may be view-only if the Hardware Type you
select only supports the Access Point role. Not all Wireless AP hardware
types support the Sensor role.
7. In the Description box, type descriptive comments for the Wireless AP.
8. Click Add Wireless AP. The Wireless AP is added and registered.
When a Wireless AP is added manually, it is added to the controller database
only and does not get assigned.
9. Click Close.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
135
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4.4 Configuring Wireless AP settings
Wireless APs are added with default settings, which you can adjust and configure
according to your network requirements. In addition, you can modify the
properties and the settings for each radio on the Wireless AP.
You can also locate and select Wireless APs in specific registration states to
modify their settings. For example, this feature is useful when approving pending
Wireless APs when there are a large number of other Wireless APs that are
already registered. On the Access Approval screen, click Pending to select all
pending Wireless APs, then click Approve to approve all selected Wireless APs.
Configuring Wireless AP settings can include the following processes:
•
Modifying a Wireless AP’s status
•
Configuring a Wireless AP’s properties
•
Configuring Wireless AP radio properties
•
Setting up the Wireless AP using static configuration
•
Setting up 802.1x authentication for a Wireless AP
When configuring Wireless APs, you can choose to configure individual Wireless
APs or simultaneously configure a group of Wireless APs. For more information,
see Section 4.8, “Configuring multiple Wireless APs simultaneously”, on page
229.
4.4.1 Modifying a Wireless AP’s status
If during the discovery process, the HiPath Wireless Controller security mode was
Allow only approved Wireless APs to connect, then the status of the Wireless
AP is Pending. You must modify the security mode to Allow all Wireless APs to
connect. For more information, see Section 4.2.5, “Security mode”, on page 132.
To modify a Wireless AP's registration status:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click Access Approval. The Access Approval screen is
displayed, along with the registered Wireless APs and their status.
136
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
3. To select the Wireless APs for status change, do one of the following:
•
For a specific Wireless AP, select the corresponding checkbox.
•
For Wireless APs by category, click one of the Select Wireless APs
options.
To clear your Wireless AP selections, click Deselect All.
4. Click the appropriate Perform action on selected Wireless APs option:
•
Approved – Change a Wireless AP's status to Approved — a Wireless
AP's status changes from Pending to Approved if the AP Registration
screen was configured to register only approved Wireless APs.
•
Pending – AP is removed from the Active list, and is forced into
discovery.
•
Release – Release foreign Wireless APs after recovery from a failover.
Releasing an AP corresponds to the Availability functionality. For more
information, see Chapter 7, “Availability and session availability”.
•
Reboot – Reboot the AP without using Telnet or SSH to access it.
•
Delete – Releases the Wireless AP from the HiPath Wireless Controller
and deletes the Wireless AP’s entry in the HiPath Wireless Controller's
management database.
•
Standalone Mode – The 802.11n AP running V7.31 or later converts from
thin mode to standalone mode. For more information, see Section 4.11,
“Converting the Wireless Standalone 802.11n AP to standalone mode”,
on page 237.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
137
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Sensor – The Wireless AP ceases performing RF services and begins
performing scanning services. For more information, see Section 4.12,
“Configuring an AP as a sensor”, on page 238.
Note: Only approve a Wireless AP as a sensor if HiPath HiGuard has
been installed on your HiPath Wireless Manager. For more information,
see the HiPath Wireless Manager User Guide.
Note: Only the Wireless AP 2610/2620 and AP 3610/3620 can be
configured as a sensor.
4.4.2 Configuring a Wireless AP’s properties
Once a Wireless AP has successfully registered, you can then continue to
configure its properties. Configuring Wireless AP properties includes working with
the following Wireless AP tabs:
•
AP properties
•
VNS Assignment
•
Radio 1
•
Radio 2
•
Static Configuration
•
802.1x
You can configure Wireless AP properties based on its role either as an access
point or as a sensor. For more information, see Section 4.12, “Configuring an AP
as a sensor”, on page 238.
4.4.3 AP properties tab configuration
Use the AP Properties tab to view and configure basic Wireless AP properties.
Some of the Wireless AP properties can be viewed and configured via the
Advanced dialog. The following Wireless AP properties on this tab are read-only:
•
138
Serial # – Displays a unique identifier that is assigned during the
manufacturing process.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Host Name – This value, which is based on AP Name, cannot be directly
edited. This value depicts the AP Host-Name value. If the AP Name value
does begin with a number, for example when it is the AP's serial number, the
AP's model is prepended to the value. This value is used for tracking
purposes on the DHCP server.
•
Port – Displays the Ethernet port of the HiPath Wireless Controller to which
the Wireless AP is connected.
•
Hardware Version – Displays the current version of the Wireless AP
hardware.
•
Application Version – Displays the current version of the Wireless AP
software.
•
Status:
•
Approved – Indicates that the Wireless AP has received its binding key
from the HiPath Wireless Controller after the discovery process.
•
If no status is shown, that indicates that the Wireless AP has not yet
successfully been approved for access with the secure HiPath Wireless
Controller.
You can modify the status of a Wireless AP on the Access Approval screen.
For more information, see Section 4.4.1, “Modifying a Wireless AP’s status”,
on page 136.
•
Active Clients – Displays the number of wireless devices currently
associated with the Wireless AP.
To modify a Wireless AP’s properties as an access point:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to
modify. The AP Properties tab displays Wireless AP information.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
139
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
3. Modify the Wireless AP’s information:
•
Name – Type a unique name for the Wireless AP that identifies the
access point. The default value is the Wireless AP’s serial number.
•
Location – The location of the Wireless AP.
•
Description – Type comments for the Wireless AP.
•
AP Environment – Click the Wireless AP’s environment — Indoor or
Outdoor.
Note: The AP Environment drop-down is displayed on the AP
Properties tab only if the selected Wireless AP is the HiPath Outdoor
Wireless AP.
The HiPath Outdoor Wireless AP can be deployed in both indoor and
outdoor environments.
•
Role – Click the role for the Wireless AP, either Access Point or Sensor.
A Wireless AP configured as an access point performs RF services and
is managed by the HiPath Wireless Controller. A Wireless AP configured
as a sensor no longer performs RF services and is no longer managed by
the HiPath Wireless Controller.
When a Wireless AP is configured to the sensor role, its configuration
data is preserved on the HiPath Wireless Controller. The configuration
data can only be modified when the Wireless AP is switched back to the
access point role.
140
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
In addition, if a Wireless AP is assigned to the sensor role, no additional
Wireless AP tabs are visible.
Note: The Role drop-down list is displayed on the AP Properties screen
only if the corresponding Sensor Management settings are configured
and only if the selected Wireless AP is the HiPath Wireless AP 2610/2620
or AP 3610/3620. Only the HiPath Wireless AP 2610/2620 and the AP
3610/3620 can perform the role of a sensor.
•
Country – Click the country of operation. This option is only available with
some licenses.
4. If the selected Wireless AP model supports external antenna configuration,
click the external applicable antenna you want to assign to the Wireless AP.
The model of the selected Wireless AP determines the available antenna
options.
Note: The antenna you select determines the available channel list and the
maximum transmitting power for the country in which the Wireless AP is
deployed.
Until you select a real antenna type, the external antenna types are set as
follows:
–
No Antenna – This antenna setting is in place for new external antenna
APs added to a new installation or for new external antenna APs added
to an existing installation. The radio is off, even if a VNS is configured on
the AP/radio.
–
Default – This antenna setting is in place for existing installations
upgraded to V7.21. As long as this setting is in place, you cannot change
the Max Tx Power setting.
After you select a real antenna, you cannot set the antenna type back to the
No Antenna or Default settings.
5. To modify Wireless AP advanced settings, click Advanced. The Advanced
dialog is displayed.
•
Poll Timeout – Type the timeout value, in seconds, for the Wireless AP
to re-establish the link with the HiPath Wireless Controller if it (Wireless
AP) does not get an answer to its polling. The default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value
should be 1.5 to 2 times the Detect link failure value on the AP Properties
screen. For more information, see Section 7.4, “Session availability”, on page
417.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
141
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Telnet Access/SSH Access – Click to enable or disable telnet or access
to the Wireless AP.
Note: The name of this field depends on type of Wireless AP that you
have selected.
•
Location based service – Enable or disable the AeroScout location
based service for the Wireless AP.
•
Maintain client session in event of poll failure – Select this option (if
using a bridged at AP VNS) if the Wireless AP should remain active if a
link loss with the controller occurs.This option is enabled by default.
•
Restart service in the absence of controller – Select this option (if
using a bridged at AP VNS) to ensure the Wireless AP’s radios continue
providing service if the Wireless AP’s connection to the HiPath Wireless
Controller is lost. If this option is enabled, it allows the Wireless AP to start
a bridged at AP VNS even in the absence of a HiPath Wireless Controller.
•
Use broadcast for disassociation – Select this option if you want the
Wireless AP to use broadcast disassociation when disconnecting all
clients, instead of disassociating each client one by one. This will affect
the behavior of the Wireless AP under the following conditions:
•
If the Wireless AP is preparing to reboot or to enter one of the special
modes (DRM initial channel selection).
•
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
•
LLDP – Click to enable or disable the Wireless AP from broadcasting
LLDP information. This option is disabled by default.
If SNMP is enabled on the HiPath Wireless Controller and you enable
LLDP, the LLDP Confirmation dialog is displayed.
•
Select one of the following:
•
142
Proceed (not recommended) – Select this option to enable LLDP
and keep SNMP running, and then click OK.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Disable SNMP publishing, and proceed – Select this option to
enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance
Guide.
•
Announcement Interval – If LLDP is enabled, type how often the
Wireless AP advertises its information by sending a new LLDP packet.
This value is measured in seconds.
If there are no changes to the Wireless AP configuration that impact the
LLDP information, the Wireless AP sends a new LLDP packet according
to this schedule.
Note: The Time to Live value cannot be directly edited. The Time to Live
value is calculated as four times the Announcement Interval value.
•
Announcement Delay – If LLDP is enabled, type the announcement
delay. This value is measured in seconds. If a change to the Wireless AP
configuration occurs which impacts the LLDP information, the Wireless
AP sends an updated LLDP packet. The announcement delay is the
length of time that delays the new packet delivery. The announcement
delay helps minimize LLDP packet traffic.
6. Click Close. The Advanced dialog is closed.
7. To save your changes, click Save.
To modify a Wireless AP’s properties as a sensor:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to
modify. The AP Properties tab displays Wireless AP information.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
143
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
3. Modify the Wireless AP’s information:
•
Name – Type a unique name for the Wireless AP that identifies the AP.
The default value is the Wireless AP’s serial number.
•
Host Name – This value, which is be based on AP Name, cannot be
directly edited. This value depicts the AP Host-Name value. If the AP
Name value does begin with a number, for example when it is the AP's
serial number, the AP's model is prepended to the value. This value is
used for tracking purposes on the DHCP server.
•
Location – The location of the Wireless AP.
•
Description – Type comments for the Wireless AP.
•
Role – Click the role for the AP, either Access Point or Sensor. Once the
AP is configured as a Sensor, the AP no longer performs RF services and
is no longer managed by the HiPath Wireless Controller. For more
information, see Section 4.12, “Configuring an AP as a sensor”, on page
238.
4. To save your changes, click Save.
144
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4.4.4 Assigning Wireless AP radios to a VNS
There are three methods of assigning Wireless AP radios to a VNS:
•
VNS configuration – When a VNS is configured, you can assign Wireless
AP radios to the VNS through its associated WLAN Service. For more
information, see Section 6.9.1, “Configuring a WLAN Service”, on page 332.
Note: To configure foreign Wireless AP radios to a VNS, use the VNS
configuration method. Foreign Wireless APs are only listed and available for
VNS assignment from the WLAN Services tab. For more information, see
Chapter 6, “Configuring a VNS”.
•
AP Multi-edit – When you configure multiple Wireless APs simultaneously,
you can use the AP Multi-edit feature. For more information, see Section 4.8,
“Configuring multiple Wireless APs simultaneously”, on page 229.
•
Wireless AP configuration – When you configure an individual Wireless AP,
you can assign its radios to a specific WLAN Service.
To assign Wireless AP radios when configuring an individual Wireless AP:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. Click the appropriate Wireless AP in the list. The AP Properties tab is
displayed.
3. Click the WLAN Assignment tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
145
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4. In the Radio 1 and Radio 2 columns, select the Wireless AP radios that you
want to assign for each WLAN Service.
5. To save your changes, click Save.
4.4.5 Configuring Wireless AP radio properties
Modifying Wireless AP radio properties can vary significantly depending on the
model of the Wireless AP your are configuring:
•
For specific information on modifying a Wireless 802.11n AP, see Section
4.4.5.1, “Modifying Wireless 802.11n AP 3610/3620 radio properties”, on
page 148.
•
For specific information on modifying a Wireless AP 2610/2620 or HiPath
Wireless Outdoor AP, see Section 4.4.5.3, “Modifying Wireless AP 2610/2620
radio properties”, on page 167.
Dynamic Radio Management (DRM)
When you modify a Wireless AP’s radio properties, the Dynamic Radio
Management (DRM) functionality of the HiPath Wireless Controller can be used
to help establish the optimum radio configuration for your Wireless APs. DRM is
enabled by default. The HiPath Wireless Controller’s DRM:
•
Adjusts transmit power levels to balance coverage between Wireless APs
assigned to the same RF domain and operating on the same channel.
•
Scans and coordinates with other Wireless APs to select an optimal operating
channel.
The DRM feature consists of three functions:
•
Auto Channel Selection (ACS) – ACS provides an easy way to optimize
channel arrangement based on the current situation in the field. ACS provides
an optimal solution only if it is triggered on all Wireless APs in a deployment.
Triggering ACS on a single Wireless AP or on a subset of Wireless APs
provides a useful but suboptimal solution. Also, ACS only relies on the
information observed at the time it is triggered. Once a Wireless AP has
selected a channel, it will remain operating on that channel until the user
changes the channel or triggers ACS.
ACS can be triggered by one of the following events:
146
–
A new Wireless AP registers with the HiPath Wireless Controller and the
AP Default Settings channel is Auto.
–
A user selects Auto from the Request New Channel drop-down list on
the Wireless AP’s radio configuration tabs.
–
A user selects Auto from the Channel drop-down list on the AP
Multi-edit screen.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
If Dynamic Channel Selection (DCS) is enabled in active mode and a
DCS threshold is exceeded.
–
A Wireless AP detects radar on its current operating channel and it
employs ACS to select a new channel.
–
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference. Select from the following options:
Depending on the radio used, when defining a channel plan you can
either create your customized channel plan by selecting individual
channels or you can select a default 3 or 4 channel plan.
You can use the channel plan to avoid transmission overlap on 40MHz
channels of the Wireless 802.11n APs. To avoid channel overlap between
Wireless 802.11n APs that operate on 40MHz channels, configure the
channel plan for the 5 GHz radio band to use every other channel
available.
If using half of the available channels is not an option for your
environment, do not configure a channel plan. Instead, allow ACS to
select from all available channels. This alternate solution may contribute
to increased congestion on the extension channels.
Note: ACS in the 2.4GHz radio band with 40MHz channels is not recommended
due to severe co-channel interference.
•
Dynamic Channel Selection (DCS) – DCS allows a Wireless AP to monitor
traffic and noise levels on the channel on which the Wireless AP is currently
operating. DCS can operate in two modes:
–
Monitor – When DCS is enabled in monitor mode and traffic or noise
levels exceed the configured DCS thresholds, an alarm is triggered and
an information log is generated. The DCS monitor alarm is used for
evaluating the RF environment of your deployed Wireless APs.
–
Active – When DCS is enabled in active mode and traffic or noise levels
exceed the configured DCS thresholds, an alarm is triggered and an
information log is generated. In addition, the Wireless AP will cease
operating on the current channel and ACS is employed to automatically
select an alternate channel for the Wireless AP to operate on. DCS will
not trigger channel changes on neighboring Wireless APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
147
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
Note: If DCS is enabled, DCS statistics can be viewed in the Wireless
Statistics by Wireless APs display. For more information, see Chapter
11, “Working with reports and displays”.
•
Auto Tx Power Control (ATPC) – ATPC guarantees your LAN a stable RF
environment by automatically adapting transmission power signals according
to the coverage provided by the Wireless APs. ATPC can be either enabled
or disabled.
When you disable ATPC, you are given the option of automatically adjusting
the Max Tx Power setting to match the Current Tx Power Level. In the case
of AP Multi-edit, if you reply yes, then each individual Wireless AP's Max Tx
Power setting will be adjusted to correspond with its Current Tx Power Level
in the database.
4.4.5.1 Modifying Wireless 802.11n AP 3610/3620 radio
properties
The Wireless 802.11n AP 3610/3620 is a 802.11n-compliant access point. The
following section describes how to modify a Wireless 802.11n AP.
For information on how to modify a Wireless AP 2610/2620 or the HiPath
Wireless Outdoor AP, see Section 4.4.5.3, “Modifying Wireless AP 2610/2620
radio properties”, on page 167.
Channel bonding
Channel bonding improves the effective throughput of the wireless LAN. In
contrast to the Wireless AP 26xx which uses radio channel spacings that are only
20MHz wide, the Wireless 802.11n AP can use two channels at the same time to
create a 40MHz wide channel. To achieve a 40MHz channel width, the Wireless
802.11n AP employs channel bonding — two 20MHz channels at the same time.
The 40MHz channel width is achieved by bonding the primary channel (20MHz)
with an extension channel that is either 20MHz above (bonding up) or 20MHz
below (bonding down) of the primary channel.
Depending on the Radio, channel bonding can be predefined:
•
Radio 1 – Bonding pairs are predefined.
•
Radio 2 – Channels can bond up or down as long as the band edge is not
exceeded, but some channels have predefined bonding directions.
Channel bonding is enabled by selecting the Channel Width on the Radio tabs.
When selecting Channel Width, the following options are available:
•
148
20MHz – Channel bonding is not enabled:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
•
–
802.11n clients use the primary channel (20MHz)
–
Non-802.11n clients, as well as beacons and multicasts, use the
802.11a/b/g radio protocols.
40MHz – Channel bonding is enabled:
–
802.11n clients that support the 40MHz frequency can use 40MHz,
20MHz, or the 802.11a/b/g radio protocols.
–
802.11n clients that do not support the 40MHz frequency can use 20MHz
or the 802.11a/b/g radio protocols.
–
Non-802.11n clients, beacons, and multicasts use the 802.11a/b/g radio
protocols.
–
If the primary channel allows for both bonding types (up and down), you
can select the channel bonding type from the Channel Bonding dropdown list.
–
If the primary channel allows for only one of the bonding types (up or
down), that channel bond type is displayed in the Channel Bonding
drop-down list.
Auto – Channel bonding is automatically enabled or disabled, switching
between 20MHz and 40MHz, depending on how busy the extension channel
is. If the extension channel is busy above a prescribed threshold percentage,
which is defined in the 40MHz Channel Busy Threshold box, channel
bonding is disabled.
Channel selection — primary and extension
The primary channel of the Wireless 802.11n AP is selected from the Request
New Channel drop-down list. If auto is selected, the ACS feature selects the
primary channel. Depending on the primary channel that is selected, channel
bonding may be allowed: up or down.
Guard interval
The guard intervals ensure that individual transmissions do not interfere with one
another. The Wireless 802.11n AP provides a shorter guard interval that
increases the channel throughput. When a 40MHz channel is used, you can
select the guard interval to improve the channel efficiency. The guard interval is
selected from the Guard Interval drop-down list. Longer guard periods reduce
the channel efficiency.
Aggregate MSDU and MPDU
The Wireless 802.11n AP provides aggregate Mac Service Data Unit (MSDU)
and aggregate Mac Protocol Data Unit (MPDU) functionality, which combines
multiple frames together into one larger frame for a single delivery. This
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
149
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
aggregation reduces the overhead of the transmission and results in increased
throughput. The aggregate methods are enabled and defined selected from the
Aggregate MSDUs and Aggregate MPDUs drop-down lists.
Antenna selection
The Wireless 802.11n AP has three antennas: left, middle, and right. The
illustration below identifies the left and right antennas.
Left antenna
Right antenna
The Wireless 802.11n AP is configured, by default, to transmit on all three
antennas. Depending on your deployment requirements, you can configure the
Wireless 802.11n AP to transmit on specific antennas. You can configure the
Wireless 802.11n AP to transmit on specific antennas for both radios, including
all the available modes:
•
Radio 1 – a, a/n modes
•
Radio 2 – b, b/g, b/g/n modes
When you configure the Wireless 802.11n AP to use specific antennas, the
following occurs:
•
Transmission power is recalculated – The Current Tx Power Level value for
the radio is automatically adjusted to reflect the recent antenna configuration.
It takes approximately 30 seconds for the change to the Current Tx Power
Level value to be reflected in the HiPath Wireless Assistant.
•
Radio is reset – The radio is reset causing client connections on this radio to
be lost.
To modify Wireless 802.11n AP radio properties:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. Click the appropriate Wireless 802.11n AP in the list. The AP Properties tab
is displayed.
150
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
3. Click the Radio tab you want to modify.
Each Radio tab displays the radio settings for each radio on the Wireless AP.
If the Radio has been assigned to a VNS, the VNS names and MAC
addresses are displayed in the Base Settings section. The HiPath Wireless
Controller can support the following active VNSs:
–
C5110 – Up to 128 VNSs
–
C4110 – Up to 64 VNSs
–
C2400 – Up to 64 VNSs
–
C20 – Up to 8 VNSs
–
C20N – Up to 8 VNSs
–
CRBT8210 – Up to 16 VNSs
–
CRBT8110 – Up to 8 VNSs
The Wireless AP radios can be assigned to each of the configured VNSs in a
system. Each radio can support eight WLAN assignments, corresponding to
the number of SSIDs it can support. Once a radio has all 8 slots assigned, it
is no longer eligible for further assignment.
The BSS Info section is view-only. After VNS configuration, the Basic
Service Set (BSS) section displays the MAC address on the Wireless AP for
each WLAN Service as well as the SSIDs of the WLAN Services to which this
radio has been assigned.
4. If applicable, click the Radio 1 tab.
5. In the Base Settings section, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
151
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Radio Mode – Click one of the following radio options:
•
off – Click to disable Radio 1.
•
a – Click to enable the 802.11a mode of Radio 1 without 802.11n
capability.
•
a/n – Click to enable the 802.11a mode of Radio 1 with 802.11n
capability.
Note: Depending on the radio modes you select, some of the radio
settings may not be available for configuration. The Wireless AP
hardware version dictates the available radio modes.
•
Channel Width – Click the channel width for the radio:
–
20MHz – Click to allow 802.11n clients to use the primary channel
(20MHz) and non-802.11n clients, as well as beacons and multicasts, to
use the 802.11b/g radio protocols.
–
40MHz – Click to allow 802.11n clients that support the 40MHz frequency
to use 40MHz, 20MHz, or the 802.11b/g radio protocols. 802.11n clients
that do not support the 40MHz frequency can use 20MHz or the
802.11b/g radio protocols and non-802.11n clients, beacons, and
multicasts use the 802.11b/g radio protocols.
–
Auto – Click to automatically switch between 20MHz and 40MHz channel
widths, depending on how busy the extension channel is.
6. In the Basic Radio Settings section, do the following:
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Request New Channel – Click the wireless channel you want the
Wireless 802.11n AP to use to communicate with wireless devices.
Click Auto to request the ACS to search for a new channel for the
Wireless AP, using a channel selection algorithm. This forces the
Wireless AP to go through the auto-channel selection process again.
Note: ACS in the 2.4GHz radio band with 40MHz channels is not
recommended due to severe co-channel interference.
Depending on the regulatory domain (based on country), some channels
may be restricted. The default value is based on North America. For more
information, see Appendix B.
152
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Auto Tx Power Ctrl (ATPC) – Select to enable ATPC. ATPC
automatically adapts transmission power signals according to the
coverage provided by the Wireless APs. After a period of time, the system
will stabilize itself based on the RF coverage of your Wireless APs.
Note: If you disable ATPC, you can still choose to maintain using the
current Tx power setting ATPC had established. If you elect to maintain
using the ATPC power setting, the displayed Current Tx Power Level
value becomes the new Max Tx Power value for the Wireless AP.
•
Channel Bonding – Click the bonding method, Up or Down. The primary
channel (20MHz) is bonded with an extension channel that is either
20MHz above (bonding up) or 20MHz below (bonding down) of the
primary channel. Note that the available choices for Channel Bonding in
the drop-down list may depend on the channel first selected in Request
New Channel.
•
Guard Interval – Click a guard interval, Long or Short, when a 40MHz
channel is used. Siemens recommends that you use a short guard
interval in small rooms (for example, a small office space) and a long
guard interval in large rooms (for example, a conference hall).
•
Max Tx Power – Click the maximum Tx power level to which the range of
transmit power can be adjusted: 0 to 24 dBm. Siemens recommends that
you select 24 dBm to use the entire range of potential Tx power.
Note: In reality, the lowest achievable power level is 5 dBm for the
Wireless 802.11n AP 3610 and 2 dBm for the Wireless 802.11n AP 3620.
If you assign a lower value, it will automatically default to the lowest
achievable level.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted. Siemens
recommends that you select the lowest value available to use the entire
range of potential Tx power.
Note: The Minimum Tx Power level is subject to the regulatory
compliance requirement for the selected country.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you to use 0 dB during your initial
configuration. If you have an RF plan that recommended Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
153
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
Note: The following fields are view only.
• Current Channel – The actual channel the ACS has assigned to the
Wireless AP radio. The Current Channel value and the Last Requested
Channel value may be different because the ACS automatically assigns
the best available channel to the Wireless AP, ensuring that a Wireless
AP’s radio is always operating on the best available channel.
• Last Requested Channel – The last wireless channel that you had
selected to communicate with the wireless devices.
• Current Tx Power Level – The actual Tx power level assigned to the
Wireless AP radio.
•
154
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference. Click one of the following:
–
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
–
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
–
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Antenna Selection – Click the antenna, or antenna combination, you
want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with
the AP. The pull down list contains currently available WS-XXXXX
antennas as well as legacy antenna part numbers that may have been in
use prior to the v7.11 release.
Note: When you configure the Wireless 802.11n AP to use specific
antennas, the transmission power is recalculated; the Current Tx Power
Level value for the radio is automatically adjusted to reflect the recent
antenna configuration. It takes approximately 30 seconds for the change
to the Current Tx Power Level value to be reflected in the HiPath
Wireless Assistant. Also, the radio is reset which may cause client
connections on this radio to be lost.
7. To modify Radio 1 advanced settings, click Advanced. The Advanced dialog
is displayed.
8. In the Advanced dialog Base Settings section, do the following:
•
DTIM Period – Type the desired DTIM (Delivery Traffic Indication
Message) period — the number of beacon intervals between two DTIM
beacons. To ensure the best client power savings, use a large number.
Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
155
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
RTS/CTS Threshold – Type the packet size threshold, in bytes, above
which the packet will be preceded by an RTS/CTS (Request to
Send/Clear to Send) handshake. The default value is 2346, which means
all packets are sent without RTS/CTS. Reduce this value only if
necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the Wireless AP prior to
transmission. The default value is 2346, which means all packets are sent
unfragmented. Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
9. In the Advanced dialog Basic Radio Settings section, do the following:
•
156
Dynamic Channel Selection – To enable Dynamic Channel Selection,
click one of the following:
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
–
DCS Noise Threshold – Type the noise interference level, measured
in dBm, after which ACS will scan for a new operating channel for the
Wireless AP if the threshold is exceeded.
–
DCS Channel Occupancy Threshold – Type the channel utilization
level, measured as a percentage, after which ACS will scan for a new
operating channel for the Wireless AP if the threshold is exceeded.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
DCS Update Period – Type the time, measured in minutes that
determines the period during which the Wireless AP averages the
DCS Noise Threshold and DCS Channel Occupancy Threshold
measurements. If either one of these thresholds is exceeded, then the
Wireless AP will trigger ACS.
10. In the Advanced dialog 11n Settings section, do the following:
•
Protection Mode – Click a protection mode: Enabled or Disabled. This
protects high throughput transmissions on primary channels from non11n APs and clients. Click Disabled if non-11n APs and clients are not
expected. Click Enabled if you expect many non-11n APs and clients.
The overall throughput is reduced when Protection Mode is enabled.
•
40MHz Protection Mode – Click a protection type, CTS Only or RTSCTS, or None, when a 40MHz channel is used. This protects high
throughput transmissions on extension channels from interference from
non-11n APs and clients.
•
40MHz Prot. Channel Offset – Select a 20MHz channel offset if the
deployment is using channels that are 20MHz apart (for example, using
channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is
using channels that are 25MHz apart (for example, using channels 1, 6,
and 11).
•
40MHz Channel Busy Threshold – Type the extension channel
threshold percentage, which if exceeded, will disable transmissions on
the extension channel (40MHz).
•
Aggregate MSDUs – Click an aggregate MSDU mode: Enabled or
Disabled. Aggregate MSDU increases the maximum frame transmission
size.
•
Aggregate MSDU Max Length – Type the maximum length of the
aggregate MSDU. The value range is 2290-4096 bytes.
•
Aggregate MPDUs – Click an aggregate MPDU mode: Enabled or
Disabled. Aggregate MPDU provides a significant improvement in
throughput.
•
Aggregate MPDU Max Length – Type the maximum length of the
aggregate MPDU. The value range is 1024-65535 bytes.
•
Agg. MPDU Max # of Sub-frames – Type the maximum number of
sub-frames of the aggregate MPDU. The value range is 2-64.
•
ADDBA Support – Click an ADDBA support mode: Enabled or
Disabled. ADDBA, or block acknowledgement, provides
acknowledgement of a group of frames instead of a single frame. ADDBA
Support must be enabled if Aggregate APDU is enable.
11. Click Close. The Advanced dialog is closed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
157
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
12. Click Save to save your changes.
13. If applicable, click the Radio 2 tab.
14. In the Base Settings section, do the following:
•
Radio Mode – Click one of the following radio options:
–
off – Click to disable Radio 2.
–
b – Click to enable the 802.11b-only mode of Radio 2. If selected, the
AP will use only 11b (CCK) rates with all associated clients.
–
b/g – Click to enable both the 802.11g mode and the 802.11b mode
of Radio 2. If selected, the AP will use 11b (CCK) and 11g-specific
(OFDM) rates with all of the associated clients. The AP will not
transmit or receive 11n rates.
–
b/g/n – Click to enable b/g/n modes of Radio 2. If selected, the AP
will use all available 11b, 11g, and 11n rates.
Note: Depending on the radio modes you select, some of the radio
settings may not be available for configuration.
•
Channel Width – Click the channel width for the radio:
–
20MHz – Click to allow 802.11n clients to use the primary channel
(20MHz) and non-802.11n clients, beacons, and multicasts to use the
802.11b/g radio protocols.
–
40MHz – Click to allow 802.11n clients that support the 40MHz
frequency to use 40MHz, 20MHz, or the 802.11b/g radio protocols.
802.11n clients that do not support the 40MHz frequency can use
20MHz or the 802.11b/g radio protocols and non-802.11n clients,
beacons, and multicasts use the 802.11b/g radio protocols.
–
Auto – Click to automatically switch between 20MHz and 40MHz
channel widths, depending on how busy the extension channel is.
15. In the Basic Radio Settings section, do the following:
158
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Request New Channel – Click the wireless channel you want the
Wireless 802.11n AP to use to communicate with wireless devices.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
Click Auto to request the ACS to search for a new channel for the
Wireless 802.11n AP, using a channel selection algorithm. This forces the
Wireless 802.11n AP to go through the auto-channel selection process
again.
Note: ACS in the 2.4GHz radio band with 40MHz channels is not
recommended due to severe co-channel interference.
Depending on the regulatory domain (based on country), some channels
may be restricted. For more information, see Appendix B.
•
Auto Tx Power Ctrl (ATPC) – Select to enable ATPC. ATPC
automatically adapts transmission power signals according to the
coverage provided by the Wireless APs. After a period of time, the system
will stabilize itself based on the RF coverage of your Wireless APs.
Note: If you disable ATPC, you can still choose to maintain using the
current Tx power setting ATPC had established. If you elect to maintain
using the ATPC power setting, the displayed Current Tx Power Level
value becomes the new Max Tx Power value for the Wireless AP.
•
Channel Bonding – Click the bonding method, Up or Down. The primary
channel (20MHz) is bonded with an extension channel that is either
20MHz above (bonding up) or 20MHz below (bonding down) of the
primary channel. Note that the available choices for Channel Bonding in
the drop-down list may depend on the channel first selected in Request
New Channel.
•
Guard Interval – Click a guard interval, Long or Short, when a 40MHz
channel is used. Siemens recommends that you use a short guard
interval in small rooms (for example, a small office space) and a long
guard interval in large rooms (for example, a conference hall).
•
Max Tx Power – Click the maximum Tx power level to which the range of
transmit power can be adjusted: 0 to 23 dBm. Siemens recommends that
you select 23 dBm to use the entire range of potential Tx power.
Note: The lowest Max Tx Power level that can be assigned is 5 dBm for
the Wireless 802.11n AP 3610 and 4 dBm for the Wireless 802.11n AP
3620; a lower Max Tx Power level assignment will automatically default
to the lowest allowed levels.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
159
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted. Siemens
recommends that you select the lowest value available to use the entire
range of potential Tx power.
Note: The Minimum Tx Power level is subject to the regulatory
compliance requirement for the selected country.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dB during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
Note: The following fields are view only.
• Current Channel – The actual channel the ACS has assigned to the
Wireless AP radio. The Current Channel value and the Last Requested
Channel value may be different because the ACS automatically assigns
the best available channel to the Wireless AP, ensuring that a Wireless
AP’s radio is always operating on the best available channel.
• Last Requested Channel – The last wireless channel that you had
selected to communicate with the wireless devices.
• Current Tx Power Level – The actual Tx power level assigned to the
Wireless AP radio.
•
160
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference. Click one of the following:
–
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in North America, and 1, 7, and 13 in most other parts of the world.
–
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in North America, and 1, 5, 9, and 13 in most other parts of the
world.
–
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in North America, and 1, 5, 9, and 13 in most other parts of the world.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
•
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
Antenna Selection – Click the antenna, or antenna combination, you
want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with
the AP. The pull down list contains currently available WS-XXXXX
antennas as well as legacy antenna part numbers that may have been in
use prior to the v7.11 release.
Note: When you configure the Wireless 802.11n AP to use specific
antennas, the transmission power is recalculated; the Current Tx Power
Level value for the radio is automatically adjusted to reflect the recent
antenna configuration. It takes approximately 30 seconds for the change
to the Current Tx Power Level value to be reflected in the HiPath
Wireless Assistant. Also, the radio is reset which may cause client
connections on this radio to be lost.
16. To modify Radio 2 advanced settings, click Advanced. The Advanced dialog
is displayed.
17. In the Advanced dialog Base Settings section, do the following:
•
DTIM Period – Type the desired DTIM (Delivery Traffic Indication
Message) period — the number of beacon intervals between two DTIM
beacons. To ensure the best client power savings, use a large number.
Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
161
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
RTS/CTS Threshold – Type the packet size threshold, in bytes, above
which the packet will be preceded by an RTS/CTS (Request to
Send/Clear to Send) handshake. The default value is 2346, which means
all packets are sent without RTS/CTS. Reduce this value only if
necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the Wireless AP prior to
transmission. The default value is 2346, which means all packets are sent
unfragmented. Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
18. In the Advanced dialog Basic Radio Settings section, do the following:
•
162
Dynamic Channel Selection – To enable Dynamic Channel Selection,
click one of the following:
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
–
DCS Noise Threshold – Type the noise interference level, measured
in dBm, after which ACS will scan for a new operating channel for the
Wireless AP if the threshold is exceeded.
–
DCS Channel Occupancy Threshold – Type the channel utilization
level, measured as a percentage, after which ACS will scan for a new
operating channel for the Wireless AP if the threshold is exceeded.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
DCS Update Period – Type the time, measured in minutes that
determines the period during which the Wireless AP averages the
DCS Noise Threshold and DCS Channel Occupancy Threshold
measurements. If either one of these thresholds is exceeded, then the
Wireless AP will trigger ACS.
19. In the Advanced dialog 11b Settings section, do the following:
•
Preamble – Click a preamble type for 11b-specific (CCK) rates: Short or
Long. Click Short if you are sure that there is no pre-11b AP or a client
in the vicinity of this Wireless 802.11n AP. Click Long if compatibility with
pre-11b clients is required.
20. In the Advanced dialog 11g Settings section, do the following:
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
Note: The overall throughput is reduced when Protection Mode is
enabled, due to the additional overhead caused by the RTS/CTS. The
overhead is minimized by setting Protection Type to CTS Only and
Protection Rate to 11 Mbps. The overhead causes the overall
throughput to be sometimes lower than if just 11b mode is used. If there
are many 11b clients, Siemens recommends that you disable 11g support
(11g clients are backward compatible with 11b APs).
An alternate approach, although potentially a more expensive method, is
to dedicate all APs on a channel for 11b (for example, disable 11g on
these APs) and disable 11b on all other APs. The difficulty with this
method is that the number of APs must be increased to ensure coverage
separately for 11b and 11g clients.
21. In the Advanced dialog 11n Settings section, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
163
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Protection Mode – Click a protection mode: Enabled or Disabled. This
protects high throughput transmissions on primary channels from non11n APs and clients. Click Disabled if non-11n APs and clients are not
expected. Click Enabled if you expect many non-11n APs and clients.
The overall throughput is reduced when Protection Mode is enabled.
•
40MHz Protection Mode – Click a protection type, CTS Only or RTSCTS, or None, when a 40MHz channel is used. This protects high
throughput transmissions on extension channels from interference from
non-11n APs and clients.
•
40MHz Prot. Channel Offset – Select a 20MHz channel offset if the
deployment is using channels that are 20MHz apart (for example, using
channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is
using channels that are 25MHz apart (for example, using channels 1, 6,
and 11).
•
40MHz Channel Busy Threshold – Type the extension channel
threshold percentage, which if exceeded, will disable transmissions on
the extension channel (40MHz).
•
Aggregate MSDUs – Click an aggregate MSDU mode: Enabled or
Disabled. Aggregate MSDU increases the maximum frame transmission
size.
•
Aggregate MSDU Max Length – Type the maximum length of the
aggregate MSDU. The value range is 2290-4096 bytes.
•
Aggregate MPDUs – Click an aggregate MPDU mode: Enabled or
Disabled. Aggregate MPDU provides a significant improvement in
throughput.
•
Aggregate MPDU Max Length – Type the maximum length of the
aggregate MPDU. The value range is 1024-65535 bytes.
•
Agg. MPDU Max # of Sub-frames – Type the maximum number of
sub-frames of the aggregate MPDU. The value range is 2-64.
•
ADDBA Support – Click an ADDBA support mode: Enabled or
Disabled. ADDBA, or block acknowledgement, provides
acknowledgement of a group of frames instead of a single frame. ADDBA
Support must be enabled if Aggregate APDU is enable.
22. Click Close. The Advanced dialog is closed.
23. To save your changes, click Save.
164
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4.4.5.2 Achieving high throughput with the Wireless 802.11n
AP
To achieve link rates of up to 300Mbps with the Wireless 802.11n AP, configure
your system as described in the following section.
Note: Maximum throughput cannot be achieved if both 802.11n and legacy client
devices are to be supported.
Note: Some client devices will choose a 2.4GHz radio even when a 5GHz
high-speed radio network is available; you may need to force those client devices
to use only 5GHz if you have configured high throughput only on the 5GHz radio.
To achieve high throughput with the Wireless 802.11n AP:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless 802.11n AP you want to configure.
3. Click the Radio 2 tab, and then do the following:
•
In the Radio Mode drop-down list, click b/g/n.
•
In the Channel Width drop-down list, click 40MHz.
Note: Some client devices do not support 40MHz in b/g/n mode. To
accommodate these clients, you must enable a/n mode on the Radio 1 tab.
Otherwise, the client device will connect at only 130Mbps.
•
In the Guard Interval drop-down list, click Short.
•
In the 11g Settings section, click None in the Protection Mode
drop-down list.
Note: Do not disable 802.11g protection mode if you have 802.11b or 802.11g
client devices using this Wireless AP; instead, configure only Radio 1 for high
throughput unless it is acceptable to achieve less than maximum 802.11n
throughput on Radio 2.
•
If only 802.11n devices are present, you must disable 11n protection and
40Mz protection:
–
Protection Mode – Click Disabled.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
165
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
40MHz Protection Mode – Click None.
Note: Do not disable 802.11n protection mode if you have 802.11b or
802.11g client devices using this Wireless AP; instead, configure only
Radio 1 for high throughput unless it is acceptable to achieve less than
maximum 802.11n throughput on Radio 2.
•
Aggregate MSDUs – Click Enabled.
•
Aggregate MSDU Max Length – Type 4096
•
Aggregate MPDU – Click Enabled.
•
Aggregate MPDU Max Length – Click 65535
•
Agg. MPDU Max # of Sub-frames – Type 64.
•
ADDBA Support – Click Enabled.
4. Click the Radio 1 tab, and then do the following:
•
In the Radio Mode drop-down list, click the a/n option.
•
In the Channel Width drop-down list, click 40MHz.
•
In the Guard Interval drop-down list, click Short.
•
If only 802.11n devices are present, you must disable 11n protection and
40Mz protection:
–
Protection Mode – Click Disabled.
–
40MHz Protection Mode – Click None.
•
Aggregate MSDUs – Click Enabled.
•
Aggregate MSDU Max Length – Type 4096
•
Aggregate MPDU – Click Enabled.
•
Aggregate MPDU Max Length – Click Enabled.
•
Agg. MPDU Max # of Sub-frames – Type 64.
•
ADDBA Support – Click Enabled.
5. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
6. In the left pane Virtual Networks list, click the VNS you want to configure.
The Topology tab is displayed.
7. Click the Privacy tab. Some client devices will not use 802.11n mode if they
are using WEP or TKIP for security. Therefore, do one of the following:
166
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Select None.
•
Select WPA-PSK, and then clear the WPA v.1 option:
–
Select WPA v.2.
–
In the Encryption drop-down list, click AES only.
Note: To achieve the strongest encryption protection for your VNS,
Siemens recommends that you use WPA v.1 or WPA v.2.
8. Click the QoS Policy tab.
9. In the Wireless QoS section, select the WMM option. Some 802.11n client
devices will remain at 54Mbps unless WMM is enabled.
4.4.5.3 Modifying Wireless AP 2610/2620 radio properties
The following section describes how to modify a Wireless AP 2610/2620 and the
HiPath Wireless Outdoor AP. For information on how to modify a Wireless
802.11n AP 3610/3620, see Section 4.4.5.1, “Modifying Wireless 802.11n AP
3610/3620 radio properties”, on page 148.
To modify the Wireless AP’s radio properties:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. Click the appropriate Wireless AP in the list. The AP Properties tab is
displayed.
3. Click the Radio tab you want to modify.
Each Radio tab displays the radio settings for each radio on the Wireless AP.
If the radio has been assigned to a VNS, the VNS names and MAC addresses
are displayed in the Base Settings section. The HiPath Wireless Controller
can support the following active VNSs:
•
C5110 – Up to 128 VNSs
•
C4110 – Up to 64 VNSs
•
C2400 – Up to 64 VNSs
•
C20 – Up to 8 VNSs
•
C20N – Up to 8 VNSs
•
CRBT8210 – Up to 16 VNSs
•
CRBT8110 – Up to 8 VNSs
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
167
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
The Wireless AP radios can be assigned to each of the configured VNSs in a
system. Each radio can be the subject of 8 VNS assignments (corresponding
to the number of SSIDs it can support). Once a radio has all 8 slots assigned,
it is no longer eligible for further assignment.
The BSS Info section is view only. After VNS configuration, the Basic
Service Set (BSS) section displays the MAC address on the Wireless AP for
each VNS and the SSIDs of the VNSs to which this radio has been assigned.
4. If applicable, click the Radio 1 tab.
5. In the Base Settings section, do the following:
•
Radio Mode – Click one of the following radio options:
–
off – Click to disable Radio 1.
–
a – Click to enable 802.11a mode of Radio 1.
Note: The Wireless AP hardware version dictates the available radio
modes.
6. In the Basic Radio Settings section, do the following:
168
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Request New Channel – Click the wireless channel you want the
Wireless AP to use to communicate with wireless devices.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
Click Auto to request the ACS to search for a new channel for the
Wireless AP, using a channel selection algorithm. This forces the
Wireless AP to go through the auto-channel selection process again.
Depending on the regulatory domain (based on country), some channels
may be restricted. The default value is based on North America. For more
information, see Appendix B.
•
Auto Tx Power Ctrl (ATPC) – Select to enable ATPC. ATPC
automatically adapts transmission power signals according to the
coverage provided by the Wireless APs. After a period of time, the system
will stabilize itself based on the RF coverage of your Wireless APs.
Note: If you disable ATPC, you can elect to maintain using the current Tx
power setting ATPC had established. If you elect to maintain using the
ATPC power setting, the displayed Current Tx Power Level value
becomes the new Max Tx Power value for the Wireless AP.
•
Max Tx Power – Click the maximum Tx power level to which the range of
transmit power can be adjusted: 0 to 23 dBm. Siemens recommends that
you select 23 dBm to use the entire range of potential Tx power.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted. Siemens
recommends that you select the lowest value available to use the entire
range of potential Tx power.
Note: The Minimum Tx Power level is subject to the regulatory
compliance requirement for the selected country.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dB during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
Note: The following fields are view only.
• Current Channel – The actual channel the ACS has assigned to the
Wireless AP radio. The Current Channel value and the Last Requested
Channel value may be different because the ACS automatically assigns the
best available channel to the Wireless AP, ensuring that a Wireless AP’s radio
is always operating on the best available channel.
• Last Requested Channel – The last wireless channel that you had selected
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
169
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
for the Wireless AP to communicate with the wireless devices.
• Current Tx Power Level – The actual Tx power level assigned to the
Wireless AP radio.
•
170
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference. Click one of the following:
–
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
–
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
–
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
•
Min Basic Rate – Click the minimum data rate that must be supported by
all stations in a BSS: 6, 12, or 24 Mbps. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
•
Max Basic Rate – Click the maximum data rate that must be supported
by all stations in a BSS: 6, 12, or 24 Mbps. If necessary, the Max Basic
Rate choices adjust automatically to be higher or equal to the Min Basic
Rate.
•
Max Operational Rate – Click the maximum data rate that clients can
operate at while associated with the Wireless AP: 24, 36, 48, or 54 Mbps.
If necessary, the Max Operational Rate choices adjust automatically to
be higher or equal to the Max Basic Rate.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
7. To modify Radio 1 advanced settings, click Advanced. The Advanced dialog
is displayed.
8. In the Advanced dialog Base Settings section, do the following:
•
DTIM Period – Type the desired DTIM (Delivery Traffic Indication
Message) period — the number of beacon intervals between two DTIM
beacons. To ensure the best client power savings, use a large number.
For example, 5. Use a small number to minimize broadcast and multicast
delay. The default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
•
RTS/CTS Threshold – Type the packet size threshold, in bytes, above
which the packet will be preceded by an RTS/CTS (Request to
Send/Clear to Send) handshake. The default value is 2346, which means
all packets are sent without RTS/CTS. Reduce this value only if
necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the Wireless AP prior to
transmission. The default value is 2346, which means all packets are sent
unfragmented. Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
9. In the Advanced dialog Basic Radio Settings section, do the following:
•
Dynamic Channel Selection – To enable Dynamic Channel Selection,
click one of the following:
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
171
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
172
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
–
DCS Noise Threshold – Type the noise interference level, measured
in dBm, after which ACS will scan for a new operating channel for the
Wireless AP if the threshold is exceeded.
–
DCS Channel Occupancy Threshold – Type the channel utilization
level, measured as a percentage, after which ACS will scan for a new
operating channel for the Wireless AP if the threshold is exceeded.
–
DCS Update Period – Type the time, measured in minutes that
determines the period during which the Wireless AP averages the
DCS Noise Threshold and DCS Channel Occupancy Threshold
measurements. If either one of these thresholds is exceeded, then the
Wireless AP will trigger ACS.
•
Rx Diversity – Click Best for the best signal from both antennas, or Left
or Right to choose either of the two diversity antennas. The default and
recommended selection is Best. If only one antennae is connected, use
the corresponding Left or Right diversity setting. Do not use Best if two
identical antennas are not used.
•
Tx Diversity – Click Alternate for the best signal from both antennas, or
Left or Right to choose either of the two diversity antennas. The default
selection is Alternate that maximizes performance for most clients.
However, some clients may behave oddly with Tx Diversity set to
Alternate. Under those circumstances, Siemens recommends that you
use either Left or Right for Tx Diversity. If only one antennae is
connected, use the corresponding Left or Right diversity setting. Do not
use Alternate if two identical antennas are not used.
•
Total # of Retries for Background BK – Click the number of retries for
the Background transmission queue. The default value is adaptive
(multi-rate). The recommended setting is adaptive (multi-rate).
•
Total # of Retries for Best Effort BE – Click the number of retries for the
Best Effort transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
•
Total # of Retries for Video VI – Click the number of retries for the Video
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Total # of Retries for Voice VO – Click the number of retries for the Voice
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Total # of Retries for Turbo Voice TVO – Click the number of retries for
the Turbo Voice transmission queue. The default value is adaptive
(multi-rate). The recommended setting is adaptive (multi-rate).
10. Click Close. The Advanced dialog is closed.
11. If applicable, click the Radio 2 tab.
12. In the Base Settings section, do the following:
•
Radio Mode – Click one of the following radio options:
–
off – Click to disable Radio 2.
–
b – Click to enable the 802.11b-only mode of Radio 2. If selected, the
AP will use only 11b (CCK) rates with all associated clients.
–
g – Click to select the 802.11g-only mode of Radio 2. If selected, the
AP will not accept associations from 11b clients, but it will still use all
CCK and OFDM 11g rates with its associated clients. To disable CCK
rates, use the Min/Max Basic Rate and Max Operation Rate
controls to select OFDM-only rates.
–
b/g – Click to enable both the 802.11g mode and the 802.11b mode
of Radio 2. If selected, the AP will use 11b (CCK) and 11g-specific
(OFDM) rates with all of the associated clients. The AP will not
transmit or receive 11n rates.
Note: Depending on the radio modes you select, some of the radio
settings may not be available for configuration.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
173
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
13. In the Basic Radio Settings section, do the following:
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Request New Channel – Click the wireless channel you want the
Wireless AP to use to communicate with wireless devices.
Click Auto to request the ACS to search for a new channel for the
Wireless AP, using a channel selection algorithm. This forces the
Wireless AP to go through the auto-channel selection process again.
Depending on the regulatory domain (based on country), some channels
may be restricted. The default value is based on North America. For more
information, see Appendix B.
•
Auto Tx Power Ctrl (ATPC) – Select to enable ATPC. ATPC
automatically adapts transmission power signals according to the
coverage provided by the Wireless APs. After a period of time, the system
will stabilize itself based on the RF coverage of your Wireless APs.
Note: If you disable ATPC, you can elect to maintain using the current Tx
power setting ATPC had established. If you elect to maintain using the
ATPC power setting, the displayed Current Tx Power Level value
becomes the new Max Tx Power value for the Wireless AP.
•
Max Tx Power – Click the maximum Tx power level to which the range of
transmit power can be adjusted: 8 to 18 dBm. Siemens recommends that
you select 18 dBm to use the entire range of potential Tx power.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted. Siemens
recommends that you select the lowest value available to use the entire
range of potential Tx power.
Note: The Minimum Tx Power level is subject to the regulatory
compliance requirement for the selected country.
•
174
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dB during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
Note: The following fields are view only.
• Current Channel – The ACS has assigned to the Wireless AP radio. The
Current Channel value and the Last Requested Channel value may be
different because the ACS automatically assigns the best available channel
to the Wireless AP, ensuring that a Wireless AP’s radio is always operating
on the best available channel.
• Last Requested Channel – The last wireless channel that you had selected
for the Wireless AP to communicate with the wireless devices.
• Current Tx Power Level – The actual Tx power level assigned to the
Wireless AP radio.
•
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference. Click one of the following:
–
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in the US, and 1, 7, and 13 in Europe.
–
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in the US, and 1, 5, 9, and 13 in Europe.
–
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in the US, and 1, 5, 9, and 13 in Europe.
–
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
175
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Min Basic Rate – Click the minimum data rate that must be supported by
all stations in a BSS: 1, 2, 5.5, or 11 Mbps. If necessary, the Max Basic
Rate choices adjust automatically to be higher or equal to the Min Basic
Rate.
•
Max Basic Rate – Click the maximum data rate that must be supported
by all stations in a BSS: 1, 2, 5.5, or 11 Mbps. If necessary, the Max Basic
Rate choices adjust automatically to be higher or equal to the Min Basic
Rate.
•
Max Operational Rate – Click the maximum data rate that clients can
operate at while associated with the Wireless AP: 11, 12, 18, 24, 36, 48,
or 54 Mbps. If necessary, the Max Operational Rate choices adjust
automatically to be higher or equal to the Max Basic Rate.
14. To modify Radio 2 advanced settings, click Advanced. The Advanced dialog
is displayed.
15. In the Advanced dialog Base Settings section, do the following:
176
•
DTIM Period – Type the desired DTIM (Delivery Traffic Indication
Message) period — the number of beacon intervals between two DTIM
beacons. To ensure the best client power savings, use a large number.
For example, 5. Use a small number to minimize broadcast and multicast
delay. The default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
•
RTS/CTS Threshold – Type the packet size threshold, in bytes, above
which the packet will be preceded by an RTS/CTS (Request to
Send/Clear to Send) handshake. The default value is 2346, which means
all packets are sent without RTS/CTS. Reduce this value only if
necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the Wireless AP prior to
transmission. The default value is 2346, which means all packets are sent
unfragmented. Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
16. In the Advanced dialog Basic Radio Settings section, do the following:
•
Dynamic Channel Selection – To enable Dynamic Channel Selection,
click one of the following:
•
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
•
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
•
DCS Noise Threshold – Type the noise interference level, measured
in dBm, after which ACS will scan for a new operating channel for the
Wireless AP if the threshold is exceeded.
•
DCS Channel Occupancy Threshold – Type the channel utilization
level, measured as a percentage, after which ACS will scan for a new
operating channel for the Wireless AP if the threshold is exceeded.
•
DCS Update Period – Type the time, measured in minutes that
determines the period during which the Wireless AP averages the
DCS Noise Threshold and DCS Channel Occupancy Threshold
measurements. If either one of these thresholds is exceeded, then the
Wireless AP will trigger ACS.
•
Rx Diversity – Click Best for the best signal from both antennas, or Left
or Right to choose either of the two diversity antennas. The default and
recommended selection is Best. If only one antennae is connected, use
the corresponding Left or Right diversity setting. Do not use Best if two
identical antennas are not used.
•
Tx Diversity – Click Alternate for the best signal from both antennas, or
Left or Right to choose either of the two diversity antennas. The default
selection is Alternate that maximizes performance for most clients.
However, some clients may behave oddly with Tx Diversity set to
Alternate. Under those circumstances, Siemens recommends that you
use either Left or Right for Tx Diversity. If only one antennae is
connected, use the corresponding Left or Right diversity setting. Do not
use Alternate if two identical antennas are not used.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
177
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
•
Total # of Retries for Background BK – Click the number of retries for
the Background transmission queue. The default value is adaptive
(multi-rate). The recommended setting is adaptive (multi-rate).
•
Total # of Retries for Best Effort BE – Click the number of retries for the
Best Effort transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
•
Total # of Retries for Video VI – Click the number of retries for the Video
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Total # of Retries for Voice VO – Click the number of retries for the Voice
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Total # of Retries for Turbo Voice TVO – Click the number of retries for
the Turbo Voice transmission queue. The default value is adaptive
(multi-rate). The recommended setting is adaptive (multi-rate).
17. In the Advanced dialog 11b Settings section, select the Preamble. Click a
preamble type for 11b-specific (CCK) rates: Short or Long. Click Short if you
are sure that there is no pre-11b AP or a client in the vicinity of this AP. Click
Long if compatibility with pre-11b clients is required.
18. In the Advanced dialog 11g Settings section, do the following:
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
Note: The overall throughput is reduced when Protection Mode is enabled,
due to the additional overhead caused by the RTS/CTS. The overhead is
minimized by setting Protection Type to CTS Only and Protection Rate to
11 Mbps. The overhead causes the overall throughput to be sometimes lower
than if just 11b mode is used. If there are many 11b clients, Siemens
recommends that you disable 11g support (11g clients are backward
compatible with 11b APs).
An alternate approach, although a more expensive method, is to dedicate all
178
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
APs on a channel for 11b (for example, disable 11g on these APs) and disable
11b on all other APs. The difficulty with this method is that the number of APs
must be increased to ensure coverage separately for 11b and 11g clients.
19. Click Close. The Advanced dialog is closed.
20. To save your changes, click Save.
4.4.6 Setting up the Wireless AP using static
configuration
The Wireless AP static configuration feature provides the HiPath Wireless
Controller, Access Points and Convergence Software solution with the capability
for a network with either a central office or a branch office model. The static
configuration settings assist in the setup of branch office support. These settings
are not dependent of branch topology, but instead can be employed at any time
if required. In the branch office model, Wireless APs are installed in remote sites,
while the HiPath Wireless Controller is in a central office. The Wireless APs
require the capability to interact in both the local site network and the central
network. To achieve this model, a static configuration is used.
Note: If a Wireless AP with a statically configured IP address (without a statically
configured Wireless Controller Search List) cannot register with the HiPath
Wireless Controller within the specified number of retries, the Wireless AP will
use SLP, DNS, and SLP multicast as a backup mechanism.
To set up a Wireless AP using static configuration:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. Click the appropriate Wireless AP in the list.
3. Click the Static Configuration tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
179
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4. Select one of the VLAN settings for the Wireless AP:
•
Tagged - VLAN ID – Select if you want to assign this AP to a specific
VLAN and type the value in the box.
•
Untagged – Select if you want this AP to be untagged. This option is
selected by default.
Caution: Caution should be exercised when using this feature. For more
information, see Section 4.5, “Configuring VLAN tags for Wireless APs”,
on page 183.
If the Wireless AP VLAN is not configured properly (wrong tag),
connecting to the Wireless AP may not be possible. To recover from this
situation, you will need to reset the Wireless AP to its factory default
settings. For more information, see the HiPath Wireless Controller,
Access Points and Convergence Software Maintenance Guide.
5. Select one of the two methods of IP address assignment for the Wireless AP:
180
•
Use DHCP – Select this option to enable Dynamic Host Configuration
Protocol (DHCP). This option is enabled by default.
•
Static Values – Select this option to specify the IP address of the
Wireless AP.
–
IP Address – Type the IP address of the AP.
–
Subnet Mask – Type the appropriate subnet mask to separate the
network portion from the host portion of the address.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
–
Gateway – Type the default gateway of the network.
Note: For the initial configuration of a Wireless AP to use a static IP
address assignment, the following is recommended:
• Allow the Wireless AP to first obtain an IP address using DHCP. By
default, Wireless APs are configured to use the DHCP IP address
configuration method.
• Allow the Wireless AP to connect to the HiPath Wireless Controller using
the DHCP assigned IP address.
• After the Wireless AP has successfully registered to the HiPath Wireless
Controller, use the Static Configuration tab to configure a static IP
address for the Wireless AP, and then save the configuration.
• Once the static IP address has been configured on the Wireless AP, the
Wireless AP can then be moved to its target location, if applicable. (A
branch office scenario is an example of a setup that may require static IP
assignment.)
6. If the Wireless AP has an Ethernet port, select values in the Ethernet Speed
and Ethernet Mode drop down lists.
7. In the Add box, type the IP address of the HiPath Wireless Controller that will
control this Wireless AP.
8. Click Add. The IP address is added to the list.
9. Repeat steps 7 and 8 to add additional HiPath Wireless Controllers.
10. Click Up and Down to modify the order of the HiPath Wireless Controllers.
The maximum is three controllers.
The Wireless AP is successful when it finds a HiPath Wireless Controller that
will allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the
Wireless Controller Search List box is not populated, the Wireless AP will
use SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover a
HiPath Wireless Controller.
For the initial Wireless AP deployment, it is necessary to use one of the
described options in Section 4.2, “Discovery and registration overview”, on
page 113.
11. To save your changes, click Save.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
181
hwc_apstartup.fm
Configuring the Wireless AP
Configuring Wireless AP settings
4.4.7 Configuring Telnet/SSH Access
If you are configuring a static IP address either for the Wireless AP or Outdoor
Wireless AP, you must ensure that Telnet Access/SSH Access is Enabled on
the Wireless AP Configuration screen.
Note: The new telnet access password that you set up over the controller’s user
interface overrides the default telnet access password.
To enable or disable telnet or SSH access:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to enable or
disable telnet.
3. Click Advanced. The Advanced dialog is displayed.
4. In the Telnet Access/SSH Access drop-down list, click one of the following:
•
Enable – Enables telnet access
•
Disable – Disables telnet access
Note: The option to enable or disable telnet access or SSH access will only
be displayed if the Wireless AP is a Standard Wireless AP or Outdoor AP. For
11n Wireless APs, SSH is always enabled by default.
5. To save your changes, click Save.
To set up a new telnet/SSH access password:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the left pane, click AP Registration. The Wireless AP Registration
screen is displayed.
182
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Note: The SSH Access section on the AP Registration screen is applicable
to the 11n Wireless APs. The Telnet Access section is applicable to the
Standard Wireless AP or the HiPath Wireless Outdoor AP.
3. If you are setting up a new telnet access password for either the Wireless AP
or Wireless Outdoor AP, type the new password in the Password box under
the Telnet Access section. If you are setting up a new SSH access password
for the Wireless 802.11n AP, type the new password in the Password box
under the SSH Access section.
4. In the Confirm Password box, re-type the password.
5. To save your changes, click Save.
4.5 Configuring VLAN tags for Wireless APs
Caution: You must exercise caution while configuring a VLAN ID tag. If a VLAN
tag is not configured properly, the connectivity between the HiPath Wireless
Controller and the Wireless AP will be lost.
To configure the VLAN tag for the Wireless AP, you must connect the Wireless
AP to a point on the central office network that does not require VLAN tagging. If
the VLAN tagging is configured correctly and you are still on the central office
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
183
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
network, the Wireless AP will lose connection with the HiPath Wireless Controller
after it is rebooted (the Wireless AP reboots when the configuration settings are
saved).
If the Wireless AP does not lose its connection with the HiPath Wireless
Controller after the reboot, the VLAN ID has not been configured correctly. After
the VLAN is configured correctly, you can move the Wireless AP to the target
location.
To configure Wireless APs with a VLAN tag:
1. Connect the Wireless AP in the central office to the HiPath Wireless
Controller port (or to a network point) that does not require VLAN tagging.
2. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
3. Click the Static Configuration tab.
4. In the VLAN Settings section, select Tagged - VLAN ID.
5. In the Tagged - VLAN ID text box, type the VLAN ID on which the Wireless
AP will operate.
6. To save your changes, click Save. The Wireless AP reboots and loses
connection with the HiPath Wireless Controller.
7. Log out from the HiPath Wireless Controller.
8. Disconnect the Wireless AP from the central office network and move it to the
target location.
9. Power up the Wireless AP. The Wireless AP connects to the HiPath Wireless
Controller.
If the Wireless AP does not connect to the HiPath Wireless Controller, the
Wireless AP was not configured properly. To recover from this situation, you
must reset the Wireless AP to its factory default settings, and reconfigure the
static IP address. For more information, see the HiPath Wireless Controller,
Access Points and Convergence Software User Guide.
4.5.1 Setting up 802.1x authentication for a Wireless
AP
802.1x is an authentication standard for wired and wireless LANs. The 802.1x
standard can be used to authenticate access points to the LAN to which they are
connected. 802.1x support provides security for network deployments where
access points are placed in public spaces.
184
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
To successfully set up 802.1x authentication of a Wireless AP, the Wireless AP
must be configured for 802.1x authentication before the Wireless AP is connected
to a 802.1x enabled switch port.
Caution: If the switch port, to which the Wireless AP is connected to, is not
802.1x enabled, the 802.1x authentication will not take effect.
802.1x authentication credentials can be updated at any time, whether or not the
Wireless AP is connected with an active session. If the Wireless AP is connected,
the new credentials are sent immediately. If the Wireless AP is not connected, the
new credentials are delivered the next time the Wireless AP connects to the
HiPath Wireless Controller.
There are two main aspects to the 802.1x feature:
•
Credential management – The HiPath Wireless Controller and the Wireless
AP are responsible for the requesting, creating, deleting, or invalidating the
credentials used in the authentication process.
•
Authentication – The Wireless AP is responsible for the actual execution of
the EAP-TLS or PEAP protocol.
802.1x authentication can be configured on a per access point basis. For
example, 802.1x authentication can be applied to specific Wireless APs
individually or with a multi-edit function.
The 802.1x authentication supports two authentication methods:
•
•
PEAP (Protected Extensible Authentication Protocol)
–
Is the recommended 802.1x authentication method
–
Requires minimal configuration effort and provides equal authentication
protection to EAP-TLS
–
Uses user ID and passwords for authentication of access points
EAP-TLS
–
Requires more configuration effort
–
Requires the use of a third-party Certificate Authentication application
–
Uses certificates for authentication of access points
–
HiPath Wireless Controller can operate in either proxy mode or pass
through mode.
•
Proxy mode – The HiPath Wireless Controller generates the public
and private key pair used in the certificate.
•
Pass through mode – The certificate and private key is created by the
third-party Certificate Authentication application.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
185
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Note: Although a Wireless AP can support using both PEAP and EAP-TLS
credentials simultaneously, it is not recommended to do so. Instead, Siemens
recommends that you use only one type of authentication and that you install the
credentials for only that type of authentication on the Wireless AP.
4.5.1.1 Configuring 802.1x PEAP authentication
PEAP authentication uses user ID and passwords for authentication. To
successfully configure 802.1x authentication of a Wireless AP, the Wireless AP
must first be configured for 802.1x authentication before the Wireless AP is
deployed on a 802.1x enabled switch port.
Note: User names and passwords for PEAP authentication credentials each
have a maximum length of 128 characters.
To configure 802.1x PEAP authentication:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to configure
802.1x PEAP authentication.
3. Click the 802.1x tab.
186
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
4. In the Username drop-down list, click the value you want to assign as the
user name credential:
•
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
•
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
•
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
•
Other – Click to specify a custom value. A text box is displayed. In the text
box, type the value you want to assign as the user name credential.
5. In the Password drop-down list, click the value you want to assign as the
password credential:
•
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
•
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
•
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
•
Other – Click to specify a custom value. A text box is displayed. In the text
box, type the value you want to assign as the password credential.
6. To save your changes, click Save.
The 802.1x PEAP authentication configuration is assigned to the Wireless
AP. The Wireless AP can now be deployed to a 802.1x enabled switch port.
4.5.1.2 Configuring 802.1x EAP-TLS authentication
EAP-TLS authentication uses certificates for authentication. A third-party
Certificate Authentication application is required to configure EAP-TLS
authentication. Certificates can be overwritten with new ones at any time.
With EAP-TLS authentication, the HiPath Wireless Controller can operate in the
following modes:
•
Proxy mode
•
Pass through mode
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
187
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Note: When a Wireless AP configured with 802.1x EAP-TLS authentication is
connected to a HiPath Wireless Controller, the Wireless AP begins submitting
logs to the HiPath Wireless Controller 30 days before the certificate expires to
provide administrators with a warning of the impending expiry date.
Proxy mode
In proxy mode, HiPath Wireless Controller generates the public and private key
pair used in the certificate. You can specify the criteria used to create the
Certificate Request. The Certificate Request that is generated by the HiPath
Wireless Controller is then used by the third-party Certificate Authentication
application to create the certificate used for authentication of the Wireless AP. To
successfully configure 802.1x authentication of a Wireless AP, the Wireless AP
must first be configured for 802.1x authentication before the Wireless AP is
deployed on a 802.1x enabled switch port.
To configure 802.1x EAP-TLS authentication in proxy mode:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to configure
802.1x EAP-TLS authentication.
3. Click the 802.1x tab.
4. Click Generate certificate request. The Generate Certificate Request
window is displayed.
5. Type the criteria to be used to create the certificate request. All fields are
required:
188
•
Country name – The two-letter ISO abbreviation of the name of the
country
•
State or Province name – The name of the State/Province
•
Locality name (city) – The name of the city
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Organization name – The name of the organization
•
Organizational Unit name – The name of the unit within the organization
•
Common name – Click the value you want to assign as the common
name of the Wireless AP:
•
–
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
–
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
–
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
–
Other – Click to specify a custom value. A text box is displayed. In the
text box, type the value you want to assign as the common name of
the Wireless AP.
Email address – The email address of the organization
6. Click Generate certificate request. A certificate request file is generated
(.csr file extension). The name of the file is the Wireless AP serial number.
The File Download dialog is displayed.
7. Click Save. The Save as window is displayed.
8. Navigate to the location on your computer that you want to save the
generated certificate request file, and then click Save.
9. In the third-party Certificate Authentication application, use the content of the
generated certificate request file to generate the certificate file (.cer file
extension).
10. On the 802.1x tab, click Browse. The Choose file window is displayed.
11. Navigate to the location of the certificate file, and click Open. The name of the
certificate file is displayed in the X509 DER / PKCS#12 file box.
12. To save your changes, click Save.
The 802.1x EAP-TLS (certificate and private key) authentication in proxy
mode is assigned to the Wireless AP. The Wireless AP can now be deployed
to a 802.1x enabled switch port.
Pass through mode
In pass through mode, the certificate and private key is created by the third-party
Certificate Authentication application. To successfully configure 802.1x
authentication of a Wireless AP, the Wireless AP must first be configured for
802.1x authentication before the Wireless AP is deployed on a 802.1x enabled
switch port.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
189
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Before you configure 802.1x using EAP-TLS authentication in pass through
mode, you must first create a certificate using the third-party Certificate
Authentication application and save the certificate file in PKCS #12 file format
(.pfx file extension) on your system.
To configure 802.1x EAP-TLS authentication in pass through mode:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to configure
802.1x EAP-TLS authentication.
3. Click the 802.1x tab.
4. Click Browse. The Choose file window is displayed.
5. Navigate to the location of the certificate file (.pfx) and click Open. The name
of the certificate file is displayed in the X509 DER / PKCS#12 file box.
6. In the Password box, type the password that was used to protect the private
key.
Note: The password that was used to protect the private key must be a
maximum of 31 characters long.
7. To save your changes, click Save.
The 802.1x EAP-TLS authentication in pass through mode is assigned to the
Wireless AP. The Wireless AP can now be deployed to a 802.1x enabled
switch port.
4.5.1.3 Viewing 802.1x credentials
When 802.1x authentication is configured on a Wireless AP, the light bulb icon on
the 802.1x tab for the configured Wireless AP is lit to indicate which 802.1x
authentication method is used. A Wireless AP can be configured to use both
EAP-TLS and PEAP authentication methods. For example, when both EAP-TLS
and PEAP authentication methods are configured for the Wireless AP, both light
bulb icons on the 802.1x tab are lit.
Note: You can only view the 802.1x credentials of Wireless APs that have an
active session with the HiPath Wireless Controller. If you attempt to view the
credentials of a Wireless AP that does not have an active session, the Wireless
AP Credentials window displays the following message:
Unable to query Wireless AP: not connected.
190
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
To view current 802.1x credentials:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to view its
current 802.1x credentials.
3. In the Current Credentials section, click Get Certificate details. The
Wireless AP Credentials window is displayed.
4.5.1.4 Deleting 802.1x credentials
Caution: Exercise caution when deleting 802.1x credentials. For example,
deleting 802.1x credentials may prevent the Wireless AP from being
authenticated or to lose its connection with the HiPath Wireless Controller.
To delete current 802.1x credentials:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP for which you want to delete its
current 802.1x credentials.
3. Do the following:
•
To delete EAP-TLS credentials, click Delete EAP-TLS credentials.
•
To delete PEAP credentials, click Delete PEAP credentials.
The credentials are deleted and the Wireless AP settings are updated.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
191
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Note: If you attempt to delete the 802.1x credentials of a Wireless AP that
currently does not have an active session with the HiPath Wireless Controller,
the credentials are only deleted after the Wireless AP connects with the
HiPath Wireless Controller.
4.5.2 Setting up 802.1x authentication for Wireless
APs using Multi-edit
In addition to configuring Wireless APs individually, you can also configure 802.1x
authentication for multiple Wireless APs simultaneously by using the AP 802.1x
Multi-edit feature.
When you use the AP 802.1x Multi-edit feature, you can choose to:
•
Assign EAP-TLS authentication based on generated certificates to multiple
Wireless APs by uploading a .pfx, .cer, or .zip file.
•
Assign PEAP credentials to multiple Wireless APs based on a user name and
password that you define
To configure 802.1x EAP-TLS authentication in proxy mode using
Multi-edit:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP 802.1x Multi-edit.
192
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
3. In the Wireless APs list, click one or more Wireless APs to configure. To
select multiple Wireless APs, click the Wireless APs from the list while
pressing the CTRL key.
4. In the Certificate Signing Request section, type the following:
•
Country name – The two-letter ISO abbreviation of the name of the
country
•
State or Province name – The name of the State/Province
•
Locality name (city) – The name of the city
•
Organization name – The name of the organization
•
Organizational Unit name – The name of the unit within the organization
•
Common name – Click the value you want to assign as the common
name of the Wireless AP:
•
–
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
–
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
–
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
Email address – The email address of the organization
5. Click Generate Certificates. The AP 802.1x Multi-edit progress window is
displayed, which provides the status of the configuration process. Once
complete, the File Download dialog is displayed.
6. Click Save. The Save as window is displayed.
7. Navigate to the location on your computer that you want to save the
generated certificate_requests.tar file, and then click Save.
The certificate_requests.tar file contains a certificate request (.csr) file for
each Wireless AP.
8. Do one of the following:
•
For each certificate request, generate a certificate using the third-party
Certificate Authentication application. This method will produce a
certificate for each Wireless AP. Once complete, zip all the certificates
files (.cer) into one .zip file.
•
Use one of the certificate requests and generate one certificate using the
Certificate Authentication application. This method will produce one
certificate that can be applied to all Wireless APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
193
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
9. In the Bulk Certificate Upload section, click Browse. The Choose file
window is displayed.
10. Navigate to the location of the file (.zip or .cer), and then click Open. The
name of the file is displayed in the PFX, CER or ZIP Archive box.
11. Click Upload and Set certificates. Once complete, the Settings updated
message is displayed in the footer of the HiPath Wireless Assistant.
The 802.1x EAP-TLS authentication configuration is assigned to the Wireless
APs. The Wireless APs can now be deployed to 802.1x enabled switch ports.
Configuring 802.1x EAP-TLS authentication in pass through mode using
Multi-edit:
When you configure 802.1x EAP-TLS authentication in pass through mode using
Multi-edit, do one of the following:
•
•
Generate a certificate for each Wireless AP using the third-party Certificate
Authentication application. When generating the certificates:
–
Use the Common name value (either Name, Serial, or MAC) of the
Wireless AP to name each generated certificate.
–
Use a common password for each generated certificate.
–
All .pfx files created by the third-party Certificate Authentication
application must be zipped into one file.
Generate one certificate, using the third-party Certificate Authentication
application, to be applied to all Wireless APs. When generating the certificate,
use the Common name value (either Name, Serial, or MAC) of the Wireless
AP to name the generated certificate.
To configure 802.1x EAP-TLS authentication in pass through mode using
Multi-edit:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP 802.1x Multi-edit.
3. In the Wireless APs list, click one or more Wireless APs to configure. To
select multiple Wireless APs, click the Wireless APs from the list while
pressing the CTRL key.
4. In the Bulk Certificate Upload section, click Browse. The Choose file
window is displayed.
5. Navigate to the location of the file (.zip or .pfx), and then click Open. The
name of the file is displayed in the PFX, CER or ZIP Archive box.
6. In the Password box, type the password used during the certificates
generation process.
194
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
7. Click Upload and Set certificates. Once complete, the Settings updated
message is displayed in the footer of the HiPath Wireless Assistant.
The 802.1x EAP-TLS authentication configuration is assigned to the Wireless
APs. The Wireless APs can now be deployed to 802.1x enabled switch ports.
To configure 802.1x PEAP authentication using Multi-edit:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP 802.1x Multi-edit.
3. In the Wireless APs list, click one or more APs to edit. To select multiple APs,
click the APs from the list while pressing the CTRL key.
4. In the PEAP Authentication section, do the following:
•
•
In the Username drop-down list, click the value you want to assign as the
user name credential:
–
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
–
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
–
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
In the Password drop-down list, click the value you want to assign as the
password credential:
•
Name – The name of the Wireless AP, which is assigned on the AP
Properties tab. The Wireless AP name can be edited.
•
Serial – The serial number of the Wireless AP. The Wireless AP serial
number cannot be edited.
•
MAC – The MAC address of the Wireless AP. The Wireless AP MAC
address cannot be edited.
5. Click Set PEAP credentials. The AP 802.1x Multi-edit progress window is
displayed, which provides the status of the configuration process. Once
complete, the Settings updated message is displayed in the footer of the
HiPath Wireless Assistant.
The 802.1x PEAP authentication configuration is assigned to the Wireless
APs. The Wireless APs can now be deployed to 802.1x enabled switch ports.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
195
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
4.5.3 Configuring the default Wireless AP settings
Wireless APs are added with default settings. You can modify the system’s
Wireless AP default settings, and then use these default settings to configure
newly added Wireless APs. In addition, you can base the system’s Wireless AP
default settings on an existing Wireless AP configuration or have configured
Wireless APs inherit the properties of the default Wireless AP configuration when
they register with the system.
The process of configuring the default Wireless AP settings is divided into five
tabs:
•
Common Configuration – Configure common configuration, such as WLAN
assignments and static configuration options for all Wireless APs. See
Section 4.5.3.1, “Configure common configuration default AP settings”, on
page 196.
•
AP2610 AP2620 AP2605 W788 BP200 WB500 – Configure the default
settings for the standard Wireless APs, and the W788, BP200, and WB500
access points. See Section 4.5.3.2, “Configure AP2610/20, AP2605, W788,
BP200, and WB500 default AP settings”, on page 198.
•
AP3605 AP3610 AP3620 – Configure the default settings for the Wireless
802.11n APs. See Section 4.5.3.3, “Configure AP3605/10/20 default AP
settings”, on page 205.
•
AP2650 AP2660 W786 – Configure the default settings for the HiPath
Wireless Outdoor APs and the W786 access points. See Section 4.5.3.4,
“Configure AP2650/60 and W786 default AP settings”, on page 213.
•
AP4102 AP4102C – Configure the default settings for the AP4102 and the
AP4102C access points. See Section 4.5.3.5, “Configure AP4102 and
AP4102C default AP settings”, on page 221.
4.5.3.1 Configure common configuration default AP settings
To configure common configuration default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The Common Configuration tab
is displayed.
196
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
3. In the Static Configuration section, do one of the following:
•
To allow each Wireless AP to provide its own HWC Search List, select the
Learn HWC Search List from AP checkbox.
•
To specify a common HWC Search List for all Wireless APs, clear the
Learn HWC Search List from AP checkbox, and then do the following:
a) In the Add box, type the IP address of the HiPath Wireless Controller
that will control this Wireless AP.
b) Click Add. The IP address is added to the list.
c) Repeat steps a and b to add additional HiPath Wireless
Controllers.The maximum is three controllers.
d) Click Up and Down to modify the order of the HiPath Wireless
Controllers.
The Wireless AP is successful when it finds a HiPath Wireless Controller that
will allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the
Wireless Controller Search List box is not populated, the Wireless AP will
use SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover a
HiPath Wireless Controller.
The DHCP function for wireless clients must be provided locally by a local
DHCP server, unless each wireless client has a static IP address.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
197
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
For the initial Wireless AP deployment, it is necessary to use one of the
described options in Section 4.2, “Discovery and registration overview”, on
page 113.
4. In the WLAN Assignments section, assign the Radios for each VNS in the
list by selecting or clearing the option boxes.
5. To save your changes, click Save Settings.
4.5.3.2 Configure AP2610/20, AP2605, W788, BP200, and
WB500 default AP settings
To configure AP2610/20, AP2605, W788, BP200, and WB500 default AP
settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The Common Configuration tab
is displayed.
3. Click the AP2610 AP2620 AP2605 W788 BP200 WB500 tab.
4. In the AP Properties section, do the following:
•
LLDP – Click to Enable or Disable the Wireless AP from broadcasting
LLDP information. This option is disabled by default.
If SNMP is enabled on the HiPath Wireless Controller and you enable
LLDP, the LLDP Confirmation dialog is displayed.
198
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Select one of the following:
–
Proceed (not recommended) – Select this option to enable LLDP
and keep SNMP running, and then click OK.
–
Disable SNMP publishing, and proceed – Select this option to
enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance
Guide.
•
Announcement Interval – If LLDP is enabled, type how often the
Wireless AP advertises its information by sending a new LLDP packet.
This value is measured in seconds.
If there are no changes to the Wireless AP configuration that impact the
LLDP information, the Wireless AP sends a new LLDP packet according
to this schedule.
Note: The Time to Live value cannot be directly edited. The Time to Live
value is calculated as four times the Announcement Interval value.
•
Announcement Delay – If LLDP is enabled, type the announcement
delay. This value is measured in seconds. If a change to the Wireless AP
configuration occurs which impacts the LLDP information, the Wireless
AP sends an updated LLDP packet. The announcement delay is the
length of time that delays the new packet delivery. The announcement
delay helps minimize LLDP packet traffic.
•
Country – Click the country of operation. This option is only available with
certain licenses.
5. In the Radio Settings section, do the following for each radio:
•
Radio mode – Click the radio mode you want to enable:
–
Radio 1 – off or a.
–
Radio 2 – off, b, g, or b/g.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
199
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Note: Depending on the radio modes you select, some of the radio settings
may not be available for configuration.
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Auto Tx Power Ctrl – Click to either enable or disable ATPC from the
Auto Tx Power Ctrl drop-down list. ATPC automatically adapts
transmission power signals according to the coverage provided by the
Wireless APs. After a period of time, the system will stabilize itself based
on the RF coverage of your Wireless APs.
•
Max Tx Power – Click the appropriate Tx power level from the Max TX
Power drop-down list. The values in the Max TX Power drop-down are
in dBm.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n)
or 24 (a or a/n) dBm. Siemens recommends that you use 0 dBm if you do
not want to limit the potential Tx power level range that can be used.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that use 0 dBm during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
•
Channel Plan – If ACS is enabled you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference.
For Radio 1, click one of the following:
200
–
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
–
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
–
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
For Radio 2, click one of the following:
–
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in the US, and 1, 7, and 13 in Europe.
–
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in the US, and 1, 5, 9, and 13 in Europe.
–
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in the US, and 1, 5, 9, and 13 in Europe.
–
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
6. To modify default access point advanced settings, click Advanced. The
Advanced dialog is displayed.
7. In the Advanced dialog AP Properties section, do the following:
•
Poll Timeout – Type the timeout value, in seconds. The Wireless AP
uses this value to trigger re-establishing the link with the HiPath Wireless
Controller if it (Wireless AP) does not get an answer to its polling. The
default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value
should be 1.5 to 2 times of Detect link failure value on AP Properties
screen. For more information, see Section 7.4, “Session availability”, on page
417.
•
Remote Access – Click to Enable or Disable telnet or SSH access to the
Wireless AP.
•
Location based service – Click to Enable or Disable location based
service on this Wireless AP. Location based service allows you to use this
Wireless AP with an AeroScout solution.
•
Maintain client session in event of poll failure – Click to Enable or
Disable (if using a bridged at AP VNS) if the AP should remain active if a
link loss with the controller occurs.This option is enabled by default.
•
Restart service in the absence of controller – Click to Enable or
Disable (if using a bridged at AP VNS) to ensure the Wireless APs’ radios
continue providing service if the Wireless AP’s connection to the HiPath
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
201
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Wireless Controller is lost. If this option is enabled, it allows the Wireless
AP to start a bridged at AP VNS even in the absence of a HiPath Wireless
Controller.
•
Use broadcast for disassociation – Click to Enable or Disable if you
want the Wireless AP to use broadcast disassociation when
disconnecting all clients, instead of disassociating each client one by one.
This will affect the behavior of the AP under the following conditions:
–
If the Wireless AP is preparing to reboot or to enter one of the special
modes (DRM initial channel selection).
–
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
8. In the Advanced dialog Radio Settings section, do the following:
202
•
DTIM – Type the desired DTIM (Delivery Traffic Indication Message)
period — the number of beacon intervals between two DTIM beacons. To
ensure the best client power savings, use a large number. For example,
5. Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
•
RTS/CTS – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send)
handshake. The default value is 2346, which means all packets are sent
without RTS/CTS. Reduce this value only if necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the AP prior to transmission. The
default value is 2346, which means all packets are sent unfragmented.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
Do not change the default setting for the radio that provides service to
802.11 clients only.
•
Dynamic Channel Selection – Click one of the following:
–
Off – Disables DCS.
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
–
DCS Noise Threshold – If DCS is enabled, type the noise
interference level, measured in dBm, after which ACS will scan for a
new operating channel for the Wireless AP if the threshold is
exceeded.
–
DCS Channel Occupancy Threshold – If DCS is enabled, type the
channel utilization level, measured as a percentage, after which ACS
will scan for a new operating channel for the Wireless AP if the
threshold is exceeded.
–
DCS Update Period – If DCS is enabled, type the time, measured in
minutes that determines the period during which the Wireless AP
averages the DCS Noise Threshold and DCS Channel Occupancy
Threshold measurements. If either one of these thresholds is
exceeded, then the Wireless AP will trigger ACS.
•
Rx Diversity – Click Best for the best signal from both antennas, or Left
or Right to choose either of the two diversity receiving antennas. The
default and recommended selection is Best. If only one antenna is
connected, use the corresponding Left or Right diversity setting. Do not
use Best if two identical antennas are not used.
•
Tx Diversity – Click Alternate for the best signal from both antennas, or
Left or Right to choose either of the two diversity receiving antennas. The
default selection is Alternate that maximizes performance for most
clients. However, some clients may behave oddly with Tx Diversity set to
Alternate. Under those circumstances, Siemens recommends that you
use either Left or Right for Tx Diversity. If only one antenna is connected,
use the corresponding Left or Right diversity setting. Do not use
Alternate if two identical antennas are not used.
•
Preamble – Click a preamble type for 11b-specific (CCK) rates: Short,
Long, or Auto. The recommended value is Auto. Click Short if you are
sure that there is no pre-11b AP or a client in the vicinity of this AP. Click
Long if compatibility with pre-11b clients is required.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
203
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
9. In the Advanced dialog Enhanced Rate Control section, do the following:
•
Min Basic Rate – For each radio, click the minimum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Basic Rate – For each radio, click the maximum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Operational Rate – For each radio, click the maximum data rate that
clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps
for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps
for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps
for 11a mode. If necessary, the Max Operational Rate choices adjust
automatically to be higher or equal to the Min Basic Rate.
10. In the Advanced dialog No of Retries section, do the following:
•
204
Background BK – For each radio, click the number of retries for the
Background transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Best Effort BE – For each radio, click the number of retries for the Best
Effort transmission queue. The default value is adaptive (multi-rate).
The recommended setting is adaptive (multi-rate).
•
Video VI – For each radio, click the number of retries for the Video
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Voice VO – For each radio, click the number of retries for the Voice
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Turbo Voice TVO – For each radio, click the number of retries for the
Turbo Voice transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
11. Click Close. The Advanced dialog is closed.
12. To save your changes, click Save Settings.
4.5.3.3 Configure AP3605/10/20 default AP settings
To configure AP3605/10/20 default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The Common Configuration tab
is displayed.
3. Click the AP3605 AP3610 AP3620 tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
205
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
4. In the AP Properties section, do the following:
•
LLDP – Click to enable or disable the Wireless AP from broadcasting
LLDP information. This option is disabled by default.
If SNMP is enabled on the HiPath Wireless Controller and you enable
LLDP, the LLDP Confirmation dialog is displayed.
•
Select one of the following:
•
Proceed (not recommended) – Select this option to enable LLDP
and keep SNMP running, and then click OK.
•
Disable SNMP publishing, and proceed – Select this option to
enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance
Guide.
206
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Announcement Interval – If LLDP is enabled, type how often the
Wireless AP advertises its information by sending a new LLDP packet.
This value is measured in seconds.
If there are no changes to the Wireless AP configuration that impact the
LLDP information, the Wireless AP sends a new LLDP packet according
to this schedule.
Note: The Time to Live value cannot be directly edited. The Time to Live
value is calculated as four times the Announcement Interval value.
•
Announcement Delay – If LLDP is enabled, type the announcement
delay. This value is measured in seconds. If a change to the Wireless AP
configuration occurs which impacts the LLDP information, the Wireless
AP sends an updated LLDP packet. The announcement delay is the
length of time that delays the new packet delivery. The announcement
delay helps minimize LLDP packet traffic.
•
Country – Click the country of operation. This option is only available with
some licenses.
5. In the Radio Settings section, do the following for each radio:
•
Radio mode – Click the radio mode you want to enable:
•
Radio 1 – off, a or a/n.
•
Radio 2 – off, b, b/g, or b/g/n.
Note: Depending on the radio modes you select, some of the radio settings
may not be available for configuration.
•
Channel Width – Click the channel width for the radio:
•
20MHz – Click to allow 802.11n clients to use the primary channel
(20MHz) and non-802.11n clients, beacons, and multicasts to use the
802.11b/g radio protocols.
•
40MHz – Click to allow 802.11n clients that support the 40MHz
frequency to use 40MHz, 20MHz, or the 802.11b/g radio protocols.
802.11n clients that do not support the 40MHz frequency can use
20MHz or the 802.11b/g radio protocols and non-802.11n clients,
beacons, and multicasts use the 802.11b/g radio protocols.
•
Auto – Click to automatically switch between 20MHz and 40MHz
channel widths, depending on how busy the extension channel is.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
207
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Guard Interval – Click a guard interval, Long or Short, when a 40MHz
channel is used. Siemens recommends that you use a short guard
interval in small rooms (for example, a small office space) and a long
guard interval in large rooms (for example, a conference hall).
•
Auto Tx Power Ctrl – Click to enable or disable ATPC from the Auto Tx
Power Ctrl drop-down list. ATPC automatically adapts transmission
power signals according to the coverage provided by the Wireless APs.
After a period of time, the system will stabilize itself based on the RF
coverage of your Wireless APs.
•
Max Tx Power – Click the appropriate Tx power level from the Max TX
Power drop-down list. The values in the Max TX Power drop-down are
in dBm.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n)
or 24 (a or a/n) dBm. Siemens recommends that you select 0 dBm to use
the entire range of potential Tx power.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dBm during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
•
Channel Plan – If ACS is enabled, you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference.
For Radio 1, click one of the following:
208
•
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
•
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
•
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
For Radio 2, click one of the following:
•
•
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in the US, and 1, 7, and 13 in Europe.
•
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in the US, and 1, 5, 9, and 13 in Europe.
•
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in the US, and 1, 5, 9, and 13 in Europe.
•
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
Antenna Selection – Click the antenna, or antenna combination, you
want to configure on this radio.
Note: The antennas listed are the only antennas approved for use with
the AP. The pull down list contains currently available WS-XXXXX
antennas as well as legacy antenna part numbers that may have been in
use prior to the v7.11 release.
When you configure the Wireless 802.11n AP to use specific antennas,
the transmission power is recalculated; the Current Tx Power Level
value for the radio is automatically adjusted to reflect the recent antenna
configuration. It takes approximately 30 seconds for the change to the
Current Tx Power Level value to be reflected in the HiPath Wireless
Assistant. Also, the radio is reset causing client connections on this radio
to be lost.
Note: Antenna Selection is not applicable to the AP3605.
6. To modify default access point advanced settings, click Advanced. The
Advanced dialog is displayed.
7. In the Advanced dialog AP Properties section, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
209
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Poll Timeout – Type the timeout value, in seconds. The Wireless AP
uses this value to trigger re-establishing the link with the HiPath Wireless
Controller if it (Wireless AP) does not get an answer to its polling. The
default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value
should be 1.5 to 2 times of Detect link failure value on AP Properties
screen. For more information, see Section 7.4, “Session availability”, on page
417.
•
Remote Access – Click to Enable or Disable telnet or SSH access to the
Wireless AP.
•
Location based service – Click to Enable or Disable location based
service on this Wireless AP. Location based service allows you to use this
Wireless AP with an AeroScout solution.
•
Maintain client session in event of poll failure – Select this option (if
using a bridged at AP VNS) if the AP should remain active if a link loss
with the controller occurs.This option is enabled by default.
•
Restart service in the absence of controller – Select this option (if
using a bridged at AP VNS) to ensure the Wireless AP’s radios continue
providing service if the Wireless AP’s connection to the HiPath Wireless
Controller is lost. If this option is enabled, it allows the Wireless AP to start
a bridged at AP VNS even in the absence of a HiPath Wireless Controller.
•
Use broadcast for disassociation – Select if you want the Wireless AP
to use broadcast disassociation when disconnecting all clients, instead of
disassociating each client one by one. This will affect the behavior of the
AP under the following conditions:
–
If the Wireless AP is preparing to reboot or to enter one of the special
modes (DRM initial channel selection).
–
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
8. In the Advanced dialog Radio Settings section, do the following:
210
•
DTIM – Type the desired DTIM (Delivery Traffic Indication Message)
period — the number of beacon intervals between two DTIM beacons. To
ensure the best client power savings, use a large number. For example,
5. Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
RTS/CTS – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send)
handshake. The default value is 2346, which means all packets are sent
without RTS/CTS. Reduce this value only if necessary.
•
Frag. Threshold – For each radio, type the fragment size threshold, in
bytes, above which the packets will be fragmented by the AP prior to
transmission. The default value is 2346, which means all packets are sent
unfragmented. Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
•
Dynamic Channel Selection – To enable Dynamic Channel Selection,
click one of the following:
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
•
DCS Noise Threshold – Type the noise interference level, measured in
dBm, after which ACS will scan for a new operating channel for the
Wireless AP if the threshold is exceeded.
•
DCS Channel Occupancy Threshold – Type the channel utilization
level, measured as a percentage, after which ACS will scan for a new
operating channel for the Wireless AP if the threshold is exceeded.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
211
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
DCS Update Period – Type the time, measured in minutes that
determines the period during which the Wireless AP averages the DCS
Noise Threshold and DCS Channel Occupancy Threshold
measurements. If either one of these thresholds is exceeded, then the
Wireless AP will trigger ACS.
•
Preamble – Click a preamble type for 11b-specific (CCK) rates: Short,
Long, or Auto. The recommended value is Auto. Click Short if you are
sure that there is no pre-11b AP or a client in the vicinity of this AP. Click
Long if compatibility with pre-11b clients is required.
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
9. In the Advanced dialog 11n Settings section, do the following:
212
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
40MHz Protection Mode – Click a protection type, CTS Only or RTSCTS, or None, when a 40MHz channel is used. This protects high
throughput transmissions on extension channels from interference from
non-11n APs and clients.
•
40MHz Prot. Channel Offset – Select a 20MHz channel offset if the
deployment is using channels that are 20MHz apart (for example, using
channels 1, 5, 9, and 13) or a 25MHz channel offset if the deployment is
using channels that are 25MHz apart (for example, using channels 1, 6,
and 11).
•
40MHz Channel Busy Threshold – Type the extension channel
threshold percentage, which if exceeded, will disable transmissions on
the extension channel (40MHz).
•
Aggregate MSDUs – Click an aggregate MSDU mode: Enabled or
Disabled. Aggregate MSDU increases the maximum frame transmission
size.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Aggregate MSDU Max Length – Type the maximum length of the
aggregate MSDU. The value range is 2290-4096 bytes.
•
Aggregate MPDUs – Click an aggregate MPDU mode: Enabled or
Disabled. Aggregate MPDU provides a significant improvement in
throughput.
•
Aggregate MPDU Max Length – Type the maximum length of the
aggregate MPDU. The value range is 1024-65535 bytes.
•
Agg. MPDU Max # of Sub-frames – Type the maximum number of
sub-frames of the aggregate MPDU. The value range is 2-64.
•
ADDBA Support – Click an ADDBA support mode: Enabled or
Disabled. ADDBA, or block acknowledgement, provides
acknowledgement of a group of frames instead of a single frame. ADDBA
Support must be enabled if Aggregate APDU is enable.
10. Click Close. The Advanced dialog is closed.
11. To save your changes, click Save Settings.
4.5.3.4 Configure AP2650/60 and W786 default AP settings
To configure AP2650/60 and W786 default access point settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The Common Configuration tab
is displayed.
3. Click the AP2650 AP2660 W786 tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
213
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
4. In the AP Properties section, do the following:
•
LLDP – Click to Enable or Disable the Wireless AP from broadcasting
LLDP information. This option is disabled by default.
If SNMP is enabled on the HiPath Wireless Controller and you enable
LLDP, the LLDP Confirmation dialog is displayed.
•
Select one of the following:
–
Proceed (not recommended) – Select this option to enable LLDP
and keep SNMP running, and then click OK.
–
Disable SNMP publishing, and proceed – Select this option to
enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance
Guide.
214
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Announcement Interval – If LLDP is enabled, type how often the
Wireless AP advertises its information by sending a new LLDP packet.
This value is measured in seconds.
If there are no changes to the Wireless AP configuration that impact the
LLDP information, the Wireless AP sends a new LLDP packet according
to this schedule.
Note: The Time to Live value cannot be directly edited. The Time to Live
value is calculated as four times the Announcement Interval value.
•
Announcement Delay – If LLDP is enabled, type the announcement
delay. This value is measured in seconds. If a change to the Wireless AP
configuration occurs which impacts the LLDP information, the Wireless
AP sends an updated LLDP packet. The announcement delay is the
length of time that delays the new packet delivery. The announcement
delay helps minimize LLDP packet traffic.
5. Country – Click the country of operation. This option is only available with
some licenses.
6. In the Radio Settings section, do the following for each radio:
•
Radio mode – Click the radio mode you want to enable:
–
Radio 1 – off, b, g, b/g, or a.
–
Radio 2 – off, b, g, b/g, or a.
Note: Depending on the radio modes you select, some of the radio settings
may not be available for configuration.
•
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
•
Auto Tx Power Ctrl – Click to either enable or disable ATPC from the
Auto Tx Power Ctrl drop-down list. ATPC automatically adapts
transmission power signals according to the coverage provided by the
Wireless APs. After a period of time, the system will stabilize itself based
on the RF coverage of your Wireless APs.
•
Max Tx Power – Click the appropriate Tx power level from the Max TX
Power drop-down list. The values in the Max TX Power drop-down are
in dBm.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
215
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n)
or 24 (a or a/n) dBm. Siemens recommends that you select 0 dBm to use
the entire range of potential Tx power.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dBm during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
•
Channel Plan – If ACS is enabled you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference.
If you have set the radio to 802.11a, click one of the following:
–
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
–
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
–
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
If you have set the radio to 802.11b, g, or b/g, click one of the following:
216
–
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in the US, and 1, 7, and 13 in Europe.
–
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in the US, and 1, 5, 9, and 13 in Europe.
–
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in the US, and 1, 5, 9, and 13 in Europe.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
–
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
7. To modify default access point advanced settings, click Advanced. The
Advanced dialog is displayed.
8. In the Advanced dialog AP Properties section, do the following:
•
Poll Timeout – Type the timeout value, in seconds. The Wireless AP
uses this value to trigger re-establishing the link with the HiPath Wireless
Controller if it (Wireless AP) does not get an answer to its polling. The
default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value
should be 1.5 to 2 times of Detect link failure value on AP Properties
screen. For more information, see Section 7.4, “Session availability”, on page
417.
•
Remote Access – Click to Enable or Disable telnet or SSH access to the
Wireless AP.
•
Location based service – Click to Enable or Disable location based
service on this Wireless AP. Location based service allows you to use this
Wireless AP with an AeroScout solution.
•
Maintain client session in event of poll failure – Select this option (if
using a bridged at AP VNS) if the AP should remain active if a link loss
with the controller occurs.This option is enabled by default.
•
Restart service in the absence of controller – Select this option (if
using a bridged at AP VNS) to ensure the Wireless AP’s radios continue
providing service if the Wireless AP’s connection to the HiPath Wireless
Controller is lost. If this option is enabled, it allows the Wireless AP to start
a bridged at AP VNS even in the absence of a HiPath Wireless Controller.
•
Use broadcast for disassociation – Select if you want the Wireless AP
to use broadcast disassociation when disconnecting all clients, instead of
disassociating each client one by one. This will affect the behavior of the
AP under the following conditions:
•
If the Wireless AP is preparing to reboot or to enter one of the special
modes (DRM initial channel selection).
•
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
9. In the Advanced dialog Radio Settings section, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
217
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
DTIM – Type the desired DTIM (Delivery Traffic Indication Message)
period — the number of beacon intervals between two DTIM beacons. To
ensure the best client power savings, use a large number. For example,
5. Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
•
RTS/CTS – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send)
handshake. The default value is 2346, which means all packets are sent
without RTS/CTS. Reduce this value only if necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the AP prior to transmission. The
default value is 2346, which means all packets are sent unfragmented.
Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
•
218
Dynamic Channel Selection – Click one of the following:
–
Off – Disables DCS.
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
–
DCS Noise Threshold – If DCS is enabled, type the noise
interference level, measured in dBm, after which ACS will scan for a
new operating channel for the Wireless AP if the threshold is
exceeded.
–
DCS Channel Occupancy Threshold – If DCS is enabled, type the
channel utilization level, measured as a percentage, after which ACS
will scan for a new operating channel for the Wireless AP if the
threshold is exceeded.
–
DCS Update Period – If DCS is enabled, type the time, measured in
minutes that determines the period during which the Wireless AP
averages the DCS Noise Threshold and DCS Channel Occupancy
Threshold measurements. If either one of these thresholds is
exceeded, then the Wireless AP will trigger ACS.
•
Rx Diversity – Click Best for the best signal from both antennas, or Left
or Right to choose either of the two diversity receiving antennas. The
default and recommended selection is Best. If only one antenna is
connected, use the corresponding Left or Right diversity setting. Do not
use Best if two identical antennas are not used.
•
Tx Diversity – Click Alternate for the best signal from both antennas, or
Left or Right to choose either of the two diversity receiving antennas. The
default selection is Alternate that maximizes performance for most
clients. However, some clients may behave oddly with Tx Diversity set to
Alternate. Under those circumstances, Siemens recommends that you
use either Left or Right for Tx Diversity. If only one antenna is connected,
use the corresponding Left or Right diversity setting. Do not use
Alternate if two identical antennas are not used.
•
Preamble – Click a preamble type for 11b-specific (CCK) rates: Short,
Long, or Auto. The recommended value is Auto. Click Short if you are
sure that there is no pre-11b AP or a client in the vicinity of this AP. Click
Long if compatibility with pre-11b clients is required.
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
219
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
10. In the Advanced dialog Enhanced Rate Control section, do the following:
•
Min Basic Rate – For each radio, click the minimum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Basic Rate – For each radio, click the maximum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Operational Rate – For each radio, click the maximum data rate that
clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps
for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps
for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps
for 11a mode. If necessary, the Max Operational Rate choices adjust
automatically to be higher or equal to the Min Basic Rate.
11. In the Advanced dialog No of Retries section, do the following:
•
Background BK – For each radio, click the number of retries for the
Background transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
•
Best Effort BE – For each radio, click the number of retries for the Best
Effort transmission queue. The default value is adaptive (multi-rate).
The recommended setting is adaptive (multi-rate).
•
Video VI – For each radio, click the number of retries for the Video
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Voice VO – For each radio, click the number of retries for the Voice
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Turbo Voice TVO – For each radio, click the number of retries for the
Turbo Voice transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
12. Click Close. The Advanced dialog is closed.
13. To save your changes, click Save Settings.
220
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
4.5.3.5 Configure AP4102 and AP4102C default AP settings
To configure AP4102 and AP4102C default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Default Settings. The Common Configuration tab
is displayed.
3. Click the AP4102 AP4102C tab.
4. In the AP Properties section, do the following:
•
LLDP – Click to Enable or Disable the Wireless AP from broadcasting
LLDP information. This option is disabled by default.
If SNMP is enabled on the HiPath Wireless Controller and you enable
LLDP, the LLDP Confirmation dialog is displayed.
•
Select one of the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
221
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
–
Proceed (not recommended) – Select this option to enable LLDP
and keep SNMP running, and then click OK.
–
Disable SNMP publishing, and proceed – Select this option to
enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the HiPath Wireless
Controller, Access Points and Convergence Software Maintenance
Guide.
•
Announcement Interval – If LLDP is enabled, type how often the
Wireless AP advertises its information by sending a new LLDP packet.
This value is measured in seconds.
If there are no changes to the Wireless AP configuration that impact the
LLDP information, the Wireless AP sends a new LLDP packet according
to this schedule.
Note: The Time to Live value cannot be directly edited. The Time to Live
value is calculated as four times the Announcement Interval value.
•
Announcement Delay – If LLDP is enabled, type the announcement
delay. This value is measured in seconds. If a change to the Wireless AP
configuration occurs which impacts the LLDP information, the Wireless
AP sends an updated LLDP packet. The announcement delay is the
length of time that delays the new packet delivery. The announcement
delay helps minimize LLDP packet traffic.
•
Country – Click the country of operation. This option is only available with
some licenses.
5. In the Radio Settings section, do the following for each radio:
•
Radio mode – Click the radio mode you want to enable:
•
Radio 1 – off or a.
•
Radio 2 – off, b, g, or b/g.
Note: Depending on the radio modes you select, some of the radio settings
may not be available for configuration.
•
222
RF Domain – Type a string that uniquely identifies a group of APs that
cooperate in managing RF channels and transmission power levels. The
maximum length of the string is 16 characters. The RF Domain is used to
identify a group of Wireless APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Auto Tx Power Ctrl – Click to either enable or disable ATPC from the
Auto Tx Power Ctrl drop-down list. ATPC automatically adapts
transmission power signals according to the coverage provided by the
Wireless APs. After a period of time, the system will stabilize itself based
on the RF coverage of your Wireless APs.
•
Max Tx Power – Click the appropriate Tx power level from the Max TX
Power drop-down list. The values in the Max TX Power drop-down are
in dBm.
•
Min Tx Power – If ATPC is enabled, click the minimum Tx power level to
which the range of transmit power can be adjusted: 0 to 23 (b/g or b/g/n)
or 24 (a or a/n) dBm. Siemens recommends that you select 0 dBm to use
the entire range of potential Tx power.
•
Auto Tx Power Ctrl Adjust – If ATPC is enabled, click the Tx power level
that can be used to adjust the ATPC power levels that the system has
assigned. Siemens recommends that you use 0 dBm during your initial
configuration. If you have an RF plan that recommends Tx power levels
for each Wireless AP, compare the actual Tx power levels your system
has assigned against the recommended values your RF plan has
provided. Use the Auto Tx Power Ctrl Adjust value to achieve the
recommended values.
•
Channel Plan – If ACS is enabled you can define a channel plan for the
Wireless AP. Defining a channel plan allows you to limit which channels
are available for use during an ACS scan. For example, you may want to
avoid using specific channels because of low power, regulatory domain,
or radar interference.
For Radio 1, click one of the following:
–
All channels – ACS scans all channels for an operating channel and
returns both DFS and non-DFS channels, if available.
–
All Non-DFS Channels – ACS scans all non-DFS channels for an
operating channel. This selection is available when there is at least
one DFS channel supported for the selected country.
–
Custom – To configure individual channels from which the ACS will
select an operating channel, click Configure. The Custom Channel
Plan dialog displays. By default, all channels participate in the
channel plan. Click the individual channels you want to include in the
channel plan. To select contiguous channels, use the Shift key. To
select multiple, non-contiguous channels in the list, use the CTRL
key. Click OK to save the configuration.
For Radio 2, click one of the following:
–
3 Channel Plan – ACS will scan the following channels: 1, 6, and 11
in the US, and 1, 7, and 13 in Europe.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
223
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
–
4 Channel Plan – ACS will scan the following channels: 1, 4, 7, and
11 in the US, and 1, 5, 9, and 13 in Europe.
–
Auto – ACS will scan the default channel plan channels: 1, 6, and 11
in the US, and 1, 5, 9, and 13 in Europe.
–
Custom – If you want to configure individual channels from which the
ACS will select an operating channel, click Configure. The Add
Channels dialog is displayed. Click the individual channels you want
to add to the channel plan while pressing the CTRL key, and then click
OK.
6. To modify default access point advanced settings, click Advanced. The
Advanced dialog is displayed.
7. In the Advanced dialog AP Properties section, do the following:
•
Poll Timeout – Type the timeout value, in seconds. The Wireless AP
uses this value to trigger re-establishing the link with the HiPath Wireless
Controller if it (Wireless AP) does not get an answer to its polling. The
default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value
should be 1.5 to 2 times of Detect link failure value on AP Properties
screen. For more information, see Section 7.4, “Session availability”, on page
417.
224
•
Remote Access – Click to Enable or Disable telnet or SSH access to the
Wireless AP.
•
Location based service – Click to Enable or Disable location based
service on this Wireless AP. Location based service allows you to use this
Wireless AP with an AeroScout solution.
•
Maintain client session in event of poll failure – Click to Enable or
Disable (if using a bridged at AP VNS) if the AP should remain active if a
link loss with the controller occurs.This option is enabled by default.
•
Restart service in the absence of controller – Click to Enable or
Disable (if using a bridged at AP VNS) to ensure the Wireless APs’ radios
continue providing service if the Wireless AP’s connection to the HiPath
Wireless Controller is lost. If this option is enabled, it allows the Wireless
AP to start a bridged at AP VNS even in the absence of a HiPath Wireless
Controller.
•
Use broadcast for disassociation – Click to Enable or Disable if you
want the Wireless AP to use broadcast disassociation when
disconnecting all clients, instead of disassociating each client one by one.
This will affect the behavior of the AP under the following conditions:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
–
If the Wireless AP is preparing to reboot or to enter one of the special
modes (DRM initial channel selection).
–
If a BSSID is deactivated or removed on the Wireless AP.
This option is disabled by default.
8. In the Advanced dialog Radio Settings section, do the following:
•
DTIM – Type the desired DTIM (Delivery Traffic Indication Message)
period — the number of beacon intervals between two DTIM beacons. To
ensure the best client power savings, use a large number. For example,
5. Use a small number to minimize broadcast and multicast delay. The
default value is 5.
•
Beacon Period – Type the desired time, in milliseconds, between beacon
transmissions. The default value is 100 milliseconds.
•
RTS/CTS – Type the packet size threshold, in bytes, above which the
packet will be preceded by an RTS/CTS (Request to Send/Clear to Send)
handshake. The default value is 2346, which means all packets are sent
without RTS/CTS. Reduce this value only if necessary.
•
Frag. Threshold – Type the fragment size threshold, in bytes, above
which the packets will be fragmented by the AP prior to transmission. The
default value is 2346, which means all packets are sent unfragmented.
Reduce this value only if necessary.
•
Max % of non-unicast traffic per Beacon period – Enter the maximum
percentage of time that the AP will transmit non-unicast packets
(broadcast and multicast traffic) for each configured Beacon Period. For
each non-unicast packet transmitted, the system calculates the airtime
used by each packet and drops all packets that exceed the configured
maximum percentage. By restricting non-unicast traffic, you limit the
impact of broadcasts and multicasts on overall system performance.
•
Maximum Distance – Enter a value from 100 to 15,000 meters that
identifies the maximum link distance between APs that participate in a
WDS. This value ensures that the acknowledgement of communication
between APs does not exceed the timeout value predefined by the 802.11
standard. The default value is 100 meters. If the link distance between
APs is greater than 100 meters, configure the maximum distance up to
15,000 meters so that the software increases the timeout value
proportionally with the distance between APs.
Do not change the default setting for the radio that provides service to
802.11 clients only.
•
Dynamic Channel Selection – Click one of the following:
–
Off – Disables DCS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
225
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
226
–
Monitor Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
–
Active Mode – If traffic or noise levels exceed the configured DCS
thresholds, an alarm is triggered and an information log is generated.
In addition, the Wireless AP will cease operating on the current
channel and ACS is employed to automatically select an alternate
channel for the Wireless AP to operate on.
–
DCS Noise Threshold – If DCS is enabled, type the noise
interference level, measured in dBm, after which ACS will scan for a
new operating channel for the Wireless AP if the threshold is
exceeded.
–
DCS Channel Occupancy Threshold – If DCS is enabled, type the
channel utilization level, measured as a percentage, after which ACS
will scan for a new operating channel for the Wireless AP if the
threshold is exceeded.
–
DCS Update Period – If DCS is enabled, type the time, measured in
minutes that determines the period during which the Wireless AP
averages the DCS Noise Threshold and DCS Channel Occupancy
Threshold measurements. If either one of these thresholds is
exceeded, then the Wireless AP will trigger ACS.
•
Rx Diversity – Click Best for the best signal from both antennas, or Left
or Right to choose either of the two diversity receiving antennas. The
default and recommended selection is Best. If only one antenna is
connected, use the corresponding Left or Right diversity setting. Do not
use Best if two identical antennas are not used.
•
Tx Diversity – Click Alternate for the best signal from both antennas, or
Left or Right to choose either of the two diversity receiving antennas. The
default selection is Alternate that maximizes performance for most
clients. However, some clients may behave oddly with Tx Diversity set to
Alternate. Under those circumstances, Siemens recommends that you
use either Left or Right for Tx Diversity. If only one antenna is connected,
use the corresponding Left or Right diversity setting. Do not use
Alternate if two identical antennas are not used.
•
Preamble – Click a preamble type for 11b-specific (CCK) rates: Short,
Long, or Auto. The recommended value is Auto. Click Short if you are
sure that there is no pre-11b AP or a client in the vicinity of this AP. Click
Long if compatibility with pre-11b clients is required.
•
Protection Mode – Click a protection mode: None, Auto, or Always.
The default and recommended setting is Auto. Click None if 11b APs and
clients are not expected. Click Always if you expect many 11b-only
clients.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring VLAN tags for Wireless APs
•
Protection Rate – Click a protection rate: 1, 2, 5.5, or 11 Mbps. The
default and recommended setting is 11. Only reduce the rate if there are
many 11b clients in the environment or if the deployment has areas with
poor coverage. For example, rates lower than 11 Mbps are required to
ensure coverage.
•
Protection Type – Click a protection type: CTS Only or RTS CTS. The
default and recommended setting is CTS Only. Click RTS CTS only if an
11b AP that operates on the same channel is detected in the
neighborhood, or if there are many 11b-only clients in the environment.
9. In the Advanced dialog Enhanced Rate Control section, do the following:
•
Min Basic Rate – For each radio, click the minimum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Basic Rate – For each radio, click the maximum data rate that must
be supported by all stations in a BSS: 1, 2, 5.5, or 11 Mbps for 11b and
11b+11g modes. Click 1, 2, 5.5, 6, 11, 12, or 24 Mbps for 11g-only mode.
Click 6, 12, or 24 Mbps for 11a mode. If necessary, the Max Basic Rate
choices adjust automatically to be higher or equal to the Min Basic Rate.
If both Min Basic Rate and Max Basic Rate are set to an 11g-specific
(OFDM) rate, (for example, 6, 12, or 24 Mbps) all basic rates will be 11gspecific.
•
Max Operational Rate – For each radio, click the maximum data rate that
clients can operate at while associated with the AP: 1, 2, 5.5, or 11 Mbps
for 11b-only mode. Click 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 28, or 54 Mbps
for 11b+11g or 11g-only modes. Click 6, 9, 12, 18, 24, 36, 48, or 54 Mbps
for 11a mode. If necessary, the Max Operational Rate choices adjust
automatically to be higher or equal to the Min Basic Rate.
10. In the Advanced dialog No of Retries section, do the following:
•
Background BK – For each radio, click the number of retries for the
Background transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
•
Best Effort BE – For each radio, click the number of retries for the Best
Effort transmission queue. The default value is adaptive (multi-rate).
The recommended setting is adaptive (multi-rate).
•
Video VI – For each radio, click the number of retries for the Video
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
227
hwc_apstartup.fm
Configuring the Wireless AP
Modifying a Wireless AP’s properties based on a default AP configuration
•
Voice VO – For each radio, click the number of retries for the Voice
transmission queue. The default value is adaptive (multi-rate). The
recommended setting is adaptive (multi-rate).
•
Turbo Voice TVO – For each radio, click the number of retries for the
Turbo Voice transmission queue. The default value is adaptive (multirate). The recommended setting is adaptive (multi-rate).
11. Click Close. The Advanced dialog is closed.
12. To save your changes, click Save Settings.
4.6 Modifying a Wireless AP’s properties based on a default AP
configuration
If you have a Wireless AP that is already configured with its own settings, but
would like the Wireless AP to be reset to use the system’s default AP settings,
use the Reset to Defaults feature on the AP Properties tab.
To configure a Wireless AP with the system’s default AP settings:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to
modify. The AP Properties tab displays Wireless AP information.
3. To have the Wireless AP inherit the system’s default AP settings, click Reset
to Defaults. A pop-up dialog asking you to confirm the configuration change
is displayed.
4. To confirm resetting the Wireless AP to the default settings, click OK.
Caution: If you reset an AP to defaults, its HWC Search List will be deleted,
regardless of the settings in Common Configuration.
4.7 Modifying the Wireless AP’s default setting using the Copy to Defaults
feature
You can modify the system’s default AP settings by using the Copy to Defaults
feature on the AP Properties tab. This feature allows the properties of an already
configured Wireless AP to become the system’s default Wireless AP settings.
228
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring multiple Wireless APs simultaneously
To modify the system’s default AP settings based on an already configured
AP:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you want to
become the system’s default AP settings. The AP Properties tab is
displayed.
3. If applicable, modify the Wireless AP’s properties. For more information, see
Section 4.4.2, “Configuring a Wireless AP’s properties”, on page 138.
4. To make this Wireless AP’s configuration be the system’s default AP settings,
click Copy to Defaults. A pop-up dialog asking you to confirm the
configuration change is displayed.
5. To confirm resetting the system’s default Wireless AP settings, click OK.
4.8 Configuring multiple Wireless APs simultaneously
In addition to configuring Wireless APs individually, you can also configure
multiple Wireless APs simultaneously by using the AP Multi-edit function.
Configuring Wireless APs simultaneously is similar to modifying the system’s
default AP settings or individual Wireless APs.
When selecting which Wireless APs to configure simultaneously, you can use the
following criteria:
•
Select the Wireless APs by hardware type
•
Select the Wireless APs individually
You can select multiple hardware types and individual Wireless APs by pressing
the Ctrl key and selecting the hardware types and specific Wireless APs.
When you configure multiple Wireless APs using the AP Multi-edit screen, it is
important to note that for some Wireless AP settings to be available for
configuration, other Wireless AP settings must be enabled or configured first.
Note: Only settings and options supported by all of the currently selected
hardware types are available for configuring.
To configure Wireless APs simultaneously:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Multi-edit.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
229
hwc_apstartup.fm
Configuring the Wireless AP
Configuring multiple Wireless APs simultaneously
3. Do the following:
•
In the Hardware Types list, click one or more Wireless AP hardware
types.
•
In the Wireless APs list, click one or more Wireless APs to edit. To click
multiple Wireless APs, click the APs from the list while pressing the CTRL
key.
Note: When using the Multi-edit function, any box or option that is not
explicitly modified will not be changed by the update.
The Wireless APs shown in the Wireless APs list can be from any version of
the software. Attributes that are common between software versions are set
on all Wireless APs. Attributes that are not common, are only sent to the AP
versions to which the attributes apply. Attempting to set an attribute that does
not apply for an AP will not abort the multi-edit operation.
4. Modify the configuration of the selected Wireless APs:
•
AP Properties – For more information, see Section 4.4.2, “Configuring a
Wireless AP’s properties”, on page 138.
•
Radio Settings – For more information, see Section 4.4.5, “Configuring
Wireless AP radio properties”, on page 146.
5. To modify the static configuration of the selected Wireless APs, in the HWC
Search List, click one of the following:
230
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring co-located APs in load balance groups
•
Clear search list – Click to clear previously assigned HiPath Wireless
Controllers that were configured to control this Wireless AP.
•
Re-configure search list – Click to assign HiPath Wireless Controllers
to control this Wireless AP.
a) In the Add box, type the IP address of the HiPath Wireless Controller
that will control this Wireless AP.
b) Click Add. The IP address is added to the list.
c) Repeat to add additional HiPath Wireless Controllers.
d) Click Up and Down to modify the order of the HiPath Wireless
Controllers. The maximum is three HiPath Wireless Controllers.
The Wireless AP is successful when it finds a HiPath Wireless Controller that
will allow it to register.
This feature allows the Wireless AP to bypass the discovery process. If the
HWC Search List is not populated, the Wireless AP will use SLP
unicast/multicast, DNS, or DHCP vendor option 43 to discover a HiPath
Wireless Controller. For the initial Wireless AP deployment, it is necessary to
use one of the described options in Section 4.2, “Discovery and registration
overview”, on page 113.
6. To modify the WLAN assignments of the selected Wireless APs, in the WLAN
Assignment Option drop-down list, click one of the following:
•
Clear WLAN list – Click to clear previously assigned WLAN services of
the Wireless APs.
•
Re-configure WLAN list – Click to assign WLAN services to the Wireless
APs.
In the Radio 1 and Radio 2 columns, select the Wireless AP radios that
you want to assign for each WLAN service.
7. To save your changes, click Save.
4.9 Configuring co-located APs in load balance groups
You can configure APs that are co-located in an open area, such as a classroom,
a conference hall, or an entrance lobby, to act as a load balance group. Load
balancing distributes clients across the co-located APs that are members of the
load balance group. The co-located APs should provide the same SSID, have
LOS between each other, and be deployed on multiple channels with overlapping
coverage.
You must assign an AP’s radio to the load balance group for the client distribution
to occur. Load balancing occurs only among the assigned AP radios of the load
balance group. Each radio can be assigned to only one load balance group.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
231
hwc_apstartup.fm
Configuring the Wireless AP
Configuring co-located APs in load balance groups
Multiple radios on the same AP do not have to be in the same load balance group.
The APs that you assign to the load balance group must be controlled by the
same HiPath Wireless Controller.
The load balance group uses one VNS for all APs assigned to the load balance
group.
Note: Load balance groups do not support APs that use a WDS VNS.
Load balancing on the HiPath Wireless Controller is an AP-centric and requires
no input from the client. The AP radios in the load balance group share
information with secure (AES) SIAPP messaging using multicast on the wired
network. All APs in a load balance group must be in the same SIAPP cluster to
ensure that each AP can reach all other APs in the load balance group over wired
subnet. If the APs in a load balance group are not in same SIAPP cluster, load
balancing will happen independently within the subgroups defined by SIAPP
clusters.
The benefits of configuring your co-located APs that are controlled by the same
HiPath Wireless Controller as a load balance group are the following:
•
Efficient use of the deployed 2.4 and 5 GHz channels
•
Reduce client interference by distributing clients on different channels
•
Scalable 802.11 deployment: if more clients need to be served in the area,
additional APs can be deployed on a new channel
•
Resource sharing of the balanced AP
You can assign a maximum of 32 APs to a load balance group. Table 22 lists the
maximum number of load balance groups for each HiPath Wireless Controller.
HiPath Wireless Controller
Number of load balance groups
C20
C4110
32
C2400
32
C5100
64
C20N
Table 22
Maximum number of load balance groups
Currently, the following Wireless AP models support load balance groups:
232
•
AP3605
•
AP3610
•
AP3620
•
AP3660
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring co-located APs in load balance groups
•
AP3630 (in Thin Mode only)
•
AP3640 (in Thin Mode only)
To create a load balance group:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click Load Groups. The Wireless AP Load Groups screen
is displayed.
3. Click New. The Add Load Group window displays.
4. Enter a unique name for the load group.
You can create load groups with the same name on different HiPath Wireless
Controllers; however, the groups will be treated as separate groups according
to the home controller where the group was originally created.
5. Click Add. The Add Load Group window closes. The new load group is the
currently displayed load group in the Wireless AP Load Groups screen.
You must now assign radios and a WLAN to the load group.
6. On the Radio Assignment tab, select the AP radios that you want to assign
to the load group from the Select AP radios drop-down list.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
233
hwc_apstartup.fm
Configuring the Wireless AP
Configuring co-located APs in load balance groups
You can assign a radio to only one load balance group. A radio that is
assigned to another load balance group will have an asterisk next to it. If you
select a radio that has been assigned to another load balance group, the
radio is reassigned to the new load balance group.
Note: You can assign radio 1 and radio 2 of an AP to different load balance
groups.
You must now assign a WLAN to the load balance group.
7. Click the WLAN Assignment tab.
8. Click the checkbox of the WLAN that you want to assign to all member radios
of the load balance group.
When you assign a radio to a load group, WLAN assignment can only be
done from the WLAN Assignment tab on the Wireless AP Load Groups
screen. On all other WLAN Assignment tabs associated with the member
AP, the radio checkboxes will be grayed out. When you remove a radio from
a load group, the load group’s WLAN will remain assigned to the radio, but
you can now assign a different WLAN to the radio.
9. Click Save.
234
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring AP clusters
4.9.1 How availability affects load balancing
All AP radios assigned to a load group must belong to APs that are all controlled
by the same HiPath Wireless Controller. If you have enabled availability
configuration of a load group is only possible from the home controller where the
load group was created. Load balancing will continue to operate if member APs
fail over to the foreign controller as long as the WLAN assignment remains the
same.
To ensure that the WLAN assignment remains the same, you must enable
synchronization of the system configuration and the WLAN service when you
configure availability. For more information, see Section 7.2, “Configuring
availability using the availability wizard”, on page 410.
If you have configured synchronization, in a failover situation you will be able to
change the load balance group’s WLAN assignment from the VNS
Configuration screens and the Wireless AP's WLAN Assignment screens on
the foreign controller.
If you have not configured synchronization, you must configure the foreign
controller to ensure that all AP radios in the load balance group have the same
WLAN assignments when the APs fail over, as originally configured for the load
group. If the WLAN assignments do not match when an AP fails over, the affected
AP radios will be removed from the load group.
4.9.2 Load balance group statistics
You can view load balance group statistics through the Active Wireless Load
Groups report. For more information, see Section 11.5, “Viewing load balance
group statistics”, on page 461.
4.10 Configuring AP clusters
APs operating in both thin mode and standalone mode operate in a cluster setup.
A cluster is a group of wireless APs configured to communicate with each other.
Mobile users (MU) can seamlessly roam between the APs participating in the
cluster. The Enterasys Wireless Standalone 802.11n AP extends basic cluster
functionality with the following enhancements:
•
Support for fast roaming
•
Automatic Channel Selection (ACS) for all APs in the cluster
•
Cluster member information is available to the user
•
MU statistic history
•
Pre-authentication
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
235
hwc_apstartup.fm
Configuring the Wireless AP
Configuring AP clusters
A cluster forms when APs operating within the same subnet are configured with
the same cluster ID (shared secret) and multicast and IGMP snooping are
enabled.
An AP cluster can exist at any point in your network. Each cluster member
periodically (30 seconds) sends a secure SIAPP multicast message to update
other cluster members. The SIAPP message includes:
•
The AP name
•
The AP Ethernet MAC address
•
The AP IP address
•
The client count
•
The base BSSIDs for both radios
Each AP caches locally stored information about other cluster members and
maintains its own view of the cluster.
To enable the APs to form a cluster:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click AP Registration. The AP Registration screen is
displayed.
3. In the Secure Cluster section, enter a cluster shared secret. All APs that use
the same shared secret will participate in the cluster.
236
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Converting the Wireless Standalone 802.11n AP to standalone mode
4. Enable cluster encryption by clicking on the User Cluster Encryption
checkbox. APs on which user cluster encryption is disabled cannot participate
in the cluster.
5. Enable or disable support for inter-AP roaming by clicking on the Inter AP
Roam checkbox.
6. Click Save.
4.11 Converting the Wireless Standalone 802.11n AP to standalone mode
The Enterasys Wireless Standalone 802.11n AP by default operates in
standalone (thick) AP mode. However, as long as the Enterasys Wireless
Standalone 802.11n AP is running release V7.31 or later, you can configure it to
operate in thin mode in a controller-based deployment. Conversion from
standalone to thin mode is seamless and can be performed from either the
Enterasys Wireless Standalone 802.11n AP UI or CLI. Conversion from thin to
standalone mode is performed from the HiPath Wireless Assistant UI or from the
HWC CLI.
To convert the Enterasys Wireless Standalone 802.11n AP operating in thin
mode back to standalone mode:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click Access Approval. The Access Approval screen is
displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
237
hwc_apstartup.fm
Configuring the Wireless AP
Configuring an AP as a sensor
3. Select one or more APs that you want to convert to standalone mode.
Note: If you try to convert an AP other than an AP3630/40 or an inactive or
foreign AP running V7.31 to standalone mode, the system returns an error.
Only an AP3630/40 running V7.31 can operate in both standalone and thin
mode.
4. In the Perform Action on Selected Wireless AP section, click the
Standalone Mode button. The system warns you that the AP will be removed
from the HiPath Wireless Controller. Click OK to continue.
Note: After you convert the Enterasys Wireless Standalone 802.11n AP to
standalone mode, you can no longer access it using the Wireless Assistant
UI or HWC CLI. Instead, you must access AP using the Enterasys Wireless
Standalone 802.11n AP UI or CLI.
4.12 Configuring an AP as a sensor
Only the HiPath Wireless AP 2610/2620 and AP 3610/3620 can be configured as
sensors.
A Wireless AP that is configured as a sensor performs scanning services and
relays information to HiPath Wireless Manager HiGuard. When an AP is
Approved as Sensor:
•
The AP severs its connection to the HiPath Wireless Controller
•
The AP registers with HiPath Wireless Manager HiGuard
•
The AP performs scanning services
•
The AP no longer performs RF services for the HiPath Wireless Controller
When an AP is operating as a sensor, it has no interaction with the HiPath
Wireless Controller, and it does not perform like an AP: it does not allow devices
to associate to it and traffic is not forwarded through it. An AP operating as a
sensor is managed by HiPath Wireless Manager HiGuard. The HiPath Wireless
Manager HiGuard’s sensor domain license (SDL) limit governs the number of
sensors the customer can have.
When an AP is configured as a sensor, the AP’s current configuration is retained
in the controller database. If the sensor is later configured back to perform RF
services, its previous configuration data is reassigned to it. For more information,
see the HiPath Wireless Manager User Guide and the HiPath Wireless Manager
HiGuard User Guide.
238
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Configuring an AP as a sensor
Before APs can be configured as sensors, you must first download the sensor
image from a TFTP server to the HiPath Wireless Controller:
To download the sensor image from a TFTP server to the HiPath Wireless
Controller:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click Sensor Management. The Wireless AP Sensor
Management screen is displayed.
3. In the Sensor Platform field, select AP26xx or AP36xx.
4. Type the following:
•
TFTP Server – The IP address of the TFTP server the AP is to retrieve
the sensor image file from.
•
Directory – The location of the AP26xx or AP36xx sensor image on the
TFTP server.
•
Filename – The filename of the AP26xx or AP36xx sensor image on the
TFTP server.
5. Click Download.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
239
hwc_apstartup.fm
Configuring the Wireless AP
Configuring an AP as a sensor
6. Once you have downloaded the sensor image, configure the appropriate
Wireless AP as a sensor from either the Wireless APs All APs screen or the
Wireless APs Access Approval screen.
–
To configure the Wireless AP as a sensor from the Wireless APs All APs
screen:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the Wireless AP list, click the Wireless AP whose properties you
want to modify. The AP Properties tab displays Wireless AP
information.
3. Select the AP that you want to configure as a sensor.
4. In the Role field, select Sensor.
5. Click Save.
–
To configure the Wireless AP as a sensor from the Wireless APs Access
Approval screen:
1. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP screen is displayed.
2. In the left pane, click Access Approval. The Access Approval
screen is displayed, along with the registered Wireless APs and their
status.
240
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Performing Wireless AP software maintenance
3. Select the checkbox next to the Wireless AP that you want to
configure as a sensor.
4. Click Sensor.
4.13 Performing Wireless AP software maintenance
Periodically, the software used by the Wireless APs is altered for reasons of
upgrade or security. The new version of the AP software is installed from the
HiPath Wireless Controller.
The software for each Wireless AP can be uploaded either immediately, or the
next time the Wireless AP connects. Part of the Wireless AP boot sequence is to
seek and install its software from the HiPath Wireless Controller.
Most of the properties of each radio on a Wireless AP can be modified without
requiring a reboot of the AP.
The Wireless AP keeps a backup copy of its software image. When a software
upgrade is sent to the Wireless AP, the upgrade becomes the Wireless AP's
current image and the previous image becomes the backup. In the event of failure
of the current image, the Wireless AP will run the backup image.
Note: The HiPath Wireless Controller does not ship with sensor software. You
must download sensor software from a TFTP server to the local controller.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
241
hwc_apstartup.fm
Configuring the Wireless AP
Performing Wireless AP software maintenance
To maintain the list of current Wireless AP software images:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the left pane, click AP Maintenance. The AP Software Maintenance tab
is displayed.
3. In the AP Images for Platform drop-down list, click the appropriate platform.
4. To select an image to be the default image for a software upgrade, click it in
the list, and then click Set as default.
5. In the Upgrade Behavior section, select one of the following:
•
Upgrade when AP connects using settings from Controlled
Upgrade – The Controlled Upgrade tab is displayed when you click
Save. Controlled upgrade allows you to individually select and control the
state of an AP image upgrade: which APs to upgrade, when to upgrade,
how to upgrade, and to which image the upgrade or downgrade should
be done. Administrators decide on the levels of software releases that the
equipment should be running.
•
Always upgrade AP to default image (overrides Controlled Upgrade
settings) – Selected by default. Allows for the selection of a default
revision level (firmware image) for all APs in the domain. As the AP
registers with the controller, the firmware version is verified. If it does not
match the same value as defined for the default-image, the AP is
automatically requested to upgrade to the default-image.
6. To save your changes, click Save.
242
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_apstartup.fm
Configuring the Wireless AP
Performing Wireless AP software maintenance
To delete a Wireless AP software image:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the left pane, click AP Maintenance. The AP Software Maintenance tab
is displayed.
3. In the AP Images for Platform drop-down list, click the appropriate platform.
4. In the AP Images list, click the image you want to delete.
5. Click Delete. The image is deleted.
To download a new Wireless AP software image:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the left pane, click AP Maintenance. The AP Software Maintenance tab
is displayed.
3. In the Download AP Images list, type the following:
•
FTP Server – The IP of the FTP server to retrieve the image file from.
•
User ID – The user ID that the controller should use when it attempts to
log in to the FTP server.
•
Password – The corresponding password for the user ID.
•
Confirm – The corresponding password for the user ID to confirm it was
typed correctly.
•
Directory – The directory on the server in which the image file that is to
be retrieved is stored.
•
Filename – The name of the image file to retrieve.
•
Platform – The AP hardware type to which the image applies. The are
several types of AP and they require different images.
4. Click Download. The new software image is downloaded.
To define parameters for a Wireless AP controlled software upgrade:
1. From the main menu, click Wireless AP Configuration. The Wireless AP
Configuration screen is displayed.
2. In the left pane, click AP Maintenance. The AP Software Maintenance tab
is displayed.
3. Click the Controlled Upgrade tab.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
243
hwc_apstartup.fm
Configuring the Wireless AP
Performing Wireless AP software maintenance
Note: The Controlled Upgrade tab is displayed only when the Upgrade
Behavior is set to Upgrade when AP connects using settings from
Controlled Upgrade on the AP Software Maintenance tab.
4. In the Select AP Platform drop-down list, click the type of AP you want to
upgrade.
5. In the Select an image to use drop-down list, click the software image you
want to use for the upgrade.
6. In the list of registered Wireless APs, select the checkbox for each Wireless
AP to be upgraded with the selected software image.
7. Click Apply AP image version. The selected software image is displayed in
the Upgrade To column of the list.
8. To save the software upgrade strategy to be run later, click Save for later.
9. To run the software upgrade immediately, click Upgrade Now. The selected
Wireless AP reboots, and the new software version is loaded.
Note: The Always upgrade AP to default image checkbox on the AP
Software Maintenance tab overrides the Controlled Upgrade settings.
244
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
5 Virtual Network Services concepts
This chapter introduces and describes the concept of Virtual Network Services
(VNS), including:
•
VNS overview
•
Setting up a VNS checklist
•
NAC integration with HiPath WLAN
•
Assigning Wireless APs to WLAN Services
•
Authentication for a VNS
•
Filtering
•
Multicast traffic
•
Data protection — WEP and WPA
•
QoS Policy
•
Flexible Client Access (FCA)
5.1 VNS overview
Starting with Release V7.0, the VNS concept has two main components:
•
WLAN Service — Defines the radio/RF attributes of a service (for example,
its SSID), its privacy and authentication settings and the QoS attributes.
•
User Policy — Defines the topology (typically a VLAN), filter rules, and Class
of Service applied to the traffic of a station.
Rather than being a collection of operational entities, a VNS becomes simply the
binding between the WLAN service and the user policy for default operation. The
policy assignment ensures that the correct topology and traffic behavior are
applied to a user regardless/independent of the SSID.
This representation model extends provisioning functionality by allowing for:
•
Multiple WLAN services associated to the same topology (VLAN Mapping)
•
Overlapped role/policy assignment
•
User to policy association independent of access SSID
•
Separation of L2/L3 representations
•
Topology now allow for VLANs without L3 presence
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
245
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
Note: The concepts introduced in V7.0 facilitate the integration between HiPath.
WLAN and the Enterasys Policy Manager. However, discussion about their
integration, the communication between the two, provisioning model, and so on
are not part of this document.
The configurable high-level distinct umbrella elements of a VNS are:
•
Topology
•
Policy
•
WLAN Services
It is important to note, however, that topologies are associated with policies,
which makes configuration of a VNS association between a WLAN Service and
a policy (that in turn defines a policy).
5.1.1 Topology
A topology is represented by the configurable networking parameters and options
which define the HiPath Wireless Controller and APs’ interactions with the other
networking elements. The main attributes of a topology are the following:
•
Name
•
Mode, which can be one of the following:
–
Routed
–
Bridge Traffic Locally at AP
–
Bridge Traffic Locally at HWC
•
VLAN ID
•
Tagged or untagged
•
Port attachments to the network for the HiPath Wireless Controller only. This
is not required for Routed or Bridge Traffic Locally at AP topologies, but it is
required for Bridge Traffic Local at HWC.
•
Interface (L3) definition — the IP address assigned to the HiPath Wireless
Controller’s interface attached to the network described by a given topology
(optional)
•
Topology type, which is the intuitive description of traffic forwarding
mechanisms. The options are:
–
246
“Physical,” describing an Ethernet port
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
•
–
“Admin,” meaning this is the native topology of the HiPath Wireless
Controller management port
–
“Routed,” describing the L3 stub network segments
–
“Bridged at Controller,” which allows L2 forwarding between the wireless
clients and core network, or
–
“Bridged at AP,” which is implemented by local bridging done at the APs
themselves.
Exception filters (available only if an L3 presence has been defined)
As a matter of implementation, a topology that does not have a layer 3
presence (IP address) assigned to it will have a “deny all” exception filter
attached to it. This filter will not be configurable or even visible to the
administrator.
•
Certificates (only allowed if an L3 presence has been defined)
•
Multicast filters
The main topologies GUI includes a field for configuring the internal VLAN. This
field's default value is 1 as in previous releases. This value can also be changed
to match the existing network configuration.
5.1.2 Policy
In general, a policy profile is defined as a collection of attributes and rules to be
applied to the traffic of ports and stations. The Enterasys Policy Manager's policy
profile permits the definition of default VLAN and Class of Service assignments
that can be used when other more specific policy assignment mechanisms (that
is, policy rule matches) do not apply.
On HiPath platforms, the policy defines the binding of default topology, default
rate profiles, and default filter rules.
In general, the Class of Service refers to a set of attributes that define the
importance of a frame, while forwarded through the network, relative to other
packets, and to the maximum throughput per time unit that a station or port
assigned to the policy is permitted. The Class of Service defines actions to be
taken when rate limits are exceeded.
On the HiPath Wireless Controller, the configuration of the CoS is part of WLAN
Service while the rate control and filtering are part of policy definition. The actions
allowed by the HiPath implementation are: allow or drop.
Policies don't need to be fully specified; unspecified attributes are retained by the
user or inherited from global policy definitions
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
247
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
Default global policy definitions provide a placeholder for completion of
incomplete policies for initial default assignment. If a policy is defined as default
for a particular VNS, incomplete (or NO-CHANGE) attributes are inherited from
default global policy definitions.
Default global policy parameter values are the following:
•
Topology = Bridged at AP
•
Filter = Deny All
•
Rate Control = “Unlimited”
Note that you can change these global policy parameters from their default values
during configuration.
5.1.3 WLAN Service
A WLAN Service represents all the RF, authentication and QoS attributes of a
wireless access service. There are three types of WLAN Service:
•
Standard — A conventional service. Only APs running HiPath Wireless
software can be part of this WLAN Service. This type of service is usable as
a Bridged @ Controller, Bridged @ AP or Routed topologies. This type of
service provides access for mobile stations. Therefore, policies can be
assigned to this type of WLAN service to create a VNS.
•
Third Party AP — A Wireless Service offered by third party APs. This type of
service provides access for mobile stations. Therefore, policies can be
assigned to this type of WLAN service to create a VNS. Note that the
requirement is to run the deployment of the third party topology using the
controller as the routing gateway for the segments served by third party APs.
•
WDS — A group of APs organized into an interconnection hierarchy for
purposes of providing a Wireless Distribution Service. This service is, in
essence, a wireless trunking service rather than a service that provides
access for stations. As such, this type of service cannot have policies
attached to it.
APs from a WDS still can provide access for mobile clients via standard
service.
For V7.0 the components of the WLAN Service map more or less completely to
the corresponding components of a VNS in V7.0. The exception is that WLAN
Services are not classified as SSID-based or AAA-based, as VNSs were in
releases prior to V6Rx. Instead, the administrator makes an explicit choice of the
type of authentication to use on the WLAN Service. If his choice of authentication
option conflicts with any of his other authentication or privacy choices the WLAN
Service cannot be enabled.
248
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
5.1.4 New VNS definition
The central objective of the newly defined (in V7.0) VNS is to allow for more
configuration flexibility by separating reusable components (such as topology,
policies, and so forth) and to allow for integration with the Enterasys Policy
Manager.
Figure 11 shows the breakdown of a VNS into its primary components. The
direction of the arrows in this diagram indicates the direction of a dependency.
The VNS is split into two main entities:
1. WLAN Service — This represents the 802.11 network access service offered
by the HWC and its APs.
2. Authorization Policy — A policy that determines how the traffic of users
accessing the wired network through the WLAN service. An authorization
policy is made of several components.
Figure 11
New VNS definition
Breaking the VNS into two main parts permits a VNS to be created from
components that were defined at different times. For example the HWC can ship
with predefined WLAN Services that are created by the development team. At a
later date a policy can be defined on the HWC (by the administrator or Policy
Manager) and combined with the WLAN Service to create a functional SSID.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
249
hwc_vnsintro.fm
Virtual Network Services concepts
VNS overview
In Release V7.0 the new concepts introduced provide new capabilities such as:
250
•
The ability to share an HWC physical port between 3rd party AP VNS and
other types of VNS so long as the VNSs are on different VLANs. Since many
HWC implementations have only 2 physical ports, this allows those
implementations to offer support for 3rd party APs in conjunction with
standard VNSs.
•
The ability to have Bridged @ Controller VNSs that do not have a layer 3
presence (IP address). This greatly simplifies “Out of the box” deployments in
which the HWC is only required to function as a layer 2 device.
•
The ability to assign separate inbound and outbound rate limits on a per
station basis. These rate limits will apply at the AP and the HWC
•
The ability to assign stations to VLANs on a per station basis. All HiPath APs
and controllers running V7.0 software will be able to perform per station
VLAN.
•
Simplification of VNS RADIUS server configuration through the migration of
various RADIUS server settings to the global RADIUS server definition.
•
Support for allowing Policy Manager to define and manage policies that
specify VLAN assignment, rate limits and filters
•
Support for allowing Policy Manager to create VNS by defining policies and
attaching them to WLAN Services
•
Support for “Branch Captive Portal”. This feature allows the administrator to
configure any desired type of HWC Captive portal authentication for a WLAN
Service while allowing the APs to locally bridge the payload traffic of
authenticated stations.
•
Workflow improvements for defining VNS and their components. One
example of such an improvement is the ability to define topologies, policies
and rate profiles globally and which can then be reused to define many
different services.
•
The ability to have multiple WLAN Services use the same VLAN topology. An
administrator can now design his network so that users accessing it from
different SSIDs can share the same physical segment. Different users on the
same segment can be subject to different policies. Support for administratorconfigurable multicast and broadcast rate limiting at the AP. The more flexible
approach to handling network topologies introduced by this feature could lead
to reduced radio capacity without this enhancement being implemented.
•
Removal of the distinction between AAA and SSID-based VNS. Instead of
this being an explicit attribute that cannot be changed once set, the HWC will
determine from the WLAN Service privacy and authentication settings
whether EAP or Captive portal is required, and will ensure that the
administrator cannot save a configuration that has incomplete or incompatible
RADIUS options. The administrator can change these privacy and
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
Setting up a VNS checklist
authentication settings pretty much at any time without having to delete and
recreate the VNS. Changing privacy and authentication settings will cause
the sessions of stations on the VNS to be terminated.
•
Automatic synchronization of VNS and session information when fast failover
is enabled.
•
The HWC UI for managing ports and topologies has moved in the direction of
a true L2-L3 separation.
5.2 Setting up a VNS checklist
When you set up a VNS on the HiPath Wireless Controller, you are defining a
topology, policies, and WLAN services for a group of wireless device users.
The checklist suggested in this section is focused on strictly necessary
parameters and selections an administrator has to consider. Proper full contexts
(such as topology, policy, WLAN services) are further described in Chapter 6,
“Configuring a VNS”.
The HiPath Wireless Controller provides the option to define a topology as locally
bridged to a VLAN at the controller. To support that configuration, you must define
which VLAN ID should be used. The network port on which the VLAN is assigned
must be configured on the switch, and the corresponding HiPath Wireless
Controller port must match the correct configuration. With this configuration, it is
possible that the controller is not involved in the IP address assignment for user
addresses. Instead, the IP addresses for users are assigned directly by the
DHCP infrastructure that services the VLAN.
Note: In a VLAN-bridged topology, the default configuration dictates that the
controller is not the DHCP server for that segment. However, DHCP services can
selectively be enabled, including DHCP Relay, allowing you to use the controller
to become the default DHCP server for the VLAN, if applicable.
Before defining a VNS, the following properties must be determined across
topology, policy, and WLAN services:
•
The RADIUS attribute values that support the user access plan.
•
The location and identity of the Wireless APs that will be used on the VNS.
•
The routing mechanism to be used on the associated topology.
•
For tunneled configurations mostly, the network addresses that the topology
will use.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
251
hwc_vnsintro.fm
Virtual Network Services concepts
Setting up a VNS checklist
•
A bridge traffic locally at the HWC topology optionally needs the specification
of the IP address for the controller's own interface point on that VLAN.
Alternatively, other modes for topology can be used (bridged at AP, routed,
3rd Part AP).
In addition, if you elect to have the controller operate as the default DHCP
server for the VLAN, the corresponding IP subnet for that subnet must also
be specified.
•
The type of authentication for wireless device users on the associated WLAN
service mapped to the desired VNS.
•
Proper definition and selection of the user Policy would define the filters to be
applied to the users and user groups to control network access.
•
The quality of service (QoS) definition is part of the WLAN Services
requirements.
•
The privacy mechanisms that should be employed between the Wireless APs
and the wireless devices are also configurable at the level of WLAN services.
•
Classification list for traffic priority. For example, whether the VNS is to be
used for voice traffic and if voice traffic is to be given priority.
•
A user access plan for both individual users and user groups.
The user access plan should analyze the enterprise network and identify
which users should have access to which areas of the network. What areas
of the network should be separated? Which users can go out to the World
Wide Web?
The HiPath Wireless Controller, Access Points and Convergence Software
system relies on authenticating users via a RADIUS server (or other
authentication server). To make use of this feature, an authentication server
on the network is required. Make sure that the server's database of registered
users, with login identification and passwords, is current.
In the case of certificate-based installations, you must ensure that the proper
user certificate profiles are setup on the RADIUS server and mobile user.
Note: Deploying Controller, Access Points and Convergence Software
without a RADIUS server (and without authentication of users on the network)
is also possible.
The user access plan should also identify the user groups in your enterprise,
and the business structure of the enterprise network, such as:
252
•
Department (such as Engineering, Sales, Finance)
•
Role (such as student, teacher, library user)
•
Status (such as guest, administration, technician)
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
NAC integration with HiPath WLAN
For each user group, set up a filter ID attribute in the RADIUS server, and then
associate each user in the RADIUS server to at least one filter ID name. You
can define specific filtering rules, by filter ID attribute, that will be applied to
user groups to control network access. Filtering is applied by the controller.
The controller checks if there is a Policy with a matching name (Filter ID =
Policy name) and applies the set of filter rules from that policy to the session.
Filter ID assignments is a configuration option, and not a requirement to setup
per user filter ID definitions. If a filter is not returned as an attribute in the
RADIUS server’s confirmation (Access-Accept packet) for a particular user,
the controller uses the default filter policy as the applicable filter set.
5.3 NAC integration with HiPath WLAN
HiPath WLAN supports integration with a NAC (Network Admission Control)
Gateway. The NAC Gateway can provide your network with authentication,
registration, assessment, remediation, and access control for mobile users.
NAC Gateway integration with HiPath WLAN supports SSID VNSs when used in
conjunction with MAC-based external captive portal authentication.
The following illustration depicts the topology and workflow relationship between
HiPath WLAN that is configured for external captive portal and a NAC Gateway.
For more information, see Section 6.4.1, “Creating a NAC VNS using the VNS
wizard”, on page 281.
Note: The following illustration depicts the workflow for a network environment in
which the NAC Gateway is configured to use a RADIUS server. With this
configuration, the NAC Gateway acts like a RADIUS proxy server. An alternative
is to configure the NAC Gateway to perform MAC-based authentication itself,
using its own database of MAC addresses and permissions.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
253
hwc_vnsintro.fm
Virtual Network Services concepts
NAC integration with HiPath WLAN
NAC
RADIUS
DCHP
HiPath
Wireless
Controller
Wireless AP
Figure 12
HiPath WLAN and NAC integration with external captive portal
authentication
Step 1
•
The client laptop connects to the Wireless AP.
•
The Wireless AP determines that authentication is required, and sends an
association request to the HiPath Wireless Controller.
Step 2
254
•
The HiPath Wireless Controller forwards to the NAC Gateway an
access-request message for the client laptop, which is identified by its MAC
address.
•
The NAC Gateway forwards the access-request to the RADIUS server. The
NAC Gateway acts like a RADIUS proxy server.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
NAC integration with HiPath WLAN
Step 3
•
The RADIUS server evaluates the access-request and sends an
Access-Accept message back to the NAC.
•
The NAC receives the access-accept packet. Using its local database, the
NAC determines the correct policy to apply to this client laptop and updates
the access-accept packet with the policy assignment. The updated
Access-Accept message is forwarded to the HiPath Wireless Controller and
Wireless AP.
Step 4
The HiPath Wireless Controller and Wireless AP apply policy against the client
laptop accordingly. The HiPath Wireless Controller assigns a set of filters to the
client laptop’s session and the Wireless AP allows the client laptop access to the
network.
Step 5
The client laptop interacts with a DHCP server to obtain an IP address.
Step 6
•
Eventually the client laptop uses its Web browser to access a Website.
•
The HiPath Wireless Controller determines that the target Website is blocked
and that the client laptop still requires authentication.
•
The HiPath Wireless Controller sends an HTTP redirect to the client laptop’s
browser. The redirect sends the browser to the Web server on the NAC
Gateway.
•
The NAC displays an appropriate Web page in the client laptop’s browser.
The contents of the page depend on the current policy assignment
(enterprise, remediation, assessing, quarantine, or unregistered) for the MAC
address.
Step 7
•
When the NAC determines that the client laptop is ready for a different policy
assignment, it sends a ‘disconnect message’ (RFC 3576) to the HiPath
Wireless Controller.
•
When the HiPath Wireless Controller receives the ‘disconnect message’ sent
by the NAC, the HiPath Wireless Controller terminates the session for the
client laptop.
•
The HiPath Wireless Controller forwards the command to terminate the client
laptop’s session to the Wireless AP, which disconnects the client laptop.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
255
hwc_vnsintro.fm
Virtual Network Services concepts
Assigning Wireless APs to WLAN Services
5.4 Assigning Wireless APs to WLAN Services
The second step in setting up a VNS is to assign Wireless APs to a VNS through
the associated WLAN Services. From the Wireless APs box of the WLAN
Services tab, you assign APs to a WLAN Service and SSID definitions.
Once you have assigned a Wireless AP Radio to eight WLAN Services/VNSs, it
will not appear in the list for another WLAN Service setup. Each Radio can
support up to eight WLAN Services (16 per AP). Each AP can be assigned to any
of the WLAN Services defined within the system. The HiPath Wireless Controller
can support the following active WLAN Services/VNSs:
•
C5110 – Up to 128
•
C4110 – Up to 64
•
C2400 – Up to 64
•
C20 – Up to 8
•
C20N – Up to 8
•
CRBT8210 – Up to 16
•
CRBT8110 – Up to 8
5.5 Authentication for a VNS
The authentication mechanism is specified at the WLAN Services level. In
addition, all WLAN Service definitions can include authorization by Media Access
Control (MAC) address. Authorization by MAC address provides a method of
access control for a mobile user as it associates with the Wireless AP based on
the device's MAC address.
The HiPath Wireless Controller offers several authentication options.
•
Captive Portal – Captive Portal redirects the http clients (Web browsers) to
a Web page. This Web page is a login page, where users enter their
authentication information. This authentication method offers the following
Captive Portal options:
–
Internal Captive Portal –The HiPath Wireless Controller uses its built-in
Web server and Web page to accept authentication data. This Web page
can be customized using the HiPath Wireless Assistant to present a web
login page where the user can enter credentials (user ID and password)
which are being used in the authentication process.
Note: The internal Captive Portal does not substitute for an external
RADIUS server. A RADIUS server is still needed. The internal Captive
Portal within the HiPath Wireless Controller displays the Web page to
256
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
Authentication for a VNS
enable users to supply their user name and password. The user name
and password are sent to the configured RADIUS server for
authentication.
–
•
External Captive Portal – External Captive Portal can be classified
under the following two categories:
–
External Captive Portal with Internal Authentication – After an
external server displays the Captive Portal Web page, the HiPath
Wireless Controller carries out the authentication and implements
policy.
–
External Captive Portal with External Authentication — After an
external server displays the Captive Portal Web page and carries out
the authentication, the HiPath Wireless Controller implements policy.
–
GuestPortal – Provides wireless device users with temporary guest
network services. A GuestPortal is serviced by a GuestPortal-dedicated
WLAN Service. For more information, see Section 6.5, “Working with a
GuestPortal VNS”, on page 307.
–
Guest Splash – Provides minimal authorization. Login information is not
required when the user is re-directed to the authorization Web page. The
user is only required to select a button and authorization is approved. This
typically could be used where the user is expected to read and accept
some terms and conditions before being granted network access.
MAC-based authentication – The RADIUS server authorizes the client
device on the basis of its MAC address. After MAC-based authorization, an
authorized client can go through the selected authentication method for the
applied WLAN service (Captive Portal or 802.1x). If the client device fails the
authentication, the controller will inform the Wireless AP to disassociate the
client device.
MAC-based authentication enables network access to be restricted to
specific devices by MAC address. In addition to the other types of
authentication, when MAC-based authentication is employed, the HiPath
Wireless Controller queries a RADIUS server to determine if the wireless
client's MAC address is authorized to access the network.
•
802.1x authentication – The RADIUS server typically authenticates the
client device on the basis of a certificate. After the client device is
authenticated, it can optionally (if so configured) also go through the Captive
Portal authentication. If the client device fails the Captive Portal
authentication, the controller will inform the Wireless AP to disassociate the
client device.
If a specific filter ID is not defined or returned by the access-accept packet
operation, the HiPath Wireless Controller assigns the VNS' default policy for
authenticated users.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
257
hwc_vnsintro.fm
Virtual Network Services concepts
Authentication for a VNS
5.5.1 Authentication with Captive Portal
Four authentication types are supported for Captive Portal authentication:
•
Password Authentication Protocol (PAP)
•
Challenge Handshake Authentication Protocol (CHAP)
•
Windows-specific version of CHAP (MS CHAP)
•
MS CHAP v2 (Windows-specific version of CHAP, version 2)
For Captive Portal authentication, the RADIUS server must support the selected
authentication type: PAP, CHAP (RFC2484), MS-CHAP (RFC2433), or MSCHAPv2 (RFC2759).
5.5.2 Authentication with 802.1x and WPA
If the applied WLAN Service is configured with WPA privacy, the wireless device
user requesting network access must first be authenticated. The wireless
device's client utility must support 802.1x. The user's request for network access
along with login identification or a user profile is forwarded by the HiPath Wireless
Controller to a RADIUS server. The HiPath Wireless Controller, Access Points
and Convergence Software system supports the following authentication types:
•
Extensible Authentication Protocol - Transport Layer Security (EAPTLS) — Relies on client-side and server-side certificates to perform
authentication. Can be used to dynamically generate a Pairwise Master Key
for encryption.
•
Extensible Authentication Protocol with Tunneled Transport Layer
Security (EAP-TTLS) — Relies on mutual authentication of client and server
through an encrypted tunnel. Unlike EAP-TLS, it requires only server-side
certificates. The client uses PAP, CHAP, or MS-CHAPv2 for authentication.
•
Protected Extensible Authentication Protocol (PEAP) — Is an
authentication protocol similar to TTLS in its use of server side certificates for
server authentication and privacy and its support for a variety of user
authentication mechanisms.
For EAP-SIM and EAP-FAST, the RADIUS server must support RADIUS
extensions (RFC2869).
Until the access-accept packet is received from the RADIUS server for a specific
user, the user is kept in an unauthenticated state. 802.1x rules dictate no other
packets other than EAP are allowed to traverse between the AP and the HiPath
Wireless Controller until authentication completes. Once authentication is
completed (access-accept packet is received), the user's client is then allowed to
proceed with IP services, which typically implies the request of an IP address via
DHCP.
258
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
Filtering
In addition, the definition of a specific filter ID is optional configuration. If a specific
filter ID is not defined or returned by the access-accept packet operation, the
HiPath Wireless Controller assigns the VNS' default policy for authenticated
users.
Note: The HiPath Wireless Controller only assigns the device's IP after the client
requests one.
Both Captive Portal and 802.1x authentication mechanisms in Controller, Access
Points and Convergence Software rely on a RADIUS server on the enterprise
network. You can identify and prioritize up to three RADIUS servers on the HiPath
Wireless Controller—in the event of a failover of the active RADIUS server, the
HiPath Wireless Controller will poll the other servers in the list for a response.
Once an alternate RADIUS server is found, it becomes the active RADIUS server,
until it either also fails, or the administrator redefines another.
5.6 Filtering
The Policy capability provides a technique to specify different network access to
different groups of users. This is accomplished by packet filtering.
After setting the authentication mode, define the filtering rules for the filters that
apply to your network. Exception filters and Multicast filters are part of the Topology
definition. All other filter types are part of the Policy definition.
•
Policy-based filtering — These filters can apply to non-authenticated and
authenticated users:
–
Non-authenticated filter with filtering rules that apply before
authentication — Controls network access and to direct users to a
Captive Portal Web page for login.
–
Authenticated filters — Controls access to certain areas of the network,
with values that match the values defined for the RADIUS filter ID
attribute.
•
Exception filter — Protect access to a system's own interfaces. VNS
exception filters are applied to the traffic intended for the HiPath Wireless
Controller's own interface point of presence in the network. These filters are
applied after the policy-based assigned filters are evaluated.
•
Multicast filtering — These filters define a list of multicast groups whose
traffic is allowed to be forwarded to and from the VNS. They are configured
as part of the Topology assigned to the VNS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
259
hwc_vnsintro.fm
Virtual Network Services concepts
Filtering
Within each type of filter, define a sequence of filtering rules. The filtering rule
sequence must be arranged in the order that you want them to take effect. Each
rule is defined to allow or deny traffic in either direction:
•
In — From the network into a wireless device
•
Out — From a wireless device out to the network
5.6.1 Final filter rule
The final rule in any filter should act as a catch-all for any traffic that did not match
a filter entry. This final rule should either allow all or deny all traffic, depending on
the requirements for network access. For example, the final rule in a nonauthenticated filter for Captive Portal is typically deny all. A final allow all rule in a
default filter will ensure that a packet is not dropped entirely if no other match can
be found.
A default rule of deny all is automatically created by the system for initial filter
definitions. The administrator can change the action to allow all. However, a
default filter rule cannot be removed. Since a default filter rule provides a catchall default behavior for packet handling, all applicable user defined filter rules
must be defined prior to this rule.
Each rule can be based on any one of the following:
•
Destination IP address or any IP address within a specified range that is on
the network subnet (as a wildcard)
•
Destination ports, by number and range
•
Protocols (UDP, TCP, etc.)
5.6.2 Filtering sequence
The policy based filtering sequence depends on the type of authentication used:
260
•
No authentication — Only the non-Authenticated filter will apply. Specific
network access can be defined.
•
Authentication by captive portal — The non-authenticated filter will apply
before authentication. Specific network access can be defined. The filter
should also include a rule to allow all users to get as far as the Captive Portal
Web page where the user can enter login identification for authentication.
When authentication is returned, the filter ID determines what Policy, and
therefore filters, are applied. If no filter ID matches are found, then the default
filter is applied. The filter ID is an optional behavior specification. If a filter ID
is not returned, or an invalid one is returned, the default filter is applied.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
Filtering
•
Authentication by 802.1x — When authentication by 802.1x is configured,
user authentication is completed using the 802.1x/EAP protocol before a user
is granted access to a network resource. Therefore, the enforcement of nonauthenticated traffic rules is not applicable. When authentication is returned,
then the filter ID determines what Policy, and therefore filters, are applied to
the user.
The following is a high-level description of how HiPath Wireless Controller filters
traffic:
1. The HiPath Wireless Controller attempts to match each packet of a VNS to
the filtering rules (that is, Policy) that apply to the wireless device user.
2. If a filtering rule is matched, the operation to allow or deny is executed.
3. The next packet is fetched for filtering.
5.6.3 Legacy compatibility with Policy-based filtering
and VNS assignment
Prior to V7.0, policy re-assignments were made through the return of special
attributes in the RADIUS Accept message. These attributes included:
•
“Login-Lat-Group” and “Tunnel-Private-Group-ID” to assign the user to a child
VNS context
•
“Filter ID” to assign the user to a specified Filter Group.
At V7.0, the upgrade process converts and generates the necessary relationships
for all elements of a VNS.
Each Filter Group definition for a VNS becomes a new Policy, with the Policy
name determined by VNS hierarchy. The Policy name is created by adding the
internal context to the RADIUS-returned attributes. For example:
Policy name = [ :] : FilterID | “Default”
The child VNS concept is deprecated, with child VNSs becoming just pure Policy
definitions, assigned by the authentication action.
The RADIUS client or Security Manager applies legacy decision rules to pick the
correct Policy name if the “Restrict Policy Set” feature is selected for the VNS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
261
hwc_vnsintro.fm
Virtual Network Services concepts
Multicast traffic
5.7 Multicast traffic
A mechanism that supports multicast traffic can be enabled as part of a topology
definition. This mechanism is provided to support the demands mainly of VoIP
and IPTV network traffic, while still providing the network access control.
The multicast traffic can be enabled or disabled at the Topology level. In support
for multicast traffic over routed topologies, a physical port needs to be selected
as the gateway to/from the network for the multicast traffic. The desired multicast
groups need to be explicitly specified in the multicast filter list. The entry order of
these filter rules is not relevant and the presence of an entry is associated with
the “allow” action. The end default value is the “deny all” rule.
There is a high premium paid in terms of RF access time when it comes to
multicast traffic. The HiPath multicast solution optimizes the multicast forwarding
on air and also provides a mechanism to enable or disable the replication on air,
per multicast group.
5.8 Data protection — WEP and WPA
Privacy is a mechanism that protects data over wireless and wired networks,
usually by encryption techniques. The HiPath Wireless Controller provides
several privacy mechanisms to protect data over the WLAN. Privacy type is
configured as part of a WLAN Service.
Data protection encryption techniques
Note: Regardless of the Wireless AP model or VNS type, a maximum of 112
simultaneous clients, per radio, are supported by all of the data protection
encryption techniques listed below.
262
•
Wired Equivalent Privacy (WEP) – WEP encrypts data sent between
wireless nodes. Each node must use the same encryption key.
•
Wi-Fi Protected Access Privacy (WPA v.1 and v.2) – Encryption is by
Advanced Encryption Standard (AES) or by Temporal Key Integrity Protocol
(TKIP). Two modes are available:
•
Enterprise – Specifies 802.1x authentication and requires an
authentication server
•
Pre-Shared Key (PSK) – Relies on a shared secret. The PSK is a shared
secret (pass-phrase) that must be entered in both the Wireless AP or
router and the WPA clients.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsintro.fm
Virtual Network Services concepts
QoS Policy
Note: To achieve the strongest encryption protection for your VNS, Siemens
recommends that you use WPA v.1 or WPA v.2.
5.9 QoS Policy
The HiPath Wireless Controller, Access Points and Convergence Software
solution provides advanced Quality of Service (QoS) management to provide
better network traffic flow.
The HiPath WLAN distinguishes between two levels of QoS treatment applied to
the client traffic: wireless and wired. Wireless QoS is applied at the APs, while the
wired QoS is applied at both the APs and the HiPath Wireless Controller. QoS
definition and configuration are part of the WLAN Services specifications.
On the wired side, a class of service can define DSCP and IP/TOS markings that
can overwrite the markings in the ingress frame. A class of service can specify
the transmission queuing behavior that is applied to frames.
Rate limiting can also be considered part of overall QoS specification. Rate
limiting/control is applied to all traffic assigned to a policy.
5.10 Flexible Client Access (FCA)
Flexible client access provides the ability to adjust media access fairness in five
levels between packet fairness and airtime fairness.
•
Packet Fairness is the default 802.11 access policy.
–
Each WLAN participant gets the same (equal) opportunity to send
packets.
–
All WLAN clients will show the same throughput regardless of their PHY
rate.
–
WLAN clients with lower PHY rates will occupy most of the airtime.
–
Example of packet fairness:
•
2 clients @ 300Mbps get media access equivalent to a PHY rate of
150Mbps each = 300Mbps total
•
2 clients @ 6Mbps get media access of 3Mbps each = 6Mbps total
•
Client1 @ 300Mbps + Client2 @ 6Mbps get media access of
5.88Mbps each = 11.76Mbps total
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
263
hwc_vnsintro.fm
Virtual Network Services concepts
Flexible Client Access (FCA)
•
Airtime fairness
–
Each WLAN participant gets equal time access.
–
WLAN clients will show throughput proportional to the PHY rate.
–
Provides better overall throughput.
–
Example of airtime fairness: Client1 @ 300Mbps + Client2 @ 6Mbps get
media access or 150Mbps for Client1 + 3Mbps for Client 2 = 153Mbps
total
With FCA, you can adjust the client access policy in multiple steps between
packet fairness and airtime fairness.
You can enable or disable FCA for any given WLAN Service in its QoS Settings
tab. The level at which it is applied (between 100% Airtime Fairness and 100%
Packet Fairness) is a global parameter that is set under VNS Configuration ->
Global -> Wireless QoS.
264
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
High level VNS configuration flow
6 Configuring a VNS
This chapter describes VNS (Virtual Network Services) configuration, including:
•
High level VNS configuration flow
•
VNS global settings
•
Methods for configuring a VNS
•
Working with the VNS wizard to create a new VNS
•
Working with a GuestPortal VNS
•
Creating a VNS using the advanced method
•
Working with existing VNSs
•
Configuring a Topology
•
Configuring WLAN Services
•
Configuring Policy
•
Working with a Wireless Distribution System
6.1 High level VNS configuration flow
Setting up a VNS defines a binding between a default policy specified for wireless users
and an associated WLAN Service set, as shown in Figure 13 below.
There are conceptually hierarchical dependencies on the configuration elements
of a VNS. However, the provisioning framework is flexible enough that you may
select an existing dependent element or create one on the fly. Therefore, each
element can be provisioned independently (WLAN services, Topologies, and
Policies). For service activation, all the pieces will need to be in place, or defined
during VNS configuration.
Figure 13
VNS configuration flow
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
265
hwc_vnsconfiguration.fm
Configuring a VNS
High level VNS configuration flow
You can use the VNS Creation Wizard to guide you through the necessary steps
to create a virtual network service (and the necessary subcomponents during the
process). The end result is a fully resolved set of elements and an active service.
The recommended order of configuration events is:
1. Before you begin, draft out the type of services the system is expected to
provide – wireless services, encryption types, infrastructure mapping
(VLANs), and connectivity points (switch ports). Switch port VLAN
configuration/trunks must match the controller's.
2. Set up basic controller services such as NTP, Routing, DNS, and RADIUS
Servers, using one of the following methods:
•
Run the Basic Configuration Wizard, or
•
Manually define the necessary infrastructure components such as
RADIUS Servers. RADIUS Servers are defined via the VNS
Configuration > Global > Authentication tab.
3. Define Topologies. Topologies represent the controller’s points of network
attachment. Therefore, VLANs and port assignments need to be coordinated
with the corresponding switch ports.
4. Define Policies. Policies are typically bound to Topologies. Policy application
assigns user traffic to the corresponding network point of attachment.
•
Policies define mobile user access rights by filtering.
•
Polices reference the mobile user's traffic rate control profiles.
5. Define the WLAN Service.
•
Define SSID and privacy settings for the wireless link.
•
Select the set of APs and Radios on which the service is present.
•
Configure the method of credential authentication for wireless users
(None, Internal CP, External CP, GuestPortal, 802.1x[EAP]).
6. Create a VNS that binds the WLAN Service to the Policy that will be used
for default assignment upon user network attachment.
The VNS configuration page in turn allows for in-place creation of any
dependencies it may require. For example:
266
•
Create a new WLAN Service.
•
Create a new Policy.
–
Create a new Topology.
–
Create new ingress and egress rate control policies.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
6.1.1 Controller defaults
The default shipping HiPath Wireless Controller configuration does not include
any pre-configured WLAN Services, VNSs, or Policies.
The HiPath Wireless Controller system does ship with Topology entities
representing each of it's physical interfaces, plus an admin interface.
There are, however, global default settings corresponding to:
•
A Default Topology named “Bridged @ AP Untagged”
•
An “Unlimited” Rate Control Profile
•
A Filter Definition of “Deny all”
These entities are simply placeholders for Policy completion, in case policies are
incompletely defined. For example, a Policy may be defined as “no-change” for
Topology assignment.
If an incomplete Policy is assigned as the default for a VNS / WLAN Service
(wireless port), the incomplete Policy needs to be fully qualified, at which point the
missing values are picked from the Default Global Policy definitions, and the
resulting policy is applied as default.
Note: You can edit the attributes of the Default Global Policy (in the VNS >
Globals tab) to any other parameters of your choosing (for example, any other
topology, more permissive filter sets, more restrictive Rate Control profile).
It is possible to define a Default Global Policy to refer to a specific Topology (for
example, Topology_VLAN), and then configure every other Policy’s topology
simply as “No-change.” This will cause the default assignment to
Topology_VLAN, so that all user traffic, regardless of which policy they're
currently using (with different access rights, different rate controls) will be carried
through the same VLAN.
6.2 VNS global settings
Before defining a specific VNS, define the global settings that will apply to all VNS
definitions. These global settings include:
•
Authentication
–
Configuring RADIUS servers on the enterprise network. The defined
servers are displayed as available choices when you set up the
authentication mechanism for each WLAN Service.
–
Configuring the MAC format.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
267
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
•
DAS (Dynamic Authorization Service)
–
•
•
Wireless QoS, comprising Admission Control Thresholds and Flexible Client
Access Fairness Policy.
–
Admission control thresholds protect admitted traffic against overloads,
provide distinct thresholds for VO (voice) and VI (video), and distinct
thresholds for roaming and new streams.
–
Flexible Client Access provides the ability to adjust media access fairness
in five levels between Packet Fairness and Airtime Fairness.
Bandwidth Control
–
•
Configuring Dynamic Authorization Service (DAS) support. DAS helps
secure your network by providing the ability to disconnect a mobile device
from your network.
The Bandwidth Control Profiles you define are displayed as available
choices in the Rate Profiles menu when you set up QoS policy.
Default Policy
The Global Default Policy specifies:
–
A topology to use when a VNS is created using a policy that does not
specify a topology
–
An Inbound Rate Profile
–
An Outbound Rate Profile
–
A Set of filters
The HiPath Wireless Controller ships from the factory with a default “Global
Default Policy” that has the following settings:
–
Topology is set to an Bridged at AP untagged topology. This topology will
itself be defined in V7.31 HiPath Wireless Controllers by default.
–
Inbound Rate Profile - No rate control (Unlimited)
–
Outbound Rate Profile - No rate control (Unlimited)
–
Filters - A single “Deny All” filter.
The Global Default Policy is user-configurable. Changes to the Global Default
Policy immediately effect all shadow policies created from it, just as if the
administrator had made a comparable change directly to the incomplete
policy.
•
Sync Summary
The “Sync Summary” screen provides an overview of the synchronization
status of paired controllers. The screen is divided into 4 sections: Virtual
Networks, WLAN services, Policies and Topologies. Each section lists the
268
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
name of the corresponding configuration object, its synchronization mode,
and the status of last synchronization attempt. For more information, see
Section 6.2.7, “Using the Sync Summary”, on page 278.
6.2.1 Defining RADIUS servers and MAC address
format
The Authentication global settings include configuring RADIUS servers, the MAC
format to be used, and the SERVICE-TYPE attribute in the client ACCESSREQUEST messages.
To define RADIUS servers for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then Authentication.
3. To enable changing RADIUS server settings per WLAN Service, select Strict
Mode.
4. To define a new RADIUS server available on the network, click the New
button. The RADIUS Settings pop up window displays.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
269
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
5. In the Server Alias box, type a name that you want to assign to the RADIUS
server.
Note: You can also type the RADIUS server’s IP address in the Server Alias
box in place of a nickname. The RADIUS server will identify itself by the value
typed in the Server Alias box in the RADIUS Servers drop down list on the
RADIUS Authentication tab of the Login Management screen (Main Menu
> Wireless Controller Configuration > Login Management). For more
information, see Section 3.4.9, “Configuring the login authentication mode”,
on page 78.
6. In the Hostname/IP box, type either the RADIUS server’s FQDN (fully
qualified domain name) or IP address.
Note: If you type the host name in the Hostname/IP address box, the HiPath
Wireless Controller will send a host name query to the DNS server for host
name resolution. The DNS servers must be appropriately configured for
resolving the RADIUS servers’ host names. For more information, see
Section 3.4.12, “Configuring DNS servers for resolving host names of NTP
and RADIUS servers”, on page 95.
7. In the Shared Secret box, type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS server.
To proofread your shared secret key, click Unmask. The password is
displayed.
Note: You should always proofread your Shared Secret key to avoid any
problems later when the HiPath Wireless Controller attempts to communicate
with the RADIUS server.
270
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
8. If desired, change the Default Protocol using the drop down list. Choices are
PAP, CHAP, MS-CHAP, or MS-CHAP2.
9. If desired, change the pre-defined default values for Authentication and
Accounting operations:
a) Priority — default is 4
b) Total number of tries — default is 3
c) RADIUS Request timeout — default is 5 seconds
d) Port — default Authentication port is 1812. Default Accounting port is
1813.
e) For Accounting operations, the Interim Accounting Interval — default is
30 minutes.
10. To save your changes, click Save. The new server is displayed in the
RADIUS Servers list.
Note: The RADIUS server is identified by its Server Alias.
11. To edit an existing server, click the row containing the server. The RADIUS
Settings window displays, containing the server’s configuration values.
12. To remove a server from the list, select the checkbox next to the server, and
then click Delete Selected. You cannot remove a server that is used by any
VNS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
271
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
To configure the global MAC address format for use with the RADIUS
servers:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then Authentication.
3. In the MAC Address area, select the MAC Address Format from the drop
down list.
4. Click Save to save your changes.
To include the SERVICE-TYPE attribute in the client ACCESS-REQUEST
messages:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then Authentication.
3. In the MAC Address area, click Advanced.
4. Select Include Service-Type attribute in Client Access Request
messages.
5. In the Delay for Client Message for Topology Change field, specify how
long, in seconds, the warning web page is displayed to the client when the
topology changes as a result of a policy change.
6. Click Close.
7. Click Save to save your changes.
6.2.2 Configuring Dynamic Authorization Server
support
DAS helps secure your network by forcing the disconnection of any mobile device
from your network. Typically, you would want to disconnect any unwelcome or
unauthorized mobile device from your network. The “disconnect message” that is
defined in RFC 3576 is enforced by the DAS support. If an unauthorized mobile
device is detected on the network, the DAS client sends a disconnect packet,
forcing the mobile device off the network. Your DAS client can be an integration
with NAC or another third-party application, including RADIUS applications. For
more information, see Section 5.3, “NAC integration with HiPath WLAN”, on page
253.
DAS support is available to all physical interfaces of the HiPath Wireless
Controller, and by default DAS listens to the standard-specified UDP port 3799.
272
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
To configure Dynamic Authorization Server support:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then click DAS.
3. In the Port box, type the UDP port you want DAS to monitor. By default, DAS
is configured for the standard-specified UDP port 3799. It is unlikely this port
value needs to be revised.
4. In the Replay Interval box, type how long you want DAS to ignore repeated
identical messages. By default, DAS is configured for 300 seconds.
This time buffer helps defend against replay network attacks.
5. To save your changes, click Save.
6.2.3 Defining Wireless QoS Admission Control
Thresholds
The Wireless QoS global settings include Admission Control Thresholds,
described here, and Flexible Client Access, described in Section 6.2.4, “Defining
Wireless QoS Flexible Client Access”, on page 274.
To define admission control thresholds for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then click Wireless QoS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
273
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
3. In the Admission Control Thresholds area, define the thresholds for the
following:
•
Max Voice (VO) BW for roaming streams – The maximum allowed
overall bandwidth on the new AP when a client with an active voice
stream roams to a new AP and requests admission for the voice stream.
•
Max Voice (VO) BW for new streams – The maximum allowed overall
bandwidth on an AP when an already associated client requests
admission for a new voice stream.
•
Max Video (VI) BW for roaming streams – The maximum allowed
overall bandwidth on the new AP when a client with an active video
stream roams to a new AP and requests admission for the video stream.
•
Max Video (VI) BW for new streams – The maximum allowed overall
bandwidth on an AP when an already associated client requests
admission for a new video stream.
These global QoS settings apply to all APs that serve QoS enabled VNSs
with admission control.
4. To save your changes, click Save.
6.2.4 Defining Wireless QoS Flexible Client Access
This feature allows you to adjust client access policy in multiple steps between
“packet fairness” and “airtime fairness.”
•
274
Packet fairness is the default 802.11 access policy. Each WLAN participant
gets the same (equal) opportunity to send packets. All WLAN clients will show
the same throughput, regardless of their PHY rate.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
•
Airtime fairness gives each WLAN participant the same (equal) time access.
WLAN clients’ throughput will be proportional to their PHY rate.
To define flexible client access for VNS global settings:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then click Wireless QoS.
3. In the Flexible Client Access area, select a policy from the Fairness Policy
drop-down list. Choices range from 100% packet fairness to 100% airtime
fairness.
4. To save your changes, click Save.
6.2.5 Working with bandwidth control profiles
Bandwidth control limits the amount of bidirectional traffic from a mobile device.
A bandwidth control profile provides a generic definition for the limit applied to certain
wireless clients' traffic. A bandwidth control profile is assigned on a per policy basis.
A bandwidth control profile is not applied to multicast traffic.
Bandwidth control profile parameters
A bandwidth control profile consists of the following parameters:
•
Profile Name – Name assigned to a profile
•
Committed Information Rate (CIR) – Rate at which the network supports
data transfer under normal operations. It is measured in kilo bytes per second
(Kbps).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
275
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
The bandwidth control profiles you define on the VNS Global Settings screen
are displayed as available choices in the Bandwidth Control Profiles list on the
Policy screen.
To create a bandwidth control profile:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then click Bandwidth Control.
3. Create a bandwidth control profile by doing the following:
•
Profile Name – Type a name for the bandwidth control profile.
•
In the Average Rate (CIR) – Type the CIR value for the bandwidth control
profile.
4. Click Add Profile. The profile is created and displayed in the Bandwidth
Control Profiles list.
5. Create additional bandwidth control profiles, if applicable.
6. To save your changes, click Save.
6.2.6 Configuring the Global Default Policy
The HiPath Wireless Controller ships with a Global Default Policy that can be
configured. The Global Default Policy specifies:
276
•
A topology to use when a VNS is created using a policy that does not specify
a topology. The default assigned topology is named Bridged at AP untagged.
•
An Inbound Rate Profile
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
•
An Outbound Rate Profile
•
A set of filters
To configure the topology and rate profiles:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, click Global, then click Default Policy.
3. Select the VLAN & Class of Service tab.
4. In the Topology area, select a topology using one of the following methods:
•
Select an existing topology from the Assigned Topology drop-down list.
•
Select an existing topology from the Assigned Topology drop-down list,
then click Edit. The Edit Topology window displays, showing the current
values for the selected topology.
•
Click the New button. The New Topology window displays.
Edit or create the selected topology as described in Section 6.8, “Configuring
a Topology”, on page 319.
5. In the Rate Profiles area, select ingress and egress rate profiles using one
of the following methods:
•
Select an existing Ingress Rate Profile and Egress Rate Profile from
the drop-down lists.
•
Select an existing rate from the drop-down lists, then click Edit. The Edit
Rate Control Profile window displays.
•
Click the New button. The Add Rate Control Profile window displays.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
277
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
Edit or create the rate control profile as described in Section 6.10,
“Configuring Policy”, on page 377.
To configure the filters:
1. Click the Filter Rules tab. The HWC Filters tab displays, allowing you to
create filter rules that will be applied by the controller when default nonauthentication policy does not specify filters.
2. To add a rule, click Add. The fields in the Add Filter area are enabled.
3. Configure the fields as desired. For more information, see Section 6.10.2,
“About filtering rules”, on page 379.
4. To configure custom AP filters, select the Enable AP Filtering checkbox,
then select the Custom AP Filters checkbox and click the AP Filters tab.
Then configure the rules as desired.
For more information, see Section 6.10.6, “Defining filter rules for Wireless
APs”, on page 387.
6.2.7 Using the Sync Summary
The Sync Summary screen provides an overview of the synchronization status of
paired controllers. The screen is divided into four sections: Virtual Networks,
WLAN services, Policies and Topologies. Each section lists the name of the
corresponding configuration object, its synchronization mode, and the status of
last synchronization attempt.
If Synchronization of an object is not enabled, then there is a button in the Status
field which says “Synchronize Now”, which performs a single synchronization of
the object, pushing the object from local controller to the peer.
278
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
VNS global settings
If Synchronization of an object is enabled, then the “Status” field can have the
following values:
•
Synchronized
•
Not Synchronized
•
Failed
•
Conflict (with a button called “Resolve”)
The checkbox “Enable Synchronization of System Configuration” acts as a global
synchronization flag. When it's disabled, synchronization is not performed in the
background. When it is enabled, only the objects that have “Sync” enabled are
synchronized.
An object may have a synchronization state of “Conflict” if it was updated on both
controllers in the availability pair while the availability link was down. In such a
case, the “Resolve” button lets you choose which version of the object should be
taken, local or remote. Please note that controllers don't compare the actual
configuration when they declare a conflict — only the fact that the object was
updated on both controllers in the availability pair triggers the “Conflict” state.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
279
hwc_vnsconfiguration.fm
Configuring a VNS
Methods for configuring a VNS
6.3 Methods for configuring a VNS
To configure a VNS, you can use one of the following methods:
•
Wizard configuration — The VNS wizard helps create and configure a new
VNS by prompting you for a minimum amount of configuration information.
The VNS is created using minimum parameters. The remaining parameters
are automatically assigned in accordance with best practice standards.
After the VNS wizard completes the VNS creation process, you can then edit
or revise any of the VNS configuration to suit your network needs.
•
Advanced configuration — Allows you to create a new VNS by first
configuring the topology, policy, and WLAN services and then configuring any
remaining individual VNS tabs that are necessary to complete the process.
When configuring a VNS, you can navigate between the various VNS tabs
and define your configuration without having to save your changes on each
individual tab. After your VNS configuration is complete, click Save on any
VNS tab to save your completed VNS configuration.
Note: If you navigate away from the VNS configuration tabs without saving
your VNS changes, your VNS configuration changes will be lost.
6.4 Working with the VNS wizard to create a new VNS
The VNS wizard helps create and configure a new VNS by prompting you for a
minimum amount of configuration information during the sequential configuration
process. After the VNS wizard completes the VNS creation process, you can then
continue to configure or revise any of the VNS configuration to suit your network
needs.
When using the VNS wizard to create a new VNS, you can create the following
types of VNSs:
280
•
NAC SSID-based VNS — NAC gateway-compatible VNS. The HiPath
Wireless Controller integrates with an Enterasys NAC Controller to provide
authentication, assessment, remediation and access control for mobile users.
For more information, see Section 6.4.1, “Creating a NAC VNS using the VNS
wizard”, on page 281.
•
Voice — Voice-specific VNS that can support various wireless telephones,
including optiPoint, Spectralink, Vocera, and Mobile Connect - Nokia. For
more information, see Section 6.4.2, “Creating a voice VNS using the VNS
wizard”, on page 284.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
Data — Data-specific VNS, that can be configured to use either SSID or AAA
authentication. For more information, see Section 6.4.3, “Creating a data
VNS using the VNS wizard”, on page 288.
•
Captive Portal — A VNS that employs a Captive Portal page, which requires
mobile users to provide login credentials when prompted to access network
services. In addition, use the VNS wizard to configure a GuestPortal VNS
using the Captive Portal option. For more information, see Section 6.4.4,
“Creating a Captive Portal VNS using the VNS wizard”, on page 295.
•
Other — Use this VNS wizard option to create a VNS as you would if you
were creating a new VNS using the advanced configuration method. For
more information, see Section 6.6, “Creating a VNS using the advanced
method”, on page 316.
The VNS type dictates the configuration information that is required during the
VNS creation process.
6.4.1 Creating a NAC VNS using the VNS wizard
The HiPath Wireless Controller integrates with an Enterasys NAC Controller to
provide authentication, assessment, remediation and access control for mobile
users. For more information, see Section 5.3, “NAC integration with HiPath
WLAN”, on page 253.
Use the VNS wizard to configure a NAC gateway-compatible VNS by defining the
following essential parameters:
•
VNS Name – The name that will be assigned to the VNS and SSID.
•
IP Address – The IP address of the HiPath Wireless Controller’s interface on
the VLAN.
•
Mask – The subnet mask for the IP address to separate the network portion
from the host portion of the address.
•
VLAN ID – ID number of the VLAN to which the HiPath Wireless Controller is
bridged for the VNS.
•
Port – Physical L2 port to which the configured VLAN is attached.
•
RADIUS server – IP address of the Enterasys NAC Controller.
•
Redirection URL – The URL that points to the NAC Controller’s web server.
The VNS wizard creates a Bridge Traffic Locally at HWC VNS. This VNS has
the crucial attributes — SSID Network Assignment Type, MAC-based external
captive portal authentication and WPA-PSK encryption — that makes it
compatible with the Enterasys NAC Controller.The remaining VNS parameters
are defined automatically according to best practice standards.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
281
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
To configure a NAC VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. In the Name box, type a name for the NAC SSID-based VNS.
4. In the Category drop-down list, click NAC VNS, and then click Next. The
NAC-compatible SSID-based VNS screen is displayed.
5. Do the following:
282
•
In the IP address box, type the IP address of the HiPath Wireless
Controller’s interface on the VLAN.
•
In the Mask box, type the appropriate subnet mask for this IP address to
separate the network portion from the host portion of the address
(typically 255.255.255.0).
•
In the VLAN ID box, type the VLAN tag to which the HiPath Wireless
Controller will be bridged for the VNS.
•
In the Interface drop-down list, select the physical port that provides the
access to the VLAN.
•
In the NAS drop-down list, click the interface/port through which the NAC
gateway will communicate with the HiPath Wireless Controller. The IP
address in this field will be used as the NAS IP RADIUS attribute when
communicating with the NAC gateway.
•
In the NAC server drop-down list, click the existing NAC server you want
to use for the VNS, or select the Add new server option, and then do the
following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
a) In the Server Alias box, type the name or IP address of the NAC
server.
b) In the Hostname/IP box, type the NAC server’s FQDN (fully qualified
domain name) or IP address.
c) In the Shared Secret box, type the password that will be used to
validate the connection between the HiPath Wireless Controller and
the NAC server.
d) To proofread your shared secret key, click Unmask. The password is
displayed.
After the new NAC server is added, it will be displayed in the Use existing
server drop-down list the next time you use the VNS wizard.
Note: You should always proofread your Shared Secret key to avoid any
problems later when the HiPath Wireless Controller attempts to communicate
with the NAC Controller.
e) In the NAC web server IP box, type the NAC web server IP address.
6. To save your changes, click Finish. The VNS wizard creates a SSID-based
NAC Controller-compatible VNS, and displays the configuration summary.
7. To close the VNS wizard, click Close.
8. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
283
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
6.4.2 Creating a voice VNS using the VNS wizard
Use the VNS wizard to create a voice-specific VNS that can support various
wireless telephones, including optiPoint, Spectralink, Vocera, and Mobile
Connect - Nokia.
When you use the VNS wizard to create a voice-specific VNS, you optimize the
voice VNS to support one wireless telephone vendor. If the voice VNS needs to
be optimized for more than one wireless phone vendor, use the advanced method
to create the voice-specific VNS. For more information, see Section 6.6, “Creating
a VNS using the advanced method”, on page 316.
When you create a new voice VNS using the VNS wizard, you configure the VNS
in the following stages:
•
Basic settings
•
Authentication settings, if applicable
•
DHCP settings
•
Privacy settings
•
Radio assignment settings
•
Summary
To configure a voice VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. Click Start VNS Wizard. The VNS Creation Wizard screen is displayed.
4. In the Name box, type a name for the voice VNS.
5. In the Category drop-down list, click Voice, and then click Next. The Basic
Settings screen is displayed.
6. Configure the VNS basic settings. The VNS type and mode you configure on
the Basic Settings screen will dictate the VNS information you will need to
provide.
284
•
Enabled – By default, the Enabled checkbox for the new VNS is enabled.
A VNS must be enabled for it to be able to provide service for mobile user
traffic.
•
Type – Click the wireless phone you want to support for the new voice
VNS you are creating.
•
Mode – Click the VNS mode you want to assign:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
Routed is a VNS type where user traffic is tunneled to the HiPath
Wireless Controller.
•
Bridge Traffic Locally at HWC is a VNS type that has associated
with it a Topology with a mode of Bridge Traffic Locally at HWC. User
traffic is tunneled to the HiPath Wireless Controller and is directly
bridged at the controller to a specific VLAN. With this VNS type,
mobile users become a natural extension of a VLAN subnet. For each
Bridge Traffic Locally at HWC VNS that is created, a VLAN needs to
be specified. In addition, the network port on which the VLAN is
assigned must be configured on the switch, and the corresponding
HiPath Wireless Controller interface must match the correct VLAN.
If you configure a routed voice VNS
Do the following:
a) Gateway – Type the HiPath Wireless Controller's own IP address of the
topology associated with that VNS. This IP address is also the default
gateway for the VNS. The HiPath Wireless Controller advertises this
address to the wireless devices when they sign on. For routed VNSs, it
corresponds to the IP address that is communicated to mobile users (in
the VNS) as the default gateway for the VNS subnet. (Mobile users target
the HiPath Wireless Controller's interface in their effort to route packets to
an external host).
b) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
c) Gateway/SVP – If the voice VNS is to support Spectralink wireless
phones, type the IP address of the SpectraLink Voice Protocol (SVP)
gateway.
d) Vocera Server – If the voice VNS is to support Vocera wireless phones,
type the IP address of the Vocera server.
e) PBX – If the voice VNS is to support either WL2 or Mobile Connect Nokia wireless phones, type the PBX IP address.
f)
Enable Authentication – If applicable, select this checkbox to enable
authentication for the new voice VNS.
g) Enable DHCP – By default, this option is selected.
If you configure a bridge traffic locally at the HWC voice VNS
Do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
285
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
a) Interface – Click the physical interface that provides the access to the
VLAN.
b) Interface IP address – Type the IP address of the HiPath Wireless
Controller’s interface on the VLAN.
c) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
d) VLAN ID – Type the VLAN tag to which the HiPath Wireless Controller will
be bridged for the VNS.
e) Gateway/SVP – If the voice VNS is to support Spectralink wireless
phones, type the IP address of the SpectraLink Voice Protocol (SVP)
gateway.
f)
Vocera Server – If the voice VNS is to support Vocera wireless phones,
type the IP address of the Vocera server.
g) PBX Server – If the voice VNS is to support either WL2 or Mobile
Connect - Nokia wireless phones, type the PBX IP address.
h) Enable Authentication – If applicable, select this checkbox to enable
authentication for the new voice VNS.
i)
Enable DHCP – If applicable, select this checkbox to enable DHCP
authentication for the new voice VNS.
7. Click Next.
If the Enable Authentication checkbox is selected, you now must configure
the Authentication properties of the new voice VNS. Continue with step 8.
If the Enable Authentication checkbox is clear, you must now configure the
DHCP properties of the new voice VNS. Continue with step 10.
8. On the Authentication screen, do the following:
•
•
286
Radius Server – Click the RADIUS server you want to assign to the new
voice VNS, or click Add New Server and then do the following:
•
Server Alias – Type a name you want to assign to the new RADIUS
server.
•
Hostname/IP – Type either the RADIUS server’s FQDN (fully
qualified domain name) or IP address.
•
Shared Secret – Type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS
server.
•
Mask/Unmask – Click to display or hide your shared secret key.
Roles – Select the authentication role options for the RADIUS server.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
MAC-based Authentication – Select to enable the RADIUS server to
perform MAC-based authentication on the voice VNS.
If applicable, and the MAC-based authentication option is enabled,
select to enable MAC-based authorization on roam.
9. Click Next. The DHCP screen is displayed.
10. On the DHCP screen, in the DHCP Option drop-down list, click one of the
following:
•
Use DHCP Relay – Using DHCP relay forces the HiPath Wireless
Controller to forward DHCP requests to an external DHCP server on the
enterprise network. DHCP relay bypasses the local DHCP server for the
HiPath Wireless Controller and allows the enterprise to manage IP
address allocation to a VNS from its existing infrastructure.
–
DHCP Servers – Type the IP address of the DHCP server to which
DHCP discover and request messages will be forwarded for clients on
this VNS. The HiPath Wireless Controller does not handle DHCP
requests from users, but instead forwards the requests to the
indicated DHCP server.
The DHCP server must be configured to match the VNS settings. In
particular for a Routed VNS, the DHCP server must identify the
HiPath Wireless Controller's interface IP as the default Gateway
(router) for the subnet. (Users intending to reach devices outside of
the subnet will forward the packets to the default gateway (controller)
for delivery upstream.)
•
Local DHCP Server – If applicable, edit the local DHCP server settings.
11. In the DNS Servers box, type the IP Address of the Domain Name Servers
to be used.
12. In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
13. Click Next. The Privacy screen is displayed. Most options on this screen are
view-only.
14. On the Privacy screen, do the following:
•
Pre-shared key – Type the shared secret key to be used between the
wireless device and Wireless AP. The shared secret key is used to
generate the 256-bit key.
•
Mask/Unmask – Click to display or hide your shared secret key.
15. Click Next. The Radio Assignment screen is displayed.
16. On the Radio Assignment screen, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
287
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
In the AP Default Settings section, select the radios of the AP default
settings profile that you want to broadcast the voice VNS.
•
In the AP Selection section, select the group of APs that will broadcast
the voice VNS:
•
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
If applicable, select the WMM checkbox. WMM (Wi-Fi Multimedia), if
enabled on an individual VNS, provides multimedia enhancements that
improve the user experience for audio, video, and voice applications.
WMM is part of the 802.11e standard for QoS. If enabled, the AP will
accept WMM client associations, and will classify and prioritize the
downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
17. Click Next. The Summary screen is displayed.
18. Confirm your voice VNS configuration. To revise your configuration, click
Back.
19. To create your VNS, click Finish, and then click Close.
20. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
6.4.3 Creating a data VNS using the VNS wizard
Use the VNS wizard to create a data-specific VNS that can be configured to use
either SSID or AAA authentication.
When you create a new data VNS using the VNS wizard, you configure the VNS
in the following stages:
288
•
Basic settings
•
Authentication settings
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
DHCP settings
•
Filter settings
•
Privacy settings
•
Radio assignment settings
•
Summary
To configure a data VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. Click Start VNS Wizard. The VNS Creation Wizard screen is displayed.
4. In the Name box, type a name for the data VNS.
5. In the Category drop-down list, click Data, and then click Next. The Basic
Settings screen is displayed.
6. Configure the data VNS basic settings. The VNS type and mode you
configure on the Basic Settings screen will dictate the VNS information you
will need to provide.
•
Enabled – By default, the Enabled checkbox for the new VNS is enabled.
A VNS must be enabled for it to be able to provide service for mobile user
traffic.
•
Type – Click the type of network assignment for the VNS. There are two
options for network assignment, Disabled or 802.1x.
•
Mode – Click the VNS mode you want to assign:
•
Routed is a VNS type where user traffic is tunneled to the HiPath
Wireless Controller.
•
Bridge Traffic Locally at HWC is a VNS type where user traffic is
tunneled to the HiPath Wireless Controller and is directly bridged at
the controller to a specific VLAN. With this VNS type, mobile users
become a natural extension of a VLAN subnet. For each Bridge
Traffic Locally at HWC VNS that is created, a VLAN needs to be
specified. In addition, the network port on which the VLAN is assigned
must be configured on the switch, and the corresponding HiPath
Wireless Controller interface must match the correct VLAN.
•
Bridge Traffic Locally at AP is a VNS type where user traffic is
directly bridged to a VLAN at the AP network point of access (switch
port).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
289
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
If you are configuring a routed data VNS
Do the following:
a) Gateway – Type the HiPath Wireless Controller's own IP address of the
topology associated with that VNS. This IP address is the default gateway
for the VNS. The HiPath Wireless Controller advertises this address to
the wireless devices when they sign on. For routed VNSs, it corresponds
to the IP address that is communicated to mobile users (in the VNS) as
the default gateway for the VNS subnet. (Mobile users target the HiPath
Wireless Controller's interface in their effort to route packets to an
external host).
b) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
c) Enable Authentication – This option is enabled by default if the Type is
802.1x.
d) Enable DHCP – By default, this option is enabled for a routed data VNS.
If you configuring a bridge traffic locally at AP data VNS
Do the following:
a) Tagged – Select if you want to assign this VNS to a specific VLAN.
b) VLAN ID – Type the VLAN tag to which the HiPath Wireless Controller will
be bridged for the data VNS.
c) Untagged – Select if you want this VNS to be untagged. This option is
selected by default.
d) Enable Authentication – If applicable, select this checkbox to enable
authentication for the new data VNS. This option is enabled by default if
the Type is 802.1x.
If you are configuring a bridge traffic locally at HWC data VNS
Do the following:
a) Interface – Click the physical port that provides the access to the VLAN.
b) Interface IP address – Type the IP address of the HiPath Wireless
Controller’s interface on the VLAN.
c) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
d) VLAN ID – Type the VLAN tag to which the HiPath Wireless Controller will
be bridged for the VNS.
290
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
e) Enable Authentication – If applicable, select this checkbox to enable
authentication for the new data VNS. This option is enabled by default if
the Type is 802.1x.
f)
Enable DHCP – If applicable, select this checkbox to enable DHCP
authentication for the new data VNS.
7. Click Next. The Authentication screen is displayed.
8. On the Authentication screen, do the following:
•
•
Radius Server – Click the RADIUS server you want to assign to the new
data VNS, or click Add New Server and then do the following:
•
Server Alias – Type a name you want to assign to the new RADIUS
server.
•
Hostname/IP – Type either the RADIUS server’s FQDN (fully
qualified domain name) or IP address.
•
Shared Secret – Type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS
server.
•
Mask/Unmask – Click to display or hide your shared secret key.
Roles – Select the authentication role options for the RADIUS server:
•
MAC-based Authentication – Select to enable the RADIUS server
to perform MAC-based authentication on the data VNS.
If applicable, and the MAC-based authentication option is enabled,
select to enable MAC-based authorization on roam.
9. Click Next. The DHCP screen is displayed, if DHCP was enabled previously.
10. In the DHCP Option drop-down list, click one of the following:
•
Use DHCP Relay – Using DHCP relay forces the HiPath Wireless
Controller to forward DHCP requests to an external DHCP server on the
enterprise network. DHCP relay bypasses the local DHCP server for the
HiPath Wireless Controller and allows the enterprise to manage IP
address allocation to a VNS from its existing infrastructure.
–
DHCP Servers – If Use DHCP Relay was selected, type the IP
address of the DHCP server to which DHCP discover and request
messages will be forwarded for clients on this VNS. The HiPath
Wireless Controller does not handle DHCP requests from users, but
instead forwards the requests to the indicated DHCP server.
The DHCP server must be configured to match the VNS settings. In
particular for a Routed VNS, the DHCP server must identify the
HiPath Wireless Controller's interface IP as the default Gateway
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
291
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
(router) for the subnet. (Users intending to reach devices outside of
the subnet will forward the packets to the default gateway (controller)
for delivery upstream.)
•
Local DHCP Server – If applicable, edit the local DHCP server settings.
11. In the DNS Servers box, type the IP Address of the Domain Name Servers
to be used.
12. In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
13. Click Next. The Filtering screen is displayed.
14. On the Filtering screen, do the following:
•
In the Filter ID drop-down list, click one of the following:
•
Default – Controls access if there is no matching filter ID for a user.
•
Exception – Protects access to the HiPath Wireless Controller’s own
interfaces, including the VNSs own interface. VNS exception filters
are applied to user traffic intended for the HiPath Wireless Controller's
own interface point on the VNS. These filters are applied after the
user's specific VNS state assigned filters.
15. In the Filter table, select the Allow or Deny option buttons for each filter if
applicable, and then select the Enable checkbox accordingly.
16. Click Next. The Privacy screen is displayed.
17. On the Privacy screen, select one of the following:
•
Static Keys – Select to configure static keys. Then enter:
–
WEP Key Index – Click the WEP encryption key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX
Wireless APs.
–
WEP Key Length – Click the WEP encryption key length: 64 bit, 128
bit, or 152 bit.
–
Select an Input Method:
Input Hex – type the WEP key input in the WEP Key box. The key is
generated automatically based on the input.
Input String – type the secret WEP key string used for encrypting
and decrypting in the WEP Key String box. The WEP Key box is
automatically filled by the corresponding Hex code.
292
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
WPA-PSK – Select to configure Wi-Fi Protected Access (WPA v1 and
WPA v2), a security solution that adds authentication to enhanced WEP
encryption and key management.
–
To enable WPA v1 encryption, select WPA v.1. In the Encryption
drop-down list, select one of the following encryption types:
Auto – The Wireless AP will advertise both TKIP and CCMP (Counter
Mode with Cipher Block Chaining Message Authentication Code
Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol
that uses the encryption cipher AES (Advanced Encryption
Standard).
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
–
To enable WPA v2 encryption, select WPA v.2. In the Encryption
drop-down list, click one of the following encryption types:
Auto – The AP advertises both TKIP and CCMP (counter mode with
cipher block chaining message authentication code protocol). CCMP
is an IEEE 802.11i encryption protocol that uses the encryption cipher
AES (Advanced Encryption Standard).
AES only – The AP advertises CCMP as an available encryption
protocol. It will not advertise TKIP.
–
To enable re-keying after a time interval, select Broadcast re-key
interval, then type the time interval after which the broadcast
encryption key is changed automatically. The default is 3600.
If this checkbox is not selected, the Broadcast encryption key is never
changed and the Wireless AP will always use the same broadcast key
for Broadcast/Multicast transmissions. This will reduce the level of
security for wireless communications.
–
To enable the group key power save retry, select Group Key Power
Save Retry.
Note: The group key power save retry is only supported for AP36XX
Wireless APs.
•
In the Pre-shared key box, type the shared secret key to be used
between the wireless device and Wireless AP. The shared secret key is
used to generate the 256-bit key.
–
Mask/Unmask – Click to display or hide your shared secret key.
18. Click Next. The Radio Assignment screen is displayed.
19. On the Radio Assignment screen, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
293
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
In the AP Default Settings section, select the radios of the AP default
settings profile that you want to broadcast the data VNS.
•
In the AP Selection section, select the group of APs that will broadcast
the data VNS:
•
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
If applicable, select the WMM checkbox. WMM (Wi-Fi Multimedia), if
enabled on an individual VNS, provides multimedia enhancements that
improve the user experience for audio, video, and voice applications.
WMM is part of the 802.11e standard for QoS. If enabled, the AP will
accept WMM client associations, and will classify and prioritize the
downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
20. Click Next. The Summary screen is displayed.
21. Confirm your data VNS configuration. To revise your configuration, click
Back.
22. To create your VNS, click Finish, and then click Close.
The data VNS is created and saved.
23. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
If the HiPath Wireless Controller is configured to be part of an availability pair,
you can chose to synchronize the VNS on the secondary HiPath Wireless
Controller. See Chapter 7, “Availability and session availability” for more
information.
294
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
6.4.4 Creating a Captive Portal VNS using the VNS
wizard
Use the VNS wizard to create a Captive Portal VNS. A Captive Portal VNS
employs an authentication method that uses a Web redirection which directs a
mobile user's Web session to an authentication server. Typically, the mobile user
must provide their credentials (user ID, password) to be authenticated. There are
three types of Captive Portal VNSs you can create:
•
GuestPortal – A GuestPortal VNS provides wireless device users with
temporary guest network services. For more information, see Section 6.5,
“Working with a GuestPortal VNS”, on page 307.
•
Internal Captive Portal – The HiPath Wireless Controller’s own Captive
Portal authentication page — configured as an editable form — is used to
request user credentials. The redirection triggers the locally stored
authentication page where the mobile user must provide the appropriate
credentials, which then is checked against what is listed in the configured
RADIUS server.
•
External Captive Portal – An entity outside of the HiPath Wireless Controller
is responsible for handling the mobile user authentication process, presenting
the credentials request forms and performing user authentication procedures.
The external Web server location must be explicitly listed as an allowed
destination in the non-authenticated filter.
When you create a new captive portal VNS using the VNS wizard, you configure
the VNS in the following stages:
•
Basic settings
•
Authentication settings
•
DHCP settings
•
Filter settings
•
Privacy settings
•
Radio assignment settings
•
Summary review
To configure an internal Captive Portal VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. In the Name box, type a name for the Captive Portal VNS.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
295
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
4. In the Category drop-down list, click Captive Portal, and then click Next. The
Basic Settings screen is displayed.
5. Configure the Captive Portal VNS basic settings. The VNS type and mode
you configure on the Basic Settings screen will dictate the VNS information
you will need to provide.
•
Enabled – By default, the Enabled checkbox for the new VNS is enabled.
A VNS must be enabled for it to be able to provide service for mobile user
traffic.
•
Type – Click Internal Captive Portal.
•
Mode – Click the VNS mode you want to assign:
•
Routed is a VNS type where user traffic is tunneled to the HiPath
Wireless Controller.
•
Bridge Traffic Locally at HWC is a VNS type where user traffic is
tunneled to the HiPath Wireless Controller and is directly bridged at
the controller to a specific VLAN. With this VNS type, mobile users
become a natural extension of a VLAN subnet. For each Bridge
Traffic Locally at HWC VNS that is created, a VLAN needs to be
specified. In addition, the network port on which the VLAN is assigned
must be configured on the switch, and the corresponding HiPath
Wireless Controller interface must match the correct VLAN.
If configuring a routed internal Captive Portal VNS
Do the following:
a) Gateway – Type the HiPath Wireless Controller's own IP address in that
VNS. This IP address is the default gateway for the VNS. The HiPath
Wireless Controller advertises this address to the wireless devices when
they sign on. For routed VNSs, it corresponds to the IP address that is
communicated to mobile users (in the VNS) as the default gateway for the
VNS subnet. (Mobile users target the HiPath Wireless Controller's
interface in their effort to route packets to an external host).
b) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
c) Message – Type a brief message.
d) Enable Authentication – By default, this option is selected if the VNS
Type is Internal Captive Portal, which enables authentication for the
new Captive Portal VNS.
e) Enable DHCP – By default, this option is selected if the VNS Type is
Internal Captive Portal, which enables DHCP authentication for the new
Captive Portal VNS.
296
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
If configuring a bridge traffic locally at HWC internal Captive Portal VNS
Do the following:
a) Interface – Click the physical port that provides the access to the VLAN.
b) Interface IP address – Type the IP address of the HiPath Wireless
Controller’s interface on the VLAN.
c) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
d) VLAN ID – Type the VLAN tag to which the HiPath Wireless Controller will
be bridged for the VNS.
e) Message – Type a brief message that will be displayed above the Login
button that greets the mobile device user.
f)
Enable Authentication – By default, this option is selected if the VNS
Type is Internal Captive Portal, which enables authentication for the
new Captive Portal VNS.
g) Enable DHCP – If applicable, select this checkbox to enable DHCP
authentication for the new Captive Portal VNS.
6. Click Next. The Authentication screen is displayed.
7. On the Authentication screen, do the following:
•
•
Radius Server – Click the RADIUS server you want to assign to the new
Captive Portal VNS, or click Add New Server and then do the following:
–
Server Alias – Type a name you want to assign to the new RADIUS
server.
–
Hostname/IP – Type either the RADIUS server’s FQDN (fully
qualified domain name) or IP address.
–
Shared Secret – Type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS
server.
–
Mask/Unmask – Click to display or hide your shared secret key.
Roles – Select the authentication role options for the RADIUS server:
–
Authentication – By default, this option is selected if the VNS Type
is Internal Captive Portal, which enables the RADIUS server to
perform authentication on the Captive Portal VNS.
–
MAC-based Authentication – Select to enable the RADIUS server
to perform MAC-based authentication on the Captive Portal VNS.
If the MAC-based authentication option is enabled, select to enable
MAC-based authorization on roam, if applicable.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
297
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
–
Accounting – Select to enable the RADIUS server to perform
accounting on the Captive Portal VNS.
8. Click Next. The DHCP screen is displayed.
9. On the DHCP screen, do the following:
•
In the DHCP Option drop-down list, click one of the following:
–
Use DHCP Relay – Using DHCP relay forces the HiPath Wireless
Controller to forward DHCP requests to an external DHCP server on
the enterprise network. DHCP relay bypasses the local DHCP server
for the HiPath Wireless Controller and allows the enterprise to
manage IP address allocation to a VNS from its existing
infrastructure.
–
DHCP Servers – Type the IP address of the DHCP server to which
DHCP discover and request messages will be forwarded for clients on
this VNS. The HiPath Wireless Controller does not handle DHCP
requests from users, but instead forwards the requests to the
indicated DHCP server.
The DHCP server must be configured to match the VNS settings. In
particular for a Routed VNS, the DHCP server must identify the
HiPath Wireless Controller's interface IP as the default Gateway
(router) for the subnet. (Users intending to reach devices outside of
the subnet will forward the packets to the default gateway (controller)
for delivery upstream.)
•
Local DHCP Server – If applicable, edit the local DHCP server settings.
10. In the DNS Servers box, type the IP Address of the Domain Name Servers
to be used.
11. In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
12. Click Next. The Filtering screen is displayed.
13. On the Filtering screen, do the following:
•
298
In the Filter ID drop-down list, click one of the following:
•
Default – Controls access if there is no matching filter ID for a user.
•
Exception – Protects access to the HiPath Wireless Controller’s own
interfaces, including the VNSs own interface. VNS exception filters
are applied to user traffic intended for the HiPath Wireless Controller's
own interface point on the VNS. These filters are applied after the
user's specific VNS state assigned filters.
•
Non-Authenticated – Controls network access and also used to
direct mobile users to a Captive Portal Web page for login.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
14. In the Filter table, select the Allow or Deny option buttons for each filter if
applicable, and then select the Enable checkbox accordingly.
15. Click Next. The Privacy screen is displayed.
16. On the Privacy screen, do the following:
•
None – Select if you do not want to assign any privacy mechanism.
•
Static Keys – Select to configure static keys.
•
WEP Key Index – Click the WEP encryption key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX
Wireless APs.
•
WEP Key Length – Click the WEP encryption key length: 64 bit, 128
bit, or 152 bit.
•
Select one of the following input methods:
Input Hex – If you select Input Hex, type the WEP key input in the
WEP Key box. The key is generated automatically based on the
input.
Input String – If you select Input String, type the secret WEP key
string used for encrypting and decrypting in the WEP Key String box.
The WEP Key box is automatically filled by the corresponding Hex
code.
•
WPA-PSK – Select to use a Pre-Shared Key (PSK), or shared secret for
authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a
security solution that adds authentication to enhanced WEP encryption
and key management. WPA-PSK mode does not require an
authentication server. It is suitable for home or small office.
•
To enable WPA v1 encryption, select WPA v.1. If WPA v.1 is enabled, click
one of the following encryption types from the Encryption drop-down list:
•
–
Auto – The AP will advertise both TKIP and CCMP (Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol)
for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses
the encryption cipher AES (Advanced Encryption Standard). Auto is
the default.
–
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
To enable WPA v2-type encryption, select WPA v.2. The other options for
this drop-down list are:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
299
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
–
Auto – If you click Auto, the Wireless AP advertises both TKIP and
CCMP (counter mode with cipher block chaining message
authentication code protocol). CCMP is an IEEE 802.11i encryption
protocol that uses the encryption cipher AES (Advanced Encryption
Standard).
–
AES only – If you click AES, the Wireless AP advertises CCMP as an
available encryption protocol. It will not advertise TKIP.
To enable re-keying after a time interval, select Broadcast re-key
interval. If this checkbox is not selected, the Broadcast encryption key is
never changed and the Wireless AP will always use the same broadcast
key for Broadcast/Multicast transmissions. This will reduce the level of
security for wireless communications.
–
•
In the Broadcast re-key interval box, type the time interval after
which the broadcast encryption key is changed automatically.
To enable the group key power save retry, select Group Key Power Save
Retry.
Note: The group key power save retry is only supported for AP36XX
Wireless APs.
•
In the Pre-shared key box, type the shared secret key to be used
between the wireless device and Wireless AP. The shared secret key is
used to generate the 256-bit key.
–
Mask/Unmask – Click to display or hide your shared secret key.
17. Click Next. The Radio Assignment screen is displayed.
18. On the Radio Assignment screen, do the following:
300
•
In the AP Default Settings section, select the radios of the AP default
settings profile that you want to broadcast the Captive Portal VNS.
•
In the AP Selection section, select the group of APs that will broadcast
the Captive Portal VNS:
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
If applicable, select the WMM checkbox. WMM (Wi-Fi Multimedia), if
enabled on an individual VNS, provides multimedia enhancements that
improve the user experience for audio, video, and voice applications.
WMM is part of the 802.11e standard for QoS. If enabled, the AP will
accept WMM client associations, and will classify and prioritize the
downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
19. Click Next. The Summary screen is displayed.
20. Confirm your data VNS configuration. To revise your configuration, click
Back.
21. To create your VNS, click Finish, and then click Close.
22. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
To configure an external Captive Portal VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. In the Name box, type a name for the Captive Portal VNS.
4. In the Category drop-down list, click Captive Portal, and then click Next. The
Basic Settings screen is displayed.
5. Configure the Captive Portal VNS basic settings. The VNS type and mode
you configure on the Basic Settings screen will dictate the VNS information
you will need to provide.
•
Enabled – By default, the Enabled checkbox for the new VNS is enabled.
A VNS must be enabled for it to be able to provide service for mobile user
traffic.
•
Type – Click External Captive Portal.
•
Mode – Click the VNS mode you want to assign:
•
Routed is a VNS type where user traffic is tunneled to the HiPath
Wireless Controller.
•
Bridge Traffic Locally at HWC is a VNS type where user traffic is
tunneled to the HiPath Wireless Controller and is directly bridged at
the controller to a specific VLAN. With this VNS type, mobile users
become a natural extension of a VLAN subnet. For each Bridge
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
301
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
Traffic Locally at HWC VNS that is created, a VLAN needs to be
specified. In addition, the network port on which the VLAN is assigned
must be configured on the switch, and the corresponding HiPath
Wireless Controller interface must match the correct VLAN.
If configuring a routed external Captive Portal VNS
Do the following:
a) Gateway – Type the HiPath Wireless Controller's own IP address in that
VNS. This IP address is the default gateway for the VNS. The HiPath
Wireless Controller advertises this address to the wireless devices when
they sign on. For routed VNSs, it corresponds to the IP address that is
communicated to mobile users (in the VNS) as the default gateway for the
VNS subnet. (Mobile users target the HiPath Wireless Controller's
interface in their effort to route packets to an external host).
b) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
c) HWC Connection – Click the HiPath Wireless Controller IP address.
Also type the port of the HiPath Wireless Controller in the accompanying
box.
If there is an authentication server configured for this VNS, the external
Captive Portal page on the external authentication server will send the
request back to the HiPath Wireless Controller to allow the HiPath
Wireless Controller to continue with the RADIUS authentication and
filtering.
d) Redirection URL – Type the URL to which the wireless device user will
be directed to after authentication.
e) Shared Secret – Type the password that is common to both the HiPath
Wireless Controller and the external Web server if you want to encrypt the
information passed between the HiPath Wireless Controller and the
external Web server.
f)
Enable Authentication – Select this checkbox to enable authentication
for the new Captive Portal VNS.
g) Enable DHCP – Select this checkbox to enable DHCP services for this
new Captive Portal VNS.
If configuring a bridge traffic locally at HWC external Captive Portal VNS
Do the following:
a) Interface – Click the physical port that provides the access to the VLAN.
b) Interface IP address – Type the IP address of the HiPath Wireless
Controller’s interface on the VLAN.
302
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
c) Mask – Type the appropriate subnet mask for this IP address to separate
the network portion from the host portion of the address (typically
255.255.255.0).
d) VLAN ID – Type the VLAN tag to which the HiPath Wireless Controller will
be bridged for the VNS.
e) HWC Connection – Click the HiPath Wireless Controller IP address.
Also type the port of the HiPath Wireless Controller in the accompanying
box.
If there is an authentication server configured for this VNS, the external
Captive Portal page on the external authentication server will send the
request back to the HiPath Wireless Controller to allow the HiPath
Wireless Controller to continue with the RADIUS authentication and
filtering.
f)
Redirection URL – Type the URL to which the wireless device user will
be directed to after authentication.
g) Shared Secret – Type the password that is common to both the HiPath
Wireless Controller and the external Web server if you want to encrypt the
information passed between the HiPath Wireless Controller and the
external Web server.
h) Enable Authentication – Select this checkbox to enable authentication
for the new Captive Portal VNS.
i)
Enable DHCP – Select this checkbox to enable DHCP authentication for
the new Captive Portal VNS.
6. Click Next. The VNS wizard displays the appropriate configuration screens,
depending on your selection of the Enable Authentication and Enable
DHCP checkboxes.
7. If applicable, on the Authentication screen, do the following:
•
•
Radius Server – Click the RADIUS server you want to assign to the new
Captive Portal VNS, or click Add New Server and then do the following:
•
Server Alias – Type a name you want to assign to the new RADIUS
server.
•
Hostname/IP – Type either the RADIUS server’s FQDN (fully
qualified domain name) or IP address.
•
Shared Secret – Type the password that will be used to validate the
connection between the HiPath Wireless Controller and the RADIUS
server.
•
Mask/Unmask – Click to display or hide your shared secret key.
Roles – Select the authentication role options for the RADIUS server:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
303
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
Authentication – Select to enable the RADIUS server to perform
authentication on the Captive Portal VNS.
•
MAC-based Authentication – Select to enable the RADIUS server
to perform MAC-based authentication on the Captive Portal VNS.
If the MAC-based authentication option is enabled, select to enable
MAC-based authorization on roam, if applicable.
•
Accounting – Select to enable the RADIUS server to perform
accounting on the Captive Portal VNS.
8. Click Next.
9. If applicable, on the DHCP screen, do the following:
•
In the DHCP Option drop-down list, click one of the following:
•
Use DHCP Relay – Using DHCP relay forces the HiPath Wireless
Controller to forward DHCP requests to an external DHCP server on
the enterprise network. DHCP relay bypasses the local DHCP server
for the HiPath Wireless Controller and allows the enterprise to
manage IP address allocation to a VNS from its existing
infrastructure.
•
DHCP Servers – Type the IP address of the DHCP server to which
DHCP discover and request messages will be forwarded for clients on
this VNS. The HiPath Wireless Controller does not handle DHCP
requests from users, but instead forwards the requests to the
indicated DHCP server.
The DHCP server must be configured to match the VNS settings. In
particular for a Routed VNS, the DHCP server must identify the
HiPath Wireless Controller's interface IP as the default Gateway
(router) for the subnet. (Users intending to reach devices outside of
the subnet will forward the packets to the default gateway (controller)
for delivery upstream.)
•
Local DHCP Server – If applicable, edit the local DHCP server settings.
10. In the DNS Servers box, type the IP Address of the Domain Name Servers
to be used.
11. In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
12. Click Next. The Filtering screen is displayed.
13. On the Filtering screen, do the following:
•
In the Filter ID drop-down list, click one of the following:
•
304
Default – Controls access if there is no matching filter ID for a user.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
•
Exception – Protects access to the HiPath Wireless Controller’s own
interfaces, including the VNSs own interface. VNS exception filters
are applied to user traffic intended for the HiPath Wireless Controller's
own interface point on the VNS. These filters are applied after the
user's specific VNS state assigned filters.
•
Non-Authenticated – Controls network access and also used to
direct mobile users to a Captive Portal Web page for login.
14. In the Filter table, select the Allow or Deny option buttons for each filter if
applicable, and then select the Enable checkbox accordingly.
15. Click Next. The Privacy screen is displayed.
16. On the Privacy screen, do the following:
•
None – Select if you do not want to assign any privacy mechanism.
•
Static Keys – Select to configure static keys.
–
WEP Key Index – Click the WEP encryption key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX
Wireless APs.
–
WEP Key Length – Click the WEP encryption key length: 64 bit, 128
bit, or 152 bit.
–
Select one of the following input methods:
Input Hex – If you select Input Hex, type the WEP key input in the
WEP Key box. The key is generated automatically based on the
input.
Input String – If you select Input String, type the secret WEP key
string used for encrypting and decrypting in the WEP Key String box.
The WEP Key box is automatically filled by the corresponding Hex
code.
•
WPA-PSK – Select to use a Pre-Shared Key (PSK), or shared secret for
authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a
security solution that adds authentication to enhanced WEP encryption
and key management. WPA-PSK mode does not require an
authentication server. It is suitable for home or small office.
–
To enable WPA v1 encryption, select WPA v.1. If WPA v.1 is enabled,
click one of the following encryption types from the Encryption dropdown list:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
305
hwc_vnsconfiguration.fm
Configuring a VNS
Working with the VNS wizard to create a new VNS
Auto – The AP will advertise both TKIP and CCMP (Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol)
for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses
the encryption cipher AES (Advanced Encryption Standard). Auto is
the default.
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
–
To enable WPA v2-type encryption, select WPA v.2. The other options
for this drop-down list are:
Auto – If you click Auto, the Wireless AP advertises both TKIP and
CCMP (counter mode with cipher block chaining message
authentication code protocol). CCMP is an IEEE 802.11i encryption
protocol that uses the encryption cipher AES (Advanced Encryption
Standard).
AES only – If you click AES, the Wireless AP advertises CCMP as an
available encryption protocol. It will not advertise TKIP.
•
To enable re-keying after a time interval, select Broadcast re-key
interval. If this checkbox is not selected, the Broadcast encryption key is
never changed and the Wireless AP will always use the same broadcast
key for Broadcast/Multicast transmissions. This will reduce the level of
security for wireless communications.
–
•
In the Broadcast re-key interval box, type the time interval after
which the broadcast encryption key is changed automatically.
To enable the group key power save retry, select Group Key Power Save
Retry.
Note: The group key power save retry is only supported for AP36XX
Wireless APs.
•
In the Pre-shared key box, type the shared secret key to be used
between the wireless device and Wireless AP. The shared secret key is
used to generate the 256-bit key.
–
Mask/Unmask – Click to display or hide your shared secret key.
17. Click Next. The Radio Assignment screen is displayed.
18. On the Radio Assignment screen, do the following:
306
•
In the AP Default Settings section, select the radios of the AP default
settings profile that you want to broadcast the Captive Portal VNS.
•
In the AP Selection section, select the group of APs that will broadcast
the Captive Portal VNS:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
•
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
If applicable, select the WMM checkbox. WMM (Wi-Fi Multimedia), if
enabled on an individual VNS, provides multimedia enhancements that
improve the user experience for audio, video, and voice applications.
WMM is part of the 802.11e standard for QoS. If enabled, the AP will
accept WMM client associations, and will classify and prioritize the
downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
19. Click Next. The Summary screen is displayed.
20. Confirm your data VNS configuration. To revise your configuration, click
Back.
21. To create your VNS, click Finish, and then click Close.
22. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
6.5 Working with a GuestPortal VNS
A GuestPortal provides wireless device users with temporary guest network
services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. A HiPath
Wireless Controller is allowed only one GuestPortal-dedicated VNS at a time.
GuestPortal user accounts are administered by a GuestPortal manager. A
GuestPortal manager is a login group — GuestPortal manager’s must have their
accounts created for them on the HiPath Wireless Controller. For more
information, see Section 12.2.1, “Working with GuestPortal Guest
administration”, on page 485
The GuestPortal VNS is a Captive Portal authentication-based VNS that uses a
database on the HiPath Wireless Controller for managing user accounts. The
database is administered through a simple, user-friendly graphic user interface
that can be used by non-technical staff.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
307
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
The GuestPortal VNS can be a Routed or a Bridge Traffic Locally at the HWC
VNS, with SSID-based network assignment. The GuestPortal VNS is a simplified
VNS. It does not support the following:
•
RADIUS authentication or accounting
•
MAC-based authorization
•
Child VNS support
The GuestPortal VNS can be created as a new VNS or can be configured from
an already existing VNS. When you create a new VNS using the VNS wizard, you
configure the VNS in the following stages:
•
Basic settings
•
DHCP settings
•
Filter settings
•
Privacy settings
•
Radio assignment settings
•
Summary
Setting up a GuestPortal
Use the following high-level description to set up a GuestPortal on your system:
1. Create a GuestPortal VNS.
The GuestPortal VNS can be created as a new VNS or can be configured
from an already existing VNS. For more information, see Section 6.5.1,
“Creating a GuestPortal VNS”, on page 309.
2. Configure the GuestPortal ticket.
A GuestPortal account ticket is a print-ready form that displays the guest
account information, system requirements, and instructions on how to log on
to the guest account. For more information, see Section 12.2.1.7, “Working
with the GuestPortal ticket page”, on page 496.
3. Configure availability, if applicable.
Availability maintains service availability in the event of a HiPath Wireless
Controller outage. For more information, see Chapter 7, “Availability and
session availability”.
4. Create GuestPortal manager and user accounts.
For more information, see Section 12.2.1, “Working with GuestPortal Guest
administration”, on page 485
5. Manage your guest accounts and GuestPortal logs.
308
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
For more information, see the HiPath Wireless Controller, Access Points and
Convergence Software Maintenance Guide.
6.5.1 Creating a GuestPortal VNS
The GuestPortal VNS can be created as a new VNS or can be configured from
an already existing VNS. A HiPath Wireless Controller is allowed only one
GuestPortal-dedicated VNS at a time.
To create a GuestPortal VNS from an already existing VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, select and expand the Virtual Networks pane.
3. Click on the VNS you want to configure as a GuestPortal VNS. The VNS
configuration window Core tab is displayed.
4. Select a preconfigured WLAN Service and click Edit, or press New to create
a new WLAN Service.
5. In the Edit WLAN Service window, click the Auth & Acct tab.
6. In the Authentication Mode drop-down list, click GuestPortal.
7. To save your changes, click Save.
To create a new GuestPortal VNS using the VNS wizard:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the New pane, then click START VNS WIZARD. The
VNS Creation Wizard screen is displayed.
3. In the Name box, type a name for the GuestPortal VNS.
4. In the Category drop-down list, click Captive Portal, and then click Next. The
Basic Settings screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
309
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
5. Configure the VNS basic settings:
310
•
Enabled – By default, the Enabled checkbox for the new VNS is enabled.
A VNS must be enabled for it to be able to provide service for mobile user
traffic.
•
Type – In the drop-down list, click GuestPortal.
•
Mode – In the drop-down list, click one of the following the VNS modes:
•
Routed – User traffic is tunneled to the HiPath Wireless Controller.
–
In the Gateway box, type the HiPath Wireless Controller's own IP
address in that VNS. This IP address is the default gateway for the
VNS. The HiPath Wireless Controller advertises this address to the
wireless devices when they sign on. For routed VNSs, it corresponds
to the IP address that is communicated to mobile users (in the VNS)
as the default gateway for the VNS subnet. (Mobile users target the
HiPath Wireless Controller's interface in their effort to route packets
to an external host).
–
In the Mask box, type the appropriate subnet mask for this IP address
to separate the network portion from the host portion of the address
(typically 255.255.255.0).
•
Bridge Traffic Locally at the HWC – User traffic is tunneled to the
HiPath Wireless Controller and is directly bridged at the controller to
a specific VLAN. With this VNS type, mobile users become a natural
extension of a VLAN subnet. For each Bridge Traffic Locally at HWC
VNS that is created, a VLAN needs to be specified. In addition, the
network port on which the VLAN is assigned must be configured on
the switch, and the corresponding HiPath Wireless Controller
interface must match the correct VLAN.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
–
In the Interface drop-down list, click the physical interface that
provides the access to the VLAN.
–
In the Interface IP address box, type the IP address of the HiPath
Wireless Controller’s interface on the VLAN.
–
In the Mask box, type the appropriate subnet mask for this IP address
to separate the network portion from the host portion of the address
(typically 255.255.255.0).
–
In the VLAN ID box, type the VLAN tag to which the HiPath Wireless
Controller will be bridged for the VNS.
–
If applicable, select the Enable DHCP checkbox.
6. Click Next. The DHCP screen is displayed.
If DHCP is disabled, continue with step 11 on page 312. The Filtering screen
is displayed.
7. Configure the DHCP settings. In the DHCP Option drop-down list, click one
of the following:
•
Use DHCP Relay – Using DHCP relay forces the HiPath Wireless
Controller to forward DHCP requests to an external DHCP server on the
enterprise network. DHCP relay bypasses the local DHCP server for the
HiPath Wireless Controller and allows the enterprise to manage IP
address allocation to a VNS from its existing infrastructure.
•
DHCP Servers – Type the IP address of the DHCP server to which
DHCP discover and request messages will be forwarded for clients on
this VNS. The HiPath Wireless Controller does not handle DHCP
requests from users, but instead forwards the requests to the
indicated DHCP server.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
311
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
The DHCP server must be configured to match the VNS settings. In
particular for a Routed VNS, the DHCP server must identify the
HiPath Wireless Controller's interface IP as the default Gateway
(router) for the subnet. (Users intending to reach devices outside of
the subnet will forward the packets to the default gateway (controller)
for delivery upstream.)
•
Local DHCP Server – If applicable, edit the local DHCP server settings.
8. In the DNS Servers box, type the IP Address of the Domain Name Servers
to be used.
9. In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
10. Click Next. The Filtering screen is displayed.
11. Configure the VNS filtering settings:
12. In the Filter ID drop-down list, click one of the following:
•
Authenticated – Controls network access after the user has been
authenticated.
•
Non-authenticated – Controls network access and to direct users to a
Captive Portal Web page for login.
13. In the Filter table, select the Enable checkbox for the desired filters, then
select the Allow or Deny option buttons for each filter as needed.
14. At the bottom of the Filter list, select Allow or Deny for All Other Traffic.
15. Click Next. The Privacy screen is displayed.
16. Configure the VNS Privacy settings:
•
312
None – Select if you do not want to assign any privacy mechanism.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
•
Static Keys (WEP) – Select to use keys on the VNS that match the WEP
mechanism used on the rest of the network. Each AP can participate in
up to 50 VNSs. For each VNS, only one WEP key can be specified. It is
treated as the first key in a list of WEP keys.
•
From the WEP Key Index drop-down list, click the WEP encryption
key index: 1, 2, 3, or 4.
Note: Specifying the WEP key index is supported only for AP36XX
Wireless APs.
•
From the WEP Key Length drop-down list, click the WEP encryption
key length: 64 bit, 128 bit, or 152 bit.
•
Input Method – Select one of the following:
Input Hex – If you select Input Hex, type the WEP key input in the
WEP Key box. The key is generated automatically, based on the
input.
Input String – If you select Input String, type the secret WEP key
string used for encrypting and decrypting in the Strings box. The
WEP Key box is automatically filled by the corresponding Hex code.
•
WPA-PSK – Select to use a Pre-Shared Key (PSK), or shared secret for
authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared key) is a
security solution that adds authentication to enhanced WEP encryption
and key management. WPA-PSK mode does not require an
authentication server. It is suitable for home or small office.
•
To enable WPA v1 encryption, select WPA v.1. If WPA v.1 is enabled, click
one of the following encryption types from the Encryption drop-down list:
•
•
Auto – The AP will advertise both TKIP and CCMP (Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol)
for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses
the encryption cipher AES (Advanced Encryption Standard). Auto is
the default.
•
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
To enable WPA v2-type encryption, select WPA v.2. The other options for
this drop-down list are:
•
Auto – If you click Auto, the Wireless AP advertises both TKIP and
CCMP (counter mode with cipher block chaining message
authentication code protocol). CCMP is an IEEE 802.11i encryption
protocol that uses the encryption cipher AES (Advanced Encryption
Standard). Auto is the default.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
313
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
•
AES only – If you click AES, the Wireless AP advertises CCMP as an
available encryption protocol. It will not advertise TKIP.
•
To enable re-keying after a time interval, select Broadcast re-key
interval. If this checkbox is not selected, the Broadcast encryption key is
never changed and the Wireless AP will always use the same broadcast
key for Broadcast/Multicast transmissions. This will reduce the level of
security for wireless communications.
•
In the Broadcast re-key interval box, type the time interval after which
the broadcast encryption key is changed automatically. The default is
3600.
•
To enable the group key power save retry, select Group Key Power Save
Retry.
Note: The group key power save retry is only supported for AP36XX
Wireless APs.
•
In the Pre-shared key box, type the shared secret key to be used
between the wireless device and Wireless AP. The shared secret key is
used to generate the 256-bit key.
•
Mask/Unmask – Click to display or hide your shared secret key.
17. Click Next. The Radio Assignment screen is displayed.
18. Configure the radio assignments:
314
•
In the AP Default Settings section, select the radios of the AP default
settings profile that you want to broadcast the VNS.
•
In the AP Selection section, select the group of APs that will broadcast
the VNS:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a GuestPortal VNS
•
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
If applicable, select the WMM checkbox. WMM (Wi-Fi Multimedia), if
enabled on an individual VNS, provides multimedia enhancements that
improve the user experience for audio, video, and voice applications.
WMM is part of the 802.11e standard for QoS. If enabled, the AP will
accept WMM client associations, and will classify and prioritize the
downlink traffic for all WMM clients. WMM clients will also classify and
prioritize the uplink traffic.
19. Click Next. The Summary screen is displayed.
20. Confirm your VNS configuration. To revise your configuration, click Back.
21. To create your VNS, click Finish, and then click Close.
If the HiPath Wireless Controller is configured to be part of an availability pair,
you can chose to synchronize the VNS on the secondary HiPath Wireless
Controller.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
315
hwc_vnsconfiguration.fm
Configuring a VNS
Creating a VNS using the advanced method
22. If applicable, you can continue to configure or edit the new VNS by clicking
the individual VNS configuration tabs.
6.6 Creating a VNS using the advanced method
Advanced configuration allows administrators to create a new VNS once the
topology, policy, and WLAN services required by the VNS parameters are
available. The topology, policy and WLAN services could be created in advance
or could be created at the time of VNS configuration.
When you create a new VNS, additional tabs are displayed depending on the
selections made in the Core box of the main VNS configuration tab.
When configuring a VNS, you can navigate between the various VNS tabs and
define your configuration without having to save your changes on each individual
tab. After your VNS configuration is complete, click Save on any VNS tab to save
your complete VNS configuration.
Note: If you navigate away from the VNS Configuration tabs without saving your
VNS changes, your VNS configuration changes will be lost.
The following procedure lists the steps necessary to create a VNS in advanced
mode. Each step references a section in this document that describes the full
details. Follow the links provided to go directly to the appropriate sections.
To create a VNS using advanced configuration:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the Virtual Networks pane and select an existing
VNS to edit, or click the New button.
3. Enter a name for the VNS.
4. Select an existing WLAN Service for the VNS, or create a new WLAN Service,
or edit an existing one.
For more information, see Section 6.9, “Configuring WLAN Services”, on
page 331.
5. Configure the Default Policies for the VNS. Select existing policies, or create
new policies, or edit existing ones.
For more information, see:
316
•
Section 6.10, “Configuring Policy”, on page 377.
•
Section 6.8, “Configuring a Topology”, on page 319.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with existing VNSs
6. Configure the Status parameters for the VNS:
•
Synchronize – Enable automatic synchronization with its availability
peer. Refer to Section 6.2.7, “Using the Sync Summary”, on page 278 for
information about viewing synchronization status. If this VNS is part of an
availability pair, Siemens recommends that you enable this feature.
•
Restrict Policy Set – This feature provides backward compatibility for
legacy VNSs that were upgraded from software releases prior to V7.0.
When it is enabled, the controller respects the prior hierarchical view of
parent/child VNSs and maps external references to properly named (that
is, hierarchically named) Policies.
•
Enabled – Check to enable the VNS.
7. Click Save to save your changes.
6.7 Working with existing VNSs
When you work with an existing VNS, you can do the following:
•
Enabling and disabling a VNS
•
Renaming a VNS
•
Deleting a VNS
Also, as with creating a new VNS, you can:
•
Configure a topology for the VNS
•
Configure a policy for the VNS
•
Configure WLAN services for the VNS
•
Configure additional policies for the VNS
6.7.1 Enabling and disabling a VNS
By default, when a new VNS is created, the VNS is added to the system as an
enabled VNS. A VNS can be enabled or disabled. Disabling a VNS provides the
ability to temporarily stop wireless service on a VNS. The disabled VNS
configuration remains in the database for future use.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
317
hwc_vnsconfiguration.fm
Configuring a VNS
Working with existing VNSs
A HiPath Wireless Controller can support the following VNSs:
Platform
Active VNSs
Defined VNSs
C5110
128
256
C4110
64
128
C2400
64
128
C20/C20N
16
CRBT8210
16
32
CRBT8110
16
Table 23
HiPath Wireless Controller active and defined VNS support
To enable or disable a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Virtual Networks pane, then select the VNS you
want to either enable or disable.
3. On the Core tab, in the Status box, select or de-select the Enabled checkbox.
4. Click Save. The VNS is enabled or disabled accordingly.
6.7.2 Renaming a VNS
To rename a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Virtual Networks pane, then select the VNS you
want to rename.
3. On the Core tab, in the VNS Name field, enter the new name.
4. Click Save. The VNS is renamed.
6.7.3 Deleting a VNS
You can delete a VNS that is no longer necessary.
To delete a VNS:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Virtual Networks pane, then select the VNS you
want to rename.
318
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
3. On the Core tab, click the Delete button. A pop-up window prompts you to
confirm you want to delete the VNS. Click OK.
4. Click Save. The VNS is deleted.
6.8 Configuring a Topology
Topology configuration is independent of the WLAN services or Policies that are
defined in the system. You can navigate to the Topology configuration page from
either Wireless Controller Configuration or Virtual Network Configuration options
of the HiPath Wireless Assistant main menu. Also, the Policy definition page
allows the user to edit or create a Topology definition at any time.
Topologies are not activated until they are referenced by a Policy. Creating an
interface on a VLAN will not take effect until a Policy references its usage.
Topologies cannot be deleted while they are active (that is, referenced by a
Policy).
On the Topology configuration page, the key field is the Mode, which determines
some of the other factors of the topology. When you have completed defining the
topology for your VNS, save the topology settings. Once your topology is saved,
you can then access the remaining VNS tabs and continue configuring your VNS.
On the Topology configuration page, a number of parameters related to network
topology can be defined:
•
VLAN ID and associated L2 port
•
L3 (IP) interface presence and the associated IP address and subnet range
•
The rules for using DHCP
•
Enabling or disabling the use of the associated interface for
management/control traffic
•
Selection of an interface for AP registration
•
Multicast filter definition
•
Exception filter definition.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
319
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
6.8.1 Configuring a basic topology
The configuration procedure below is sufficient to create and be able to save a
new topology. Optional configuration options are described in the following
sections.
To configure a basic topology:
1. From the main menu, click either Wireless Controller Configuration or
Virtual Network Configuration. Then, in the left pane, select Topology. The
Topologies window displays.
2. If you want to edit an existing topology, select the desired topology. If you
want to create a new topology, click the New button. Depending on your
selection, two or three tabs are displayed.
3. On the General tab, enter a name for the topology in the Name field.
4. Select a mode of operation from the Mode drop-down list. Choices are:
•
Routed – Routed topologies do not need any Layer 2 configuration, but
do require Layer 3 configuration. See Section 6.8.2, “Layer 3
configuration”, on page 322 for more information.
•
Bridge Traffic Locally at AP – Requires Layer 2 configuration. Does not
require Layer 3 configuration. Bridge Traffic at the AP VNSs do not
require the definition of a corresponding IP address since all traffic for
users in that VNS will be directly bridged by the Wireless AP at the local
network point of attachment (VLAN at AP port).
•
Bridge Traffic Locally at HWC – Requires Layer 2 configuration. May
optionally have Layer 3 configuration. Layer 3 configuration would be
necessary if services (such as DHCP, captive portal, etc.) are required
over the configured network segment, or if controller management
operations are intended to be done through the configured interface.
5. Configure the Layer 2 parameters, depending on the previously selected
Mode.
•
For Bridge Traffic Locally at HWC, enter a VLAN identifier that is valid
for your system and enter the port to which this VLAN is attached to,
according to the networking deployment model pre-established during
planning.
•
For Bridge Traffic Locally at AP, enter a VLAN identifier that is valid for
your system, and specify whether the VLAN configuration is Tagged or
Untagged.
6. Click Save to save your changes.
These steps are sufficient to create and save a topology. The following
configuration options are optional and depend on the mode of the topology.
320
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
6.8.1.1 Physical Port Topologies
Starting with V7.0, “Physical Ports” refers to the data plane physical ports. The
attributes of a physical port are:
•
Administrative status (read-write)
•
Name (read-only)
•
MAC address (read-only)
•
MTU size
•
Multicast Support for Routed VNS
Physical port topologies are pre-defined by the HiPath Wireless Controller and
cannot be removed from the HiPath Wireless Controller configuration. By default,
all physical ports are set with multicast support for Routed VNS disabled. At most,
one non-management plane port can be enabled for the multicast support for
Routed VNS. This can be configured on the new physical port GUI.
6.8.1.2 Enabling management traffic
If management traffic is enabled for a VNS, it overrides the built-in exception
filters that prohibit traffic on the HiPath Wireless Controller data interfaces. For
more information, see Section 6.10, “Configuring Policy”, on page 377.
To enable management traffic for a topology:
1. From the main menu, click either Wireless Controller Configuration or
Virtual Network Configuration. Then, in the left pane, select Topology or
Topologies. The Topologies window displays.
2. Select the desired physical or routed topology. If the Layer 3 parameters are
not displayed, check the Layer 3 checkbox.
3. Select the Management Traffic checkbox.
4. To save your changes, click Save.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
321
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
6.8.2 Layer 3 configuration
This section describes configuring IP addresses, DHCP options, Next Hop and
OSPF parameters, for Physical port, Routed, and Bridge Traffic Locally at HWC
topologies.
6.8.2.1 IP address configuration
The L3 (IP) address definition is only required for Physical port and Routed
topologies. For Bridge Traffic Locally at HWC topologies, L3 configuration is
optional. L3 configuration would be necessary if services (such as DHCP, captive
portal, etc.) are required over the configured network segment or if controller
management operations are intended to be done through the configured
interface.
Bridge Traffic Locally at AP VNSs do not require the definition of a corresponding
IP address since all traffic for users in that VNS will be directly bridged by the
Wireless AP at the local network point of attachment (VLAN at AP port).
To define the IP address for the topology:
1. From the main menu, click Wireless Controller Configuration and then
from the left pane select Topology. Alternatively, from the main menu select
Virtual Network Configuration and then press Topologies button.
2. If already defined, click the topology you want to define the IP address for.
The Topology window is displayed. Alternatively, press the New button to
create a new topology. Depending on the preselected options, two or three
tabs are displayed.
3. For IP interface configuration for Routed topologies, configure the following
Layer 3 parameters.
a) In the Gateway field, type the HiPath Wireless Controller's own IP
address in that VNS. This IP address is the default gateway for the VNS.
The HiPath Wireless Controller advertises this address to the wireless
devices when they sign on. For routed VNSs, it corresponds to the IP
address that is communicated to MUs (in the VNS) as the default gateway
for the VNS subnet. (MUs target the HiPath Wireless Controller's
interface in their effort to route packets to an external host).
b) In the Mask field, type the appropriate subnet mask for the IP address. to
separate the network portion from the host portion of the address
(typically, 255.255.255.0).
c) If necessary, configure the MTU value. Typically, you will not change this
value from the default.
d) If desired, enable Management traffic.
322
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
4. For IP interface configuration for Bridge Traffic Locally at HWC topologies,
configure the following Layer 3 parameters.
a) In the Interface IP field, type the IP address that corresponds to the
HiPath Wireless Controller's own point of presence on the VLAN. In this
case, the controller's interface is typically not the gateway for the subnet.
The gateway for the subnet is the infrastructure router defined to handle
the VLAN.
b) In the Mask field, type the appropriate subnet mask for the IP address. to
separate the network portion from the host portion of the address
(typically, 255.255.255.0).
c) Configure Strict Subnet Adherence.
d) If necessary, configure the MTU value. Typically, you will not change this
value from the default.
e) If desired, configure AP Registration. If selected, Wireless APs can use
this port for discovery and registration.
f)
If desired, enable Management traffic.
6.8.2.2 DHCP configuration
On the Topology page, define parameters for DHCP.
DHCP IP assignment is not applicable to Bridge Traffic Locally at AP mode
since all traffic for users in that VNS will be directly bridged by the Wireless AP at
the local network point of attachment (VLAN at AP port). DHCP assignment is
disabled by default for Bridged to VLAN mode. However, you can enable DHCP
server/relay functionality to have the controller service the IP addresses for the
VLAN (and wireless users).
To configure DHCP options:
1. On the Topology page, from the DHCP drop-down list, select one of the
following options and click the Configure button.
•
Local Server if the HiPath Wireless Controller's local DHCP server is
used for managing IP address allocation.
•
Use Relay if the HiPath Wireless Controller forwards DHCP requests to
an external DHCP server on the enterprise network. DHCP relay
bypasses the local DHCP server for the HiPath Wireless Controller and
allows the enterprise to manage IP address allocation to a VNS from its
existing infrastructure.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
323
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
2. If you selected Local Server, the following window displays. Configure the
following parameters:
a) In the Domain Name box, type the external enterprise domain name
server to be used.
b) In the Lease default box, type the default time limit. The default time limit
dictates how long a wireless device can keep the DHCP server assigned
IP address. The default value is 36000 seconds (10 hours).
c) In the DNS Servers box, type the IP Address of the Domain Name
Servers to be used.
d) In the WINS box, type the IP address if the DHCP server uses Windows
Internet Naming Service (WINS).
e) Check the Enable DLS DHCP Option checkbox if you expect optiPoint
WL2 wireless phone traffic on the VNS. HiPath DLS (HiPath Deployment
Service) is an application that provides configuration management and
software deployment and licensing for optiPoint WL2 phones. For more
information, see Appendix C, “optiPoint WL2 Configuration”.
f)
In the Gateway field, type the HiPath Wireless Controller’s own IP
address in that topology. This IP address This IP address is the default
gateway for the topology. The HiPath Wireless Controller advertises this
address to the wireless devices when they sign on. For routed topologies,
it corresponds to the IP address that is communicated to Wireless clients
as the default gateway for the subnet. (wireless clients target the HiPath
Wireless Controller's interface in their effort to route packets to an
external host).
For a Bridge traffic locally at the HWC topology, the IP address
corresponds to the HiPath Wireless Controller's own point of presence on
the VLAN. In this case, the controller's interface is typically not the
gateway for the subnet. The gateway for the subnet is the infrastructure
router defined to handle the VLAN.
g) The Address Range boxes (from and to) populate automatically with the
range of IP addresses to be assigned to wireless devices using this VNS,
based on the IP address you provided.
324
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
•
•
To modify the address in the Address Range from box, type the first
available address.
•
To modify the address in the Address Range to box, type the last
available address.
•
If there are specific IP addresses to be excluded from this range, click
Exclusion(s). The DHCP Address Exclusion dialog is displayed.
In the DHCP Address Exclusion dialog, do one of the following:
–
To specify an IP range, type the first available address in the From
box and type the last available address in the to box. Click Add for
each IP range you provide.
–
To specify an IP address, select the Single Address option and type
the IP address in the box. Click Add for each IP address you provide.
–
To save your changes, click OK. The DHCP Address Exclusion dialog
closes.
h) The Broadcast Address box populates automatically based on the
Gateway IP address and subnet mask of the VNS.
i)
Click Close.
3. If you selected Use Relay, the following window displays.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
325
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
a) in the DHCP Servers box, type the IP address of the DHCP server to
which DHCP discover and request messages will be forwarded for clients
on this VNS. The HiPath Wireless Controller does not handle DHCP
requests from users, but instead forwards the requests to the indicated
DHCP server.
Note: The DHCP Server must be configured to match the topology settings.
In particular for Routed topologies, the DHCP server must identify the HiPath
Wireless Controller's interface IP as the default Gateway (router) for the
subnet. (Users intending to reach devices outside of the subnet will forward
the packets to the default gateway (controller) for delivery upstream.)
4. To save your changes, click Save.
6.8.2.3 Defining a next hop route and OSPF advertisement
The next hop definition allows the administrator to define a specific host as the
target for all non-VNS targeted traffic for users in a VNS. The next hop IP
identifies the target device to which all VNS (user traffic) will be forwarded to.
Next-hop definition supersedes any other possible definition in the routing table.
If the traffic destination from a wireless device on a VNS is outside of the VNS, it
is forwarded to the next hop IP address, where this router applies policy and
forwards the traffic. This feature applies to unicast traffic only. In addition, you can
also modify the Open Shortest Path First (OSPF) route cost.
OSPF is an interior gateway routing protocol developed for IP networks based on
the shortest path first or link-state algorithm. Using OSPF, a host that obtains a
change to a routing table or detects a change in the network immediately
distributes the information to all other hosts in the network so that all will have the
same routing table information. The host using OSPF sends only the part that has
changed, and only when a change has taken place.
To define a next hop route and OSPF advertisement:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the Topologies pane, then click the routed Topology
you want to define a next-hop route for. The Topology tab is displayed.
3. In the Layer 3 area, click the Configure button. The DHCP configuration
dialog window displays.
326
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
4. In the Next Hop Address box, type the IP address of the next hop router on
the network through which you wish all traffic on the VNS using this Topology
to be directed.
5. In the OSPF Route Cost box, type the OSPF cost of reaching the VNS
subnet.
The OSPF cost value provides a relative cost indication to allow upstream
routers to calculate whether or not to use the HiPath Wireless Controller as a
better fit or lowest cost path to reach devices in a particular network. The
higher the cost, the less likely of the possibility that the HiPath Wireless
Controller will be chosen as a route for traffic, unless that HiPath Wireless
Controller is the only possible route for that traffic.
6. To disable OSPF advertisement on this VNS, select the Disable OSPF
Advertisement checkbox.
7. Click Close.
8. To save your changes, click Save.
6.8.3 Exception filtering
The exception filter provides a set of rules aimed at restricting the type of traffic
that is delivered to the controller. By default, your system is shipped with a set of
restrictive filtering rules that help control access through the interfaces to only
absolutely necessary services.
By configuring to allow management on an interface, an additional set of rules is
added to the shipped filter rules that provide access to the system's management
configuration framework (SSH, HTTPS, SNMP Agent). Most of this functionality
is handled directly behind the scenes by the system, rolling and un-rolling canned
filters as the system's topology and defined access privileges for an interface
change.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
327
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
Note: An interface for which Allow Management is enabled, can be reached by
any other interface. By default, Allow Management is disabled and shipped
interface filters will only permit the interface to be visible directly from it's own
subnet.
The visible exception filter definitions, both in physical ports and topology
definitions, allow administrators to define a set of rules to be prepended to the
system's dynamically updated exception filter protection rules. Rule evaluation is
performed top to bottom, until an exact match is determined. Therefore, these
user-defined rules are evaluated before the system’s own generated rules. As
such, these user-defined rules may inadvertently create security lapses in the
system's protection mechanism or create a scenario that filters out packets that
are required by the system.
Note: Use exception filters only if absolutely necessary. Siemens recommends
that you avoid defining general allow all or deny all rule definitions since those
definitions can easily be too liberal or too restrictive to all types of traffic.
The exception rules are evaluated in the context of referring to the specific
controller's interface. The destination address for the filter rule definition is
typically defined as the interface's own IP address. The port number for the filter
definition corresponds to the target (destination) port number for the applicable
service running on the controller's management plane.
The exception filter on an topology applies only to the destination portion of the
packet. Traffic to a specified IP address and IP port is either allowed or denied.
Adding exception filtering rules allows network administrators to either tighten or
relax the built-in filtering that automatically drops packets not specifically allowed
by filtering rule definitions. The exception filtering rules can deny access in the
event of a DoS attack, or can allow certain types of management traffic that would
otherwise be denied. Typically, Allow Management is enabled.
To define exception filters:
1. On the Topology page, click the Exception Filters tab.
2. To add a new filter, click the Add button.
328
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
3. For each filtering rule you are defining, do the following:
•
In the IP/subnet:port box, type the destination IP address. You can also
specify an IP range, a port designation, or a port range on that IP address.
•
In the Protocol drop-down list, click the applicable protocol. The default
is N/A.
•
Click OK to add the user-defined rule to the rule table.
4. To add a predefined filter, click the Add Predefined button, then select the
desired filter from the drop-down list. Click Add to add the rule to the rule
table.
5. By default, user-defined rules are enabled on ingress (In) and egress (Out),
and are assumed to be Allow rules. To disable the rule in either direction, or
to make it a Deny rule, click the new filter, then de-select the relevant
checkbox.
6. To edit the order of filters, click the filter, and then click the Up and Down
buttons. The filtering rules are executed in the order you define here.
7. To delete a user-defined rule, click the filter, then click the Delete button.
8. To save your changes, click Save.
Note: For external Captive Portal, you need to add an external server to a
non-authentication filter.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
329
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring a Topology
6.8.4 Multicast filtering
A mechanism that supports multicast traffic can be enabled as part of a topology
definition. This mechanism is provided to support the demands of VoIP and IPTV
network traffic, while still providing the network access control.
Note: To use the mobility feature with this topology, you must select the Enable
Multicast Support checkbox for the data port.
Define a list of multicast groups whose traffic is allowed to be forwarded to and
from the VNS using this topology. The default behavior is to drop the packets. For
each group defined, you can enable Multicast Replication by group.
Note: Before enabling multicast filters and depending on the topology, you may
need to define which physical interface to use for multicast relay. Define the
multicast port on the IP Addresses tab. For more information, see Section 3.4.3,
“Setting up the data ports”, on page 55.
To enable multicast for a topology:
1. On the Topology page, click the Multicast Filters tab.
2. To enable the multicast function, select Enable Multicast Support.
3. Define the multicast groups by selecting one of the radio buttons:
•
IP Group – Type the IP address range.
•
Defined groups – Click from the drop-down list.
4. Click Add. The group is added to the list above.
330
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
5. To enable the wireless multicast replication for this group, select the
corresponding Wireless Replication checkbox.
6. To modify the priority of the multicast groups, click the group row, and then
click the Up or Down buttons.
A Deny All rule is automatically added as the last rule, IP = *.*.*.* and the
Wireless Replication checkbox is not selected. This rule ensures that all
other traffic is dropped.
7. To save your changes, click Save.
Note: The multicast packet size should not exceed 1450 bytes.
6.9 Configuring WLAN Services
A WLAN Service represents all the RF, authentication and QoS attributes of a
wireless access service. The WLAN Service can be one of the following types:
•
Standard — A conventional service. Only APs running HiPath Wireless
software can be part of this WLAN Service. This type of service is usable as
a Bridged @ Controller, Bridged @ AP, or Routed VNS. This type of service
provides access for mobile stations. Therefore, policies can be assigned to
this type of WLAN service to create a VNS.
•
Third Party AP — A wireless service offered by third party APs. This type of
service provides access for mobile stations. Therefore, policies can be
assigned to this type of WLAN service to create a VNS.
•
WDS — A group of APs organized into a hierarchy for purposes of providing
a Wireless Distribution Service. This type of service is in essence a wireless
trunking service rather than a service that provides access for stations. As
such, this service cannot have policies attached to it.
•
Remote — A service that resides on the edge (foreign) HiPath Wireless
Controller. This service is paired with a remoteable service on the home
HiPath Wireless Controller and should have the same SSID name and
privacy as home remoteable service.
Any WLAN Service/VNS can be a remoteable service, though deployment
preference is given to tunneled topologies (Bridged@Controller and Routed).
To reduce the amount of information distributed across the domain, you will
explicitly select which WLAN Services are available from one controller to any
other controller in the domain.
The WLAN Service remoteable property is synchronized with the availability
peer, making the WLAN service published by both controllers.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
331
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
The following types of authentication are supported for remote WLAN
services:
–
None
–
Internal/External CP
–
Guest Portal
–
AAA/802.1x
With the introduction of V7.0, the components of the WLAN Service map more or
less completely to the corresponding components of a VNS in V6Rx. The
exception is that WLAN Services are not classified as SSID-based or AAA-based,
as they were in V6Rx. Instead, the administrator makes an explicit choice of the
type of authentication to use on the WLAN Service. If the choice of authentication
option conflicts with any of the other authentication or privacy choices, the WLAN
Service cannot be enabled.
6.9.1 Configuring a WLAN Service
This section describes how to create a new or edit an existing WLAN Service,
including assigning Wireless APs to the service. Following sections describe how
to configure Privacy, Authentication and Accounting, and QoS for a WLAN
Service.
6.9.1.1 Third-party AP WLAN Service Type
For more information, see Chapter 9, “Working with third-party APs”.
A third-party AP WLAN Service allows for the specification of a segregated
subnet by which non-HiPath Wireless APs are used to provide RF services to
users while still utilizing the HiPath Wireless Controller for user authentication and
user policy enforcement.
Note: Third-party AP devices are not fully integrated with the system and
therefore must be managed individually to provide the correct user access
characteristics.
The definition of third-party AP identification parameters allows the system to be
able to differentiate the third-party AP device (and corresponding traffic) from
user devices on that segment. Devices identified as third-party APs are
considered pre-authenticated, and are not required to complete the
corresponding authentication verification stages defined for users in that segment
(typically Captive Portal enforcement).
332
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
In addition, third-party APs have a specific set of filters (third-party) applied to
them by default, which allows the administrator to provide different traffic access
restrictions to the third-party AP devices for the users that use those resources.
The third-party filters could be used to allow access to third-party APs
management operations (for example, HTTP, SNMP).
6.9.1.2 Configuring a basic WLAN service
To configure a WLAN service:
1. From the main menu, click either Wireless Controller Configuration or
Virtual Network Configuration. Then, in the left pane, select WLAN
Services. The WLAN Services window displays.
2. If you want to edit an existing service, select the desired service from the left
pane. If you want to create a new service, click the New button. The WLAN
Services configuration window displays.
3. In the Core area, do the following:
a) Enter the Name of the service.
b) Select the Service Type.
c) Enter the SSID.
If you are creating a remote WLAN service, select the SSID of the
remoteable service that this remote service will be paired with.
d) If you selected Remote as the Service Type, select the Privacy type.
4. If you set Service Type as either Standard or Remote, select Synchronize,
in the Status area, if desired. Enabling this feature allows availability pairs to
be synchronized automatically.
The WLAN service is enabled by default.
5. Click Save. If you are creating a new service, the WLAN Services
configuration window is redisplayed, allowing you to assign Wireless APs to
the service.
6.9.1.3 Assigning an optional default topology to a service
A WLAN service uses the topology of the policy assigned to the VNS, if such a
topology is defined. If the policy doesn't define a topology, you can assign an
existing topology as the default topology to the WLAN service. If you choose not
to assign a default topology to the WLAN service, the WLAN service will use the
topology of the global default policy (by default, Bridged at AP Untagged).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
333
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
Note: You cannot assign a default topology to a WDS, 3rd party, or remote WLAN
service.
1. If the WLAN Service configuration page is not already displayed, from the
main menu, click either Wireless Controller Configuration or Virtual
Network Configuration. Then, in the left pane, select WLAN Services. The
WLAN Services window displays.
2. Select the desired standard service to edit from the left pane. The WLAN
Service configuration page is displayed.
3. In the Core area, select a topology from the Default Topology list.
If an appropriate topology does not exist, click New Topology to create a
topology.
4. Click Save.
6.9.1.4 Assigning Wireless APs to a service
1. If the WLAN Service configuration page is not already displayed, from the
main menu, click either Wireless Controller Configuration or Virtual
Network Configuration. Then, in the left pane, select WLAN Services. The
WLAN Services window displays.
2. Select the desired service to edit from the left pane. The WLAN Service
configuration page is displayed.
Note: If two HiPath Wireless Controllers have been paired for availability (for
more information, see Section 7.1, “Availability”, on page 407), each HiPath
Wireless Controller's registered Wireless APs are displayed as foreign in the
list of available Wireless APs on the other HiPath Wireless Controller.
334
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
3. In the Wireless APs area, assign the Wireless APs’ Radios to the service by
selecting the individual radios’ checkboxes.
You can also use the Select APs list, to select APs and their radios by
grouping:
•
all radios – Click to assign all of the APs’ radios.
•
radio 1 – Click to assign only the APs’ Radio 1.
•
radio 2– Click to assign only the APs’ Radio 2.
•
local APs - all radios – Click to assign only the local APs.
•
local APs - radio 1 – Click to assign only the local APs’ Radio 1.
•
local APs - radio 2 – Click to assign only the local APs’ Radio 2.
•
foreign APs - all radios – Click to assign only the foreign APs.
•
foreign APs - radio 1 – Click to assign only the foreign APs’ Radio 1.
•
foreign APs - radio 2 – Click to assign only the foreign APs’ Radio 2.
•
clear all selections – Click to clear all of the AP radio assignments.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
335
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
original selections – Click to return to the AP radio selections prior to the
most recent save.
Note: You can assign the Radios of all three Wireless AP variants — HiPath
Wireless AP, HiPath Wireless Outdoor AP, and Wireless 802.11n AP — to
any VNS.
4. Click Advanced. The Advanced dialog is displayed.
5. In the RF area, do the following:
•
Suppress SSID – Select to prevent this SSID from appearing in the
beacon message sent by the Wireless AP. The wireless device user
seeking network access will not see this SSID as an available choice, and
will need to specify it.
•
Enable 11h support – Select to enable TPC (Transmission Power
Control) reports. By default this option is disabled. Siemens recommends
that you enable this option.
•
Apply power reduction to 11h clients – Select to enable the
Wireless AP to use reduced power (as does the 11h client). By default
this option is disabled. Siemens recommends that you enable this
option.
•
Process client IE requests – Select to enable the Wireless AP to accept
IE requests sent by clients via Probe Request frames and responds by
including the requested IE’s in the corresponding Probe Response
frames. By default this option is disabled. Siemens recommends that you
enable this option.
•
Energy Save Mode – Select to reduce the number of beacons the AP
transmits on a BSSID when no client is associated with the BSSID. This
reduces both the power consumption of the AP and the interference
created by the AP when no client is associated.
6. In the Timeout area, do the following:
336
•
Idle: (pre) – Specify the amount of time in minutes that a Mobile user can
have a session on the controller in pre-authenticated state but no active
traffic is passed. The session will be terminated if no active traffic is
passed within this time. The default value is 5 minutes.
•
Idle: (post) – Specify the amount of time in minutes that a Mobile user can
have a session on the controller in authenticated state but no active traffic
is passed. The session will be terminated if no active traffic is passed
within this time. The default value is 30 minutes.
•
Session – Specify the maximum number of minutes of service to be
provided to the user before termination of the session.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
7. In the Client Behavior area, select the Block Mu to MU traffic checkbox if
you want to prevent two devices associated with this SSID and registered as
users of the controller, to be able to talk to each other. The blocking is
enforced at the L2 (device) classification level.
8. The 802.1D Base Port number in the 802.1D area is the port number by
which NetSight recognizes the SSID. It is read-only.
9. In the Remote Service area, select Remoteable if you want to pair this
service with a remote service.
10. To save your changes, click Save.
You can view the WLAN Services that each radio is assigned to by clicking
the WLAN Assignment tab on the Wireless AP Configuration screen.
Once you have assigned a Wireless AP Radio to eight WLAN Services, it will not
appear in the list for another WLAN Service setup. Each Radio can support up to
eight SSIDs (16 per AP). Each AP can be assigned to any of the VNSs defined
within the system. The HiPath Wireless Controller can support the following
active VNSs:
•
C5110 – Up to 128 VNSs
•
C4110 – Up to 64 VNSs
•
C2400 – Up to 64 VNSs
•
C20 – Up to 8 VNSs
•
C20N – Up to 8 VNSs
•
CRBT8210 – Up to 8 VNSs
•
CRBT8110 – Up to 8 VNSs
6.9.2 Configuring privacy
Privacy is a mechanism that protects data over wireless and wired networks,
usually by encryption techniques. The HiPath Wireless Controller provides
several privacy mechanism to protect data over the WLAN.
There are five privacy options:
•
None
•
Static Wired Equivalent Privacy (WEP) – Keys for a selected VNS, so that
it matches the WEP mechanism used on the rest of the network. Each AP can
participate in up to 50 VNSs. For each VNS, only one WEP key can be
specified. It is treated as the first key in a list of WEP keys.
•
Dynamic Keys – The dynamic key WEP mechanism changes the key for
each user and each session.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
337
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
•
Wi-fi Protected Access (WPA)
–
version 1 with encryption by temporal key integrity protocol (TKIP)
–
version 2 with encryption by advanced encryption standard with countermode/CBC-MAC protocol (AES-CCMP)
Wi-Fi Protected Access (WPA) Pre-Shared key (PSK) – Privacy in PSK
mode, using a Pre-Shared Key (PSK), or shared secret for authentication.
WPA-PSK is a security solution that adds authentication to enhanced WEP
encryption and key management. WPA-PSK mode does not require an
authentication server. It is suitable for home or small office.
Note: Regardless of the Wireless AP model or WLAN Service type, a maximum
of 112 simultaneous clients, per radio, are supported by all of the data protection
encryption techniques.
6.9.2.1 About Wi-Fi Protected Access (WPA v1 and WPA v2)
Note: To achieve the strongest encryption protection for your VNS, Siemens
recommends that you use WPA v.1 or WPA v.2.
WPA v1 and WPA v2 add authentication to WEP encryption and key
management. Key features of WPA privacy include:
•
Specifies 802.1x with Extensible Authentication Protocol (EAP)
•
Requires a RADIUS or other authentication server
•
Uses RADIUS protocols for authentication and key distribution
•
Centralizes management of user credentials
The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP
includes:
338
•
A per-packet key mixing function that shares a starting key between devices,
and then changes their encryption key for every packet (unicast key) or after
the specified re-key time interval (broadcast key) expires
•
An extended WEP key length of 256-bits
•
An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it
more difficult to compromise
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
A Message Integrity Check or Code (MIC), an additional 8-byte code that is
inserted before the standard WEP 4-byte Integrity Check Value (ICV). These
integrity codes are used to calculate and compare, between sender and
receiver, the value of all bits in a message, which ensures that the message
has not been tampered with.
The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES
includes:
•
A 128 bit key length, for the WPA2/802.11i implementation of AES
•
Four stages that make up one round. Each round is iterated 10 times.
•
A per-packet key mixing function that shares a starting key between devices,
and then changes their encryption key for every packet or after the specified
re-key time interval expires.
•
The Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for
a block cipher that enables a single key to be used for both encryption and
authentication. The two underlying modes employed in CCM include:
•
Counter mode (CTR) that achieves data encryption
•
Cipher Block Chaining Message Authentication Code (CBC-MAC) to
provide data integrity
The following is an overview of the WPA authentication and encryption process:
1. The wireless device client associates with Wireless AP.
2. Wireless AP blocks the client's network access while the authentication
process is carried out (the HiPath Wireless Controller sends the
authentication request to the RADIUS authentication server).
3. The wireless client provides credentials that are forwarded by the HiPath
Wireless Controller to the authentication server.
4. If the wireless device client is not authenticated, the wireless client stays
blocked from network access.
5. If the wireless device client is authenticated, the HiPath Wireless Controller
distributes encryption keys to the Wireless AP and the wireless client.
6. The wireless device client gains network access via the Wireless AP, sending
and receiving encrypted data. The traffic is controlled with permissions and
policy applied by the HiPath Wireless Controller.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
339
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6.9.2.2 Wireless 802.11n APs and WPA authentication
Note: If you configure a WLAN Service to use either WEP or TKIP authentication,
any Wireless 802.11n AP associated to a VNS using that service will be limited to
legacy AP performance rates.
If a VNS is configured to use WPA authentication, any Wireless 802.11n AP within
that VNS will do the following:
•
WPA v.1 – If WPA v.1 is enabled, the Wireless 802.11n AP will advertise only
TKIP as an available encryption protocol.
•
WPA v.2 – If WPA v.2 is enabled, the Wireless 802.11n AP will do the
following:
•
If WPA v.1 is enabled, the Wireless 802.11n AP will advertise TKIP as an
available encryption protocol.
Note: If WPA v.2 is enabled, the Wireless 802.11n AP does not support the
Auto option.
•
If WPA v.1 is disabled, the Wireless 802.11n AP will advertise the
encryption cipher AES (Advanced Encryption Standard).
Note: The security encryption for some network cards must not to be set to
WEP or TKIP to achieve a data rate beyond 54 Mbps.
340
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6.9.2.3 WPA Key Management Options
Wi-Fi Protected Access (WPA v1 and WPA v2) Privacy offers you the following
key management options:
•
None
•
Opportunistic Keying
•
Pre-authentication
•
Opportunistic Keying & Pre-auth
The following sections explain the key management options.
None
The wireless client device performs a complete 802.1x authentication each time
it associates or tries to connect to a Wireless AP.
Opportunistic Keying
Opportunistic Keying or opportunistic key caching (OKC) enables the client
devices to roam fast and securely from one Wireless AP to another in 802.1x
authentication setup.
The client devices that run applications such as video streaming and VoIP require
rapid reassociation during roaming. OKC helps such client devices by enabling
them to rapidly reassociate with the Wireless APs. This avoids delays and gaps
in transmission and thus helps in secure fast roaming (SFR).
Note: The client devices should support OKC to use the OKC feature in the
HiPath WLAN.
Pre-authentication
Pre-authentication enables a client device to authenticate simultaneously with
multiple Wireless APs in 802.1x authentication setup. When the client device
roams from one Wireless AP to another, it does not have to perform the complete
802.1x authentication to reassociate with the new Wireless AP as it is already
pre-authenticated with it. This reduces the reassociation time and thus helps in
seamless roaming.
Note: The client devices should support pre-authentication to use the preauthentication feature in HiPath WLAN.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
341
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
Opportunistic Keying & Pre-auth
Opportunistic Keying and Pre-auth options is meant for the device clients that
support both the authentication processes. For example, the Microsoft-operated
device clients support opportunistic keying by default, but they can be configured
to support pre-authentication too.
6.9.2.4 Configuring WLAN Service privacy
To configure privacy:
1. If the WLAN Service configuration page is not already displayed, from the
main menu, click either Wireless Controller Configuration or Virtual
Network Configuration. Then, in the left pane, select WLAN Services. The
WLAN Services window displays.
2. Select the desired service to edit from the left pane. The WLAN Service
configuration page is displayed.
3. Click the Privacy tab, then select the desired privacy method.
4. If you select Static Keys (WEP), do the following:
342
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
a) From the WEP Key Index drop-down list, click the WEP encryption key
index:
•
•
•
•
Note: Specifying the WEP key index is supported only for AP36XX
Wireless APs.
b) From the WEP Key Length drop-down list, click the WEP encryption key
length:
•
64-bit
•
128-bit
•
152-bit
c) Select one of the following input methods:
•
Input Hex – If you select Input Hex, type the WEP key input in the
WEP Key box. The key is generated automatically, based on the
input.
•
Input String – If you select Input String, type the secret WEP key
string used for encrypting and decrypting in the Strings box. The
WEP Key box is automatically filled by the corresponding Hex code.
d) To save your changes, click Save.
5. If you select Dynamic Keys, click Save to save your changes.
6. If you select WPA, do the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
343
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
a) To enable WPA v1 encryption, select WPA v.1. Then, click one of the
following encryption types from the Encryption drop-down list:
•
Auto – The AP will advertise both TKIP and CCMP (Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol)
for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses
the encryption cipher AES (Advanced Encryption Standard). Auto is
the default.
•
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
b) To enable WPA v2-type encryption, select WPA v.2. Then, click one of the
following encryption types from the Encryption drop-down list:
•
Auto – If you click Auto, the Wireless AP advertises both TKIP and
CCMP (counter mode with cipher block chaining message
authentication code protocol). CCMP is an IEEE 802.11i encryption
protocol that uses the encryption cipher AES (Advanced Encryption
Standard). Auto is the default.
•
AES only – If you click AES, the Wireless AP advertises CCMP as an
available encryption protocol. It will not advertise TKIP.
•
available encryption protocol. It will not advertise TKIP.
c) From the Key Management Options, click one of the following key
management options:
•
344
None – The mobile units (client devices) performs a complete 802.1x
authentication each time it associates or connects to a Wireless AP.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
Opportunistic Keying – Enables secure fast roaming (SFR) of
mobile units. For more information, see Opportunistic Keying on page
341.
•
Pre-authentication – Enables seamless roaming. For more
information, see Pre-authentication on page 341.
•
Opportunistic Keying & Pre-auth – For more information, see
Opportunistic Keying & Pre-auth on page 342.
d) To change the Broadcast re-key interval, type the time interval after
which the broadcast encryption key is changed automatically. The default
is 3600 seconds.
e) Click Save to save your changes.
7. If you select WPA-PSK, do the following:
a) To enable WPA v1 encryption, select WPA v.1. Then, click one of the
following encryption types from the Encryption drop-down list:
•
Auto – The AP will advertise both TKIP and CCMP (Counter Mode
with Cipher Block Chaining Message Authentication Code Protocol)
for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses
the encryption cipher AES (Advanced Encryption Standard). Auto is
the default.
•
TKIP only – The AP will advertise TKIP as an available encryption
protocol for WPAv1. It will not advertise CCMP.
b) To enable WPA v2-type encryption, select WPA v.2. Then, click one of the
following encryption types from the Encryption drop-down list:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
345
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
Auto – If you click Auto, the Wireless AP advertises both TKIP and
CCMP (counter mode with cipher block chaining message
authentication code protocol). CCMP is an IEEE 802.11i encryption
protocol that uses the encryption cipher AES (Advanced Encryption
Standard). Auto is the default.
•
AES only – If you click AES, the Wireless AP advertises CCMP as an
available encryption protocol. It will not advertise TKIP.
c) To enable re-keying after a time interval, select the Broadcast re-key
interval box, then type the time interval after which the broadcast
encryption key is changed automatically. The default is 3600 seconds.
If this checkbox is not selected, the Broadcast encryption key is never
changed and the Wireless AP will always use the same broadcast key for
Broadcast/Multicast transmissions. which will reduce the level of security
for wireless communications.
d) To enable the group key power save retry, select Group Key Power Save
Retry.
Note: The group key power save retry is only supported for AP36XX
Wireless APs.
e) In the Pre-Shared Key box, type the shared secret key to be used
between the wireless device and Wireless AP. The shared secret key is
used to generate the 256-bit key.
f)
To proofread your entry before saving the configuration, click Unmask to
display the Pre-Shared Key. To mask the key, click Mask.
g) To save your changes, click Save.
6.9.3 Configuring accounting and authentication
The next step in configuring a WLAN Service is to set up the authentication
mechanism. There are various authentication modes available:
346
•
none
•
Captive Portal using internal Captive Portal
•
Captive Portal using external Captive Portal
•
MAC-based authentication
•
802.1x authentication, the wireless device user must be authenticated before
gaining network access
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
Note: You cannot configure accounting and authentication for a remote WLAN
service. The authentication that you configure for the corresponding remoteable
WLAN service applies to the remote WLAN service as well.
The first step for any type of authentication is to select RADIUS servers for the
following:
•
Authentication
•
Accounting
•
MAC-based authentication
6.9.3.1 Vendor Specific Attributes
In addition to the standard RADIUS message, you can include Vendor Specific
Attributes (VSAs). The Controller, Access Points and Convergence Software
authentication mechanism provides six VSAs for RADIUS and other
authentication mechanisms.
Attribute Name
ID
Type
Messages
Siemens-URLRedirection
string
Returned from A URL that can be returned to
RADIUS server redirect a session to a specific Web
page.
Siemens-APName
string
Sent to
The name of the AP the client is
RADIUS server associating to. It can be used to
assign policy based on AP name or
location.
Siemens-APSerial
string
Sent to
The AP serial number. It can be
RADIUS server used instead of (or in addition to)
the AP name.
Siemens-VNSName
string
Sent to
The name of the Virtual Network the
RADIUS server client has been assigned to. It is
used in assigning policy and billing
options, based on service selection.
Siemens-SSID
string
Sent to
The name of the SSID the client is
RADIUS server associating to. It is used in
assigning policy and billing options,
based on service selection.
Siemens-BSSMAC
string
Sent to
The name of the BSS-ID the client
RADIUS server is associating to. It is used in
assigning policy and billing options,
based on service selection and
location.
Table 24
Description
Vendor Specific Attributes
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
347
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
The first five of these VSAs provide information on the identity of the specific
Wireless AP that is handling the wireless device, enabling the provision of
location-based services.
The RADIUS message also includes RADIUS attributes Called-Station-Id and
Calling-Station-Id to include the MAC address of the wireless device.
Note: Siemens-URL-Redirection is supported by MAC-based authentication.
6.9.3.2 Defining accounting methods for a WLAN Service
Accounting tracks the activity of wireless device users. There are two types of
accounting available:
•
HiPath Wireless Controller accounting – Enables the HiPath Wireless
Controller to generate Call Data Records (CDRs), containing usage
information about each wireless session. CDR generation is enabled on a per
VNS basis. For more information on CDRs, refer to section Section 11.9, “Call
Detail Records (CDRs)”, on page 471.
•
RADIUS accounting – Enables the HiPath Wireless Controller to generate
an accounting request packet with an accounting start record after successful
login by the wireless device user, and an accounting stop record based on
session termination. The HiPath Wireless Controller sends the accounting
requests to a remote RADIUS server.
HiPath Wireless Controller accounting creates Call Data Records (CDRs). If
RADIUS accounting is enabled, a RADIUS accounting server needs to be
specified.
To define accounting methods:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service you want to define accounting methods for. The WLAN Services
configuration page is displayed.
3. Click the Auth & Acct tab.
348
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
4. To enable HiPath Wireless Controller accounting, select Collect Accounting
Information of Wireless Controller.
5. To enable RADIUS accounting, from the RADIUS Servers drop-down list,
click the RADIUS server you want to use for RADIUS accounting, and then
click Use.
The server name is added to the Server table of assigned RADIUS servers.
The selected server is no longer available in the RADIUS servers drop-down
list.
The RADIUS servers are defined on the Global Settings screen. For more
information, see Section 6.2.1, “Defining RADIUS servers and MAC address
format”, on page 269.
6. In the Server table, select the checkbox in the Acct column to enable
accounting for each applicable RADIUS server.
7. In the Server table click the RADIUS server, and then click Configure.The
RADIUS Parameters dialog is displayed.
The configured values for the selected server are displayed in the table at the
top.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
349
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
8. For NAS IP Address, accept the default of “Use VNS IP address” or de-select
the checkbox and type the IP address of a Network Access Server (NAS).
9. For NAS Identifier, accept the default of “Use VNS name” or type the
Network Access Server (NAS) identifier. The NAS identifier is a RADIUS
attribute that identifies the server responsible for passing information to
designated RADIUS servers and then acting on the response returned.
10. Click OK.
11. To save your changes, click Save.
6.9.3.3 Configuring authentication for a WLAN Service
802.1x Authentication
If 802.1x authentication mode is configured, the wireless device must
successfully complete the user authentication verification prior to being granted
network access. This enforcement is performed by both the user's client and the
AP. The wireless device's client utility must support 802.1x. The user's EAP
packets request for network access along with login identification or a user profile
is forwarded by the HiPath Wireless Controller to a RADIUS server.
Captive Portal authentication
For Captive Portal authentication, the wireless device connects to the network,
but can only access the specific network destinations defined in the nonauthenticated filter. For more information, see Section 6.10.2, “About filtering
rules”, on page 379. One of these destinations should be a server, either internal
or external, which presents a Web login page — the Captive Portal. The wireless
device user must input an ID and a password. This request for authentication is
sent by the HiPath Wireless Controller to a RADIUS server or other authentication
server. Based on the permissions returned from the authentication server, the
HiPath Wireless Controller implements policy and allows the appropriate network
access.
350
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
Captive Portal authentication relies on a RADIUS server on the enterprise
network. There are three mechanisms by which Captive Portal authentication can
be carried out:
•
Internal Captive Portal – The HiPath Wireless Controller displays the
Captive Portal Web page, carries out the authentication, and implements
policy.
•
External Captive Portal – After an external server displays the Captive
Portal Web page and carries out the authentication, the HiPath Wireless
Controller implements policy.
•
External Captive Portal with internal authentication – After an external
server displays the Captive Portal Web page, the HiPath Wireless Controller
carries out the authentication and implements policy.
RADIUS servers
RADIUS servers can perform the following for a WLAN Service:
•
Authentication – RADIUS servers are configured to provide authentication.
•
MAC authentication – RADIUS servers are configured to provide MACbased authentication.
•
Accounting – RADIUS servers are configured to provide accounting
services.
MAC-based authentication
MAC-based authentication enables network access to be restricted to specific
devices by MAC address. The HiPath Wireless Controller queries a RADIUS
server for a MAC address when a wireless client attempts to connect to the
network.
MAC-based authentication can be set up on any type of WLAN Service. To set up
a RADIUS server for MAC-based authentication, you must set up a user account
with UserID=MAC and Password=MAC (or a password defined by the
administrator) for each user. Specifying a MAC address format and policy
depends on which RADIUS server is being used.
If MAC-based authentication is to be used in conjunction with the 802.1x or
Captive Portal authentication, an additional account with a real UserID and
Password must also be set up on the RADIUS server.
MAC-based authentication responses may indicate to the HiPath Wireless
Controller what VNS a user should be assigned to. Authentication (if enabled) can
apply on every roam.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
351
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
To assign RADIUS servers for authentication:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. If applicable, in the MAC Based Authorization section, select the Enable
checkbox to enable the RADIUS server to perform MAC-based
authentication for the VNS with Captive Portal.
MAC-based authorization on roam – If MAC-based authentication is
enabled, select the MAC-based authorization on roam checkbox.
Note: Only select this checkbox if you want your clients to be authorized
every time they roam to another Wireless AP. If this option is not enabled, and
MAC-based authentication is in use, the client is authenticated only at the
start of a session.
5. In the RADIUS Servers drop-down list, click the server you want to assign to
the WLAN Service, and then click Use.
The server name is added to the Server table of assigned RADIUS servers.
The selected server is no longer available in the RADIUS servers drop-down
list.
352
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
The RADIUS servers are defined on the Global Settings screen. For more
information, see Section 6.2.1, “Defining RADIUS servers and MAC address
format”, on page 269.
6. In the Server table, select the checkboxes in the Auth, MAC, or Acct
columns, to enable the authentication or accounting, if applicable.
7. To save your changes, click Save.
6.9.3.4 Defining the RADIUS server priority for RADIUS
redundancy
If more than one server has been defined for any type of authentication, you can
define the priority of the servers in the case of failover.
In the event of a failover of the main RADIUS server—if there is no response after
the set number of retries—then the other servers in the list will be polled on a
round-robin basis until a server responds.
If all defined RADIUS servers fail to respond, a critical message is generated in
the logs.
To define the RADIUS server priority for RADIUS redundancy:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Server table, click the RADIUS server and then click Move Up or Move
Down to arrange the order. The first server in the list is the active one.
5. To save your changes, click Save.
6.9.3.5 Configuring assigned RADIUS servers
Configuring assigned RADIUS servers for a VNS can include the following:
•
Defining common RADIUS settings
•
Defining RADIUS settings for individual RADIUS servers
•
Testing RADIUS server connections
•
Viewing the RADIUS server configuration summary
•
Removing assigned RADIUS servers
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
353
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
To define common RADIUS settings:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Common RADIUS Settings section, select the appropriate
checkboxes to include the Vendor Specific Attributes in the message to the
RADIUS server:
•
AP’s
•
VNS’s
•
SSID
The Vendor Specific Attributes must be defined on the RADIUS server.
5. To save your changes, click Save.
To define RADIUS settings for individual RADIUS servers:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Server table, click the RADIUS server you want to define, and then
click Configure. The RADIUS Parameters dialog is displayed.
5. For NAS IP Address, accept the default of “Use VNS IP address” or de-select
the checkbox and type the IP address of a Network Access Server (NAS).
354
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6. For NAS Identifier, accept the default of “Use VNS name” or type the
Network Access Server (NAS) identifier. The NAS identifier is a RADIUS
attribute that identifies the server responsible for passing information to
designated RADIUS servers and then acting on the response returned.
7. Click OK.
8. To save your changes, click Save.
To test RADIUS server connections:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Server table, click the RADIUS server whose connection you want to
test, and then click Test. The Test RADIUS Servers screen is displayed.
The RADIUS test is a test of connectivity to the RADIUS server, not of full
RADIUS functionality. The HiPath Wireless Controller’s RADIUS connectivity
test initiates an Access-Request, to which the RADIUS server will respond. If
a response is received (either Access-Reject or Access-Accept), then the test
is deemed to have succeeded. If a response is not received, then the test is
deemed to have failed. In either case, the test ends at this point.
If the WLAN Service Authentication mode is Internal or External Captive
Portal, or if MAC-Based Authorization is selected, then this test can also test
a user account configured on the RADIUS server. In these cases, if proper
credentials are filled in for User ID and Password, an Access-Accept could
be returned.
If the WLAN Service Authentication mode is 802.1x, however, an AccessReject is expected if the RADIUS server is accessible, and the text is
considered a success.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
355
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
5. In the User ID box, type the user ID that you know can be authenticated.
6. In the Password box, type the corresponding password. A password is not
required for a AAA VNS.
7. Click Test. The Test Result screen is displayed.
8. Click Close.
9. To save your changes, click Save.
To view the RADIUS server configuration summary:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Server table, click a RADIUS server whose configuration summary you
want to view, and then click Summary. The RADIUS Summary screen is
displayed.
5. Click Close.
6. To save your changes, click Save.
356
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
To remove an assigned RADIUS server from a WLAN Service:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service you want to define accounting methods for. The WLAN Services
configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Server table, click the assigned RADIUS server that you want to
remove from the VNS, and then click Remove. The RADIUS server is
removed from the VNS.
5. To save your changes, click Save.
6.9.3.6 Defining a WLAN Service with no authentication
You can set up a WLAN Service that will bypass all authentication mechanisms
and run the HiPath Wireless Controller, Access Points and Convergence
Software with no authentication of a wireless device user.
A WLAN Service with no authentication can still control network access using
filtering rules. For more information on how to set up filtering rules that allow
access only to specified IP addresses and ports, see Section 6.10.2, “About
filtering rules”, on page 379.
To define a WLAN Service with no authentication:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service you want to configure or click New. The WLAN Services
configuration page is displayed.
3. Configure the service as described in Section 6.9, “Configuring WLAN
Services”, on page 331.
4. Click the Auth & Acct tab.
5. From the Authentication Mode drop-down list, select Disabled.
6. To save your changes, click Save.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
357
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6.9.3.7 Configuring Captive Portal for internal or external
authentication
There are four Captive Portal options:
•
Internal Captive Portal – Define the parameters of the internal Captive
Portal page displayed by the HiPath Wireless Controller, and the
authentication request from the HiPath Wireless Controller to the RADIUS
server.
•
External Captive Portal – Define the parameters of the external Captive
Portal page displayed by an external server. The authentication can be
carried out by an external authentication server or by the HiPath Wireless
Controller request to a RADIUS server.
•
GuestPortal – Define the parameters for a GuestPortal Captive Portal page.
A GuestPortal provides wireless device users with temporary guest network
services.
•
Guest Splash – Define the parameters of the Guest Splash page displayed
by the HiPath Wireless Controller. These parameters are similar to those for
an internal Captive Portal page, except that the options to configure the labels
for user id and password fields are not present since login information is not
required when the user is re-directed to the authorization Web page. This type
of Captive Portal could be used where the user is expected to read and
accept some terms and conditions before being granted network access.
To configure the Captive Portal settings for internal Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Authentication Mode drop-down list, click Internal, and then click
Configure. The Captive Portal Settings screen is displayed.
358
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
5. In the Login Credentials section, do the following:
•
In the Login Label box, type the text that will be displayed as a label for
the user login field.
•
In the Password Label box, type the text that will be displayed as a label
for the user password field.
•
In the Submit Label box, type the text that will be displayed as a label for
the submit button.
6. In the Communication Options section, do one of the following:
•
Manual Settings – Select this option if you want to manually define the
location of the files that will be used for the header and footer of the
Captive Portal page.
a) In the Header URL box, type the server location of the file to be
displayed in the Header portion of the Captive Portal page. This page
can be customized to suit your organization, with logos or other
graphics.
Caution: If you use logos or graphics, ensure that the graphics or logos are
appropriately sized. Large graphics or logos may force the login section out
of view.
b) In the Footer URL box, type the server location of the file to be
displayed in the Footer portion of the Captive Portal page.
c) In the Message box, type the message that will be displayed above
the Login box to greet the user. For example, the message could
explain why the Captive Portal page is appearing, and instructions for
the user. The message can be a maximum of 255 characters,
including spaces.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
359
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
Use Zip File – Select this option to upload a zip file that contains custom
Captive Portal content.
The zip file you upload must have a flat structure — it cannot contain any
sub-directories. The contents of the zip must adhere to the following file
formats:
•
Content to be used in the Captive Portal header must be in a file
named portalheader.htm.
•
Content to be used in the Captive Portal footer must be in a file named
portalfooter.htm.
•
The number of graphics and the size of the graphics is unlimited, and
can be either .gif, .jpg, or .png.
Note: The html files must only contain html. Java Script, redirects, or
dynamic CS is not permitted.
7. In the Replace Gateway IP with FQDN box, type the appropriate name if a
Fully Qualified Domain Name (FQDN) is used as the gateway address.
8. In the Default Redirection URL box, type the URL to which the wireless
device user will be directed to after authentication.
9. In the Specific Message URL box, type the URL of a document that will be
displayed in a text frame on the Captive Portal login page. This text frame can
be used to display lengthier messages, such as terms and conditions of use
for users who have not yet logged in.
10. In the right pane, select the appropriate checkboxes in both Header and
Footer columns, if applicable, to include the following VSA Attributes in the
message to the authentication server:
•
AP Serial
•
AP Name
•
VNS Name
•
SSID
•
MAC Address
The selections influence what URL is returned in either section. For example,
wireless users can be identified by which Wireless AP or which VNS they are
associated with, and can be presented with a Captive Portal Web page that
is customized for those identifiers.
11. To provide users with a logoff button, select Logoff. The Logoff button
launches a pop-up logoff page, allowing users to control their logoff.
360
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
When the user clicks the Logoff button, the user is disassociated and returns
to the non-authenticated state.
12. To provide users with a status check button, select Status check. The Status
check button launches a pop-up window, which allows users to monitor
session statistics such as system usage and time left in a session.
13. To install a certificate for the internal Captive Portal page, refer to Section
3.4.8, “Installing certificates on the HiPath Wireless Controller”, on page 72.
14. Click Apply.
15. To see how the Captive Portal page you have designed will look, click View
Sample Portal Page.
Caution: In order for Captive Portal authentication to be successful, all the
URLs referenced in the Captive Portal setup must also be specifically
identified and allowed in the non-authenticated filter. For more information,
see Section 6.10.2, “About filtering rules”, on page 379.
16. To save your changes, click Save.
To configure the Captive Portal Settings for external Captive Portal:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Authentication Mode drop-down list, click External, and then click
Configure. The Captive Portal Settings screen is displayed.
5. In the HWC Connection drop-down list, click the IP address of the external
Web server.
6. Type the port of the HiPath Wireless Controller.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
361
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
If there is an authentication server configured for this VNS, the external
Captive Portal page on the external authentication server will send the
request back to the HiPath Wireless Controller to allow the HiPath Wireless
Controller to continue with the RADIUS authentication and filtering.
7. Select Enable https support if you want to enable HTTPS support
(TLS/SSL) for this external captive portal.
8. In the Shared Secret box, type the password common to both the HiPath
Wireless Controller and the external Web server if you want to encrypt the
information passed between the HiPath Wireless Controller and the external
Web server.
9. In the Redirection URL box, type the URL to which the wireless device user
will be directed to after authentication.
10. Click Apply.
11. To save your changes, click Save.
Note: You must add a filtering rule to the non-authenticated filter that allows
access to the external Captive Portal site. For more information, see Section
6.10.2, “About filtering rules”, on page 379.
To configure the Captive Portal settings for a GuestPortal:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Authentication Mode drop-down list, click GuestPortal, and then click
Configure. The Captive Portal Settings screen is displayed.
362
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
5. In the GuestPortal section, do the following:
•
To add and configure guest user accounts, click Manage Guest Users.
For more information, see Section 12.2.1, “Working with GuestPortal
Guest administration”, on page 485.
•
To configure the GuestPortal ticket, click Configure Ticket Page. For
more information, see Section 12.2.1.7, “Working with the GuestPortal
ticket page”, on page 496.
•
In the Account lifetime box, type the account lifetime, in days, for the
guest account. A value of 0 specifies no limit to the account lifetime.
•
In the Maximum Session Lifetime box, type the maximum session
lifetime, in hours, for the guest account. The default 0 value does not limit
a session lifetime. The session lifetime is the allowed cumulative total in
hours spent on the network during the account lifetime.
•
In the User ID Prefix, type a prefix that will be added to all guest account
user IDs. The default is Guest.
•
In the Minimum Password Length, type a minimum password length
that will be applied to all guest accounts.
6. In the Login Credentials section, do the following:
•
In the Login Label box, type the text that will be displayed as a label for
the user login field.
•
In the Password Label box, type the text that will be displayed as a label
for the user password field.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
363
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
In the Submit Label box, type the text that will be displayed as a label for
the submit button.
7. In the Communication Options section, do one of the following:
•
Manual Settings – Select this option if you want to manually define the
location of the files that will be used for the header and footer of the
Captive Portal page.
a) In the Header URL box, type the server location of the file to be
displayed in the Header portion of the Captive Portal page. This page
can be customized to suit your organization, with logos or other
graphics.
Caution: If you use logos or graphics, ensure that the graphics or logos are
appropriately sized. Large graphics or logos may force the login section out
of view.
b) In the Footer URL box, type the server location of the file to be
displayed in the Footer portion of the Captive Portal page.
c) In the Message box, type the message that will be displayed above
the Login box to greet the user. For example, the message could
explain why the Captive Portal page is appearing, and instructions for
the user. The message can be a maximum of 255 characters,
including spaces.
•
Use Zip File – Select this option to upload a zip file that contains custom
Captive Portal content.
The zip file you upload must have a flat structure — it cannot contain any
sub-directories. The contents of the zip must adhere to the following file
formats:
•
Content to be used in the Captive Portal header must be in a file
named portalheader.htm.
•
Content to be used in the Captive Portal footer must be in a file named
portalfooter.htm.
•
The number of graphics and the size of the graphics is unlimited, and
can be either .gif, .jpg, or .png.
Note: The html files contain must only contain html. Java Script, redirects,
or dynamic CS is not permitted.
8. In the Replace Gateway IP with FQDN box, type the appropriate name if a
Fully Qualified Domain Name (FQDN) is used as the gateway address.
364
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
9. In the Default Redirection URL box, type the URL to which the wireless
device user will be directed to after authentication.
10. In the Specific Message URL box, type the URL of a document that will be
displayed in a text frame on the Captive Portal login page. This text frame can
be used to display lengthier messages, such as terms and conditions of use
for users who have not yet logged in.
11. In the right pane, select the appropriate checkboxes:
•
To provide users with a logoff button, select Logoff. The Logoff button
launches a pop-up logoff page, allowing users to control their logoff.
When the user clicks the Logoff button, the user is disassociated and
returns to the non-authenticated state.
•
To provide users with a status check button, select Status check. The
Status check button launches a pop-up window, which allows users to
monitor session statistics such as system usage and time left in a
session.
12. To install a certificate for the internal Captive Portal page, refer to Section
3.4.8, “Installing certificates on the HiPath Wireless Controller”, on page 72.
13. Click Apply.
14. To see how the Captive Portal page you have designed will look, click View
Sample Portal Page.
Caution: In order for Captive Portal authentication to be successful, all the
URLs referenced in the Captive Portal setup must also be specifically
identified and allowed in the non-authenticated filter. For more information,
see Section 6.10.2, “About filtering rules”, on page 379.
15. To save your changes, click Save.
To configure the Captive Portal settings for Guest Splash:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the Auth & Acct tab.
4. In the Authentication Mode drop-down list, click Guest Splash, and then
click Configure. The Guest Splash Settings screen is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
365
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
5. In the Login Credentials section, do the following:
•
In the Submit Label box, type the text that will be displayed as a label for
the submit button. This text should be “Accept” or something similar, since
pressing the button will indicate that the user accepts the terms and
conditions.
6. In the Communication Options section, do one of the following:
•
Manual Settings – Select this option if you want to manually define the
location of the files that will be used for the header and footer of the
Captive Portal page.
a) In the Header URL box, type the server location of the file to be
displayed in the Header portion of the Captive Portal page. This page
can be customized to suit your organization, with logos or other
graphics.
Caution: If you use logos or graphics, ensure that the graphics or logos are
appropriately sized. Large graphics or logos may force the login section out
of view.
b) In the Footer URL box, type the server location of the file to be
displayed in the Footer portion of the Captive Portal page.
c) In the Message box, type the message that will be displayed above
the Login box to greet the user. Use this field to make it clear that by
pressing the “Accept” button, the user accepts the terms and
conditions. The message can be a maximum of 255 characters,
including spaces.
•
Use Zip File – Select this option to upload a zip file that contains custom
Captive Portal content.
The zip file you upload must have a flat structure — it cannot contain any
sub-directories. The contents of the zip must adhere to the following file
formats:
366
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
Content to be used in the Captive Portal header must be in a file
named portalheader.htm.
•
Content to be used in the Captive Portal footer must be in a file named
portalfooter.htm.
•
The number of graphics and the size of the graphics is unlimited, and
can be either .gif, .jpg, or .png.
Note: The html files must only contain html. Java Script, redirects, or
dynamic CS is not permitted.
7. In the Replace Gateway IP with FQDN box, type the appropriate name if a
Fully Qualified Domain Name (FQDN) is used as the gateway address.
8. In the Default Redirection URL box, type the URL to which the wireless
device user will be directed to after authentication.
9. In the Specific Message URL box, type the URL of a document that will be
displayed in a text frame on the Captive Portal login page. This text frame
should be used to display the lengthier message describing the terms and
conditions of use for users who have not yet logged in.
10. In the right pane, select the appropriate checkboxes in both Header and
Footer columns, if applicable, to include the following VSA Attributes in the
message to the authentication server:
•
AP Serial
•
AP Name
•
VNS Name
•
SSID
•
MAC Address
The selections influence what URL is returned in either section. For example,
wireless users can be identified by which Wireless AP or which VNS they are
associated with, and can be presented with a Captive Portal Web page that
is customized for those identifiers.
11. To provide users with a logoff button, select Logoff. The Logoff button
launches a pop-up logoff page, allowing users to control their logoff.
When the user clicks the Logoff button, the user is disassociated and returns
to the non-authenticated state.
12. To provide users with a status check button, select Status check. The Status
check button launches a pop-up window, which allows users to monitor
session statistics such as system usage and time left in a session.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
367
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
13. To install a certificate for the internal Captive Portal page, refer to Section
3.4.8, “Installing certificates on the HiPath Wireless Controller”, on page 72.
14. Click Apply.
15. To see how the Captive Portal page you have designed will look, click View
Sample Portal Page.
Caution: In order for Captive Portal authentication to be successful, all the
URLs referenced in the Captive Portal setup must also be specifically
identified and allowed in the non-authenticated filter. For more information,
see Section 6.10.2, “About filtering rules”, on page 379.
16. To save your changes, click Save.
6.9.4 Configuring the QoS policy
The following is an overview of the steps involved in configuring the QoS for
WLAN Services.
Step one – Define the QoS mode for the service:
•
Legacy – Enables DL (downlink) classification for all clients
•
WMM:
•
•
Enables WMM support
•
Enables DL classification for WMM clients
•
Enables UL (uplink) classification in WMM clients
802.11e:
•
Enables 802.11e support
•
Enables DL classification for 802.11e clients
•
Enables UL classification in 802.11e clients
WMM and 802.11e are similar but, they use different signaling (same as WPA
and WPA2).
Step two – Enable Turbo Voice:
368
•
Ensures traffic is optimized for voice performance and capacity
•
Can be enabled or disabled on individual WLAN Services
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
If Turbo Voice is enabled, together with QoS modes Legacy, WMM, or
802.11e, DL voice traffic is sent via Turbo Voice queue instead of voice
queue. A separate turbo voice queue allows for some VNSs to use the
Turbo Voice parameters for voice traffic, while other VNSs use the voice
parameters for voice traffic.
•
If WMM mode is also enabled, WMM clients use Turbo Voice-like
contention parameters for UL voice traffic.
•
If 802.11e mode is also enabled, 802.11e clients use Turbo Voice-like
contention parameters for UL voice traffic.
Note: The Wireless 802.11n AP does not support the Turbo Voice option.
Step 3 – Define the DSCP and service class classifications:
All 64 DSCP code-points are supported. The IETF defined codes are listed by
name and code. Un-defined codes are listed by code. The following is the default
DSCP service class classification (where SC is Service Class and UP is User
Priority):
DSCP
SC/UP
DSCP
SC/UP
DSCP
SC/UP
CS0/DE
2/0
AF11
2/0
AF33
4/4
CS1
0/1
AF12
2/0
AF41
5/5
CS2
1/2
AF13
2/0
AF42
5/5
CS3
3/3
AF21
3/3
AF43
5/5
CS4
4/4
AF22
3/3
EF
6/6
CS5
5/5
AF23
3/3
Others
0/1
CS6
6/6
AF31
4/4
CS7
7/7
AF32
4/4
Step 4 – If preferred instead of DSCP classification, enable Priority override:
•
•
Click the applicable service class and implicitly desired UP
•
Updates UP in user packet
•
Updates UP for WASSP frame (if field exists) sent by AP
Select the desired DSCP
•
Updates DSCP for WASSP frames sent by AP
•
Does not change DSCP in user packet
Step 5 – Configure the advanced wireless QoS:
•
Enable the Unscheduled Automatic Power Save Delivery (U-APSD)
feature
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
369
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
Works in conjunction with WMM and/or 802.11e, and it is automatically
disabled if both WMM and 802.11e are disabled
Step 6 – Configure Global Admission Control:
•
Enable admission control. Admission control protects admitted traffic against
new bandwidth demands. Admission control is available for Voice and Video.
•
If admission control is enabled, you can configure the UL and DL policer
action.
•
The UL and DL policers act as enforcement of a traffic management system.
Depending on the TSPEC negotiation per traffic class, Voice and Video, you
can configure what actions the Wireless AP takes when admitted traffic has
violated its TSPEC.
•
You can configure the UL and DL policers per VNS
•
TSPEC statistics can be viewed in the Admission Control Statistics by
Wireless AP display. For more information, see Chapter 11, “Working
with reports and displays”.
Step 7 – Apply Bandwidth Control Profile
Select the Bandwidth Control Profile that you want to apply to the VNS. The
Bandwidth Control Profiles ensure that no single user on any VNS is able to
consume disproportionate amount of bandwidth. For more information, see
Section 6.2.5, “Working with bandwidth control profiles”, on page 275.
6.9.4.1 Defining priority level and service class
Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks are
enabling the integration of internet telephony technology on wireless networks.
Various issues including Quality-of-Service (QoS), call control, network capacity,
and network architecture are factors in VoIP over 802.11 WLANs.
Wireless voice data requires a constant transmission rate and must be delivered
within a time limit. This type of data is called isochronous data. This requirement
for isochronous data is in contradiction to the concepts in the 802.11 standard that
allow for data packets to wait their turn to avoid data collisions. Regular traffic on
a wireless network is an asynchronous process in which data streams are broken
up by random intervals.
To reconcile the needs of isochronous data, mechanisms are added to the
network that give voice data traffic or another traffic type priority over all other
traffic, and allow for continuous transmission of data.
To provide better network traffic flow, the Controller, Access Points and
Convergence Software provides advanced Quality of Service (QoS)
management. These management techniques include:
370
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
WMM (Wi-Fi Multimedia) – Enabled on individual WLAN Services, is a
standard that provides multimedia enhancements that improve the user
experience for audio, video, and voice applications. WMM is part of the
802.11e standard for QoS.
•
IP ToS (Type of Service) or DSCP (Diffserv Codepoint) – The ToS/DSCP
field in the IP header of a frame is used to indicate the priority and Quality of
Service for each frame. The IP TOS and/or DSCP is maintained within CTP
(CAPWAP Tunneling Protocol) by copying the user IP QoS information to the
CTP header—this is referred to as Adaptive QoS.
6.9.4.2 Defining the service class
Service class is determined by the combination of the following operations:
•
The class of treatment given to a packet. For example, queuing or per hop
behavior (PHB).
•
The packet marking of the output packets (user traffic and/or transport).
Service class name (number)
Priority level
Network Control (7)
7 (highest priority)
Premium (Voice) (6)
Platinum (video) (5)
Gold (4)
Silver (3)
Bronze (2)
Best Effort (1)
Background (0)
0 (lowest priority)
Table 25
Service classes
The service class is equivalent to the 802.1D UP (user priority).
SC name
SC Value
802.1d UP
AC
Queue
Network Control
VO
VO or TVO
Premium (voice)
VO
VO or TVO
Platinum (video)
VI
VI
Gold
VI
VI
Silver
BE
BE
Bronze
BE
BE
Best Effort
BK
BK
Background
BK
BK
Table 26
Relationship between service class and 802.1D UP.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
371
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6.9.4.3 Configuring the priority override
Priority override allows you to define and force the traffic to a desired priority level.
Priority override can be used with any combination, as displayed in Table 27. You
can configure the service class and the DSCP values.
When Priority Override is enabled, the configured service class overrides the
queue selection in the downlink and uplink direction, the 802.1P UP for the VLAN
tagged Ethernet packets, and the UP for the wireless QoS packets (WMM or
802.11e) according to the mapping in Table 26. If Priority Override is enabled
and the VNS is not locally bridged, the configured DSCP value is used to tag the
IP header of the encapsulated packets. The AP does not override the DSCP in
the IP header of the user packet.
6.9.4.4 QoS modes
You can enable the following Qos modes for a WLAN Service:
•
Legacy – If enabled, the AP will classify and prioritize the downlink traffic for
all clients according to the same rules.
•
WMM – If enabled, the AP will accept WMM client associations, and will
classify and prioritize the downlink traffic for all WMM clients. WMM clients will
also classify and prioritize the uplink traffic.
•
802.11e – If enabled, the AP will accept WMM client associations, and will
classify and prioritize the downlink traffic for all 802.11e clients. The 802.11e
clients will also classify and prioritize the uplink traffic.
•
Turbo Voice – If any of the above QoS modes are enabled, the Turbo Voice
mode is available. If enabled, all the downlink traffic that is classified to the
Voice (VO) AC and belongs to that VNS is transmitted by the AP via a queue
called Turbo Voice (TVO) instead of the normal Voice (VO) queue. The TVO
queue is tailored in terms of contention parameters and number of retries to
maximize voice quality and voice capacity.
All combinations of the three modes are valid. The following table summarizes all
possible combinations:
Legacy mode
Configuration
WMM mode
802.11e mode
372
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
To legacy client
Traffic that is
classified and
prioritized
From legacy client
To WMM client
From WMM client
To 802.11e client
From 802.11e client
Table 27
QoS mode combinations
The APs are capable of supporting 5 queues. The queues are implemented per
radio. For example, 5 queues per radio. The queues are:
Queue Name
Purpose
AC_VO
Voice
AC_VI
Video
AC_BK
Background
AC_BE
Best Effort
AC_TVO
Turbo Voice
Table 28
Queues
The HiPath Wireless Controller supports the definition of 8 levels of user priority
(UP). These priority levels are mapped at the AP to the best appropriate access
class. Of the 8 levels of user priority, 6 are considered low priority levels and 2 are
considered high priority levels.
WMM clients have the same 4 AC queues. WMM clients will classify the traffic
and use these queues when they are associated with a WMM-enabled AP. WMM
clients will behave like non-WMM clients—map all traffic to the Best Effort (BE)
queue—when not associated with WMM-enabled AP.
The prioritization of the traffic on the downstream (for example, from wired to
wireless) and on the upstream (for example, from wireless to wired) is dictated by
the configuration of the WLAN Service and the QoS tagging within the packets,
as set by the wireless devices and the host devices on the wired network.
Both Layer 3 tagging (DSCP) and Layer 2 (802.1d) tagging are supported, and
the mapping is conformant with the WMM specification. If both L2 and L3 priority
tags are available, then both are taken into account and the chosen AC is the
highest resulting from L2. If only one of the priority tags is present, it is used to
select the queue. If none is present, the default queue AC_BE is chosen.
Note: If the wireless packets to be transmitted must include the L2 priority (send
to a WMM client from a WMM-enabled AP), the outbound L2 priority is copied
from the inbound L2 priority if available, or it is inferred from the L3 priority using
the above table if the L2 inbound priority is missing.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
373
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
VNS type
Packet Source
Packet type
L2
L3
Tunneled
Wired
Untagged
No
Yes
Branch
Wired
VLAN tagged
Yes
Yes
Branch
Wired
Untagged
No
Yes
Branch or Tunneled
Wireless
WMM
Yes
Yes
Branch or Tunneled
Wireless
non-WMM
No
Yes
Table 29
Traffic prioritization
To configure QoS Policy:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the WLAN Services pane, then click the WLAN
Service. The WLAN Services configuration page is displayed.
3. Click the QoS tab.
4. From the Wireless QoS list, do the following:
374
•
Legacy – Select if your service will support legacy devices.
•
WMM – Select to enable the AP to accept WMM client associations, and
classify and prioritize the downlink traffic for all WMM clients. Note that
WMM clients will also classify and prioritize the uplink traffic. WMM is part
of the 802.11e standard for QoS. If selected, the Turbo Voice and Enable
U-APSD options are displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
•
802.11e – Select to enable the AP to accept WMM client associations,
and classify and prioritize the downlink traffic for all 802.11e clients. The
802.11e clients will also classify and prioritize the uplink traffic. If selected,
the Turbo Voice and the Enable U-APSD options are displayed:
•
Turbo Voice – Select to enable all downlink traffic that is classified to the
Voice (VO) AC and belongs to that VNS to be transmitted by the AP via a
queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue.
When Turbo Voice is enabled together with WMM or 802.11e, the WMM
and/or 802.11e clients in that VNS are instructed by the AP to transmit all
traffic classified to VO AC with special contention parameters tailored to
maximize voice performance and capacity.
•
Enable U-APSD – Select to enable the Unscheduled Automatic Power
Save Delivery (U-APSD) feature. This feature can be used by mobile
devices to efficiently sustain one or more real-time streams while being in
power-save mode. This feature works in conjunction with WMM and/or
802.11e, and it is automatically disabled if both WMM and 802.11e are
disabled.
5. To configure advanced QoS policy settings, click Advanced. The Advanced
dialog is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
375
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring WLAN Services
6. To force a service class and DSCP marking, select the Priority Override
checkbox. For the Service Class selection, you can click one of the eight
service classes.
•
•
Service class – From the drop-down list, click the appropriate priority
level:
•
Network control (7) – The highest priority level.
•
Premium (Voice) (6)
•
Platinum (5)
•
Gold (4)
•
Silver (3)
•
Bronze (2)
•
Best Effort (1)
•
Background (0) – The lowest priority level
DSCP marking – From the drop-down list, click the DSCP value used to
tag the IP header of the encapsulated packets.
When Priority Override is enabled, the configured service class forces
queue selection in the downlink direction, the 802.1P user priority for the
VLAN tagged Ethernet packets and the user priority for the wireless QoS
packets (WMM or 802.11e), according to the mapping between service class
and user priority. If Priority Override is enabled and the VNS is not locally
bridged, the configured DSCP value is used to tag the IP header of the
encapsulated packets. The AP does not override the DSCP in the IP header
of the user packet.
7. If you want to assign a service class to each DSCP marking, clear the Priority
Override checkbox and define the DSCP service class priorities in the DSCP
classification table.
8. The Advanced Wireless QoS options are only displayed if the WMM or
802.11e checkboxes are selected:
376
•
Use Global Admission Control for Voice (VO) – Select to enable
admission control for Voice. With admission control, clients are forced to
request admission to use the high priority access categories in both
downlink and uplink direction. Admission control protects admitted traffic
against new bandwidth demands.
•
Use Global Admission Control for Video (VI) – This feature is only
available If admission control is enabled for Voice. Select to enable
admission control for Video. With admission control, clients are forced to
request admission to use the high priority access categories in both
downlink and uplink direction. Admission control protects admitted traffic
against new bandwidth demands.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
•
•
UL Policer Action – If Use Global Admission Control for Voice (VO)
or Use Global Admission Control for Video (VI) is enabled, click the
action you want the Wireless AP to take when TSPEC violations occurring
on the uplink direction are discovered:
•
Do nothing – Click to allow TSPEC violations to continue when they
are discovered. Data transmissions will continue and no action is
taken against the violating transmissions.
•
Send DELTS to Client – Click to end TSPEC violations when it they
are discovered. This action deletes the TSPEC.
DL Policer Action – If Use Global Admission Control for Voice (VO)
or Use Global Admission Control for Video (VI) is enabled, click the
action you want the Wireless AP to take when TSPEC violations occurring
on the downlink direction are discovered:
•
Do nothing – Click to allow TSPEC violations to continue when they
are discovered. Data transmissions will continue and no action is
taken against the violating transmissions.
•
Downgrade – Click to force the transmission’s data packets to be
downgraded to the next priority when a TSPEC violation is
discovered.
•
Drop – Click to force the transmission’s data packets to be dropped
when a TSPEC violation is discovered.
9. Close the Advanced window.
10. Check the Use Flexible Client Access checkbox to enable flexible client
access. Flexible client access levels are set as part of the VNS global
settings.
11. To save your changes, click Save.
6.10 Configuring Policy
Policy configuration defines the binding of a Topology (VLAN), ingress and egress
Rate Profiles applied to the traffic of a station, and filter rules.
In general, Class of Service refers to a set of attributes that define the importance
of a frame while it is forwarded through the network relative to other packets, and
to the maximum throughput per time unit that a station or port assigned to the
policy is permitted. The Class of Service defines actions to be taken when rate
limits are exceeded.
On the HiPath Wireless Controller, configuration of the CoS is part of a WLAN
Service while the Rate Control and Filtering are part of Policy definition.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
377
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
Policies don't need to be fully specified; Unspecified attributes are retained by the
user or inherited from Global Policy definitions (see Section 6.2.6, “Configuring
the Global Default Policy”, on page 276 for more information).
Default Global Policy definitions provide a placeholder for completion of
incomplete policies for initial default assignment. If a policy is defined as Default
for a particular VNS, incomplete (NO-CHANGE) attributes are inherited from
Default Global Policy Definitions
6.10.1 Configuring VLAN and Class of Service for a
Policy
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Policies pane and click the Policy you want to edit,
or click the New button to create a new Policy. The Policy window is
displayed.
3. Select the VLAN & Class of Service tab.
4. In the Core area, enter the name of the policy.
5. In the Topology area, select an existing topology from the Assigned
Topology drop-down list, or click the New button to create a new topology.
To edit an existing topology, select the topology and then click the Edit button.
Refer to Section 6.8, “Configuring a Topology”, on page 319 for information
about configuring a topology.
378
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
6. In the Rate Profiles area, select an existing Ingress and/or Egress Rate
Profile from the drop-down lists, or click the New button to create a new rate
control profile. To edit an existing profile, click Edit.
7. In the Add or Edit Rate Control Profile dialog, do the following:
a) Enter the name of the new profile.
b) Enter a value for the Average Rate (Committed Information Rate) in Kbps.
c) Enable or disable synchronization.
d) Click Add to save your changes and return to the VLAN & Class of
Service tab.
Refer to Section 6.2.5, “Working with bandwidth control profiles”, on page 275
for more information.
8. If desired, enable synchronization by selecting the Synchronize checkbox.
9. Click Save to save your changes.
6.10.2 About filtering rules
The next step in configuring a Policy is to define the filter rules. The Policy name
should match filter ID values set up on the RADIUS servers.
Note: This configuration step is optional. If filter ID values are not defined, the
system uses the default filter as the applicable filter for authenticated users.
However, if more user-specific filter definitions are required, for example filters
based on a user’s department, then the filter ID configuration is used to identify
the specific Policy that should be applied to the user.
The filter definition can be static on the HiPath Wireless Controller itself, or the
filter definition can be set to be dynamically provisioned if RADIUS authentication
is used. The standard RADIUS attribute can be used to identify a specific filter
definition to apply to incoming/outgoing user traffic upon successful
authentication of the user during authentication.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
379
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
Configuring filtering rules/Policy in the case of SSID network assignment
The SSID network assignment type offers the following three default filters:
•
Exception
•
Non-authenticated
•
Default
Configuring filtering rules for a Non-authenticated filter
The rules for a Non-authenticated filter enable you to identify and manage the
destinations to which a mobile device is allowed to gain access without
undergoing an authentication redirection. Typically, the recommended default
rule is to deny all. Administrators must define the rules that will permit users to
access essential services such as the following:
•
DNS
•
Default Gateway (VNS interface IP for routed VNSs)
Any HTTP streams requested by the client for denied targets will be redirected to
the specified location.
Configuring filtering rules for Default filter
The Default filter is applied by default (automatically) after the authentication of
the wireless device under the following circumstances:
•
No match is found in the Exception filter rules
•
No filter ID attribute value is returned by the authentication server for the
device
•
No Policy name match to the filter ID value is found
To ensure that a packet is not dropped entirely under the above circumstances,
the final rule in the Default filter must be Allow All.
Configuring filtering rules/Policy in the case of AAA network assignment
The AAA network assignment type offers the following two default filters:
•
Default
•
Exception
In AAA network assignment type, a Non-authenticated filter becomes
unnecessary because the users are already authenticated.
380
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
6.10.3 Configuring Filter Rules for a Policy
Defining non-authenticated filters allows administrators to identify destinations to
which a mobile user is allowed to access without incurring an authentication
redirection. Typically, the recommended default rule is to deny all. Administrators
should define a rule set that will permit users to access essential services:
•
DNS (IP of DNS server)
•
Default Gateway (VNS Interface IP)
Any HTTP streams requested by the client for denied targets will be redirected to
the specified location.
The non-authenticated filter should allow access to the Captive Portal page IP
address, as well as to any URLs for the header and footer of the Captive Portal
page. This filter should also allow network access to the IP address of the DNS
server and to the network address—the gateway of the Topology. The gateway is
used as the IP for an internal Captive Portal page. An external Captive Portal will
provide a specific IP definition of a server outside the HiPath Wireless Controller.
Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless
device user attempting to reach Websites other than those specifically allowed in
the non-authenticated filter will be redirected to the allowed destinations. Most
HTTP traffic outside of those defined in the non-authenticated filter will be
redirected.
Note: Although non-authenticated filters definitions are used to assist in the
redirection of HTTP traffic for restricted or denied destinations, the nonauthenticated filter is not restricted to HTTP operations. The filter definition is
general. Any traffic other than HTTP that the filter does not explicitly allow will be
discarded by the controller.
The non-authenticated filter is applied by the HiPath Wireless Controller to
sessions until they successfully complete authentication. The authentication
procedure results in an adjustment to the user's applicable filters for access
policy.
Typically, default filter ID access is less restrictive than a non-authenticated
profile. It is the administrator’s responsibility to define the correct set of access
privileges.
To define filtering rules for a non-authenticated filter:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Policies pane and click the Policy you want to edit,
or click the New button to create a new Policy. The Policy tab is displayed.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
381
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
3. Click the Filter Rules tab. The HWC Filters tab displays, allowing you to
create filter rules that will be applied by the controller.
The HWC Filters tab automatically provides a Deny All rule already in place.
Use this rule as the final rule in the non-authenticated filter for Captive Portal.
4. If you do not want the currently applied filter settings to change when this
Policy is applied, check the Do not change checkbox.
5. To add a rule, click Add. The fields in the Add Filter area are enabled.
6. From the IP/subnet drop-down list, select one of the following:
•
User Defined, then type the destination IP address and mask.
Use this option to explicitly define the IP/subnet aspect of the filter rule.
•
IP. Use this option to map the rule to the associated Topology IP address.
•
Subnet. Use this option to map the rule to the associated Topology
segment definition (IP address/mask).
7. From the Port drop-down list, select one of the following:
•
User Defined, then type the port number.
Use this option to explicitly specify the port number.
•
382
A specific port type. The appropriate port number or numbers are added
to the Port text field.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
8. In the Protocol drop-down list, click the applicable protocol. The default is
N/A. Refer to Section 6.10.4, “ICMP Type enforcement”, on page 385 for
more information when selecting the ICMP protocol.
Note: For Captive Portal assignment, define a rule to allow access to the
default gateway for this controller. You should also configure a rule denying
HTTP on the controller.
9. Click OK. The information is displayed in the HWC Filters rule table.
10. Click the new filter in the rule table, then do the following:
•
If applicable, select In to refer to traffic from the network host that is trying
to get to a wireless device.
•
If applicable, select Out to refer to traffic from the wireless device that is
trying to get on the network.
•
Select the Allow checkbox applicable to the rule you defined.
11. To edit the order of filters, click the filter, and then click the Up and Down
buttons. The filtering rules are executed in the order you define here.
12. To save your changes, click Save.
Note: Administrators must ensure that the non-authenticated filter allows
access to the corresponding authentication server:
• Internal Captive Portal – IP address of the VNS interface
• External Captive Portal – IP address of external Captive Portal server
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
383
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
6.10.3.1 Non-authenticated filter examples
A basic non-authenticated filter for internal Captive Portal should have three
rules, in the following order:
In
Out
Allow IP / Port
IP address of default
Allow all incoming wireless devices
gateway (VNS Interface access to the default gateway of the VNS.
IP)
IP address of the DNS
Server
Allow all incoming wireless devices
access to the DNS server of the VNS.
*.*.*.*
Deny everything else.
Table 30
Description
Non-authenticated filter example A
Note: For external Captive Portal, an additional rule to Allow (in/out) access to
the external Captive Portal authentication/Web server is required.
If you place URLs in the header and footer of the Captive Portal page, you must
explicitly allow access to any URLs mentioned in the authentication's server
page, such as:
•
Internal Captive Portal – URLs referenced in a header or footer
•
External Captive Portal – URLs mentioned in the page definition
Here is another example of a non-authenticated filter that adds two more filtering
rules. The two additional rules do the following:
•
Deny access to a specific IP address.
•
Allows only HTTP traffic.
In
Out
Allow IP / Port
IP address of the default Allow all incoming wireless devices
gateway
access to the default gateway of the VNS.
IP address of the DNS
Server
Table 31
384
Description
Allow all incoming wireless devices
access to the DNS server of the VNS.
[a specific IP address, or Deny all traffic to a specific IP address, or
address plus range]
to a specific IP address range (such
as:0/24).
*.*.*.*:80
Allow all port 80 (HTTP) traffic.
*.*.*.*
Deny everything else.
Non-authenticated filter example B
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
Once a wireless device user has logged in on the Captive Portal page, and has
been authenticated by the RADIUS server, then the following filters will apply:
•
Policy filters – If a filter ID associated with this user was returned by the
authentication server, then the Policy with the same name as the filter ID will
be applied.
•
Default filter – If no matching filter ID was returned from the authentication
server.
6.10.3.2 Authenticated filter examples
Below are two examples of possible filtering rules for authenticated users. The
first example disallows some specific access before allowing everything else.
In
Out
Allow IP / Port
*.*.*.*:22-23
SSH and telnet sessions
[specific IP address,
range]
Deny all traffic to a specific IP address
or address range
*.*.*.*.
Allow everything else
Table 32
Description
Filtering rules example A
The second example does the opposite of the first example. It allows some
specific access and denies everything else.
In
Out
Allow IP / Port
Description
[specific IP address,
range]
Allow traffic to a specific IP address or
address range.
*.*.*.*.
Deny everything else.
Table 33
Filtering rules example B
6.10.4 ICMP Type enforcement
ICMP filter rules can now be constrained to ICMP type/range. You can define the
ICMP type/range in the Port field using the TCP/UDP port definition
nomenclature. That is, define the rule as a normal IP/subnet:port signature
(10.0.0.0/24:8), where the ICMP type is entered in the Port field.
This feature allows for tighter granularity over enforcement of ICMP restrictions.
You can allow redirects and DF/MTU indications, and deny ICMP Echo (pings) for
users.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
385
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
6.10.5 Filtering rules for a default filter
After authentication of the wireless device user, the default filter will apply only
after:
•
No match is found for the Exception filter rules.
•
No filter ID attribute value is returned by the authentication server for this
user.
•
No Policy match is found on the HiPath Wireless Controller for the filter ID
value.
The final rule in the default filter should be a catch-all rule for any traffic that did
not match a filter. A final Allow All rule in a default filter will ensure that a packet
is not dropped entirely if no other match can be found. VNS Policy is also
applicable for Captive Portal and MAC-based authorization.
6.10.5.1 Default filter examples
The following are examples of filtering rules for a default filter:
In
Out
Allow IP / Port
Intranet IP, range
Deny all access to an IP range
Port 80 (HTTP)
Deny all access to Web browsing
Intranet IP
Deny all access to a specific IP
*.*.*.*.
Allow everything else
Table 34
In
Out
Default filter example A
Allow IP / Port
Intranet IP 10.3.0.20, ports Deny all traffic from the network to the
10-30
wireless devices on the port range,
such as telnet (port 23) or FTP (port 21)
Table 35
386
Description
Port 80 (HTTP) on host IP Deny all incoming wireless devices
access to Web browsing the host
Description
Intranet IP 10.3.0.20
Allow all other traffic from the wireless
devices to the Intranet network
Intranet IP 10.3.0.20
Allow all other traffic from Intranet
network to wireless devices
*.*.*.*.
Deny everything else
Default filter example B
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
6.10.5.2 Filtering rules between two wireless devices
Traffic from two wireless devices that are on the same VNS and are connected to
the same Wireless AP will pass through the HiPath Wireless Controller and
therefore be subject to filtering policy. You can set up filtering rules that allow each
wireless device access to the default gateway, but also prevent each device from
communicating with each other.
Add the following two rules to a filter ID filter, before allowing everything else:
In
Out
Allow IP / Port
Description
Allow access to the Gateway IP address of the
VNS only
Table 36
[Intranet IP]
[Intranet IP, range] Deny all access to the VNS subnet range (such
as 0/24)
*.*.*.*.
Allow everything else
Rules between two wireless devices
Note: You can also prevent the two wireless devices from communicating with
each other by setting Block Mu to MU traffic. See Section 6.9.1.3, “Assigning an
optional default topology to a service”, on page 333.
6.10.6 Defining filter rules for Wireless APs
You can also apply filter rules on the Wireless AP. Applying filter rules at the
Wireless AP helps restrict unwanted traffic at the edge of your network. The
Wireless APs can support up to a maximum of 32 filters rules per group. Filtering
at the Wireless AP can be configured with the following Topology types:
•
Bridge Traffic Locally at the AP – If filtering at the Wireless AP is enabled
on a Bridge Traffic Locally at the AP topology, the filtering is applied to traffic
in both the uplink and downlink direction — the uplink direction is from the
wireless device to the network, and downlink direction is from the network to
the wireless device.
•
Routed and Bridge Traffic Locally at the HWC – If filtering at the Wireless
AP is enabled on a Routed or Bridge Traffic Locally at the HWC topology, the
filtering is applied only to traffic in the UL direction. The filters applied in the
UL direction at the Wireless AP can be the same or different from filters
applied at the HiPath Wireless Controller.
Wireless AP filtering
When filtering at the Wireless AP is enabled, Wireless APs obtain client filter
information from the HiPath Wireless Controller. In addition, direct inter-Wireless
AP communication allow Wireless APs to exchange client filter information as
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
387
hwc_vnsconfiguration.fm
Configuring a VNS
Configuring Policy
clients roam from one Wireless AP to another. This allows the system to achieve
a very fast roaming time. To take advantage of inter-Wireless AP communication,
you should configure the network so that Wireless APs in the mobility domain can
communicate with each other through the Wireless AP's Ethernet interface. Also,
multicast traffic with an IP address of 224.0.1.178 should be allowed between
Wireless APs.
To define filter rules to be applied by Wireless APs:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane expand the Policies pane and click the Policy you want to edit,
or click the New button to create a new Policy. The Policy tab is displayed.
3. Click the Filter Rules tab. The HWC Filters tab displays.
4. Select the Enable AP Filtering checkbox. This enables the filter rules
defined on the HWC Filters tab to be applied by Wireless APs.
5. If you want to configure additional filters for the APs, select the Custom AP
Filters checkbox. An AP Filters tab is added to the window. Click the AP
Filters tab to display it.
6. To add a rule, click Add. The fields in the Add Filter area are enabled.
7. From the IP/subnet drop-down list, select one of the following:
•
User Defined, then type the destination IP address and mask.
Use this option to explicitly define the IP/subnet aspect of the filter rule.
•
IP. Use this option to map the rule to the associated Topology IP address.
•
Subnet. Use this option to map the rule to the associated Topology
segment definition (IP address/mask).
8. From the Port drop-down list, select one of the following:
•
User Defined, then type the port number.
Use this option to explicitly specify the port number.
•
A specific port type. The appropriate port number or numbers are added
to the Port text field.
9. In the Protocol drop-down list, click the applicable protocol. The default is
N/A.
10. To add the new filter rule, click OK The filter rule is added to the filter group.
11. In the filter rule table, click the filter, and then do the following:
•
388
If applicable, select Out to refer to traffic from the wireless device that is
trying to get on the network.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
•
If applicable, select In to refer to traffic from the network host that is trying
to get to a wireless device.
•
Select the Allow checkbox applicable to the rule you defined.
12. To edit the order of filter rules, click the filter, and then click the Up and Down
buttons. The filtering rules are executed in the order you define here.
13. To save your changes, click Save.
6.11 Working with a Wireless Distribution System
A Wireless Distribution System (WDS) enables you to expand the wireless
network by interconnecting the Wireless APs through wireless links in addition to
the traditional method of interconnecting Wireless APs via a wired network.
Note: The Scalance AP W788-2 and AP2605 do not support WDS.
A WDS deployment is ideally suited for locations, where installing ethernet
cabling is too expensive, or physically impossible.
The WDS can be deployed in three configurations:
•
Simple WDS Configuration
•
Wireless Repeater Configuration
•
Wireless Bridge Configuration
6.11.1 Simple WDS configuration
In a typical configuration, the Wireless APs are connected to the distribution
system via an Ethernet network, which provides connectivity to the HiPath
Wireless Controller.
However, when a Wireless AP is installed in a remote location and can’t be wired
to the distribution system, an intermediate Wireless AP is connected to the
distribution system via the Ethernet link. This intermediate Wireless AP forwards
and receives the user traffic from the remote Wireless AP over a radio link.
The intermediate Wireless AP that is connected to the distribution system via the
Ethernet network is called Root AP, and the Wireless AP that is remotely located
is called the Satellite AP.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
389
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
The following figure illustrates the Simple WDS configuration:
Root Wireless AP
Satellite Wireless AP
HiPath Wireless Controller
Client Devices
Figure 14
Simple WDS configuration
6.11.2 Wireless Repeater configuration
In Wireless Repeater configuration, a Repeater Wireless AP is installed between
the Root Wireless AP and the Satellite Wireless AP. The Repeater Wireless AP
relays the user traffic between the Root Wireless AP and the Satellite Wireless
AP. This increases the WLAN range.
The following figure illustrates the Wireless Repeater configuration:
Root Wireless AP
Repeater Wireless AP
HiPath Wireless Controller
Satellite Wireless AP
Client Devices
Figure 15
Wireless Repeater configuration
Note: You should restrict the number of repeater hops in a Wireless Repeater
configuration to three for optimum performance.
390
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
6.11.3 Wireless Bridge configuration
In Wireless Bridge configuration, the traffic between two Wireless APs that are
connected to two separate wired LAN segments is bridged via WDS link. You may
also install a Repeater Wireless AP between the two Wireless APs connected to
two separate LAN segments.
HiPath Wireless
Controller
Root AP
Repeater AP
LAN Segment 1
Figure 16
Satellite AP
LAN Segment 2
Wireless Bridge configuration
When you are configuring the Wireless Bridge configuration, you must specify on
the user interface that the Satellite AP is connected to the wired LAN.
6.11.4 Examples of deployment
The following illustration depicts a few examples of WDS deployment.
Figure 17
Examples of WDS deployment
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
391
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
6.11.5 WDS WLAN Services
In a traditional HiPath WLAN deployment, each radio of the Wireless AP can
interact with the client devices on a maximum of eight networks.
In WDS deployment, one of the radios of every WDS Wireless AP establishes a
WDS link on an exclusive WLAN Service. The WDS Wireless AP is therefore
limited to seven network WLAN Services on the WDS radio. The other radio can
interact with the client-devices on a maximum of eight WLAN Services.
Note: The Root Wireless AP and the Repeater Wireless APs can also be
configured to interact with the client-devices. For more information, see Section
6.11.7.3, “Assigning the Satellite Wireless APs’ radios to the network WLAN
Services”, on page 404.
The WLAN Service on which the Wireless APs establish the WDS link is called
the WDS WLAN Service.
A WDS can be setup either by using either a single WDS WLAN Service or
multiple WDS WLAN Services. The following figures illustrate the point.
•
•
•
•
•
Figure 18
The rectangular
enclosure denotes an
office building
The four Wireless APs —
Minoru, Yosemite, Bjorn
and Lancaster — are
within the confines of the
building and are
connected to the wired
network.
The space around the
office building is a ware
house.
The solid arrows point
towards Preferred
Parents.
The dotted arrows point
towards Backup Parents.
Deployment Example
WDS setup with a single WDS WLAN Service
Deploying the WDS for the above example using a single WDS WLAN Service
results in the following structure.
392
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
HiPath Wireless
Controller
Lancaster
Ion
Minoru
Urso
Dove
Theodore
Client
Devices
Figure 19
WDS setup with a single WDS WLAN Service
The tree will operate as a single WDS entity. It will have a single WDS SSID and
and a single pre-shared key for WDS links. This tree will have multiple roots. For
more information, see Section 6.11.6.3, “Multi-root WDS topology”, on page 396.
WDS setup with multiple WDS WLAN Services
You can also deploy the same WDS in Figure 18 using two WDS WLAN Services.
The Two WDS WLAN Services will create two independent WDS trees. Both the
trees will operate on separate SSIDs and use separate pre-shared keys.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
393
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
HiPath Wireless
Controller
Lancaster
Minoru
Ion
Urso
Theodore
Dove
Client Devices
Figure 20
WDS setup with multiple WDS WLAN Services
6.11.6 Key features of WDS
Some key features of WDS are:
•
Tree-like topology
•
Radio Channels
•
Multi-root WDS topology
•
Automatic discovery of parent and backup parent Wireless APs
•
Link security
6.11.6.1 Tree-like topology
The Wireless APs in WDS configuration can be regarded as nodes, and these
nodes form a tree-like structure. The tree builds in a top down manner with the
Root Wireless AP being the tree root, and the Satellite Wireless AP being the tree
leaves.
394
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
The nodes in the tree-structure have a parent-child relationship. The Wireless AP
that provides the WDS service to the other Wireless APs in the downstream
direction is a parent. The Wireless APs that establish a link with the Wireless AP
in the upstream direction for WDS service are children.
Note: If a parent Wireless AP fails or stops to act a parent, the children Wireless
APs will attempt to discover their backup parents. If the backup parents are not
defined, the children Wireless APs will be left stranded.
The following figure illustrates the parent-child relationship between the nodes in
a WDS topology.
Root Wireless AP
•
•
HiPath Wireless
Controller
•
•
Repeater Wireless AP 1
•
Repeater Wireless AP 2
•
Satellite Wireless AP 1
Satellite Wireless AP 2
Client Devices
Figure 21
Root Wireless AP is the parent of
Repeater Wireless AP 1.
Repeater Wireless AP 1 is the child
of Root Wireless AP.
Repeater Wireless AP 1 is the
parent of Repeater Wireless AP 2.
Repeater Wireless AP 2 is the child
of Repeater Wireless AP 1.
Repeater Wireless AP 2 is the
parent of the following Wireless
APs:
– Satellite Wireless AP 1
– Satellite Wireless AP 2
– Satellite Wireless AP 3
All the three Satellite APs are the
children of Repeater Wireless AP 2.
Satellite Wireless AP 3
Client Devices
Parent-child relationship between Wireless APs in WDS
configuration
The WDS system enables you to configure the Wireless AP’s role — parent,
child or both — from the HiPath Wireless Controller’s interface. If the WDS
Wireless AP will be serving as a parent and a child in a given topology, its role is
configured as both.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
395
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
Note: Siemens recommends that you limit the number of APs participating in a
WDS tree to 8. This limit guarantees decent performance in most typical
situations.
Note: If a Wireless AP is configured to serve as a scanner in Mitigator, it cannot
be used in a WDS tree. For more information, see Chapter 10, “Working with the
Mitigator”.
6.11.6.2 Radio Channels
The radio channel on which the child Wireless AP operates is determined by the
parent Wireless AP.
A Wireless AP may connect to its parent Wireless AP and children Wireless APs
on the same radio, or on different radios. Similarly, a Wireless AP can have two
children operating on two different radios.
Note: When a Wireless AP is connecting to its parent Wireless AP and children
APs on the same radio, it uses the same channel for both the connections.
6.11.6.3 Multi-root WDS topology
A WDS topology can have multiple Root Wireless APs. Figure 22 illustrates the
multiple-root WDS topology.
396
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
HiPath Wireless
Controller
Root Wireless AP 1
Root Wireless AP 2
Repeater AP 1
Satellite AP 1
Repeater AP 2
Satellite AP 2
Wireless
Devices
Figure 22
Root Wireless AP 3
Repeater AP 3
Satellite AP 3
Wireless
Devices
Multiple-root WDS topology
6.11.6.4 Automatic discovery of parent and backup parent
Wireless APs
The children Wireless APs, including the Repeater Wireless AP and the Satellite
Wireless APs, scan for their respective parents at a startup.
You can manually configure a parent and backup parent for the children Wireless
APs or you can enable the children Wireless APs to automatically select the best
parent out of all of the available APs. If you choose automatic parent Wireless AP
selection, a child Wireless AP selects a parent Wireless AP based on its received
signal strength and the number of hops to the root Wireless AP. After a parent
Wireless AP and backup parent Wireless AP is selected, the Wireless APs will
first try to negotiate a WDS link with the parent Wireless AP. If the WDS link
negotiation is unsuccessful, the Wireless AP will try to negotiate a link with the
backup parent.
6.11.6.5 Link security
The WDS link is encrypted using Advance Encryption Standard (AES).
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
397
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
Note: The keys for AES are configured prior to deploying the Repeater or
Satellite Wireless APs.
6.11.7 Deploying the WDS system
Before you start configuring the WDS Wireless APs, you must ensure the
following:
•
The Wireless APs that are part of the wired HiPath WLAN are connected to
the wired network.
•
The wired Wireless APs that will serve as the Root AP/Root APs of the
proposed WDS topology are operating normally.
•
The HiPath WLAN is operating normally.
Sketching the WDS topology
You may sketch the proposed WLAN topology on paper before you start the WDS
deployment process. You should clearly identify the following in the sketch:
•
WDS Wireless APs with their names
•
Parent-child relationships between Wireless APs
•
Radios that you will choose to link the Wireless AP’s parents and children
Provisioning the WDS Wireless APs
This step is of crucial importance and involves connecting the WDS Wireless APs
to the enterprise network via the Ethernet link. This is done to enable the WDS
Wireless APs to connect to the HiPath Wireless Controller so that they can derive
their WDS configuration.
The WDS Wireless AP’s configuration includes pre-shared key, its role, preferred
parent name and the backup parent name.
Note: The provisioning of WDS Wireless APs must be done before they are
deployed at the target location. If the Wireless APs are not provisioned, they will
not work at their target location.
WDS deployment overview
The following is the high-level overview of the WDS deployment process:
398
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
1. Connecting the WDS Wireless APs to the enterprise network via the Ethernet
network to enable them to discover and register themselves with the HiPath
Wireless Controller. For more information, see Section 4.2, “Discovery and
registration overview”, on page 107.
2. Disconnecting the WDS Wireless APs from the enterprise network after they
have discovered and registered with the HiPath Wireless Controller.
3. Creating a WDS VNS.
4. Assigning roles, parents and backup parents to the WDS Wireless APs.
5. Assigning the Satellite Wireless APs’ radios to the network VNSs.
6. Connecting the WDS Wireless APs to the enterprise network via the Ethernet
link for provisioning. For more information, see Section 6.11.7, “Provisioning
the WDS Wireless APs”, on page 398.
7. Disconnecting the WDS Wireless APs from the enterprise network and
moving them to the target location.
Note: During the WDS deployment process, the WDS Wireless APs are
connected to the enterprise network on two occasions — first to enable them to
discover and register with the HiPath Wireless Controller, and then the second
time to enable them to obtain the provisioning from the HiPath Wireless
Controller.
6.11.7.1 Connecting the WDS Wireless APs to the enterprise
network for discovery and registration
Connect each WDS Wireless AP to the enterprise network to enable it to discover
and register itself with the HiPath Wireless Controller.
Note: Before you connect the WDS Wireless APs to the enterprise network for
discovery and registration, you must ensure that the Security mode property of
the HiPath Wireless Controller is defined according to your security needs. The
Security mode property dictates how the HiPath Wireless Controller behaves
when registering new and unknown devices. For more information, see Section
4.2.5, “Defining properties for the discovery process”, on page 126.
If the Security mode is set to Allow only approved Wireless APs to connect
(this is also known as secure mode), you must manually approve the WDS
Wireless APs after they are connected to the network for the discovery and
registration. For more information, see Section 4.3, “Adding and registering a
Wireless AP manually”, on page 129.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
399
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
Depending upon the number of Ethernet ports available, you may connect one or
more WDS Wireless APs at a time, or you may connect all of them together.
Once a WDS Wireless AP has discovered and registered itself with the HiPath
Wireless Controller, disconnect it from the enterprise network.
6.11.7.2 Configuring the WDS Wireless APs through the HiPath
Wireless Controller
Configuring the WDS Wireless APs involves the following steps:
1. Creating a WDS WLAN Service.
2. Defining the SSID name and the pre-shared key.
3. Assigning roles, parents and backup parents to the WDS Wireless APs.
For ease of understanding, the WDS configuration process is explained with an
example. Figure 23 depicts a site with the following features:
•
An office building, denoted by a rectangular enclosure.
•
Four Wireless APs — Ardal, Arthur, Athens and Auberon — are within the
confines of the building, and are connected to the wired network.
•
The space around the building is the warehouse.
•
•
Figure 23
The solid arrows
point toward
Preferred
Parents.
The dotted
arrows point
toward Backup
Parents.
WDS Deployment
Note: With the single WDS VNS, the tree structure for the WDS deployment will
be as depicted on the bottom right of Figure 23. You can also implement the same
deployment using four WDS VNSs, each for a set of Wireless APs in the four
400
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
corners of the building. Each set of Wireless APs will form an isolated topology
and will operate using a separate SSID and a separate Pre-shared key. For more
information, see Section 6.11.5, “WDS WLAN Services”, on page 392.
To configure the WDS Wireless APs through the HiPath Wireless Controller:
Note: You must identify and mark the Preferred Parents, Backup Parents and the
Child Wireless APs in the proposed WDS topology before starting the
configuration process.
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the WLAN Services pane and select a WDS service
to edit or click the New button.
3. Enter a name for the service in the Name field.
4. The SSID field is automatically filled in with the name, but you can change it
if desired.
5. For Service Type, select WDS.
6. To save your changes, click Save. The WLAN configuration window is redisplayed to show additional configuration fields.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
401
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
7. In the WDS Pre-shared Key box, type the key.
Note: The pre-shared key must be 8 to 63 characters long.
The WDS Wireless APs use this pre-shared key to establish a WDS link
between them.
Note: Changing the pre-shared key after the WDS is deployed can be a
lengthy process. For more information, see Section 6.11.8, “Changing the
pre-shared key in a WDS WLAN Service”, on page 406.
8. Assign the roles, preferred parents and backup parents to the Wireless AP
Radios.
Note: The roles — parent, child, and both — are assigned to the Radios of
the Wireless APs. A Wireless AP may connect to its parent Wireless AP and
children Wireless APs on the same Radio, or on a different Radio. Similarly,
a Wireless AP can have two children operating on two different Radios.
The Radio on which the child Wireless AP operates is determined by the
parent Wireless AP.
If the Wireless AP will be serving both as parent and child, you must select
both as its role.
To configure the WDS as illustrated in Figure 23 with a single WDS VNS, you
must assign the roles, preferred parents and backup parents to the Wireless
APs according to the following table:
402
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
Wireless AP Radio b/g
Radio a Preferred Parent
Backup Parent
Ardal
Parent
Parent
See the note below.
See the note below.
Arthur
Parent
Parent
See the note below.
See the note below.
Athens
Parent
Parent
See the note below.
See the note below.
Auberon
Parent
Parent
See the note below.
See the note below.
Bawdy
Both
Child
Ardal
Arthur
Bern
Both
Child
Arthur
Ardal
Barend
Both
Child
Athens
Auberon
Barett
Both
Child
Auberon
Athens
Osborn
Child
Child
Bawdy
Ardal
Oscar
Child
Child
Bern
Arthur
Orson
Child
Child
Barend
Athens
Oswald
Child
Child
Barett
Auberon
Table 37
Wireless APs and their roles
Note: Since the Root Wireless APs — Ardal, Arthur, Athens and Auberon —
are the highest entities in the tree structure, they do not have parents.
Therefore, the Preferred Parent and Backup Parent drop-down lists of the
Root Wireless APs do not display any Wireless AP. You must leave these two
fields blank.
Note: You must first assign the ‘parent’ role to the Wireless APs that will serve
as the parents. Unless this is done, the Parent Wireless APs will not be
displayed in the Preferred Parent and Backup Parent drop-down lists of
other Wireless APs.
Note: The WDS Bridge feature on the user interface relates to WDS Bridge
configuration. When you are configuring the WDS Bridge topology, you must
select WDS Bridge for Satellite Wireless AP that is connected to the wired
network. For more information, see Section 6.11.3, “Wireless Bridge
configuration”, on page 391.
To assign the roles, preferred parent and backup parent:
a) From the radio b/g drop-down list of the Root Wireless APs — Ardal,
Arthur, Athens and Auberon, click Parent.
b) From the radio a drop-down list of the Root Wireless APs — Ardal, Arthur,
Athens and Auberon, click Parent.
c) From the radio a and radio b/g drop-down list of other Wireless APs, click
the roles according to Table 37.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
403
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
d) From the Preferred Parent drop-down list of other Wireless APs, click the
parents according to Table 37.
e) From the Backup Parent drop-down list of other Wireless APs, click the
backup parents according to Table 37.
9. To save your changes, click Save.
6.11.7.3 Assigning the Satellite Wireless APs’ radios to the
network WLAN Services
You must assign the Satellite Wireless APs’s radios to the network WLAN
Services.
Note: Network WLAN Services are the typical WLAN Services on which the
Wireless APs service the client devices: Routed, Bridge Traffic Locally at
HWC, and Bridge Traffic Locally at AP. For more information, see Section 6.2,
“VNS global settings”, on page 267.
To assign the Satellite Wireless APs’ radios to the network WLAN Service:
1. From the main menu, click Virtual Network Configuration. The Virtual
Network Configuration screen is displayed.
2. In the left pane, expand the WLAN Services pane and select a network WDS
service to edit
404
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
3. In the Wireless APs list, select the radios of the Satellite APs — Osborn,
Oscar, Orson and Oswald.
Note: If you want the Root Wireless AP and the Repeater Wireless APs to
service the client devices, you must select their radios in addition to the radios
of the Satellite Wireless APs.
4. To save your changes, click Save.
5. Log out from the HiPath Wireless Controller.
6.11.7.4 Connecting the WDS Wireless APs to the enterprise
network for provisioning
You must connect the WDS Wireless APs to the enterprise network once more to
enable them to obtain their configuration from the HiPath Wireless Controller. The
configuration includes the pre-shared key, the Wireless AP’s role, preferred
parent and backup parent. For more information, see Provisioning the WDS
Wireless APs on page 398.
Warning: If you skip this step, the WDS Wireless APs will not work at their target
location.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
405
hwc_vnsconfiguration.fm
Configuring a VNS
Working with a Wireless Distribution System
6.11.7.5 Moving the WDS Wireless APs to the target location
1. Disconnect the WDS Wireless APs from the enterprise network, and move
them to the target location.
2. Install the WDS Wireless APs at the target location.
3. Connect the Wireless APs to a power source. The discovery and registration
processes are initiated.
Note: If you change any of the following configuration parameters of a WDS
Wireless AP, the WDS Wireless AP will reject the change:
• Reassigning the WDS Wireless AP’s role from Child to None
• Reassigning the WDS Wireless AP’s role from Both to Parent
• Changing the Preferred Parent of the WDS Wireless AP
However, the HiPath Wireless Controller will display your changes, as these
changes will be saved in the database. To enable the WDS Wireless AP to obtain
your changes, you must remove it from the WDS location and then connect it to
the HiPath Wireless Controller via the wired network.
Note: If you change any of the following radio properties of a WDS Wireless AP,
the WDS Wireless AP will reject the change:
• Disabling the radio on which the WDS link is established
• Changing the radio’s Tx Power of a radio on which the WDS link is established
• Changing the country
6.11.8 Changing the pre-shared key in a WDS WLAN
Service
To change the pre-shared key in a WDS WLAN Service
1. Create a new WDS WLAN Service with a new pre-shared key.
2. Assign the RF of the Wireless APs from the old WDS to the new WDS WLAN
Service.
3. Check the WDS Wireless AP Statistics report page to ensure that all the
WDS Wireless APs have connected to the HiPath Wireless Controller via the
new WDS VNS. For more information, see Section 11.4, “Viewing statistics
for Wireless APs”, on page 456.
4. Delete the old WDS WLAN Service. For more information, see Section 6.7.3,
“Deleting a VNS”, on page 318.
406
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Availability
7 Availability and session availability
This chapter describes the availability feature, including:
•
Availability
•
Session availability
•
Viewing the Wireless AP availability display
•
Viewing SLP activity
7.1 Availability
The HiPath Wireless Controller, Access Points and Convergence Software
system provides the availability feature to maintain service availability in the event
of a HiPath Wireless Controller outage.
The availability feature links two HiPath Wireless Controllers — the primary
controller and the secondary controller (backup controller). The primary and the
secondary controllers share information about their Wireless APs. If the primary
controller fails, its Wireless APs failover to the secondary controller. The
secondary controller provides the wireless network and pre-assigned VNSs for
the Wireless APs.
Note: During the failover event, the maximum number of failover APs the
secondary controller can accommodate is equal to the maximum number of APs
supported by the hardware platform.
Wireless APs that attempt to connect to the secondary controller during a failover
event are assigned to the WLAN Service that is defined in the system’s default
AP configuration, provided the administrator has not assigned the failover
Wireless APs to one or more VNSs. If a system default AP configuration does not
exist for the controller (and the administrator has not assigned the failover
Wireless APs to any WLAN Service), the APs will not be assigned to any WLAN
Service during the failover.
A HiPath Wireless Controller will not accept a connection by a foreign AP if the
HiPath Wireless Controller believes its availability partner controller is in service.
Also, the default Wireless AP configuration assignment is only applicable to new
APs that failover to the backup controller. Any Wireless AP that has previously
failed over and is already known to the backup system will receive the
configuration already present on that system. For more information, see Section
4.5.3, “Configuring the default Wireless AP settings”, on page 174.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
407
hwc_fastfailover.fm
Availability and session availability
Availability
During the failover event when the Wireless AP connects to the secondary
controller, the users are disassociated from the Wireless AP. Consequently, the
users must log on again and be authenticated on the secondary controller before
the wireless service is restored.
Note: If you want the mobile user’s session to be maintained, you must use the
‘session availability’ feature that enables the primary controller’s Wireless APs to
failover to the secondary controller fast enough to maintain the session
availability (user session). For more information, see Section 7.4, “Session
availability”, on page 417.
The availability feature provides Wireless APs with a list of local active interfaces
for the active controller as well as the active interfaces for the backup controller.
The list is sorted by top-down priority.
If the connection with an active controller link is lost (poll failure), the Wireless AP
automatically scans (pings) all addresses in its availability interface list. The
Wireless AP then connects to the highest priority interface that responds to its
probe.
7.1.1 Events and actions in availability
If one of the HiPath Wireless Controllers in a pair fails, the communication
between the two HiPath Wireless Controllers stops. This triggers a failover
condition and a critical message is displayed in the information log of the
secondary HiPath Wireless Controller.
After a Wireless AP on the failed HiPath Wireless Controller loses its connection,
it will try to connect to all enabled interfaces on both controllers without rebooting.
If the Wireless AP is not successful, it will begin the discovery process. If the
Wireless AP is not successful in connecting to the HiPath Wireless Controller
after five minutes of attempting, the Wireless AP will reboot if there is no Bridge
traffic locally at the AP topology associated to it.
408
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Availability
All mobile user’s sessions using the failover Wireless AP will terminate except
those associated to a Bridge traffic locally at the AP and if the Maintain client
sessions in event of poll failure option is enabled on the AP Properties tab or
AP Default Settings screen.
When the Wireless APs connect to the second HiPath Wireless Controller, they
are either assigned to the VNS that is defined in the system’s default AP
configuration or manually configured by the administrator. The mobile users log
on again and are authenticated on the second HiPath Wireless Controller.
When the failed HiPath Wireless Controller recovers, each HiPath Wireless
Controller in the pair goes back to normal mode. They exchange information
including the latest lists of registered Wireless APs. The administrator must
release the Wireless APs manually on the second HiPath Wireless Controller, so
that they may re-register with their home HiPath Wireless Controller. Foreign APs
can now all be released at once by using the Foreign button on the Access
Approval screen to select all foreign APs, and then clicking Release.
To support the availability feature during a failover event, you need to do the
following:
1. Monitor the critical messages for the failover mode message, in the
information log of the remaining HiPath Wireless Controller (in the Logs &
Traces section of the HiPath Wireless Assistant).
2. After recovery, on the HiPath Wireless Controller that did not fail, select the
foreign Wireless APs, and then click Release on the Access Approval
screen.
7.1.2 Availability prerequisites
Before you configure availability, you must do the following:
•
Choose the primary and secondary HiPath Wireless Controllers.
•
Verify the network accessibility for the UDP connection between the two
controllers. The availability link is established as a UDP session on port
13911.
•
Set up a DHCP server for AP subnets to support Option 78 for SLP, so that it
points to the IP addresses of the physical interfaces on both the HiPath
Wireless Controllers.
•
Ensure that the Poll Timeout value on the AP Properties tab Advanced
dialog is set to 1.5 to 2 times of Detect link failure value on the HiPath
Wireless Controller > Availability screen. For more information, see
Section 4.4.2, “Configuring a Wireless AP’s properties”, on page 132.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
409
hwc_fastfailover.fm
Availability and session availability
Configuring availability using the availability wizard
If the Poll Timeout value is less than 1.5 to 2 times of Detect link failure
value, the Wireless AP failover will not succeed because the secondary
controller will not be 'ready' to accept the failover APs.
On the other hand, if the Poll Timeout value is more than 1.5 to 2 times of
Detect link failure value, the Wireless APs failover will be unnecessarily
delayed, because the Wireless APs will continue polling the primary controller
even though the secondary controller is ready to accept them as the failover
APs.
•
To achieve ideal availability behavior, you must set the Poll Timeout value for
all Wireless APs to 15 seconds, and the Detect link failure on the HiPath
Wireless Controller > Availability screen to ten seconds.
7.2 Configuring availability using the availability wizard
The availability wizard allows you to create an availability pair from one of the
HiPath Wireless Controllers that will be in the availability pair. When creating the
availability pair, you also have the option to synchronize VNS definitions and
GuestPortal user accounts between the paired HiPath Wireless Controllers.
To configure availability using the availability wizard:
1. From the main menu, click Wireless Controller Configuration. The HiPath
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Availability. The availability configuration screen is
displayed.
3. In the Availability Wizard section, click Start. The Availability Pair Wizard
screen is displayed.
4. In the Connection Details section, do the following:
410
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Configuring availability using the availability wizard
•
Select Port – Select the port and IP address of the primary controller that
is to be used to establish the availability link.
•
Peer Controller IP – Type the IP address of the peer (secondary)
controller.
•
User – Type the login user name credentials of an account that has full
administrative privileges on the peer controller.
•
Password – Type the login password used with the user ID to login to the
peer controller.
•
Enable Fast Failover – Select this checkbox to enable Fast Failover for
the availability pair.
5. In the Synchronize Options section, do the following:
•
Synchronize System Configuration – Select this checkbox to push the
configured Routed and Bridge Traffic Locally at HWC VNS definitions
from the primary controller to the peer controller. WDS and 3rd Party AP
VNS definitions are ignored and not synchronized.
Note: Synchronizing the VNS definitions will delete and replace existing
VNS definitions on the peer controller.
•
Synchronize Guest Portal Accounts – Select this checkbox to push
GuestPortal user accounts to the peer controller.
6. Click Next.
•
If you are synchronizing topology definitions, the Topology Definitions
screen is displayed. Do the following:
a) In the Synchronization Settings section, complete the topology
properties that are missing. Any topology that did not already exist on
the peer controller will have missing properties on the Topology
Definitions screen.
The fields configured are actual parameter values that are configured
at the remote Controller with respect to associated topologies chosen
for synchronization. Some of these parameters are: Interface IP
address, Netmask, L2 port, VLAN ID, DHCP range, etc.
b) Click Finish.
•
If you are not synchronizing topology definitions, the availability wizard
completes the configuration.
7. Click Close.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
411
hwc_fastfailover.fm
Availability and session availability
Configuring availability manually
This operation marks the desired topologies for synchronization. The two
controllers exchange information and the configuration is applied to the remote
controller.
On the local controller, the “Enable Synchronization of System Configuration”
becomes selected. This can be double checked by navigating to VNS
Configuration, Global and then Sync Summary. This tab also lists all topologies,
policies, WLAN Services and VNSes with their synchronization status (on or off).
The Sync status for any of these elements can also be changed from this tab.
All these configurable elements have a Synchronize check box (on their main/
general configuration tab) that allows for individual control and selection of
availability from the main element configuration page.
7.3 Configuring availability manually
When configuring availability manually, you configure each HiPath Wireless
Controller separately.
1. On the HiPath Wireless Controller Configuration Availability screen, set up
the HiPath Wireless Controller in Paired Mode.
2. On the VNS configuration window, define a VNS (through topology, WLAN
service, policy and VNS configuration) on each HiPath Wireless Controller
with the same SSID. The IP addresses must be unique. For more information,
see Section 6.8, “Configuring a Topology”, on page 319. A HiPath Wireless
Controller VLAN Bridged topology can permit two controllers to share the
same subnet. This setup provides support for mobility users in a VLAN
Bridged VNS.
3. On both HiPath Wireless Controllers, on the Wireless AP Registration screen,
select the Security Mode Allow only approved Wireless APs to connect
option so that no more Wireless APs can register unless they are approved
by the administrator.
4. On each HiPath Wireless Controller, on the Wireless AP configuration
Access Approval screen, check the status of the Wireless APs and approve
any APs that should be connected to that controller.
System AP defaults can be used to assign a group of VNSs to the foreign
APs:
•
412
If the APs are not yet known to the system, the AP will be initially
configured according to AP default settings. To ensure better transition in
availability, Siemens recommends that the AP default settings match the
desired assignment for failover APs.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Configuring availability manually
•
AP assignment to WLAN Services according to the AP default settings
can be overwritten by manually modifying the AP assignment. (For
example, select and assign each WLAN service that the AP should
connect to.)
•
If specific foreign APs have been assigned to a WLAN service, those
specific foreign AP assignments are used.
An alternate method to setting up APs includes:
1. Add each Wireless AP manually to each HiPath Wireless Controller.
2. On the AP Properties screen, click Add Wireless AP.
3. Define the Wireless AP, and then click Add Wireless AP.
Manually defined APs will inherit the default AP configuration settings.
Caution: If two HiPath Wireless Controllers are paired and one has the Allow
All option set for Wireless AP registration, all Wireless APs will register with
that HiPath Wireless Controller.
To set the primary or secondary HiPath Wireless Controllers for availability:
1. From the main menu, click Wireless Controller Configuration. The
Wireless Controller Configuration screen is displayed.
2. In the left pane, click Availability.
3. To enable availability, select the Paired option.
4. Do one of the following:
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
413
hwc_fastfailover.fm
Availability and session availability
Configuring availability manually
•
For a primary controller, in the Wireless Controller IP Address box, type
the IP address of the data interface of the secondary HiPath Wireless
Controller. This IP address must be on a routable subnet between the two
HiPath Wireless Controllers.
•
For a secondary controller, in the Wireless Controller IP Address box,
type the IP address of the Management port or data interface of the
primary HiPath Wireless Controller.
5. Set this HiPath Wireless Controller as the primary or secondary connection
point:
•
To set this HiPath Wireless Controller as the primary connection point,
select the Current Wireless Controller is primary connect point
checkbox.
•
To set this HiPath Wireless Controller as the secondary connection point,
clear the Current Wireless Controller is primary connect point
checkbox.
If the Current Wireless Controller is primary connect point checkbox is
selected, the specified controller sends a connection request. If the Current
Wireless Controller is primary connect point checkbox is cleared, the
specified controller waits for a connection request. Confirm that one controller
has this checkbox selected, and the second controller has this checkbox
cleared, since improper configuration of this option will result in incorrect
network configuration.
6. On both the primary and secondary controllers, type the Detect link failure
value.
Note: Ensure that the Detect link failure value on both the controllers is
identical.
7. On both the primary and secondary controllers, select the Synchronize
GuestPortal Guest Users option to synchronize GuestPortal guest accounts
between the controllers.
8. From the main menu, click Wireless AP Configuration. The HiPath
Wireless AP Configuration screen is displayed.
9. In the left pane, click AP Registration. To set the security mode for the
HiPath Wireless Controller, select one of the following options:
•
414
Allow all Wireless APs to connect – If the HiPath Wireless Controller
does not recognize the serial number, it sends a default configuration to
the Wireless AP. Or, if the HiPath Wireless Controller recognizes the
serial number, it sends the specific configuration (port and binding key)
set for that Wireless AP.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Configuring availability manually
•
Allow only approved Wireless APs to connect – If the HiPath Wireless
Controller does not recognize the serial number, the Wireless APs will be
in pending mode and the administrator must manually approve them. Or,
if the HiPath Wireless Controller recognizes the serial number, it sends
the configuration for that Wireless AP.
Note: During the initial setup of the network, Siemens recommends that
you select the Allow all Wireless APs to connect option. This option is
the most efficient way to get a large number of Wireless APs registered
with the HiPath Wireless Controller.
Once the initial setup is complete, Siemens recommends that you reset
the security mode to the Allow only approved Wireless APs to connect
option. This option ensures that no unapproved Wireless APs are allowed
to connect. For more information, seeSection 4.4, “Configuring Wireless
AP settings”, on page 130.
10. To save your changes, click Save.
Note: When two HiPath Wireless Controllers have been paired as described
above, each HiPath Wireless Controller's registered Wireless APs will appear
as foreign on the other controller in the list of available Wireless APs when
configuring a VNS topology.
11. Verify that availability is configured correctly.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
415
hwc_fastfailover.fm
Availability and session availability
Configuring availability manually
To verify that availability is configured correctly:
a) From the main menu of either of the two controllers, click Reports. The
HiPath Reports & Displays screen is displayed.
b) From the Reports and Displays menu, click Wireless AP Availability.
The Wireless Availability Report is displayed.
c) Check the statement at the top of the screen.
416
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
If the statement reads Availability link is up, the availability feature is
configured correctly. If the statement reads Availability link is down,
check the configuration error logs. For more information on logs, see the
HiPath Wireless Controller, Access Points and Convergence Software
Maintenance Guide.
7.4 Session availability
Session availability enables Wireless APs to switch over to a standby (secondary)
HiPath Wireless Controller fast enough to maintain the mobile user’s session
availability in the following scenarios:
•
The primary HiPath Wireless Controller goes down (Figure 24).
Figure 24
The Wireless AP fails over to the secondary controller when the
primary controller goes down
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
417
hwc_fastfailover.fm
Availability and session availability
Session availability
•
The Wireless AP’s network connectivity to the primary HiPath Wireless
Controller fails (Figure 25).
Figure 25
The Wireless AP fails over the secondary controller when the
network connectivity to he primary controller fails
The secondary HiPath Wireless Controller does not have to detect its link failure
with the primary HiPath Wireless Controller for the session availability to kick in.
If the Wireless AP loses five consecutive polls to the primary controller either due
to the controller outage or connectivity failure, it fails over to the secondary
controller fast enough to maintain the user session.
In session availability mode (Figure 26), the Wireless APs connect to both the
primary and secondary HiPath Wireless Controllers. While the connectivity to the
primary HiPath Wireless Controller is via the “active” tunnel, the connectivity to
the secondary HiPath Wireless Controller is via the “backup” tunnel.
Secondary Controller
Primary Controller
Wireless AP
Figure 26
418
Session availability mode
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
The following is the traffic flow of the topology illustrated in Figure 26:
•
The Wireless AP establishes the active tunnel to connect to the primary
HiPath Wireless Controller.
•
The HiPath Wireless Controller sends the configuration to the Wireless AP.
This configuration also contains the port information of the secondary HiPath
Wireless Controller.
•
On the basis of the secondary HiPath Wireless Controller’s port information,
the Wireless AP connects to the secondary controller via the backup tunnel.
•
After the connection is established via the backup tunnel, the secondary
HiPath Wireless Controller sends the backup configuration to the Wireless
AP.
•
The Wireless AP receives the backup configuration and stores it in its
memory to use it for failing over to the secondary controller. All this while, the
Wireless AP is connected to the primary HiPath Wireless Controller via the
‘active’ tunnel.
Session availability and topologies
Session availability applies only to the following topologies:
•
Bridge Traffic Locally at HWC
•
Bridge Traffic Locally at AP
Session availability is not available to users on conventional Routed VNSs.
Note: Session availability is not supported in a VNS that is configured for AAA
network assignment.
7.4.1 Events and actions in session availability
In the event of a primary HiPath Wireless Controller outage, or the network
connectivity failure to the primary controller, the Wireless AP:
•
Sends a ‘tunnel-active-req’ request message to the secondary HiPath
Wireless Controller.
•
The secondary HiPath Wireless Controller accepts the request by sending
the ‘tunnel-activate-response’ message.
•
The Wireless AP applies the backup configuration and starts sending the
data. The client devices’ authentication state is not preserved during failover.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
419
hwc_fastfailover.fm
Availability and session availability
Session availability
When the fast failover takes place, a critical message is displayed in the
information log of the secondary HiPath Wireless Controller.
Note: In session availability, the maximum number of failover APs that the
secondary controller can accommodate is equal to the maximum number of APs
supported by the hardware platform.
When the failed HiPath Wireless Controller recovers, each HiPath Wireless
Controller in the pair goes back to normal mode. They exchange information that
includes the latest lists of registered Wireless APs. The administrator must
release the Wireless APs manually on the second HiPath Wireless Controller, so
that they may re-register with their home HiPath Wireless Controller. Foreign APs
can now all be released at once by using the Foreign button on the Access
Approval screen to select all foreign APs, and then clicking Released.
To support the availability feature during a failover event, administrators need to
do the following:
1. Monitor the critical messages for the failover mode message, in the
information log of the secondary HiPath Wireless Controller (in the Logs &
Traces section of the HiPath Wireless Assistant).
2. After recovery, on the secondary HiPath Wireless Controller, select the
foreign Wireless APs, and then click Release on the Access Approval
screen.
After the Wireless APs are released, they establish the active tunnel to their home
controller and backup tunnel to the secondary controller.
7.4.2 Enabling session availability
Starting with V7.0, session availability is supported when fast failover is enabled
and when “Synchronize System Configuration” is selected. For more information,
see Section 7.4.2.1, “Configuring fast failover and enabling session availability”,
on page 421.
In session availability, mobile user devices are able to retain their IP address. In
addition, the mobile user device does not have to have to re-associate after the
failover. These characteristics ensure that the failover is achieved within 5
seconds, which is fast enough to maintain the mobile user’s session.
Note: In session availability, the fast failover is achieved within 5 seconds only if
there is at least one client device (mobile unit) associated to the Wireless AP. In
the absence of any client device, the Wireless AP takes more time to failover
since there is no need to preserve the user session.
420
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
Authentication state during failover
The authentication state is not preserved during fast failover. If a WLAN Service
requires authentication, the client device must re-authenticate. However, in such
a case, the session availability is not guaranteed because authentication may
require additional time during which the user session may be disrupted.
Session availability is not supported in a WLAN Service that uses Captive Portal
(CP) authentication.
Session availability does not support user-specific filters as these filters are not
shared between the primary and secondary HiPath Wireless Controllers.
7.4.2.1 Configuring fast failover and enabling session
availability
Before you configure the fast failover feature, ensure the following:
•
The primary and secondary HiPath Wireless Controllers are properly
configured in availability mode. For more information, see Section 7.1,
“Availability”, on page 407.
•
The pair of HiPath Wireless Controllers in availability mode is formed by one
of the following combinations:
–
C5110 and C5110
–
C4110 and C4110
–
C2400 and C2400
–
C20N and C20N
–
C20 and C20
–
CRBT8110 and CRBT8110
–
CRBT8210 and CRBT8210
–
C5110 and C2400
–
C2400 and C20
–
C2400 and C20N
–
C20N and C20
–
CRBT8110 and CRBT8210
•
Both the primary and secondary HiPath Wireless Controllers are running the
most recent HiPath Wireless Convergence Software releases.
•
A network connection exists between the two HiPath Wireless Controllers.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
421
hwc_fastfailover.fm
Availability and session availability
Session availability
•
The Wireless APs are operating in availability mode.
•
The deployment is designed in such a way that the service provided by the
Wireless APs is not dependent on which HiPath Wireless Controller the APs
associate with. For example, the fast failover feature will not support the
deployment in which the two HiPath Wireless Controllers in availability mode
are connected via a WAN link.
•
Both the primary and secondary HiPath Wireless Controllers have equivalent
upstream access to the servers on which they depend. For example, both the
controllers must have access to the same RADIUS and DHCP servers.
•
The users (client devices) that use DHCP must obtain their addresses from a
DHCP Server that is external to the HiPath Wireless Controller.
•
Time on all the network elements (both the HiPath Wireless Controllers in
availability pair, Wireless APs, DHCP and RADIUS servers etc.) is
synchronized. For more information, see Section 3.4.11, “Configuring
network time”, on page 92.
Note: The fast failover feature works optimally in fast networks (preferably
switched networks).
To configure fast failover and enable session availability:
1. Log on to both the primary and secondary HiPath Wireless Controllers.
2. From the main menu of the primary HiPath Wireless Controller, click
Wireless Controller Configuration. The Wireless Controller
Configuration screen is displayed.
3. In the left pane, click Availability.
422
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
4. Under Controller Availability Settings, select Paired.
5. Select the Enable Fast Failover checkbox.
6. Type the appropriate value in the Detect link failure box.
The Detect link failure field specifies the period within which the system
detects link failure after the link has failed. For fast failover configuration, this
parameter is tied closely to the Poll Timeout parameter on the AP
Properties tab Advanced dialog. The Poll Timeout field specifies the period
for which the Wireless AP waits before re-attempting to establish a link when
its polling to the primary HiPath Wireless Controller fails.
For the fast failover feature to work within 5 seconds, the Poll Timeout value
should be 1.5 to 2 times the Detect link failure value. For example, if you
have set the Detect link failure value to 2 seconds, the Poll Timeout value
should be set to 3 or 4 seconds.
7. In the Synchronization Option area, select Synchronize System
Configuration.
This is a global parameter that enables synchronization of VNS configuration
components (topology, policy, WLAN Service, VNS) on both controllers
paired for availability and/or fast failover.
For more information about synchronization, see Section 6.2.7, “Using the
Sync Summary”, on page 278.
8. Click Save.
9. Set the Wireless APs’ Poll Timeout value for fast failover.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
423
hwc_fastfailover.fm
Availability and session availability
Session availability
a) From the main menu of the primary HiPath Wireless Controller, click
Wireless AP Configuration. The AP Properties screen is displayed.
b) In the left pane, click AP Multi-edit. The AP Multi-edit screen is
displayed.
c) In the Hardware Types list, select the hardware type of the Wireless APs
that are part of your deployment. You can select multiple hardware types
by pressing the CTRL key and clicking the hardware in the Hardware
Types list.
d) In the Wireless APs list, select the Wireless APs for which you want to
set the Poll Timeout value. You can select multiple Wireless APs by
pressing the CTRL key and clicking the Wireless APs in the Wireless
APs list.
e) In the Poll Timeout box, type/edit the appropriate value.
f)
To save your changes, click Save.
Note: The fast failover configuration must be identical on both the primary and
secondary HiPath Wireless Controllers. Logs are generated if the configuration is
not identical. For more information, see the HiPath Wireless Controller, Access
Points and Convergence Software Maintenance Guide.
After you have configured fast failover, you can verify session availability to
preserve the user session during the failover.
424
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
7.4.2.2 Verifying session availability
To have session availability, you must ensure the following:
•
The primary and secondary HiPath Wireless Controllers are properly
configured in ‘availability’ mode. For more information, see Section 7.1,
“Availability”, on page 407.
•
The fast failover feature is properly configured. For more information, see
Section 7.4.2.1, “Configuring fast failover and enabling session availability”,
on page 421.
Note: If you haven’t configured the fast failover feature, the Enable Session
Availability checkbox is not displayed.
•
Time on all the network elements — both the HiPath Wireless Controllers in
availability pair, Wireless APs, DHCP and RADIUS servers etc.— is
synchronized. For more information, see Section 3.4.11, “Configuring
network time”, on page 92.
•
Both the HiPath Wireless Controllers in fast failover mode must be running
the most recent HiPath Wireless Convergence Software release.
•
If you are using Bridge Traffic Locally at HWC topology, you must select
None from the DHCP Option drop-down menu.
•
The Bridge Traffic Locally at HWC must be mapped to the same VLAN on
both the primary and secondary HiPath Wireless Controllers.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
425
hwc_fastfailover.fm
Availability and session availability
Session availability
To verify the session availability feature is configured correctly:
1. From the main menu of either of the two controllers, click Reports. The
HiPath Reports & Displays screen is displayed.
2. From the Reports and Displays menu, click Wireless AP Availability. The
Wireless Availability Report is displayed.
426
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
hwc_fastfailover.fm
Availability and session availability
Session availability
3. Check the statement at the top of the screen.
If the statement reads Availability link is up, the availability feature is
configured correctly. If the statement reads Availability link is down, check
the configuration error in logs. For more information on logs, see the HiPath
Wireless Controller, Access Points and Convergence Software Maintenance
Guide.
7.4.2.3 Verify synchronization
To verify that all elements have been synchronized correctly, navigate to the VNS
tab on both the primary and secondary HiPath Wireless Controllers, and confirm
that the topologies, WLAN services, policies and desired VNSs aredisplayed as
[synchronized].
You can verify this by selecting the appropriate tabs and then inspecting the
Synchronized flags or by navigating to VNS Configuration, Global, and then Sync
Summary page.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide
427
hwc_fastfailover.fm
Availability and session availability
Session availability
Configuration synchronization:
•
VNS configuration related synchronization will be supported with legacy or
fast failover availability configuration as long as there is an availability link
established.
•
Synchronization for VNS, WLAN Services, Policies, Topologies, and Rate
Limit Profiles can be enabled/disabled individually.
•
VNS, WLAN Service, Policy, Topology, and Rate Limit Profile configuration
will be dynamically synchronized when synchronization is enabled
individually between a pair of HiPath Wireless Controllers.
MU session synchronization:
428
•
MU session synchronization will be supported only when there is fast failover
configured between two HiPath Wireless Controllers.
•
If mobility is disabled, MU session with Bridge Traffic Locally at AP, Bridge
Traffic Locally at HWC, and Routed topologies will all be synchronized
between a pair of HiPath Wireless Controllers.
•
If mobility is enabled, an MU session with Routed topologies will not be
synchronized.
9034530-04, September 2010
HiPath Wireless Controller, Access Points and Convergence Software V7.31, User Guide

---

Source Exif Data:

File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.6
Linearized                      : Yes
Encryption                      : Standard V2.3 (128-bit)
User Access                     : Print, Extract, Print high-res
XMP Toolkit                     : 3.1-702
Modify Date                     : 2010:12:23 10:21:13+08:00
Create Date                     : 2010:12:23 10:19:13+08:00
Metadata Date                   : 2010:12:23 10:21:13+08:00
Creator Tool                    : FrameMaker 8.0
Format                          : application/pdf
Title                           : HiPath Wireless Controller, Access Points and Convergence Software V7.21 User Guide
Creator                         : Enterasys Networks
Document ID                     : uuid:2d4f9e2c-bd79-4737-a52f-5c76a43fee03
Instance ID                     : uuid:0efab86a-baa3-4853-af76-aed5f5256645
Producer                        : Acrobat Distiller 7.0.5 (Windows)
Page Count                      : 428
Author                          : Enterasys Networks

EXIF Metadata provided by EXIF.tools