Fortress Technologies ES210 The ES210 is a single radio access point/bridge User Manual GUI Guide
Fortress Technologies, Inc. The ES210 is a single radio access point/bridge GUI Guide
Contents
- 1. Manual
- 2. GUI Guide
- 3. HW Guide
- 4. User Manual
GUI Guide
Fortress Security System Secure Wireless Bridge and Security Controller Software GUI Guide www.fortresstech.com © 2010 Fortress Technologies Bridge GUI Guide Fortress Bridge and Controller version 5.4 Software GUI Guide [rev.1] 009-00035-00v5.4r1 Copyright © 2010 Fortress Technologies, Inc. All rights reserved. This document contains proprietary information protected by copyright. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, without written permission of Fortress Technologies, 4023 Tampa Road, Suite 2200, Oldsmar, FL 34677, except as specified in the Product Warranty and License Terms. FORTRESS TECHNOLOGIES, INC., MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. FORTRESS TECHNOLOGIES, INC. SHALL NOT BE LIABLE FOR ERRORS CONTAINED HEREIN OR FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE OR USE OF THIS MATERIAL. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. The Fortress Technologies and AirFortress logos and AirFortress and are registered trademarks; Multi-Factor Authentication, Unified Security Model, Wireless Link Layer Security and Three Factor Authentication (TFA) are trademarks of Fortress Technologies, Inc. The technology behind Wireless Link Layer Security™ enjoys U.S. and international patent protection under patent number 5,757,924. Portions of this software are covered by the GNU General Public License (GPL) Copyright © 1989, 1991 Free Software Foundation, Inc,. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. To receive a complete machine-readable copy of the corresponding source code on CD, send $10 (to cover the costs of production and mailing) to: Fortress Technologies; 4023 Tampa Road, suite 2200; Oldsmar, FL 34677-3216. Please be sure to include a copy of your Fortress Technologies invoice and a valid “ship to” address. This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com). Copyright © 1995-1998 Eric Young (eay@cryptsoft.com) All rights reserved. This package is an SSL implementation written by Eric Young (eay@cryptsoft.com). The implementation was written so as to conform with Netscape’s SSL. THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Atheros, the Atheros logo, Atheros Driven, Driving the wireless future, Super G and Super AG are all registered trademarks of Atheros Communications. ROCm, JumpStart for Wireless, Atheros XR, Wake-on-Wireless, Wake-on-Theft, and FastFrames, are all trademarks of Atheros Communications, Inc. This product uses Dynamic Host Control Protocol, Copyright © 2004–2010 by Internet Software Consortium, Inc. Copyright © 1995–2003 by Internet Software Consortium. All rights reserved. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/) Copyright © 1998-2007 The OpenSSL Project. All rights reserved.THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS Bridge GUI Guide BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. This product uses Net-SNMP Copyright © 1989, 1991, 1992 by Carnegie Mellon University, Derivative Work - 1996, 1998-2000. Copyright © 1996, 1998-2000 The Regents of the University of California. All rights reserved. Copyright © 2001-2003, Cambridge Broadband Ltd. All rights reserved. Copyright © 2003 Sun Microsystems, Inc. All rights reserved. Copyright © 2001-2006, Networks Associates Technology, Inc. All rights reserved. Center of Beijing University of Posts and Telecommunications. All rights reserved. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http:// www.apache.org/licenses/LICENSE-2.0. Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Microsoft and Windows are registered trademarks of the Microsoft Corporation. Firefox is a trademark of the Mozilla Foundation. SSH is a trademark of SSH Communication Security. All other trademarks mentioned in this document are the property of their respective owners. End User License Agreement (EULA) IMPORTANT; PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING OR USING FORTRESS TECHNOLOGIES SOFTWARE CONSTITUTES ACCEPTANCE OF THIS AGREEMENT. FORTRESS TECHNOLOGIES, INC., WILL LICENSE ITS SOFTWARE TO YOU THE CUSTOMER (END USER) ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS END USER LICENSE AGREEMENT. THE ACT OF DOWNLOADING, INSTALLING, OR USING FORTRESS SOFTWARE, BINDS YOU AND THE BUSINESS THAT YOU REPRESENT (COLLECTIVELY, “CUSTOMER”) TO THE AGREEMENT. License Fortress grants to Customer (“Licensee”) a non-exclusive and non-transferable right to use the Fortress Software Product (“Software”) described in the Fortress Product Description for which Customer has paid any required license fees and subject to the use rights and limitations in this Agreement. Unless otherwise agreed to in writing, use of the Software is limited to the number of authorized users for which Licensee has purchased the right to the use of the software. Software is authorized for installation on any Fortress approved device. “Software” includes computer program(s) and any documentation (whether contained in user manuals, technical manuals, training materials, specifications, etc.) that is included with the software (including CD-ROM, or on-line). Software is authorized for installation on a single use computing device such as Fortress hardware platform, computer, laptop, PDA or any other computing device. Software is not licensed for installation or embedded use on any other system(s) controlling access to a secondary network of devices or securing access for any separate computing devices. Software contains proprietary technology of Fortress or third parties. No ownership in or title to the Software is transferred. Software is protected by copyright laws and international treaties. Customer may be required to input a software license key to initialize the software installation process. ii Bridge GUI Guide Customer may make backup or archival copies of Software and use Software on a backup processor temporarily in the event of a processor malfunction. Any full or partial copy of Software must include all copyright and other proprietary notices which appear on or in the Software. Control functions may be installed and enabled. Customer may not modify control utilities. Customer may not disclose or make available Software to any other party or permit others to use it except Customer's employees and agents who use it on Customer's behalf and who have agreed to these license terms. Customer may not transfer the software to another party except with Fortress' written permission. Customer agrees not to reverse engineer, decompile, or disassemble the Software. Customer shall maintain adequate records matching the use of Software to license grants and shall make the records available to Fortress or the third party developer or owner of the Software on reasonable notice. Fortress may terminate any license granted hereunder if Customer breaches any license term. Upon termination of the Agreement, Customer shall destroy or return to Fortress all copies of Software. General Limitations This is a License for the use of Fortress Software Product and documentation; it is not a transfer of title. Fortress retains ownership of all copies of the Software and Documentation. Customer acknowledges that Fortress or Fortress Solution Provider trade secrets are contained within the Software and Documentation. Except as otherwise expressly provided under the Agreement, Customer shall have no right and Customer specifically agrees not to: i.Transfer, assign or sublicense its license rights to any other person or entity and Customer acknowledges that any attempt to transfer, assign or sublicense shall “void” the license; ii.Make modifications to or adapt the Software or create a derivative work based on the Software, or permit third parties to do the same; iii.Reverse engineer, decompile, or disassemble the Software to a human-readable form, except to the extent otherwise expressly permitted under applicable law notwithstanding this restriction and; iv.Disclose, provide, or otherwise make available trade secrets contained within the Software and Documentation in any form to any third party without the prior written consent of Fortress Technologies. Customer shall implement reasonable security measures to protect such trade secrets. Software, Upgrades and Additional Copies For purposes of the Agreement, “Software” shall include computer programs, including firmware, as provided to Customer by Fortress or a Fortress Solution Provider, and any (a) bug fixes, (b) maintenance releases, (c) minor and major upgrades as deemed to be included under this agreement by Fortress or backup copies of any of the foregoing. NOTWITHSTANDING ANY OTHER PROVISION OF THE AGREEMENT: i.CUSTOMER HAS NO LICENSE OR RIGHT TO MAKE OR USE ANY ADDITIONAL COPIES OR UPGRADES UNLESS CUSTOMER, AT THE TIME OF MAKING OR ACQUIRING SUCH COPY OR UPGRADE, ALREADY HOLDS A VALID LICENSE TO THE ORIGINAL SOFTWARE AND HAS PAID THE APPLICABLE FEE FOR THE UPGRADE OR ADDITIONAL COPIES; ii.USE OF UPGRADES IS LIMITED TO FORTRESS EQUIPMENT FOR WHICH CUSTOMER IS THE ORIGINAL END USER CUSTOMER OR LESSEE OR OTHERWISE HOLDS A VALID LICENSE TO USE THE SOFTWARE WHICH IS BEING UPGRADED; AND; iii.THE MAKING AND USE OF ADDITIONAL COPIES IS LIMITED TO NECESSARY BACKUP PURPOSES ONLY. Proprietary Notices All copyright and other proprietary notices on all copies of the Software shall be maintained and reproduced by the Customer in the same manner that such copyright and other proprietary notices are included on the Software. Customer shall not make any copies or duplicates of any Software without the prior written permission of Fortress; except as expressly authorized in the Agreement. iii Bridge GUI Guide Term and Termination This Agreement and License shall remain in effect until terminated through one of the following circumstances: i.Agreement and License may be terminated by the Customer at any time by destroying all copies of the Software and any Documentation. ii.Agreement and License may be terminated by Fortress due to Customer non-compliance with any provision of the Agreement. Upon termination by either the Customer or Fortress, the Customer shall destroy or return to Fortress all copies of Software and Documentation in its possession or control. All limitations of liability, disclaimers, restrictions of warranty, and all confidentiality obligations of Customer shall survive termination of this Agreement. Also, the provisions set-forth in the sections titled “U.S. Government Customers” and “General Terms Applicable to the Limited Warranty Statement and End User License Agreement” shall survive termination of the Agreement. Customer Records Fortress and its independent accountants reserve the right to conduct an audit of Customer records to verify compliance with this agreement. Customer grants to Fortress and its independent accountants access to its books, records and accounts during Customer's normal business hours in support of such an audit. Customer shall pay to Fortress the appropriate license fees, plus the reasonable cost of conducting the audit should an audit disclose non-compliance with this Agreement. Export Restrictions Customer acknowledges that the laws and regulations of the United States restrict the export and re-export of certain commodities and technical data of United States origin, including the Product, Software and the Documentation, in any medium. Customer will not knowingly, without prior authorization if required, export or re-export the Product, Software or the Documentation in any medium without the appropriate United States and foreign government licenses. The transfer or export of the software outside the U.S. may require a license from the Bureau of Industry and Security. For questions call BIS at 202-482-4811. U.S Government Customers The Software and associated documentation were developed at private expense and are delivered and licensed as “commercial computer software” as defined in DFARS 252.2277013, DFARS 252.227-7014, or DFARS 252.227-7015 as a “commercial item” as defined in FAR 2.101(a), or as “Restricted computer software” as defined in FAR 52.227-19. All other technical data, including manuals or instructional materials, are provided with “Limited Rights” as defined in DFAR 252.227-7013 (a) (15), or FAR 52.227-14 (a) and in Alternative II (JUN 1987) of that clause, as applicable. Limited Warranty The warranties provided by Fortress in this Statement of Limited Warranty apply only to Fortress Products purchased from Fortress or from a Fortress Solution Provider for internal use on Customer's computer network. “Product” means a Fortress software product, upgrades, or firmware, or any combination thereof. The term “Product” also includes Fortress software programs, whether pre-loaded with the Fortress hardware Product, installed subsequently or otherwise. Unless Fortress specifies otherwise, the following warranties apply only in the country where Customer acquires the Product. Nothing in this Statement of Warranty affects any statutory rights of consumers that cannot be waived or limited by contract. Customer is responsible for determining the suitability of the Products in Customer's network environment. Unless otherwise agreed, Customer is responsible for the Product's installation, set-up, configuration, and for password and digital signature management. Fortress warrants the Products will conform to the published specifications and will be free of defects in materials and workmanship. Customer must notify Fortress within the specified warranty period of any claim of such defect. The warranty period for software is one (1) year commencing from the ship date to Customer [and in the case of resale by a Fortress Solution Provider, commencing not more than (90) days after original shipment by iv Bridge GUI Guide Fortress]. Date of shipment is established per the shipping document (packing list) for the Product that is shipped from Fortress location. Customer shall provide Fortress with access to the Product to enable Fortress to diagnose and correct any errors or defects. If the Product is found defective by Fortress, Fortress' sole obligation under this warranty is to remedy such defect at Fortress' option through repair, upgrade or replacement of product. Services and support provided to diagnose a reported issue with a Fortress Product, which is then determined not to be the root cause of the issue, may at Fortress’ option be billed at the standard time and material rates. Warranty Exclusions The warranty does not cover Fortress Hardware Product or Software or any other equipment upon which the Software is authorized by Fortress or its suppliers or licensors, which (a) has been damaged through abuse or negligence or by accident, (b) has been altered except by an authorized Fortress representative, (c) has been subjected to abnormal physical or electrical stress (i.e., lightning strike) or abnormal environmental conditions, (d) has been lost or damaged in transit, or (e) has not been installed, operated, repaired or maintained in accordance with instructions provided by Fortress. The warranty is voided by removing any tamper evidence security sticker or marking except as performed by a Fortress authorized service technician. Fortress does not warrant uninterrupted or error-free operation of any Products or third party software, including public domain software which may have been incorporated into the Fortress Product. Fortress will bear no responsibility with respect to any defect or deficiency resulting from accidents, misuse, neglect, modifications, or deficiencies in power or operating environment. Unless specified otherwise, Fortress does not warrant or support non-Fortress products. If any service or support is rendered such support is provided WITHOUT WARRANTIES OF ANY KIND. DISCLAIMER OF WARRANTY THE WARRANTIES HEREIN ARE SOLE AND EXCLUSIVE, AND NO OTHER WARRANTY, WHETHER WRITTEN OR ORAL, IS EXPRESSED OR IMPLIED. TO THE EXTENT PERMITTED BY LAW, FORTRESS SPECIFICALLY DISCLAIMS THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NONINFRINGEMENT. General Terms Applicable to the Limited Warranty and End User License Agreement Disclaimer of Liabilities THE FOREGOING WARRANTIES ARE THE EXCLUSIVE WARRANTIES AND REPLACE ALL OTHER WARRANTIES OR CONDITIONS, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OR CONDITIONS OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. FORTRESS SHALL HAVE NO LIABILITY FOR CONSEQUENTIAL, EXEMPLARY, OR INCIDENTAL DAMAGES EVEN IF IT HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE STATED LIMITED WARRANTY IS IN LIEU OF ALL LIABILITIES OR OBLIGATIONS OF FORTRESS FOR DAMAGES ARISING OUT OF OR IN CONNECTION WITH THE DELIVERY, USE, OR PERFORMANCE OF THE PRODUCTS (HARDWARE AND SOFTWARE). THESE WARRANTIES GIVE SPECIFIC LEGAL RIGHTS AND CUSTOMER MAY ALSO HAVE OTHER RIGHTS WHICH VARY FROM JURISDICTION TO JURISDICTION. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF EXPRESS OR IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU. IN THAT EVENT, SUCH WARRANTIES ARE LIMITED IN DURATION TO THE WARRANTY PERIOD. NO WARRANTIES APPLY AFTER THAT PERIOD. Product Warranty and License Terms Indemnification Fortress will defend any action brought against Customer based on a claim that any Fortress Product infringes any U.S. patents or copyrights excluding third party software, provided that Fortress is immediately notified in writing and Fortress has the right to control Bridge GUI Guide the defense of all such claims, lawsuits, and other proceedings. If, as a result of any claim of infringement against any U.S. patent or copyright, Fortress is enjoined from using the Product, or if Fortress believes the Product is likely to become the subject of a claim of infringement, Fortress at its option and expense may procure the right for Customer to continue to use the Product, or replace or modify the Product so as to make it noninfringing. If neither of these two options is reasonably practicable, Fortress may discontinue the license granted herein on one month's written notice and refund to Licensee the unamortized portion of the license fees hereunder. The depreciation shall be an equal amount per year over the life of the Product as established by Fortress. The foregoing states the entire liability of Fortress and the sole and exclusive remedy of the Customer with respect to infringement of third party intellectual property. Limitation of Liability Circumstances may arise where, because of a default on Fortress' part or other liability, Customer is entitled to recover damages from Fortress. In each such instance, regardless of the basis on which you are entitled to claim damages from Fortress (including fundamental breach, negligence, misrepresentation, or other contract or tort claim), Fortress is liable for no more than damages for bodily injury (including death) and damage to real property and tangible personal property, and the amount of any other actual direct damages, up to either U.S. $25,000 (or equivalent in local currency) or the charges (if recurring, 12 months' charges apply) for the Product that is the subject of the claim, whichever is less. This limit also applies to Fortress' Solution Providers. It is the maximum for which Fortress and its Solution Providers are collectively responsible. UNDER NO CIRCUMSTANCES IS FORTRESS LIABLE FOR ANY OF THE FOLLOWING: 1) THIRD-PARTY CLAIMS AGAINST YOU FOR DAMAGES, 2) LOSS OF, OR DAMAGE TO, YOUR RECORDS OR DATA, OR 3) SPECIAL, INCIDENTAL, OR INDIRECT DAMAGES OR FOR ANY ECONOMIC CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), EVEN IF FORTRESS OR ITS SOLUTION PROVIDER IS INFORMED OF THEIR POSSIBILITY. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO CUSTOMER. Telephone Support During the warranty period, Fortress or its Solution Provider will provide a reasonable amount of telephone consultation to the Customer. This support shall include assistance in connection with the installation and routine operation of the Product, but does not include network troubleshooting, security consultation, design and other services outside of the scope of routine Product operation. Warranty services for the Products shall be available during Fortress' normal U.S. (EST) business days and hours. Extended Warranty Service If the Customer purchases an extended warranty service agreement with Fortress, service will be provided in accordance to said agreement's terms and conditions. Access and Service Customer must provide Fortress or Solution Provider with access to the Product to enable Fortress or Solution Provider to provide the service. Access may include access via the Internet, on-site access or Customer shall be responsible for returning the Product to Fortress or Solution Provider. Fortress or Solution Provider will notify the Customer to obtain authorization to perform any repairs. If, during the warranty period, as established by the date of shipment [and in the case of resale by a Fortress Solution Provider, commencing not more than (90) days after original shipment by Fortress], the Customer finds any significant defect in materials and workmanship under normal use and operating conditions, the Customer shall notify Fortress Customer Service in accordance with the Fortress Service Policies in effect at that time which can be located on the Fortress web site: www.fortresstech.com. EULA Addendum for Products Containing 4.4 GHz Military Band Radio(s) This product contains one or more radios which operate in the 4.400GHz - 4.750GHz range. vi Bridge GUI Guide This frequency range is owned and operated by the U.S. Department of Defense and its use is restricted to users with proper authorization. By accepting this agreement, user acknowledges that proper authorization to operate in this frequency has been obtained and user accepts full responsibility for any unauthorized use. User agrees to indemnify and hold harmless Fortress Technologies, Inc. from any fines, costs or expenses resulting from or associated with unauthorized use of this frequency range. This EULA Addendum does not apply to Fortress products that do not contain 4.4 GHz radios. vii Bridge GUI Guide: Table of Contents Table of Contents Introduction This Document . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Related Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Network Security Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Fortress Security Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Fortress Bridges and Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 ES-Series Model Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Fortress Bridge Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Fortress Secure Client Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Network Deployment Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 FastPath Mesh Network Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Isolated FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Network-Attached FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Separating and Rejoining in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . .9 Bridging Loops in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Traffic Duplication in FastPath Mesh Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 STP Mesh Network Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12 Point-to-Point Bridging Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 Wireless Client ES210 Bridge Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .15 Bridge GUI and Administrative Access 16 Bridge GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Bridge GUI Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Logging On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .16 Using Bridge GUI Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .18 Accessing Bridge GUI Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 Logging Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19 viii Bridge GUI Guide: Table of Contents Administrative Accounts and Access . . . . . . . . . . . . . . . . . . . . . . . . . .19 Global Administrator Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20 Maximum Failed Logon Attempts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Failed Logon Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Lockout Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Session Idle Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Show Previous Logon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Authentication Method and Failback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Password Expiration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Password Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 21 21 21 21 22 25 26 28 Individual Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .30 Administrator User Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Account Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrative Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrator Audit Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrator Full Name and Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrator Interface Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrator Passwords and Password Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . Adding Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Editing Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Deleting Administrative Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Changing Administrative Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Unlocking Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 31 31 32 32 32 33 34 37 37 38 39 Administrator IP Address Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39 SNMP Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .41 Configuring SNMP v3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Network and Radio Configuration 46 Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46 Bridging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .47 FastPath Mesh Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48 FastPath Mesh Bridging Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mobility Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Mesh Subnet ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Cost Weighting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Neighbor Cost Overrides . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Multicast Group Subscription . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring FastPath Mesh Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 50 51 51 51 52 52 53 STP Bridging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .56 Configuring STP Bridging: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 ix Bridge GUI Guide: Table of Contents Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57 Advanced Global Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .58 Radio Frequency Kill . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Radio Distance Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Country of Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Environment Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Global Advanced Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 58 58 59 60 Individual Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60 Radio Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Radio Band . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Channel and Channel Width . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Antenna Gain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Tx Power Mode and Tx Power Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Distance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Beacon Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Short Preamble . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Noise Immunity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring Individual Radio Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 61 63 64 64 65 65 66 67 67 67 DFS Operation and Channel Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68 DFS Operation on the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 Channel Exclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Radio BSS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .70 BSS Administrative State and Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS SSID and Advertise SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Wireless Bridge and Minimum RSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . User Cost Offset and FastPath Mesh Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Switching Mode and Default VLAN ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS G Band Only Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS WMM Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS DTIM Period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS RTS and Fragmentation Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Unicast Rate Mode and Maximum Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Multicast Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Fortress Security Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . BSS Wi-Fi Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configuring a Radio BSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 71 72 72 73 73 74 74 75 76 76 77 77 77 80 ES210 Bridge STA Settings and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .81 Station Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Name and Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station SSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station BSSID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station WMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Fragmentation and RTS Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Unicast Rate Mode and Maximum Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Multicast Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Fortress Security Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Station Wi-Fi Security Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Establishing an ES210 Bridge STA Interface Connection . . . . . . . . . . . . . . . . . . . . . . Editing or Deleting the ES210 Bridge STA Interface . . . . . . . . . . . . . . . . . . . . . . . . . . Enabling and Disabling ES210 Bridge Station Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 82 82 82 82 82 83 83 84 84 84 86 89 90 Bridge GUI Guide: Table of Contents Basic Network Settings Configuration . . . . . . . . . . . . . . . . . . . . . . . . .91 Hostname, Domain and DNS Client Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . .91 IP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .93 IPv4 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 IPv6 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93 System Clock and NTP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95 System Date and Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 NTP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96 Location or GPS Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 DHCP and DNS Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 IPv4 and IPv6 DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .98 DNS Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Ethernet Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102 Port Administrative State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Port Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103 Port FastPath Mesh Mode and User Cost Offset . . . . . . . . . . . . . . . . . . . . . . . . . 103 Port Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Port 802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Port Default VLAN ID and Port Switching Mode . . . . . . . . . . . . . . . . . . . . . . . . . . 104 Port QoS Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Port Power over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Configuring Ethernet Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 QoS Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 VLANs Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 VLAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109 Native VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 VLAN ID Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112 VLAN Map Records . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 ES210 Bridge Serial Port Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Configuring the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115 Resetting the Serial Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 Security, Access, and Auditing Configuration 117 Fortress Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Operating Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 MSP Encryption Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 MSP Key Establishment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119 MSP Re-Key Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Access to the Bridge GUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Secure Shell Access to the Bridge CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 Blackout Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120 FIPS Self-Test Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Encrypted Data Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 xi Bridge GUI Guide: Table of Contents Encrypted Interface Cleartext Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121 Encrypted Interface Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Guest Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122 Cached Authentication Credentials . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Fortress Beacon Interval . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Global Client and Host Idle Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 Changing Basic Security Settings: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124 Fortress Access ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125 Internet Protocol Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 Global IPsec Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 Interface Security Policy Database Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128 IPsec Pre-Shared Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 IPsec Access Control List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132 Authentication Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133 Authentication Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136 Authentication Server State, Name, and IP Address . . . . . . . . . . . . . . . . . . . . . . . . . .136 Authentication Server Port and Shared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .136 Server Type and Authentication Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 Authentication Server Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 Authentication Server Max Retries and Retry Interval . . . . . . . . . . . . . . . . . . . . . . . . .137 Configuring Authentication Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137 The Local Authentication Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138 Local Authentication Server State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138 Local Authentication Server Port and Shared Key . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 Local Authentication Server Priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .139 Local Authentication Server Max Retries and Retry Interval . . . . . . . . . . . . . . . . . . . .139 Local Authentication Server Default Idle and Session Timeouts . . . . . . . . . . . . . . . . .139 Local Authentication Server Global Device, User and Administrator Settings . . . . . . .140 Local 802.1X Authentication Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141 Configuring the Local RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142 Local User and Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Local User Authentication Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143 Local Device Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146 Local Session and Idle Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 ACLs and Cleartext Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 MAC Address Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Controller Device Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 Cleartext Device Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155 3rd-Party AP Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156 Trusted Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157 Remote Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Enabling Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159 Administrative Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160 Logging Administrative Activity by Event Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161 Logging Administrative Activity by Interface and Fortress Security Status . . . . . . . . . .161 Logging Administrative Activity by MAC Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163 Learned Device Audit Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 xii Bridge GUI Guide: Table of Contents System and Network Monitoring FIPS Indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Administrative Account Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Topology View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166 166 167 167 168 Uploading a Background Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Connections and DHCP Lease Monitoring . . . . . . . . . . . . . . . . . . . . 170 Associations Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170 Bridge Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Secure Client and WPA2 Device Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Controllers Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175 Hosts Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176 AP and Trusted Devices Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 DHCP Leases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Statistics Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Traffic Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178 Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179 Ethernet Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .179 BSS Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180 Bridge Link Interface Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181 VLAN Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 IPsec SAs Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182 FastPath Mesh Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 FastPath Mesh Bridging Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 FastPath Mesh Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184 FastPath Mesh Peers and Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Multicast/Broadcast Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 FastPath Mesh Multicast Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187 FastPath Mesh Routing Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188 FastPath Mesh Loops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 System Log Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189 System and Network Maintenance 192 System Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Resetting Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Rebooting the Bridge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Viewing the Software Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Booting Selectable Software Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Upgrading Bridge Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194 Backing Up and Restoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196 Initiating FIPS Retests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198 Restoring Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 xiii Bridge GUI Guide: Table of Contents Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Generating CSRs and Key Pairs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200 Managing Local Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Importing and Deleting Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .202 Assigning Stored Certificates to Bridge Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . .205 Changing and Clearing Certificate Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . .206 Features Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207 Obtaining License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208 Licensing New Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Network Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210 Support Package Diagnostics Files . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Index Glossary VIII xiv Bridge GUI Guide: Introduction Chapter 1 Introduction 1.1 This Document This user guide covers configuring, managing and monitoring any current-model Fortress Bridge (or Controller) through the Bridge GUI. It also presents the most detailed descriptions of supported network topologies and overall Bridge software functions and operation available among the full set of user guides that cover Fortress Bridges. WARNING: can cause physical injury or death and/or severely damage your equipment. Fortress Bridge user guidance is intended for professional system and network administrators and assumes that its users have a level of technical expertise consistent with these roles. CAUTION: can corrupt your network, your data or an intended result. Side notes throughout this document are intended to alert you to particular kinds of information, as visually indicated by their icons. Examples appear to the right of this section, in descending order of urgency. 1.1.1 Related Documents Fortress software user guidance, including this guide, covers all current Fortress hardware platforms. In addition to this guide, Fortress Bridge software guides include: Secure Wireless Bridge and Security Controller CLI Software Guide Secure Wireless Bridge and Security Controller Auto Config Software Guide Although they run the same software, there are significant differences among the various ES-series Bridges and between the ES-series and the FC-X, or Fortress Controller. Each Fortress hardware device is therefore covered in a platformspecific hardware guide, currently including: ES820 Secure Wireless Bridge Hardware Guide ES520 Secure Wireless Bridge Hardware Guide ES440 Secure Wireless Bridge Hardware Guide ES210 Secure Wireless Bridge Hardware Guide FC-X Security Controller Hardware Guide NOTE: may assist you in executing the task, e.g. a convenient software feature or notice of something to keep in mind. Bridge GUI Guide: Introduction Each software version of the Fortress Secure Client is covered in a separate Fortress Secure Client user guide. 1.2 Network Security Overview Network security measures take a variety of forms; key components include: Confidentiality or privacy implementations prevent information from being derived from intercepted traffic. Integrity checking guards against deliberate or accidental changes to data transmitted on the network. Access control restricts network access to authenticated users and devices and defines resource availability and user permissions within the network. 1.3 Fortress Security Systems Fortress applies a combination of established and unique methodologies to network security. Fortress’s Mobile Security Protocol (MSP) provides device authentication and strong encryption at the Media Access Control (MAC) sublayer, within the Data Link Layer (Layer 2) of the Open System Interconnection (OSI) networking model. This allows a transmission’s entire contents, including IP addresses, to be encrypted. Fortress security systems also employ and support standardsand protocols-based network security measures, including RADIUS (Remote Authentication Dial in User Service), WPA (Wi-Fi Protected Access) and WPA2, IPsec (Internet Protocol Security), and NSA (National Security Agency) Suite B1 cryptography. Fortress security systems can be configured to operate in full compliance with Federal Information Processing Standards (FIPS) 140-2 Security Level 2. 1.3.1 NOTE: New releas- es may still be in FIPS 140-2 Level 2-validation process. Contact your Fortress representative for the current FIPS certification status of Fortress products. Fortress Bridges and Controllers Fortress hardware devices include the ES-series of Fortress Bridges and the Fortress Controller (FC-X) and may be collectively referred to as Bridges, Controllers or Controller devices. The ES820 Bridge is also known as Fortress's Vehicle Mesh Point. The ES440 Bridge is also known as an Infrastructure Mesh Point, and the ES210 Bridge is also known as a Tactical Mesh Point. 1. Suite B specifies only the cryptographic algorithms to be used. Many factors determine whether a given device should be used to satisfy a particular requirement: the quality of the implementation of the cryptographic algorithm in software, firmware or hardware; operational requirements associated with U.S. Government-approved key and key-management activities; the uniqueness of the information to be protected (e.g. special intelligence, nuclear command and control, U.S.-only data); interoperability requirements, both domestic and international. The National Security Agency may evaluate Suite B products for use in protecting U.S. Government classified information on a case-by-case basis and will provide extensive design guidance to develop products suitable for protecting classified information. Bridge GUI Guide: Introduction The term Bridge is used consistently throughout user guidance to refer to both ES- and FC-series Fortress hardware devices. Fortress Bridges provide network security by authenticating access to the bridged network and bridging encrypted wireless transmissions to the wired Local Area Network (and/or wired communication within the LAN) and by authenticating and encrypting Wireless Distribution System (WDS) links. Fortress Bridges are variously equipped for network connectivity. When one or more radio is present, the Bridge can both provide and protect wireless connections. Fortress devices without radios act as overlay security appliances for wireless networks. All Fortress devices are equipped for wired Ethernet with varying numbers of ports. Table 1.1 shows the various hardware configurations and capabilities of current Fortress hardware devices. Fortress model radios ES820 ES520 FC ES series Table 1.1. Radios and Ethernet Ports in Fortress Hardware Devices 4.4GHz # Eth option ports radio label standard equipment Radio 1 802.11a/g/n no Radio 2 802.11a/n no Radio 1 802.11a/g no Radio 2 802.11a yes Radio 1 802.11a/g/n no ES440 Radio 2– Radio 4 802.11a/n no ES210 Radio 1 802.11a/g/n no FC-X n/a Eth port HW label Eth port SW label Ethernet1 wan no no no encrypted Ethernet2 aux no no no clear 1–8 lan1–lan8 no yes no clear WAN wan1 yes no no encrypted Ethernet1 wan yes no no encrypted Ethernet2 aux no no no clear Ethernet aux no no no clear Ethernet (WAN) wan no no no encrypted Encrypted enc no no yes encrypted Unencrypted clr no no yes clear AUX aux no no no clear takes serves fiber default PoE PoE option encryption The ES210 is additionally equipped with a GPS (Global Positioning System) receiver and associated antenna port. 1.3.1.1 ES-Series Model Numbers Fortress ES-series model numbers provide information about the product platform and the number and type of radio(s) it contains. Figure 1 breaks down the model number for an ES520-35 Secure Wireless Bridge. Bridge GUI Guide: Introduction You can find the full model number for any ES-series Bridge on the Administration Settings screen under System Info. Figure 1. ES-Series Product Model Number Explication The number of digits after the hyphen corresponds to the number of radios installed in the Bridge. The value of each digit indicates the frequency band(s) that radio supports, as shown in Table 1.2. CAUTION: Use of 4.4 GHz radios is strictly forbidden outside of U.S. Department of Defense authority. Table 1.2. Radio Installed and Supported Frequencies 1.3.1.2 Number Radio Installed Supported Frequencies 802.11a/g or 802.11a/g/n 2.4 GHz or 5 GHz 802.11 military band 4.4 GHz 802.11a or 802.11a/n 5 GHz Fortress Bridge Management Fortress Bridges can be administered through either of two native software management tools. They support SNMP (Simple Network Management Protocol) transactions, and each model chassis provides a small subset of basic user controls and visual indicators. Bridge GUI The graphical user interface for Fortress Bridges is a browserbased management tool that provides administration and monitoring functions in a menu- and dialog-driven format. It is accessed over the network via the Bridge’s IP address. The Bridge GUI supports Microsoft® Internet Explorer and Mozilla Firefox™. Using the Bridge GUI is covered in this user guide. Bridge CLI The command-line interface for Fortress Bridges provides administration and monitoring functions via a command line. It is accessed over the network via a secure shell (SSH) connection to the Bridge’s management interface or through a terminal connected directly to the Bridge’s serial Console port. Using the Bridge CLI is covered in Secure Wireless Bridge and Security Controller CLI Software Guide. SNMP Fortress Bridges support monitoring through version 3 of the Simple Network Management Protocol (SNMP) Internet standard for network management. Fortress Management Bridge GUI Guide: Introduction Information Bases (MIBs) are included on the Bridge CD and can be downloaded from the Fortress Technologies web site: www.fortresstech.com/. Configuring SNMP through the Bridge GUI is covered in this guide; configuring it through the Bridge CLI is covered in Secure Wireless Bridge and Security Controller CLI Software Guide. Chassis Indicators and Controls Fortress Bridges are variously equipped with LED indicators and chassis controls. These are covered in each Bridge’s (or Controller’s) respective Hardware Guide. 1.3.2 Fortress Secure Client Software The Fortress Secure Client employs Fortress’s Multi-Factor Authentication™ and MSP to authenticate third-party client device connections and encrypt traffic between such devices and the Bridge-secured network. The Secure Client can be installed on a variety of mobile and hand-held devices. 1.4 Network Deployment Options You can expand Fortress Bridge functionality and associated configuration options by licensing advanced features. Among these, Fortress's FastPath Mesh link management function supports optimal path selection and independent IPv6 mesh addressing and DNS (Domain Name System) distribution. FastPath Mesh networks provide higher efficiency and greater mobility than networks using STP link management, which does not require a license. NOTE: Refer to Ta- ble 3.1 in Section 3.2 for a quick comparison of FastPath Mesh and STP networks. Although FastPath Mesh and STP networks serve the same essential functions, the details of deploying them are not identical. Each type of network is covered separately below, with a selection of representative deployment options. 1.4.1 FastPath Mesh Network Deployments When FastPath Mesh is licensed and selected for Bridging Mode, FastPath Mesh networks are automatically formed among compatibly configured Fortress Bridges. These bridging nodes are known as Mesh Points (MPs). MPs connect to one another over wired or wireless interfaces that have been configured as Core interfaces. All MPs on a given FP Mesh network are peers. Directly connected MPs are neighbors. On separate interfaces, configured as Access interfaces, FastPath Mesh Points can connect other devices, or Non-Mesh Points (NMPs), to the network and connect the mesh to a conventional hierarchical network. Refer to Section 3.2.1 for more on FastPath Mesh bridging and to sections 3.3.4 and 3.7 for per-port FastPath Mesh Mode settings for radio BSSs and Ethernet ports, respectively. NOTE: Once FastPath Mesh connections are established, the FP Mesh network acts as a flat, OSI layer-2 network for the Bridge GUI Guide: Introduction devices it connects, routing network traffic on the fastest, most efficient path to its destination. FastPath Mesh supports standard network DHCP (Dynamic Host Control Protocol) and DNS (Domain Name System) servers and static or dynamic IPv4 and IPv6 addressing. In addition, FastPath Mesh itself automatically generates a Unique Local IPv6 Unicast Address (defined in IETF RFC2 4193) for each MP and provides internal name resolution. 1.4.1.1 Isolated FastPath Mesh Networks The independent RFC-4193 IPv6 mesh addressing and DNS distribution functions embedded in FastPath Mesh enable a set of Fortress Bridges to form a fully functioning FastPath Mesh network as soon as they are connected. Access Network MP ES210 in STAtion mode MP MP ES210 ES820 NMP NMP ES210 MP Access Network NMP ES820 MP MP ES520 ES520 NMP NMP Access Network ES210 in STAtion mode MP = Mesh Point NMP = Non-Mesh Point = Mesh Core Connection = Access Network Connection Figure 1.1. Isolated FP Mesh Network with Access Network Connections In the case of an isolated wireless FP Mesh network, as shown in Figure 1.1, on each Bridge to be used as an MP you must, at minimum: License FastPath Mesh on the Bridge: on Maintain -> Licensing Select FastPath Mesh for Bridging Mode: on Configure -> Administration Enable the internal radio(s): on Configure -> Radio Settings 2. Internet Engineering Task Force Request for Comments Bridge GUI Guide: Introduction Create a bridging BSS on (one of) the radio(s) with: an SSID in common with the bridging BSSs on the rest of the MPs a Wireless Bridge setting of Enabled on Configure -> Radio Settings -> ADD BSS If the current MP will connect NMPs to the network, create an Access BSS on (one of) the radio(s) with: an SSID for NMP devices to connect to a Wireless Bridge setting of Disabled on Configure -> Radio Settings -> ADD BSS A BSSs bridging setting also determines its FP Mesh function. With Wireless Bridge Enabled, BSSs function as Core interfaces; with Wireless Bridge Disabled they function as Access interfaces (Section 3.3.4.3). NOTE: The Bridge will force you to change the password of the preconfigured administrator account when you log in for the first time. The Bridge is not fully secure until you have also changed passwords for the two remaining preconfigured administrative accounts and the network Access ID from their defaults. Including the RFC-4193 IPv6 address FP Mesh automatically generates, each MP can have up to sixteen IPv6 addresses. It always has a link-local address and can always have a manually configured IPv6 global address. If IPv6 Auto Addressing is Enabled (the default) and an IPv6 router is present on the network to provide routing prefixes, additional IPv6 addresses will be present. Each MP can also have a manually configured IPv4 address. Refer to Section 3.4.2 for more on IP addressing on the Bridge. To provide virtually configuration-free DHCP and DNS services for Non-Mesh Points on the FP Mesh network, enable one (or a few) of the DHCP servers internal to the network MPs and leave all of their internal DNS servers enabled (the default). The Bridge’s DNS service is used in common by IPv4 and IPv6 networks, while the Bridge provides separate, dedicated IPv4 and IPv6 DHCP servers. Refer to Section 3.6 for more on the Bridge’s internal DHCP and DNS servers. 1.4.1.2 Network-Attached FastPath Mesh Networks One or more of the Mesh Points in a FastPath Mesh network can connect the mesh to a conventional hierarchical LAN or WAN (wide are network). An MP that serves as a bridge between the FP Mesh network and a hierarchical network is a Mesh Border Gateway (MBG). The MBG interface that connects to the LAN or WAN must be configured as an Access interface, the MBG’s default gateway must be a router on the hierarchical network, and route(s) to the FastPath Mesh's subnet must be configured on the network router(s). If IPv6 network routers are configured to provide an IPv6 global prefix, the MBG will forward it to every node in the network (MPs and NMPs). Bridge GUI Guide: Introduction If a DHCP server internal to one of the MPs is enabled to configure the IP addresses of network NMPs, all NMPs will have the correct default gateway address and IPv6 prefix to automatically configure themselves without further manual configuration. To create a FastPath Mesh network and attach it to a conventional hierarchical network, as shown in Figure 1.2, you must, at minimum: follow the steps to configure an isolated FastPath Mesh network outlined in the preceding Section 1.4.1.1. on each Mesh Point that will serve as an MBG: configure the hierarchical network router as the MBG’s default gateway: on Configure -> Administration -> Network Configuration. be sure the interface that will connect to the hierarchical network is configured as an FP Mesh Access interface. FastPath Mesh Mode is specified for wired interfaces: on Configure -> Ethernet Settings -> EDIT. Wireless interfaces are automatically (and transparently) configured as Access interfaces when Wireless Bridge is Disabled: on Configure -> Radio Settings -> ADD BSS. on each router in the hierarchical network that will connect to an MBG, configure route(s) to the FP Mesh subnet. /$1 MBG ES440 03 03 0HVK3RLQW MBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ $FFHVV,QWHUIDFH ES210 03 03 03 ES820 ES210 03 ES440 ES210 03 ES820 03 03 ES440 ES820 03 ES210 Figure 1.2. Single FP Mesh Network with a Single MBG Attachment Point Bridge GUI Guide: Introduction In addition to the RFC-4193 IPv6 address FP Mesh automatically generates, the MBG is provided with a global prefix by the network IPv6 router. If a DHCP server internal to one of the MPs is enabled, each IPv6 node in the network can then be reached by the public address so provided. You can attach an FP Mesh network to a hierarchical network by more than one MBG to provide path redundancy between the mesh and the LAN or WAN. If one of the MBGs becomes unavailable, the other(s) will maintain the connection. NOTE: There is no coordination between FP Mesh MBGs. Regardless of the number of MBGs attached to the hierarchical network, traffic into the FP Mesh network typically flows through only one MBG. If two (or more) MBGs are used, you can manually split traffic between the two MBGs by IPv4 address ranges (10.1/16 -> MBG1, 10.2/16 -> MBG2, for example), but it will still be the case that only one MBG will send traffic to any given FP Mesh node. 1.4.1.3 Separating and Rejoining in FastPath Mesh Networks Mesh Points in a wireless FastPath Mesh network can separate and rejoin smoothly, individually or in groups, as mobile Mesh Points move in and out of range of each other. Changes in the costs and availability of FP Mesh data paths are propagated throughout the network. /$1 MBG 03 03 0HVK3RLQW MBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ $FFHVV,QWHUIDFH 03 03 03 03 03 03 03 03 Figure 1.3. Single Separated FP Mesh Network When a split forms in a mobile FP Mesh network attached to a hierarchical network, as shown in Figure 1.3, any nodes Bridge GUI Guide: Introduction separated from the MBG will be temporarily disconnected from the hierarchical network. Multiple MBGs can enable parts of the mesh temporarily separated from each other to remain connected to a hierarchical network, as long as there is an MBG present among the separated group of nodes. 1.4.1.4 Bridging Loops in FastPath Mesh Networks Bridging loops can form only when FastPath Mesh Points are connected over both Core and Access interfaces. In FastPath Mesh Networks with single MBG attachment points to the hierarchical network, such as those shown in Figure 1.4, simultaneous Core and Access connections are not present, and bridging loops cannot form. Although the two MBGs are connected to the same LAN by their Access interfaces, they are MPs in different FP Mesh networks and so are not also connected by Core interfaces. /$1 Mesh A MBG MBG 03 Mesh B 03 03 03 03 03 03 0HVK3RLQW 03 MBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ $FFHVV,QWHUIDFH Figure 1.4. Two FP Mesh Networks, One MBG Attachment Point Each, Connected to a Single Access Network When a FastPath Mesh network is attached to a hierarchical network by two (or more) Mesh Border Gateways, the Mesh Points serving these roles are connected to each other both by their Core interfaces and by the Access interfaces connecting them to the hierarchical network. FastPath Mesh detects and prevents the loop that would otherwise form over these connections: Among the many MPs that detect a loop, only the MP with the lowest MAC address will forward mesh traffic received 10 Bridge GUI Guide: Introduction on the Access interfaces on which the loop has been detected. Only the MP so chosen as the forwarder will advertise NMPs discovered on these Access interfaces. Because only one MBG in a given FP Mesh network will actively pass traffic to and from the hierarchical network, multiple MBGs can be present in multiple FP Mesh networks attached to the same LAN, as shown in Figure 1.5. /$1 MBG A2 Mesh A MBG A1 MBG B2 Mesh B MBG B1 03 03 03 03 03 0HVK3RLQW MBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ $FFHVV,QWHUIDFH 03 Figure 1.5. Two FP Mesh Networks, Two MBGs Each, Connected to a Single Access Network 1.4.1.5 Traffic Duplication in FastPath Mesh Networks Although you can attach more than one FP Mesh network simultaneously to more than one LAN, configurations in which separate hierarchical networks are “bridged” by multiple FP Mesh networks will necessarily generate duplicate traffic, as shown in Figure 1.6. 11 Bridge GUI Guide: Introduction VHQGHU WDUJHW LAN 2 LAN 1 Mesh A MBG A2 MBG B2 MBG A1 03 Mesh B MBG B1 03 03 03 03 0HVK3RLQW MBG 0HVK%RUGHU*DWHZD\ 0HVK&RUH&RQQHFWLRQ 0HVKļ+LHUDUFKLFDO&RQQHFWLRQ $FFHVV,QWHUIDFH 'XSOLFDWH7UDIILF 03 03 Figure 1.6. Traffic Duplication in Two FP Mesh Networks Attached to Separate Access Networks Avoid such configurations if traffic duplication is undesirable in your environment. 1.4.2 STP Mesh Network Deployments Fortress Bridges can be deployed in mesh networks managed by Spanning Tree Protocol without any additional features licensing. When STP is selected for Bridging Mode (the default), the Bridge can be used as a node in an STP-managed mesh network while—on a separate BSS—also acting as an AP (access point) to WLAN client devices within range. 12 Bridge GUI Guide: Introduction Bridges configured to be able to connect to one another automatically form mesh networks. WLAN WLAN LAN ...rear-panel grounding stud to earth ground mastmounted ES520 WAN port ...to PoE power STP Root (implementation dependent on lightning arrestor) PoE adapter Figure 1.7. STP Mesh Network Deployment At their default settings, the Bridge with the lowest MAC address will serve as the STP root. Alternatively, you can configure the order in which networked Bridges will assume the role of STP root, if the existing root is lost, by specifying the Bridge Priority order on individual Bridges in an STP network. Refer to Section 3.2.2 for more on STP bridging and configuring Bridge Priority. NOTE: One or more of the linked Bridges (or network nodes) can also be configured to connect the mesh network to a LAN and/or to serve as a WLAN AP for compatibly configured wireless clients within range. Figure 1.7 shows an STP mesh network in which all connected nodes are serving as WLAN APs and the STP root node is attached to a LAN. 13 Bridge GUI Guide: Introduction 1.4.3 Point-to-Point Bridging Deployments The Bridge can be deployed as a conventional wireless Bridge to connect two separately located LANs (local area networks), for example, or to link remotely located hardware to the local network for system management and data upload, as shown in Figure 1.8). wireless bridging link Ethernet Ethernet ...to power remote hardware satellite uplink management laptop modem Figure 1.8. Point-to-Point Wireless Bridging Deployment As long as the LAN or WAN to which the Bridge is connecting does not require STP to be enabled, Bridges can be deployed in point-to-point (two-node) bridging configurations without any link management (with a Bridging Mode setting of Off). If more than two Bridges will be networked, Fortress strongly recommends using FastPath Mesh (if licensed) or STP link management. 1.4.4 Wireless Client ES210 Bridge Deployments An ES210 Bridge can be dedicated to operate as a standard 802.11 wireless client by configuring a single station (STA) interface on its single internal radio. ES210 Bridges operating as wireless client devices can be integrated into Bridge-secured network deployments as any WLAN client would be: connecting to the WLAN (or access network) through another Bridge acting as a network AP (or configured with an access interface). 14 Bridge GUI Guide: Introduction 1.5 Compatibility The Fortress Bridge is fully compatible with WPA and WPA2 enterprise and pre-shared key modes and with Fortress Secure Client versions 2.5.6 and later. In addition or as an alternative to the Bridge’s native authentication service, the Bridge can be used with an external RADIUS server. Supported services include: Microsoft® Windows Server 2003 Internet Authentication Service® (IAS) freeRADIUS version 2.1 (open source) 15 Bridge GUI Guide: Administrative Access Chapter 2 Bridge GUI and Administrative Access 2.1 Bridge GUI The Fortress Secure Wireless Bridge’s graphical user interface provides access to Bridge administrative and monitoring functions. 2.1.1 System Requirements To display properly, the Bridge GUI requires a monitor resolution of at least 1024 × 768 pixels and the following (or later) browser versions: Microsoft® Internet Explorer 7.0 Mozilla Firefox™ 2.0 2.1.2 Bridge GUI Security Browser connections to the Bridge’s management interface are secured via https (Hypertext Transfer Protocol Secure). GUI access can be authenticated via the self-signed X.509 digital certificate automatically generated by the Bridge for use by SSL (Secure Socket Layer) and present by default in the local certificate store. You can also import and select a different certificate for the Bridge's SSL function (refer to Section 6.2). You can turn off GUI access to the Bridge altogether by disabling the user interface, requiring administrators to access the Bridge exclusively through the CLI (refer to Section 4.1.5). The Bridge GUI is enabled by default. 2.1.3 Logging On You can access the Bridge GUI from any computer with access to the Bridge: any computer on one of the Bridge’s clear interfaces, as well as any computer with a secure connection to an encrypted interface. To access the Bridge GUI: Open a browser and, in the address field, enter the IP address assigned to the Bridge’s management interface. If this is the first time an administrator has logged on to the Bridge and you agree to the terms of the license NOTE: The default IP address is 192.168.254.254. Default passwords for preconfigured accounts are the accounts’ respective user names (refer to Section 2.2.2) and must be changed when the account is first used. 16 Bridge GUI Guide: Administrative Access agreement, click to accept them. (Once accepted the agreement does not display.) or If an administrative logon banner has been configured (Section 2.2.1.9)—click to accept its terms. (There is no administrator logon banner by default.) On the Logon to Fortress Security System screen, enter a valid Username and Password. Click LOGON. Default complexity requirements force passwords to be changed on all three preconfigured accounts when the accounts are first used. If password requirements are changed to permit the defaults, first-time logons to Maintenance and Logviewer will not force password changes. NOTE: Figure 2.1. Bridge GUI Logon screen, all platforms If prompted to do so, enter and confirm a new password for the account and click SUBMIT. You will be prompted to create a new password if: You are logging on to the Bridge for the first time. The account password has expired or has been expired for non-conformance (refer to Section 2.2.1.7). The User must change password: Yes option is in effect for the account you are trying to log on (Section 2.2.2). You can optionally view current password complexity requirements by clicking Complexity Requirements at the bottom of the Create a new password dialog. If Pass. Dictionary is enabled (refer to Section 2.2.1.8), new passwords are checked against the list of words used by the function. You can pre-check the password against the list by clicking Pass. Dictionary: CHECK PASSWORD. The message Not Blacklisted will be returned if the entry passes the check; Blacklisted! indicates that the entry failed the check and cannot be used. By default, the password dictionary check is not in effect, and it is labeled disabled. You can view but not edit the list against which passwords are checked by clicking Password Dictionary: VIEW. NOTE: If you were prompted to create a new password, the Logon to Fortress Security System screen displays again: re-enter the account Username, enter the new Password, and click LOGON. 17 Bridge GUI Guide: Administrative Access Two administrators with Administrator-level privileges (refer to Section 2.2.2.3) cannot be logged on the Bridge at the same time. If you are trying to log on to an Administrator-level account when another such session is active, you will have the option of forcibly ending the active session and proceeding with the logon, or choosing Cancel Logon from the dropdown to preserve the first session. Click CONTINUE to execute your choice. Figure 2.2. Bridge GUI Logon screen when the account is active, all platforms Access configuration settings through the menu links under Configure on the left of all Bridge GUI screens. Monitoring functions are available under Monitor, maintenance and diagnostic tools under Maintain. 2.1.4 Using Bridge GUI Views The Bridge GUI initially opens in Simple View, which displays an abbreviated set of items under the main menu headings on the left side of the page and provides a limited set of configuration settings on Configure screens. To access the complete Bridge GUI, click ADVANCED VIEW in the upper right corner of any page. The Bridge GUI Advanced View includes additional items under the Configure and Maintain main menu headings and provides full access to configuration settings. In Advanced View, the button in the upper right corner changes to SIMPLE VIEW. Figure 2.3. Bridge GUI VIEW buttons, all platforms For Administrator-level accounts, Advanced View-selection is persistent over subsequent log-ons and reboots. The Advanced View button is absent altogether when you are logged into a Log Viewer-level account, where it would serve no purpose 18 Bridge GUI Guide: Administrative Access (refer to Section 2.2.2.3 for more information on account roles and access). On a screen common to both views, you can toggle between the two views of the screen. If you are viewing a screen exclusive to the Advanced View and you click SIMPLE VIEW, the Bridge GUI will return the main page for the function or, if no such page exists in Simple View, the Monitor -> Connections screen. 2.1.5 Accessing Bridge GUI Help Access the table of contents for Bridge GUI help by clicking HELP in the upper right corner of every page. For help with the screen you are currently viewing, click More Information in the upper right of the screen. 2.1.6 Logging Off To log off the Bridge GUI, click LOGOFF, in the upper right corner of the screen. If you simply close the browser you have used to access the Bridge GUI, you will not be logged off completely. Although you must re-open you browser and log back on to the Bridge in order to regain access to the same account, the previous administrative session persists until it times out or, at the point of logging back in to the account, you opt to end it. By default, the Bridge is configured to end administrative sessions after 10 minutes of inactivity, automatically logging the administrator off. You can reconfigure the global administrative Session Idle Timeout (refer to Section 2.2.1.4). 2.2 Administrative Accounts and Access There are three levels of permissions for administrative accounts on the Bridge, determined by Role assignment: Administrator account users have unrestricted access to management functions and system information on the Bridge. Maintenance account users can view complete system and configuration information and perform a few administrative functions but cannot make configuration changes beyond changing their own passwords (Section 2.2.2.11), if permitted (the default). Log Viewer account users can view only high-level system health indicators and only those log messages unrelated to configuration changes. If permitted (the default), they can also change the password for the account. NOTE: The preconfigured admin, Administrator-level, account corresponds to the Crypto Officer role as defined by Federal Information Processing Standards (FIPS) 140-2. For more detail on account privileges refer to Section 2.2.2.3. By default, one of each administrative account type is present in the Bridge’s local administrator database, with the 19 Bridge GUI Guide: Administrative Access predetermined user names: admin, maintenance, and logviewer, respectively. Administrative roles are described in greater detail in Section 2.2.2.3. Default passwords for preconfigured accounts are the same as their user names. The first time you log on to the admin account, you will be forced to enter a new password of at least 15 characters. Administrative password requirements are global and configurable: refer to Section 2.2.1.8. The default complexity requirements will force the passwords to be changed on all three preconfigured accounts when the accounts are first used. If password requirements are changed so that the default passwords are acceptable, however, administrators logging on to the Maintenance and Logviewer accounts for the first time, will not be forced to change these account passwords from their defaults. All default passwords should nonetheless be changed in order to fully secure the Bridge’s management interface. 2.2.1 An administrator logged on to an Administrator-level account can specify a number of global administrative account settings. In Advanced View, you can also add up to ten additional administrative accounts, as well as reconfigure individual account settings and delete accounts. Preconfigured accounts cannot be deleted. Global administrative account settings are covered in Section 2.2.1 (below). Individual administrative account management is covered in Section 2.2.2. NOTE: Except for Session Idle Time- Global Administrator Settings A number of configurable parameters apply globally to administrative accounts’ logon behaviors and passwords and to administrator authentication. View the these settings through Configuration -> Security -> Logon Settings. NOTE: out changes, which take effect immediately, changes to global Logon Settings are applied at the next administrator logon. Figure 2.4. Simple View Logon Settings frame, all platforms 2.2.1.1 Maximum Failed Logon Attempts You can configure how many times an administrator can try unsuccessfully to log on to one of the Bridge’s administrative accounts before the account is subject to the Bridge’s currently 20 Bridge GUI Guide: Administrative Access configured lockout behavior. Numbers from 1 to 9 are accepted; 3 is the default. 2.2.1.2 Failed Logon Timeout The Failed Logon Timeout setting specifies the number of seconds that must elapse after a failed logon attempt before the same administrator can successfully log on with valid credentials. If an administrator enters valid credentials before the specified number of seconds have elapsed, the action is interpreted as another failed logon attempt and the timeout counter resets. You can set Failed Logon Timeout from 0 (zero) to 60 seconds; a setting of 0 disables the function (no delay between logon attempts will be enforced). The default Failed Logon Timeout is 5 seconds. 2.2.1.3 NOTE: The lockout feature applies only to remote logon attempts. The Bridge CLI unlock command can always be executed via a physical connection to the Console port, which is never locked. Refer to the CLI Software Guide. Lockout Behavior You can set the length of time an administrator will remain locked out after reaching the specified maximum logon attempts in Lockout Duration. Alternatively, by enabling Permanent Lockout you can configure the Bridge to keep the account locked until you have logged on to the Bridge GUI through an Administrator-level account and unlocked it. If there is no other Administrator-level account available, you can unlock the account only through a direct, physical connection to the Bridge’s Console port, with the Bridge CLI’s unlock command. Administrative access to the Console port is never locked. Refer to the CLI Software Guide. Administrator accounts are locked when you exceed the maximum permitted number of failed logon attempts (Section 2.2.1.1) on the account. Attempts to log on fail when you supply invalid credentials and when you neglect to allow the specified period between failed attempts (Section 2.2.1.2). Refer to Section 2.2.2.12 for instructions on unlocking an administrative account in the Bridge GUI. 2.2.1.4 Session Idle Timeout By default, administrative sessions time out after 10 minutes of inactivity. You can disable administrative session timeouts with a Session Idle Timeout setting of 0 (zero) or reconfigure the timeout period in whole minutes between 1 and 60. 2.2.1.5 Show Previous Logon When Show Previous Logon is Enabled, the date and time the current administrator last logged on and the IP address and user interface (GUI or CLI) used to do so are displayed at the top of the first page displayed by the Bridge GUI (Monitor -> Connections for initial Administrator- or Maintenance-level The idle timeout setting for local administrator accounts is independent of timeout settings for network users and connecting devices (Section 4.4). NOTE: 21 Bridge GUI Guide: Administrative Access log-ons and Monitor -> Event Log when Log Viewer accounts first access the Bridge GUI). The feature is Disabled by default. Show Previous Logon is present only in Advanced View (refer to Section 2.1.4). 2.2.1.6 Authentication Method and Failback By default, administrative Usernames and passwords are authenticated by the Local administrator authentication service—a designated service running on the Bridge itself and separate from the local user authentication service configured on Configure -> RADIUS Settings -> Local Server (refer to Section 4.3.2). Alternatively, you can reconfigure the Bridge to send administrators’ logon credentials to a Remote Authentication Dial-In User Service (RADIUS) server, which may be any of: Administrators added in the external authentication service are Learned by the Bridge, but cannot be authenticated until their records have been opened locally for configuration (refer to Section 2.2.2.8). NOTE: the RADIUS server internal to the current Bridge the RADIUS server internal to another Bridge on the network a third-party RADIUS server running on the network The service(s) available are determined by the Bridge’s configuration for authentication servers as determined by the settings on Configure -> RADIUS Settings. When a Fortress or a third-party RADIUS server is used to evaluate administrator logon credentials, locally configured logon settings and password rules do not apply. Administrative logon behavior and password rules are determined by the account settings in effect on that RADIUS server. When the Bridge is configured to use a third-party or Fortress RADIUS server and Authentication Failback is Enabled, the Bridge will use its local administrator authentication service as a backup means of authenticating administrator credentials, should the third-party or Fortress user authentication database become unavailable. When Authentication Failback is disabled (the default) on a Bridge configured to use a third-party or Fortress RADIUS server for administrator authentication, and no such server is available, administrators cannot be authenticated and logged on to the Bridge until access to the external server is restored. Authentication Failback is not applicable to Bridges configured with the default Authentication Method of Local. Authentication Method and Authentication Failback are present only in Advanced View (refer to Section 2.1.4). To use the local Fortress RADIUS Server to authenticate administrators: Except for steps 7 through 11, which can be performed at any time, you must follow the steps of the procedure below in the order given. 22 Bridge GUI Guide: Administrative Access Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. Click to access the Local Server tab, and in the Local Authentication Server frame: In Administrative State, click to select Enabled. In Administrator Auth, click to select Enabled. For help with other settings on this screen refer to Section 4.3.2. Figure 2.5. enabling local administrator authentication, all platforms Click APPLY in the upper right of the screen. Select Configure -> Security from the menu on the left. In the Security screen’s Logon Settings frame: In Authentication Method, select RADIUS from the dropdown. In Auth Failback, optionally click to select Enabled. For help with other settings in this frame refer to the rest of this section. CAUTION: Fortress strongly recommends selecting Enabled for Auth Failback to insure against administrative lockout in the event of network disruptions or administrator error. Figure 2.6. enabling administrator authentication failback, all platforms Click APPLY in the upper right of the screen. 23 Bridge GUI Guide: Administrative Access Select Configure -> RADIUS Settings from the menu on the left. Click to access the Local Server tab and in the User Entries frame, click NEW USER. In the Edit Local Authentication screen’s User Database Entry frame: In Username, enter a user name of at least one (1) alphanumeric characters. In New Password/Confirm Password, enter a password that confirms to current password requirements (Section 2.2.1.8). In Role, select Administrator from the dropdown. For help with other settings in this frame refer to Section 4.3.3.1. Figure 2.7. creating an administrator account on the local authentication server, all platforms 10 Click APPLY in the upper right of the screen. Repeat steps 8 through 2.7 for any additional administrators you want to configure. To use a remote Fortress RADIUS Server to authenticate administrators: To use a RADIUS server running on another Bridge on the network to authenticate administrators for the local Bridge, you must configure an entry for the server on the local Bridge’s Authentication Servers page, specifying Fortress Auth as its Server Type and Admin as a supported Auth Type (refer to Section 4.3.1). 11 Only administrators with user accounts (configured for the Role of Administrator) on the remote Bridge will be able to authenticate through its user authentication service (refer to Section 4.3.3.1). To use a third-party RADIUS Server to authenticate administrators: To use a third-party RADIUS server for administrator authentication, it must be configured to use Fortress’s VendorSpecific Attributes for Fortress-Administrative-Role and FortressPassword-Expired, provided in the dictionary.fortress configuration file included on the Bridge software CD and available for download at www.fortresstech.com/support/. 24 Bridge GUI Guide: Administrative Access Consult your RADIUS server documentation for information on configuring the service. You must additionally configure an entry for the server on the Bridge’s Authentication Servers list (Configure -> RADIUS Settings-> Server List), specifying 3rd Party RADIUS as its Server Type and Admin as a supported Auth Type for the service (refer to Section 4.3.1 for more information on configuring external authentication servers for the Bridge.). 2.2.1.7 Password Expiration You can configure the Bridge to expire administrative passwords after a specified period and to warn administrators a specified number of days before the password expires. Password expiration (Pass. Expire) is Disabled by default. When Pass. Expire is Enabled, you can specify a password expiration period (Pass. Expiration) of 1 to 365 days. The default expiration period is 60 days. Expiration Warning You can also configure the Bridge to warn administrators that their passwords are scheduled to expire. You can set Pass. Expire Warning from 0 to 365. An expiration warning setting of 0 or a setting greater than the specified password expiration period disables the function (no password expiration warning will be issued). When a Pass. Expire Warning smaller than Pass. Expiration is set, the warning **Your password will expire soon** appears at the top of the first screen displayed (initially Connections for Administrator-level accounts) whenever an administrator logs on, beginning the specified number of days before administrators are forced to change their passwords. The warning does not persist after the administrator navigates away from the first page viewed. (If Pass. Expiration and Pass. Expire Warning are set to the same value, the warning will display whenever an administrator logs on.) Nonconformance Expiration If you change the rules for administrative passwords (refer to Section 2.2.1.8), some existing passwords may not conform to the new requirements. Expire Nonconforming Pass. allows you to choose whether such passwords will expire at the time the rules change (Enabled) or will be allowed to persist until the next scheduled expiration date (Disabled). By default, Expire Nonconforming Pass. is Enabled: administrators are forced to change nonconforming passwords the first time they log on after the rules for passwords have changed. Expire Nonconforming Pass. is present only in Advanced View (refer to Section 2.1.4). 25 Bridge GUI Guide: Administrative Access 2.2.1.8 Password Requirements The Bridge will not accept new passwords that do not meet specified requirements. If you specify new requirements that existing passwords do not meet, nonconforming passwords are treated according to the Expire Nonconforming Passwords setting (described in Section 2.2.1.7). NOTE: Passwords do not need to be unique. Configured complexity requirements apply equally to administrative passwords and to those of locally authenticated network users (Section 4.3.3.1). You can apply up to nine rules for administrative and local user passwords: Pass. Minimum Length - Passwords must be at least the specified number of characters long. You can specify values from 8 to 32 characters. The default is 15. Pass. Minimum Capitals - Passwords must contain at least the specified number of uppercase letters. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no uppercase letters. Pass. Minimum Lowercase - Passwords must contain at least the specified number of lowercase letters. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no lowercase letters. Pass. Minimum Numbers - Passwords must contain at least the specified number of numerals. You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no numerals. Pass. Minimum Punctuation - Passwords must contain at least the specified number of symbols from the set: ~ ! @ # $ % ^ & *( ) _ - + = { } [ ] | \ : ; < > , . ? / (excludes double and single quotation marks). You can specify values from 0 (zero) to 5; a 0 value (the default) allows passwords containing no symbols. Pass. Minimum Delta - Passwords must contain at least the specified number of changed characters, as compared to the previous password. You can specify values from 0 (zero) to 5. A 0 value disables the check: if Pass. History Depth (below) is also Disabled (the default), the same password can be used consecutively, without any change (provided it still conforms to the rest of the rules in effect). Pass. Minimum Delta is disabled by default. NOTE: Pass. Minimum Delta and Pass. History Depth are tracked separately for each administrative account. Pass. Consecutive Characters - Passwords can/cannot contain consecutive repeated characters or consecutive characters in ascending or descending numeric or alphabetic order. When Pass. Consecutive Characters is Disabled, passwords cannot include the character pairs 98 or ab, for examples. When it is Enabled (the default), passwords can contain consecutive characters in numeric or alphabetic order. 26 Bridge GUI Guide: Administrative Access Pass. Dictionary - Passwords can/cannot match words in the dictionary. When Pass. Dictionary is Enabled, passwords are checked against a list of English words, and the password is rejected if a match is found. When it is Disabled (the default), passwords can contain the words on the list. You can view but not edit the word list: Configuration -> Admin Users -> EDIT|NEW USER -> Pass. Dictionary -> VIEW. Pass. History Depth - Passwords cannot be reused until the specified number of new passwords have been created. You can specify values of 0 (zero) to 10. A 0 value disables the check: if Pass. Minimum Delta (above) is also Disabled (the default), the same password can be used consecutively, without any change (provided it still conforms to the rest of the rules in effect). Pass. History Depth is disabled by default. Password requirements settings are present only in Advanced View (refer to Section 2.1.4). To configure global administrative account settings: The Bridge GUI’s Logon Settings are shown in Advanced View below. Figure 2.8. Advanced View Logon Settings frame, all platforms Table 2.1 shows which Administrator Logon settings appear in the two GUI views. 27 Bridge GUI Guide: Administrative Access Table 2.1. Global Administrator Logon Settings Simple & Advanced Views Max Failed Logon Tries Failed Logon Timeout Permanent Lockout Lockout Duration Session Idle Timeout Pass. Expire Pass. Expiration Pass. Expire Warning 2.2.1.9 Advanced View Only Show Previous Logon Authentication Method Authentication Failback Expire Nonconforming Pass. Pass. Min. Length Pass. Min. Capitals Pass. Min. Lowercase Pass. Min. Numbers Pass. Min. Punctuation Pass. Min. Delta Pass. Consec. Characters Pass. Dictionary Pass. History Depth Log on to the Bridge GUI through an Administrator-level account and select Configure -> Security from the menu on the left. If you are configuring one or more Advanced View settings (see Table 2.1), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) In the Security screen’s Logon Settings frame, enter new values for those settings you want to configure (described in sections 2.2.1.1 through 2.2.1.8). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). System Messages The Comment field in the System Messages frame on Configure -> Administration is intended as a user-configured informational field. The Comment is displayed nowhere else. You can configure a Warning Banner for display on the Bridge’s administrator logon screens. When a logon banner is present, administrators are prompted to click to accept its conditions before they are permitted to proceed with the logon. There is no Warning Banner configured by default. 28 Bridge GUI Guide: Administrative Access Figure 2.9. Logon Banner on the Bridge GUI Logon Screen screen, all platforms To configure a comment or administrator logon banner: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. Scroll down to the System Messages frame and: Optionally enter information into the Comment field. and/or In the Warning Banner field enter or paste a message of up to 2000 characters or click UPLOAD BANNER FILE to upload text from an existing file. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Figure 2.10. System Messages frame, all platforms 29 Bridge GUI Guide: Administrative Access To eliminate an existing logon banner, delete all content from the Warning Banner field and APPLY the change. 2.2.2 Individual Administrator Accounts Up to thirteen usable administrative accounts can be present on the Bridge’s local administrator database at one time. Three of these are preconfigured with the fixed user names: admin, maintenance and logviewer, reflecting the default administrative Role of each account. While they can be reconfigured (refer to Section 2.2.2.9), preconfigured administrative accounts cannot be deleted. Figure 2.11. Simple View Administrator Settings frame, all platforms In Advanced View, you can add up to ten additional local administrative accounts and configure additional account parameters for both pre-configured and manually created accounts. On Bridges configured to authenticate administrators through a third-party or Fortress RADIUS server (refer to Section 2.2.1.6), an additional ten Learned administrative accounts can appear on the Admin Users page. Learned administrative accounts are not immediately usable to locally authenticate administrators. In order to be usable for local authentication, accounts for Learned administrators must be converted to configured accounts on the local administrator database (refer to Section 2.2.2.8). Learned accounts converted to configured accounts are retained in the local administrator database and count toward the maximum total of thirteen configured accounts. Although the credentials associated with a Learned account are initially learned by the local administrator database from an administrative account on another authentication service, the two accounts are not linked in any way after the Learned account has been converted to a configured account. NOTE: In order for any account in the local administrator database to authenticate an administrator, the Bridge must be using the local administrator database for that purpose (whether it has been configured for Local administrator authentication or has failed back to the local administrator database (Section 2.2.1.6). 30 Bridge GUI Guide: Administrative Access 2.2.2.1 Administrator User Names At the time a new administrative account is created, you must provide a Username. Once established, the Username associated with an administrative account cannot be changed. Administrator user names must be unique on the Bridge. They are case sensitive, can be from 1 to 32 characters long, and can include spaces and any of the symbols in the set: ~ ! @ # $ % ^ & *( ) _ - + = { } [ ] | \ : ; < > , . ? / (excludes double and single quotation marks). In Advanced View, the Username for any account listed in Administrator Settings links to a Detailed Statistics dialog for the account. Refer to Section 5.2 for more information. NOTE: An administrative account with a Learned state of Yes acquires the Username configured for the associated administrator in the third-party or Fortress RADIUS server (refer to Section 2.2.2.8). You can create new administrative accounts only in Advanced View. 2.2.2.2 Account Administrative State Preconfigured and newly added administrative accounts are Enabled by default. If you change an account’s Administrative State to Disabled, it will no longer be usable. If the associated administrator attempts to log on to a Disabled account, the Logon to Fortress Security System screen will be returned with an error message. If you re-enable the account, the administrator will be allowed to log on normally. At least one enabled Administrator-level account must be present on the Bridge at all times. You will not therefore be allowed to disable an Administrator-level account if it is the only such account on the Bridge. You can create new administrative accounts and edit them only in Advanced View, but you can change the Admin State of preconfigured accounts in both views. 2.2.2.3 Administrative Role An administrative account can be configured for one of three possible administrative roles: Administrator accounts provide unrestricted access to the Bridge. Administrator-level users can configure all functions and view all system and configuration information on the Bridge. Maintenance accounts provide view-only access to complete system and configuration information but no reconfiguration access. A maintenance administrator’s execution privileges are confined to using the network diagnostic tools on Maintain -> Network, resetting Secure Clients and controller device sessions, rebooting the Bridge, and generating a support package. Log Viewer accounts provide view-only access to high-level system health indicators and any log messages unrelated NOTE: Log Viewer and Maintenance administrators can change their own passwords, provided their account passwords are not locked (refer to Section 2.2.2.7). 31 Bridge GUI Guide: Administrative Access to configuration changes. Log Viewer-level accounts have no execution privileges on the Bridge. Only one Administrator-level account can be active on the Bridge at one time. Their limited permissions allow multiple Maintenance-level and Log Viewer-level accounts to be active on the Bridge at the same time. Only one active session per administrative account is supported, regardless of Role. You can reconfigure the Role of any administrative account, including the preconfigured accounts. If you downgrade the role of the Administrator-level account you are currently logged on through, you will be able to finish the session with full permissions. The role change takes effect when you next log on to the account. At least one enabled Administrator-level account must be present on the Bridge at all times. You will not therefore be allowed to reconfigure the Role of an Administrator-level account if it is the only such account on the Bridge. You can create administrative accounts and edit an account’s Role only in Advanced View. 2.2.2.4 Administrator Audit Requirement Whether and how an administrative account is subject to audit logging is configured in the Audit field. Three options are available at the individual account level: Required (the default) - Activity on the account will be included in the audit log. Prohibited - Activity on the account will not be included in the audit log. Auto - Account activity will be treated by the audit logging function according to the global settings in Configuration -> Logging (refer to Section 4.6.2). You can create administrative accounts and edit an account’s Audit setting only in Advanced View. 2.2.2.5 NOTE: An individ- ual account’s Audit setting overrides global Logging settings. Administrator Full Name and Description An administrative account does not require a Full Name or a Description to be entered for the administrator. If you choose to use these fields, they accept up to 250 alphanumeric characters, symbols and/or spaces. You can create and edit administrative accounts only in Advanced View. You can create administrative accounts and edit an account’s Full Name and Description only in Advanced View. 2.2.2.6 Administrator Interface Permissions You can control which of the Bridge’s management interfaces an administrative account can access. 32 Bridge GUI Guide: Administrative Access Console - The account can access the Bridge CLI through a direct, physical connection to the Bridge’s Console port (refer to the CLI Software Guide). Web - The account can access the Bridge GUI through a browser connected to the Bridge’s IP address (refer to Section 2.1.3). SSH - The account can access the Bridge CLI through a Secure Shell terminal session (refer to the CLI Software Guide). Interfaces are independently selectable in any combination. By default, all three are selected so that accounts can use any of them to access the Bridge. Clearing an option’s checkbox will deselect it, preventing access through the deselected interface for that account. Clearing all three Interface Permissions checkboxes effectively disables the account. NOTE: SSH must be enabled on the Bridge before an administrative account configured for SSH access can log on to the Bridge CLI remotely (refer to Section 4.1.6 and/or the CLI Software Guide). You can create new administrative accounts only in Advanced View, but you can change interface permissions for the three preconfigured accounts in Simple View. 2.2.2.7 Administrator Passwords and Password Controls You must configure a password for an administrative account at the time the account is created. Passwords must conform to the rules in effect on the Bridge as configured in Security settings (refer to Section 2.2.1.8) You can also view current password complexity requirements by clicking More Information in the upper right of the Edit Admin Users screen and then Password Complexity Settings. An administrative account with a Learned state of Yes acquires the password configured for the associated administrator in the external RADIUS server (refer to Section 2.2.2.8). This password need not conform to locally configured rules. Default passwords for preconfigured accounts are the same as their user names (admin, maintenance, logviewer) and should be changed when the Bridge is installed. NOTE: You can create and edit administrative accounts only in Advanced View, but, as long as you are logged on to an Administrator-level account, you can enable/disable the three preconfigured accounts in Simple View and change their passwords and interface permissions. (Refer to Section 2.2.2.11 for information on changing passwords from lower level administrator accounts.) Locking Passwords By default, passwords are not locked, allowing administrators with Maintenance and Log Viewer accounts to change their own passwords (refer to Section 2.2.2.11). When Yes is selected for Password is Locked, passwords cannot be changed. If an administrator attempts to change a locked password, the Edit Password screen will be returned with the error message: Password is locked against any changes. Configuring an administrative account’s Role is covered in Section 2.2.2.3. NOTE: 33 Bridge GUI Guide: Administrative Access The same message will be returned for an Administrator-level account if the administrator tries to change the password when the password is locked. Because Administrator-level accounts can change the Password is Locked setting for any account, it is impossible to effectively lock passwords on these accounts (although the administrator will have to select No for Password is Locked and APPLY the reconfiguration before changing the password). You can lock administrative account passwords only in Advanced View. Forcing Password Changes You can force an administrator to change an account’s password the next time s/he logs on to the account by selecting Yes for User must change password. After the administrator has successfully changed the password and logged on, the function will reset to User must change password: No. Preconfigured accounts force their default passwords to be changed when the accounts are first accessed. NOTE: You cannot force a password change on an account when the account’s password is locked. If both Password is Locked and User must change password are set to Yes, the administrator will be allowed to log on without changing the account password, and User must change password will reset to No without effect. You can force administrative account password changes only in Advanced View. 2.2.2.8 Adding Administrative Accounts You can create new administrative accounts from an existing Administrator-level account. When the Bridge is configured to use the local administrator database to authenticate administrator credentials (Authentication Method: Local, refer to Section 2.2.1.6), manual creation is the only way to add administrative accounts. (Accounts added automatically from external authentication databases are described in the second part of this section.) For manually created accounts, you can automatically generate a random password that exceeds the requirements currently in effect (Section 2.2.1.8). Generated passwords conform to all current complexity rules and exceed the specified minimum length by four characters, unless the specified minimum is fewer than four characters short of the 32-character maximum (in which cases characters are added to total 32). You can add administrative accounts only in Advanced View. To add a new administrative account: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner 34 Bridge GUI Guide: Administrative Access of the page, then Configure -> Administration from the menu on the left. In the Administration screen’s Administrator Settings frame, click NEW USER. Figure 2.12. creating a new administrator account, all platforms In the Account Information frame, enter at least a Username and optionally a Full Name and/or Description, and configure any additional settings for the account. (Your options are described in detail in sections 2.2.2.1through 2.2.2.6.) In the Password Controls frame, establish a new password for the account: Click GENERATE PASSWORD to automatically generate a password that complies with the complexity requirements currently in effect (Section 2.2.1.8). or CAUTION: Make a record of the password for future access to the Bridge. After the password is applied it cannot be queried by any means. Enter a New Password that complies with the complexity requirements currently in effect. You can check the password against the list of words used by the Bridge’s Password Dictionary function by clicking Password Dictionary: CHECK PASSWORD. The message Not Blacklisted will be returned if the entry passes the check; Blacklisted! indicates that the entry failed the check and cannot be used. If the Password Dictionary check is not in effect it is labeled (disabled). Record and secure the new password for future reference. You will need the password for subsequent access to the Bridge and the network it secures. Optionally, in the same frame, you can lock the password or require the administrator to change it when s/he first logs on (described in detail in Section 2.2.2.7.) 35 Bridge GUI Guide: Administrative Access You can optionally view current password complexity requirements by clicking More Information in the upper right of the Edit Password screen and then Password Complexity Settings. Click APPLY in the upper right of the screen (or CANCEL the creation of the new account). The new account will be listed, in Advanced View, in Administrator Settings on Configure -> Administration. You can view but not edit the list against which passwords are checked by clicking Password Dictionary: VIEW. NOTE: Figure 2.13. Advanced View Administrator Settings frame, all platforms When the Bridge is configured to authenticate administrators through a third-party or Fortress user authentication database (Authentication Method: RADIUS), administrators who log on successfully through a user account are automatically added to the Bridge’s local database of administrator accounts as Learned accounts. (Refer to Section 2.2.1.6 for more on administrative authentication methods.) NOTE: Refer to Section 2.2.1.6 for details on configuring the Bridge to use a thirdparty or Fortress RADIUS server to authenticate administrators. Up to ten such Learned accounts can be present. They appear among configured accounts on the Admin Users page—and in the local administrator database—with a Learned status of Yes. Learned account credentials can be authenticated only by the third-party RADIUS server or Fortress user authentication database on which their accounts were originally configured. A Learned administrator cannot log on to the Bridge through the local administrator database until you convert the account to a locally configured account (as indicated by a Learned state of No). To convert a learned account to a configured account: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. In the Administrator Settings frame, locate the record for the Learned (Yes) administrator whose account you want to convert (the Username will match the administrator’s RADIUS-server user name), and click the EDIT button to the left of the record. You need not make any changes to the account. NOTE: Once a Learned account has been converted to a local configured account, it is completely independent of the account in the authentication service from which it was learned. 36 Bridge GUI Guide: Administrative Access Click APPLY in the upper right of the screen (or CANCEL the conversion of the account). The newly converted account will be listed, in Advanced View, on Configure -> Administration with Learned state of No, and the associated administrator will be allowed to log on (with valid credentials). Learned user names and passwords need not meet the Bridge’s configured requirements for local administrative accounts. 2.2.2.9 Editing Administrative Accounts You can reconfigure any setting for an individual administrative account except for the Username. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. In the Administrator Settings frame, click the EDIT button to the left of the account you want to edit. On the resulting Administration screen, enter new values for those settings you want to configure. (Your options are described in detail in sections 2.2.2.2 through 2.2.2.7.) Click APPLY in the upper right of the screen (or CANCEL your changes). Global administrative account logon behaviors and password requirements can be edited through Configure -> Security, as described in Section 2.2.1. 2.2.2.10 NOTE: If an ac- count is the only Administratorlevel account present, you cannot change its Administrative State to Disabled or reconfigure its Role. Enabled NOTE: Changes to the account you are currently logged onto will take effect the next time you log on. Deleting Administrative Accounts You can delete any account in the Advanced View Administrator Settings frame (Configure -> Administration), except for: the preconfigured accounts: admin, logviewer and maintenance any account, if it is the only Administrator-level account with an Administrative State of Enabled present on the Bridge At least one account with the Role of Administrator (refer to Section 2.2.2.3) must always be present and enabled on the Bridge. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. In the Administrator Settings frame, click to place a check in the box(es) to the left of the account(s) you want to eliminate. Click DELETE in the upper left of the frame. 37 Bridge GUI Guide: Administrative Access Click OK in the confirmation dialog (or CANCEL the deletion). Figure 2.14. deleting an administrator account, all platforms The account will be removed from the Advanced View Administrator Settings frame (Configure -> Administration). 2.2.2.11 Changing Administrative Passwords Administrators with Administrator-level accounts can change the password of any account, including their own, as described in sections 2.2.2.7 and 2.2.2.9. Provided the password is not locked (refer to Section 2.2.2.7), administrators with Maintenance or Log Viewer accounts can change their own passwords: To change the account password from Maintenance and Log Viewer accounts: Log on to the Bridge GUI through a Maintenance-level or Log Viewer-level account and select Configure -> Administration from the menu on the left. In the Change Your Password frame, enter a New Password and re-enter it in Confirm Password. NOTE: The Change Your Password op- tion does not appear on the Administration screen when you are logged on through an Administratorlevel account. Figure 2.15. changing the password from within a Maintenance- or Log Viewer-level account, all platforms You can optionally view current password complexity requirements by clicking More Information in the upper right of the Edit Password screen and then Password Complexity Settings. You can check the password against the list of words used by the Bridge’s Password Dictionary function (refer to Section 2.2.1.8) by clicking Password Dictionary: CHECK PASSWORD. The message Not Blacklisted will be returned if the entry passes the check; Blacklisted! indicates that the You can view but not edit the list against which passwords are checked by clicking Password Dictionary: VIEW. NOTE: 38 Bridge GUI Guide: Administrative Access entry failed the check and cannot be used. If the Password Dictionary check is not in effect it is labeled (disabled). Click APPLY in the upper right of the screen (or CANCEL the change). Role configuration options for administrative accounts are described in detail in Section 2.2.2.3. 2.2.2.12 Unlocking Administrator Accounts You can unlock administrator accounts in Advanced View only. Figure 2.16. unlocking an administrator account, all platforms Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. In the Administrator Settings frame, click to place a check in the box(es) to the left of the account(s) you want to unlock. Click UNLOCK in the upper left of the frame. Click OK in the confirmation dialog (or CANCEL the action). The account will be unlocked and the associated administrator will be able to log on normally (with valid credentials). NOTE: If no Administrator-level ac- count is available, you can unlock an account only through a direct, physical connection to the Bridge’s Console port, with the Bridge CLI’s unlock command (refer to the CLI Software Guide). The Lockout Duration can be set from 0 (zero) to 60 minutes; a Lockout Duration of 0 (the default) disables the lockout function, provided that Permanent Lockout is Disabled (the default). 2.2.3 Administrator IP Address Access Control You can control remote administrative access to the Bridge by restricting the IP addresses from which administrators are permitted to log on. When the Admin IP Access Control Whitelist is Enabled, only those IP addresses present on the list will be permitted to access the Bridge’s management interface remotely. To control remote access by specified IP addresses: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. CAUTION: If you ignore the relevant warning, you can lock out all network access to the Bridge by having the administrator IP ACL Enabled when there are no IP addresses listed. You can access the Bridge in this case only by a physical connection to the Bridge’s Console port (refer to the CLI Software Guide) 39 Bridge GUI Guide: Administrative Access In the resulting screen’s Admin IP Access Control Whitelist frame, click NEW IP. Figure 2.17. Advanced View Add an IP ACL Entry dialog, all platforms In the resulting Add an IP ACL Entry dialog, enter the IP Address of the computer from which you are currently logged on and, optionally, a Description for the entry. Then click APPLY (or CANCEL the addition). The IP address you added will be listed on the Admin IP Access Control Whitelist. Repeat steps 2 and 3 for any additional IP addresses from which you want to permit administrative access. When you have finished adding permitted IP addresses, in the Admin IP Access Control Whitelist frame, in Administrative State, click Enabled. Figure 2.18. Advanced View Admin IP Access Control Whitelist frame, all platforms Click APPLY on the right of the frame. If you navigate away from the screen without clicking APPLY, the Administrative State will not be changed. If you attempt to enable the Admin IP Access Control Whitelist when the IP address you are currently logged on through is not listed, a dialog warns that proceeding will lock the computer you are currently using out of the Bridge’s management interface. CAUTION: If your current IP address is not on the administrator IP ACL when you Enable it or you delete your address when the list is already enabled, and you do not Cancel the change when prompted, your session will end and your current IP address will be blocked until it is added to the list of permitted addresses or the function is disabled. Figure 2.19. Advanced View current IP address lockout dialog, all platforms 40 Bridge GUI Guide: Administrative Access A dialog will also warn you if you are deleting your current IP address from the list when it is already enabled (after you have cleared the usual confirmation dialog). Unless you want to prevent management access to the Bridge from your current IP address, Cancel these changes. The Admin IP Access Control Whitelist is Disabled by default, and no IP addresses are listed. If the Admin IP Access Control Whitelist is Enabled when there are no IP addresses on the list, administrative access to the Bridge will be possible only through a direct, physical connection to the Bridge’s Console port (refer to the CLI Software Guide). 2.2.4 SNMP Administration In the Bridge GUI Advanced View, the Fortress Bridge can be configured for monitoring through Simple Network Management Protocol (SNMP) version 3. The Fortress Management Information Bases (MIBs) for the Bridge are included on the Bridge CD-ROM. When SNMP v3 support is enabled, the SNMP v3 user (FSGSnmpAdmin) access to the Bridge is authenticated via the SHA-1 message hash algorithm as defined in RFC 2574, Userbased Security Model (USM) for version 3 of the Simple Network Management Protocol (SNMPv3), using the specified authentication passphrase. SNMP v3 privacy is secured via the Advanced Encryption Standard with a 128-bit key (AES-128), using the specified privacy passphrase. SNMP v3 support is disabled by default. When SNMP traps are enabled, the SNMP daemon running on the Bridge detects certain system events and sends notice of their occurrence to a server running an SNMP management application, the network management system (NMS), or trap destination. SNMP traps are disabled by default, and no SNMP trap destinations are configured (refer to Section 2.2.4.2). Figure 2.20. Advanced View SNMP frame, all platforms 41 Bridge GUI Guide: Administrative Access The settings that configure SNMP on the Bridge include: SNMP v3 Support - enables/disables SNMP v3 user access. When SNMP v3 Support is Enabled, the preconfigured SNMP v3 user is permitted to access the Bridge, and new passphrases should be configured in the SNMP v3 User frame: Username - identifies the v3 user, FSGSnmpAdmin. Username cannot be changed. New Auth Passphrase and Confirm Auth Passphrase - an authentication passphrase of 10–32 alphanumeric characters (without spaces). You should change the Auth Passphrase from the default if you enable SNMP v3 Support. NOTE: The default Auth Passphrase is FSGSnmpAdminPwd. New Privacy Passphrase and Confirm Privacy Passphrase - a passphrase of 10–32 alphanumeric characters (without spaces). You must enter a Privacy Passphrase if you enable SNMP v3 Support. SNMP v3 Support is Disabled by default. Refer to Section 2.20 for detailed instructions. SNMP Traps - enables/disables SNMP event notifications forwarded to specified trap destinations. When SNMP Traps are Enabled, you must configure SNMP Trap Destinations before traps can be sent: Trap Destination IP - IP Address of the NMS server Comment - optional description of the trap destination Refer to Section 2.2.4.2 for detailed instructions. System Contact - establishes the E-mail address for the Bridge’s administrative SNMP contact. System Location - establishes a name for the location of the Bridge-secured network. System Description - provides an optional description of the Bridge-secured system. 2.2.4.1 Configuring SNMP v3 If you enable SNMP v3 Support, you should specify and confirm a New Auth Passphrase and a New Privacy Passphrase. 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. 2 Scroll down to the SNMP frame, and click Enabled for SNMP v3 Support to enable SNMP v3 (or disable it by clicking Disabled). 3 In the same frame: In New Auth Passphrase and Confirm Auth Passphrase, enter an authentication passphrase of 10–32 alphanumeric characters (without spaces). 42 Bridge GUI Guide: Administrative Access In New Privacy Passphrase and Confirm Privacy Passphrase, enter a privacy passphrase for the user (10–32 alphanumeric characters without spaces). In the same frame, optionally enter: an E-mail address to serve as the SNMP System Contact a description of the System Location a System Description 2.2.4.2 Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Configuring SNMP Traps You can create, edit and delete trap destinations regardless of whether SNMP traps are enabled. Table 2.2. Fortress SNMP Traps event type event the Gatewaya has started status the Gateway is active the Gateway is down change Access ID open window has closed a Secure Client has disconnected devices all Secure Clients have disconnected a Secure Client has idle timed out a Secure Client has roamed the partnersb have reset connections the clientsc have been reset the sessionsd have reset a. In SNMP traps, the Bridge is identified as a “Gateway.” b. Partners are devices on the encrypted network c. Clients are devices on the clear network d. Sessions of devices on both the secure and clear networks reset. Traps will not be sent to configured destinations when SNMP Traps are Disabled (the default). To enable/disable SNMP traps: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. Scroll down to the SNMP frame, and click Enabled for SNMP Traps to enable traps or Disabled to disable them. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). 43 Bridge GUI Guide: Administrative Access To create trap destinations: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. Scroll down to the SNMP frame, and click NEW DESTINATION. 3 In the Add SNMP Trap Destination dialog: In Trap Destination IP: enter the network address of an SNMP network management system. In Comment: optionally enter a comment for display with the associated destination IP address. 4 Click APPLY in the upper right of the screen (or CLOSE the dialog to cancel your changes). Configured traps are displayed in the SNMP Traps frame. Figure 2.21. Advanced View Add Trap Destination dialog, all platforms To edit a trap destination: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. Scroll down to the SNMP frame and click the EDIT button for the trap destination you want to change. In the resulting Edit SNMP Trap Destination dialog: In Destination IP address: enter a new address of an SNMP network management system and/or revise the optional Comment. Click APPLY in the upper right of the screen (or CLOSE the dialog to cancel your changes). Figure 2.22. deleting an SNMP trap, all platforms 44 Bridge GUI Guide: Administrative Access To delete a trap destinations: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. Scroll down to the SNMP frame and: If you want to delete one or more selected destinations, click to check the box(es) for those you want delete. or If you want to delete all destinations, click All to place a check in all destination checkboxes. Click DELETE. Click OK in the confirmation dialog (or Cancel your deletion). Figure 2.23. Advanced View deleting an SNMP trap confirmation dialog, all platforms Your changes are reflected in the SNMP Trap Destinations frame on the main Configuration -> SNMP screen. 45 Bridge GUI Guide: Network Configuration Chapter 3 Network and Radio Configuration 3.1 Network Interfaces Multiple Bridges can be connected through their wired and/or wireless interfaces to form fixed or mobile tactical mesh networks and to bridge or extend the reach and availability of conventional hierarchical networks. Different models of Fortress Bridge chassis feature varying numbers of user-configurable Ethernet ports. Fortress Bridges can be additionally equipped with one to four independent internal radios supporting various capabilities defined in the IEEE (Institute of Electrical and Electronics Engineers) 802.11-2007 standard, or with no radios. On each radio internal to a Bridge, up to four independent wireless interfaces, or Basic Service Sets (BSSs), can be configured, up to a total of eight per Bridge. CAUTION: All Bridges in a mesh network must run the same Bridge software version. Alternatively, an ES210 Bridge can be dedicated to act as a wireless client by configuring a single station (STA) interface on its single internal radio. Compare your Bridge’s model number (on the Administration Settings screen under System Info.) to Table 1.1 on page 3 to determine the number of Ethernet ports with which the Bridge you are configuring is equipped and the number and type(s) of radio(s) installed in it. Fortress Bridge radios can connect to the radios of remote Fortress Bridges to form mesh networks and, on separate BSSs, serve as access points (APs) or access interfaces to connect compatibly configured wireless devices to a wireless LAN (WLAN) or to an FP Mesh access network. On Bridges with more than one radio, the higher power radio(s) dedicated to the higher frequency band (5 GHz, standard equipment, or 4.4 GHz, military band) will generally be the better choice for network bridging (or backhaul) links. In Bridges with two radios (ES520 and ES820), these are Radio 2. In the four-radio ES440, Radio 2, Radio 3 and Radio 4 are all in this category. 46 Bridge GUI Guide: Network Configuration In Fortress Bridges equipped with any number of radios, the standard-equipment Radio 1 is a dual-band 802.11a/g (or 802.11a/g/n) radio. Radio 1’s 802.11g capability typically indicates its use to provide wireless access to devices within range. You can configure the Bridge's network interfaces to meet various deployment and security requirements. Ethernet port configuration is covered in Section 3.7. Creating and configuring radio interfaces are described in Section 3.3.4 (BSS interfaces) and Section 3.3.5 (WLAN client interfaces). 3.2 Bridging Configuration Each Bridge can maintain simultaneous network links with up to fifty other Bridges, so that up to fifty-one directly linked Fortress Bridges can be present on a given network. Many more Bridges can belong to a more widely deployed mesh network encompassing nodes linked indirectly through other nodes. FastPath and STP Bridging Modes are incompatible with the Bridge’s VLAN function (Section 3.9). NOTE: Mesh Networked radios must: use the same radio frequency band (Section 3.3.2.2) be set to the same channel (Section 3.3.2.3) The BSSs that comprise the network must: be enabled for bridging (Section 3.3.4.3) be configured with the same SSID (Section 3.3.4.2) Wireless bridging links must be formed over Fortress-secured interfaces. When a BSS’s Wireless Bridge setting is Enabled, the BSS’s Fortress Security setting is automatically fixed on Enabled, the Wi-Fi Security setting is automatically fixed on Disabled, and the fields are greyed out (refer to Section 3.3.4.3). When licensed to do so, the Bridge can manage bridging links and route network traffic using Fortress’s FastPath Mesh (FP Mesh) tactical mobile networking. Alternatively, Spanning Tree Protocol (STP) can be used for mesh link management without a license. Both protocols enable the deployment of self-forming, selfhealing secure networks, and both prevent bridging loops while providing path redundancy. STP prevents network loops by selectively shutting down some mesh network links. FastPath Mesh maintains the availability of every mesh connection and additionally provides optimal path routing of network traffic, along with independent IPv6 mesh addressing and DNS (Domain Name System) distribution functions to 47 Bridge GUI Guide: Network Configuration support the mesh network and user controls to configure and tune it. Table 3.1. STP Networks Compared to FastPath Mesh function STP FP Mesh self-forming supported supported self-healing supporteda supported end-to-end encryption supported supported all paths available at all times not supported supported optimal path selection not supported supported automatic IPv6 mesh addressing not supported supported independent DNS and .ftimesh.local domain not supported supported configurable network and neighbor cost weighting not supported supported a. except for STP root node Unless the network can be physically configured to eliminate any possibility of bridging loops (multiple OSI [open systems interconnection] layer-2 paths to the same device), either FastPath Mesh or STP must be used when Bridges are deployed in a mesh network. Supported FastPath Mesh and STP network topologies are illustrated and described in detail in Chapter 1. 3.2.1 FastPath Mesh and STP link management are mutually incompatible. Networked Bridges must all be configured to use the same Bridging Mode. NOTE: FastPath Mesh Bridging Nodes on a FastPath Mesh network are of two basic types: Mesh Point (MP) - a Fortress Bridge with FastPath Mesh enabled Non-Mesh Point (NMP) - any node that is not an MP FP Mesh nodes can connect over their Ethernet ports or radio BSSs. An FP Mesh interface must be configured for the type of connection it provides: MPs connect to other MPs only on Core interfaces. NMPs connect to MPs only on Access interfaces A given interface can be of only one type; so MPs and NMPs cannot share an interface. Per-port FastPath Mesh Mode settings for radio BSSs and Ethernet ports are described in sections 3.3.4.4 and 3.7.3, respectively. All MPs on a given FP Mesh network are peers. Directly connected MPs are neighbors. An MP that serves as a link between the FP Mesh network and a conventional hierarchical network is a Mesh Border Gateway (MBG). An FP Mesh network presents to NMPs as a flat, OSI layer-2 network, while optimizing operations to eliminate inefficiencies 48 Bridge GUI Guide: Network Configuration inherent in layer-2 networks, including advance ARP resolution and streamlined broadcast and multicast handling to significantly reduce broadcast traffic. FP Mesh enables each node to use all mesh network links and to route traffic on the optimal path by computing per-hop costs, based on link conditions, and end-to-end costs, based on cumulative per-hop costs. System and neighbor cost weighting are user configurable (refer to sections 3.2.1.5 and 3.2.1.6). Any node in an FP Mesh network can be reached via: MAC (media access control) address, as in conventional hierarchical networks IPv4 address, if IPv4 is in use for the network any IPv6 address locally generated for or assigned to the node, including RFC-4193 and local- and global-scope addresses FQDN (fully qualified domain name), if servers internal to FP Mesh network MPs are providing network DHCP (Dynamic Host Control Protocol) and DNS services (refer to Section 3.6). IPv4 Addressing and Name Resolution IPv4 is enabled by default on the Bridge (refer to Section 3.4.2.1). Although FastPath Mesh functionality does not require IPv4, it fully supports standard IPv4 addressing for all network nodes (MPs and NMPs). The Fortress Bridge’s internal DNS and DHCP servers are covered in Section 3.6. NOTE: The DHCP and DNS servers internal to the Fortress Bridge can be enabled on any Mesh Point. These severs provide virtually configuration-free DHCP and DNS services for Non-Mesh Points. FastPath Mesh operates best when the DNS servers internal to all network MPs are enabled (the default), and the DHCP server on one MP (or a small set of MP DHCP servers) is enabled to provide network DHCP service(s). Third-party external DHCP and DNS servers can be used with FP Mesh but require extensive configuration. Furthermore, the recommended Fortress internal server deployment uses far fewer network resources because it does not allow DNS network broadcast queries to enter the mesh from every NMP. Only NMPs are provided DHCP service. IPv4 addresses must be manually configured on FastPath Mesh Points (refer to Section 3.4.2.1). IPv6 Addressing, Namespace and Name Resolution IPv6 is always enabled on the Bridge and every MP thus has a link local IPv6 address (refer to Section 3.4.2.2). FP Mesh fully supports standard IPv6 addressing for all network nodes (MPs and NMPs), including locally assigned and local- and globalscope addresses, as well as multiple IPv6 routers and associated global prefixes. 49 Bridge GUI Guide: Network Configuration Additionally, FastPath Mesh functionality itself provides automatic IPv6 addressing without the need for a DHCP server and name distribution within the network without the need for a DNS server. To provide independent IPv6 addressing and facilitate optimal network traffic routing, FP Mesh generates an RFC-4193 Unique Local IPv6 Unicast Address (a.k.a., unique local addresses or ULAs) for every MP and supports up to sixteen IPv6-address prefixes using RFC-2461 Neighbor Discovery. Figure 3.1. Advanced View Bridging Configuration frame, Administration screen, all platforms FP Mesh Configuration Settings Once the Bridge’s radio is enabled (Section 3.3.2.1) and a bridging-enabled BSSs is created and configured on it (Section 3.3.4), the Bridge will act as a Mesh Point in a wireless FastPath Mesh network, automatically connecting to compatibly configured MPs via their automatically generated IPv6 addresses, without additional FP Mesh configuration. Sections 3.2.1.1 through 3.2.1.7 describe the complete settings for configuring FastPath Mesh networking. The first four settings (in sections 3.2.1.1–3.2.1.4), are located in two places in the Bridge GUI: Configure -> Administration -> Bridging Configuration Configure -> FastPath Mesh -> Global Settings Network Cost settings (Section 3.2.1.5) are present only among the FP Mesh settings on the Administration screen, while Neighbor Cost and Multicast Group settings (sections 3.2.1.6 and 3.2.1.7) are present only on the FastPath Mesh screen. CAUTION: Fortress-protected networks are not fully secured until all preconfigured administrative passwords and the Access ID have been changed from their defaults (sections 2.2.2.7 and 4.1.17, respectively). Step-by-step instructions for changing FP Mesh bridging settings appear on page 53, following the descriptive sections below. 3.2.1.1 FastPath Mesh Bridging Mode The Bridging Mode setting enables FastPath Mesh and the rest of the settings that configure it, described below. FastPath Mesh is available for selection only when the feature has been licensed on the Fortress Bridge: refer to Section 6.3. 3.2.1.2 Fortress Security For FP Mesh, you can choose to globally enable or disable end-to-end Fortress Security for the Core interface connections NOTE: The Bridge Priority setting on Configure -> Administration -> Bridging Configuration applies only to STP bridging and is greyed out when FastPath Mesh is selected. 50 Bridge GUI Guide: Network Configuration between FastPath MPs. When Enabled (the default), traffic between MPs is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1). 3.2.1.3 Mobility Factor To facilitate node mobility in the FP Mesh network, Mobility Factor adjusts the frequency at which the costs of data paths to neighbor nodes are sampled so that cost changes can be transmitted to the network. The higher the Mobility Factor, the more frequent is the cost sampling. Enter the highest relative speed of nodes in the network, in miles per hour, as the Mobility Factor for all the MPs in the FP Mesh network. For example, if nodes could move at approximately 10 mph and in opposite directions, their highest relative speed is 20 mph: enter 20 for Mobility Factor. NOTE: All MPs in the FP Mesh network should use the same mobility factor. Set the Mobility Factor between 1 (the appropriate setting for a stationary node) and 60. The default is 30. 3.2.1.4 Mesh Subnet ID When FP Mesh is enabled, a Unique Local IPv6 Unicast Address, as defined in RFC 4193, is generated for the Fortress Bridge Mesh Point in the format: | 7 bits |1| 40 bits | 16 bits | 64 bits +--------+-+------------+-----------+----------------------------+ | Prefix |L| Global ID | Subnet ID | Interface ID +--------+-+------------+-----------+----------------------------+ Prefix - FC00::/7 identifies the address as a Local IPv6 unicast address L - 1 if the prefix is locally assigned (0 value definition t.b.d.) Global ID - pseudo-randomly allocated 40-bit global identifier used to create a globally unique prefix Subnet ID - 16-bit subnet identifier Interface ID - 64-bit Interface ID The subnet ID portion of the RFC-4193 address will facilitate network segmentation in a future release of FastPath Mesh. 3.2.1.5 Network Cost Weighting Traffic on an FP Mesh network is routed along the least costly path to its destination. You can rebalance how the FP Mesh network computes the throughput and latency costs of available data paths by specifying new values for a and/or b in the FP Mesh cost equation: cost = a *(1/CLS) + b*(Q/CLS) + U ...in which: CAUTION: The default cost equation values are optimal for FP Mesh implementation. Ill-considered changes can easily affect network behavior adversely. CLS - (Current Link Speed) is the time-averaged link speed, as measured in bits per second. Q - is the time-averaged current Queue depth, as measured in bits. 51 Bridge GUI Guide: Network Configuration U - is the user defined per-interface cost offset, which allows you to configure one link to be more costly than another. Any non-negative integer between 0 (zero) and 4,294,967,295 can be defined (for configuration information, refer to Section 3.3.4.4 for wireless and Section 3.7.3 for Ethernet interface controls). a and b - are device-wide user defined constants that correspond to throughput and latency, respectively. Any non-negative integer between 0 (zero) and 65,535 can be defined. As a rule, a higher value of the constant a, Throughput Cost Weighting, improves overall throughput, while a higher value of b, Latency Cost Weighting, reduces latency. The default for both is 1. 3.2.1.6 Neighbor Cost Overrides The cost of reaching a neighbor node (another Mesh Point directly linked to the current MP) on an FP Mesh network is the cost associated with the interface used to reach the node. You can override the interface cost for a particular neighbor by specifying a fixed cost for that node. The neighbor for which the cost override is specified should be configured with a reciprocal neighbor cost, of the same value, specified for the current MP. Asymmetric neighbor cost overrides are not recommended. To configure a neighbor cost override, you must identify the FP Mesh interface the neighbor connects to and specify the node by any one of: MAC address IP address RFC-4193 IPv6 address IPv4 address hostname Specify a given neighbor’s cost override by only one address identifier, in non-negative numbers between 1 and 4,294,967,295; or specify max. The higher the cost value, the less likely the neighbor will be used to route network traffic. A neighbor with a cost of max will never be used to route traffic. You can configure Neighbor Costs for devices that are not currently neighbor MPs, or even peers. If the specified node appears as or becomes a neighbor, the configured cost will be applied. 3.2.1.7 If more than one cost override is specified for the same neighbor by different identifiers, only the cost associated with the highest addresstype on the list shown (at left) will be applied. NOTE: NOTE: A node is assumed to have a only one IPv6 unique local address. If different costs are configured for the same neighbor by more than one IPv6 address, applied cost is unpredictable. Multicast Group Subscription FastPath MPs automatically subscribe/unsubscribe to multicast streams on behalf of NMPs by snooping IP multicast control messages (IGMP and MLD3) on mesh Access interfaces. 52 Bridge GUI Guide: Network Configuration You can also force MPs to join or leave specific multicast groups, if you need to support non-IP multicast groups or a device on an Access interface that doesn’t implement IGMP/ MLD, or for testing/debugging purposes. To subscribe to a multicast group, you must identify the FP Mesh interface for the stream and specify the multicast address for the group by MAC or IP address. MPs can subscribe as multicast listeners, talkers or both (the default). You can observe the multicast groups to which the MP is currently subscribed (whether learned or configured) on Monitor -> Mesh Status -> Multicast Groups (described in Section 5.8.5). You can observe and flush the Multicast/ Broadcast Forwarding table on the same page. Figure 3.2. Advanced View FastPath Mesh Settings screen, all platforms 3.2.1.8 Configuring FastPath Mesh Settings: Only Bridging Mode can be configured in both Bridge GUI views. Other FastPath Mesh bridging settings are accessible only in Advanced View. Basic FastPath Mesh settings are located in two places in the Bridge GUI, more advanced settings appear on only one Advanced View screen, as shown in Table 3.2. Table 3.2. FastPath Mesh Bridging Settings Administration screen FastPath Mesh screen Bridging Mode Bridging Configuration frame Mesh Fortress Security Global Settings Mobility Factor frame Mesh Subnet ID Throughput Cost Weighting Neighbor Costs Latency Cost Weighting Multicast Groups individual frames 3. Internet Group Management Protocol, Multicast Listener Discovery, Multicast Router Discovery 53 Bridge GUI Guide: Network Configuration Log on to the Bridge GUI through an Administrator-level account. If you are configuring any setting beyond Bridging Mode, click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Navigate to a Bridge GUI screen and frame through which the setting(s) you want to configure can be accessed: Configure -> Administration -> Bridging Configuration Configure -> FastPath Mesh -> Global Settings or Neighbor Costs or Multicast Groups (Refer to Table 3.2.) Enter new values for any settings you want to configure in the Bridging Configuration or Global Settings frames (described in sections 3.2.1.1 through 3.2.1.5, above), and click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). To configure neighbor cost overrides: In the FastPath Mesh screen’s Neighbor Costs frame: If you want to specify a new MP for a cost override: Click NEW NEIGHBOR COST. In the Add a new Neighbor Cost dialog, specify the Core interface through which the neighbor connects (or will connect) to the current MP: From the Interface dropdown, select a BSS currently configured on (one of) the MP’s radio(s) or one of the MP’s Ethernet ports. or Leave Interface at the default, New BSS, and enter a valid BSS Name, as it will be (or is currently) configured on (one of) the MP’s radio(s). Enter an Address for the neighbor: its MAC or IPv4 or IPv6 address or its host name. Enter the Cost, from 1 to 4,294,967,295, you want to configure for the neighbor (refer to Section 3.2.1.6). Click APPLY in the dialog (or CANCEL the action). and/or If you want to change an existing cost override: Click the EDIT button for the neighbor’s entry. In the Edit a Neighbor Cost dialog, enter a new value between 1 to 4,294,967,295 for Cost. Click APPLY in the dialog (or CANCEL the action). To subscribe to multicast groups: In the FastPath Mesh screen’s Multicast Groups frame: NOTE: You cannot change the Interface or Address for an existing Neighbor Costs entry. If these values have changed, delete the neighbor’s entry and recreate it with the new value. 54 Bridge GUI Guide: Network Configuration If you want to subscribe to a new multicast group: Click NEW MULTICAST GROUP. In the Add a Multicast Group dialog, specify the Access interface on which the current MP will subscribe to the multicast group: From the Interface dropdown, select a BSS currently configured on (one of) the MP’s radio(s) or one of the MP’s Ethernet ports. or Leave Interface at the default, New BSS, and enter a valid BSS Name, as it will be (or is currently) configured on (one of) the MP’s radio(s). Enter a MAC or IPv4 or IPv6 Address for the multicast group. From the Mode dropdown, select whether the MP is subscribing is as a multicast Listener, Talker or Both (refer to Section 3.2.1.7). Click APPLY in the dialog (or CANCEL the action). and/or If you want to change the Mode of an existing subscription: Click the EDIT button for the subscription’s entry. In the Edit a Multicast Group dialog, select a new value for Mode (you cannot change the Interface or Address). Click APPLY in the dialog (or CANCEL the action). To delete Neighbor Costs or Multicast Groups: You can delete a single entry or all entries in either list. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> FastPath Mesh from the menu on the left. In the FastPath Mesh screen’s Neighbor Costs or Multicast Groups frame: If you want to delete a single entry, click to place a check in the box beside it; then the DELETE button above the list. or If you want to delete all entries, click All to place a check in all entries’ boxes; then click the DELETE button above the list. The relevant list reflects the deletion(s). 55 Bridge GUI Guide: Network Configuration 3.2.2 STP Bridging When STP is used for link management, the Fortress Bridge can connect to other Fortress Bridges to form mesh networks and, on separate BSSs, simultaneously serve as access points (APs) to connect compatibly configured wireless devices to a wireless LAN (WLAN). STP is selected for Bridging Mode by default. Bridging BSSs BSSs enabled for wireless bridging automatically form STP mesh network connections with compatibly configured bridging BSSs on other Fortress Bridges. On Bridges equipped with multiple radios, the radio(s) fixed on the 5 GHz 802.11a frequency band will generally be the most appropriate for the bridging function. (These include Radio 2 in the ES520 and ES820 and Radio 2, Radio 3 and Radio 4 in the ES440.) BSSs configured on these radios are therefore Enabled for WDS by default. Settings other than Bridge Priority on Configure -> Administration -> Bridging Configuration apply only to FastPath Mesh bridging and are greyed out when STP is selected for Bridging Mode. NOTE: NOTE: Fortress Security is Enabled for WDS-enabled BSSs, Wi-Fi Security is Disabled, and these fields are greyed out. Access Point BSSs Under STP link management, a BSS on which bridging is disabled is acting as a conventional wireless AP. On Bridges equipped with multiple radios, Radio 1 is generally the better choice for the AP function, because it can be configured to use the 2.4 GHz 802.11g frequency band. By default, BSSs configured on Radio 1 are therefore Disabled for WDS. Any wireless device within range of the Bridge’s radio can connect to the Bridge-secured WLAN, if the connecting device: is using the same RF band and channel as the Bridge radio is using the same SSID as an AP BSS configured on the Bridge successfully meets all security requirements for connecting to that BSS, if the BSS is configured to enforce security measures One of the Bridges in the network must act as the root switch in the STP configuration. If a given root becomes unavailable, the root role can be assumed by another Bridge in the network. The network can experience significant traffic disruption in this event, until the new STP root node has been established. You can configure the order in which each Bridge in the network will assume the STP root role, should Bridge(s) ahead of it in the priority list become unavailable. The role of root is taken by the Bridge in the network with the lowest STP Bridge Priority number. When the Bridge is in STP Bridging Mode, STP must be enabled across all devices on the Bridge-secured network. 56 Bridge GUI Guide: Network Configuration Figure 3.3. Simple View Bridging Configuration frame, Administration screen, all platforms 3.2.2.1 3.3 Configuring STP Bridging: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. In the Bridging Configuration frame: In Bridging Mode: select STP to enable Spanning Tree Protocol. In Bridge Priority: optionally enter a new STP root numbers between 0 and 65535 are valid. The default is 49152. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). If networked Bridges all have the same priority number, their MAC addresses are used, lowest to highest, to establish STP root priority. NOTE: Radio Settings Different Fortress Bridge models can be variously equipped with one to four independent internal radios supporting various 802.11 capabilities, or with no radios. series Table 3.3. Fortress Bridge Model Radios basic model # of radios ES820 FC ES440 standard equipment default band Radio 1 802.11a/g/n 802.11g ES210 FC-X standard model # 4.4 GHz option Radio 2 802.11a/n 802.11a Radio 1 802.11a/g 802.11g 4.4 GHz model #a no ES820-35 n/a no no ES ES520 radio label ES520-35 ES520-34 Radio 2 802.11a 802.11a yes Radio 1 802.11a/g/n 802.11g no Radio 2– Radio 4 802.11a/n 802.11a Radio 1 802.11a/g/n 802.11a ES440-3555 n/a no ES210-3 no n/a n/a a. Refer to Section 1.3.1.1 for more on ES-series model numbers. Compare your Bridge’s model number (on the Administration Settings screen under System Info.) to Table 3.3 above to determine the number of and type of radio(s) with which the Bridge you are configuring is equipped. On Bridge GUI Radio Settings screens, configuration settings for 4.4 GHz military band radios are also identified as such. 57 Bridge GUI Guide: Network Configuration Each radio installed in a Fortress Bridge can be configured with up to four BSSs, which can serve either as bridging interfaces networked with other Fortress Bridges or as access interfaces for connecting wireless client devices. Refer to Section 3.3.4 for details on radio BSS configuration. Alternatively, an ES210 Bridge can be dedicated to act as a wireless client by configuring a single station (STA) interface on its single internal radio. Refer to Section 3.3.5 for details on radio STA configuration. 3.3.1 Advanced Global Radio Settings Advanced Global Radio Settings apply to all radios internal to the Bridge and are available only in the Bridge GUI Advanced View. 3.3.1.1 Radio Frequency Kill The Kill All RF setting turns the radio(s) installed in the Bridge off (Enabled) and on (Disabled). The default Kill All RF setting is Disabled, in which state the Bridge receives and transmits radio frequency signals normally. You can also enable/disable RF kill through Fortress Bridge chassis controls (refer to the Fortress Hardware Guide for the Bridge you are configuring). 3.3.1.2 3.3.1.3 Radio Distance Units The increment used to set Distance for the Bridges’ radio(s) (refer to Section 3.3.2.7) is configured globally in Radio Units: Metric - (the default) the Distance setting is configured in kilometers. English - the Distance setting is configured in miles. Country of Operation By default, the following countries and territories are available for selection: American Samoa Austria Belgium Bosnia Herzegovina Bulgaria Canada Croatia Cyprus Czech Republic Denmark Estonia Finland France Germany Greece Guam Hungary Iceland Ireland Italy Kosovo Latvia Liechtenstein Lithuania Luxembourg Macedonia Malta Mexico Montenegro Netherlands Northern Mariana Islands Norway Poland Portugal Romania Saudi Arabia Serbia Slovakia Slovenia Spain Sweden Switzerland Turkey United Arab Emirates United Kingdom United States US Minor Outlying Islands US Virgin Islands 58 Bridge GUI Guide: Network Configuration When Country is licensed on the Bridge (Section 6.3), additional countries are available for selection. To allocate bandwidth and prevent interference, radio transmission is a regulated activity, and different countries specify hardware configurations and restrict the strength of signals broadcast on particular frequencies according to different rules. While some countries develop such regulations independently, national regulatory authorities more often adopt an established set of rules in common with other countries in the same region. Whether used in common by multiple countries or by a single country, a regulatory domain is distinguished by a single set of rules governing radio devices and transmissions. In order to comply with the relevant regulatory authority, you must establish the Bridge’s regulatory domain by identifying the country in which the Bridge will operate. Bridge software automatically filters the options available for individual radio settings (Section 3.3.2) according to the requirements of the relevant regulatory domain as they apply specifically to the Bridge’s internal radios. In some of the countries on the default Country Code list, radios using the 802.11a frequency band will have no compliant channels available unless Advanced Radio operation has been licensed on the Bridge. (Refer to Section 3.3.2 for more detail on radio operation with and without an Advanced Radio license and to Section 6.3 for licensing information.) By default, the United States is selected as the Bridge’s country of operation, and the rules of the Federal Communication Commission (FCC) regulatory domain dictate available radio settings in the 5 GHz 802.11a and the 2.4 GHz 802.11g frequency bands. The 4.400 GHz–4.750 GHz frequency range is regulated by the United States Department of Defense, rather than by the FCC. Use of military band radios is strictly forbidden outside of U.S. military applications and authority. On a Bridge with one or more 4.4 GHz radios installed, United States is selected as the Bridge’s country of operation and the setting cannot be changed. 3.3.1.4 Environment Setting It is common for regulatory domains to restrict certain channels to indoor-only use. In order for the Bridge’s radio(s) to comply with such requirements, you must specify whether the Bridge is operating Indoors or Outdoors (the default). 59 Bridge GUI Guide: Network Configuration In many regulatory domains, including the Bridge’s FCC domain, additional channels are available for selection (Section 3.3.2.3) when Environment is set to Indoors. Figure 3.4. Advanced View Advanced Global Radio Settings frame, all radio-equipped platforms 3.3.1.5 Configuring Global Advanced Radio Settings Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Radio Settings from the menu on the left. In the Radio Settings screen’s Advanced Global Radio Settings frame, use the dropdown menus to specify new values for the setting(s) you want to change (described above). 3.3.2 Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). NOTE: You must reboot the Bridge in order for a change to Environment or Country Code to take effect. Individual Radio Settings The remaining settings that affect radio operation are configured, per radio, in the Radio Settings frame. Figure 3.5. Simple View RADIO 1 Radio Settings frame, all radio-equipped platforms As determined by your Country Code selection (under Global Radio Settings and described in Section 3.2), regulatory domain requirements can affect an individual radio’s operational state and Radio Band setting as well as determine available Channel and TxPower options (refer to 3.3.2.3 and 3.3.2.6). 60 Bridge GUI Guide: Network Configuration In addition, the Bridge uses your entries for Network Type and Antenna Gain (refer to sections 3.3.2.4 and 3.3.2.5, respectively) to calculate allowable TxPower settings. These settings are therefore also subject to regulatory compliance requirements. When Advanced Radio operation has not been licensed on the Bridge (the default), transmission by the Bridge’s 802.11a radio(s) is restricted to channels in the UNII-3/ISM4 band of the 5 GHz bands. Outside of the United States, this restriction can cause dual-band radios to be automatically reconfigured from 802.11a to 802.11g operation and radios that can use only the 802.11a frequency band to be disabled altogether (and their configuration fields greyed out). If you change the Country Code in effect on the Bridge to a domain in which current radio settings are not permitted, the relevant value(s) will revert to default(s), and reconfiguration options will be confined to permissible values. NOTE: When Advanced Radio is licensed, the Bridge’s 802.11a radio(s) can use additional licensed and unlicensed frequencies. Contact Fortress Technologies for additional information. An Advanced Radio license permits the Bridge’s 802.11a radio(s) to be used, in the 802.11a band, in any of the countries on the default Country Code list (Section 3.3.1.3) and in any of the additional countries in which the Bridge can be operated when Country is licensed. Country Code is described in Section 3.3.1.3. Features licensing is covered in Section 6.3. Per-radio settings are described in Sections 3.3.2.1 through 3.3.2.10; step-by-step instructions for changing them follow these sections. 3.3.2.1 Radio Administrative State The Admin State setting simply turns the radio on (Enabled) and off (Disabled). Bridge radios are Disabled by default. Although a radio’s Admin State always remains at its configured value, the actual operational state of the Bridge’s internal radios is subject to the regulatory domain in which the Bridge is operating (refer to Section 3.3.1.3). In some cases, radios that can use only the 802.11a frequency band must be automatically disabled (their configuration fields greyed out) in order to bring the Bridge into compliance. Refer to Section 3.3.2 for more operational detail, and consult your local regulatory authority for the applicable specifications and requirements for radio devices and transmissions. 3.3.2.2 Radio Band The Band setting selects both the frequency band of the radio spectrum a Bridge radio will use (for dual band radios) and whether it will use the 802.11n standard for wireless transmission/reception (for radios that support the option). CAUTION: Radios used to form a network (Section 3.2) must use compatible transmission and reception settings. 4. Unlicensed National Information Infrastructure-3/Industrial, Scientific and Medical 61 Bridge GUI Guide: Network Configuration 5 GHz and 2.4 GHz Options Radios installed as Radio 1 in radio-equipped Fortress Bridges (refer to Table 3.3, above) can operate in either the 5 GHz 802.11a frequency band or the 802.11g 2.4 GHz band of the radio spectrum, according to your selection in the Band field. By default, a dual-band radio installed as Radio 1 in a multiradio Bridge is configured to operate in the 2.4 GHz 802.11g band. The single dual-band radio installed in the ES210 is configured to operate in the 802.11a band by default. In Bridges equipped with more than one radio, the additional radio(s) can function in only a single frequency band: the 5 GHz 802.11a band in standard-equipment radios, or the 4.4 GHz military band in Bridges that support this option. The radio Band setting is among those subject to the relevant regulatory domain (Section 3.3.1.3). In some cases, in order to bring the Bridge into compliance, dual-band radios could be automatically fixed on the 802.11g band and radios fixed on the 802.11a band could be disabled altogether. Refer to Section 3.3.2 for more operational detail, and consult your local regulatory authority for the applicable specifications and requirements for radio devices and transmissions. The 4.400–4.750 GHz frequency range is regulated by the U.S. Department of Defense. Use of military band radios is strictly forbidden outside of U.S. military applications and authority. CAUTION: 802.11n Options BSSs configured on the radio(s) installed in certain Bridge models are additionally capable of 802.11n operation (refer to Table 3.3 on page 57), as defined by this recent IEEE amendment to the 802.11 standards. The ES210 Bridge’s Station Mode function (refer to Section 3.3.5) does not support 802.11n operation. You must set the ES210 radio’s Band to 802.11a or 802.11g before you can add a Station Interface to the ES210 radio. Although fully compatible with the IEEE standard, Bridge 802.11n-capable radios cannot perform MIMO (Multiple-Input Multiple-Output), or spatial multiplexing, at this time. NOTE: A Bridge radio BSS configured to use the 802.11n standard is fully interoperable with other 802.11n network devices. Figure 3.6. 802.11n-capable, dual-band radio Band options, ES210, ES440, ES820 Selecting an 802.11n option in a radio’s Band field permits the Bridge to take advantage of radio enhancements and traffic handling efficiencies defined in the newer standard, including both 20 MHz and 40 MHz channel widths, frame aggregation 62 Bridge GUI Guide: Network Configuration and block acknowledgement (block ACK), and smaller frame headers and inter-frame gaps. On 802.11n-capable radios, there are three possible highthroughput (ht) 802.11n options for each frequency band supported on the radio: three for the 5 GHz 802.11na band and three for the 2.4 GHz 802.11ng band, when present: 3.3.2.3 ht20 - 802.11n - High-Throughput 20 MHz, the radio will use only 20 MHz channel widths, while taking advantage of the standard’s traffic handling efficiencies. ht40plus - High-Throughput 40 MHz plus 20 MHz, the radio can use 40 MHz channel widths by binding the selected 20 MHz channel to the adjacent 20 MHz channel above it on the radio spectrum. ht40minus - High-Throughput 40 MHz minus 20 MHz, the radio can use 40 MHz channel widths by binding the selected 20 MHz channel to the adjacent 20 MHz channel below it on the radio spectrum. Channel and Channel Width The Channel setting selects the portion of the radio spectrum the radio will to use to transmit and receive—in order to provide wireless LAN access or to establish the initial connections in a mesh network. The channels available for user selection are determined by the frequency band the radio uses, subject to the relevant regulatory domain rules. In most regulatory domains, certain channels in the 5 GHz frequency band are designated DFS (Dynamic Frequency Selection) channels. DFS compliance also restricts the channels available for user selection (and broadcast) on 802.11a radios. Consult your local regulatory authority for applicable radio device and transmission rules and for DFS channel designations. NOTE: The Bridge GUI presents only currently permissible channels for user selection, according to the currently specified Country of operation (Section 3.3.1.3) and Band (Section 3.3.2.2), excluding channels on the radio’s DFS Channel Exclusions list (Section 3.3.3). A dual-band radio that uses the 2.4 GHz 802.11g band by default (Radio 1 in the multiple radio ES440, ES520 and ES820 Bridges) is set to channel 1 by default. A second internal 5 GHz 802.11a radio (Radio 2 in non-militaryband ES440, ES520 and ES820) or a single dual-band radio that uses 802.11a by default (Radio 1 in the ES210) has a default channel setting of 149. In the military-band ES440, Radio 2 is set to channel 4100 by default. Whether they use the 5 GHz 802.11a band or the 4.4 GHz military band, Radio 3 and Radio 4 in the ES440 are set by default to unique channels. 63 Bridge GUI Guide: Network Configuration Table 3.4 shows all channels available for selection on military band Bridge radios, with their corresponding frequencies. Table 3.4. 4.4 GHz Military Band Radio Channels Channel Frequency (GHz) Channel Frequency (GHz) 4100 4.476 4128 4.616 4104 4.496 4132 4.636 4108 4.516 4136 4.656 4112 4.536 4140 4.676 4116 4.556 4144 4.696 4120 4.576 4148 4.716 4124 4.596 To the right of the Channel field, the Radio Settings screen displays the view-only actual channel over which the radio is communicating. If the actual channel is different from the userspecified Channel, the actual channel was set by DFS operation. Refer to Section 3.3.3 for more detail. The Radio Settings screen also displays Channel Width informationally, view-only. 3.3.2.4 Network Type Whether the Bridge is a member of a multi-node, point-tomultipoint (PtMP) network (the default) or a two-node, point-topoint (PtP) network affects allowable TxPower settings for the Bridge’s current country of operation (refer to Section 3.3.1.3). You must enter the correct value for Network Type in order to comply with the requirements of the applicable regulatory domain. You can configure Network Type only in Advanced View. 3.3.2.5 Antenna Gain Measured in dBi (decibels over isotropic), Antenna Gain is used to determine allowable TxPower settings for the Bridge’s current country of operation (refer to Section 3.3.1.3). Consult the documentation for the antenna connected to the radio you are configuring to determine the antenna’s gain. Antenna port labels corresponds to radio numbering: Radio 1 uses ANT1, and so on. NOTE: The gain of the antenna affects the distribution of the radio frequency (RF) energy it emits and is therefore subject to the requirements of the applicable regulatory domain. You must enter the correct value for Antenna Gain in order to comply with local regulations. The dropdown provides selectable values from 0–50 dBi (inclusive). The default antenna gain depends on the Bridge you are configuring. In multi-radio Bridges, all radios have a default antenna gain setting of 9 dBi. The ES210 radio’s default antenna gain is 5 dBi. You can configure Antenna Gain only in Advanced View. 64 Bridge GUI Guide: Network Configuration 3.3.2.6 Tx Power Mode and Tx Power Settings The default transmit power level for all radios is Auto, which directs the Bridge to automatically set the transmit power at the maximum allowed for the selected Band, Channel, Network Type and Antenna Gain (refer to sections 3.3.2.2 through 3.3.2.5) by the regulatory domain established in Country Code (Section 3.3.1.3). Alternatively, you can specify a transmit power level for the radio. As for Auto power-level selection, the set of usable values for TxPower is a function of the Bridge’s regulatory domain, in combination with its Band, Channel, Network Type and Antenna Gain settings for that radio. WARNING: The FCC (the Bridge’s default regulatory domain) requires antennas to be professionally installed; the installer is responsible for ensuring compliance with FCC limits, including TX power restrictions. The power at which radios are permitted to transmit is subject to the applicable regulatory domain. You must configure the Bridge with accurate values in order to comply with local regulations. Consult your local regulatory authority for applicable specifications and requirements for radio devices and transmissions. In environments with a dense distribution of APs (and resulting potential for interference), it may be desirable to select a lower Tx Power setting than the default (Auto) for a radio using the 802.11g band. The Auto setting is otherwise appropriate for all radios. You can configure TxPower only in Advanced View. 3.3.2.7 Distance The Distance setting configures the maximum distance for which a radio in a mesh network must adjust for the propagation delay of its transmissions. Distance is set in kilometers (the default) or miles, according to the global Radio Units setting (Section 3.3.1.2), in increments of 1 and values from 1 to 56 km or 1 to 35 miles. In a network deployment, the Distance setting on the networked radios of all member Bridges should be the number of kilometers (or miles) separating the two Bridges with the greatest, unbridged distance between them. In Figure 3.7, the Distance setting would be 3 kilometers: the longest distance in the network between two Bridges without another Bridge between them. Propagation delay is not a concern at short range. At distances of one (kilometer or mile) and under, you should leave the setting at 1 (the default for both radios). 65 Bridge GUI Guide: Network Configuration Figure 3.7. Bridge network deployment with radio Distance settings of 3 kilometers You can configure Distance only in Advanced View. 3.3.2.8 Beacon Interval Bridge radios transmit beacons at regular intervals to announce their presence on their network, the strength of their RF signals and, when Advertise SSID is enabled (Section 3.3.4.2), the SSIDs of their basic service sets (BSSs). The beacon interval is also used to count down the DTIM (Delivery Traffic Indication Message) period (refer to Section 3.3.4.8). CAUTION: Radios using DFS channels (Section 3.3.3) must use the default Beacon Interval of 100 ms. In mesh network deployments, all of the Bridges in the network must use the same Beacon Interval. You can configure the number of milliseconds between beacons in whole numbers between 25 and 1000. You cannot disable the beacon. The default Beacon Interval is 100 milliseconds, which is optimal for almost all network deployments and recommended for bridging operation. A longer beacon interval conserves power and leaves more bandwidth free for data transmission, potentially improving throughput. A shorter interval provides faster, more reliable passive scanning for network nodes and devices, potentially improving mobility. Fortress recommends retaining the Beacon Interval default unless operating conditions require a change. You can configure Beacon Interval only in Advanced View. 66 Bridge GUI Guide: Network Configuration 3.3.2.9 Short Preamble The short preamble is used by virtually all wireless devices currently being produced. The Short Preamble is therefore the most likely requirement for new network implementations and is Enabled by default. The setting applies only to 802.11g band operation; it is greyed out for Radio 2 and for Radio 1 when it is configured to use the 802.11a band. When Short Preamble is Disabled connecting devices must use the long preamble, which is still in use by some older 802.11b devices. If the WLAN must support devices that use the long preamble, you must set Short Preamble for the radio on which the access point BSS is configured to Disabled. You can configure Short Preamble only in Advanced View. 3.3.2.10 Noise Immunity For radios using the 802.11a band (Section 3.3.2.2), enabling Noise Immunity allows the radio to aggressively lower the receive threshold for the signal strength of connected nodes, in order to compensate for unusual levels of local interference. Noise Immunity is Disabled by default, and Fortress recommends retaining the default, unless operating conditions require a change. 3.3.2.11 Configuring Individual Radio Settings: Table 3.5 shows which Radio Settings appear in the two GUI views. Table 3.5. Radio Settings Simple & Advanced Views Admin. State Band Channel Noise Immunity Advanced View Only Network Type Beacon Interval Distance Antenna Gain TxPower Short Preamble Channel Exclusions Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. If you are configuring one or more Advanced View settings (see Table 3.5), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) In the Radio Settings screen’s Radio Settings frame, enter new values for those settings you want to configure (described in sections 3.3.2.1 through 3.3.2.10, above). 67 Bridge GUI Guide: Network Configuration Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Figure 3.8. Advanced View RADIO 1 Radio Settings frame, all radio-equipped platforms 3.3.3 DFS Operation and Channel Exclusion Most regulatory domains, including the Bridge’s default FCC domain, require that certain channels in the 5 GHz 801.11a frequency band operate as DFS (Dynamic Frequency Selection) channels. DFS is a radar (radio detection and ranging) avoidance protocol. Devices transmitting on a DFS channel must detect approaching radar on the channel, vacate the channel within 10 seconds of doing so, and stay off the channel for a minimum of 30 minutes thereafter. NOTE: The Bridge’s regulatory domain is determined by the specified Country of operation, described in Section 3.3.1.3. Radios using the 2.4 GHz 802.11g frequency band or the 4.4 GHz military band are not subject to DFS. 3.3.3.1 DFS Operation on the Bridge Bridge radios deployed in a mesh network must use a common channel in order to remain connected. For radios on which a Bridging-enabled BSSs are configured (Section 3.3.4), the actual channel on which the network transmits and receives will be subject to change according to the Bridge’s DFS implementation. Consult your local regulatory authority for applicable DFS channel designations. NOTE: In order to keep all network nodes connected, a network Bridge forced by DFS to change the channel on a bridging radio will 68 Bridge GUI Guide: Network Configuration signal the impending change and transmit the new channel number to the network, before switching its bridging radio to the new channel. Bridges receiving this transmission will do the same, until the new channel has been propagated to every Bridge in the network and all are all connected over the new channel. If you manually change the Channel setting on a bridging radio (Section 3.3.2.3), the new channel will be propagated to the rest of the network in the same manner. You can observe the view-only actual channel on Configure -> Radio Settings, to the right of the Channel setting (which persists as specified as the actual channel changes). 3.3.3.2 NOTE: Radios us- ing DFS channels must use the default Beacon Interval of 100 ms (Section 3.3.2.8). Channel Exclusion For each enabled radio, Fortress Bridges maintain a list of channels excluded from that radio’s use, Channels that are unavailable for DFS or for manual selection. Bridging radios in a mesh network maintain a global list of excluded channels by propagating their channel exclusions to all nodes. Figure 3.9. Advanced View DFS Channel Exclusions list, all radio-equipped platforms Channels can be excluded in four ways: The channel was manually added to the radio’s excluded list (see below). For DFS channels, a radio using the channel detected radar and had to change to a different channel. The channel on which radar was detected is excluded from use for 30 minutes, after which it will automatically become available again. For bridging radios, the channel was learned remotely from another node in the network. Remotely learned channel exclusions will age out a radio’s excluded list if the remote Bridge stops propagating the exclusion (or drops out of the network). For multi-radio Bridges, the channel is in use by the other radio internal to the Bridge and so is excluded from use by the current radio. You may want to exclude a channel from use if you are experiencing abnormal interference on the channel, for example, or in order to avoid a channel on which intermittent radar is known to take place. NOTE: While there can be no radar events on 4.4 GHz military band radio, it can receive a remote channel change from a network peer. 69 Bridge GUI Guide: Network Configuration You can observe the channels currently excluded from each radio’s use, in Advanced View only, on the Channel Exclusions list on Configure -> Radio Settings. Figure 3.10. Advanced View Add Channel To Exclude dialog, all radio-equipped platforms To manually add channels for exclusion: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Radio Settings from the menu on the left. In the Radio Settings screen’s Radio Settings frame, above the Channel Exclusions list, click ADD CHANNEL. In the Add Channel to Exclude dialog, choose a channel from the Select Channel dropdown and click APPLY (or CLOSE the dialog without adding the channel). Delete a channel from the exclusion list by clicking to place a check in the box to the left of its entry on Channel Exclusions and then clicking DELETE at the top of the frame. Delete all channels by clicking All to check all their boxes and then DELETE. Figure 3.11. deleting a channel exclusion, all radio-equipped platforms You must be in Advanced View to access the Channel Exclusions list. 3.3.4 Radio BSS Settings A Bridge radio can support up to four Basis Service Sets (BSSs), each with its own SSID and associated settings and serving as an independent, virtual interface. In a Fortress FastPath Mesh network, a given BSS can either provide mesh connections to other Fortress Bridge Mesh Points or connect other wireless devices (Non-Mesh Points) to the FastPath Mesh. Refer to Section 3.2.1 for more detail. NOTE: An ES210 Bridge can alternatively support a single wireless client STA interface. Refer to Section 3.3.5. In a mesh network under STP link management, a given BSS can either provide mesh network connections to other Fortress 70 Bridge GUI Guide: Network Configuration Bridges or serve as a WLAN access point (AP). Refer to Section 3.2.2 for more detail. You can view the BSSs configured for each radio, under the radio’s entry on Configure -> Radio Settings. No BSSs are configured on Bridge radios by default. To create a BSS you need only specify a unique name (Section 3.3.4.1) and SSID (Section 3.3.4.2). Sections 3.3.4.1 through 3.3.4.14 describe complete settings to configure Bridge radio BSSs; step-by-step instructions for changing them follow these sections. Figure 3.12. Simple View New BSS settings frame, all radio-equipped platforms 3.3.4.1 BSS Administrative State and Name Admin State simply determines whether the BSS is Disabled or Enabled. Newly created BSSs are Enabled by default. You can enable and disable radio BSSs only in Advanced View. You must specify a BSS Name, an alphanumeric identifier of up to 254 characters and unique to the current radio, in order to create a BSS. 3.3.4.2 BSS SSID and Advertise SSID You must specify a service set identifier in order to create a BSS. You can manually enter an SSID of up to 32 alphanumeric characters, or randomly generate a 16-digit ASCII string to use for the SSID. The SSID associated with each BSS is a unique string of up to 32 characters normally included in the beacon and proberesponse 802.11 management frames transmitted by access points (APs) and wireless bridges. When they are broadcast (the default), SSIDs are used to advertise which devices can connect to the wireless network. When Advertise SSID is Disabled (see below), SSIDs function more like device passwords, limiting network access to those devices that “know” the BSSs unadvertised SSID. (Disabling Advertise SSID is not, however, sufficient to secure the BSS.) When Advertise SSID is Disabled, the SSID string is deleted from the radio beacons. A setting of Enabled, the default, causes the SSID to be included in these packets. You can set a BSS’s SSID in either Bridge GUI view. You can enable/disable Advertise SSID only in Advanced View. 71 Bridge GUI Guide: Network Configuration 3.3.4.3 Wireless Bridge and Minimum RSS In a Fortress FastPath Mesh network, the Wireless Bridge setting, in conjunction with FastPath Mesh Mode (below), determines whether the BSS will provide network connections to other Fortress Bridge Mesh Points (Enabled) or connect other Non-Mesh Points to the FastPath Mesh (Disabled). FastPath Mesh bridging is described in Section 3.2.1. NOTE: When Fast- Path Mesh is enabled, your selection in Wireless Bridge automatically configures the interface’s FP Mesh Mode (described below). In a mesh network under STP link management, the Wireless Bridge setting determines whether the BSS will act as a wireless bridge (Enabled) or a conventional WLAN access point (Disabled). STP bridging is described in Section 3.2.2. On the single-radio ES210, Wireless Bridge is Enabled by default for BSSs, when the radio is left on the default 5 GHz 802.11a band. On Bridges with two radios, the ES520 and ES820, Wireless Bridge is Disabled by default for BSSs on Radio1, when it is left on the default 2.4 GHz 802.11g band, and Enabled by default for BSSs on Radio 2. NOTE: Enabling Wireless Bridge for the BSS enforces a Fortress Security setting of Enabled (Section 3.3.4.13). On the four-radio ES440, Wireless Bridge is also Disabled by default for BSSs on Radio1, when it is left on the default 2.4 GHz 802.11g band, and Enabled by default for BSSs on Radio 2, Radio 3 and Radio 4. Once a Wireless Bridge value has been established for a BSS, the setting cannot be reconfigured. You must delete the BSS and recreate it with the new Wireless Bridge value in order to make such a change. When Wireless Bridge is Enabled, you can also configure the minimum received signal strength that the other nodes (bridging-enabled Bridges) in range must maintain in order to remain connected to the current Bridge. Minimum signal strength received (Minimum RSS) is configured in whole dBm (decibels referenced to milliwatts) from -95 to 0 dBm. The default is -80 dBm. You can enable/disable Wireless Bridge in either Bridge GUI view. You can set the Minimum RSS only in Advanced View. 3.3.4.4 User Cost Offset and FastPath Mesh Mode When FastPath Mesh is enabled, User Cost Offset allows you to weight the interface more or less heavily in the FP Mesh cost equation in order to make it less attractive than other interfaces. Enter a non-negative integer between 0 (zero) and 4,294,967,295. The higher the offset, the less attractive the interface. A neighbor with the maximum cost (4,294,967,295) will never be used to route traffic. The default is 0 (zero). Network Cost Weighting and the FP Mesh cost equation are described in Section 3.2.1.5. 72 Bridge GUI Guide: Network Configuration Because of its dependency on the BSSs Wireless Bridge function, the FastPath Mesh Mode of a wireless interface on the Bridge is not among the user controls provided. When FastPath Mesh is enabled and the BSS is configured as bridging interface (Wireless Bridge: Enabled), the BSS is automatically configured as an FP Mesh Core interface, allowing it to connect to other FP Mesh-enabled Fortress Mesh Points (MPs). When FastPath Mesh is enabled and the BSS is configured as a network Access interface (Wireless Bridge: Disabled), the BSS is automatically configured as an FP Mesh Access interface, allowing it to connect to connect Non-Mesh Points (NMPs) to the FP Mesh network. FastPath Mesh bridging is described in Section 3.2.1. 3.3.4.5 BSS Switching Mode and Default VLAN ID Two settings configure the BSS’s VLAN handling: Default VLAN ID - associates the BSS with a specified VLAN ID. The Bridge supports VLAN IDs 1–4094. If the VLAN ID you enter is not already present on the VLAN Active ID Table (Section 3.9.3), it will be added. The default is 1. Switching Mode - establishes the BSS’s behavior with regard to data packet VLAN tagging: Access - (the default) configures the interface to accept only: (1) packets that do not contain VLAN tags and (2) specialized priority-tagged packets, which provide support for Ethernet QoS exclusive of VLAN implementations. Trunk - configures the interface to accept incoming packets with any VLAN tag in the VLAN ID table and to pass packets with their VLAN tagging information unchanged, including 802.1p priority tags. Refer to Section 3.9 and to Table 3.14 for a complete description of VLAN handling on the Bridge. There is only one VLAN trunk per Bridge, used by all Trunk ports. It is defined by the Bridge’s NOTE: VLAN Active ID Table (Section 3.9.3). To support QoS, the Bridge treats incoming priority-tagged packets (characterized by a VLAN ID of zero) as untagged packets, but marks them for sorting into QoS priority queues according to the user-priority value contained in their VLAN tags. (Refer to Section 3.8 for details on the Bridge’s QoS implementation). You can configure BSS VLAN settings only in Advanced View. 3.3.4.6 BSS G Band Only Setting The G Band Only setting applies only to BSSs on radios using the 2.4 GHz frequency band (refer to Section 3.3.2.2). The 73 Bridge GUI Guide: Network Configuration function is Disabled by default, at which setting the BSS accepts connections from both 802.11g and 802.11b devices. Enabling G Band Only prevents 802.11b wireless devices from connecting to the BSSs. The older 802.11b is the slower of the two 2.4 GHz wireless standards and most new devices support 802.11g. Consult the connecting device’s documentation to determine which standard(s) it supports. The G Band Only setting does not apply to BSSs on 802.11a radios. You can configure G Band Only only in Advanced View. 3.3.4.7 BSS WMM Setting Traffic received on BSSs Enabled for Wi-Fi Multimedia (the default) is prioritized according to the QoS (Quality of Service) tags included in its VLAN tags, if present, or directly in its 802.11 headers, if no VLAN tags are present. Disabling WMM disables only the priority treatment of packets received wirelessly, disregarding any priority marking in the 802.11 header. When WMM is disabled on a BSS, traffic received on the interface is treated as untagged and marked internally for Medium (or Best Effort) QoS handling. The internal marking is used if the data is transmitted out an interface that requires marking (such as another WMM-enabled BSS or an 802.1Q VLAN trunk). NOTE: On BSSs serving as Core interfaces in a FP Mesh network (Section 3.3.4.4), Fortress recommends the WMM default of Enabled, to allow prioritization of FP Mesh control packets. Refer to Section 3.8 for more on the Bridge’s WMM and QoS implementation. 3.3.4.8 BSS DTIM Period APs buffer broadcast and multicast messages for devices on the network and then send a Delivery Traffic Indication Message to “wake-up” any inactive devices and inform all network clients that the buffered messages will be sent after a specified number of beacons have been transmitted. (The beacon interval, described in Section 3.3.2.8, is configured on the Radio Settings screen.) The DTIM Period determines the number of beacons in the countdown between transmitting the initial DTIM and sending the buffered messages. Whole values from 1 to 255, inclusive, are accepted; the default is 1. A longer DTIM Period conserves power by permitting longer periods of inactivity for power-saving devices, but it also delays the delivery of broadcast and multicast messages. Too long a delay can cause multicast packets to go undelivered. Because the broadcast beacon counts down the DTIM Period, the specified Beacon Interval (configured on the Radio Settings screen and described in Section 3.3.2.8.) also affects the DTIM function. You can configure DTIM Period only in Advanced View. 74 Bridge GUI Guide: Network Configuration 3.3.4.9 BSS RTS and Fragmentation Thresholds The RTS Threshold allows you to configure the maximum size of the frames the BSS sends without using the RTS/CTS protocol. Frame sizes over the specified threshold cause the BSS to first send a Request to Send message and then receive a Clear to Send message from the destination device before transmitting the frame. The RTS Threshold is measured in bytes. A value of zero (0) disables the function (the default), or whole values between 1 and 2345 are accepted. The smaller the RTS Threshold, the more RTS/CTS traffic is generated at the expense of data throughput. On large busy networks, however, RTS/CTS speeds recovery from radio interference and transmission collisions, and a relatively small RTS Threshold may be necessary to achieve significant improvements. The Frag. Threshold allows you to configure the maximum size of the frames the BSS sends whole. Frame sizes larger than the specified threshold are broken into smaller frames before they are transmitted. An acknowledgement is sent for each frame received, and if no acknowledgement is sent the frame is retransmitted. The Frag. Threshold is measured in bytes. A value of zero (0) disables the function (the default), or whole values between 256 and 2345 are accepted. Fragmentation becomes an advantage in networks that are: experiencing collision rates higher than five percent subject to heavy interference or multipath distortion serving highly mobile network devices A relatively small fragmentation threshold results in smaller, more numerous frames. Smaller frames reduce collisions and make for more reliable transmissions, but they also use more bandwidth. A larger fragmentation threshold results in fewer frames being transmitted and acknowledged and so can provide for faster throughput, but larger frames can also decrease the reliability with which transmissions are received. You can configure RTS and fragmentation thresholds only in Advanced View. 75 Bridge GUI Guide: Network Configuration 3.3.4.10 BSS Unicast Rate Mode and Maximum Rate When a BSS is configured to use a Unicast Rate Mode setting of auto (the default), the interface dynamically adjusts the bit rate at which it transmits unicast data frames—throttling between the configured Unicast Maximum Rate and the minimum rate—to provide the optimal data rate for the connection. At a Unicast Rate Mode setting of fixed, the BSS will use the configured Unicast Maximum Rate for all unicast transmissions. Transmission rates are set in megabits per second (Mbps). Unicast Maximum Rate can be set only to a value greater than or equal to the minimum rate. Usable values for Unicast Maximum Rate settings depend on the Band setting for the radio on which the BSS is configured, as indicated by the markers in Table 3.6. You can configure the unicast minimum rate in the Bridge CLI (refer to the CLI Software Guide). On a radio using any 802.11g band, the default is 1 Mbps. On a radio using any 802.11a band, the default is 6 Mbps. NOTE: Table 3.6. Usable BSS Rate Settings (in Mbps) per Radio Band Setting 5.5 802.11a 802.11g 802.11naht 802.11nght 11 12 18 24 36 48 54 6.5 13 19.5 26 39 52 58.5 65 The default Unicast Maximum Rate for a new BSS specifies the highest setting possible, as determined by the 802.11 standard in use by the radio on which you are configuring the BSS. The default depends on whether or not the radio is using 802.11n: On a radio with an 802.11a or 802.11g Band setting, the default Unicast Maximum Rate is 54 Mbps. On a radio using any of the 802.11n settings in either frequency band, the default Unicast Maximum Rate is 65 Mbps. NOTE: Radio Band settings are covered in detail in Section 3.3.2.2). You can configure Unicast Rate Mode and Unicast Maximum Rate only in Advanced View. 3.3.4.11 BSS Multicast Rate The bit rate at which a wireless interface sends multicast frames is negotiated per connection. Multicast Rate sets a floor for multicast transmissions by specifying the lowest bit rate at which the BSS will send multicast frames. BSSs on a radio configured by default to use the 2.4 GHz 802.11g band have a default Multicast Rate of 1 Mbps, which is appropriate for a BSS using the 2.4 GHz frequency band, typically to provide wireless access to local devices. Fortress recommends leaving BSSs in the 802.11g band, including all 802.11ng options, at the default of 1. CAUTION: Too high a Multicast Rate will limit the ability of a FastPath Mesh network to establish adjacency with neighbor MPs unable to receive multi-/broadcast packets at the specified rate (due to distance, for example). BSSs on a radio fixed on, or configured by default to use, the 5 GHz 802.11a band have a default Multicast Rate of 6 Mbps, 76 Bridge GUI Guide: Network Configuration which is appropriate for a BSS using the 5 GHz frequency band, typically for network bridging. Fortress recommends leaving BSSs in the 802.11a band, including all 802.11na options, at the default of 6. If the BSS will provide mesh network bridging in the 5 GHz 802.11a band, Fortress recommends a Multicast Rate of 6 Mbps. Set a higher rate only if you are certain that all neighbor links to the BSS can consistently maintain a significantly better data rate than the new Multicast Rate. 3.3.4.12 BSS Description You can optionally provide a Description of the BSS of up to 100 characters. A BSS’s description displays only on the Advanced View Edit BSS frame (Advanced View -> Configure -> Radio Settings -> [BSS Interfaces] EDIT). You can enter a Description for a BSS only in Advanced View. 3.3.4.13 BSS Fortress Security Setting Traffic on BSSs Enabled for Fortress Security is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1). Fortress Security is Enabled on BSSs by default. When a BSS’s Wireless Bridge setting is Enabled (refer to Section 3.3.4.3), its Fortress Security setting is automatically fixed on Enabled and the Fortress Security field is view-only. Disabling Fortress Security on a BSS exempts all traffic on that BSS from Fortress’s Mobile Security Protocol (MSP). Standard Wi-Fi security protocols can be applied to the traffic on a BSS (Section 3.3.4.14, below), regardless of whether the BSS is Enabled or Disabled for Fortress Security. 3.3.4.14 BSS Wi-Fi Security Settings As an alternative or in addition to Fortress Security, a number of well known security protocols can be applied to the BSSs created on the Bridge. Your selection in the Wi-Fi Security field of the Edit BSS frame determines the additional fields you must configure for that setting—presented dynamically by the Bridge GUI for each possible Wi-Fi Security selection. Wi-Fi Security: None If Fortress Security is disabled on a BSS and it has a Wi-Fi Security setting of None, traffic on that BSS is unsecured. Devices connected to an unsecured BSS send and receive all traffic in the clear. CAUTION: An unsecured wireless interface leaves the network unsecured. 77 Bridge GUI Guide: Network Configuration BSSs enabled for bridging (Section 3.3.4.3) must be Enabled for Fortress Security. You cannot apply Wi-Fi Security to bridging-enabled BSSs. A Wi-Fi Security setting of None requires no further configuration. Figure 3.13. Advanced View New BSS settings frame, all radio-equipped platforms WPA, WPA2 and WPA2-Mixed Security WPA (Wi-Fi Protected Access) and WPA2 are the enterprise modes of WPA (as distinguished from the pre-shared key modes described below). You can specify that WPA or WPA2 be used exclusively by the BSS, or you can configure it to be able to use either by selecting WPA2-Mixed. WPA and WPA2 use EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) to authenticate network connections via X.509 digital certificates. In order for the Bridge to successfully negotiate a WPA/WPA2 transaction, you must have specified a locally stored key pair and certificate for the Bridge to use to authenticate the connecting device as an EAPTLS peer, and at least one CA (Certificate Authority) certificate must be present in the local certificate store. Refer to Section 6.2.1 for guidance on configuring an EAP-TLS key pair and digital certificate. Enterprise WPA and WPA2 modes require an 802.1X authentication service to be available, as part of the Bridge configuration (Section 4.3.2.7) or externally (Section 4.3.1). NOTE: Figure 3.14. WPA Security Suite Options frame for WPA2 enterprise modes, all radio-equipped platforms You can configure WPA2 security in either Bridge GUI view. WPA and WPA2-Mixed security are available for selection only in Advanced View. 78 Bridge GUI Guide: Network Configuration On the New/Edit BSS screens, these additional settings apply to WPA, WPA2 and WPA2-Mixed selections: WPA Rekey Period - specifies the interval at which new pairwise transient keys (PTKs) are negotiated or 0 (zero), which disables the rekeying function: the interface will use the same key for the duration of each session seconds. Specify a new interval in whole seconds between 0 and 2147483647, inclusive. No WPA Rekey Period is specified by default. WPA Preauthentication - to facilitate roaming between network access points, enabling WPA Preauthentication on the BSS permits approaching WPA2 wireless clients to authenticate on the Bridge while still connected to another network access point, while wireless clients moving away from the Bridge can remain connected while they authenticate on the next network AP. WPA Preauthentication is Disabled by default. WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK Security WPA-PSK (Wi-Fi Protected Access) and WPA2-PSK are the pre-shared key modes of WPA (as distinguished from the enterprise modes described above). You can specify that WPAPSK or WPA2-PSK be used exclusively by the BSS, or you can configure it to be able to use either by selecting WPA2-MixedPSK. NOTE: WPA Preauthentication applies only to wpa2 and wpa2 mixed enterprise mode Wi-Fi Security settings. It is not present when wpa is selected. Pre-shared key mode differs from enterprise mode in that PSK bases initial key generation on a user-specified key or passphrase instead of through digital certificates. Like enterprise-mode, PSK mode generates encryption keys dynamically and exchange keys automatically with connected devices at user-specified intervals. Figure 3.15. WPA Security Suite Options frame for WPA PSK modes, all radio-equipped platforms On the New/Edit BSS screens, these additional settings apply to WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK selections: WPA Rekey Period - specifies the interval at which new keys are negotiated. Specify a new interval in whole seconds between 1 and 2147483647, inclusive, or 0 (zero) to permit the same key to be used for the duration of the session. Preshared Key Type - determines whether the specified key is an ASCII passphrase or a Hexadecimal key. 79 Bridge GUI Guide: Network Configuration New Preshared Key and Confirm Preshared Key - specify the preshared key itself, as: a plaintext passphrase between 8 and 63 characters in length, when ASCII is selected for Preshared Key Type, above. a 64-digit hexadecimal string, when Hex is selected for Preshared Key Type, above. You can configure WPA2-PSK security in either Bridge GUI view. WPA-PSK and WPA2-Mixed-PSK security are available for selection only in Advanced View. 3.3.4.15 Configuring a Radio BSS Table 3.7 shows which New/Edit BSS settings appear in the two GUI views. Table 3.7. BSS Settings Simple & Advanced Views Advanced View Only BSS Name SSID Wireless Bridge Fortress Security Admin State Advertise SSID G Band Only Switching Mode Wi-Fi Security: partiala Default VLAN ID Minimum RSS WMM DTIM Period RTS Threshold Frag. Threshold Unicast Rate Mode Unicast Maximum Rate Multicast Rate Description Wi-Fi Security: complete a. The complete set of Wi-Fi options (Section 3.3.4.14) is available for selection only in Advanced View. Simple View provides access to only None, WPA2 and WPA2-PSK options. Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. If you are configuring one or more Advanced View settings (see Table 3.7), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) In the Radio Settings screen’s Radio Settings frame: If you are creating a new BSS, click the ADD BSS button for the radio to which you want to add the BSS. or If you are reconfiguring an existing BSS, click the EDIT button for the BSS you want to change. On the ES210 Bridge, the ADD BSS button is only present when the Station Mode function is disabled (the default; refer to Section 3.3.5.13). NOTE: 80 Bridge GUI Guide: Network Configuration 3.3.5 In the Radio Settings screen’s New/Edit BSS frame, enter new values for the settings you want to change (described in sections 3.3.4.1 through 3.3.4.14, above). Click APPLY in the upper right of the screen (or CANCEL your changes). ES210 Bridge STA Settings and Operation Configuring a STA Interface on the ES210 Bridge radio causes the Bridge to act as a dedicated WLAN client device, or station, rather than as an AP or a wireless bridge (or FP Mesh Point). An ES210 Bridge configured with such an interface is in Station Mode. Only a single STA Interface is permitted on a given Bridge, and when one is present, no additional wireless interface of any type can be configured. NOTE: Station Mode does not support 802.11n radio operation. You must set the radio Band to 802.11a or 802.11g before you can add a Station Interface (refer to Section 3.3.2.2). Station Mode is supported only the ES210 Bridge. A STA Interface can only bridge between a wireless AP and one or more Ethernet devices on the ES210 's clear Ethernet port(s), meaning Ethernet ports on which Fortress Security is Disabled (Section 3.7.4). In addition, no wired (Ethernet) bridging can occur when the ES210 Bridge is in Station Mode. For example, on an ES210 on which the aux port is clear and the wan port is encrypted (the defaults), a typical Station Mode setup would use the aux port to connect one or more Ethernet devices. If Fortress Security is Disabled on the WAN port, it can be used in the same way. Devices on a clear Ethernet port cannot, however, communicate with devices on an encrypted Ethernet port when the Bridge is in Station Mode. On the ES210, the aux port is labeled Ethernet on the chassis; the wan port, Ethernet (WAN). You can preconfigure the ES210 Bridge’s STA Interface with the settings required to connect to a specific network. Alternatively, you can scan for available networks within range and select one to use to create the STA Interface for the ES210 Bridge. NOTE: The ES210 The scan function for a Station Mode ES210 Bridge is supported through a preconfigured interface that operates transparently to Bridge GUI users to detect networks within range of the Bridge. You must enable the ES210 Bridge’s Station Mode function before you can scan for a network or preconfigure a STA Interface. You must enable the radio before you can scan for a network to connect to. NOTE: Bridge radio can alternatively support up to four BSS interfaces. Refer to Section 3.3.4. Figure 3.16. Simple View Add Station Mode settings frame, ES210 81 Bridge GUI Guide: Network Configuration Refer to the relevant step-by-step instructions in Section 3.3.5.11, Establishing an ES210 Bridge STA Interface Connection, for preconfiguring the interface or creating it through the ES210 Bridge’s scanning function. 3.3.5.1 Station Administrative State Admin State simply determines whether the interface is Disabled or Enabled. A newly created STA Interface is Enabled by default. 3.3.5.2 Station Name and Description In order to create a STA Interface, you must specify a STA Name of up to 254 alphanumeric characters to identify the interface in the ES210 Bridge configuration. You can optionally provide a Description of the interface of up to 100 characters, only in Advanced View. 3.3.5.3 Station SSID When you SCAN for wireless networks within range and choose one to which to associate, the SSID of the network you select will be automatically added as the STA Interface SSID. If you are manually creating a STA Interface in advance of connecting to a particular network, you must specify the network SSID for the ES210 Bridge to associate to. 3.3.5.4 Station BSSID To disable roaming among multiple APs with the same SSID, you can specify the MAC address of a single wireless AP to which the ES210 Bridge STA Interface is permitted to associate. When you SCAN for wireless networks within range, you can automatically fill in the BSSID field when you choose a network to associate to by clicking on the BSSID displayed (instead of the SSID) to select it. 3.3.5.5 Station WMM When Wi-Fi Multimedia QoS (Quality of Service) is Enabled on the STA Interface, it advertises that it is capable of WMM. If the AP that the STA Interface associates to is also capable of and enabled for WMM, the AP will respond to the Station Mode Bridge with this information and WMM will be used for the association. If the AP is not capable of and enabled for WMM, having WMM Enabled on the STA Interface will have no effect. WMM is Disabled by default for a STA Interface. If the association is made to a BSS configured on another Fortress Bridge to serve as a wireless AP (Wireless Bridge Disabled, refer to Section 3.3.4.3) and the WMM settings on both the BSS and the STA Interface are Enabled, WMM will be used for the association. 82 Bridge GUI Guide: Network Configuration In a WMM-enabled association, packets sent from the Bridge include WMM tags that permit traffic from the Bridge to be prioritized according to the information contained in those tags. You can configure WMM for the STA Interface only in Advanced View. 3.3.5.6 Station Fragmentation and RTS Thresholds The RTS Threshold allows you to configure the maximum size of the frames the STA Interface sends without using the RTS/ CTS protocol. Frame sizes over the specified threshold cause the interface to first send a Request to Send message and then receive a Clear to Send message from the destination device before transmitting the frame. The RTS Threshold is measured in bytes. A value of zero (0) disables the function (the default), or whole values between 1 and 2345 are accepted. The Frag. Threshold allows you to configure the maximum size of the frames the STA Interface sends whole. Frame sizes larger than the specified threshold are broken into smaller frames before they are transmitted. An acknowledgement is sent for each frame received, and if no acknowledgement is sent the frame is retransmitted. The Frag. Threshold is measured in bytes. A value of zero (0) disables the function (the default), or whole values between 256 and 2345 are accepted. You can configure RTS and fragmentation thresholds only in Advanced View. 3.3.5.7 Station Unicast Rate Mode and Maximum Rate When a STA Interface is configured to use a Unicast Rate Mode setting of auto (the default), the interface dynamically adjusts the bit rate at which it transmits unicast data frames—throttling between the configured Unicast Maximum Rate and the minimum rate—to provide the optimal data rate for the connection. You can configure the unicast minimum rate in the Bridge CLI (refer to the CLI Software Guide). On a radio using any 802.11g band, the default is 1 Mbps. On a radio using any 802.11a band, the default is 6 Mbps. NOTE: At a Unicast Rate Mode setting of fixed, the interface will use the configured Unicast Maximum Rate for all unicast transmissions. Transmission rates are set in megabits per second (Mbps). Unicast Maximum Rate can be set only to a value greater than or equal to the minimum rate. Usable values for Unicast Maximum Rate settings depend on the Band setting for the radio on which the STA Interface is configured, as shown in Table 3.8. Table 3.8. Usable STA Rate Settings (in Mbps) per Radio Band Setting 5.5 802.11a 802.11g 11 12 18 24 36 48 54 83 Bridge GUI Guide: Network Configuration The default Unicast Maximum Rate for a new STA interface is 54 Mbps, which specifies the highest setting possible in either frequency band. You can configure Unicast Rate Mode and Unicast Maximum Rate only in Advanced View. 3.3.5.8 NOTE: Radio Band settings are covered in detail in Section 3.3.2.2). Station Multicast Rate The bit rate at which a wireless interface sends multicast frames is negotiated per connection. Multicast Rate sets a floor for multicast transmissions by specifying the lowest bit rate at which the STA Interface will send multicast frames. A STA Interface on a radio configured by default to use the 2.4 GHz 802.11g band has a default Multicast Rate of 1 Mbps, which is appropriate for an interface using the 2.4 GHz frequency band. Fortress recommends leaving a STA Interface in the 802.11g band at the default Multicast Rate of 1. A STA Interface on a radio fixed on, or configured by default to use, the 5 GHz 802.11a band has a default Multicast Rate of 6 Mbps, which is appropriate for an interface using the 5 GHz frequency band. Fortress recommends leaving a STA Interface in the 802.11a band at the default Multicast Rate of 6. You can configure Multicast Rate only in Advanced View. 3.3.5.9 Station Fortress Security Status Fortress Security is displayed view-only for the STA Interface. Fortress’s MSP (Mobile Security Protocol) cannot be applied to the STA Interface, so the field will always display Clear. 3.3.5.10 Station Wi-Fi Security Settings Your selection in the Wi-Fi Security field of the Add Station Mode frame determines the additional fields you must configure for that setting. Wi-Fi Security: None By default, no Wi-Fi security is applied to traffic on a STA Interface. Traffic on a STA Interface with a Wi-Fi Security setting of None is unsecured. WPA, WPA2 and WPA2-Mixed Security WPA (Wi-Fi Protected Access) and WPA2 are the enterprise modes of WPA (as distinguished from the pre-shared key modes described below). You can specify that WPA or WPA2 be used exclusively by the STA Interface, or you can configure it to be able to use either by selecting WPA2-Mixed. WPA and WPA2 use EAP-TLS (Extensible Authentication Protocol-Transport Layer Security) to authenticate network connections via X.509 digital certificates. In order for a Bridge in station mode to successfully negotiate a WPA/WPA2 client connection, you must have specified a locally stored key pair and certificate to use to authenticate the Bridge as an EAP-TLS Enterprise WPA and WPA2 modes require an 802.1X authentication service to be available, as part of the Bridge configuration (Section 4.3.2.7) or externally (Section 4.3.1). NOTE: 84 Bridge GUI Guide: Network Configuration peer and at least one CA (Certificate Authority) certificate must be present in the local certificate store. Refer to Section 6.2.1 for guidance on configuring an EAP-TLS key pair and digital certificate. On the Add Station Mode screen, these additional settings apply to WPA, WPA2 and WPA2-Mixed selections: Rekey Period - specifies the interval at which new pair-wise transient keys (PTKs) are negotiated or 0 (zero), which disables the rekeying function: the interface will use the same key for the duration of each session seconds. Specify a new interval in whole seconds between 0 and 2147483647, inclusive. No Rekey Period is specified by default. TLS Cipher - specifies the list of supported cipher suites, the sets of encryption and integrity algorithms, that the Bridge will send to the 802.1X authentication server: All - the default, supports both Legacy and Suite B cipher suites (as described in the next two items) Legacy - supports Diffie-Hellman with RSA keys (DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA) Suite B - supports Diffie-Hellman with ECC keys (ECDHE-ECDSA-AES128-SHA and ECDHE-ECDSAAES256-SHA) In EAP-TLS, the authentication server selects the cipher suite to use from the list of supported suites sent by the client device (or rejects the authentication request if none of the proposed suites are acceptable). Unlike Suite B Key Establishment (Section 4.1.3), the Suite B TLS Cipher option is available regardless of whether Suite B is licensed on the Bridge (Section 6.3). NOTE: Subject Match - optionally provides a character string to check against the subject Distinguished Name (DN) of the authentication server certificate. Each RDN (Relative Distinguished Name) in the sequence comprising the certificate DN is compared to the corresponding RDN in the string provided. Wildcard characters cannot be used. Certificate Hash - optionally provides a 64-character hash value to check against the hash value of the authentication server certificate. When the Certificate Hash field is empty, the default, no hash value check is performed. WPA Strict Check - optionally enables strict checking of key usage and extended key usage extensions in the authentication server certificate. Strict key usage checking is Enabled by default. You can configure TLS Cipher, Certificate Hash, Subject Match and WPA Strict Check only in Advanced View. WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK Security WPA-PSK (Wi-Fi Protected Access) and WPA2-PSK are the pre-shared key modes of WPA (as distinguished from the enterprise modes described above). You can specify that WPA85 Bridge GUI Guide: Network Configuration PSK or WPA2-PSK be used exclusively by the STA Interface, or you can configure it to be able to use either by selecting WPA2Mixed-PSK. Pre-shared key mode differs from enterprise mode in that PSK bases initial key generation on a user-specified key or passphrase instead of through digital certificates. Like enterprise-mode, PSK mode generates encryption keys dynamically and exchange keys automatically with connected devices at user-specified intervals. On the Add Station Mode screen, these additional settings apply to WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK selections: Rekey Period - specifies the interval at which new keys are negotiated. Specify a new interval in whole seconds between 1 and 2147483647, inclusive, or 0 (zero) to permit the same key to be used for the duration of the session. Key Type - determines whether the specified key is an ascii passphrase or a hexadecimal key. WPA Key and Confirm WPA Key - specify the preshared key itself, as: a plaintext passphrase between 8 and 63 characters in length, when ascii is selected for Key Type, above. a 64-digit hexadecimal string, when hex is selected for Key Type, above. NOTE: The TLS Cipher, Subject Match, Certificate Hash and WPA Strict Check fields do not apply (and are greyed out) when WPA-PSK, WPA2-PSK or WPA2Mixed-PSK are selected. Figure 3.17. Advanced View Add Station Mode settings frame, ES210 3.3.5.11 Establishing an ES210 Bridge STA Interface Connection Table 3.9 shows which Add/Edit Station Mode settings appear in the two GUI views. 86 Bridge GUI Guide: Network Configuration Table 3.9. STA Interface Settings Simple & Advanced Views Admin State STA Name SSID BSSID Wi-Fi Security Key Type Rekey Period WPA Key/Key Confirm Advanced View Only Description WMM Frag. Threshold RTS Threshold Unicast Rate Mode Unicast Maximum Rate Multicast Rate TLS Cipher Certificate Hash Subject Match WPA Strict Check When Station Mode is enabled, you can scan for available wireless networks in range and select one to connect to, or you can configure the STA Interface in advance to connect to a specific network. To scan for available networks and choose one to connect to: If the network you will be connecting to uses WPA, WPA2 or WPA2-Mixed to authenticate connecting devices, you must import a valid EAP-TLS digital certificate for the STA Interface before the ES210 Bridge will be permitted to connect. Refer to Section 6.2 for guidance. If the network you will be connecting to uses WPA-PSK, WPA2PSK or WPA2-Mixed-PSK, you will be required to enter a valid pre-shared key for the STA Interface, as described below, before the ES210 Bridge will be permitted to connect. Refer to WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK Security in Section 3.3.5.10 for more on the pre-shared key. Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. If you are configuring one or more Advanced View settings (see tables 3.5 and 3.9), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Preconfigure the radio on which you will create the STA Interface with settings that will permit it to scan for the network you want to connect to. Refer to Section 3.3 for guidance. In the Radio Settings frame for the radio configured in Step 3, under STA Interface, click the ENABLE STATION button to display the ADD STATION and DELETE STATION. Click the ADD STATION button. 87 Bridge GUI Guide: Network Configuration In the Radio screen’s Add Station Mode frame, click the SCAN button to detect and display available networks. Figure 3.18. selecting a network for the STA Interface to connect to, ES210 Click to select the network you want the Bridge to connect to: Click the network SSID to capture only the network SSID and Wi-Fi security requirement. Click the BSS ID to capture both of the above and the MAC address of the network access point for the BSSID field on Add Station Mode (in order to restrict the Bridge to connecting to only that AP). The Bridge GUI returns the Add Station Mode frame with settings, as described here, for the network you selected. Figure 3.19. preconfiguring the STA Interface to connect to a network, ES210 In the Add Station Mode frame, configure the STA Interface for operation: If the connection requires a pre-shared key for authentication, you must specify whether it is an ascii or hexadecimal string and enter, then re-enter, the correct key, as described under WPA-PSK, WPA2-PSK and WPA2-Mixed-PSK Security in Section 3.3.5.10. or If the connection uses a digital signature for authentication, you can optionally configure the 88 Bridge GUI Guide: Network Configuration additional security options described under WPA, WPA2 and WPA2-Mixed Security in Section 3.3.5.10. and Optionally configure any additional interface settings, as described in sections 3.3.5.2 through 3.3.5.8. Click APPLY in the upper right of the screen (or CANCEL the action). To preconfigure a Station Mode ES210 Bridge to connect to a specific network: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. If you are configuring one or more Advanced View settings (see tables 3.5 and 3.9), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Preconfigure the radio on which you will create the STA Interface with settings that will permit it to connect to the same network as the STA Interface. Refer to Section 3.3 for guidance. In the Radio Settings frame for the radio configured in Step 3, under STA Interface, click the ENABLE STATION button to display the ADD STATION and DELETE STATION buttons. 3.3.5.12 Click the ADD STATION button. In the Radio screen’s Add Station Mode frame: Enter at least a STA Name (Section 3.3.5.2) and the SSID (Section 3.3.5.3) of the network the Bridge will be connecting to. Leave Admin State at the default of Enabled (Section 3.3.5.1). Optionally preconfigure any additional setting(s) (described in sections 3.3.5.2 through 3.3.5.10, above). Click APPLY in the upper right of the screen (or CANCEL the action). If you are using WPA, WPA2 or WPA2-Mixed Wi-Fi Security, import a valid EAP-TLS digital certificate to authenticate the STA Interface on the network it will connect to. Refer to Section 6.2 for guidance. Before connecting the STA Interface to the network, you must enable the radio on which the STA Interface is configured (Bridge radios are Disabled by default; refer to Section 3.3.2.1). NOTE: For WPA PSK authentication, you must enter the correct key in the WPA Key/WPA Key Confirm fields, as described in Section 3.3.5.10. These fields do not apply (and are greyed out) for Enterprise WPA modes. Editing or Deleting the ES210 Bridge STA Interface An established STA Interface can be reconfigured or deleted. 89 Bridge GUI Guide: Network Configuration To edit or delete the STA Interface: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. If you are reconfiguring the existing STA Interface, on the Radio screen: If you are reconfiguring one or more Advanced View settings (see Table 3.8), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Click the EDIT STATION button. In the Radio screen’s Edit Station Mode frame, enter new values for the setting(s) you want to change (described in sections 3.3.5.1 through 3.3.5.10, above). Click APPLY in the upper right of the screen (or CANCEL your changes). or If you are deleting the STA Interface, on the Radio screen: 3.3.5.13 Click the DELETE STATION button. Enabling and Disabling ES210 Bridge Station Mode Station Mode is disabled by default, in which state the preconfigured scanning interface used for network detection is disabled. You must enable the function before you can manually configure a STA Interface or scan for a network. To enable or disable Station Mode: If one or more BSSs have been configured on the ES210 Bridge radio, you must delete all BSSs before you can enable Station Mode (refer to Section 3.3.4). If a STA Interface is present, you must delete it before you can disable Station Mode (refer to Section 3.3.5.12). Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left. Change the Station Mode state: If you are enabling Station Mode, click the ENABLE STATION button. or If you are disabling Station Mode, click the DISABLE STATION button. Station Mode must be disabled on the ES210 Bridge radio, before you can configure a BSS on the radio (refer to Section 3.3.4). 90 Bridge GUI Guide: Network Configuration 3.4 Basic Network Settings Configuration The basic settings that establish the Bridge’s presence on the network are configured in the Network Configuration frame on Configure -> Administration, described in sections 3.4.1 and 3.4.2, below. The Bridge’s system clock and, optionally, NTP (network time protocol) configuration are set in the Time Configuration frame of the same screen, as described in Section 3.4.3. The Bridge’s global bridging function is also configured on Configure -> Administration, in the Bridging Configuration frame, and described in Section 3.2 The Bridge’s Ethernet interfaces are also individually configurable, on Configure -> Ethernet Settings, as described in Section 3.7. 3.4.1 Hostname, Domain and DNS Client Settings The Bridge’s configuration settings must include a Hostname, which by default is based on the hardware series to which the Bridge belongs (ES-) and its MAC address. You can optionally identify redundant external Domain Name System servers (Preferred DNS and Alternate DNS) for the Bridge. In Advanced View, you can change the Bridge’s default Domain name, ftimesh.local. Bridge software itself includes a standard network DNS service, enabled by default, which uses the domain name configured here. If the Bridge cannot resolve a DNS request internally, it will forward the request to the external servers configured here. Refer to Section 3.6.2 for additional information on the internal DNS server and additional configuration options. When FastPath Mesh is licensed and enabled, Bridge functionality additionally includes independent name distribution within the FastPath Mesh network without the need for any DNS server, using the Bridge’s configurable Domain. 91 Bridge GUI Guide: Network Configuration Configure these settings on the Bridge GUI’s Network Configuration screen. Figure 3.20. Advanced View Network Configuration frame, all platforms Preferred DNS and Alternate DNS- provide addresses of external Domain Name System servers on the network or specifies no network DNS server with any, which maps to an IP address of 0.0.0.0, the default for both settings. Leaving both settings at their defaults (or later specifying 0.0.0.0 addresses for both) effectively disables the Bridge’s ability to query external DNS servers. Domain - specifies the Bridge’s local domain name. NOTE: When en- abled (the default), the Bridge’s internal DNS service is preferred over either external server, forwarding only those DNS requests that cannot be resolved internally. Table 3.10. Network and IPv4 Configuration Settings Simple & Advanced Views IPv4 State IPv4 Address IPv4 Subnet Mask IPv4 Default Gateway Hostname Preferred DNS Alternate DNS Advanced View Only Domain To configure hostname and DNS Client settings: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. If you are changing the Bridge’s local domain name, select ADVANCED VIEW in the upper right corner of the page. If not, skip this step. In the Administration screen’s Network Configuration frame, enter new values for the settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). 92 Bridge GUI Guide: Network Configuration 3.4.2 IP Configuration The Bridge supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv4 is enabled by default. When it is disabled, the Bridge's management IP address neither accepts or sends IPv4 packets. IPv6 is always enabled on the Bridge, a state which is not user configurable. 3.4.2.1 IPv4 Configuration The settings that configure Internet Protocol version 4 on the Bridge include: IPv4 State - adds the Bridge’s IPv4 address—and therefore the Bridge itself—to the IPv4 network (Enabled) or removes the Bridge’s address (and the Bridge) from the network (Disabled). IPv4 is Enabled by default. IPv4 Address - establishes an IPv4 network address for the Bridge’s management interface. The default IPv4 address is 192.168.254.254; it is normally changed during installation. IPv4 Subnet Mask - provides the correct IPv4 subnet mask for the Bridge’s management interface. IPv4 Default Gateway - provides the IP address of the default IPv4 gateway for the Bridge’s subnet. In order to re-access the Bridge’s management interface after changing the Bridge’s IPv4 settings, you must enter the Bridge’s new IP address into a new instance of your browser. 3.4.2.2 IPv6 Configuration Internet Protocol version 6 is always enabled on the Bridge. You can choose to allow all IPv6 settings to be automatically configured on the Bridge, opt to manually configure the global address and IPv6 gateway/metric, or use both manually and automatically configured global addresses. When IPv6 Auto Addressing is Enabled (the default) and there is an IPv6 router on the network configured to provide the global prefix, the Bridge will automatically configure a compatible IPv6 global address for itself, displayed under Other Addresses. If additional IPv6 routers are present, auto-addressing will configure additional IPv6 global addresses. Fortress’s FastPath Mesh functionality includes independent IPv6 addressing, which can supply additional IPv6 ULAs (Unique Local Addresses, refer to Section 3.2.1). NOTE: If a network IPv6 router is configured to do so, it will additionally supply its own address as one of the Bridge’s IPv6 Default Gateways, with the appropriate metric. If more than one IPv6 router is present on the network and so configured, the additional routers will also appear on the list of IPv6 Default Gateways, with their metrics. If you choose to manually configure IPv6 settings, these include: 93 Bridge GUI Guide: Network Configuration Auto Addressing - configures the Bridge to learn IPv6 global prefixes from network routers (Enabled, the default) or to use only a locally established global address (Disabled). Configurable Global Address - manually establishes an IPv6 global network address—which must be within the IPv6 global scope—for the Bridge’s management interface. Configurable Gateway - manually provides the IP address of the default gateway for the Bridge’s IPv6 subnet. The default gateway address must be a compatible link-local or global address (i.e., lie within the same prefix as either the global address or the link-local address). If no default gateway is necessary (i.e., you are configuring the Bridge for use on a private network unconnected to other OSI Layer 3 networks), you can leave Default Gateway at its default setting of all zeros. Configurable GW Metric - establishes the IPv6 metric, or relative routing cost, for the Configurable Gateway, allowing it to be assigned a preference relative to the automatically assigned default gateways. The rest of the settings in the IPv6 portion of the Network Configuration frame provide complete information about the current IPv6 configuration and are view-only (whether or not Auto Addressing is in effect). Configured Global Address - normally shows the manually configured IPv6 network address. There can, however, be several seconds’ delay before a change in Configurable Global Address takes effect and is displayed in the viewonly Configured Global Address field. Local Address - shows the Bridge’s link local IPv6 network address, which is automatically generated regardless of whether Auto Addressing is in effect. Other Addresses - shows all automatically configured IPv6 addresses for the Bridge, including router-configured addresses and, when FP Mesh is licensed and enabled, the RFC-4193 unique local address (Section 3.2.1). Each displayed address of any type additionally shows the applicable IPv6 subnet prefix length following the address itself, separated by a slash (ex. /64). Default Gateways - lists all network gateways, whether manually configured or active network IPv6 routers configured to automatically supply their addresses and metrics (shown in parentheses). You can configure and view all IPv4 and IPv6 settings in Simple View. 94 Bridge GUI Guide: Network Configuration Table 3.11. IPv6 Network Configuration Settings Configurable Settings Configurable Global Address Auto Addressing Configurable Gateway Configurable GW Metric View-Only Settings Configured Global Address/prefix length Local Address/prefix length Other Addresses/prefix lengths Default Gateways (metrics) To configure IP settings: 3.4.3 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. In the Network Configuration frame, enter new values for those settings you want to configure (described in sections 3.4.2.1 and 3.4.2.2). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). System Clock and NTP Client Configuration You should set the Bridge’s internal clock at installation, regardless of whether you enable its NTP (Network Time Protocol) function. 3.4.3.1 System Date and Time Configuration Configure the Bridge’s local System Date, System Time and Time Zone in the Time Configuration frame. System date and time settings are accessible regardless of the current Bridge GUI view. Figure 3.21. Simple View Time Configuration frame, all platforms The Bridge’s internal clock is set in UTC (Universal Time Coordinated) by default. The Bridge CLI includes an option to set time on the Bridge in local time (refer to the CLI Software Guide); no such option is available in the Bridge GUI. 95 Bridge GUI Guide: Network Configuration 3.4.3.2 NTP Client Configuration In Advanced View, after you have set the Bridge’s internal clock to within 1000 seconds of the current time on the network, you can enable the Bridge to synchronize its clock with the time disseminated by up to three configured NTP servers. Once the Bridge’s system clock is successfully synchronized with NTP server time, NTP manages the drift between the time on the Bridge (the NTP client) and the time maintained by the NTP server(s) for the network. If the Bridge is out of sync with NTP server time, NTP automatically corrects the Bridge’s system clock. If an NTP server is configured with a shared key to authenticate NTP transactions and you specify that key on the Bridge, the Bridge will require the shared key for NTP transactions with that server. If you do not specify a key for a configured NTP server, the Bridge will synchronize its clock with that of the NTP server without shared-key authentication. The Bridge supports up to three NTP servers. NTP Timeout applies globally to the configured server(s). Three settings establish each NTP server individually. Figure 3.22. Advanced View Time Configuration frame, all platforms NTP Timeout - globally determines the interval, in minutes from 5 to 1440, of silence from configured NTP servers after which you will be notified that the Bridge cannot reach any of its configured and enabled NTP servers. The default NTP Timeout is 240 minutes. Server State 1–3 - establishes whether the NTP server (when configured) will be used (Enabled) to set system time on the Bridge. All three are Disabled by default. IP /Hostname 1–3 - provides the IP address or fully qualified hostname of the NTP server. New/Confirm Server Key 1–3 - provides the key in effect for the NTP server. The Bridge’s NTP client function is disabled by default, and no NTP servers are configured. 96 Bridge GUI Guide: Network Configuration To configure system clock and NTP: 3.5 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. If you are configuring NTP client settings, select ADVANCED VIEW in the upper right corner of the page. If not, skip this step. In the Administration screen’s Time Configuration frame, select/enter new values for the settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). NOTE: When NTP is enabled, the values provided by the NTP server overwrite manually configured System Date and Time values. Location or GPS Configuration Only the ES210 Bridge is equipped with a GPS (Global Positioning System) receiver and associated antenna port. When the feature is Enabled (the default) and a GPS antenna connected, the ES210 uses the signals of GPS satellites in range to triangulate its exact position on the globe. It dynamically displays this information in Location fields and in Topology View details (on Monitor -> Topology View, refer to Section 5.4). Figure 3.23. GPS Location settings frame, ES210 At the default Admin State of Enabled, you can observe current readings of the Bridge’s GPS Longitude, GPS Latitude and GPS Altitude in the Location frame on Configure -> Administration (in the formats described below for manual entry), along with a count of GPS Satellites in contact with the Bridge. NOTE: The ES210 GPS antenna port is shown in the Fortress ES210 Secure Wireless Bridge Hardware Guide. On other model Fortress Bridges (or on the ES210, when the GPS function is Disabled), you can optionally configure fixed settings to reflect the Bridge’s physical position on the globe. Coordinates entered are shown only here (and for the Bridge CLI show location command). Figure 3.24. Location settings frame, ES440, ES520, ES820, FC-X Manually establish a Bridge’s Location with standard settings for: 97 Bridge GUI Guide: Network Configuration Latitude and Longitude - specify the Bridge’s global coordinates in degrees, minutes and seconds, north/south or east/west in the format: DD:MM:SS.ss N/S/E/W, with no spaces You need only specify whole seconds. You can optionally specify the Bridge’s coordinates to the 100th second. Altitude - specifies the Bridge’s altitude in whole meters above sea level. No manual Location is set by default. To enable GPS or manually configure the Bridge’s location: 3.6 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. In the Location frame, enter new values into the Location settings you want to change. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). DHCP and DNS Services Bridge functionality includes standard, user configurable network IPv4 and IPv6 DHCP (Dynamic Host Control Protocol) and DNS (Domain Name System) services. 3.6.1 IPv4 and IPv6 DHCP Services When the Bridge’s internal DHCP servers are enabled, the Bridge provides standard DHCP services to network DHCP clients. You can observe current DHCP leases on Monitor -> Connections -> DHCP Leases tab. Internal DHCP services use the internal DNS server (see below) and the locally configured DNS client settings and domain name on Configure -> Administration -> Network Configuration (refer to Section 3.4.1). The IPv4 DHCP server uses the locally configured IPv4 Default Gateway in the upper half of the Network Configuration frame (refer to Section 3.4.2.1). The IPv6 DHCP server uses the IPv6 default gateway(s) in the lower IPv6 portion of the frame, including those established automatically and the manually configured default gateway (if present). Refer to Section 3.4.2.2 for more on IPv6 addressing. The Bridge’s internal DNS server is enabled by default, and the Bridge can be configured to use external network DNS servers, when available (refer to Section 3.4.1). If the Bridge’s DNS server and DNS client functions are enabled simultaneously, and the internal DHCP service is unable to resolve a name to 98 Bridge GUI Guide: Network Configuration an IP address, the Bridge will forward the request to up to two network DNS servers. When FastPath Mesh is used for bridging and the FastPath Mesh network is attached to a conventional hierarchical network, internal DHCP services obtain default gateway and DNS server settings from locally configured values. In addition, the Bridge passes DHCP client IP address-to-name mapping to the independent FastPath Mesh name resolution function, permitting all nodes in the FP Mesh network to reach DHCP clients by name, as well as by IPv4 address. Refer to Section 3.2.1.1 for more on FastPath Mesh bridging. Fortress’s FastPath Mesh functionality includes automatic RFC-4193 IPv6 addressing independent of network IPv6 DHCP services (see Section 3.2.1). NOTE: Both internal DHCP servers are Disabled by default. If you enable the Bridge’s internal IPv4 DHCP server, you must specify the lowest and highest IPv4 addresses in the Bridge’s IPv4 DHCP address pool. If you enable the Bridge’s internal IPv6 DHCP server and leave Auto Addressing at its default of Enabled, you do not need to manually define the service’s address pool. Alternatively, you can optionally disable Auto Addressing, and specify the pool’s start and end IPv6 addresses. Figure 3.25. Advanced View DHCP configuration frames, all platforms Although address formats are different, the four basic settings that configure the Bridge’s IPv4 and IPv6 DHCP services are the same: Admin. State - determines whether the Bridge will serve IP addresses to network devices (Enabled) or not (Disabled). Both DHCP services are Disabled by default. Max. Lease Time - determines the period of time leases issued to DHCP clients by the service are valid, in minutes between 1 and 525,600 (365 days). The default for both servers is 60 minutes. IP Range Min. and IP Range Max. - define the start and end IP addresses within the service’s DHCP address pool: For the IPv4 DHCP service, you must enter IPv4 addresses in the usual format when you enable the server. For the IPv6 DHCP service: 99 Bridge GUI Guide: Network Configuration If Auto Addressing will be left at its default of Enabled (see below), you should leave these settings at their defaults (::). If you opt to disable Auto Addressing, you must enter IPv6 addresses in the usual format. The Bridge’s IPv6 DHCP server has an additional setting: Auto Addressing - configures the IPv6 DHCP server to automatically define its address pool. When Auto Addressing is Enabled (the default), the IPv6 server’s manually configured IP Range Min. and IP Range Max. should remain undefined (at the default :: setting). To configure internal DHCP servers: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> DHCP/DNS from the menu on the left. In the frame for the type of DHCP server you are configuring, IPv4 DCHP or IPv6 DHCP, select/enter new values for the settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). When Bridge DHCP servers are enabled, the fields that configure their address pools are grayed out to indicate that you cannot reconfigure the address pool while the server is running. You must disable the server to re-enable these fields for editing. 3.6.2 DNS Service When enabled (the default), the Bridge’s internal DNS server provides local network name-to-IP address resolution, for both IPv4 and IPv6 addresses. The Bridge’s domain name, ftimesh.local by default, is configured in Advanced View in the Network Configuration frame on Configure -> Administration. The Bridge’s DNS service learns name-to-IP address mapping for locally resolved names from any of three sources: user entries to the DNS Host to IP Map (see below) when a DHCP server is available, from DHCP requests when FastPath Mesh is used for bridging, from name-to-IP address mappings learned by the other Mesh Points (i.e., peer nodes) in the FP Mesh network For manual entries, you can map a single name to multiple IP address and associate a single IP address with multiple names. 100 Bridge GUI Guide: Network Configuration The Bridge GUI’s DNS Host to IP Map shows all mappings, which you can sort by ascending or descending Hostname or IP Address. Each entry is identified by Type, which can be: self - a mapping for the current Bridge dynamic - a mapping supplied by a DHCP service or obtained from other Mesh Points in a FastPath Mesh network static - a manually established mapping Figure 3.26. Advanced View DNS configuration frame, all platforms When FastPath Mesh is used for bridging, the internal DNS service facilitates name resolution for FP Mesh network nodes and network resiliency in the absence of an external referral server. Fortress therefore recommends that the DNS service be left at its a default of Enabled for FastPath Mesh network deployment. Refer to Section 3.2.1.1 for more on FastPath Mesh bridging. CAUTION: Disabling the DNS server internal to a FastPath Mesh Point can degrade FP Mesh network performance. To configure the internal DNS server: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> DHCP/DNS from the menu on the left. In the DNS frame, in Admin. State, determine whether the internal service is Enabled (the default) or Disabled. Click APPLY in the upper right of the screen (or RESET screen settings to cancel the change). In the same frame, if you want to manually map one or more device names in the Bridge’s local domain to specific IPv4 and/or IPv6 address(es): Click ADD MAP. Figure 3.27. Advanced View Add a DNS Map dialog, all platforms 101 Bridge GUI Guide: Network Configuration In the same frame, if you want to remove manually configured name-to-IP address mappings: If you want to delete one or a selected group of manual mappings, click to place a check in the box beside each entry you want to delete; then the DELETE button above the list. or If you want to delete all manual mappings, click All to place a check in the boxes of all manually configured entries; then click the DELETE button above the list. DNS entries learned dynamically from network DHCP services or FastPath Mesh peer nodes cannot be manually deleted. NOTE: Ethernet Interface Settings Fortress Bridges are equipped for wired network connections with varying numbers of Ethernet ports with various optional characteristics. series Table 3.12. Fortress Bridge Model Ethernet Ports Fortress model # of Eth ports ES820 ES ES520 ES440 ES210 FC 3.7 In the resulting Add a DNS Map dialog, enter a network device’s Hostname and, in IP Address, the IPv4 or IPv6 address you want to the name to map to. Click APPLY (or CANCEL the addition). Repeat these steps for any additional name-to-IP address associations you want to manually add to the internal DNS service. FC-X takes serves fiber default PoE PoE option encryption HW label GUI label Ethernet1 wan no no no encrypted Ethernet2 aux no no no clear WAN wan1 yes no no encrypted 1–8 lan1–lan8 no yes no clear Ethernet1 wan yes no no encrypted Ethernet2 aux no no no clear Ethernet (WAN) wan no no no encrypted Ethernet aux no no no clear Encrypted enc no no yes encrypted Unencrypted clr no no yes clear AUX aux no no no clear Compare your Bridge’s model number (on the Administration Settings screen under System Info.) to Table 3.12 above to determine the number of Ethernet ports with which the Bridge you are configuring is equipped, how they are labeled on the 102 Bridge GUI Guide: Network Configuration chassis and in the GUI, and each port’s default Fortress Security setting. Bridge Ethernet ports can be configured per port, according to the requirements of your implementation. Access per-port settings through Configure -> Ethernet Settings. Figure 3.28. Simple View Ethernet Settings screen, ES210, ES440, ES820 Software labels cannot be changed. Ethernet Settings screens display each port’s view-only Name. 3.7.1 Port Administrative State Admin. State determines whether the port is Enabled or Disabled. All ports are Enabled by default. 3.7.2 Port Speed and Duplex Settings Speed determines whether the port will transmit and receive data at a specified speed (10 Mbps or 100 Mbps) or automatically adjust to the highest possible speed (Auto, the default). Duplex determines whether the port will allow only Full Duplex communication, only Half Duplex communication, or automatically determine whether to use full or half duplex communication according to the duplex communication in use by connected devices (Auto, the default). 3.7.3 Port FastPath Mesh Mode and User Cost Offset Two settings configure the port’s FastPath Mesh attributes: FastPath Mesh Mode - establishes the port’s role in the FP Mesh network. Core - configures the interface to connect to other FP Mesh-enabled Fortress Mesh Points (MPs) Access - configures the interface to connect Non-Mesh Points (NMPs) to the FP Mesh network. User Cost Offset - allows you to weight the port more heavily in the FP Mesh cost equation in order to make it less attractive relative to other interfaces. Enter a nonnegative integer between 0 (zero) and 4,294,967,295. The higher the offset, the less attractive the interface. A neighbor with the maximum cost (4,294,967,295) will never be used to route traffic. The default is 0 (zero). Network Cost Weighting and the FP Mesh cost equation are described in Section 3.2.1.5. FastPath Mesh bridging is described in Section 3.2.1. NOTE: Core can only be selected for FastPath Mesh Mode when the Fortress Security selection for the port (Section 3.7.4) matches that of the FP Mesh network overall (Section 3.2.1.2). Normally, Fortress Security should be Enabled for both. 103 Bridge GUI Guide: Network Configuration Figure 3.29. Advanced View Ethernet Port Settings screen, wan port, ES210, ES440, ES820 3.7.4 Port Fortress Security When Fortress Security is Enabled on a port, traffic on that port is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1). Such a port is also known as an encrypted port. When Fortress Security is Disabled, traffic on the port is exempt from Fortress’s MSP. If Cleartext Traffic is Enabled on the Bridge (Section 4.1.10), configured cleartext devices (Section 4.5.3) are exempt from MSP and permitted to pass clear text on the Bridge’s encrypted ports. Refer to Table 3.12, above, to determine the default Fortress Security settings for a given Bridge model’s Ethernet ports. 3.7.5 NOTE: The current Cleartext traf- fic setting is shown in the upper left of all Bridge GUI screens. Port 802.1X Authentication Enabling 802.1X Auth. requires that devices connecting to the port are 802.1X supplicants successfully authenticated by the 802.1X service configured on or for the Bridge (Enabled) or allows non-802.1X authenticated devices to connect (Disabled). 802.1X is disabled on all ports by default. (Refer to Section 4.3 to configure an 802.1X server for the Bridge.) 3.7.6 Port Default VLAN ID and Port Switching Mode Two settings configure the port’s VLAN handling: Default VLAN ID associates the port with the specified VLAN ID. The Bridge supports VLAN IDs 1–4094. If the VLAN ID you enter is not already present on the VLAN Active ID Table (Section 3.9.3), it will be added. The default is 1. Switching Mode establishes the port’s behavior with regard to data packet VLAN tagging. Access - (the default) configures the port to accept only: (1) packets that do not contain VLAN tags and (2) specialized priority-tagged packets, which provide support for Ethernet QoS exclusive of VLAN implementations. 104 Bridge GUI Guide: Network Configuration Trunk - configures the port to accept incoming packets with any VLAN tag in the VLAN ID table and to send packets with their VLAN tagging information unchanged, including 802.1p priority tags, provided that the port’s QoS override function is disabled (see QoS, below). Refer to Section 3.9 and to Table 3.14 for a complete description of VLAN handling on the Bridge. There is only one VLAN trunk per Bridge, used by all Trunk ports. It is defined by the Bridge’s NOTE: VLAN Active ID Table (Section 3.9.3). To support QoS, the Bridge treats incoming priority-tagged packets (characterized by a VLAN ID of zero) as untagged packets, but marks them for sorting into QoS priority queues according to the user-priority value contained in their VLAN tags. (Refer to Section 3.8 for details on the Bridge’s QoS implementation). You can configure VLAN port settings only in Advanced View. 3.7.7 Port QoS Setting QoS enables/disables the port’s Quality of Service override feature. When enabled, the port’s QoS function forces all traffic on the port into the specified QoS priority queue and adds a priority marking for that queue to each packet. Bridge priority markings replace any 802.1p Quality of Service (QoS) tags included in the packets. If a packet received on the port is transmitted wirelessly, the Bridge uses the priority marking to determine its WMM (Wi-Fi Multimedia) priority level. If the packet egresses over an Ethernet port with a VLAN Switching Mode of Trunk (described above), the Bridge priority marking is inserted into the packet’s VLAN tag for QoS processing. (Ethernet ports with a Switching Mode of Access do not send VLAN tags and so cannot include priority tags.) By default, the QoS override is set to None on all ports, which disables the function. Alternatively, you can choose to associate all traffic on the port with the Bridge’s Low, Medium, High or Critical priority queue. (Refer to Section 3.8 for more information on QoS priority queues.) You can configure QoS settings only in Advanced View. 3.7.8 Port Power over Ethernet Only the ES520 Bridge can act as Power over Ethernet Power Sourcing Equipment (PoE PSE), and only via the eight ports of its internal LAN switch, labeled lan1–lan8 in the Bridge GUI. The PSE setting determines whether the port will serve PoE to connected Powered Devices (PDs). PSE is Disabled by default. It must be Enabled on every port through which you want to supply PSE, i.e., on all ports connected to PDs. NOTE: The ES520 can supply a maximum 36 Watts of PoE overall and up to 16 W per vertically stacked port-pair, to connected PDs. (Refer to the ES520 Hardware Guide for details.) 105 Bridge GUI Guide: Network Configuration Ethernet devices that do not support PoE, or non-Powered Devices, can use a PSE-enabled port with no effect on such devices or on PSE operation. If you are powering a PoE Class 3 or Class 0 device on a given port, you may want to leave PSE Disabled on the port above/ below it. Vertically stacked ports share a fuse that can bear only a single PoE Class 0/3 device. Plugging a PoE powered device into the remaining port in the pair will trip the shared fuse, when PSE is Enabled on that port (and the overall maximum PoE supply would not be exceeded by the addition). PSE connection capacities and limitations are described in full in Fortress’s ES520 Secure Wireless Bridge Hardware Guide. Figure 3.30. Advanced View Ethernet Port Settings screen, lan port, ES520 Table 3.13 shows which Ethernet Settings appear in the two GUI views. Table 3.13. Ethernet Port Settings Simple & Advanced Views Admin. State Speed Duplex Fortress Security 802.1X Auth. 3.7.9 Advanced View Only Switching Mode Default VLAN ID QoS PSE Configuring Ethernet Ports Log on to the Bridge GUI through an Administrator-level account and select Configure -> Ethernet Settings from the menu on the left. If you are configuring one or more Advanced View settings (see Table 3.13), click ADVANCED VIEW in the upper right corner of the page and then the EDIT button for the port you want to configure. In the Ethernet Settings frame, enter new values for those settings you want to configure, described above. Click APPLY in the upper right of the screen (or CANCEL your changes). 106 Bridge GUI Guide: Network Configuration 3.8 QoS Implementation The Bridge supports Quality of Service (QoS) expediting for wireless traffic according to the WMM® (Wi-Fi Multimedia) subset of the IEEE standard 802.11e, QoS for Wireless LAN, and for Ethernet traffic according to the IEEE standard 802.1p, Traffic Class Expediting. The Bridge marks traffic that contains 802.1p user-priority tags with the associated QoS priority level. The default mapping of priority tags to priority queues conforms to IEEE standard 802.1D, MAC Bridges, Annex G, but is user configurable (see below). Traffic received without user-priority tags is marked for Medium (or Best Effort) QoS handling. Ethernet QoS On Ethernet, QoS tags are conveyed as part of the VLAN tags that can be included in packet headers. If the Bridge is configured to use VLANs, it will apply the user-priority values in the VLAN tags of the traffic it receives according to the mapping specified on Configure -> Ethernet Settings. The Bridge can send 802.1p user-priority tags over Ethernet only when VLAN Mode is Enabled (Section 3.9) and only over ports with a VLAN Switching Mode of Trunk (Section 3.7.6), since these are the only conditions under which the Bridge sends VLAN-tagged packets. When VLANs are disabled, the Bridge drops regular VLAN traffic but accepts specialized priority-tagged packets in order to support Ethernet QoS exclusive of a VLAN implementation. Priority-tagged packets are those which include a VLAN tag with a VLAN ID of zero (or null-value VLAN ID). The Bridge sorts this traffic into QoS priority queues according to the userpriority information contained in the VLAN tag. The Bridge cannot send priority-tagged packets. The Bridge’s per-port QoS override function (Section 3.7.7) overrides any priority tagging information in the traffic on that port, marking all traffic on the port for sorting into the specified QoS priority queue. Wireless QoS When enabled on the BSS, WMM Quality of Service is in effect for bridge links, the connections formed between Bridge radio BSSs with Wireless Bridge Enabled (Section 3.3.4.3). QoS is negotiated individually for devices connecting to a WMM-enabled BSS configured to provide wireless access (Section 3.3.4). If the connecting device supports and is enabled for WMM QoS, the Bridge prioritizes traffic for the device according to its priority tags. Traffic from devices that do not send priority tags is marked for Medium (or Best Effort) QoS handling. To determine/configure WMM QoS capability for a given device, consult its documentation. NOTE: 107 Bridge GUI Guide: Network Configuration WMM is enabled by default on new BSSs (refer to Section 3.3.4.7). Wireless packets can convey QoS priority tags directly in their 802.11 headers. When no VLAN tags are present, the Bridge sorts wireless traffic into QoS priority queues according to these tags. If a wireless packet also contains a VLAN tag, the Bridge applies the user-priority tag conveyed in the VLAN tag, rather than in the 802.11 header. On ES210 Bridges in Station Mode (refer to Section 3.3.5), WMM is also enabled by default on new STA Interfaces (as described in Section 3.3.5.5). Priority Tag-to-Queue Mapping By default, 802.1p user-priority values are mapped to priority queues according to IEEE standard 802.1D, MAC Bridges, Annex G: Critical - packets are delivered ahead of all other QoS levels. WMM categorizes this level of service as Voice. The IEEE specification recommends Critical QoS for traffic tagged with 802.1p user-priority values 6 and 7. High - packets are delivered after Critical and ahead of lower QoS levels. WMM categorizes this level of service as Video. IEEE recommends High QoS for traffic tagged with user-priority values 4 and 5. Medium - is Best Effort delivery: packets are delivered after higher QoS levels, but ahead of Low priority traffic. IEEE recommends Medium QoS for traffic tagged with user-priority values 0 (zero) and 3 and for untagged traffic. Low - is for Background traffic: packets are delivered after all other QoS levels. IEEE recommends Low QoS for traffic tagged with user-priority values 1 and 2. Packets received with no priority information and not subject to an Ethernet-port QoS override are sorted into the Medium QoS priority queue. You can disable QoS on the Bridge by assigning all eight 802.1p tags to the same priority level. You can configure Ethernet Quality of Service only in Advanced View Figure 3.31. Advanced View 802.1p QoS Tag Priorities frame, all platforms 108 Bridge GUI Guide: Network Configuration To reconfigure QoS priority tag-to-queue mapping: 3.9 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Ethernet Settings from the menu on the left. In the Ethernet Settings screen’s 802.1p QoS Tag Priorities frame, use the pull down menus to change how 802.1p priority tags are assigned to QoS priority queues. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). VLANs Implementation When Bridging Mode is Off (STP is selected by default, refer to Section 3.2), the Bridge supports multiple virtual local area networks (VLANs), either by transparently passing VLAN tagging information or by translating VLAN tags according to a user-defined routing map. NOTE: VLANs are incompatible with FastPath Mesh and STP Bridging Modes (Section 3.2). Each of the Bridge’s Ethernet ports and each BSS configured on its radio(s) can be configured to use a specified VLAN. The VLANs configured for these interfaces are automatically added to the Bridge’s table of active VLAN IDs (described below). At its default configuration, the Bridge has a VLAN Mode setting of Disabled. The only VLAN configured on the Bridge is the native VLAN with a VLAN ID of 1. VLAN 1 is specified for all of the Bridge’s interfaces by default and 1 is the sole VLAN ID configured on the VLAN Active ID Table. You can configure the Bridge’s VLAN mode, VLAN IDs and native VLAN. Figure 3.32. Advanced View VLAN Settings frame, all platforms 3.9.1 VLAN Mode Which VLAN mode to use is largely determined by your network configuration and its requirements. These instructions assume that you are familiar with VLAN concepts and implementation. VLAN Mode: Disabled The default VLAN Mode of the Bridge is Disabled, in which VLAN traffic is not passed. Packets received with VLAN tags traffic are discarded. Any per port VLAN settings are disregarded. 109 Bridge GUI Guide: Network Configuration External switches running in port-based VLAN modes require that the Bridge use the VLAN mode Disabled. VLAN Mode: Normal In Normal VLAN Mode, the Bridge passes the VLAN tag’s VLAN ID exactly as it is received, while encrypting/decrypting the rest of the data normally. The same tags are passed to and from the clear and encrypted interfaces. Per port VLAN settings are applied. The Bridge can support up to 48 VLANs in Normal mode. If the Bridge must support trunking between switches, bridging between multiple Fortress Bridges, or an access point with multiple SSIDs connected directly to the Bridge, use Normal mode. As shown in Table 3.14, Access interfaces can receive and transmit only untagged traffic. Traffic received on an Access interface is tagged internally with the ingress interface’s Default VLAN ID, and this tag is removed again at egress. Trunk ports pass most tagged traffic with its tags unchanged, except that traffic tagged with the same VLAN ID as the ingress interface’s Default VLAN ID is sent untagged. Table 3.14. Normal Mode VLAN Handling received traffic interface Switching Mode Access VLAN tagging on ingress untagged accept tagged drop untagged accept internal on egress tag = egress interface tag w/ ingress interface Default VLAN ID: send untagged Default VLAN ID tag ≠ egress interface Default VLAN ID: drop tag w/ ingress interface Default VLAN ID send untagged accept preserve tag as received send untagged tag ≠ ingress interface Default VLAN ID and is in VLAN Active ID Table accept preserve tag as received send tagged as received tag ≠ ingress interface Default VLAN ID and is not in VLAN Active ID Table drop tag = ingress interface Default VLAN ID Trunk VLAN traffic handling The Bridge’s Ethernet port Switching Mode and Default VLAN ID settings are covered in Section 3.7.6. Configuring these setting for radio BSSs is described in Section 3.3.4.5 VLAN Mode: Translate In Translate VLAN Mode, the Bridge alters the VLAN ID in the VLAN tag according to a routing map (or translation table) that 110 Bridge GUI Guide: Network Configuration you configure for each VLAN that the Bridge secures. The routable VLAN IDs received on clear interfaces are translated, according to the routing map, into non-routable IDs and transmitted on an encrypted interface, and vice versa (nonroutable VLAN IDs received on encrypted interfaces are translated into routable IDs and transmitted on a clear interface). Routable VLAN IDs must therefore be part of a trunk in the clear zone, and Non-Routable VLAN IDs must be part of a trunk on an encrypted port. VLAN IDs that are passed within the same zone do not have to be present in the VLAN routing map. The Bridge can support up to 24 VLANs in translate mode: each translation requires two VLAN IDs, for a maximum of 48 VLAN IDs on the VLAN translation map. If the Bridge's encrypted and clear interfaces reside on the same OSI layer-2 switch, use Translate mode. 3.9.2 VLAN translation occurs only on traffic received in one zone (clear or encrypted) and transmitted in the other zone. VLAN IDs passed from one interface to another within the same zone are not translated. NOTE: Native VLAN The native VLAN can be used as management VLAN, allowing you to use tagged traffic to manage the Bridge. On an interface with a VLAN Switching Mode of Trunk, you can access the Bridge’s management interface only with packets tagged with the Bridge’s Native VLAN ID. You can manage the Bridge on an interface with a VLAN Switching Mode of Access only with untagged packets and only when the interface’s Default VLAN ID matches the Bridge’s global Native VLAN ID. You can reconfigure the Bridge to use a native VLAN ID other than 1 (the default), which automatically adds the new number to the Bridge’s VLAN ID table (described in Section 3.9.3). If the new ID is already present on the VLAN ID table, it will simply be selected as the Native VLAN ID. VLAN functions are available only in Advanced View. To configure basic VLAN settings Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. In the VLAN Settings frame, enter new values for those settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). If you selected a VLAN Mode of Normal or Translate, refer to Section 3.9.3 to configure additional VLANs. For Translate mode, refer to Section 3.9.4 to create VLAN map records. You cannot configure VLANs when STP or FastPath Mesh is selected as the Bridge’s Bridging Mode (refer to Section 3.2). 111 Bridge GUI Guide: Network Configuration 3.9.3 VLAN ID Table The VLAN IDs you use on your network, for the native VLAN and for translate-mode mapping, are stored in the VLAN ID Table. The contents of the table determine the VLANs available for assignment to the Bridge’s interfaces. The VLAN ID Table defines the VLAN trunk for the Bridge, as used by all interfaces on the Bridge configured as Trunk ports. It is populated through any of several operations: If, in Configure -> VLAN -> VLAN Settings (sections 3.9.1 and 3.9.2), you enter a VLAN ID not already present on the VLAN ID table as the Native VLAN ID, the new VLAN ID is automatically added to the table. If, in Configure -> VLAN -> VLAN Translate Map Records (Section 3.9.4), you enter a VLAN ID not already present on the VLAN ID table as a Routable ID or Non-Routable ID, the new VLAN ID is automatically added to the table. If, in Configure -> Radio Settings -> BSS Interfaces -> EDIT/ ADD BSS or in Configure -> Switch Settings -> Switchports -> EDIT, you enter a Default VLAN ID not already present on the VLAN ID table, the new VLAN ID is automatically added to the table. The settings that configure VLAN handling by the Bridge’s Ethernet ports are described in Section 3.7.6; VLAN settings for radio BSS interfaces are covered in Section 3.3.4.5. You can manually add VLAN IDs to the VLAN ID table (below). There is only one VLAN trunk per Bridge, defined by the Bridge’s VLAN Active ID Table and used by all Trunk ports. NOTE: NOTE: VLAN IDs added automatically to the VLAN ID table will remain on the table even if the Bridge is reconfigured to no longer use them. You can configure up to 48 VLAN IDs on the Bridge, using VLAN ID numbers 1–4094, inclusive. VLAN IDs 0 and 4095 are reserved for internal use. Figure 3.33. Advanced View Add a new Active VLAN ID dialog, all platforms VLAN functions are available only in Advanced View. To manually add VLAN IDs to the Bridge configuration Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. In the VLAN Active ID Table frame, click NEW ID. 112 Bridge GUI Guide: Network Configuration In the resulting dialog, enter the ID number of the VLAN you want to add to the configuration and click OK. The ID number of VLAN you added will be listed in the VLAN Active ID Table. You cannot delete a VLAN ID from the Bridge configuration while it is in use, as indicated by a red asterisk to the right of the ID number. The marked VLAN ID may be in use by one of the Bridge’s Ethernet interfaces (Section 3.7.6), radio BSS interfaces (Section 3.3.4.5), or as the Native VLAN (Section 3.9.2); or the VLAN ID may be part of the VLAN translation map (Section 3.9.4). When you have reconfigured the Bridge so that the VLAN ID is no longer in use, you will be able to delete the VLAN ID from the configuration, as indicated by the checkbox to the right of the ID number. To delete VLANs from the Bridge configuration Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. In the VLAN Active ID Table, click to check the box(es) of the VLAN(s) you want to delete (or check the boxes of all unused VLAN IDs with ALL). Click DELETE. Click OK in the confirmation dialog (or Cancel the deletion). The ID numbers of VLANs you delete will be removed from the VLAN ID Active Table. You cannot configure VLANs when STP or FastPath Mesh is selected as the Bridge’s Bridging Mode (refer to Section 3.2). 3.9.4 VLAN Map Records If you are using VLAN Translate mode (Section 3.9.1). you must create a VLAN translation map for your configuration: To add VLAN map records to the Bridge configuration: Figure 3.34. Advanced View VLAN Map Record frame, all platforms Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. 113 Bridge GUI Guide: Network Configuration In the VLAN Translate Map Records frame, click NEW RECORD. On the resulting Edit VLAN screen, in VLAN Map Record : In Record Name: enter a descriptive name for the mapping record. In Routable ID: enter the routable VLAN ID for packets passed through the clear zone (to the wired LAN). In Non-Routable ID: enter the corresponding nonroutable VLAN ID for packets passed through the encrypted zone (to the WLAN). Click APPLY in the upper right of the screen (or CANCEL your addition). The mapping records you create display at the bottom of the VLAN Translate Map Records frame on the VLAN screen. To edit a VLAN map record Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. In the VLAN Map Records frame click the EDIT button for the record you want to change. Change the settings you want to reconfigure (described above, and click APPLY in the upper right of the screen (or CANCEL your changes). Your changes will be reflected in the record’s entry at the bottom of the VLAN Map Records frame on the VLAN screen. To delete VLAN map records You can delete VLAN map records individually or all at once. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> VLAN from the menu on the left. In the VLAN Translate Map Records frame: Click to check the box(es) of the record(s) you want to delete. or Click All to select all map records. Click DELETE at the top of the frame. Click OK in the confirmation dialog (or Cancel the deletion). The records you delete are removed from the VLAN Translate Map Records frame on the VLAN screen. VLAN functions are available only in Advanced View, and you cannot configure VLANs when STP or FastPath Mesh is selected as the Bridge’s Bridging Mode (refer to Section 3.2). 114 Bridge GUI Guide: Network Configuration 3.10 ES210 Bridge Serial Port Settings The serial port on the front panel of the ES210 Bridge is configured by default to be used for Console port access to the Bridge CLI, as other Bridge model serial ports are used. On the ES210 Bridge, you can reconfigure the serial port to instead connect the Bridge to an external third-party Serial Sensor, or another serial device. When Serial Sensor Settings are Enabled, the serial port behaves like a serial terminal server, passing data between the specified TCP (Transmission Control Protocol) port and the device connected to the serial port. Serial data can be accessed using telnet ip_addr tcp_port, with no options. Only one TCP connection at a time is permitted to the Serial Sensor TCP port. The ES210 Bridge can send data from and to the connected serial device over any of the Bridge’s wired or wireless interfaces, under the security provisions configured for the interface and on the Bridge overall. 3.10.1 Configuring the Serial Port Enabling Serial Sensor Settings disables the serial port for Bridge CLI access. The Bridge CLI remains accessible by a terminal emulation application over an SSH2 (Secure Shell 2) network connection, provided SSH Access is Enabled (the default; refer to Section 4.1.6). NOTE: You must reboot the Bridge in order to change the function of the ES210 Bridge serial port. Disabling the Serial Sensor function re-enables the port’s Bridge CLI Console function and automatically returns serial port settings to the correct values for the Bridge CLI (baud rate: 9600, parity: none, stop bits: 1). Figure 3.35. Serial Sensor Settings frame, ES210 Use Serial Sensor Settings to enable and configure the ES210 Bridge’s serial port to connect to an external serial device. Admin. State - determines whether the port’s Serial Sensor function and the rest of the configuration settings in the Serial Sensor Settings frame are Enabled or Disabled (the default). You must reboot the ES210 Bridge in order to change Admin. State, as directed below. Port - specifies the TCP port for the serial interface. Port values between 5000 and 65534 are valid; the default is port 5001. Baud Rate - specifies the number of bits per second for the serial connection at 300, 1200, 2400, 4800, 9600 (the 115 Bridge GUI Guide: Network Configuration automatic setting for the Console port), 19200, or 38400 (the default when Serial Sensor Settings are Enabled). Parity - specifies whether the parity bit used for error checking results in an Even or Odd number of bits per byte or, with a setting of None (the default), that no parity bit should be added. Stop Bits - specifies whether the port should use a stop bit of 1 (the default) or 2. The serial port always uses 8 data bits per character and no hardware or software flow control. To configure the ES210 serial port: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Serial Sensor from the menu on the left. In the Serial Sensor Settings frame, enter new values for those settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). CAUTION: Enabling the Serial Sensor function on the ES210 Bridge disables management access through the serial port. If you changed the Admin. State in Step 2, reboot the ES210 Bridge according to the instructions in Section 6.1.2. Restoring the ES210 Bridge’s factory default configuration restores the serial port to the default Bridge CLI Console function. 3.10.2 Resetting the Serial Port When the ES210 Bridge is enabled for and connected to an external serial device, you can manually restart the serial port’s TCP session. Figure 3.36. Reset Serial Sensor TCP Connection frame, ES210 To reset the ES210 serial port TCP session: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Serial Sensor from the menu on the left. In the Reset Serial Sensor TCP Connection frame, click EXECUTE. Resetting the serial port has no effect when the Serial Sensor function is Disabled. 116 Bridge GUI Guide: Security Configuration Chapter 4 Security, Access, and Auditing Configuration 4.1 Fortress Security The Security Settings frame provides controls for various aspects of the Bridge’s overall network security provisions: Fortress MSP (Mobile Security Protocol) functions including key establishment, data encryption and network Access ID; FIPS operation; global session timeouts; and several additional management and network access settings. Fortress MSP is not supported on an ES210 Bridge in Station Mode (refer to Section 3.3.5). NOTE: A number of Fortress Security Settings are available only in ADVANCED VIEW. Table 4.1 shows which settings are available in each view. Figure 4.1. Simple View, Fortress Security Settings frame, all platforms In addition, administrative password requirements and the retry, timeout and lockout parameters for administrative accounts are set on the Security screen, in the Logon Settings frame (as described in Section 2.2.1). 4.1.1 Operating Mode The Fortress Bridge can be operated in either of two modes: Normal or FIPS (the default). The rigidly enforced administrative requirements of FIPS operating mode are required by deployments and applications that must comply with the Federal Information Processing Standards (FIPS) for cryptographic modules. However, the high levels of security that can be implemented in Normal operating mode generally meet or exceed the needs of virtually 117 Bridge GUI Guide: Security Configuration all networked environments that are not required to comply with FIPS. As of this writing, FIPS operating mode in the current version of Bridge software is in the process of being validated as compliant with FIPS 140-2 Security Level 2. These Federal standards enforce security measures beyond those of Normal operating mode, the most significant of which include: Only a designated Crypto Officer, as defined by FIPS, may perform administrative functions on the Bridge and its Secure Clients. (The preconfigured admin, Administratorlevel, account corresponds to the FIPS Crypto Officer role; refer to Section 2.2.) If the Bridge encounters a FIPS Error condition, it shuts down and reboots, running FIPS self-tests as a normal part of boot-up. If FIPS self-tests pass, the Bridge will return to normal operation. If FIPS self-tests fail, before any interfaces are accessible, the Bridge will again reboot. If the Bridge is unable to pass power-on self-tests, it will cycle perpetually through this reboot process. In this case, you must return the Bridge to your vendor for service or replacement. Contact your Fortress representative for up-todate information on the Bridge’s FIPS validation status. NOTE: DH-512 and DH-1024 key establishment (Section 4.1.3) are no longer FIPS 140-2-compliant and are therefore not compatible with FIPS operating mode. Regardless of the current operating mode, the Bridge can be configured to allow unencrypted data on encrypted interfaces by enabling Cleartext Traffic (refer to Section 4.1.10). In FIPS terminology, this indicates that the Bridge is in Bypass Mode (BPM), as selectively permitted clear text can pass, along with any encrypted traffic, on encrypted interfaces (Ethernet ports or radio BSSs on which Fortress Security is Enabled). NOTE: Only devic- es configured on the Bridge to pass clear text on encrypted interfaces are permitted to do so, even when Cleartext Traffic is enabled. The Bridge GUI displays the current operating Mode and Cleartext traffic setting in the status fields in the upper left, above the main menu (refer to Section 5.1). 4.1.2 MSP Encryption Algorithm The Bridge supports the strong, AES encryption standard at these user-specified key lengths: AES-256 (default) AES-192 AES-128 All Secure Clients (and other Fortress controller devices) connecting to the Bridge must be configured to use the same encryption algorithm as the Bridge. For information on setting encryption algorithms on Fortress Secure Clients, refer to that product’s user guide. 118 Bridge GUI Guide: Security Configuration 4.1.3 MSP Key Establishment You can configure the method that the Bridge and its Secure Clients (and other connecting controller devices) use to establish data encryption keys. In Normal operating mode (Section 4.1.1) the Bridge supports three Diffie-Hellman groups (DH groups) for key establishment—identified by the size of the modulus, in numbers of bits, used to generate the secret shared key: DH-512 (Normal [non-FIPS] operating mode only) DH-1024 (Normal [non-FIPS] operating mode only) DH-2048 (default selection) When operating the Bridge in FIPS mode (Section 4.1.1), you cannot use DH-512 or DH-1024 key establishment, because the smaller Diffie-Hellman group moduli are no longer compliant with FIPS 140-2 Security Level 2. On wireless networks, separate multicast packets are sent for each configured key group. To maximize throughput, limit the number selected. NOTE: When NSA (National Security Agency) Suite B5 cryptography is licensed on the Bridge, an additional elliptic curve DiffieHellman key establishment method is available for selection: Suite B (specified by the NSA as compliant with the Suite B set of cryptographic algorithms). When Suite B is not licensed on the Bridge, the Bridge GUI displays a link to the features licensing page (refer to Section 6.3). While a Secure Client can employ only one key establishment option at a time, the Bridge supports multiple key establishment selections, allowing connecting Clients to use any enabled key establishment option. A Secure Client logging on to the Bridge must use a key establishment option enabled on the Bridge. For information on configuring key establishment on Fortress Secure Clients, refer to the Secure Client’s user guide. When two Fortress controller devices are connected, they will negotiate keys using the highest security option mutually supported by the devices. NOTE: Secure Cli- ent versions earlier than 3.1 support only DH-512 key establishment. If you need to support pre-3.1 Secure Client devices, you must include DH-512. When Suite B key establishment has been licensed on the Bridge, this option represents the highest available security. Larger key moduli equate to more security for the standard Diffie-Hellman group key establishment options, as well. DH-512 is therefore the least secure DH group, and if you do not need the Bridge to support Secure Client versions earlier than 3.1 (which require DH-512), Fortress recommends more secure key establishment. NOTE: DH-512 key establishment cannot be selected when a 32-digit Access ID (Section 4.1.17) is in effect. Larger key moduli result in somewhat longer initial connection times. Refer to the Suite B requirements specific to your site and implementation for guidance on Suite B. 5. Refer to Footnote 1 on page 2. 119 Bridge GUI Guide: Security Configuration 4.1.4 MSP Re-Key Interval Fortress Bridges generate new keys at defined intervals, renegotiating dynamic keys with their Secure Clients whenever those Clients are logged on. You can specify the re-key interval, in hours, at values between 1 and 24. The default is 4. At the default, for example, to decrypt data intercepted over a 12-hour period, a hacker would need to recover three sets of keys just from the Bridge, quickly enough to employ them before the next re-key—a highly unlikely possibility. Connecting devices’ re-keying behaviors would generate additional key exchanges, and keys from the Bridge alone would not permit network access. Every new key negotiation adds network traffic, and the increased security of shorter re-key intervals should be balanced against throughput considerations. 4.1.5 Access to the Bridge GUI In order for the Bridge GUI to be usable, GUI Access must be Enabled. When GUI Access is Disabled, the Bridge can be managed exclusively through the Bridge CLI. Access to the Bridge GUI is Enabled by default. If you disable the Bridge GUI from within the interface, your current session will end. You must re-enable the Bridge GUI from the Bridge CLI before the former will again be accessible (refer to the CLI Software Guide). 4.1.6 Secure Shell Access to the Bridge CLI In order for the Bridge CLI to be accessible via the network, Secure Shell (SSH®) must be Enabled. When SSH Access is Disabled, you can access the Bridge CLI exclusively through a direct connection to its Console port. SSH Access is Enabled on the Bridge by default. 4.1.7 Blackout Mode The Bridge’s command-line interface can always be accessed via a direct connection to the Bridge’s serial Console port (refer to the CLI Software Guide). NOTE: The Blackout Mode setting on the Fortress Bridge globally turns all chassis LEDs on and off. When Blackout Mode is Enabled, none of the Bridge’s LEDs will illuminate for any reason—except for a single, initial blink (green) of less than half a second, at the beginning of the boot process. When Blackout Mode is Disabled (the default), the LED indicators function normally. You can also enable/disable blackout mode through chassis controls on some Bridge hardware models (refer to the Hardware Guide for the Bridge you are configuring) or through the Bridge CLI (refer to the CLI Software Guide). 120 Bridge GUI Guide: Security Configuration 4.1.8 FIPS Self-Test Settings The Bridge runs a number of self-tests described in FIPS 1402, (Federal Information Processing Standards’ Security Requirements for Cryptographic Modules). FIPS tests run—and self-test failures are logged—regardless of whether it is in FIPS or Normal operating mode. When the Bridge is in FIPS operating mode, it will additionally shut down and reboot upon the failure of any FIPS self-test, as required by FIPS 140-2 (refer to Section 4.1.1). By default, FIPS tests run when they are automatically triggered or manually executed (refer to Section 6.1.7). FIPS tests are triggered regardless of FIPS settings. You cannot turn triggered FIPS testing off on the Bridge. FIPS test triggers include any security-related change to the Bridge’s configuration (deleting a user, for example, or changing the rekey interval). You can configure the Bridge to run additional FIPS tests periodically, and when periodic tests are enabled, you can configure the FIPS self-test run-interval (the default is 86,400 seconds, or 24 hours). You can configure the interval at which the random number generator is reseeded (the default is 86,400 seconds, or 24 hours). You can also determine whether random number generator (RNG) tests are run routinely: continuous RNG tests are Enabled by default; when the Bridge is in FIPS operating mode they cannot be Disabled. You can configure FIPS self tests only in Advanced View. 4.1.9 Encrypted Data Compression You can configure whether or not data passed by devices on an encrypted interface on the Bridge (in the encrypted zone) is compressed. Data compression in the encrypted zone is enabled by default. The compression settings of all Secure Clients (and other Fortress controller devices) on the Bridge-secured network must match: either enabled for all devices or disabled for all devices. You can enable/disable data compression only in Advanced View. 4.1.10 Encrypted Interface Cleartext Traffic By default, cleartext traffic—both received and transmitted—is blocked on a Bridge’s encrypted interfaces (Ethernet ports or radio BSS on which Fortress Security is Enabled). 121 Bridge GUI Guide: Security Configuration Encrypted-interface cleartext traffic must be enabled to support AP management rules on the Bridge and Trusted Device access to the Bridge’s encrypted zone. In FIPS terminology, when clear text is enabled on the Bridge’s encrypted interfaces, the Bridge is in FIPS Bypass Mode. Disabling cleartext traffic on encrypted interfaces after AP management rules or Trusted Devices have been configured will not remove them from the configuration. Because these devices cannot decrypt encrypted traffic, however, the Bridge will not be able to communicate directly with them until cleartext traffic is permitted on encrypted interfaces. 802.1X devices will likewise be unable to access the Bridge-secured network when cleartext traffic on encrypted interfaces is blocked. NOTE: The current Cleartext traf- fic setting is shown in the upper left of all Bridge GUI screens (refer to Section 5.1). You can enable/disable cleartext traffic only in Advanced View. 4.1.11 Encrypted Interface Management Access By enabling or disabling Encrypted Interface Management, you can control whether or not the Bridge’s management interface can be accessed on interfaces enabled for Fortress Security (refer to sections 3.3.4.13 and 3.7.4 for wireless and Ethernet interfaces, respectively). Encrypted Interface Management applies to any connection to an encrypted interface on the current Bridge: local Fortress Secure Client connections connections through a remote Fortress controller device bridging links between networked Fortress Bridges authorized clear devices when Guest Management is Enabled (Section 4.1.12, below) Encrypted Interface Management is Enabled by default. If Encrypted Interface Management is Disabled, you will be able to manage the Bridge only through a clear interface (or through the serial Console port). You can enable/disable Encrypted Interface Management only in Advanced View. 4.1.12 Guest Management You can control whether or not the Bridge’s management interface can be accessed by authorized cleartext devices (Section 4.5.3) on encrypted interfaces on the Bridge by enabling or disabling Guest Management. Guest Management is Disabled by default, and Trusted Devices are not allowed to access the Bridge’s management interface. The Encrypted Interface Management setting (Section 4.1.11, above) overrules Guest Management. When Encrypted Interface Management is Disabled, no management access is permitted 122 Bridge GUI Guide: Security Configuration on any encrypted interface, including by configured cleartext devices, regardless of the Guest Management setting. You can enable/disable Guest Management only in Advanced View. 4.1.13 Cached Authentication Credentials When a device’s session times out, the device is required to renegotiate encryption keys in order to reconnect to the network. When Cached Auth. Credentials is Enabled (the default), users of devices that have timed out are reauthenticated transparently, using cached user credentials. When the Cached Auth. Credentials is Disabled, such users are prompted to re-enter their usernames and passwords in order to re-establish their network connections. You can enable/disable Cached Auth. Credentials only in Advanced View. 4.1.14 Fortress Beacon Interval The Fortress Bridge transmits a key beacon at regular intervals to maintain active, secure connections to other Fortress devices on the local, Bridge-secured network. This enables immediate, secure communication between Fortress devices. You can configure the number of seconds between Fortress beacons in whole numbers between 1 and 3000, or disable the Fortress beacon (by entering zero in the interval configuration field). The default beacon interval of 30 seconds is appropriate for most networks. Less frequent beacons (longer intervals) may be desirable where network bandwidth is in short supply. You can configure the beacon interval only in Advanced View. 4.1.15 Global Client and Host Idle Timeouts You can separately configure Secure Client connections to the Bridge’s encrypted zone and host connections to the clear zone to be forcibly ended after a specified period of inactivity. When local or external authentication is in effect for network users, the timeout settings configured globally on the applicable RADIUS server will override the Client Idle Timeout setting on the Security screen. For more detail on user timeout settings, refer to Section 4.4. Administrator idle timeouts (Section 2.2.1.4) are separate from host and Secure Client devices idle timeout settings. NOTE: You can configure Client and host device timeouts, in minutes, from 1 to 43,200 (30 days). A setting of 0 (zero), disables timeouts. By default, both types of session timeout after 30 minutes of inactivity. You can configure the Client and host device idle timeouts only in Advanced View. 123 Bridge GUI Guide: Security Configuration Figure 4.2. Advanced View, Fortress Security Settings frame, all platforms 4.1.16 Changing Basic Security Settings: Table 4.1 shows which settings can be configured only in Advanced View. Table 4.1. Security Settings Simple & Advanced Views Operating Mode Encryption Algorithm GUI Access SSH Access Re-key Interval Blackout Mode Key Establishment Access ID Advanced View Only FIPS Reseed Interval FIPS Test Interval FIPS Periodic Tests FIPS Cont. RNG Tests Enc. Zone Compression Cleartext Traffic Secure Client Mgmt. Guest Management. Cached Auth. Credentials Fortress Beacon Interval Client Idle Timeout Host Idle Timeout Log on to the Bridge GUI through an Administrator-level account and select Configure -> Security from the menu on the left. If you are configuring one or more Advanced View settings (see Table 4.1), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) In the Security screen’s Security Settings frame, enter new values for the settings you want to change (described in sections 4.1.1 through 4.1.14, above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). 124 Bridge GUI Guide: Security Configuration 4.1.17 Fortress Access ID The Access ID provides network authentication for the Fortress Security System. This 16- or 32-digit hexadecimal ID is established during installation, after which the same Access ID must be specified for all of the Bridge’s Secure Clients (and other connecting Fortress controller devices). Likewise, if you change the Bridge’s Access ID, you must subsequently make the same change to all of its Secure Clients’ Access IDs. For information on setting the Access ID on Secure Clients, refer to the Fortress Secure Client user guide. NOTE: The default Access ID is represented by 16 zeros or the word, default. Manually entering either value returns the Bridge’s Access ID to its default setting. You can manually enter either a 16-digit or a 32-digit hexadecimal Access ID of your own composition, or you can elect to have the Bridge randomly generate an Access ID and display the result for you to record. Figure 4.3. Fortress Access ID controls, all platforms 32-digit hexadecimal Access IDs are incompatible with DH-512 key establishment (described in Section 4.1.3). A manually entered 32-digit Access ID will not be accepted if DH-512 is selected for key establishment in the Bridge. The length of a randomly generated Access ID is determined by the key establishment selections in effect when you click the GENERATE ACCESS ID button: if DH-512 is selected, a 16-digit hexadecimal Access ID is generated; if DH-512 is not selected, a 32-digit hexadecimal Access ID is generated. NOTE: Secure Cli- ent versions earlier than 3.1 support only 16-digit hexadecimal Access IDs. Regardless of how you establish the Bridge’s Access ID, you must make a record of the Access ID at the same time that you create it. For security purposes, once you have left the screen on which you establish it, the Access ID can never again be displayed. To change the Access ID: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Security from the menu on the left. On the Security screen’s Security Settings frame: If you want to randomly generate the Access ID to be used on the Bridge-secured network: Click GENERATE ACCESS ID to generate a 16-digit (when DH-512 key establishment is selected) or a 32-digit (when DH-512 is not selected) hexadecimal Access ID. Record the Access ID in a safe place. Once you have left the page on which it was generated, the Access ID can never again be displayed. NOTE: A 32-digit Access ID cannot be configured when DH-512 key establishment (Section 4.1.3) is selected. CAUTION: The Access ID cannot be displayed after it has been created. 125 Bridge GUI Guide: Security Configuration or If you want to manually enter a 16-digit or a 32-digit hexadecimal Access ID of your own composition: 4.2 In New Access ID and Confirm Access ID, enter the 16or 32-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients. Record the Access ID in a safe place. Once you have left the screen on which it was initially established, the Access ID can never again be displayed. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Internet Protocol Security Fortress Bridges can be configured to secure private communications over public networks by implementing the IPsec protocol suite developed by the IETF (Internet Engineering Task Force) to protect data at the Network Layer (Layer 3) of the OSI model. Fortress’s IPsec function is not yet supported on IPv6 networks. NOTE: Fortress’s IPsec implementation uses: ISAKMP (Internet Security Association and Key Management Protocol) as defined in RFC 2408 IKEv2 (Internet Key Exchange version 2) as defined in RFC 4306 IPsec Tunnel Mode using ESP (Encapsulating Security Payload) as defined in RFC 4303 Strong standards-based cryptographic algorithm suites including: NSA (National Security Agency) Suite B 6 : AES-128-GCM, 16B ICV7 AES-256-GCM, 16B ICV Legacy AES-128-CBC (Cipher Block Chaining) In IPsec Phase 1, ISAKMP is used to authenticate the initial Security Association (SA)—via digital signature or pre-shared key—and to encrypt the control channel over which IKE messages are exchanged. The Phase 1 IKE SA secures negotiation of the Phase 2 IPsec SAs over which network traffic is sent and received, according to the ESP protocol, using the specified encryption standard(s). NOTE: Fortress de- vices do not initiate IKE v1 transactions, but will accept IKE v1 connections from legacy devices. How IPsec is applied to traffic on the Bridge is determined by the Security Policy Database (SPD) entries configured—per interface—to apply a specified action to traffic selected by its source and destination subnets. Once the function is enabled and configured, the Bridge functions as an IPsec gateway for the locally connected 6. Refer to Footnote 1 on page 2. 7. Advanced Encryption Standard-Galois/Counter Mode, 16-bit integrity check value 126 Bridge GUI Guide: Security Configuration devices, using its own IP address as the IPsec peer address and conducting IKE transactions on behalf of (and transparently to) the devices it secures. IPsec can be used alone or in conjunction with the Fortress Security settings described in Section 4.1. 4.2.1 Global IPsec Settings IPsec is globally disabled by default. When you enable IPsec, you must also provide for at least one authentication method for ISAKMP connections: For IPsec peers to be authenticated via digital signature using an X.509 certificate, you must also have specified a locally stored key pair and certificate to authenticate the Bridge as an IPsec endpoint. Refer to Section 6.2.1 for guidance on creating an IPsec key pair. For IPsec peers to be authenticated by pre-shared keys, you must specify those keys, per peer (refer to Section 4.2.3, below). Once IPsec is globally enabled and configured, you must specify at least one SPD entry (configured to Apply IPsec) on at least one Bridge interface, before the Bridge can send and receive IPsec-protected traffic (refer to Section 4.2.2). Figure 4.4. IPsec Global Settings frame, all platforms Global IPsec settings include: Admin. State - globally sets the Bridge’s IPsec function to Enabled or Disabled. Certificate Revocation List - When the IPsec CRL function is Disabled, the default, certificates used to authenticate IPsec peers are not checked against the lists of certificates that have been revoked by their issuing authorities. When the IPsec CRL function is Enabled, peer certificate chains are traced back to a trusted root certificate and each certificate's serial number is checked against the contents of the issuing authority’s CRL to verify that none of the certificates in the chain have been revoked, as described in RFC 3280. 127 Bridge GUI Guide: Security Configuration Suites - selects the cryptographic algorithm suite(s) that the Bridge will accept when acting as an IKE responder and will offer when acting as an IKE initiator. SuiteB 256 - AES-256-GCM, 16B ICV (default selection) SuiteB 128 - AES-128-GCM, 16B ICV (default selection) Legacy - AES-128-CBC SA Lifetime - specifies a time- and/or data-limited lifespan at the end of which a new IKE transaction must be negotiated to establish new IPsec SAs for the connection: in minutes (mins.) from 1 to 71,582,788 to determine how long the SA will be used before it expires, or specify 0 (zero) to impose no time limit. in kilobytes (KB) from 1 to 4,294,967,295 to determine how much data will pass on the SA before it expires, or specify 0 (zero) to impose no data limit. If both fields are set to positive values, both apply, and whichever condition occurs first will cause the SA to expire. The default SA Lifetime is set, in minutes, at 240 (4 hours), with an unlimited amount of traffic permitted. To configure global IPsec settings: 4.2.2 Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. On the IPsec Settings screen’s Global Settings frame, enter new values for the settings you want to change (described above). Click APPLY in the upper right of the screen (or CANCEL your changes). Unlike Suite B Key Establishment options (Section 4.1.3), Suite B IPsec NOTE: Cryptographic Algorithm options are available regardless of whether Suite B is licensed on the Bridge (Section 6.3). CAUTION: If you disable IPsec when the function is in use, all IKE and IPsec SAs will be immediately terminated, configured SPD entries will be disabled, and IPsec traffic will cease to be sent or received on any interface. Interface Security Policy Database Entries When IPsec is globally enabled and configured (refer to Section 4.2.1), each of the Bridge’s network interfaces can be associated with up to 100 SPD entries. An interface with one or more SPD configured for it is enabled to pass IPsec traffic. An interface with no SPD configured for it is disabled for IPsec traffic. Each SPD entry defines the traffic to which it will apply by a specified local subnet of IP addresses—the source of outbound traffic and destination of inbound traffic. You can likewise specify a remote subnet of IP addresses to which an SPD will apply—defining traffic by its outbound destination/inbound source—as well as the IP address of the connecting device. 128 Bridge GUI Guide: Security Configuration How traffic defined by an SPD entry will be handled is determined by the Action specified in the entry, as shown in Table 4.2. Table 4.2. Configurable SPD Entry Actions action Apply inbound packets outbound packets must be IPsec-protected IPsec-encrypt and send as ESP Bypass must not be IPsec-protected Drop send unprotected by IPsec drop without further processing Traffic on an interface that has no matching SPD definition will be handled according to whether any SPD entry has been configured for that interface: An interface with no SPD entry configured for it permits packets to pass unprotected by IPsec. Such an interface is a red interface, in IPsec terms, indicating the unprotected status of traffic on that interface. An interface with at least one SPD entry configured for it drops any packet that does not match (one of) the traffic selector(s) defined by the SPD entry(-ies) configured for that interface. In IPsec terms, such an interface is functioning as a black interface, indicating the secure status of any traffic passing on it. SPD entry settings include: Policy Name - identifies the SPD entry in the Bridge configuration. Interface Name and BSS Name - associates the SPD entry with a particular interface on the Bridge. The Interface Name dropdown provides a list of the Bridge’s Ethernet interfaces. The BSS Name dropdown provides a list of BSSs currently configured on (one of) the Bridge’s internal radio(s). Use only one of these dropdown lists to specify only a single Ethernet or wireless interface. Local Address and Local Mask - defines the traffic to which the SPD entry will apply by the local subnet of IP addresses that will comprise the outbound source/inbound destination of that traffic. Remote Address and Remote Mask - defines the traffic to which the SPD entry will apply by the remote subnet of IP addresses that will comprise the inbound source/outbound destination of that traffic Priority - establishes the order in which the policy defined by the entry will be applied, from 1 to 100, relative to other configured policies. Priority values must be unique. Policies with lower Priority numbers take precedence over those with higher Priority numbers. Devices that implement the IPsec model are sometimes referred to as red/black boxes. NOTE: NOTE: A BSS must be already be present on a Bridge radio before it can be associated with an SPD entry. 129 Bridge GUI Guide: Security Configuration Action - determines how packets selected by the local and remote subnet parameters specified above will be handled: Drop - drop packets without further processing (default selection) Bypass - receive and send only packets unprotected by IPsec Apply - receive and send only packets protected by IPsec Peer Address - if the Action to be applied by the SPD entry is Apply, you must identify the IP address of the remote device to and from which IPsec-protected traffic will be sent. If the Action is Drop or Bypass, no IPsec peer is expected for the SPD and you cannot enter an IP address in this field. Figure 4.5. IPsec Security Policy Database entry frame, all platforms To add an IPsec SPD entry to a Bridge interface: 1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s Security Policies frame, click ADD SPD and, on the resulting screen, enter valid values for the settings described above. 3 Click APPLY in the upper right of the screen (or CANCEL the addition). The SPD entries you add are listed in the Security Policies frame. To delete IPsec SPD entries: 1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s Security Policies frame: If you want to delete a single SPD entry or selected entries, click to place a checkmark in the box(es) beside the entry(-ies) you want to eliminate. or If you want to delete all SPD entries, click ALL at the top of the Security Policies list to check all entries. Click the Security Policies frame’s DELETE SPD button. Deleted SPD entries are removed from the Security Policies list. 130 Bridge GUI Guide: Security Configuration 4.2.3 IPsec Pre-Shared Keys As an alternative to using a digital certificate, the identity a given IPsec peer can be authenticated by a static pre-shared key (PSK), as configured on both parties to the initial ISAKMP transaction. PSKs on the Bridge can be specified as a string of ASCII characters or a series of hex bytes (hexadecimal pairs). Alternatively, you can generate a random key, of a specified length, expressed in hex bytes. Figure 4.6. IPsec PSK settings frame, all platforms To configure a PSK for an IPsec peer: Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s Pre-Shared Keys frame, click ADD PSK and, on the resulting screen, in Peer Address, specify the IP address of the IPsec peer to be authenticated by the PSK. On the same screen, establish the key to be used to authenticate the specified IPsec peer: If you want to specify a key: In Key Type - use the dropdown to specify whether the key you enter is an ASCII string or a series of Hex bytes. In Key and Key Confirmation - enter a key in the format you specified above. NOTE: The Secret Length parameter is ignored for manually entered PSKs. or If you want to automatically generate a random key: In Key Length - optionally specify the number of bytes to comprise the key, from 1 to 64. If you omit this value, the default key length is 32 bytes. In Key Type - use the dropdown to specify whether an ASCII string or a series of Hex bytes should be generated, and click GENERATE PSK. Record the resulting PSK. You must configure a matching key on the IPsec peer specified in Step 2. Click APPLY in the upper right of the screen (or CANCEL the addition). The IP addresses of the IPsec peers for which PSKs are configured are listed in the Pre-Shared Keys frame. 131 Bridge GUI Guide: Security Configuration To delete IPsec peer PSKs: Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s Pre-Shared Keys frame: If you want to delete the PSK for a single or selected IPsec peers, click to place a checkmark in the box(es) beside the IP address(es) of the peer(s) for which you want to delete the PSK(s). or If you want to delete all IPsec peer PSKs, click ALL at the top of the Pre-Shared Keys list to check all IP addresses. Click the Pre-Shared Keys frame’s DELETE PSK button. The IP addresses of the IPsec peers whose PSKs are deleted are removed from the Pre-Shared Keys list. 4.2.4 IPsec Access Control List An additional level of security can be provided in the Bridge’s IPsec implementation via the IPsec ACL. The function is enabled when at least one ACL entry is configured. It is disabled by default: no ACL entries are present. When the IPsec access control function is enabled, the Bridge compares the Distinguished Names (DNs) contained in the X.509 digital certificates of authenticating IPsec peers against those recorded in the IPsec ACL. If no match is found, access is denied. If a match is found, access is allowed or denied according to the ACL entry’s Access rule. Figure 4.7. IPsec ACL entry frame, all platforms You can configure up to 100 IPsec ACL entries to be applied in the specified priority. Settings include: Name - identifies the ACL entry in the Bridge configuration. Distinguished Name - specifies the DN pattern against which those in the X.509 certificates of IPsec peers will be matched. Each RDN (Relative Distinguished Name) in the sequence comprising the certificate DN is compared to the corresponding RDN specified in the IPsec ACL entry. You can use wildcard characters (*) in the RDNs that comprise the Distinguished Name specified for an ACL entry. For example, the DN pattern: C=US, ST=Florida, O=* 132 Bridge GUI Guide: Security Configuration matches the DN: C=US, ST=Florida, O="Fortress Technologies” OU=Engineering but does not match the DNs: C=US, ST=Florida, OU=Engineering C=US, ST=Florida, L=Oldsmar, O="Fortress Technologies” Priority - establishes the order in which the ACL entry will be applied, from 1 to 100, relative to other configured ACL entries. Priority values must be unique. Entries with lower Priority numbers take precedence over those with higher Priority numbers. Access - determines whether the Bridge will Allow (the default) or Deny access to IPsec peers whose X.509 certificate DNs match the DN pattern of the entry. To add an IPsec ACL entry: Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s IPsec ACLs frame, click ADD ACL and, on the resulting screen, enter values for the settings described above. Click APPLY in the upper right of the screen (or CANCEL the addition). The ACL entries you add are listed in the IPsec ACLs frame. To delete IPsec ACL entries: Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left. In the IPsec Settings screen’s IPsec ACLs frame: If you want to delete a single ACL entry or selected entries, click to place a checkmark in the box(es) beside the entry(-ies) you want to eliminate. or If you want to delete all ACL entries, click ALL at the top of the IPsec ACLs list to check all entries. Click the IPsec ACLs frame’s DELETE ACL button. NOTE: Deleting all ACL entries disables the Bridge’s IPsec ACL function. Deleted ACL entries are removed from the IPsec ACLs list. 4.3 Authentication Services The Bridge is equipped with an internal, or local, RADIUS (Remote Authentication Dial In User Service) server (Section 4.3.2). It can also be configured to use external authentication servers, both 3rd-party RADIUS servers and those of other Fortress Bridges to which the current Bridge is connected (Section 4.3.1). 133 Bridge GUI Guide: Security Configuration Authentication is enabled on the Bridge when at least one authentication server is configured and enabled on the Bridge. You can configure two types of authentication server for the network, depending on the network configuration: NOTE: If you are using an external RADIUS server, configure user timeouts in that service. Fortress Auth. - identifies an authentication service running internally on a Fortress Bridge (either on the local Bridge or on a Fortress Bridge external to the current Bridge). A Bridge’s internal authentication server is always available. Availability of external Fortress authentication servers depends on whether other Bridges configured for authentication are present on the network. 3rd Party RADIUS - identifies a non-Fortress RADIUS server. The Bridge can be used with most standard RADIUS servers likely to be present on the network, including: Microsoft® Internet Authentication Service (IAS) included in Windows® Server 2003 the open source freeRADIUS version 2.1 For each of the three possible authentication types (Auth Types) that you want the Bridge to support, you must specify at least one authentication server that supports that authentication type. Auth Types include: User/Device Authentication - 1) the user name and password, as supplied by the user logging in and configured locally or on an authentication server providing user authentication to the network, and 2) the unique, hexadecimal Device ID generated for each Secure Client device and used to authenticate it on a Fortress-secured network 802.1X - supplicant credentials Admin - the user name and password of an CAUTION: Only the Fortress Auth. authentication server type supports both RADIUS user authentication and Fortress device authentication. 3rd Party RADIUS servers do not support device authentication. Enabling 802.1X on any Ethernet port or using WPA or WPA2 BSS Wi-Fi Security options that do not use PSK (Section 3.3.4.14) all require that you configure an 802.1X authentication service on or for the Bridge. NOTE: administrator on the Bridge, as supplied by the administrator logging in and configured locally or on an authentication server providing administrative authentication over the network Only Fortress RADIUS servers fully support all three types of authentication. Table 4.3 shows the authentication types supported by the two possible server types. Table 4.3. Supported Auth. Types by Configurable Server Type Authentication Fortress Auth. 3rd Party RADIUS User/Device yes user only 802.1X yes yes Admin yes yes In order to use a 3rd -party RADIUS server to authenticate Bridge administrators, the server must be configured to use Fortress’s Vendor-Specific Attributes (Fortress-Administrative134 Bridge GUI Guide: Security Configuration Role, Fortress-Password-Expired) and administrators must be configured on the server. Fortress Vendor-Specific Attributes are provided in the dictionary.fortress configuration file included on the Bridge software CD and are available for download at www.fortresstech.com/support/. Consult your external RADIUS server documentation for instructions on configuring the service You can configure the same authentication server for more than one supported authentication type. Even when no authentication server is configured for the Bridge, you can set global session idle timeouts for connected Secure Client and host devices connecting to the Bridge (Section 4.4). If you are using the Bridge’s internal RADIUS server, you can set local default timeout settings for authenticating Secure Client devices and users (Section 4.3.2) that will override the RADIUS-server-independent Secure Client idle timeout described above. Individual user and device timeout settings override the local defaults (Section 4.3.3). Figure 4.8. Simple View, external RADIUS Server frames, all platforms The Bridge can use up to four authentication servers at a time, although in Simple View you can configure only two. None is configured by default (as indicated by the blank IP Address and Shared Key fields in Simple View and the empty Server List in Advanced View). More than one authentication server can be configured on the Bridge for purposes of redundancy. For a given authentication type, however, only the relevant server with the first priority will be used to check authentication credentials. The success or failure of a given authentication attempt is therefore determined solely by the active authentication server for that authentication type. That is, credentials are authenticated or failed by the 135 Bridge GUI Guide: Security Configuration relevant server and failed credentials are not forwarded to any other server. If the server with first priority for a given authentication type becomes unavailable, the next server in the priority sequence that has also been configured to support that authentication type will be used. In Advanced View, where you can configure up to four RADIUS servers, you can specify the priority number of each. In Simple View, RADIUS Server 1 has priority over RADIUS Server 2. Advanced View also allows you to configure the maximum number of allowable authentication attempts and the retry interval for each server. These settings apply globally to all users and (if applicable) devices authenticated by that server. 4.3.1 Authentication Server Settings External authentication servers can be added and reconfigured only through the settings described below. Once the internal authentication server has been added to the Bridge configuration with the settings on the Local Server tab of the RADIUS Settings screen, you can reconfigure some aspects of its operation from its entry on the Server List or, in Simple View, in the corresponding RADIUS Server frame. However, the internal server can be added, and complete settings for it can be accessed, only on the Local Server tab, as described in Section 4.3.2. 4.3.1.1 Authentication Server State, Name, and IP Address The Admin State setting determines whether the Bridge forwards authentication requests of the applicable type(s) to the server (Enabled) or not (Disabled). You must specify a unique Server Name to identify an external server in the Bridge configuration. You cannot edit the Server Name once it is established. You must specify the network IP Address of an external authentication server in order to add it to the Bridge configuration. 4.3.1.2 NOTE: The Server Name and IP Address of the internal RADIUS server (Local Auth Sever and 127.0.0.1, respectively) are internally set and cannot be changed. Authentication Server Port and Shared Key The Port setting configures the UDP port to be used to communicate with the authentication server. The default authentication server port is 1812, as assigned by the IANA (Internet Assigned Numbers Authority) for RADIUS server authentication. Use the New Shared Key and Confirm Shared Key fields to establish the key used to authenticate the Bridge on the external authentication server. NOTE: The server key you enter here should already be present in the authentication service configuration. 136 Bridge GUI Guide: Security Configuration 4.3.1.3 Server Type and Authentication Types The Server Type setting identifies the type of authentication service running on the configured server, while Auth Types selections specify which type(s) of authentication credentials will be sent to the server. Refer to the description at the beginning of this section (Section 4.3) on page 133 for more detail. 4.3.1.4 Authentication Server Priority In configurations with multiple authentication servers, Priority establishes the server’s position in the order of redundant servers for the specified authentication type(s). Numerical values between 1 and 999 are accepted. The default value, Last, places the server last on the server priority list. 4.3.1.5 Authentication Server Max Retries and Retry Interval The Max Retries setting determines how many times the Bridge will attempt to connect to the server before assuming it is unavailable and going on to the next relevant server on the priority list. You can configure 1 to 10 maximum connection attempts; the default is 3. Max Retries is available in only Advanced View. NOTE: You must enable the Bridge’s internal authentication server in order to enable local authentication on the Bridge (refer to Section 4.3.2). Retry Interval specifies how long the Bridge will wait between connection retries (above). Retry Interval is available only in Advanced View. Figure 4.9. Advanced View, Authentication Server frame, all platforms 4.3.1.6 Configuring Authentication Servers You can add external servers to the Bridge configuration through the settings described in sections 4.3.1.1 through 4.3.1.5, and you can reconfigure these settings for any RADIUS server already in the Bridge configuration. You can add the internal server to the configuration and access all of the settings associated with it only on the Local Server tab, in Advanced View (refer to Section 4.3.2). Table 4.4 shows which of these settings can be configured in each Bridge GUI view. 137 Bridge GUI Guide: Security Configuration Table 4.4. External Authentication Server Settings Simple & Advanced Views Advanced View Only Admin. State Priority IP Address Max Retries Server Name Retry Interval Port Auth Types Server Type New/Confirmed Shared Key To configure a RADIUS server in Simple View: Log on to the Bridge GUI through an Administrator-level account and select Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, enter new values for the RADIUS Server 1 and/or RADIUS Server 2 settings you want to change (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). To configure a RADIUS server in Advanced View: 4.3.2 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen: If you want to add a new server, click the NEW SERVER button in the upper left of the screen. or If you want to edit an existing server, click the EDIT button to the left of its entry on the Authentication Servers list. In the RADIUS Settings screen’s Authentication Server frame, enter new values for the settings you want to change (described above). Click APPLY in the upper right of the screen (or CANCEL your changes.) The Local Authentication Server Enable and configure the Bridge’s internal RADIUS server and local user and device authentication, in Advanced View, on the Local Server tab of the RADIUS Settings screen. 4.3.2.1 Local Authentication Server State The Administrative State setting turns the local authentication service on (Enabled) and off (Disabled, the default). 138 Bridge GUI Guide: Security Configuration 4.3.2.2 Local Authentication Server Port and Shared Key The Port setting configures the port to be used to communicate with the local authentication server. The default authentication server port is 1812, as assigned by the IANA (Internet Assigned Numbers Authority) for RADIUS server authentication. Use the New Shared Key and Confirm Shared Key fields to establish the shared key for the Bridge’s internal authentication server. The key must be 1–16 (inclusive) characters in length, and it can contain any printable character. The same key must be configured on other Fortress controller devices when they are configured to use the current Bridge’s authentication server. 4.3.2.3 Local Authentication Server Priority In configurations with multiple authentication servers, Priority establishes the server’s position in the order of redundant servers for the specified authentication type(s). Numerical values between 1 and 999 are accepted. The default value, Last, places the server last on the server priority list. 4.3.2.4 Local Authentication Server Max Retries and Retry Interval The Max Server Retries setting determines the maximum number of unsuccessful local authentication attempts a user or device is allowed before being locked out. You can specify whole numbers between 1 and 10; the default is 3. A devices that exceeds the maximum allowable retry attempts to authenticate on the Bridge is locked out until the device’s individual Auth State Mode is set to Allow First. Such a device is locked out on every Bridge in a network, and you must change the device’s Auth State Mode on every Bridge that handles traffic from the device. Users who exceed the maximum allowable retry attempts to log on to the Bridge-secured network are locked out until you reset their sessions. On a network of Bridges, you must reset the session on each Bridge that passes traffic for the device. Retry Interval specifies how long the Bridge requires a user or device to wait between connection retries. 4.3.2.5 Local Authentication Server Default Idle and Session Timeouts The Default Idle Timeout setting determines the amount of time a device can be idle on the network before the current session is ended and the associated Device ID and/or user credentials must be reauthenticated and keys renegotiated before the connection can be re-established. If local user authentication is in effect for the device and Permit cached authentication credentials is globally Disabled on Configuration -> Security 139 Bridge GUI Guide: Security Configuration (Section 4.1.13), the user will be prompted to re-enter a valid username and password. Set Default Idle Timeout in minutes, between 1 and 720. The default is 30 minutes. The Default Session Timeout - setting determines the amount of time a device can be present on the network before the current session is ended and the associated Device ID and/or user credentials must be reauthenticated and keys renegotiated before the connection can be re-established. If local user authentication is in effect for the device, the user will be prompted to re-enter a valid username and password. Set Default Session Timeout in minutes, between 1 and 200. The default is 30 minutes. 4.3.2.6 Local Authentication Server Global Device, User and Administrator Settings The Default Device State setting globally determines the default connection state of devices auto-populating the device authentication screen and of devices with an individual Auth State Mode setting of Defer (the default, Section 4.3.3.2): Allow - the device will be allowed to connect (provided its individual Auth State Mode is Allow First or Defer and a compatible Key Length has been specified for the device). Pending - (the default) the connection requires administrator action: explicitly changing the device’s individual Auth State Mode to Allow First (or you can explicitly Deny All attempted key exchanges for a device), as described on page 147. Deny - the device is not allowed on the network (provided it is not already present on the Device Authentication tab with an individual Auth State Mode of Allow First). Whether device authentication is enabled and, if so, whether devices populating the device authentication database have user authentication enabled or disabled by default is determined by Authentication Method : NOTE: Individual device authentication settings for devices already present on the Bridge’s Device Authentication tab (whether you added them manually or edited their entries) override the global Default Device State setting on the local authentication server. User auth only - disables device authentication on the Bridge. Device auth with user auth by default - enables device authentication on the Bridge and enables user authentication by default for new devices auto-populating the Device Authentication tab on Local Authentication. Device auth without user auth by default - enables device authentication on the Bridge and disables user authentication by default for new devices. The Administrator Authentication setting enables support for administrator authentication (Enabled) or disables it (Disabled, the default). Refer to Section 2.2.1.6 for more detail. 140 Bridge GUI Guide: Security Configuration 4.3.2.7 Local 802.1X Authentication Settings The Bridge’s internal RADIUS server can be configured to authenticate 802.1X supplicant credentials using two possible EAP (Extensible Authentication Protocol) types. EAP-MD5 verifies an MD5 (Message-Digest algorithm 5) hash of each user’s password, which requires a user’s credentials to be present in the Bridge’s local user authentication service before the local 802.1X service can authenticate that user. Refer to Section 4.3.3.1 for guidance. EAP-TLS provides a significantly higher level of security than EAP-MD5. NOTE: In order to use EAP-TLS (EAP with Transport Layer Security) public key cryptography authentication, you must import a valid EAP-TLS digital certificate for the local service and the root CA (Certificate Authority) certificate that signs the local server certificate. You must also import any root CA certificate(s) used to sign supplicant certificates, so that the local server can verify their authenticity. Refer to Section 6.2 for guidance. In addition, as noted below, three local server configuration settings apply only when EAP-TLS is selected for EAP Protocols. 802.1X Authentication - turns the service on (Enabled) and off (Disabled, the default). CRL Check - for EAP-TLS only, determines whether certificates used to authenticate 802.1X supplicants are checked against the lists of certificates that have been revoked by their issuing authorities. CRL Check is Disabled by default. When the function is Enabled, supplicant certificate chains are traced back to a trusted root certificate and each certificate's serial number is checked against the contents of the issuing authority’s CRL to verify that none of the certificates in the chain have been revoked, as described in RFC 3280. CRL Check does not apply to EAP-MD5 authentication. Strict Check - for EAP-TLS only, controls strict checking of key usage and extended key usage extensions in the authentication server certificate. Strict Check is Enabled by default; you can turn it off by selecting Disabled. Strict Check does not apply to EAP-MD5 authentication. TLS Cipher - for EAP-TLS only, specifies the list of supported cipher suites, or sets of encryption and integrity algorithms, that the 802.1X service will accept: All - the default, supports both Legacy and Suite B cipher suites (below) Legacy - supports Diffie-Hellman with RSA keys (DHE-RSA-AES128-SHA and DHE-RSA-AES256-SHA) Suite B - supports Diffie-Hellman with ECC keys (ECDHE-ECDSA-AES128-SHA and ECDHE-ECDSAAES256-SHA) 141 Bridge GUI Guide: Security Configuration In EAP-TLS, the authentication server selects the cipher suite to use from the list of supported suites sent by the client device (or rejects the authentication request if none of the proposed suites are acceptable). TLS Cipher does not apply to EAP-MD5 authentication. EAP Protocols - specifies the EAP type(s) the Bridge can use to authenticate 802.1X supplicant credentials: EAP-MD5 - (default selection) permits the Bridge to authenticate a supplicant using an MD5 hash of the user’s password. EAP-TLS - when there is a valid EAP-TLS certificate in the Bridge’s local certificate store (refer to Section 6.2), permits the Bridge to authenticate a supplicant using public key cryptography. Figure 4.10. Advanced View Local Authentication Server tab, all platforms 4.3.2.8 Configuring the Local RADIUS Server You can configure local authentication only in Advanced View. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the Local Authentication Server frame, enter new values for the settings you want to configure (described above). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). 142 Bridge GUI Guide: Security Configuration 4.3.3 Local User and Device Authentication You can configure user and device authentication settings even when the Bridge’s local authentication is disabled (the default). The settings will only be applied when the local RADIUS server is enabled (refer to Section 4.3.2). 4.3.3.1 Local User Authentication Accounts Locally authenticating users are displayed on the User Entries list on Configure -> RADIUS Settings -> Local Server. NOTE: When using an external authentication server, user and (when applicable) device authentication settings are configured in the external application. You cannot disable local user authentication, per se, except by disabling local authentication entirely. There is, however, no requirement that you configure local users. The users for whom you create accounts can fall into one of two categories: Secure Client users - are running the Fortress Secure Client on their connecting devices. They use the Bridge’s local user authentication service to log on to the Bridgesecured network. Secure Client users pass only encrypted traffic on the Bridge’s encrypted interfaces. Administrative users - use the Bridge’s local user authentication service to log on to the management interface of another Fortress Bridge on the network (or of the local Bridge), when the administrative Authentication Method on that Bridge is set to RADIUS. Administrative users pass only encrypted traffic on the Bridge’s encrypted interfaces. When an administrative user logs on to the Bridge through a local or remote Fortress user authentication database (as configured on the relevant Local Server screen), a Learned administrative account is created for that user in the administrator authentication database. You can optionally convert a Learned account to a local administrative account that can be used if the original user authentication service becomes unavailable (refer to Section 2.2.2.8). One can optionally convert the learned account(s) to local account(s) that can be used when external admin auth is disabled. Default User Authentication Settings While idle timeout and session timeout settings can be individually configured for each user, the default values for these settings are determined by the Default Idle Timeout and Default Session Timeout values configured on the local RADIUS server (refer to Section 4.3.2). 143 Bridge GUI Guide: Security Configuration Individual User Authentication Settings User authentication on the Fortress Bridge requires the usual settings to identify, track and manage access for each user on the Bridge-secured network. Figure 4.11. Advanced View User Database Entry frame, all platforms Administrative State - determines whether user access to the account is Enabled (the default) or Disabled. Username - identifies the user on the network—from 1 to 16 alphanumeric characters—required. Full Name - associates the person, by name, with his/her user account—up to 64 alphanumeric characters, including spaces, dashes, dots and underscores—optional. New/Confirm Password - establishes the credentials the user must key in to access his/her user account—must comply with the password requirements configured in Configure -> Security -> Logon Settings (Section 2.2.1.8)— required. Role - Determines whether the user is a Secure Client user permitted access to only the Bridge-secured network (None) or an administrator permitted access to both the network and to the management interface of a remote or local Bridge—at the specified level of privileges (Log Viewer, Maintenance, or Administrator). Idle Timeout - sets the amount of time the user’s device can be idle on the network before it must renegotiate keys with the Bridge. NOTE: Administrative roles are described in Section 2.2.2.3. Idle Timeout is set in minutes, between 1 and 720. If you enabled Local Authentication while leaving the local authentication server’s Default Idle Timeout setting at its default, the Idle Timeout value in the User Authentication Setting frame will be 30 minutes. Session Timeout - sets the amount of time the user’s device can be present on the network before the current session is ended and he/she must log back in to re-establish the connection. Session Timeout is set in minutes, between 1 and 200. If you enabled Local Authentication while leaving the local authentication server’s Default Session Timeout setting at its 144 Bridge GUI Guide: Security Configuration default, the Session Timeout value in the User Authentication Setting frame will be 20 minutes. You can add and edit locally authenticated users only in Advanced View. To configure locally authenticated user accounts: An existing account’s Username cannot be changed, but you can edit any other value associated with a user account Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the User Entries frame: If you are adding a user, click NEW USER and enter valid values (described above) into the User Database Entry frame. or If are editing an existing account, click the EDIT button for the account you want to reconfigure and enter new values for the settings you want to change. Click APPLY in the upper right of the screen (or CANCEL the addition). Newly created accounts are added to the User Entries list. Figure 4.12. Advanced View User Entries frame, all platforms To delete local user accounts: You can delete a single user account, selected accounts, or all user accounts from the Bridge’s internal RADIUS server. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the User Entries frame: If you want to delete a single user account or selected accounts, click to place a checkmark in the box(es) beside the account(s) you want to eliminate. or If you want to delete all local user accounts, click ALL at the top of the User Entries list to check all accounts. 145 Bridge GUI Guide: Security Configuration Click the User Entries frame’s DELETE button. Click OK in the confirmation dialog. Deleted accounts are removed from the User Entries list. 4.3.3.2 Local Device Authentication Fortress’s device authentication assigns each Fortress device, including those running the Fortress Secure Client, a unique Device ID subsequently used to authenticate the device for access to the Fortress-secured network. The Bridge’s native device authentication settings apply only to devices authenticating through the Bridge’s internal authentication server. When device authentication is enabled, the Bridge detects devices attempting to access the Bridge’s encrypted zone and lists them on Configure -> RADIUS Settings -> Local Server, in the Device Entries frame. NOTE: Device authentication is supported only by the authentication servers internal to Fortress controller devices; 3rd-party RADIUS servers do not support device authentication. You can also manually add devices to the Bridge’s Device Entries list. In order to add a device manually, you must specify its MAC address and Fortress-generated Device ID. Default Device Authentication Settings As devices auto-populate the Device Entries list., they are permitted or denied immediate access to the network based on the Default Device State setting on the (Configure -> RADIUS) Local Server tab: Allow - devices will be allowed to connect by default. Pending - (the default) connections require an administrator to change individual device authentication settings to Allow. Deny - devices are not allowed on the network by default. You can also configure whether user authentication is enabled or disabled by default for auto-populating devices. All Local Authentication Server settings are described in Section 4.3.2). To enable device authentication and configure defaults: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the Local Authentication Server frame: Verify that Administrative State is Enabled and that Port and Shared Key are correctly configured (Section 4.3.2). From the Default Device State dropdown choose a default state (described above) for auto-populating devices. 146 Bridge GUI Guide: Security Configuration In Authentication Method, simultaneously enable device authentication and configure the default user authentication setting, by selecting one of: Device auth with user auth by default - enables user authentication for new devices by default. Device auth without user auth by default - disables user authentication for new devices by default. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Connecting devices will auto-populate the Device Entries list with the defaults you configured. Individual Device Authentication Settings When device authentication is enabled (above), connecting devices auto-populate the Bridge’s Device Entries list, and any manually created device authentication accounts on the Bridge are applied to the devices they specify. The Fortress Bridge tracks and manages access for devices on the Fortress-secured network through two identifiers: the device’s MAC address and its Fortress-generated Device ID. When a device auto-populates the Device Entries list, these values are detected and entered for the device. When you manually add a device, you must specify its MAC address and Device ID. Consult the relevant Fortress documentation for the device you are adding for information on determining its Fortress Device ID. NOTE: The Device ID of the current Bridge is shown on Configure -> Administration, in the System Info frame at the top of the screen. The values and settings that configure individual device authentication accounts include: Administrative State - Determines whether the device is Enabled (the default) or Disabled for network access. Device ID - a unique, 16-digit hexadecimal identifier generated for the device and used to authenticate it on the network Once a Fortress Device ID has been generated for a device, it is not user configurable. If you are manually adding a device, you must specify its valid, Fortress Device ID. Once established (manually or automatically), the Device ID cannot be changed. MAC Address - the device’s MAC address If you are manually adding a device, you must specify its MAC address. Once established (manually or automatically), the MAC address cannot be changed. Common Name - accepts up to 64 alphanumeric characters by which you can identify the device. If a device has a hostname associated with it (the hostname of a laptop running the Fortress Secure Client, 147 Bridge GUI Guide: Security Configuration for instance), that hostname is included for the device when it is first added to the DEVICE AUTHENTICATION screen. If no hostname is associated with the device, it will be added without one. You can edit an existing hostname or add one for a device that has no hostname. User Auth - configures whether the Bridge will require the device’s user to authenticate before allowing the device to connect to the encrypted zone (Enabled) or allow the device access without user authentication (Disabled). Auth State Mode - configures the initial state of the device’s connection to the encrypted zone: Allow First - the device will be allowed to connect using the first key establishment method it attempts to use. Once the device is connected the Bridge will automatically detect any other key establishment methods the connecting device supports, and you can specify those you wish to allow the device to use for subsequent connections to the network. If you want the device to be able to use a supported key establishment method other than that used for the initial connection, you must manually enable it for the device. Deny All - prevents all access to the network; all the device’s attempts to exchange keys will be denied. Defer - whether the device is allowed to connect depends upon the local authentication server’s Default Device State setting (Section 4.3.2). Authed Keys - after a device has been added to the Bridge’s device authentication database and allowed to connect, you can specify the key establishment method(s) the device will be allowed to use for subsequent connections. Available options are limited to the key establishment method(s) the device has previously used to try to connect. No Authed Keys are selected by default You can add and edit locally authenticated Secure Client devices only in Advanced View. Figure 4.13. Advanced View Device Database Entry frame, all platforms To configure locally authenticated Secure Client device accounts: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner 148 Bridge GUI Guide: Security Configuration of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the Device Entries frame: If you are adding a device, click NEW DEVICE and enter valid values (described above) into the Device Database Entry frame. or If you are editing an existing account, click the EDIT button for the account you want to reconfigure and enter new values for the settings you want to change. Click APPLY in the upper right of the screen (or CANCEL the addition). Newly created accounts are added to the Device Entries list. Figure 4.14. Advanced View Device Entries frame, all platforms To delete Secure Client device accounts: You can delete a single device account, selected accounts, or all device accounts from the Bridge’s internal RADIUS server. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. On the RADIUS Settings screen, click the Local Server tab. In the Device Entries frame: If you want to delete a single device account or selected accounts, click to place a checkmark in the box(es) beside the account(s) you want to eliminate. or If you want to delete all local device accounts, click ALL at the top of the Device Entries list to checkmark all accounts. Click the Device Entries frame’s DELETE button. Click OK in the confirmation dialog. Deleted accounts are removed from the Device Entries list. 4.4 Local Session and Idle Timeouts When their connections to the Bridge have not passed traffic for a specified number of seconds, devices are cleared from the Bridge’s database of currently connected devices. When a 149 Bridge GUI Guide: Security Configuration device’s session is idle timed out by the Bridge in this way, the device must re-establish its connection; if it is re-accessing an encrypted zone it must also reauthenticate. Idle timeouts can be configured for two types of devices: Secure Client devices - are the devices running the Fortress Secure Client to connect to the Bridge’s encrypted zone. Host devices - are devices in the Bridge’s clear zone. Host idle timeouts can be set in only one place in the Bridge GUI, only in Advanced View, on Configure -> Security -> Security Settings -> Host Idle Timeout (refer to Section 4.1.15). The Bridge GUI provides more than one configuration field for Secure Client idle timeouts, to accommodate different authentication scenarios and administrative options: Configure -> Security -> Security Settings -> Client Idle Timeout allows you to configure global and individual Secure Client idle timeouts when local authentication is not enabled (refer to Section 4.1.15). Configure -> RADIUS Settings -> Local Server-> Default Idle Timeout globally determines the default Secure Client timeout on the Bridge’s local authentication server. When local authentication is enabled, this setting overrides the timeout configured on the Security screen (refer to Section 4.3.2). Configure -> RADIUS Settings -> Local Server-> NEW USER/ EDIT -> Idle Timeout determines the individual Secure Client’s idle timeout on the Bridge’s local authentication server. This setting overrides the default user timeout setting (refer to Section 4.3.3). NOTE: Idle timeout settings for network users’ connecting devices are distinct from the globally configured session idle timeout for administrators (Section 2.2.1.4). In addition, you can set global and individual session timeouts for locally authenticated users on the second and third screens described above. When FastPath Mesh is licensed and enabled, global idle timeout values for all types of devices are controlled by software, rather than by configured (or default) global values. Individual user timeout settings, however, continue to override global values, as described. 4.5 ACLs and Cleartext Devices The first Access Control List (ACL) on Configure -> Access Control, IP Access Whitelist, applies exclusively to administrative connections to the Bridge’s management interface and is covered in Section 2.2.3 with the other administrative access configuration settings. There is also an ACL associated with the Bridge’s IPsec function, which is covered in Section 4.2.4 with the other IPsec configuration settings. 150 Bridge GUI Guide: Security Configuration The remaining access Access Control functions are covered below. These prevent, or define limits for, overall network access, whether by administrators or users. 4.5.1 MAC Address Access Control The Bridge allows you to create and maintain an ACL of MAC (Media Access Control) addresses permitted to access the Bridge-secured network. When the MAC Access Whitelist is Enabled, only those MAC addresses present on the list will be permitted to access the Bridge-secured network. To control network access by specified MAC addresses: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the resulting screen’s MAC Access Whitelist frame, click NEW MAC. CAUTION: If you ignore the relevant warning, you can block all network access by having the MAC Access Whitelist Enabled when there are no MAC addresses listed. Access can be restored only by reconfiguring the function via a direct physical connection to the Bridge’s Console port. Figure 4.15. Advanced View Add a MAC filter entry dialog, all platforms In the resulting Add a MAC Filter Entry dialog, select your current MAC address from the dropdown list above the MAC Address field (or manually enter the address) and optionally enter a Description for the entry. Then click APPLY. Repeat steps 2 and 3 for any additional MAC addresses from which you want to permit network access. Only MAC addresses of devices currently connected to the network will be present in the dropdown list. To add a device that is not currently connected, you must leave the dropdown at its default, Manual Entry, and manually enter its MAC address. 151 Bridge GUI Guide: Security Configuration Figure 4.16. Advanced View MAC Access Whitelist frame, all platforms When you have finished adding permitted MAC addresses, in the MAC Access Whitelist frame, in Administrative State, click Enabled. Click APPLY on the right of the frame. If you navigate away from the screen without clicking APPLY, the Administrative State will not be changed. The MAC ACL reflects your changes. If you attempt to enable the MAC Access Whitelist when the MAC address you are currently logged on through is not listed, a dialog warns that proceeding will block network access for the computer you are currently using A dialog will also warn you if you are deleting your current MAC address from the list when the list is already enabled (after you have cleared the usual confirmation dialog). CAUTION: If your current MAC address is not on the MAC Access Whitelist when you Enable it or you delete your address when the list is already enabled, and you do not Cancel the change when prompted, your session will end and your current MAC address will be blocked until it is added to the list of permitted addresses or the function is disabled. Figure 4.17. Advanced View current MAC address lockout dialog, all platforms Unless you want to prevent network access from your current MAC address, Cancel these changes. The MAC Access Whitelist is Disabled by default, and only the current Bridge’s MAC address is automatically listed. If the MAC Access Whitelist is Enabled when there are no MAC addresses on the list, all network connections will be blocked. Network access can be restored only by reconfiguring the function through a direct, physical connection to the Bridge’s Console port. 152 Bridge GUI Guide: Security Configuration To edit the description of an existing MAC address entry: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s MAC Access Whitelist frame, click the EDIT button for the entry for which you want to change the description, and in the Edit a MAC filter entry dialog: Edit the Description (you cannot change the MAC Address). Click APPLY in the dialog (or CANCEL it to cancel the action). The MAC ACL reflects your changes. To delete MAC addresses from the ACL: You can delete a single device entry or all MAC addresses on the Bridge’s ACL. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s MAC Access Whitelist frame, If you want to delete a single entry, click to place a check in the box beside it; then the DELETE button above the list. or If you want to delete all entries, click All to place a check in all entries’ boxes; then click the DELETE button above the list. Click OK in the confirmation dialog (or Cancel the deletion). The MAC ACL reflects your changes. 4.5.2 Controller Device Access Control Fortress’s device authentication assigns every Fortress controller device (Fortress Bridges and Controllers) a unique Device ID that is subsequently used to authenticate the device for access to the Fortress-secured network. The Bridge detects other Fortress controller devices on the network, automatically populates the Controller Access List with these discovered devices and, by default, allows them to connect. As controller devices auto-populate the Authorized Controller Devices list, they are permitted or denied immediate access to the network based on the Default Auth State setting in the Controller Access List frame: 153 Bridge GUI Guide: Security Configuration Allow - (the default) auto-populating controller devices will be allowed to connect. Pending - auto-populating controller devices require an administrator to change their individual Auth State settings to Allow before they can connect. Deny - auto-populating controller devices are not allowed to connect. You can also manually add controller devices to the Bridge’s Authorized Controller Devices list. In order to add a device manually, you must specify its MAC address and Fortress-generated, 16-digit hexadecimal Device ID. The Bridge’s Device ID and MAC address are displayed in the System Info frame on Configure -> Administration. NOTE: Figure 4.18. Advanced View Add a Controller entry dialog, all platforms Access Control functions are available only in Advanced View. To configure the Controller ACL: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s Controller Access List frame, select the Default Auth State for auto-populating (and manually configured) Controller devices (described above). In the same frame: If you want to add a device to the Bridge’s Controller ACL: Click NEW CONTROLLER. In the Add a Controller entry dialog, enter the Device ID and the Device MAC address for the Controller. Select the Auth State at which the Controller will be permitted to connect (described above). and/or If you want to edit the entry of an existing entry: Click the EDIT button for the entry. 154 Bridge GUI Guide: Security Configuration In the Edit a Controller entry dialog, edit the MAC address or Auth State (you cannot change the Device ID). Click APPLY in the dialog (or CLOSE it to cancel the action). When you have finished adding and/or editing Controller entries, click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). The Controller Access List reflects your changes. Figure 4.19. Advanced View Controller Access List frame, all platforms To delete Controller devices from the ACL: You can delete a single Controller entry or all Controller devices on the Bridge’s ACL. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s Controller Access List frame, If you want to delete a single entry, click to place a check in the box beside it; then the DELETE button above the list. or If you want to delete all entries, click All to place a check in all entries’ boxes; then click the DELETE button above the list. Click OK in the confirmation dialog (or Cancel the deletion). The Controller ACL reflects your changes. 4.5.3 Cleartext Device Access Control You may want to allow certain devices to pass unencrypted data, or clear text, on the Bridge’s encrypted interfaces. These might be wireless 3rd-party APs (access points) or Trusted Devices that require cleartext access to the encrypted zone. Network security is maximized when: the smallest possible number of cleartext devices are permitted encrypted zone access 155 Bridge GUI Guide: Security Configuration the smallest effective set of accessible ports is specified for each 3 cleartext device access is enabled only when needed Once cleartext access to encrypted interfaces has been established for a device, the Bridge uses the device’s MAC address, IP address and port number to authenticate it on the network. Configured cleartext devices will not be allowed to pass traffic in the Bridge’s encrypted zone, unless Cleartext Traffic has been Enabled (on Advanced View -> Configure -> Security -> Security Settings, refer to Section 4.1.10). Cleartext Traffic is Disabled by default. These settings are available regardless of specified cleartext Device Type (below): NOTE: The current Cleartext traf- fic setting is shown in the upper left of all Bridge GUI screens (refer to Section 5.1). Admin State - determines whether the device’s cleartext access to the Bridge’s encrypted zone is Enabled or Disabled (the default). Device Name - establishes a descriptive name for the device. Access rules, whether for Trusted Devices or APs must be uniquely named on the Bridge. MAC Address - provides the MAC address of the device. IP Address - provides the network address of the device. Device Type - establishes the cleartext device as a wireless Access Point or a designated Trusted Device. Pass All Traffic - determines whether the Bridge will filter OSI Layer 2 traffic from the device (checkbox clear, the default) or allow all OSI Layer 2 traffic to pass to and from the device in the encrypted zone (box checked). STP and Cisco® Layer 2, VLAN management traffic to or from switches in the Bridge’s encrypted zone requires Pass All Traffic to be enabled (checked). NOTE: Figure 4.20. Advanced View Trusted Device/AP Settings frame, all platforms 4.5.3.1 3rd-Party AP Management Bridges equipped with one or more radios can themselves serve as wireless access points (APs), as described in Section 3.3.4. The Bridge-secured network can additionally include 3rd-party wireless APs, which will pass network traffic normally regardless of whether you have configured the Bridge to allow administrative access to the AP. If you want to manage a 3rd-party AP on the Bridge-secured network, you must communicate with it in clear text (the AP 156 Bridge GUI Guide: Security Configuration having no means to decrypt/encrypt Fortress MSP traffic). To do so, you must configure cleartext access for the AP. Cleartext access configured to permit direct communication with APs can represent a security risk: APs’ MAC addresses are necessarily transmitted in clear text and could be spoofed. Fortress recommends creating and enabling cleartext device access only as required and filtering that traffic to permit only the necessary minimum network access for the device. These settings are available only when Device Type (Section 4.5.3) is Access Point: Custom Management Ports - specifies ports by number (separate multiple entries by commas, no spaces). Two-Way - permits two-way communication for AP management (Enabled) or allows only one-way communication from the Bridge to the AP (Disabled, the default), according to the requirements of the AP. When Trusted Device is the selected Device Type, this field is greyed out. CAUTION: To maximize network security, permit the fewest possible cleartext devices to access encrypted interfaces and to configure the smallest effective set of accessible ports for each. Figure 4.21. Advanced View Access Point Settings frame, all platforms 4.5.3.2 Trusted Devices Some wireless devices—IP phones, digital scales or printers, for example—are not equipped to run additional software such as the Fortress Secure Client. In order to allow such a device onto the network, the Fortress Bridge must be configured to identify it as a Trusted Device— essentially a specialized, cleartext network device for which the narrowest possible access rules are applied. Visitor Access through Trusted Devices Visitors to your facilities can be granted temporary access to the WLAN by configuring Trusted Devices, with appropriate access rules, through which visitors can connect their mobile devices. Trusted Devices created to provide access to visiting mobile device are managed no differently from other Trusted Devices. To limit visitor access to the Web, select only the Web group of port numbers from the checkbox options in the Access Management Rules frame. Trusted Devices for visitors are managed no differently from other Trusted Devices. You should delete any Trusted Device access rule when it is no longer required. 157 Bridge GUI Guide: Security Configuration Well Known Trusted Device Ports Well Known TD Ports - specifies accessible groups of well known ports, grouped by function. Well Known TD Ports options are available only when Device Type (Section 4.5.3) is Trusted Device. Figure 4.22. Advanced View Well Known TD Ports frame, all platforms Access Control functions are available only in Advanced View. To configure cleartext access for APs and Trusted Devices: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s Controller Access List frame, click NEW TD/AP, and on the resulting screen: On the APs/Trusted Devices screen, configure basic cleartext device settings in the Trusted Device/AP Settings frame. If Access Point was selected for Type in the preceding step, configure Access Point Settings for the device. or If Trusted Device was selected for Type in the preceding step, configure Well Known TD Ports for the device. Click APPLY in the upper right of the screen (or CANCEL your addition). NOTE: Cleartext Traffic must be En- abled in order for any AP or Trusted Device to pass traffic on encrypted interfaces (refer to Section 4.1.10). Devices for which cleartext access to the encrypted zone has been configured are displayed on the Trusted Device/AP Access List. To edit APs and Trusted Device cleartext access: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s Controller Access List frame, click EDIT button beside the device entry you want to edit. On the resulting screen, change those settings you want to reconfigure. Click APPLY in the upper right of the screen (or CANCEL your changes). 158 Bridge GUI Guide: Security Configuration To delete cleartext access for APs and Trusted Device: You can delete cleartext access to the Bridge’s encrypted zone for a single device or for all devices. Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left. In the Access Control screen’s Controller Access List frame: If you want to delete one or more selected cleartext devices, click to check the box(es) for the cleartext device(s) you want to delete. or If you want to delete all cleartext devices, click All to place a check in the box of every device. Click DELETE. Disabling or deleting cleartext access for an AP does not disable the access point: it continues to pass network traffic among devices on the encrypted network. NOTE: Click OK in the confirmation dialog (or Cancel the deletion). The cleartext device ACL reflects your changes. 4.6 Remote Audit Logging The Bridge supports remote audit logging using the syslog standard with an external server, and you can specify a threshold severity level for the events sent to syslog. You can also specify a number of parameters by which to separately filter administrator and connecting device activity for audit logging. 4.6.1 Enabling Audit Logging To send audit log messages from the Bridge to an external server, you must enable the function and enable and configure the Bridge’s connection to the syslog server. You can send logged events of every severity level to the remote server, or you can globally configure the Bridge to send a only a subset of messages, filtered by severity level, for audit logging. NOTE: Remote log- ging settings do not affect which events the Bridge logs locally, in the native Event Log (refer to Section 5.9). Logging/Auditing functions are available only in Advanced View. Figure 4.23. Advanced View Global Logging Settings frame, all platforms To enable remote audit logging: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner 159 Bridge GUI Guide: Security Configuration of the page, then Configure -> Logging/Auditing from the menu on the left. In the Logging/Auditing screen’s Global Logging Settings frame: In Auditing - click Enabled to turn audit logging on. In Remote Log Storage - click Enabled to direct the Bridge to use the network syslog server. In Remote Log Host - enter the IP address of the syslog server. In Severity of Messages Retained - select from the dropdown the minimum severity level for which messages will be sent to the external audit log. At the default setting of Critical, for example, the Bridge will send only those messages at the Critical severity level, and not those at lower levels of severity (Warning, Error, and Informational messages). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Audit logging is Enabled by default, but the external syslog server function is Disabled and no Remote Log Host is configured. Disable audit logging by selecting Disabled in Auditing. 4.6.2 Administrative Audit Logging You can globally configure the way in which administrative activity on the Bridge is filtered for audit logging. Global settings will apply to an administrative session only when the Audit setting for the administrator’s individual account is set to Auto (refer to Section 2.2.2.4). At the default Audit setting of Required, all activity on an administrative account is sent to the audit log without regard to global settings. Additionally, the settings that filter administrative events by User Interface, Fortress Security and Interface Type (sections 4.6.2.1 and 4.6.2.2) will apply only when the administrator is logged on from a MAC address that is not itself subject to the separately configured MAC Auditing Settings (Section 4.6.2.3). If an administrator logs on from a listed MAC address, the audit logging configuration for that MAC address is applied. NOTE: Individual administrative accounts’ Audit settings (refer to Section 2.2.2.4) override all other audit logging settings, and the audit settings associated with a given MAC address (Section 4.6.2.3) override those in Global Auditing Settings. Finally, audit logging must be enabled and an external syslog server configured on the Bridge before events can be sent to the audit log (refer to Section 4.6.1). 160 Bridge GUI Guide: Security Configuration Figure 4.24. Advanced View Global Auditing Settings frame, radio-equipped platforms 4.6.2.1 Logging Administrative Activity by Event Type You can specify which events can be sent to the audit log by three broad types: Login - When Enabled, logon activity by subject administrators can be sent to the audit log. When Login is Disabled, the logon activity of subject administrators will not be sent. Security - When Enabled, if Configuration (below) is also Enabled, any changes made by subject administrators to the Bridge’s security settings can be sent to the audit log. When Security is Disabled, security reconfiguration by subject administrators will not be sent. Configuration - When Enabled, if Security (above) is also Enabled, all changes made by subject administrators to the Bridge’s configuration can be sent to the audit log. If Security is Disabled when Configuration is Enabled, all changes except those to security settings can be logged. When Configuration is Disabled, Bridge reconfiguration by subject administrators will not be sent (even if Security logging is Enabled). In addition to the conditions described at the beginning of this section (4.6.2), whether or not events of an Enabled type are actually sent to the audit log depends on whether the event meets the interface and Fortress security status criteria for audit logging configured in the rest of the Global Auditing Settings frame (below). All three event types are Enabled by default. 4.6.2.2 Logging Administrative Activity by Interface and Fortress Security Status You can filter administrative activity sent to the audit log by the kind of management interface the administrator is logged on 161 Bridge GUI Guide: Security Configuration through and whether the interface is encrypted or clear, wired or wireless: Audit by User Interface - There are four ways an administrator can access the Bridge: Console - a serial connection to the chassis Console port SSH - a Secure Shell connection to the Bridge CLI GUI - an HTTPS (Hypertext Transfer Protocol Secure) connection to the Bridge GUI SNMP - Simple Network Management Protocol transactions Audit by Fortress Security - All remote management connections to the Bridge must be made on one of its Clear Interfaces (on which Fortress Security is Disabled) or on one of its Encrypted Interfaces (on which Fortress Security is Enabled). Audit by Interface Type - All remote management connections must be made through either a Wired interface (Ethernet port) or a Wireless interface, a BSS (Basic Service Set) on one of the Bridge’s radios. The Bridge handles audit event logging according to a hierarchy of categories, ordered as shown above. NOTE: The Wireless interface type does not apply to Bridges without radios and will not be present for those models (refer to Table 1.1 on page 3). Each of the interface and Fortress security status controls for audit event logging can be set to one of three behaviors: Required - events originating from that interface or from an interface with the specified Fortress security status will be logged, provided they are not Prohibited in a superior audit setting. Prohibited - events originating from that interface or from an interface with the specified Fortress security status will not be logged, provided they are not Required in a superior audit setting Auto - events originating from that interface or from an interface with the specified Fortress security status will be logged according to whether they are Prohibited or Required in a superior setting. If all applicable superior settings are at Auto, events will be logged according to any applicable inferior settings. In short, events are checked against the audit settings for User Interface, Fortress Security and Interface Type, in that order, and logged according to the first applicable Required or Prohibited setting. Audit logging is Required by default for all interfaces, regardless of user, type, or Fortress security status. Logging/Auditing functions are available only in Advanced View. 162 Bridge GUI Guide: Security Configuration To configure audit logging by event type, Fortress security status and interface: 4.6.2.3 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Logging/Auditing from the menu on the left. In the Logging/Auditing screen’s Global Auditing Settings frame, enter new values for the controls you want to configure. (Your options are described in sections 4.6.2.1 and 4.6.2.2). Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). Logging Administrative Activity by MAC Address You can filter administrative activity sent to the audit log by the MAC address from which it originates. NOTE: Changes to administrative audit logging take effect at the next administrator logon. The same categories of interfaces and Fortress security status of origin used to globally configure administrative audit logging apply when you configure audit event logging by individual MAC address (refer to Section 4.6.2.2). Audit by User Interface - includes the possible administrative network interfaces: SSH, GUI, SNMP Audit by Fortress Security - includes Clear Interfaces and Encrypted Interfaces. Audit by Interface Type - includes Wired and Wireless interfaces. Each control can be set to one of the same three behaviors described in Section 4.6.2.2: Required, Prohibited, Auto. Events originating from the MAC address are checked against the audit settings for User Interface, and Fortress Security and Interface Type, in that order, and logged according to the first applicable Required or Prohibited setting. NOTE: The Wireless interface type does not apply to Bridges without radios and will not be present for those models (refer to Table 1.1 on page 3). In new MAC address entries, logging is Required by default for all interfaces, regardless of user, type, or Fortress security status. Figure 4.25. Advanced View MAC Auditing Settings frame, all platforms To configure audit logging by MAC address: Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Logging/Auditing from the menu on the left. 163 Bridge GUI Guide: Security Configuration In the Logging/Auditing screen’s Mac Auditing Settings frame, click NEW MAC ENTRY. In the resulting screen’s MAC Auditing Entry frame, enter the MAC address you want to configure for audit logging and, optionally, a description of up to 250 alphanumeric characters, symbols and/or spaces. In the same frame, enter new values for the Audit by... controls you want to configure (described above). Click APPLY in the upper right of the screen (or CANCEL the addition). Figure 4.26. Advanced View MAC Auditing Entry frame, all radio-equipped platforms You can recall the MAC Auditing Entry frame for a configured MAC address by clicking the EDIT button to the left of its entry on MAC Auditing Settings. You can then reconfigure audit logging for that MAC address and APPLY your changes. Delete a MAC address from audit logging by clicking to place a check in the box to the left of its entry on MAC Auditing Settings and then clicking DELETE at the top of the frame. Delete all MAC addresses by clicking All to check all their boxes and then DELETE. 4.6.3 Learned Device Audit Logging The Bridge detects devices connecting to the network it secures. These events are logged locally regardless of how Learned Device Auditing Settings are configured. When audit logging is enabled and an external syslog server is configured on the Bridge (refer to Section 4.6.1), you can configure the Bridge to send events associated with Learned Device connections to the audit log, and you can filter logged events by the Fortress security status and type of interface on which the device is learned. Figure 4.27. Advanced View Learned Device Auditing Settings frame, all radio-equipped platforms 164 Bridge GUI Guide: Security Configuration To configure learned device audit logging: Log on to the Bridge GUI through an Administrator-level account and select Configure -> Logging/Auditing from the menu on the left. On the Logging/Auditing screen, in the Learned Device Auditing Settings frame, click to ENABLE/DISABLE audit event logging of devices learned: on one of the Clear Interfaces on one of the Encrypted Interfaces on a Wired interface on a Wireless interface Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). NOTE: The Wireless interface type does not apply to Bridges without radios and will not be present for those models (refer to Table 1.1 on page 3). 165 Bridge GUI Guide: Monitoring Chapter 5 System and Network Monitoring The Bridge GUI provides access to an array of system and operating information on Configure -> Administration and under Monitor on the main menu and displays the FIPS indicators described below on every screen. 5.1 FIPS Indicators In the upper left of Bridge GUI screens, above the main menu, the Bridge reports three pieces of information relevant to Federal Information Processing Standards (FIPS) 140-2 Security Level 2. Figure 5.1. FIPS indicators, all screens, all platforms Mode - is the Operating Mode, as configured on Configure -> Security and explained in Section 4.1.1 FIPS - Bridge operation complies with FIPS 140-2 Security Level 2. Normal - Bridge operation can be secured but does not meet FIPS requirements. Cleartext - is the Cleartext Traffic setting, as configured on Configure -> Security and described in Section 4.1.10. Enabled - the Bridge allows clear text from specified devices to pass on its encrypted interfaces (Ethernet ports or radio BSSs on which Fortress Security is Enabled). Disabled - the Bridge allows no clear text to pass on any encrypted interface. NOTE: In FIPS ter- minology, the Bridge is in FIPS Bypass Mode (BPM) when cleartext is permitted to pass on any of its encrypted interfaces. Status - when the Bridge is in FIPS operating mode, indicates the current state of FIPS self testing (refer to Section 4.1.8). The Bridge’s color indicator to the left of 166 Bridge GUI Guide: Monitoring these fields displays the basic FIPS state; the text output can reiterate or augment the indicator: Green - Healthy Yellow - The Bridge passed the last FIPS tests. - Testing - The Bridge is running FIPS self tests. Red - Critical - The Bridge is in FIPS failed state and will reboot (refer to Section 4.1.1). A Bridge in Normal operating mode always displays a Status of Healthy. 5.2 Administrative Account Details In Advanced View, you can click the Username of any account listed in Configure -> Administration -> Administrator Settings for details of the account’s creation and modification and a record of logon activity on the account since the Bridge last booted. Figure 5.2. administrator Detailed Statistics dialog, all platforms 5.3 System Information In addition to the configured (or default) values of the settings on the Administration screen (Configure -> Administration), the Bridge GUI displays basic System Information at the top of the screen. Figure 5.3. System Info frame, all platforms (with relevant changes of Model Name) 167 Bridge GUI Guide: Monitoring System Information displays: 5.4 Unencrypted MAC - the MAC address of the Bridge’s management interface Device ID - the Fortress Device ID, as uniquely generated for each device on a Fortress-secured network and used, when applicable, for device authentication. Software Version/Firmware Revision - the Fortress software and firmware currently running on the Bridge The Model Name and Assembly Number - the Fortress hardware device on which the Bridge software is running Topology View On Bridges equipped with one or more radios (refer to Table 1.1 on page 3) and operating as a node in a wireless network, the Topology View screen provides a visual representation of the network to which the Bridge belongs. The screen displays an icon for the Bridge you are currently logged onto—identified by a blue box around the its IP address—and each of the Bridges (nodes) the current Bridge is connected to. When you first view this screen, the Bridges are arranged randomly, but within your frame of view. Figure 5.4. Topology View, all radio-equipped platforms (with relevant changes of current device indicator) Bridges on Monitor -> Topology View are connected by lines, which, by default, indicate by color the Link Speed in Mbps of each connection. You can change screen OPTIONS to have the lines indicate the Signal Strength (dBm) or to remove the lines 168 Bridge GUI Guide: Monitoring (No Lines). The legend in the top right corner of the screen shows what the lines depict and the relative ranges indicated by Green, Yellow, and Red status colors. By default, Bridges in the Topology View are labeled with their IPv4 addresses. Alternatively, you can change the OPTIONS to label network Bridges by Hostname, IPv6 Address, MAC Address, Device ID, or No Labels. Figure 5.5. Topology View Options dialog, all radio-equipped platforms You can view the nodes on the default grid or you can upload a map or satellite image of your location to use as the background for the Topology View (refer to Section 5.4.1). If you use your own image, you can then manually place each of the nodes near their physical location to make the view more representative. Alternatively, you can use the Arrange icons at the top of the screen to view the nodes in a grid, ellipse or in an STP tree configuration based on the STP root. The STP tree view is not available until an STP root has been discovered, which can take a few seconds after the page loads. In STP tree view, the zoom buttons are disabled and the background image and associated options are hidden. NOTE: Clicking an Arrange icon overrides each bridge’s previous placement, so you may not want to use these icons if you have spent time manually dragging each node into place. Figure 5.6. Topology View device details frame (for an ES210), all radio-equipped platforms Click any Bridge icon to open a frame at the bottom of the screen. The frame displays the selected Bridge’s Device ID, IPv4 Address, Hostname, Model, IPv6 Address, Location, Software version, MAC Address, and Temperature. Any field that is not available for the selected Bridge is left blank. The IPv4 Address serves as a link to that Bridge’s GUI logon screen. 169 Bridge GUI Guide: Monitoring 5.4.1 Uploading a Background Image You can upload a JPEG (.jpg) image file of up to 1 MB, typically a map or satellite image, to use as the Topology View background. Log on to the Bridge GUI through an Administrator-level account and select Monitor -> Topology View from the menu on the left. On the Topology View screen, click OPTIONS. On the resulting screen, click Browse. On the resulting screen, navigate to the image file you want to upload and click OK. Click UPLOAD. Once the image has loaded, click CLOSE. The image is now the background of the Topology View screen. You can reposition your image or zoom the view in or out as needed. 5.5 Connections and DHCP Lease Monitoring The tabs under Monitor -> Connections provide monitoring of all devices currently connected to the Bridge and simple network access controls for devices connected to the Bridge’s encrypted interface(s). The last tab displays current leases on the Bridge’s internal DHCP servers, when enabled. Each tab heading shows the type of connection displayed on the tab and, in brackets, a current count of connected devices of that type. The Bridge’s three status icons apply to the Connections shown on all tabs. successful connection unknown connection blocked connection You can sort the entries on any Connections tab, in ascending or descending order, by any displayed parameter, by clicking on the corresponding column heading. 5.5.1 Associations Connections On Bridges equipped with one or more radios (refer to Table 1.1 on page 3), the Associations tab of the Monitor -> Connections screen shows current connections to any BSSs NOTE: Associations are not relevant to Bridge models that do not contain radios. 170 Bridge GUI Guide: Monitoring configured (as APs or FP Mesh Access interfaces) to provide network access to wireless devices within range. Figure 5.7. Connections screen, Associations tab, all radio-equipped platforms Radio - identifies the radio to which the device is connected. BSS - shows the name of the Basic Service Set through which the device is connected. MAC Address - displays the Media Access Control address of the associated device. Wi-Fi Security - displays the IEEE 802.11i security protocol the device is using. Zone - indicates whether the BSS to which the device is connected is Encrypted (Fortress Security is Enabled) or Clear (Fortress Security is Disabled). Auth State - the state of the device’s network authentication process. Possible values include: Unknown - connected, not yet ready to proceed Initial - ready to proceed, waiting for device to respond Started - response received, authentication in process Success - authentication succeeded: network access permitted Locked - authentication failed: network access blocked Date Learned - the start date/time of the device’s current session 5.5.2 Bridge Links On Bridges equipped with one or more radios (refer to Table 1.1 on page 3), the Bridge Links tab of the Connections screen NOTE: Bridge Links are not relevant to Bridge models that do not contain radios. 171 Bridge GUI Guide: Monitoring shows current connections to any BSS the Bridge configured as the bridging interface in a network of Fortress Bridges. Figure 5.8. Connections screen, Bridge Links tab, all radio-equipped platforms radio N - identifies the radio on which the BSS forming the bridging link is configured. Signal Strength - dynamically displays the strength of the RF signal forming the link, measured in real time at onesecond intervals, in decibels referenced to milliwatts. MAC Address - the Media Access Control address of the connected network node Device ID - the Device ID—the unique hexadecimal Fortress-generated identifier—which provides device authentication on the Bridge-secured network—of the connected network node State - the bridging status of the connected network node. Possible values and meanings depend on the Bridge’s current Bridging Mode setting (Section 3.2): When STP is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding - the interface is passing all traffic Listening - the interface is listening for BPDUs (Bridge Protocol Data Units) in order to build its loop-free path, but is not yet forwarding general data frames Blocking - the interface is blocking user traffic (usually because it is a duplicate or sub-optimal path) When FastPath Mesh is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding All - the interface is passing all traffic Blocking - the interface is blocking all traffic Rate - the maximum data transmission rate of the link in megabits per second 172 Bridge GUI Guide: Monitoring Because of the radio enhancements and traffic handling efficiencies defined in the newer standard, bridging links formed between radios configured to use 802.11n (refer to Section 3.3.2.2) can show Rate values higher than the Maximum Rate configured for either individual interface (refer to Section 3.3.4.10). 5.5.3 Secure Client and WPA2 Device Connections Fortress Secure Clients connect to an encrypted interface on the Bridge using Fortress’s Mobile Security Protocol (MSP). Secure Client connections can be made through an Ethernet interface configured to apply Fortress Security (refer to Section 3.7.4) or through a BSS (Basic Service Set) on one of the Bridge’s radios that has been configured to apply Fortress Security (refer to Section 3.3.4.13). WPA2 (Wi-Fi Protected Access 2) clients connect to the Bridge using the 802.11i WPA2 security standard through a BSS on one of the Bridge’s radios that has been configured to use the same standard: WPA2, WPA2-Mixed, WPA2-PSK, or WPA2-MixedPSK (refer to Section 3.3.4.14). NOTE: The WPA2 Client Type applies only on Bridges equipped with one or more radios. Secure Client and WPA2 connections are shown on the Clients/ WPA2 tab of the Connections screen. Figure 5.9. Connections screen, Clients/WPA2 tab, all platforms8 The Connections screen displays these attributes of the connected device: Client Type - whether the device is an MSP (Fortress Secure) Client, or a WPA2 Client. MAC Address - the Media Access Control address of the Client device Key Length - the key establishment method (refer to Section 4.1.3) used to secure the current session Device ID - if the device is an MSP Client, the device’s unique, hexadecimal, Fortress-generated identifier, which provides device authentication on the Bridge-secured network (when device authentication is enabled). WPA2 client devices are not assigned Device IDs. Client Ver. - if the device is a Fortress Secure Client, the version of the Fortress software currently running on the connected device. WPA2 client devices, which do not run Fortress software, report N/A. 8. Associations and Bridge Links tabs absent when no internal radio is present (refer to Table 1.1 on page 3). 173 Bridge GUI Guide: Monitoring Auth State - the state of the device’s network authentication process. Possible values include: Unknown - connected, not yet ready to proceed Initial - ready to proceed, waiting for Client to respond Started - response received, authentication in process Success - authentication succeeded: network access permitted Locked - authentication failed: network access blocked Conn. State - the state of the device’s network connection. Possible values depend upon whether the Secure Client is authenticating through the current Bridge or through another Fortress controller device to which the current Bridge is connected: If the Secure Client device is authenticating through the current Bridge, the state of its connection is reported: Initializing - key exchange with Client device initializing SKey - static keys exchanged with Client device DKey - dynamic keys exchanged with Client device Blocked - key exchange with Client device failed Unbound - Client device is not connecting via another Fortress controller device when it is expected to be Bound - Client device is connecting via another Fortress controller device, should be followed by Partner Connection States (below). Inferior DKey - Received inferior dynamic key from Client device Key Failed - key exchange with Client device failed If the Secure Client device is authenticating through another Fortress controller device, the state of that device’s connection to the current Bridge is reported: Partner Initializing - key exchange with controller device initializing Partner Negotiating - static keys exchanged with controller device Partner Secure - dynamic keys exchanged with controller device Partner Failed - key exchange with controller device failed Partner Inferior DKey - Received inferior dynamic key from controller device Partner Key Failed - key exchange with controller device failed Date Learned - the start date/time of the connected device’s current session 174 Bridge GUI Guide: Monitoring The controls at the upper left of the tab and individual checkboxes for connected Clients permit you to: 5.5.4 RESET selected sessions: end their current sessions and force them to reauthenticate on the Bridge. When Allow Cached Credentials is Enabled (the default), locally authenticated users are reauthenticated transparently, using cached user credentials; when the function is Disabled, locally authenticated users are prompted for their login credentials (Section 4.1.13). Controllers Connections Fortress Controllers include Fortress ES-series Bridges and the Fortress Controller, or FC-X (refer to Section 1.3.1 for more detail). The Bridge GUI displays connections to them on the Controller tab of the Connections screen. Figure 5.10. Connections screen, Controllers tab, all platforms9 MAC Address - the Media Access Control address of the controller device Hostname - the network hostname of the device Device ID - the device’s unique, hexadecimal, Fortressgenerated identifier, which provides device authentication on the Bridge-secured network (when device authentication is enabled) Conn. State - the state of the controller device’s network connection. Possible values include: Initializing - key exchange with device initializing Negotiating - static keys exchanged with the device Secure - dynamic keys exchanged with the device Failed - key exchange with the device failed Inferior DKey - Received inferior dynamic key from the device Key Failed - key exchange with the device failed 9. Associations and Bridge Links tabs absent when no internal radio is present (refer to Table 1.1 on page 3). 175 Bridge GUI Guide: Monitoring Update Access ID - Access ID push in progress for the device Date Learned - the start date/time of the controller device’s current session The controls at the upper left of the tab and individual checkboxes for connected controller devices permit you to: 5.5.5 selected sessions: end their current sessions and force them to reauthenticate on the Bridge. RESET Hosts Connections Host devices are those connected to the Bridge’s clear interface(s), either through a clear interface on the current Bridge or through a clear interface on a remote Bridge with an encrypted connection to the current Bridge. The Bridge GUI displays these connections on the Hosts tab of the Connections screen. Figure 5.11. Connections screen, Hosts tab, all platforms10 MAC Address - the Media Access Control address of the host device Interface - for devices connected through a clear interface on the current Bridge, the Bridge interface the host device is connected through. If the host was learned from a remote Bridge with a wireless bridging link to the current Bridge, Interface identifies the internal radio on which the MRP (mesh radio port) link resides. Device ID - for devices connected through a clear interface on a remote Bridge, the Fortress Device ID of the remote Bridge the host device is connected through. Device ID does not apply to hosts connected through a clear interface on the current Bridge, unless the connected host is another Fortress Bridge (or controller device). Auth State - for devices connected through a clear interface on a remote Bridge, the state of the remote Bridge’s network authentication process. Possible values include: Unknown - connected, not yet ready to proceed Initial - ready to proceed, waiting for controller device to respond Started - response received, authentication in process NOTE: Device IDs are unique Fortress-generated identifiers that enable device authentication on the Bridge-secured network (Section 5.3). 10.Associations and Bridge Links tabs absent when no internal radio is present (refer to Table 1.1 on page 3). 176 Bridge GUI Guide: Monitoring Success - authentication succeeded: network access permitted Locked - authentication failed: network access blocked Auth State does not apply to hosts connected through a clear interface on the current Bridge. 5.5.6 Date Learned - the start date/time of the current session with the host device AP and Trusted Devices Connections Trusted Devices or 3rd-Party access points (APs) can be configured on the Bridge for encrypted interface access (Section 4.5.3). When these devices are connected, the Bridge GUI displays them on the AP/Trusted Device tab of the Connections screen. Device Type - whether the device is configured as an Access Point or Trusted Device MAC Address - the Media Access Control address of the AP or Trusted Device IP Address - the IP (version 4) address of the device Device Name - the Device Name configured for the device Port List - ports the AP or Trusted Device is configured to access. Auth State - the state of the device’s network authentication process. Possible values include: Unknown - connected, not yet ready to proceed Initial - ready to proceed, waiting for device to respond Started - response received, authentication in process Success - authentication succeeded: network access permitted Locked - authentication failed: network access blocked Date Learned - the start date/time of the device’s current session The controls at the upper left of the tab and individual checkboxes for connected devices permit you to: 5.5.7 RESET selected sessions: end their current sessions and force them to reauthenticate on the Bridge. DHCP Leases Leases obtained from the Bridge’s internal IPv4 and IPv6 DHCP servers are shown on the DHCP Leases tab on Monitor -> Connections. 177 Bridge GUI Guide: Monitoring The MAC Address, IP Address and Hostname of the DHCP client device are displayed, followed by the date and time the lease Expires. Figure 5.12. Connections screen, DHCP Leases tab, all platforms11 Configuration and operation of the Bridge’s DHCP services are described in Section 3.6.1. 5.6 Statistics Monitoring Traffic Statistics at the top of the Monitor -> Statistics screen displays statistics for overall encrypted-interface traffic. Subsequent frames provide statistics for each of the Bridge’s physical or virtual interfaces—including: 5.6.1 physical Ethernet ports Basic Service Sets configured on the radio(s) internal to the Bridge (when present) any VLANs configured on the Bridge. Traffic Statistics The packets that the Bridge has transmitted and received the encrypted interface(s) since cryptographic processing was last started are shown in the Traffic Statistics frame: Figure 5.13. Statistics screen, Traffic Statistics frame, all platforms Encrypted - encrypted packets—the packets received on a clear interface, encrypted, and then transmitted on an encrypted interface Decrypted - decrypted packets—the packets received on an encrypted interface, decrypted, and then transmitted on a clear interface Send Clear - cleartext packets sent to cleartext devices on an encrypted interface Receive Clear - cleartext packets received from cleartext devices an encrypted interface Key Packets - valid key exchange packets 11.Associations and Bridge Links tabs absent when no internal radio is present (refer to Table 1.1 on page 3). 178 Bridge GUI Guide: Monitoring Bad Packets - malformed packet received (Packets can be malformed for a number of reasons, such as version incompatibility or a failed hash check.) Bad Keys - bad key packets—malformed key exchange packets Bad Decrypted - key packets the Bridge was unable to decrypt 5.6.2 Interface Statistics Bridge interfaces displayed on the Monitor -> Statistics screen are grouped by type. Regardless of type, the Status of each interface can be: Up or Down, and a common set of traffic statistics is shown for each interface’s receive (RX) and transmit (TX) functions: Bytes - the total number of bytes received/transmitted on the interface Packets - the total number of packets received/transmitted on the interface Errors - the total number of receive/transmit errors reported on the interface The Statistics screen provides additional information, according to interface type. 5.6.2.1 Ethernet Interface Statistics Figure 5.14. Statistics screen, Ethernet Interface Statistics frame, ES210, ES440, ES820 For each of the Bridge’s Ethernet interfaces, the Bridge displays the Status and basic interface statistics described above, as well as: Link - displays whether the interface’s physical link is: Up - successful data connection with a device attached to that port Down - no data link with a device attached to the port, or the port is disconnected Negotiating or Resolved - transient states between a physical connection being made to the port and a data link being established (Up) or failing to be established (Down) Speed - displays the speed at which the interface is passing traffic in megabits per second. 179 Bridge GUI Guide: Monitoring Duplex - displays whether the device’s transmission mode is Full Duplex or Half Duplex (or displays n/a if the duplex setting does not apply. State - the bridging status of the node from which the link is made: Possible values and meanings depend on the Bridge’s current Bridging Mode setting (Section 3.2): When STP is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding - the interface is passing all traffic Listening - the interface is listening for BPDUs (Bridge Protocol Data Units) in order to build its loop-free path, but is not yet forwarding general data frames Blocking - the interface is blocking user traffic (usually because it is a duplicate or sub-optimal path) When FastPath Mesh is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding All - the interface is passing all traffic Blocking - the interface is blocking all traffic Above these statistics, the Bridge displays the global Ethernet MAC Address. 5.6.2.2 BSS Interface Statistics On Bridges equipped with one or more radios (refer to Table 1.1 on page 3), the Bridge displays the Status and basic interface statistics (described in Section 5.3.2) for any Basic Service Sets (BSSs) configured on its radio(s). Figure 5.15. Statistics screen, BSS Interface Statistics frame, all radio-equipped platforms BSSs that are acting as access points (i.e., those that do not have bridging enabled) are shown in their own frame with this additional information: Radio - the radio on which the BSS is configured BSS - the name configured for the BSS (Section 3.3.4.1) 180 Bridge GUI Guide: Monitoring 5.6.2.3 MAC Address - the Media Access Control address of the virtual interface the BSS provides Bridge Link Interface Statistics BSSs that are acting as nodes in a mesh network of Fortress Bridges (i.e., those performing a network bridging function) are shown in their own frame. Figure 5.16. Statistics screen, Bridge Link Interface Statistics frame, all radio-equipped platforms In addition to the Status and basic interface statistics (described in Section 5.3.2), the Bridge displays this additional information for bridging links: Radio - the radio internal to the Bridge on which the MRP BSS is configured MAC Address - the Media Access Control address of the virtual interface the BSS provides State - the bridging status of the node from which the link is made: Possible values and meanings depend on the Bridge’s current Bridging Mode setting (Section 3.2): When STP is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding - the interface is passing all traffic Listening - the interface is listening for BPDUs (Bridge Protocol Data Units) in order to build its loop-free path, but is not yet forwarding general data frames Blocking - the interface is blocking user traffic (usually because it is a duplicate or sub-optimal path) When FastPath Mesh is used for bridging, possible values include: Disabled - the interface is not passing traffic Forwarding All - the interface is passing all traffic Blocking - the interface is blocking all traffic 181 Bridge GUI Guide: Monitoring 5.6.3 VLAN Statistics The Bridge tracks VLAN traffic and displays the information, by VLAN ID, for each configured VLAN ID, in Monitoring -> Statistics -> VLAN Statistics. Figure 5.17. Statistics screen, VLAN Statistics frame, all platforms For each of packets received (RX) and packets sent (TX) on each VLAN configured on the Bridge, the screen displays: Clear - unencrypted packets received/sent Encrypted - encrypted packets received/sent Config. - configuration packets received/sent Key Exch. - key exchange packets received/sent In addition, for packets received (RX), under VLAN Mgmt., the number of VLAN management packets received on the VLAN are shown. 5.7 IPsec SAs Monitoring The Security Associations established between the Bridge and its IPsec peers are displayed on Monitor -> IPsec Status. Except for the Remaining Time countdown, Inbound SPI and Outbound SPI (Security Parameter Index), the parameters shown here are configured, globally or per SPD (Security Policy Database) entry, with the settings accessed through Configure -> IPsec (refer to Section 4.2). Lifetime KB - optionally, a limit on the amount of data an SA can pass before being deleted can be globally set, in kilobytes, and the value displayed on IPsec Status. The default global setting configures no data limit for SAs, as indicated by the displayed value: unlimited. Remaining Time and Lifetime Seconds - a global SA time limit can also be specified and the value displayed on IPsec Status, in seconds, for all SAs present. The Remaining Time displayed is a countdown from this value, also in seconds. Local Address and Local Mask - identify the subnet of local IP addresses defined in the SPD entry used by the SA (the outbound source subnet or inbound destination subnet). Inbound SPI and Outbound SPI - the 32-bit Security Parameter Index included in an IPsec packet, together with the destination IP address and IPsec protocol, uniquely identifies the SA. SPIs are pseudorandomly derived during IKE transactions. NOTE: If both data and time limits are configured, an SA will expire at whichever comes first, potentially when Remaining Time still shows a positive value. 182 Bridge GUI Guide: Monitoring Peer Address - identifies the remote IPsec peer participating in the SA by IP address. Remote Address and Remote Mask - identify the subnet of remote IP addresses defined in the SPD entry used by the SA (the inbound source subnet or outbound destination subnet). Crypto Suite - shows the cryptographic algorithm suite in use by the SA. Figure 5.18. IPsec Status screen, all platforms 5.8 FastPath Mesh Monitoring When FastPath Mesh is licensed (Section 6.3) and enabled (Section 3.2.1), the Bridge GUI provides an array of information on the configuration, composition and operation of the FP Mesh network on Monitor -> Mesh Status. 5.8.1 FastPath Mesh Bridging Configuration The settings configured on Configure -> Administration -> Bridging Configuration and/or Configure -> FastPath Mesh -> 183 Bridge GUI Guide: Monitoring Global Settings are displayed in the Bridging Configuration frame and described in detail in sections 3.2.1.1 through 3.2.1.5. Figure 5.19. Mesh Status screen, Bridging Configuration frame, all platforms 5.8.2 FastPath Mesh Statistics When FP Mesh is licensed and enabled, the Fortress Bridge gathers statistics on mesh network operations for display in the FastPath Mesh Statistics frame. Statistics can be cleared manually (see below) or by a reboot. Figure 5.20. Mesh Status screen, FastPath Mesh Statistics frame, all platforms Neighbors - are other FP Mesh network Mesh Points (MPs) directly linked to the current MP (refer to Section 3.2.1). Discovered - a count of MP nodes that have linked directly to one of the current MP’s FP Mesh Core interfaces since Statistics were last cleared Lost - a count of neighbors (above) whose connection to the current MP has been lost since Statistics were last cleared, because they have moved to a more remote location relative to the current MP or have left the network. A neighbor can also be “bounced” into a Lost state and then back to a Discovered state, due to a temporary deterioration of its link to the current MP, followed by the link’s restoration. Local Tags - are non-routing control information in FP Mesh protocol packets provided by the local MP for distribution to network peers since Statistics were last cleared. Adds - the number of tags added by the current MP Deletes - the number of tags deleted by the current MP NMPs - are control information pertaining to NMPs inserted into FP Mesh protocol packets by network peers and 184 Bridge GUI Guide: Monitoring received by the current MP since Statistics were last cleared. Adds - NMP information added by network peers Deletes - NMP information deleted by network peers Access Rx Ctl - count of the number of FP Mesh control packets received on the current MP’s Access interfaces (refer to Section 3.2.1) since Statistics were last cleared. In a correctly configured FP Mesh network these counts should always be 0 (zero). Packets - total number of packets received Bytes - total number of bytes received Loop Detect - counts loop detection protocol packets since Statistics were last cleared. Tx Packets - the number of loop detection packets transmitted by the current Bridge Rx Packets - the number of loop detection packets received by the current Bridged Neighbor Packet Drops - counts FP Mesh routing protocol packets dropped by the current Bridge since Statistics were last cleared. New - the number of routing protocol packets received from new neighbors and dropped because of congestion Holddown - the number of routing protocol packets received from unstable neighbors and therefore dropped Other - displays additional statistical information. Max Used Ctl Packets - maximum FP Mesh control packets received in a single 250-millisecond interval, up to a maximum measurable count of 30, indicating how busy the FP Mesh network is. Nbr ID Changes - counts the number of times the current MP has detected a change in the routing protocol identifier of a neighbor since Statistics were last cleared. Congestion for Ms - shows current measure of the length of time in milliseconds that the current MP will remain in congested mode while processing routing control packets. Proto. Mem. Bytes - protocol memory bytes, shows current measure of the amount of Bridge memory used by the FP Mesh routing protocol. Clear the Bridge’s record of FastPath Mesh statistics by clicking CLEAR STATS in the upper right of the screen. CAUTION: Nonzero counts for Access Rx are caused by an FP Mesh bridging link on the current MP being incorrectly configured as an Access, rather than as a Core interface. 185 Bridge GUI Guide: Monitoring 5.8.3 FastPath Mesh Peers and Neighbors All MP nodes on the FP Mesh network, including the current MP, are shown in the Peers frame of the Mesh Status screen. MPs directly connected to the current MP are shown in Neighbors. For each MP of either type the Bridge GUI displays: MAC Address - the MP’s Media Access Control address Name - the MP’s hostname Cost - the lowest cost associated in FP Mesh of reaching the remote MP from the current MP Path cost is additive by hops. The current Bridge has a constant Cost of 0 (zero). Wired interfaces cost much less than wireless. A Cost of 4,294,967,295 is “infinite”: the MP is unreachable, a transient condition just before the MP leaves the list. The greater the cost to a peer, the less preferred is any route to or through that peer. IP Address - the IPv4 address of the MP IPv6 Addresses - all IPv6 addresses of the MP, including the link local address, the RFC-4193 unique local address, and any other user-configured or auto-configured global addresses. Figure 5.21. Mesh Status screen, Peers frame, all platforms For each MP listed on Peers, under NMPs, the MAC addresses of any connected Non-Mesh Points (devices on the peer MP’s Access interface[s]) are shown. Figure 5.22. Mesh Status screen, Neighbors frame, all platforms For each of the current MP’s Neighbors, the number of connected NMPs is displayed under NMP Count, followed by the Interfaces over which the current MP is connected to the neighbor. An MP can be connected to a neighbor over multiple interfaces. 5.8.4 Multicast/Broadcast Forwarding The three values that FP Mesh takes into account when making multicast forwarding decisions—destination, source 186 Bridge GUI Guide: Monitoring and previous hop—are shown in the first three columns of the Multicast/Broadcast Forwarding frame, along with local interface and mode information. Figure 5.23. Mesh Status screen, Multicast/Broadcast Forwarding frame, all platforms Dest. MAC - the destination MAC address of the multicast Source MAC - the MAC address of the MP from which the multicast originated (The actual source may be an NMP behind the MP.) Prev. Hop MAC - the MAC address of the previous hop in the multicast route Interface - the interface on which the multicast is received, if it is an Access interface (Core interfaces show N/A, not applicable.) Talker - whether the current MP is a sender for the destination MAC address (yes) or only a listener (no) An MP becomes a talker for a multicast group when it receives a packet from a sender on one of the MP’s FP Mesh Access interfaces, or when the MP is manually configured as a Talker (refer to Section 3.2.1.7). MPs do not show up as talkers on broadcast flows, even though the broadcast source may be on one of the MP’s Access interfaces. Forwarding On - the interfaces on which the multicast on this route is forwarded. Clear the Bridge’s Multicast/Broadcast Forwarding information by clicking FLUSH TABLE in the upper right of the screen. 5.8.5 FastPath Mesh Multicast Groups A FastPath MP automatically subscribes to and leaves multicast groups on behalf of NMPs by snooping IP multicast control messages on FP Mesh Access interfaces. You can also establish multicast stream subscriptions manually (refer to Section 3.2.1.7). Regardless of how they were established, 187 Bridge GUI Guide: Monitoring current multicast subscriptions are shown in the Multicast Groups frame. Figure 5.24. Mesh Status screen, Multicast Groups frame, all platforms MAC Address - the MAC address of the multicast stream IP Addresses - the addresses of IP multicast groups the MP is currently subscribed to that map to this MAC address Interfaces - FP Mesh Access interfaces on the current MP that are subscribed to this multicast, identifying the subscription mode as: Listener - receives multicast packets Talker - sends multicast packets Both - receives and sends In parentheses, Interfaces also shows whether the group was Learned from IGMP (as a listener) or incoming data packet (as a talker), or whether the group was manually Configured. Manually subscribing to multicast groups is described in Section 3.2.1.7. 5.8.6 FastPath Mesh Routing Table FP Mesh computes and records many routes to a given destination. While only the lowest cost route among these is stored in the forwarding table and used to forward traffic, all computed routes are shown in the Routing Table frame on the Mesh Status screen. NOTE: The Routing Table shows only routes to other MPs. Figure 5.25. Mesh Status screen, Routing Table frame, all platforms Destination - MAC address of the destination MP Path Cost - the lowest cost associated in FP Mesh of reaching the remote MP from the current MP (Paths are 188 Bridge GUI Guide: Monitoring 5.8.7 listed in ascending order of cost, with the lowest cost path listed first.) Routes - possible routes to the destination MP in descending order of preference FastPath Mesh Loops FP Mesh prevents bridging loops from forming on Core interfaces, which connect MPs to one another. A network loop can form, however, when MPs can also detect one another on their FP Mesh Access interfaces. If such a loop exists on the network, it is displayed in the Mesh Status screen’s Loops frame. Figure 5.26. Mesh Status screen, Loops frame, all platforms Review the network topology to make sure that the connections causing the loops are intentional (for purposes of redundancy) rather than accidental. 5.9 MAC Address - the MAC address of the Mesh Point detected by the current MP on an FP Mesh Access interface Interface - the FP Mesh Access interface on which the network MP is detected State - whether that interface is blocking, forwarding or disabled Reason - why the interface is the current State (above) System Log Monitoring The Bridge logs significant system activity and status information. Access the log by clicking Monitor -> System Log. If you log on to a Log Viewer-level account, the Bridge GUI opens on the System Log screen. Administrator- and Maintenance-level administrators can view the entire log, while Log Viewer-level administrators can view only nonconfiguration events. Each activity item is date-and-time stamped, its severity is indicated and a brief text description is given. Among other information, the log records: FIPS self-test runs and results when Secure Clients contact and negotiate keys with the Bridge system configuration changes 189 Bridge GUI Guide: Monitoring when the cryptographic processor is restarted system and communication errors when FP Mesh neighbors are discovered and lost (when Fortress’s FastPath Mesh is licensed and enabled) The log is allocated 256 Kbytes of memory and can contain a maximum of approximately 2,000 log messages (approximate because record sizes vary somewhat). When the log is full, the oldest records are overwritten as new messages are added to the log. Figure 5.27. System Log screen, all platforms12 The Bridge’s three status icons indicate the severity of System Log messages: Notice or Info - message is purely informational Warning - unexpected event may indicate a problem/require attention Error - failure or attempted breach requires attention You can use the controls at the lower right of the screen to page through the log and specify the number of messages shown per page: 10, 20, 40 or 60. 12.Radio-associated messages absent when no internal radio is present (refer to Table 1.1 on page 3). 190 Bridge GUI Guide: Monitoring When remote audit logging is enabled (Section 4.6.1), log messages sent to the external audit log are identified as AUDIT messages. Internally generated audit events are flagged AUDIT internal. Audit events generated by administrative action additionally identify the account and interface the administrator was logged onto at the time of the event. 191 Bridge GUI Guide: Maintenance Chapter 6 System and Network Maintenance The Bridge GUI provides access to a number of administrative and diagnostic functions under Maintenance on the main menu. Only Bridge GUI Advanced View displays the Licensing link. 6.1 System Maintenance The administrative functions you can access through Maintain -> System vary according to whether you are in Bridge GUI Simple View or Advanced View, as shown in Table 6.1 Table 6.1. System Maintenance Functions Simple & Advanced Views Version Restart Controller Device Upgrade Controller Device Backup System Settings Restore System Settings 6.1.1 Advanced View Only Reset Clients FIPS Retest Reset to Factory Defaults Resetting Connections You can reset all of the Bridge’s network connections, forcing users and devices to rekey and reauthenticate. If Cached Auth. Credentials is Disabled users are prompted to re-enter their user names and passwords in order to reestablish their network connections. If Allow Cached Credentials is Enabled (the default) locally authenticated users are reauthenticated transparently, using their cached user credentials (Section 4.1.13). Resetting connections can be useful after network reconfiguration, as part of a diagnostic procedure, or if an expected device is missing from the network. 192 Bridge GUI Guide: Maintenance You can reset sessions only in Advanced View. Figure 6.1. Advanced View Reset Clients frame, all platforms To reset connections: 6.1.2 Log on to the Bridge GUI through an Administrator-level or Maintenance-level account and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> System from the menu on the left. In the System screen’s Reset Clients frame, click EXECUTE. Rebooting the Bridge The reboot option power cycles the Bridge, ending all sessions and forcing Secure Client devices (and any other Fortress Bridges) in communication with the Bridge to re-key in order to start a new session. Figure 6.2. Restart Controller Device frame, all platforms To reboot the Bridge: 6.1.3 Log on to the Bridge GUI through an Administrator-level or Maintenance-level account and select Maintain -> System from the menu on the left. In the System screen’s Restart Controller Device frame, click EXECUTE. A dialog asks you to confirm your intention: click OK. The Bridge GUI displays Restarting the controller device please be patient. Bridge chassis LEDs go dark, then signal the boot process, and finally resume normal operation (refer to the Fortress Hardware Guide for your Bridge model for more detail). Viewing the Software Version NOTE: You can also reboot the Bridge with chassis controls (refer to the appropriate Hardware Guide) or from the Bridge CLI (refer to the CLI Software Guide). CAUTION: When in blackout mode, some model Bridges still exhibits a single, initial blink of less than half a second, at the beginning of the boot process. To view the software version currently running on the Bridge, log on to the Bridge GUI through an Administrator-level account and from the menu on the left, select: Maintain -> System, and refer to Currently Running in the Version frame. 193 Bridge GUI Guide: Maintenance 6.1.4 Booting Selectable Software Images The Bridge stores two, user-selectable copies (or images) of the Bridge software on separate partitions of the internal flash memory. When the Bridge’s software is upgraded (Section 6.1.5), the new software is first written to the non-running boot partition, overwriting any version stored there. When the Bridge is rebooted to complete the upgrade process, it boots from the partition to which the upgrade was downloaded, with the same configuration settings that were in effect before the upgrade procedure. The Bridge then defaults to the boot partition with the latest software image—the last image booted—whenever it restarts. New configuration changes are not written to the non-running boot partition. If you boot from the non-running boot partition, configuration settings will return to those in effect at the time the Bridge’s software was last upgraded. To select the next boot image: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. In the System screen’s Version frame, in Image for Next Boot, select the next image to boot from the dropdown. Click EXECUTE. CAUTION: If Image for Next Boot indicates INVALID, do not select it or click EXECUTE. Figure 6.3. Version frame, all platforms The next time the Bridge boots, it will boot the specified image. 6.1.5 Upgrading Bridge Software Fortress Technologies regularly releases updated versions of Fortress Bridge software to add new features, improve functionality and/or fix known bugs. Upgrade files may be shipped to you on CD-ROM or, more often, made available for downloading from your account on www.fortresstech.com. Fortress Secure Clients are backward compatible with Bridge software. It is nonetheless recommended that the Secure Clients of the Bridge be upgraded to the most recent version of the Secure Client software available for their respective platforms. 194 Bridge GUI Guide: Maintenance The Bridge flash memory is partitioned into two, bootable image areas. The software upgrade file is written to the nonrunning partition—i.e., the partition that does not contain the software currently running on the Bridge. The upgrade does not therefore take effect until the Bridge is rebooted (as described in Section 6.1.2), and the currently running software is retained on the partition it was originally written to. The software image on a given flash partition cannot be downgraded, and you should not overwrite an image with an earlier version of the software. You can, however, revert to the earlier version of the software even after you have upgraded and rebooted the Bridge (refer to Section 6.1.2). Figure 6.4. Upgrade Controller Device frame, all platforms To upgrade Bridge software: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. In the System screen’s Upgrade Controller Device frame: Click to Browse to the location of the Bridge upgrade file and select it for upload. Enter the Upgrade Package Password : fortress Ensure that the Distribute only - do not upgrade this unit box is not selected (the default). The Distribute only - do not upgrade this unit checkbox is intended to be used in conjunction with the Bridge’s AutoConfig function, as are the Upgrade using stored file checkbox and DELETE STORED FILE button that will be present if an upgrade file has been uploaded for distribution. These controls should not be used during standard upgrade procedures; refer to the Auto Config Software Guide for more information. Click EXECUTE. The Upgrade Status dialog displays the name of the upgrade package, notes approximately how long the upgrade process will take, and provides dynamic Upgrade Status and Upgrade Operation information. Operations display in order: Starting, Uploading, Preparing, Loading, Decrypting, Checking Signature, Validating, Unpacking, Installing, and finally, Finished. Depending on CAUTION: If you have problems after successfully booting from the upgraded partition, do not retry the upgrade while the Bridge is still running the newer software. Revert to the previous software version before retrying the upgrade. 195 Bridge GUI Guide: Maintenance how quickly each completes, you may not see every operation. When upgrade operations are Finished, the dialog Note instructs you to restart the controller device to activate the newly upgraded software image. Click to CLOSE the Upgrade Status dialog. The Version frame on the System screen shows the nonrunning image number as the Image for Next Boot. In the System screen’s Restart Controller Device frame, click EXECUTE. The status line at the top of the screen advises: Restarting the controller device - please be patient. You will have to log back on after the Bridge reboots. After the upgrade, the Bridge defaults to the boot partition with the latest software image—the last image booted—whenever it restarts. If you experience problems after rebooting, revert to the previous Bridge software version (below) and then retry the upgrade. To revert to the previous software version: Because it is not overwritten, the software version the Bridge was running before the upgrade remains available in the event of a problem with the newer version of the software. 6.1.6 Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. In the System screen’s Version frame, in Image for Next Boot, select the non-running image of the software version in effect before you upgraded from the dropdown. Click EXECUTE. In the same screen’s Restart Controller Device frame, click EXECUTE. The status line at the top of the screen advises: Restarting the controller device - please be patient. You will have to log back on after the Bridge reboots. NOTE: Configuration changes are written only to the running boot partition. If you boot from the nonrunning boot partition, settings will revert to those in effect at the time the Bridge’s software was last upgraded. Backing Up and Restoring The backup/restore function of the Bridge creates and downloads a configuration file that can be used to restore the settings it saves. You can create multiple backup files under pathnames of your choosing. 196 Bridge GUI Guide: Maintenance Most Bridge configuration settings are saved to the backup file. The only exceptions are the Bridge’s System Time and System Date settings (Configure -> Administration -> Time Configuration). When you restore from the backup file, the rest of the settings in the current configuration are overwritten by those in the backup file. Fortress Technologies recommends backing up the Bridge configuration: when the Bridge is first set up immediately before configuration changes are made after changes are made and the new configuration has been tested and proved fully operational You can also use the restore function to reconfigure a Bridge using a backup file created on a different Bridge. NOTE: The back- up file used to restore the Bridge configuration must have been made on the current or another Bridge of the same model. You cannot restore from a backup file created on a different Fortress Bridge model. Figure 6.5. Backup System Settings frame, all platforms To back up the Bridge configuration: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. In the System screen’s Backup System Settings frame, optionally enter a Backup System Password, or leave the field empty to apply a default password. You do not need to know the default password to restore from a file that uses it. Leave the password field empty during the restore operation, and the default will again be applied transparently. If you created a non-default password for the backup file, record it in a secure place; you will need it to restore from the backup file. Click EXECUTE. The standard browser dialog asks whether you want to open or save the file (if the .cfg file type is not yet associated with an application, IE7 presents options to find or save it). Save the file with the name and in the location of your choice. The default backup filename is configuration-backup.cfg. NOTE: Backup file passwords must be a minimum of ten alphanumeric characters. Strong passwords contain a mix of upper and lower cases. 197 Bridge GUI Guide: Maintenance To restore the Bridge configuration from a backup file: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. In the System screen’s Restore System Settings frame, in Restore System File, enter the pathname or browse to the location of the Bridge backup configuration file. In the same frame, enter the Restore System Password (the Backup System Password from the backup procedure above). Click EXECUTE. The Restore Status dialog displays the progress of the restore operation and notifies you when it has completed. CAUTION: The restore operation overwrites existing settings with those in the backup file. Figure 6.6. Restore System Settings frame, all platforms 6.1.7 Click OK to close the dialog informing you that a reboot is required to complete the restore procedure. In the same screen’s Restart Controller Device frame, click EXECUTE. Initiating FIPS Retests You can manually initiate the same self-tests that the Bridge runs automatically in accordance with FIPS 140-2, (Federal Information Processing Standards’ Security Requirements for Cryptographic Modules). When the Bridge is in FIPS operating mode, it will shut down and automatically reboot in the event of a FIPS self-test failure. It will not resume normal operation until it has passed FIPS power-on self-tests (refer to Section 4.1.1). When in Normal (non-FIPS) operating mode, the Bridge logs FIPS self-test failures, but continues to operate even if selftests fail. Figure 6.7. Advanced View FIPS Retest frame, all platforms You can initiate FIPS self tests only in Advanced View. 198 Bridge GUI Guide: Maintenance To run FIPS tests manually: 6.1.8 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> System from the menu on the left. In the System screen’s FIPS Retest frame, click EXECUTE. Restoring Default Settings With the exceptions of any special features it has been licensed to use, the Fortress Bridge’s factory default configuration settings can be restored in their entirety. Because the Bridge’s configuration settings could themselves be sensitive, Fortress Technologies recommends restoring them to their default values whenever the Bridge is to be shipped (or otherwise transported) out of a secured location. Licensed features are retained even after the Bridge is reset to factory defaults. NOTE: In order to fully restore the Bridge to its factory configuration defaults, you must perform a separate restore operation for the software image on each of the Bridge’s flash memory partitions (refer to Section 6.1.4). You can reset to factory defaults only in Advanced View. Figure 6.8. Advanced View Reset to Factory Defaults frame, all platforms To restore the factory default configuration: Log on to the Bridge GUI through an Administrator-level and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> System from the menu on the left. In the System screen’s Reset to Factory Defaults frame click EXECUTE. Click OK at the confirmation query. At the top of the screen the GUI displays: Reset to Factory Defaults - please be patient. Close your browser. NOTE: You can also restore the Bridge to its factory default settings with the chassis controls (refer to the appropriate Hardware Guide) and from the CLI (refer to the CLI Software Guide). 199 Bridge GUI Guide: Maintenance If you want to restore the default configuration on both of the Bridge’s flash memory partitions, reopen your browser. 6 Log back on to the Bridge GUI (at the default IP address: 192.168.254.254) through an Administrator-level account and select Tools -> System Tools from the menu on the left. 7 In the Version frame’s Image For Next Boot field, select the non-running software image. 8 On the same screen, in the Restart Controller Device frame button click EXECUTE. 9 When the Bridge has rebooted, repeat steps 1 through 4, above. After restoring default settings, the Bridge will have to be reconfigured for use. To do so you can re-install it as you would a new Bridge. Alternatively, you can back the configuration up before you reset the Bridge to its defaults and then restore the backup configuration, after you have manually configured network properties and passwords. 6.2 NOTE: In order to re-access a Bridge at factory defaults, you must use a new browser instance on a computer with a non-routed connection to a clear interface on the Bridge and an IP address in the same subnet as the Bridge’s default address. Digital Certificates The Bridge automatically generates a self-signed digital certificate conforming to the X.509 ITU-T13 standard for a public key infrastructure (PKI). This certificate and associated RSA 2048-bit public/private key pair are present in the Bridge’s certificate management configuration and used by the Bridge GUI by default. 6.2.1 Generating CSRs and Key Pairs The GENERATE CSR button allows you to generate a PKCS (Public Key Cryptography Standards) #10 certificate signing request (CSR) and a corresponding public/private key pair, at the same time. Figure 6.9. Generate KeyPair frame, all platforms 13.International Telecommunication Union-Telecommunication Standardization Sector; formerly, CCITT 200 Bridge GUI Guide: Maintenance The generated key pair is saved for use by the Bridge’s certificate management function. The PEM-formatted CSR generated is suitable for cutting and pasting for submission to a Certificate Authority (CA). It is not retained in the Bridge’s configuration, but you can open (or save) it at the time you generate the CSR, or reconstruct it later with the GET CSR button associated with its entry in the X.509 Keys list. -----BEGIN CERTIFICATE REQUEST----MIIByDCCATECAQAwgYcxFDASBgNVBAMTCzE5Mi4xNjguMS42MQswCQYDVQQGEwJV UzELMAkGA1UECBMCTlkxDDAKBgNVBAcTA05ZQzEQMA4GA1UEChMHQ29tcGFueTET MBEGA1UECxMKRGVwYXJ0bWVudDEgMB4GCSqGSIb3DQEJARYRYWRtaW5AY29tcGFu eS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMxwsi83t4QTyp4SFjxS VIQnv8qpPRSS4xOaenO486gQsfQ5Cf4YyQ4/AZ3OZBr4ZsJgGmivXOTM2nz1d9BF 8U7mXmSvOq/EOHVi7tweJv7zFyhl5AnwfuVamXrqn17EH2KoFXAygbqjhncVksvk e3qHftzm0b7c4S8/h7pBo2RlAgMBAAGgADANBgkqhkiG9w0BAQUFAAOBgQBOhM5T vfZq9wgyyyCknX/H7NYcNDKy7Tym3qaQCKdIP/S4Wq/LHJI7I3NerSNSDPODuJyz DGgfPdVbvU+mICd4gNsTzjaB0bG/WJ9ccc6DtyJ6lAk2N8Sv9l5IT6CGjLBFedQg 67WFokZq8H4i6EjfBrxXu0XrPp6IOIC2rsj51w== -----END CERTIFICATE REQUEST----- In order to generate a CSR/key pair, you must provide a name to associate with the stored key pair and specify at least one X.500 distinguished name (DN) attribute: CSR Name - establishes a name for the public/private key pair generated with the CSR. Unit Country, Unit State, Unit Locality - establish the country (C), State or Province (ST) and Locality (L) attributes of the DN. Organization, Organizational Unit - establish the Organization (O) and Organizational Unit (OU) attributes of the DN. Key Type - selects the algorithm and key length, in bits, for the key pair to be generated for the CSR: rsa2048 - (the default) RSA (Rivest, Shamir and Adleman) 2048-bit ec256 - elliptical curve 256-bit ec384 - elliptical curve 384-bit Key types are listed on the dropdown (and above) from lowest to highest level of security. To generate a CSR and key pair: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Keys frame of the Certificates screen, click GENERATE CSR. 201 Bridge GUI Guide: Maintenance In the resulting Generate KeyPair frame, enter values into the fields provided (described above) and click APPLY (or CANCEL the addition). The generation of the CSR will be recorded in the X.509 Keys frame, with the associated key pair displayed by Name, with fields indicating the key Type and whether a certificate corresponding to the key pair is present in the local store (Valid displays yes) or no certificate has yet been imported for the key pair (Valid displays no). NOTE: You can retrieve the CSR for a key pair with the associated GET CSR button. Figure 6.10. X.509 Keys frame, all platforms To delete public/private key pairs: You can delete a single key pair, selected key pairs, or all key pairs present on the Bridge. Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Keys frame of the Certificates screen: If you want to delete a single or selected key pair(s), click to place a checkmark in the box(es) beside the key(s) you want to eliminate. or If you want to delete all key pairs, click ALL at the top of the X.509 Keys list to checkmark all keys. Click the DELETE CSR button (or CANCEL the deletion). Click OK in the confirmation dialog (or CANCEL). Deleted key pairs are removed from the X.509 Keys list. 6.2.2 Managing Local Certificates The Bridge’s self-signed certificate, used by default for the Bridge GUI, is automatically generated and always present in the local certificate store. You can import additional PEM-formatted or ASN.1 DER encoded X.509 signed certificate files into the Bridge’s certificate store, and you can assign digital certificates stored on the Bridge to be used by specific Bridge functions. 6.2.2.1 Importing and Deleting Signed Certificates An imported certificate can be: the certificate of a trusted root CA 202 Bridge GUI Guide: Maintenance an intermediate CA certificate an end certificate corresponding to a public key manually generated on the Bridge with the GENERATE KEY/CSR button (described above) or Bridge CLI generate command (refer to the CLI Software Guide). Figure 6.11. X.509 Certificates frame, all platforms In order to import a signed digital certificate, you must specify: CSR Name or Certificate Name - specifies a name for the imported certificate, used to identify the certificate on the Bridge. If the certificate is an end certificate, you must select the CSR Name associated with the certificate’s public key from the dropdown. If the certificate is a trust anchor certificate, you must first check the box to indicate this (see below), and then enter a Certificate Name unique to the local certificate store. The name does not have to be related to either the issuer or subject DN in the certificate. NOTE: The certificate contains the information necessary to determine whether the certificate belongs to a CA or to an end entity or whether it is a root certificate. Trusted Anchor - when more than one root CA certificate is present, selects which will serve as trust anchors, or root certificates signed by trusted CAs in chains of trust applicable to the Bridge’s current requirements. Signed Certificate File - permits you to Browse to the location of the certificate file to be imported. Figure 6.12. Upload Certificate frame, all platforms In addition to the certificate’s Name, the X.509 Certificates list displays: Subject - shows the IP address of the device that generated the associated CSR and the subject X.500 distinguished name (DN), consisting a concatenation of selected attributes, or relative distinguished name (RDNs). 203 Bridge GUI Guide: Maintenance Issuer - identifies the issuer X.500 DN. Valid As Of / Valid Until - define the time span during which the certificate is valid by start and end times. In Use - identifies the Bridge function to which the certificate is assigned. Use - provides controls for assigning the certificate for use by specific Bridge functions. Section 6.2.2.2 (below) covers the possible values of In Use and instructions for the buttons under Use. To import a signed certificate file: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Certificates frame of the Certificates screen, click INSTALL CERTIFICATE. In the resulting Install a signed certificate dialog, enter values into the fields provided (described above) and click APPLY (or CANCEL the action). The imported certificate will be listed in the X.509 Certificates frame. To delete digital certificates: You can delete a single or selected certificate(s), or all certificates in the Bridge’s certificate store. Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Certificates frame of the Certificates screen: If you want to delete a single or selected certificate(s), click to place a checkmark in the box(es) beside the certificate(s) you want to eliminate. or If you want to delete all certificates, click ALL at the top of the X.509 Certificates list to checkmark all accounts. Click the DELETE checked certificates button (or CANCEL the deletion). NOTE: If you delete the self-signed certificate, the Bridge will automatically generate a new one. Click OK in the confirmation dialog (or CANCEL). Deleted certificates are removed from the X.509 Certificates list. With the exception of the self-signed SSL certificate, if a deleted certificate was in use, the function to which it was assigned will no longer be able to perform certificatedependent authentication transactions until a new valid certificate is assigned. 204 Bridge GUI Guide: Maintenance 6.2.2.2 Assigning Stored Certificates to Bridge Functions Locally stored signed certificates can have any of three applications on the Bridge, as indicated in the In Use column of the X.509 Certificates list: ssl - the Secure Socket Layer certificate is used by the Bridge GUI to secure browser connections to the management interface via https (refer to Section 2.1.2). By default, the Bridge GUI uses the automatically generated self-signed certificate for SSL. When additional certificates have been imported, you can change this assignment. IPsec - the Internet Protocol Security certificate is used to authenticate the Bridge as an endpoint in IPsec transactions (refer to Section 4.2). eaptls - the Extensible Authentication Protocol-Transport Layer Security certificate is used: to authenticate EAP-TLS 802.1X supplicants—when the Bridge’s internal authentication server is configured to provide 802.1X authentication service (refer to Section 4.3.2). to authenticate an ES210 Bridge as a wireless station— when it is dedicated to act as a wireless Client (refer to Section 3.3.5.10). Because Bridges used as wireless Clients must be dedicated to the function, the EAP-TLS certificate will only be used for one of these applications. A given function can have only one certificate assigned to it. You can, however, assign the same certificate to more than one function. To assign local certificates to Bridge functions: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Certificates frame of the Certificates screen, in the Use column, click the button for the relevant function: USE IPSEC or USE EAPTLS, to the right of the certificate you are assigning to that function. The button(s) for a given function will only be present if no certificate has yet been assigned to it. 205 Bridge GUI Guide: Maintenance The specified function will be listed for that certificate in the X.509 Certificates frame, under In Use. Figure 6.13. X.509 Certificates frame, all platforms 6.2.2.3 Changing and Clearing Certificate Assignments You can change the SSL certificate assignment from the default, automatically generated, self-signed certificate, but you cannot configure the Bridge to use no digital certificate for SSL. If you assign a different certificate to the function, and then delete that certificate or the associated key pair (or if the certificate and key pair are mismatched), the Bridge GUI SSL function will revert to using the default certificate. Once established, you can also change the certificates assigned to EAP-TLS and to IPsec. To change certificate assignments: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Certificates frame of the Certificates screen, to the right of the certificate you want to assign, click the relevant button for the function you want to assign it to: USE SSL, USE IPSEC, or USE EAPTLS. The selected function will be displayed for the newly assigned certificate in the In Use column of the X.509 Certificates list, and the button for the function will be added to the Use column of the certificate formerly assigned to it. You can use the CLEAR EAPTLS CERTIFICATE button to return the Bridge’s EAP-TLS function to the default state, in which no certificate is assigned and only PSK is used for authentication (if pre-shared keys have been configured). Refer to Section 4.3.2.7 for more information on the local 802.1X authentication service and to Section 3.3.5.10 for more on authenticating ES210 Bridges deployed as wireless clients. 206 Bridge GUI Guide: Maintenance The CLEAR IPSEC CERTIFICATE button likewise returns the Bridge’s IPsec function to the default state, in which no certificate is assigned and only PSK is used to authenticate IPsec peers (if pre-shared keys have been configured). Refer to Section 4.2 for more information on IPsec operation and configuration. To clear certificate assignments: Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left. In the X.509 Certificates frame of the Certificates screen, click the button at the top of the frame that corresponds to the function for which you want to clear the certificate: CLEAR EAPTLS CERTIFICATE or CLEAR IPSEC CERTIFICATE There must be a valid certificate assigned to the application in order for authentication transactions to be successfully performed by the Bridge for the corresponding function. 6.3 Features Licensing There are various optional features on Fortress Bridges that you can enable only after entering or uploading valid license keys for these functions. mesh - FastPath Mesh enables Fortress’s FastPath Mesh bridging link management function (refer to Section 3.2.1). This feature applies to all Fortress Bridges. advradio - Advanced Radio enables 802.11a radio support for additional licensed and unlicensed frequencies (refer to Section 3.3.1). This feature applies only to radio-equipped Bridges; refer to Section 1.3.1. country - Country enables an additional 70 selectable countries of operation through which to identify the regulatory domain for Bridge 802.11a radio operation (refer to Section 3.3.1.3). This feature applies only to radioequipped Bridges; refer to Section 1.3.1. suite-b - Suite B Security enables support for an additional key establishment method that employs NSA (National Security Agency) Suite B cryptography (refer to Section 4.1.3). This feature applies to all Fortress Bridges. perf-level - Performance Level allows for three fieldupgradable performance configurations for the FC-X. Performance level numbers represent optimum 207 Bridge GUI Guide: Maintenance performance at that level, with no more than the maximum number of active connections shown in Table 6.2. Table 6.2. Performance Levels Encrypted Throughput Maximum Active Devicesa FC-250: 250 Mbps 500 FC-500: 500 Mbps 1000 FC-1500: 1.5 Gbps 3000 Configuration a. concurrently connected Secure Clients, Trusted Devices and APs This feature applies only to FC-X model Fortress Controllers. Figure 6.14. Advanced View Installed Licenses frame, all platforms The Bridge GUI displays licensing options and the status of each on Maintain -> Licensing, available only in Advanced View. The Advanced Radio and Country licensed features are automatically enabled when you enter or upload valid license keys for the feature, as are performance upgrades for the FC-X. Once licensed, FastPath Mesh can be enabled on Configure -> Administration in Bridging Configuration (in Simple View and Advanced View) and on Configure -> FastPath Mesh (in Advanced View only). After it has been licensed, Suite B can be enabled on Configure -> Security. By default, no licenses are installed nor licensed features enabled on the Bridge. 6.3.1 Obtaining License Keys A unique, 20-character, hexadecimal key is required for each licensed feature on each Bridge, based on the Bridge’s serial number. Fortress can generate a single 20-digit license key for a single feature on a single Fortress Bridge, or a set of license keys for multiple features and/or multiple Bridges in a group license text file. Fortress’s group license files contain all the information needed to license a given set of features on a given set of Bridges. You NOTE: If you pur- chased the Bridge with a license for a given feature, the license key is included in your shipment. You can obtain special feature licenses after your initial purchase from Fortress Technologies. 208 Bridge GUI Guide: Maintenance must upload the file—or paste the entire file into the field provided—on each Bridge it applies to. (Refer to Section 6.3.2 for detailed instructions.) If you have not yet obtained a license key or group license for feature(s) you want to enable on Bridge(s) already in your possession, you will need to give Fortress Technologies the serial number of each Bridge on which you wish to enable a new feature. The serial number is displayed on the first frame of Maintain -> Licensing. Figure 6.15. Advanced View License Purchasing frame, all platforms Call your Fortress Technologies sales representative to purchase a new feature or group license and obtain valid license keys. You can access Bridge GUI licensing screens and functions only in Advanced View. 6.3.2 Licensing New Features Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> Licensing from the menu on the left. In the License Purchasing frame of the Licensing screen, click the button that corresponds to the action you want to perform: ENTER LICENSE KEY - to enter a single key for a single advanced feature. NOTE: Bridge fea- ture licensing is unchanged when configuration settings are restored from a backup file or reset to their factory defaults (refer to Section 6.1.8). Figure 6.16. Advanced View Enter License Key dialog, all platforms - to enter a plaintext group license file that covers multiple Bridges and/or multiple features: Copy and paste the entire license file into the ENTER LICENSE GROUP 209 Bridge GUI Guide: Maintenance field provided. (Group licensing files include a digital signature and must be used intact.) Figure 6.17. Advanced View Enter License Group dialog, all platforms UPLOAD LICENSE GROUP - to browse to the location of a group licensing file and select it for upload. Figure 6.18. Advanced View Upload License Group dialog, all platforms 6.4 In the resulting dialog, enter the license key or group license file, or browse to and select the group license file, and click Apply. As the Bridge GUI indicates, you must reboot the Bridge in order for the license to take effect. Do so according to the directions in Section 6.1.2. Network Tools Maintain -> Network provides standard ICMP (Internet Control Message Protocol) ping and traceroute tools. If FastPath Mesh is enabled (refer to Section 3.2.1), the screen also provides a Mesh Path trace tool that displays the total endto-end cost to reach a particular node in a FastPath Mesh network, along with each hop with its associated cost. NOTE: The Mesh Path trace tool is intended for use only when FastPath Mesh is licensed and enabled on the Bridge. Figure 6.19. Network diagnostics screen, all platforms 210 Bridge GUI Guide: Maintenance 6.5 Log on to the Bridge GUI through an Administrator-level or a Maintenance-level account and select Maintain -> Network from the menu on the left. In the Network screen’s Operation frame, use the Type radio buttons to select the tool you want to use: Ping, Traceroute or Mesh Path. In the same frame, in Hostname/IP Address, enter the IP address (IPv4 or IPv6) or hostname of the device you want to ping or trace a route to. Click START in the upper right of the screen. The Bridge will ping the target IP or trace a packet to the address, according to your selection in Step 2, and display the Result. To interrupt the operation, click STOP in the upper right of the screen. Support Package Diagnostics Files To assist in diagnosing a problem with the Bridge, Technical Support may request that you generate a diagnostics file. Diagnostics files encrypt the information collected from the Bridge, so the file can be securely sent as an e-mail attachment. Figure 6.20. Receiving Product Support frame, all platforms Log on to the Bridge GUI through an Administrator-level or a Maintenance-level account and select Maintain -> Support from the menu on the left. In the Support screen’s Receiving Product Support frame, enter a Password for the support package file. 211 Bridge GUI Guide: Maintenance Record the password in a secure place; Fortress Technical Support will need it to decrypt the support package file. Click DOWNLOAD, and, if your browser is set to block popups/file downloads, take the necessary actions to allow the file to download. The progress of file generation is displayed. When the download completes, Save the file, support.pkg, to the location of your choice. Support package file passwords can be 1–20 alphanumeric characters and/or symbols. NOTE: 212 Bridge GUI Guide: Index Index Numerics 3rd-party AP management 155–159 4.4 GHz radio see military band radio 802.11a/b/g see radios 802.11i authentication BSS Wi-Fi security 77–80 STA interface Wi-Fi security 84–86 802.11n 62–63, 76 802.1X authentication 141–142 cleartext setting 122 digital certificates 205 Ethernet ports 104 local server 141–142 servers 78, 84, 134–135, 141–142 Access Control Lists 150–159 administrative IP address ACL 39–41 cleartext device access 155–159 controller device access 153–155 IPsec ACL 132–133 MAC address ACL 151–153 Access ID 125–126 administrative accounts 19–41 authentication 22–25 individual accounts 30–38 administrative state 31 audit logging 32 in local user database 144 interface permissions 32 password controls 33–34 preconfigured accounts 19, 30 role 31–32, 144 user names 31 logon controls 20–25 configuration steps 27 logon message 28 configuration steps 29 passwords 20, 25–27, 33–34 changing 38–39 complexity 26–27 configuring requirements 27 defaults 16, 20, 33, 34 expiration 25 individual account controls 33–34 unlocking 39 AES-128/192/256 see encryption algorithm altitude see location settings antennas see radios AP management rules 155–159 AP/TD see cleartext devices archive settings see backup and restore associations configuring BSSs 70–81 monitoring 170–171 STA interface 87–89 audit logging 159–165 individual administrative accounts 32 see also system log authentication 802.1X authentication Ethernet ports 104 local server 141–142 servers 134–135, 141–142 administrator authentication 22–25 authentication servers 133–142 Client device authentication 146–149 default settings 146–147 controller device authentication 153–155 default settings 153 user authentication 143–145 default settings 140, 143 WPA/WPA2 authentication BSSs 78–80 STA interface 84–86 AUX port see Ethernet ports backup and restore 196–198 backing up 197 restoring 198 Basic Service Sets 70–80 monitoring associations 170–171 security settings 77–80 see also radios beacon interval 123 configuration steps 124 blackout mode 120 configuration steps 124 Bridge GUI Guide: Index boot image 194, 196 BPM see FIPS, bypass mode Bridge GUI see GUI bridging 5–14, 47–57 FastPath Mesh 5–12, 47–55 monitoring 183–189 network topologies 6–12 interfaces 72 FastPath Mesh 48, 73 received signal strength setting 72 monitoring bridging links 171–173 point-to-point 14 Spanning Tree Protocol 12–13, 56–57 browser support 16 BSS see Basic Service Sets cached user credentials 123 configuration steps 124 channel exclusion 69–70 channel settings 59, 60 configuration steps 67 cleartext devices 155–159 managing the Bridge 122–123 viewing 177 cleartext LED 118, 166 cleartext setting 121–122 configuration steps 124 CLI SSH access 120 Clients see Secure Clients compatibility hardware 3 software 15 compression 121 configuration steps 124 console port 115–116 controller devices 175 ACL authentication 153–155 monitoring connections 175 controller properties see network settings country of operation 58–59 crypto algorithm see encryption algorithm Crypto Officer 118 data compression 121 configuration steps 124 date and time system date and time 95 configuration steps 97 default Access ID 125 administrative passwords 16, 20, 33, 34 Client device authentication settings 146–147 controller device authentication settings 153 encryption algorithm 118 idle timeout settings 139, 144 IP address 16, 93 operating mode 117 re-keying interval 120 restoring defaults 199–200 SNMP passphrase 42 upgrade file password 195 user authentication settings 140, 143 device authentication 146–149 Client device authentication default settings 146–147 individual device settings 147–148 controller device authentication 153–155 default settings 153 see also Device ID Device ID 146, 153, 168 controller devices Device ID 175 local Bridge Device ID 168 Secure Client Device ID 147, 173 DFS operation 68–69 DHCP services 98–100 diagnostics file 211–212 digital certificates 200–207 assigning 205–207 generating 201–202 importing 202–204 digital signatures see digital certificates distance setting 65–66 units 58 DNS client settings 91, 92 configuration steps 92 DNS service 100–102 domain name 91, 92, 98, 100 FastPath Mesh 47, 49 domain name 91, 92, 98, 100 FastPath Mesh 47, 49 II Bridge GUI Guide: Index DTIM period 74 dynamic frequency selection see DFS operation EAP-TLS 141–142 BSS WPA 78–79 digital certificate 205–207 local authentication server 141–142 STA interface WPA 84–85, 89 encrypted interfaces 77–80, 102, 104 BSSs 77–80 cleartext traffic 121–122 Ethernet 102, 104 FastPath Mesh 47 management access 122 encryption algorithm 118 configuration steps 124 default 118 in Secure Clients 118 environment setting 59 Ethernet ports 102–106 FastPath Mesh 5–12, 47–55 interfaces 5, 48 Ethernet 103 wireless 72–73 licensing 209–210 monitoring 183–189 network topologies 6–12 tracing a mesh path 210 tuning performance 51–52 FIPS 117–121, 166–167, 198–199 bypass mode 118, 166 configuration steps 124 indicators 166–167 cleartext LED 118, 166 operating mode 117–121 retesting 198–199 Fortress Secure Client see Secure Clients Fortress Security BSSs 77 Ethernet ports 104 FastPath Mesh 47 see also security settings fragmentation threshold 75, 83 GPS 97–98 guest devices see cleartext devices; Trusted Devices, guest device access guest management see cleartext devices, guest devices managing the Bridge GUI 16–19 accessing 16–19 administrative accounts 19 configuration steps 30–38 enabling/disabling 120 getting help 19 security 16 GUI certification see digital certificates hardware 3 Ethernet ports 102 radios 57 serial port 115 help 19 host devices configuring timeouts 123–124 resetting 192–193 host name 91 configuration steps 92 interference 67 IPsec 126–133 ACL 132–133 monitoring 182–183 pre-shared keys 131–132 SPD 128–130 IPv4 93 configuration steps 95 default address 16, 93 IPv6 93–95 configuration steps 95 key establishment 119 licensing Suite B 207 Secure Client configuration 119 key pair see digital certificates III Bridge GUI Guide: Index LAN settings see network settings latitude and longitude see location settings LEDs blackout mode 120 configuration steps 124 licensed features 207–210 adding 209–210 location settings 97–98 logging on/off global logon settings 20–25 logging on/off 16–19 logon message 28 configuration steps 29 see also administrative accounts MAC addresses ACL filtering 151–153 cleartext device MAC addresses 156, 157 viewing 177 controller device MAC addresses 154 viewing 175 Secure Client MAC addresses 147 viewing 173 management interface IP address 93 configuration steps 95 default 16, 93 mesh see FastPath Mesh; STP mesh path see FastPath Mesh, tracing a mesh path MIB 41 military band radio 3–4, 46, 57 channels 63 DFS 69 EULA addendum vi regulation 59 monitor resolution 16 MSP 2, 5, 117 Access ID 125–126 beacon interval 123 configuration steps 124 encryption 118 key establishment 119 MSP Clients 173 re-keying interval 120 see also security settings network settings 91–95 configuration steps 92, 95 DHCP services 98–100 DNS client settings 92 DNS service 100–102 host name 91 IPv4 settings 93 IPv6 settings 93–95 network topologies 5–14 topology view 168–170 NTP 96 operating mode 117–121 configuration steps 124 default 117 FIPS 117–121 Normal 117 passwords administrator passwords 20, 25–27, 33–34 account controls 33–34 changing 38–39 defaults 16, 20, 33, 34 expiration 25 complexity 26–27 configuring requirements 27 SNMP passphrases 42 upgrade file password 195 user passwords 144 ping 210–211 PoE 3, 102 per port PSE 105–106 point-to-point bridging 14, 64 IV Bridge GUI Guide: Index ports authentication server ports 136, 139 Ethernet 102–106 for AP management rules 157 for Trusted Devices 158 serial port 115–116 public key certificate see digital certificates QoS 107–108 BSS WMM 74 Ethernet port override 105 STA interface WMM 82 quality of service see QoS radios 3, 46, 57–90 channel exclusion 69–70 DFS operation 68–69 military band radio 3–4, 46, 57 channels 63 DFS 69 EULA addendum vi regulation 59 monitoring bridging links 171–173 monitoring BSS associations 170–171 radio settings 57–70 administrative state 61 antenna gain 64 band 61 beacon interval 66 BSS settings 70–80 channel 59, 60 configuration steps 67 country 58–59 distance 65–66 distance units 58 environment 59 network type 64 noise immunity 67 preamble 67 STA interface 81–90 transmit power 60, 65 received signal strength 72, 170, 171 RF kill 58 wireless interfaces 70–90 rebooting 193 re-keying interval 120 configuration steps 124 default 120 remote logging 159–165 individual administrative accounts 32 resetting factory defaults 199–200 resetting connections 192 restoring default settings 199–200 from a backup file 198 previous software version 196 RF kill 58 RTS threshold 75, 83 safety precautions 1 Secure Clients 5 compatibility 15 device authentication 146–149 encryption configuration 118 key establishment 119 managing the Bridge 122 monitoring 173–175 resetting 192–193 timeout settings 123–124, 139–140, 144–145 Secure Shell see SSH security settings 77–80, 104, 117–126 Access ID 125–126 administrator passwords 20, 25–27, 33–34 account controls 33–34 changing 38–39 expiration 25 allow cached credentials 123 beacon interval 123 blackout mode 120 BSS security 77–80 cleartext traffic 121–122 compression 121 configuration steps 124 encryption algorithm 118 GUI access 120 key establishment 119 operating mode 117–121 passwords complexity 26–27 configuring requirements 27 re-keying interval 120 RF kill 58 SSH 120 serial port 115–116 Bridge GUI Guide: Index sessions monitoring 173–177 resetting 192 timeout settings 123–124, 139–140, 144–145 SNMP 4, 41–45 MIB 41 SNMP traps 43–45 software upgrades 194–196 reverting 196 upgrade file password 195 software version boot image 194 restoring previous version 196 upgrading 194–196 viewing 193 Spanning Tree Protocol see STP SSH 120 SSIDs 71 see also Basic Service Sets STA interface 81–90 scanning for networks 87–89 WPA/WPA2 authentication 84–86 station mode see STA interface statistics 178–180 interface statistics 179–180 traffic statistics 178–179 VLAN statistics 182 STP 12–13, 56–57 Suite B 2, 126 cipher suite 802.1X authentication 141 IPsec 128 STA interface 85 key establishment 119 licensing 207 support file 211–212 system clock 95 configuration steps 97 system log 189–191 see also audit logging system requirements 16 third-party AP management 155–159 time zone 95 configuration steps 97 timeout settings administrative timeouts 21 default 21 session and idle timeouts 123–124, 139–140, 144–145 default 139, 144–145 topology 5–14 topology view 168–170 traceroute 210–211 transmit power settings 60, 65 configuration steps 67 Trusted Devices 155–159 guest device access 157 managing the Bridge 122–123 resetting 192–193 timeout settings 123–124 upgrades see licensed features; software upgrades user accounts 144–146 see also administrative accounts user authentication 140, 143–145 cached credentials 123 default settings 140, 143 version see software version VLANs 109–114 configuration steps 111–114 viewing statistics 182 WAN port see Ethernet ports wireless client mode 81–90 wireless interfaces 70–90 see also radios WMM 107, 107–108 BSSs 74 STA interface 82 WPA/WPA2 authentication BSSs 78–80 STA interface 84–86 zone 171 see also Fortress Security VI ES520 Bridge: Glossary Glossary Triple Data Encryption Standard—a FIPS-approved NIST standard for data encryption using 192-bits (168-bit encryption, 24 parity bits) for protecting sensitive (unclassified) 3DES U.S. government (and related) data. NIST amended and re-approved 3DES for FIPS in May, 2004. 802.11 The IEEE standard that specifies technologies for wireless networks. 802.11i The amendment to the 802.11 standard that describes security for wireless networks, or Robust Security Networks. The IEEE standard for port-based network access control, providing authentication and 802.1X authorization to devices attached to a given port (or preventing access from that port if authentication fails). The IEEE standard that specifies technologies for fixed broadband wireless MANs that 802.16 use a point-to-multipoint architecture, also called WiMAX, WirelessMAN™ or the Air Interface Standard. In Fortress Technologies products, a user-defined, 16-digit hexadecimal value that provides network authentication for all devices authorized to communicate over a FortressAccess ID secured network. Network authentication is one of the components of Multi-factor Authentication™. access point (AP) A device that transmits and receives data between a wired LAN and a WLAN, to connect wireless devices within range to the LAN. Advanced Encryption Standard—a FIPS-approved NIST standard for 128/192/256-bit data encryption for protecting sensitive (unclassified) U.S. government (and related) AES data; also referred to as the Rijndael algorithm. NIST FIPS-approved AES in November, 2001. administrator password In Fortress Technologies products, a password that guards against unauthorized modifications to the system or its components (compare user password). Automatic Private IP Addressing—a Microsoft feature that allows a DHCP client unable APIPA to acquire an address from a DHCP server to automatically configure itself with an IP address from a reserved range (169.254.0.1 through 169.254.255.254). The client uses the self-configured IP address until a DHCP server becomes available. ARP Address Resolution Protocol—describes how IP addresses are converted into physical, DLC addresses (ex., MAC addresses). Authentication Server—a network device running an authentication service: software that checks credentials to verify the identity of network users and/or devices in order to restrict access to the network or to its resources or to track network activity. AS Autonomous System—as defined by RFC 1930, a network or connected set of networks, usually under a single administrative entity, with a single clearly defined routing policy; “the unit of routing policy in the modern world of exterior routing.” VIII ES520 Bridge: Glossary ATM Asynchronous Transfer Mode—a technology for transferring data over a network in packets or cells of a fixed size. BGP Border Gateway Protocol—a protocol, defined by RFC 1771, for interautonomous system routing; the interdomain routing protocol used by TCP/IP. BPM In FIPS, bypass mode—state in which cleartext is allowed to pass on an encrypted interface. bridge A network device that connects two networks or two segments of the same network. Bridge Refer to Fortress Secure Bridge and Fortress Secure Wireless Bridge. Bridge GUI BSS The browser-based graphical user interface through which a Fortress Bridge is configured and managed, locally or remotely. Basic Service Set—the primary collection of entities associated in a wireless network, as defined in the IEEE 802.11 standard. Common Access Card—a United States Department of Defense (DoD) smartcard issued CAC as standard identification for active duty military personnel, reserve personnel, civilian employees, and eligible contractor personnel. CCITT Comite Consultatif Internationale de Telegraphie et Telephonie, former name of the ITU-T. CLI command-line interface—a user interface in which the user enters textual commands on a single line on the monitor screen. client In client-server architecture, an application that relies on another, shared application (server) to perform some of its functions, typically for an end-user device. Client Refer to Fortress Secure Client. Controller Refer to Fortress Controller. controller device See Fortress controller device Controller GUI Crypto Officer password The browser-based graphical user interface through which the Fortress Controller is configured and managed, locally or remotely. A FIPS-defined term—sometimes, Crypto password—the administrator password in Fortress devices operating in FIPS mode. Data Link Layer Refer to DLC. decibels over isotropic—a unit of measure of RF antenna gain: the power emitted by an dBi antenna in its direction of strongest RF emission divided by the power that would be transmitted by an isotropic antenna emitting the same total power. decibels referenced to milliwatts—an absolute (non-relative) unit of power measuredBm ment that indicates the ratio, in decibels (dB), of measured power referenced to one milliwatt (mW) Data Encryption Standard—formerly, a FIPS-approved NIST standard for data encrypDES tion using 64 bits (56-bit encryption, 8 parity bits). NIST withdrew its FIPS-approval for DES on May 19, 2005. In Fortress Technologies products, a means of controlling network access at the level of individual devices, tracking them via their generated Device IDs and providing controls device authentication to explicitly allow and disallow them on the network; one of the factors in Fortress’s Multi-factor Authentication™. In Fortress Technologies products, a 16-digit hexadecimal value generated for and unique to each Fortress Bridge, Controller or MSP Secure Client device on the FortressDevice ID secured network. Device IDs are used for device authentication and are neither modifiable nor transferable. IX ES520 Bridge: Glossary Dynamic Host Configuration Protocol—an Internet protocol describing a method for flexibly assigning device IP addresses from a defined pool of available addresses as DHCP each networked device comes online, through a client-server architecture. DHCP is an alternative to a network of fixed IP addresses. A protocol by which two parties with no prior knowledge of one another can agree upon Diffie-Hellman key establishment a shared secret key for symmetric key encryption of data over an insecure channel. Also, Diffie-Hellman-Merkle key establishment; exponential key exchange. Data Link Control—the second lowest network layer in the OSI Model, also referred to DLC as the Data Link Layer, OSI Layer 2 or simply Layer 2. The DLC layer contains two sublayers: the MAC and LLC layers. DMZ Demilitarized Zone—in IT, a computer (or subnet) located between the private LAN and a public network, usually the Internet. Domain Name System, Server or Service—a system or network service, defined in the DNS TCP/IP Internet Protocol Suite, that translates between textual domain and host names and numerical IP addresses. DoD Department of Defense—the United States military. Extensible Authentication Protocol—defined by RFC 2284, a general protocol for user EAP authentication. EAP is implemented by a number of authentication services, including RADIUS. EAP-MD5 An EAP security algorithm developed by RSA Security® that uses a 128-bit generated number string to verify the authenticity of data transfers. EAP-Transport Layer Security—a Point-to-Point Protocol (PPP) extension supporting EAP-TLS mutual authentication, integrity-protected cipher suite negotiation, and key exchange between two endpoints, within PPP. EAP-TTLS EAP-Tunneled TLS—An EAP-TLS protocol developed by Funk and Certicom that uses TLS to establish a secure connection between a client and server. ES300 The Fortress hardware model identifier of the Secure Bridge. ES520 The Fortress hardware model identifier of the Secure Wireless Bridge. A device or system configuration in which two, identical components are installed for a given function so that if one of them fails the redundant component can carry on operfailover ations without substantial service interruption. Also, an instance in which an active component becomes inoperative and fails over operations to its partner. FC-X The Fortress hardware model identifier of the Fortress Controller. Federal Information Processing Standards—issued by NIST, FIPS mandate how IT, FIPS including network security, is implemented by the U.S. government and associated agencies. FIPS operating mode In Fortress Technologies products, the operating mode that complies with FIPS 140-2 Security Level 2. Sometimes, Fortress Security Controller—Fortress’s FC-X model network device for Fortress Controller securing communications between wireless devices and a LAN, or between devices within a LAN, or in a networked configuration. Fortress controller device A collective noun for Fortress network devices (Fortress Bridges and Controllers). A software client module for securing network communications on devices such as lapFortress Secure Client tops, PDAs, tablet PCs, and industrial equipment such as barcode scanners and portable terminals. Also, Fortress SCB or SCB—a hardware device for providing wireless connectivity and Fortress Secure Client Bridge securing network communications on wired devices such as portable medical equipment and point-of-sale (POS) terminals. ES520 Bridge: Glossary Fortress Security System The secure network deployment of one or more Fortress Bridges and the Fortress Secure Clients and/or Secure Client Bridges that will communicate with the Bridge(s). Fortress Secure Bridge Fortress’s ES300 model network device for securing communications between wireless devices and a LAN, or between devices within a LAN, or in a networked configuration. Fortress Secure Wireless Bridge Fortress’s ES520 model and ES210 model radio-equipped network devices that can act as wireless access points and/or bridges in a mesh network. FQDN Fully Qualified Domain Name—the complete, unambiguous domain name specifying the exact location in the DNS hierarchy of a particular entity on the network. In Fortress Technologies GUIs, a portion of a larger screen or dialog, graphically set apart from other elements on the screen and providing the interface for a specific feaframe ture or function set. In IT, a packet of data transmitted/received. gateway GINA In IT, a node on a network, usually a router, that provides a connection to another network. A library developed by Microsoft®; it is a component of some Microsoft Windows® operating systems and provides secure authentication and interactive logon services. GPS Global Positioning System groups An association of network objects (users, devices, etc.) typically used to allocate shared resources and apply access policies. GUI graphical user interface—a user interface in which the user manipulates various interactive objects (menu items, buttons, etc.) displayed on the monitor screen. hash function Mathematical computation for deriving a condensed representation or hash value, usually a fixed-size string, from a variable-size message or data file. HTTP Hypertext Transfer Protocol—used to transmit and receive all data over the World Wide Web. HTTPS HTTP Secure sockets—HTTP with an encryption/authentication layer. IANA Internet Assigned Number Authority—the organization that assigns Internet Protocol (IP) addresses and port numbers. ICMP Internet Control Message Protocol —supports packets containing error, control, and informational messages. The ping command uses ICMP to test an Internet connection. Intrusion Detection System—monitors network activity to identify suspicious patterns IDS that may indicate a network or system attack and supports automated and/or manual real-time responses. Institute of Electrical and Electronics Engineers—a nonprofit technical professional IEEE association that develops, promotes, and reviews standards within the electronics and computer science industries. IETF Internet Engineering Task Force—the primary standards organization for the Internet. IGMP Internet Group Management Protocol—The portion of the IP multicast specification that describes dynamically managing the membership of multicast groups. Internet Protocol Suite Also, TCP/IP—the basic, two-part communication protocol in use on the Internet (refer to IP and TCP). Internet Protocol—defines a method for transmitting data, in packets, from one comIP puter to another over a network; one of the founding protocols in the TCP/IP suite of networking protocols. IPS Intrusion Prevention System—allows network administrators to apply policies and rules to network traffic, as it is monitored by an intrusion detection system. XI ES520 Bridge: Glossary IPsec Internet Protocol security—a set of protocols developed by the IETF to support secure exchange of packets at the IP layer, deployed widely to implement VPNs. IPv4 Internet Protocol version 4—the first widely implemented and still the most prevalent version of IP. IPv6 Internet Protocol version 6—the next version of IP slated for wide implementation, intended to overcome the limitations of, and to eventually replace, IPv4. International Organization for Standardization, formerly the International Standards ISO Organization—ISO still refers to standards (ex., ISO 9000); the whole name refers to the organization, sometimes appending the earlier initialization in parentheses. isotropic antenna A theoretical, idealized antenna that would transmit power uniformly in all directions; used to measure antenna gain in dBi. IT Information Technology ITU-T International Telecommunications Union-Telecommunication, Geneva-based international organization for telecommunications standards, formerly CCITT. An transaction through which two parties with no prior knowledge of one another can key establishment agree upon a shared secret key for symmetric key encryption of data over an insecure channel. Sometimes, key exchange. Local Area Network—a collection of computers located within a small area (such as an LAN office building) that shares a common communications infrastructure and network resources (i.e., printers, servers, etc.). Layer 2 Refer to DLC. Lightweight Directory Access Protocol—a protocol used to access directories on a network, including the Internet. LDAP makes it possible to search compliant directories to LDAP locate information and resources on a network. LDAP is a streamlined version of the Directory Access Protocol, part of the X.500 standard for network directory services. LLC MAC Logical Link Control—one of two sublayers of OSI Layer 2 (refer to DLC), in which frame synchronization, flow control and error checking takes place. Media Access Control—one of two sublayers of the OSI Model’s DLC, at which data access and transmission permissions are controlled. MAC address Media Access Control address—a unique number that identifies a device, used to properly direct network traffic to the device. MAN Metropolitan Area Network—a collection of interconnected computers within a town or city. MBG Mesh Border Gateway—in Fortress Secure Wireless Bridges, an MP that connects the FastPath Mesh network to a conventional hierarchical network. MIB Management Information Base—SNMP-compliant information that an SNMP agent stores about itself and sends in response to SNMP server requests (PDUs). Man in the Middle attack—a network security breach in which an attacker is able to MITM intercept, read, insert and modify messages between two parties without their knowing that the link between them has been compromised. MLD MobileLink™ MP MRD Multicast Listener Discovery—a means, defined in the IPv6 ICMPv6 protocol, of discovering multicast listeners on a directly attached link (analogous to IGMP in IPv4). In GE Medical Systems Information Technologies, a proprietary method for wireless transmission of serial output. Mesh Point—in Fortress Secure Wireless Bridges, a Bridge on which FastPath Mesh routing is enabled. Multicast Router Discovery—a mechanism, defined in IETF RFC 4286, for identifying multicast routers independent of the multicast routing protocol they use. XII ES520 Bridge: Glossary MRP Mesh Radio Port—in Fortress Secure Wireless Bridges, a pair-wise network link formed between WDS-enabled BSSs configured on the Bridges. MSI The Microsoft installer system written by Microsoft for Windows platforms. The Fortress protocol that provides authentication and encryption at the Media Access MSP Control (MAC) sublayer, within the Data Link Layer (Layer 2) of the Open System Interconnection (OSI) networking model. In Fortress Technologies products, the combination of network authentication (through Multi-factor Authentication™ the network Access ID), device authentication (through the Device ID), and user authentication (through user credentials), that guards the network against unwanted access. multiplexing The practice of transmitting multiple signals over a single connection. Network Basic Input/Output System—an API that originally provided basic I/O services NetBIOS for a PC-Network and that has been variously adapted and augmented to support current LAN/WLAN technologies. In Fortress Technologies products, the requirement that all devices must authenticate network authentication with the correct Access ID in order to connect to the Fortress-secured network; one of the factors in Fortress’s Multi-factor Authentication™. network resource An entity on the network that provides a service or function, such as e-mail or printing, to devices and users on the network. NIC Network Interface Card—computer circuit board that enables a computer to connect to a network. National Information Assurance Partnership—a collaboration between NIST and the National Security Agency (NSA), in response to the Computer Security Act of 1987 (PL NIAP 100-235), to promote sound security requirements for IT products and systems and appropriate measures for evaluating them. NIST National Institute of Standards and Technology, the U.S. Government agency responsible for publishing FIPS. NMP Non-Mesh Point—in Fortress Secure Wireless Bridges, any node on a Fortress FastPath Mesh network that is not an MP. NSA National Security Agency—United States intelligence agency administered by the Department of Defense. NTLM Windows NT LAN Manager—a user authentication protocol developed by Microsoft®. operating mode In Fortress Technologies products, the way in which access controls and cryptographic processing are implemented on the Fortress-secured network. Open System Interconnection Model—an ISO standard that defines a networking framework for implementing data transfer and processing protocols in seven layers. OSI Model (Also see, DLC.) PAN Personal Area Network—a collection of networked computers and devices worn by or within reach of an individual person PDU Protocol Data Unit—often synonymous with packet, a unit of data and/or control information as defined by an OSI layer protocol. Public Key Infrastructure (PKI), a system of digital certificates and other registration PKI authorities that authenticate the validity of each party involved in an Internet transaction; sometimes, trusted hierarchy. policy PPP The means by which access to the secure network and its resources are controlled for users, devices and groups. Point-to-Point Protocol—a method for communicating TCP/IP traffic over serial point-topoint connections. XIII ES520 Bridge: Glossary QoS Quality of Service RSA SecurID® An authentication method created and owned by RSA Security. Remote Authentication Dial-In User Service—an authentication service design that issues challenges to connecting users for their usernames and passwords and authentiRADIUS cates their responses against a database of valid usernames and passwords; described in RFC 2865. RF Radio Frequency RFC Request for Comments—a document proposing an Internet standard that has been accepted by the IETF as potentially developing into an established Internet standard. Robust Security Network - the concept, introduced in the 802.11i amendment to the RSN IEEE 802.11 standard, of a wireless security network that allows only RSNAs to be created. Robust Security Network Association - in the IEEE 802.11i amendment, a wireless conRSNA nection between 802.11i entities established through the 802.11i 4-Way Handshake key management scheme. Resilient Radio Link—in Fortress Secure Wireless Bridges, active wireless links that form RRL along the best available path between the WDS-enabled BSSs of networked Bridges. RRLs provide fault-tolerant connections for Fortress’s self-healing wireless networks. SCB Refer to Fortress Secure Client Bridge. Secure Client Refer to Fortress Secure Client. Secure Client Bridge Refer to Fortress Secure Client Bridge. In Fortress Technologies products, a device such as a laptop, PDA, tablet PC, or barcode Secure Client device scanner, that has the Fortress Secure Client installed and configured to permit the device to communicate on the Fortress-secured network. SFP Small Form Pluggable—shorthand for fiber optic Small Form Pluggable transceiver. SHA Secure Hash Algorithm, cryptographic hash functions developed by the NSA and published by NIST in FIPS 180-2. SHS Secure Hash Standard—FIPS-approved NIST standard specifying five secure hash algorithms: SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 SLIP Serial Line Internet Protocol—a method for communicating over serial lines, developed for dial-up connections. SMTP Simple Mail Transfer Protocol—describes a method for transmitting e-mail between servers. Simple Network Management Protocol—a set of protocols for simplifying management of complex networks. The SNMP server sends requests (PDUs) to network devices, and SNMP SNMP-compliant devices (SNMP agents) respond with data about themselves (stored in MIBs). SNMP agent Any network device running the SNMP daemon and storing a MIB, a client of the SNMP server. Secure Shell®, sometimes, Secure Socket Shell—a protocol, developed by SSH ComSSH® munication Security®, for providing authenticated and encrypted logon, file transfer and remote command execution over a network. SSID Service Set Identifier—a unique name that identifies a particular wireless network STP Spanning Tree Protocol—a link management protocol, operating at OSI layer 2, that prevents bridging loops while permitting path redundancy in a bridged network. A set of cryptographic algorithms promulgated by the National Security Agency as part Suite B of its Cryptographic Modernization Program. Suite B is available in the Secure Client when licensed. XIV ES520 Bridge: Glossary SWLAN Secure Wireless Local Area Network symmetric key encryption Tactical Mesh Point A class of cryptographic algorithm in which a shared secret between two or more parties is used to maintain a private connection between or among them. In Fortress Secure Wireless Bridges, alternative name for the ES210 Secure Wireless Bridge. Transmission Control Protocol—defines a method for reliable (i.e., in order, with integTCP rity checking) delivery of data packets over a network; one of the founding protocols in the TCP/IP suite of networking protocols. TCP/IP Transmission Control Protocol/Internet Protocol, also Internet Protocol Suite—the basic, two-part communication protocol in use on the Internet (refer to IP and TCP). Transport Layer Security—a two-part protocol that defines secure data transmission between client/server applications communicating over the Internet. TLS Record ProtoTLS col uses data encryption to secure data transfer, and the TLS Handshake Protocol allows the client and server to authenticate each other and negotiate the encryption method to use before exchanging data. In Fortress Technologies products, a device that does not have the Secure Client Trusted Device installed but is allowed network access through rules defined for it on the Fortress Bridge. trusted hierarchy Refer to PKI. User Datagram Protocol—defines a method for “best effort” delivery of data packets UDP over a network that, like TCP, runs on top of IP but, unlike TCP, does not guarantee the order of delivery or provide integrity checking. UI User Interface—the means by which a human end user provides input to and receives output from computer software. Unique Local Address—an IPv6 globally unique unicast address (subnet identifier), ULA defined in IETF RFC 4193, intended for local (intranet) communications and not intended to be routable on the Internet. A mechanism for requiring users to submit established credentials (user name and user authentication password, smartcard, etc.) and checking the validity of these credentials before allowing users to log on to a device or network. user password The password an end must enter in order to access a network or device that requires user authentication (compare administrator password). Virtual Local Area Network—a collection of computers configured through software to VLAN behave as though they are members of the same network, even though they may be physically connected to separate subnets. VoIP Voice over IP, sometimes VOI (Voice over Internet)—any of several means for transmitting audio communications over the Internet. VPN Virtual Private Network—a private network of computers connected, entirely or in part, by public phone lines. WAN Wide Area Network—a collection of interconnected computers covering a large geographic area. WDS Wireless Distribution System—a means for interconnecting multiple stations (STAs), access points or nodes in a wireless network. Wired Equivalent Privacy—a security protocol for wireless networks, defined in the IEEE WEP 802.11b amendment. WEP has been found to be vulnerable to attack, and WPA is intended to supplant it in current and future 802.11 standards. Wi-Fi® Wireless Fidelity—used generically to refer to any type of 802.11 network (referred originally to the narrower 802.11b specification for WLANs). XV ES520 Bridge: Glossary Worldwide Interoperability for Microwave Access—the IEEE 802.16 specification for fixed, broadband, wireless MANs that use a point-to-multipoint architecture, defining WiMAX bandwidth use in the licensed frequency range of 10GHz–66GHz and the licensed and unlicensed frequency range of 2GHZ–11GHz. WIDS Wireless Intrusion Detection System—a means for detecting and preventing unauthorized or unwelcome connections to a network. WLAN Wireless Local Area Network. A local area network that allows mobile users network access through radio waves rather than cables. WMM® Wi-Fi Multimedia wireless quality of service implementation defined in subset of the IEEE standard 802.11e, QoS for Wireless LAN. Wi-Fi Protected Access—a security protocol for wireless networks, defined in the IEEE 802.11i amendment, that uses 802.1X and EAP to restrict network access, and TKIP WPA encryption to secure data transfer. WPA is intended to replace WEP in current and future 802.11 standards. WPA2 Wi-Fi Protected Access 2—a later implementation of WPA that uses the FIPS 140-2 compliant AES encryption algorithm. XVI
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.6 Linearized : No Author : Fortress Technologies [atritschler] Create Date : 2010:09:21 10:38:39Z Modify Date : 2010:09:21 17:54:12-04:00 Subject : Fortress Bridge Software version 5.4 GUI Operation XMP Toolkit : Adobe XMP Core 4.2.1-c043 52.372728, 2009/01/18-15:08:04 Creator Tool : FrameMaker 9.0 Metadata Date : 2010:09:21 17:54:12-04:00 Format : application/pdf Title : Secure Wireless Bridge and Security Controller Software GUI Guide [rev. 1] Creator : Fortress Technologies [atritschler] Description : Fortress Bridge Software version 5.4 GUI Operation Producer : Acrobat Distiller 9.3.3 (Windows) Document ID : uuid:678bac3f-4017-4350-af9d-44920a92e97e Instance ID : uuid:90aabbcc-fac7-4372-ac44-263b730cea4f Page Mode : UseOutlines Page Count : 242EXIF Metadata provided by EXIF.tools