Mojo Networks C-65 Access Point / Sensor User Manual AirTight Management Console User s Guide

AirTight Networks, Inc. Access Point / Sensor AirTight Management Console User s Guide

UserManual.wiki >

Mojo Networks >

C-65 User Manual >

User Guide rev

User Guide AirTight Management Console Version 7.1 Update 5

i Table of Contents About This Guide .......................................................................................................................................... 1 Intended Audience ..................................................................................................................................... 1 Product and Documentation Updates ....................................................................................................... 1 Contact Information ................................................................................................................................... 1 Introduction.................................................................................................................................................... 3 AirTight Management Console Configuration ............................................................................................... 7 Configure Language Setting ...................................................................................................................... 7 Set System Language............................................................................................................................ 7 Set SSID encoding ................................................................................................................................. 7 Copy Language Setting to Another Server ............................................................................................ 8 Configure Time Zone and Tag for Location ............................................................................................... 8 Set Time Zone ....................................................................................................................................... 8 Edit Time Zone ....................................................................................................................................... 8 Set Location Tag ................................................................................................................................... 9 User Management ..................................................................................................................................... 9 Configure Password Policy .................................................................................................................. 12 Configure Account Suspension Setting ............................................................................................... 13 Configure Login Parameters ................................................................................................................ 14 User Authentication ................................................................................................................................. 16 Configure LDAP Server Parameters .................................................................................................... 16 Configure RADIUS Parameters ........................................................................................................... 18 Configure Parameters for Certificate-based authentication................................................................. 20 Wireless Intrusion Prevention System ..................................................................................................... 22 Manage Authorized WLAN Policy ........................................................................................................ 23 Configure AP Auto-classification Policy ............................................................................................... 25 Configure Client Auto-classification Policy .......................................................................................... 26 Intrusion Prevention ............................................................................................................................. 30 Activate Intrusion Prevention for Location ........................................................................................... 32 Import Device List ................................................................................................................................ 33 Manage Banned Device List ................................................................................................................ 35 Manage Hotspot SSIDs ....................................................................................................................... 36 Manage Vulnerable SSIDs .................................................................................................................. 38 Manage Smart Device Types .............................................................................................................. 39 Manage WiFi Access ............................................................................................................................... 41 Manage SSID Profiles.......................................................................................................................... 41 Manage Mesh Profiles ......................................................................................................................... 82 Configure Event Notification ................................................................................................................ 87

AirTight Management Console User Guide ii Activate Event Generation for Location ............................................................................................... 88 Configure Email Recipients ................................................................................................................. 89 Configure Device - Server Communication Settings ............................................................................... 89 Use Key for Device - Server Communication ...................................................................................... 89 Use Passphrase for Device - Server Communication ......................................................................... 89 Reset Communication Key .................................................................................................................. 89 Manage Policy Templates ....................................................................................................................... 90 Add Policy Template ............................................................................................................................ 90 Edit Policy Template ............................................................................................................................ 91 Search Policy Template ....................................................................................................................... 92 Copy Policy Template to Another Location ......................................................................................... 93 Save Policy Template with a Different Name ...................................................................................... 93 Print Policy Template List .................................................................................................................... 93 Delete Policy Template ........................................................................................................................ 93 Manage Authorized WLAN Policy ........................................................................................................... 94 Configure Authorized WLAN Policy ..................................................................................................... 95 Edit Authorized WLAN Policy .............................................................................................................. 95 View High Availability Status for Server .................................................................................................. 96 View/Upgrade License Details ................................................................................................................ 97 Manage Look and Feel of Reports .......................................................................................................... 98 Customize Report Header Text ........................................................................................................... 98 Customize Summary Table ................................................................................................................. 98 Customize Section Results .................................................................................................................. 99 Restore Default Look and Feel Settings .............................................................................................. 99 Copy Reports Look and Feel Settings to Another Server .................................................................... 99 Configure NTP ....................................................................................................................................... 100 Check Time Drift between AirTight server and NTP server............................................................... 100 Synchronize AirTight Server Time with NTP Server .......................................................................... 100 Disable NTP ....................................................................................................................................... 100 Configure RF Propagation Settings ....................................................................................................... 100 Restore RF Propagation Defaults ...................................................................................................... 102 Copy RF Propagation Setting to Another Server ............................................................................... 102 Configure Live RF View Setting ............................................................................................................ 103 Restore Default Live RF View Settings.............................................................................................. 103 Copy Live RF View Setting to Another Server ................................................................................... 103 Configure Location Tracking.................................................................................................................. 104 Restore Location Tracking Configuration Defaults ............................................................................ 104 Copy Location Tracking Configuration to Another Server ................................................................. 104 Manage Auto Location Tagging ............................................................................................................ 105

Table of Contents iii Restore Auto Location Tagging Defaults ........................................................................................... 105 Copy Auto Location Tagging Settings to Another Server .................................................................. 106 Set up and Manage Server Cluster ....................................................................................................... 107 Benefits of Server Cluster .................................................................................................................. 107 Create and Manage Server Cluster ................................................................................................... 108 Manage Child Servers from Parent Server in Server Cluster ............................................................ 115 Manage Vendor OUIs ............................................................................................................................ 119 Add Vendor or MAC Prefix ................................................................................................................ 119 Delete Vendor or MAC Prefix ............................................................................................................ 119 Manage Device Template...................................................................................................................... 119 Customize Policy/Device Template for Location ............................................................................... 121 Revert to Inherited Device Template ................................................................................................. 121 Add Device Template......................................................................................................................... 122 Edit Device Template ......................................................................................................................... 128 Search Device Template ................................................................................................................... 128 Copy Device Template....................................................................................................................... 128 Print Device Template List for Location ............................................................................................. 129 Delete Device Template..................................................................................................................... 129 Configure SMTP Settings ...................................................................................................................... 129 Restore SMTP Configuration Defaults ............................................................................................... 130 Test SMTP Settings ........................................................................................................................... 131 Copy SMTP Configuration to Another Server .................................................................................... 131 View System Status ............................................................................................................................... 131 Start/Stop Server ............................................................................................................................... 132 Upgrade Server ..................................................................................................................................... 132 Configure Auto Deletion Settings .......................................................................................................... 133 Copy Auto Deletion Settings to Another Server ................................................................................ 134 Manage Audit Log Settings ................................................................................................................... 135 Set Duration for Audit Log Download ................................................................................................ 135 Download Audit Logs ......................................................................................................................... 135 Restore Default User Action Log Download Settings ........................................................................ 135 Copy Audit Log Settings to Another Server ....................................................................................... 136 Configure Integration with Enterprise Security Management Servers .................................................. 137 Syslog Integration .............................................................................................................................. 137 Arcsight Integration ............................................................................................................................ 138 SNMP Integration ............................................................................................................................... 140 Manage WLAN Integration .................................................................................................................... 142 WLAN Integration ............................................................................................................................... 142 Manage Integration with Aruba Mobility Controllers .......................................................................... 142

AirTight Management Console User Guide iv Configure Integration with HP MSM Controller .................................................................................. 145 Manage Integration with Cisco WLC ................................................................................................. 148 Manage Integration with Meru ........................................................................................................... 151 Manage AirTight Mobile Clients ............................................................................................................ 152 AirTight Mobile Settings ..................................................................................................................... 152 Manage AirTight Mobile Clients ......................................................................................................... 153 Add AirTight Mobile Group Manually ................................................................................................. 157 Edit AirTight Mobile Group ................................................................................................................. 157 Attach Policy to AirTight Mobile Group .............................................................................................. 158 Overwrite Existing Policy for AirTight Mobile Group .......................................................................... 158 Detach Policy from AirTight Mobile Group......................................................................................... 158 View AirTight Mobile Group Policy in HTML Format ......................................................................... 158 View AirTight Mobile Group Policy in XML Format ............................................................................ 159 Activate Automatic Client Grouping ................................................................................................... 159 Apply Default Policy to New Groups .................................................................................................. 159 Print List of AirTight Mobile Groups for Location ............................................................................... 159 Delete AirTight Mobile Group ............................................................................................................ 160 Dashboard ................................................................................................................................................. 161 Add a page to dashboard ...................................................................................................................... 161 Delete a page from dashboard .............................................................................................................. 162 Print dashboard page ............................................................................................................................ 162 WIPS Widgets ....................................................................................................................................... 162 Network Widgets ................................................................................................................................... 163 Client Widgets ....................................................................................................................................... 165 Access Point Widgets ............................................................................................................................ 165 Devices ...................................................................................................................................................... 167 AirTight Devices .................................................................................................................................... 167 Device Properties ............................................................................................................................... 168 View Visible LANs .............................................................................................................................. 173 View Visible APs ................................................................................................................................ 173 View Visible Clients ............................................................................................................................ 173 View Active APs ................................................................................................................................. 173 View Active Clients ............................................................................................................................ 173 View AirTight Device Events .............................................................................................................. 173 View Channel Occupancy .................................................................................................................. 173 View Interference ............................................................................................................................... 174 View Mesh Network Links .................................................................................................................. 174 Search AirTight Devices .................................................................................................................... 174 Sort AirTight Devices ......................................................................................................................... 174

Table of Contents v Change Location ................................................................................................................................ 174 Print AirTight Device Information for Location ................................................................................... 174 Reboot Device ................................................................................................................................... 175 Troubleshoot Device .......................................................................................................................... 175 Upgrade or Repair Device ................................................................................................................. 178 Enable Pagination for AirTight Device Listing and Set Page Size .................................................... 178 Disable Pagination for AirTight Device Listing ................................................................................... 180 Add Custom Filter .............................................................................................................................. 180 Edit Custom Filter .............................................................................................................................. 180 Delete Custom Filter .......................................................................................................................... 181 Delete Device ..................................................................................................................................... 181 Monitor Clients ....................................................................................................................................... 181 View Client Properties........................................................................................................................ 183 View Recently Associated APs/Ad hoc networks .............................................................................. 185 View Events related to Client ............................................................................................................. 185 View Client Retransmission Rate Trend ............................................................................................ 185 View Devices Seeing Client ............................................................................................................... 185 View Client Average Data Rate ......................................................................................................... 186 View Client Traffic .............................................................................................................................. 186 Change Client Location...................................................................................................................... 186 Quarantine Client ............................................................................................................................... 186 Disable Auto Quarantine/Exclude Device from Intrusion Prevention Policy ...................................... 186 Add to banned list .............................................................................................................................. 187 Classify / Declassify as Smart Device ............................................................................................... 187 Change Client Category..................................................................................................................... 187 Reset Data Transmitted by Client ...................................................................................................... 187 Locate Client ...................................................................................................................................... 187 View Recently Probed SSIDs ............................................................................................................ 187 Troubleshoot Client ............................................................................................................................ 188 Debug Client Connection Problems ................................................................................................... 191 Download Connection Log ................................................................................................................. 192 Delete Connection Log History .......................................................................................................... 193 Enable Pagination for Client Listing and Set Page Size .................................................................... 194 Disable Pagination for Client Listing .................................................................................................. 194 Add Custom Filter .............................................................................................................................. 194 Edit Custom Filter .............................................................................................................................. 195 Delete Custom Filter .......................................................................................................................... 195 Print Client List for Location ............................................................................................................... 195 Delete Client ...................................................................................................................................... 196

AirTight Management Console User Guide vi Spectrogram .......................................................................................................................................... 196 Monitor Access Points (APs) ................................................................................................................. 196 View AP Properties ............................................................................................................................ 198 View Recently Associated Clients ..................................................................................................... 201 View AP Utilization ............................................................................................................................. 201 View AP Associated Clients ............................................................................................................... 202 View AP Traffic .................................................................................................................................. 202 View AP Average Data Rate .............................................................................................................. 202 View Devices Seeing AP ................................................................................................................... 202 View AP Events ................................................................................................................................. 202 Change AP Location .......................................................................................................................... 202 Locate AP .......................................................................................................................................... 203 Quarantine an AP .............................................................................................................................. 203 Change AP Category ......................................................................................................................... 203 Disable Auto Quarantine .................................................................................................................... 203 Add to banned list .............................................................................................................................. 203 Sort APs ............................................................................................................................................. 203 Filter AP Details ................................................................................................................................. 204 Search APs ........................................................................................................................................ 204 Enable Pagination for AP Listing and Set Page Size ........................................................................ 204 Disable Pagination for AP Listing ...................................................................................................... 205 Add Custom Filter .............................................................................................................................. 205 Edit Custom Filter .............................................................................................................................. 205 Delete Custom Filter .......................................................................................................................... 206 Print AP List for Location ................................................................................................................... 206 Merge APs ......................................................................................................................................... 206 Split AP .............................................................................................................................................. 207 Troubleshoot AP ................................................................................................................................ 207 Delete AP ........................................................................................................................................... 210 Monitor Networks ................................................................................................................................... 211 Manage Locations and Location Layout ................................................................................................... 215 Define Location Tree ............................................................................................................................. 215 Add Location .......................................................................................................................................... 217 Edit Location .......................................................................................................................................... 217 Move Location ....................................................................................................................................... 218 Delete Location ...................................................................................................................................... 218 Search Locations ................................................................................................................................... 218 Add Layout ............................................................................................................................................ 218 Edit Layout ............................................................................................................................................. 219

Table of Contents vii Delete Layout ........................................................................................................................................ 220 Show / Hide Location List ...................................................................................................................... 220 Show/Hide Devices on Location Layout ................................................................................................ 220 Place Devices/Locations on Location Layout ........................................................................................ 220 Remove Devices/Locations from Location Layout ................................................................................ 221 View RF Coverage / Heat Maps ............................................................................................................ 221 View AP Coverage ............................................................................................................................. 222 View AP Coverage by RSSI Value .................................................................................................... 222 View Sensor Coverage ...................................................................................................................... 222 View AP Link Speed .......................................................................................................................... 223 View AP Channel Coverage .............................................................................................................. 223 Calibrate RF Views ................................................................................................................................ 223 Zoom in / Zoom out Layout.................................................................................................................... 224 Adjust the Layout Opacity...................................................................................................................... 224 Add Note ................................................................................................................................................ 224 Edit Note ................................................................................................................................................ 225 Move Note ............................................................................................................................................. 225 Hide Notes ............................................................................................................................................. 225 Show Notes ........................................................................................................................................... 225 View Mesh Topology ............................................................................................................................. 226 Hide Mesh Topology .............................................................................................................................. 226 View and Manage Events ......................................................................................................................... 227 View Events for Location ....................................................................................................................... 228 View Deleted Events for Location ......................................................................................................... 228 Change Event Location ......................................................................................................................... 228 Acknowledge Event ............................................................................................................................... 229 Turn on Vulnerability Status for Event ................................................................................................... 229 Turn off Vulnerability Status for Event ................................................................................................... 229 Mark Event as Read .............................................................................................................................. 229 Mark Event for Deletion ......................................................................................................................... 229 Enable Pagination for Event Listing and Set Page Size ....................................................................... 230 Disable Pagination for Event Listing ...................................................................................................... 230 Add Custom Filter .................................................................................................................................. 230 Edit Custom Filter .................................................................................................................................. 231 Delete Custom Filter .............................................................................................................................. 231 Print Event List for Location................................................................................................................... 231 Forensics ................................................................................................................................................... 233 View AP based /Client based Threat Details......................................................................................... 233 View Event Summary......................................................................................................................... 234

AirTight Management Console User Guide viii View Participating Devices and Quarantine Status ........................................................................... 234 Locate Participating Device ............................................................................................................... 235 View Administration Action Logs for Event ........................................................................................ 236 Acknowledge Event ........................................................................................................................... 236 Change Location of the Event ........................................................................................................... 236 Turn Vulnerability On/Off ................................................................................................................... 237 Print Event List for Location ............................................................................................................... 237 Mark Event for Deletion ..................................................................................................................... 237 Mark Event as Read .......................................................................................................................... 237 Show/Hide Deleted Events ................................................................................................................ 238 Reports ...................................................................................................................................................... 239 Analytics ................................................................................................................................................ 248 Manage Report Archive ......................................................................................................................... 250 Fetch Archived Report ....................................................................................................................... 251 Rename Archived Report .................................................................................................................. 251 Print Archived Report List for Location .............................................................................................. 251 Delete Archived Report ...................................................................................................................... 251 Schedule Report Generation ................................................................................................................. 251 Send report by e-mail......................................................................................................................... 255 Archive report ..................................................................................................................................... 255 View Report Schedules ......................................................................................................................... 255 Glossary of Icons ...................................................................................................................................... 257

1 About This Guide The AirTight Management Console User Guide explains how to configure and manage the AirTight Management Console . Important! Please read the EULA before installing AirTight WIPS or AirTight Wi-Fi. Installing AirTight WIPS or AirTight Wi-Fi constitutes your acceptance of the terms and conditions of the EULA mentioned above in this document. Intended Audience This guide is intended for anyone who wants to configure and use AirTight WIPS or AirTight Wi-Fi or use AirTight Cloud Services. Product and Documentation Updates To receive important news on product updates, please visit our website at http://www.airtightnetworks.com. We continuously enhance our product documentation based on customer feedback. To obtain a latest copy of this document, visit http://www.airtightnetworks.com/home/support.html. Contact Information AirTight® Networks, Inc. 339 N, Bernardo Avenue, Suite #200, Mountain View, CA 94043 Tel: (650) 961-1111 Fax: (650) 963-3388 For technical support, send an email to support@airtightnetworks.com

3 Introduction AirTight Management Console is a HTML 5 based user interface using which you can configure and monitor AirTight WIPS and/or AirTight Wi-Fi server to access the AirTight Cloud Services. HTML 5 makes AirTight Management Console compatible with most browsers and operating systems. AirTight Management Console is intuitive and easy to use. It can be configured with ease to suit your WIPS and/or Wi-Fi needs. The Console is divided into 7 sections - Dashboard, Locations, Devices, Events, Forensics, Configuration, and Reports. AirTight Management Console can be configured from the Configuration section. You can define and manage users, configure and manage WIPS settings, Wi-Fi access settings, integration settings for WLAN, integration settings for enterprise security management servers etc from the configuration section. The Dashboard section provides a graphical view of the WIPS and/or Wi-Fi implementation. It offers you the flexibility to choose from a good number of graphs related to the access points, clients on your wireless network, as well as the networks detected by WIPS sensors. Details of wireless threats to the network can be seen on the WIPS widgets. Apart from the pie chart or bar graph representation, the widget data can be viewed as a tabular representation by clicking the icon present on the top of widgets. You can alternate between tabular view and pie chart/bar graph view. This means that if you are in the pie/graph view, you will see the icon. If you are in the table view, you will see the or icon, depending on whether the alternate view is represented as a pie chart or bar graph. The widget data is presented in the last-viewed format when you log in to AirTight Management Console the next time. AirTight Management Console facilitates the creation of locations. These locations could be various buildings in your campus or the different floors or levels in your office space. You can create and manage your retail or office locations using the Locations section. You can attach a layout to each floor in the office space. You can then define WIPS / Wi-Fi policies specific to these locations. All APs, AirTight devices, sensors, smart devices are seen under the Devices section. Apart from the actual devices, the devices section also displays a list of networks detected by the WIPS sensors. The Events section displays the events detected by the WIPS implementation. The Forensics section lists AP-based threats and client-based threats in a user friendly format. You can drill down into the wireless threats using the forensics section. The Reports section facilitates generation of various built-in and custom reports. These reports comprise various compliance reports and reports related to devices in the network and events occurring in the network. You can schedule reports and generate analytics data using the Reports section. Following are the salient features of the AirTight Management Console. • Intuitive, portable and easy-to-use HTML5 UI

AirTight Management Console User Guide 4 HTML5 makes AirTight Management Console compatible with most browsers and operating systems. It can be operated using tablets and other smart devices as well. The interface is intuitive and can be used and configured without much effort. • Fully user-customizable dashboards and screens The dashboard offers you the flexibility to choose from a good number of graphs displaying access point, client, network, and WIPS statistics. Graphs are seen in widgets. You can have multiple dashboards on the console. Each dashboard can have multiple widgets based on your requirement, with widget repetition allowed. The widget classification is very intuitive. The widgets are classified as network widgets, access point widgets, client widgets and WIPS widgets. In all other sections of the UI, you can filter the information or columns visible in the respective section, based on your requirement. You also have the option to view information in various text and graphical format in some of the sections. For example, the Forensics section displays information in text and pie chart formats. In the Reports section, you can customize the reports as required. Standard compliance reports are also available. You can customize filters on device and event listings under Devices and Events respectively. You can add, edit and delete custom filters on device and event listings. You can define multiple filters on devices and events listings and save them. These will be retained until you delete them. When you apply a filter to device or event listing during a login session, the filtered list is retained till the end of the session. • Innovative drill down with navigation trail on any event, chart or device AirTight Management Console provides a unique feature with which you can delve deeper or drill down to events or devices from any section of the console where they are visible. The devices and events are seen as links across AirTight Management Console. You can click on the link to view the details of the respective event or device and the related devices or events. You can also take the required actions if you have the privilege to take those actions. Thus, you can hop across different sections by clicking the links for devices and events. When you navigate across pages in this way, a navigation trail is displayed at the top of the currently viewed page or screen. This is extremely useful for you to understand the path you have taken to drill down to the desired page. The navigation trail also makes it convenient for you to navigate back to one of the screens or pages in the navigation trail. See the image below for a sample drill down with a navigation trail.

Introduction 5 • Rich Visualization of Heat maps You can view radio frequency heat maps in various views. The AP coverage view is useful to find out the available signal strength at each point. The sensor coverage view enables you to view the detection and prevention zones of visibility for selected sensors. The color-coding scheme used enhances the readability of the heat maps. • Hierarchical management architecture ideal for geographically distributed sites AirTight Management Console provides for hierarchical management of geographically distributed sites. You can create a hierarchy of locations or a location tree. Each location folder could represent a country and a child location folder could represent a state. These location folders could then have city locations as child location folders. One of more buildings in the city office campus can be represented as child location folders under the respective city location folders. Individual floors or levels in the office space can be represented by location floors under the location folders that represent buildings. You can then define Wi-Fi/WIPS policies specific to each location. You can apply a common policy to the location folders. These policies are automatically inherited by the child locations. This makes management of related locations easy and convenient at the click of a button. • Role-based administration and extensible configuration framework The administration and operation of the Wi-Fi or WIPS solution through AirTight Management Console is role-based. A user has restricted access to one or more locations that he is associated with. He is able to view information and configure the console related to these locations only. Information from other locations are not visible to him. A user is able to perform operations based on his role. AirTight Management Console provides four distinct user roles-superuser, administrator, operator and viewer. • Configuration Wizard When a user logs in to AirTight Management Console, and navigates to Dashboard or Events for the first time, a configuration wizard guides the user on how to use these functionalities. The wizard is functional only during the first time view.

7 AirTight Management Console Configuration AirTight Management Console needs to be configured appropriately for use, before it can start monitoring and/or protecting the network. Click Configuration to view the various options to configure in AirTight Management Console. The Configuration page displays various categories - Device Configuration, WIPS, User Accounts, Events and System Settings, AirTight Mobile, ESM Integration. Device Configuration: Configure and manage the SSID profiles using Device Configuration>SSID Profiles. The SSID profiles can then be attached to the device templates. Configure and manage the device templates using Device Configuration>Device Template. These device templates can then be applied to various devices. WIPS: Configure and manage the wireless intrusion prevention parameters using WIPS. User Accounts: User management, password management, LDAP, RADIUS configuration, certificate configuration, account suspension management is done using User Accounts. Events: Configure and manage event related settings, e-mail notification on occurrence of certain critical events using Events. System Settings: Configure and manage AirTight server-related settings using System Settings. AirTight Mobile: Configure AirTight Mobile integration settings using AirTight Mobile. ESM Integration: Configure settings for integration with Enterprise Security Management software using ESM Integration. AirTight Management Console integrates with SNMP, Syslog and Arcsight. Configure Language Setting Define the system language and the SSID encoding using the Configuration>Language Setting option. This setting is used to set the language for email communication, Syslog messages etc. You can copy language setting from one server to another when the servers are part of the same server cluster. Set System Language The system language is the default language that the system will use to communicate via emails, syslog messages etc. If you want to use a language other than English as the system language for AirTight Management Console, the language of your choice should be defined under Language Setting. The default value for System Language Preference is English. Set SSID encoding Parameters like SSID, when configured on the AP using page encoding (either non-English native window or using a language pack), appear garbled if the page encoding does not match the encoding selected here.

AirTight Management Console User Guide 8 Select the appropriate SSID encoding commonly used in your region, in order to correctly see the local language SSIDs in the system. The default value for SSID encoding is UTF-8. To select a different SSID encoding, do the following. 1. Go to Configuration>System Settings>Language Setting. 2. Under SSID Encoding, select the required SSID encoding. 3. Click Save to save the new SSID encoding. Copy Language Setting to Another Server You can copy the language setting from one server to another server when both servers are part of the same server cluster. You can copy language setting from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy language settings, do the following. 1. Go to Configuration>System Settings>Language Setting on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which language setting is to be copied. 4. Select the server to which the ;language setting is to be copied. 5. Click OK to copy the language setting, Configure Time Zone and Tag for Location Set the appropriate time zone for the selected location using the Configuration>System Settings>Location Specific Attributes page. The time zone settings are specific to individual locations and cannot be inherited from the parent location. You need administrator privileges to configure the location time zone for a location. The time zone settings help in accurate analytics. Make sure to select the correct time zone for the selected location. Note that you cannot set a time zone for a location floor because a location floor represents a floor location in the organization premises. The time zone set for the immediate parent location folder of a location floor applies to the location floor. In case you do not set the time zone for a location folder, the analytics data will show the server time zone in the fields where local time zone is shown. Set Time Zone To set the time zone for a location, do the following. 1. Go to Configuration>System Settings>Location Specific Attributes. 2. Select the location for which you want to set the time zone. 3. Select the time zone. 4. Click Save to save the new time zone. Alternatively, if you want to cancel the operation, click Cancel. Edit Time Zone To edit the time zone for a location, do the following. 1. Go to Configuration>System Settings>Location Specific Attributes. 2. Select the location for which you want to edit the time zone. 3. Select the new time zone.

AirTight Management Console User Guide 10 View devices Yes Yes Yes Yes Add, delete, and modify devices (APs, Clients, Sensors) Yes Yes Yes No View locations Yes Yes Yes Yes Add, delete, and modify locations Yes Yes Yes No Calibrate location tracking Yes Yes Yes No Reports Add, delete, modify Shared Report Yes (all) Yes (only self created) Yes (only self created) No Generate Shared Report Yes Yes Yes Yes Schedule Shared Report Yes Yes Yes No Add, delete, modify, generate, schedule My Report Yes (only self created) Yes (only self created) Yes (only self created) No Add User To add a user, do the following. 1. Go to Configuration>User Accounts>Users. 2. Select the location for which you want to add the user. 3. Click the Add User hyperlink. The Add New User dialog box appears. The following table describes the fields on the Add New User page. Field Description User Type Specifies the type of user. Login ID Specifies the login id of the user. Role Specifies the role assigned to the user. Choose from Viewer, Operator, Administrator and Super User. First Name Specifies the first name of the user. Last Name Specifies the last name of the user. Password Specifies the password of the user. Password should be a combination of letters, numerals and special characters. Confirm Password Specifies the same password as typed in the password field to confirm the password. Email Specifies the e-mail id of the user. Allowed Locations Specifies the locations for which the user can operate. Click Change hyperlink to modify the list of allowed locations. A user can operate on one or more locations. For instance, an administrator user could have rights to multiple locations. Password Expiry Specifies if the password expires or does not expire. By default, the password never expires. Click Change hyperlink to set an expiry for the password. Password Expiry Duration Specifies the duration in days from the time of change of the password after which the password expires. Password Expiry Warning Specifies the time in days before the password expiry to prompt the user to change the password. Session Timeout Specifies the idle time interval after which the user's User

AirTight Management Console Configuration 11 Interface (UI) session should be timed out. Two options are available. Select Never Expires, if you don't want the session to time out. Select Expires After and specify the time in minutes (between 10 and 120 minutes) after which the session should time out. Time Zone Specifies the time zone in which the user operates. Language Preference Specifies the language in which the user wants to view the UI text. The default value is English. Multi lingual Specifies if the UI should support multi-lingual font support. 4. Click Save to save the changes. Edit User To edit a user, do the following. 1. Go to Configuration>User Accounts>Users. 2. Select the location for which you want to edit the user. 3. Click the login id hyperlink for the user that you want to edit. The Edit User Details dialog box appears. 4. Edit the user details. 5. Click Save to save the changes. Print User List for Location You can print a list of users defined for a location. To print a user list for a location, do the following. 1. Go to Configuration>User Accounts>Users. 2. Select the location for which you want to print the user list. 3. Select the columns that you want in the printed list. Click any column name to select or deselect columns. 4. Click the print icon. The print preview of the user list appears. 5. Click Print to print the list. Search User You can search users using the login ID or name of the user. To delete a user, do the following. 1. Go to Configuration>User Accounts>Users. 2. Select the location for which you want to search user. 3. Enter the login ID string or the name string in the Quick Search box. 4. Press Enter key. 5. The users with login IDs or names matching the search string are displayed. The search string could be a substring of the login ID or name of the user.

AirTight Management Console User Guide 12 Delete User To delete a user, do the following. 1. Go to Configuration>User Accounts>Users. 2. Select the location for which you want to delete the user. The user list appears. 3. Click the Delete hyperlink for the user to delete. A message to confirm delete appears. 4. Click Yes to confirm deletion of user. Configure Password Policy The Password Policy determines the minimum requirements for system passwords. This policy applies to all user roles - super user, administrator, operator, and viewer. If you change this policy, older passwords are not affected. Only passwords created after a policy change are subject to the new policy. This setting applies only to local authentication and does not apply to LDAP and RADIUS authentication. You can copy password policy from one server to another when the servers are part of the same server cluster. To configure password settings or password policy, do the following. 1. Go to Configuration>User Accounts>Password Policy. 2. Specify the number of characters required for the password. Minimum number of characters is 4, maximum number of characters is 15. 3. If you want the password to contain at least one numerical character, select the At least one numerical character required check box. 4. If you want the password to contain at least one special character, select the At least one special character required check box. 5. Click Save to save the changes made to the page. Restore Default Password Policy The default password policy is as follows. The password length as 6 characters and no numeric or special characters are required in the password. To configure password settings or password policy, do the following. 1. Go to Configuration>User Accounts>Password Policy. 2. Click Restore Defaults to restore default password policy. 3. Click Save to save the changes. Copy Password Policy to Another Server You can copy the password policy from one server to another server when both servers are part of the same server cluster. You can copy password policy from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy password policy, do the following. 1. Go to Configuration>User Account>Password Policy on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the password policy is to be copied.

AirTight Management Console Configuration 13 4. Select the server to which the password policy is to be copied. 5. Click OK to copy the password policy, Configure Account Suspension Setting Account suspension protects the system from spurious logins through dictionary attacks. Define the account suspension policy using the Configuration>User Accounts>Account Suspension option. There are four roles available in the system- super user, administrator, viewer and operator. You can configure different policies for each of these user roles. Configure the suspension time in minutes and the number of failed login attempts during a specific time duration. You can copy account suspension setting from one server to another when the servers are part of the same server cluster. To configure Account Suspension Setting for a user role, do the following. 1. Go to Configuration>User Accounts>Account Suspension. 1 Specify a suspension time between 5 minutes and 30 minutes, during which the consecutive failed login attempts happen. 2 Specify the number of failed login attempts between 3 and 10. 3 Click Save to save the changes made to the page. The following diagrammatic representation explains the account suspension settings.

AirTight Management Console User Guide 14 Account Suspension Settings This policy is applicable on the root location only. Copy Account Suspension Settings to Another Server You can copy the account suspension settings from one server to another server when both servers are part of the same server cluster. You can copy account suspension settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy account suspension settings, do the following. 1. Go to Configuration>User Accounts>Account Suspension on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the account suspension settings are to be copied. 4. Select the server to which the account suspension settings are to be copied. 5. Click OK to copy the account suspension settings, Configure Login Parameters

AirTight Management Console Configuration 15 You can specify the number of concurrent console logins that a user can have, along with the welcome message that the user would see on logging on to AirTight Management Console. The user can have up to 5 concurrent console logins. You must have administrator privileges to configure login parameters. You can copy the login configuration from one server to another server when both servers are part of the same server cluster. To configure login parameters, do the following. 1. Go to Configuration>System Settings>Login Configuration, 2. Enter the message that the user would see on the login screen, in Configure Login Message. 3. To display the message on the login screen, select the Enable Login Message check box. 4. Specify the number of concurrent sessions per user. 5. Click Save to save the settings. Restore Defaults for Login Configuration To restore default settings for login configuration, do the following. 1. Go to Configuration>System Settings>Login Configuration, 2. Click Restore Defaults. Default settings are restored. 3. Click Save to save the changes. Copy Login Configuration to Another Server You can copy the login configuration from one server to another server when both servers are part of the same server cluster. You can copy login configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy login configuration, do the following. 1. Go to Configuration>System Settings>Login Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the login configuration is to be copied. 4. Select the server to which the login configuration is to be copied. 5. Click OK to copy the login configuration,

AirTight Management Console User Guide 16 User Authentication Configure LDAP Server Parameters AirTight Management Console enables you to configure an LDAP server for user authentication. After an LDAP server is configured, users or groups defined in the LDAP server can login to AirTight Management Console. In LDAP configuration, you can configure the following details. • LDAP Configuration parameters to be able to access the LDAP compliant directory • LDAP authentication details to search records on the LDAP server • Privileges for LDAP users- Here you specify the default role and the default locations assigned when new LDAP users log in, for the case where the role and locations attributes are not provided by the LDAP server. Note that the default values here apply to all users authenticated via LDAP. If the LDAP server provides user role and locations attribute at the time of authentication, the attributes provided by the LDAP server will override the default role and locations attributes. You must have administrator privileges to configure the LDAP server access parameters. Configure LDAP Server Access Parameters To configure LDAP server access parameters, do the following. 1. Go to Configuration>User Accounts>LDAP Configuration option. 2. Select Enable LDAP to enable user authentication using an LDAP compliant directory. All the fields related to LDAP are enabled on selecting this check box. 3. Enter the connection details as described in the following table. Field Description Primary Server IP Address/Hostname The primary server IP address/Hostname of the LDAP server. (Primary Server) Port The primary server port number of the LDAP server.(Default:389). Backup Server IP Address/Hostname The backup server IP address/Hostname of the LDAP server. (Backup Server) Port The backup server port number of the LDAP server. Enforce Use of SSL/TLS When this option is checked, only the SSL/TLS connection to the LDAP server is allowed. When it is not checked, either of the Open or SSL/TLS connection to the LDAP server is allowed. Verify LDAP Server’s Certificate When this option is selected, the connection to the LDAP server is not allowed unless the certificate check passes. When this option is not selected, the connection to the LDAP server is allowed without verifying the LDAP server certificate. 4. If you have selected Verify LDAP Server's Certificate, you must add a certificate. Click Add Certificate to add trusted root CA Certificate(s) for the LDAP server and choose the certificate. 5. Enter the LDAP configuration details as described in the following table.

AirTight Management Console Configuration 17 Field Description Base Distinguished Name The base distinguished name of the directory to which you want to connect, for example, o=democorp, c=au. Distinguished Name is a unique identifier of an entry in the Directory Information Tree (DIT). The name is the concatenation of Relative Distinguished Names (RDNs) from the top of the DIT down to the entry in question. Filter String This is a mandatory argument. It is a string specifying the attributes (existing or new) that the LDAP server uses to filter users. For example, IsUser=A. By specifying a filter string you can allow or disallow login access to a particular OU or Group of user defined in the AD. You can specify a DN (Distinguish Name) of any particular group to allow access to only those who are member of that group. For example, memberOf=DC=GroupName,DC=com. You can include members from multiple groups by using an OR condition. For example, to allow access to users under Base DN who are member of any of the two groups, Airtight Admins OR Airtight Reviewer, you must include the following filter string: (|(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com)) Similarly, to allow access to users under Base DN who are member of both Airtight Admins AND Airtight Reviewer groups, you must include the following filter string: (&(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com)) You can have alternative configurations in AD such as, adding a new attribute, say ATNWIFI, to the users in AD that are granted access and then set filter string to allow users with that attribute only. For example, filter string = ATNWIFI You can also create a new group of users in AD with access granted and include the group in filter string. The most general filter string you can use is 'objectClass=*'.You can use this string when you do not want to filter out any LDAP entry. User ID Attribute The string defined in the LDAP schema that the system uses to identify the user.(Default: cn) 6. If the directory does not allow an anonymous search, you must configure user credentials to search the LDAP compliant directory. Configure the user credentials as described in the following table. Field Description Admin User DN The DN of the admin user to be used to authenticate in to the LDAP server. Append User DN Select this option if the base DN specified in the LDAP Configuration Details must be appended to the admin user DN Password The password for the admin user.

AirTight Management Console User Guide 18 • 7. Click Test Settings to test the authentication options. 8. Configure the default role and locations for new LDAP users. They are described in the following table. Field Description User Role Attribute The user role attribute string that the system uses to identify a user’s role, as defined in the LDAP schema. User Role The default role for the new LDAP users. You can select one of the following four options- superuser, administrator, operator, viewer. User Location Attribute The user location attribute string that the system uses to identify the locations where the user is allowed access, as defined in your LDAP schema. Locations The location to which a new LDAP user has access rights. You can select another location by clicking Change. 9. Click Save to save the changes. Edit LDAP Server Access Parameters To configure LDAP server access parameters, do the following. 1. Go to Configuration>User Accounts>LDAP Configuration option. 2. Make the required changes. 3. If you have made changes to the connection settings or the configuration settings, click Test Settings to ensure that the new details are valid. 4. Click Save to save the changes. Copy LDAP Configuration to Another Server You can copy the LDAP configuration from one server to another server when both servers are part of the same server cluster. You can copy LDAP configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. Note: When an LDAP configuration is copied to another server, the value of the Locations field in the replicated policy on the destination server is set to 'root' (location). To copy LDAP configuration, do the following. 1. Go to Configuration>User Accounts>LDAP Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the LDAP configuration is to be copied. 4. Select the server to which the LDAP configuration is to be copied. 5. Click OK to copy the LDAP configuration. Configure RADIUS Parameters AirTight Management Console can use a RADIUS server to facilitate user authentication. Configure the RADIUS server access parameters using the Configuration->User Accounts->RADIUS Configuration option.

AirTight Management Console Configuration 19 Select the Enable RADIUS Authentication check box to activate RADIUS authentication of users. You can configure the Authentication,Accounting , and Advanced Settings after selecting this check box. Click the respective option to view and edit the fields for the individual sections. Configure Authentication Parameters Configure access parameters for the RADIUS Authentication server using the Authentication section. To configure access parameters for RADIUS authentication server, do the following. 1. Go to Configuration->User Accounts->RADIUS Configuration. 2. Specify the IP address/ hostname, port number and shared secret for the primary and/or secondary RADIUS servers. 3. Click Test to test the connection to the RADIUS servers. 4. Select Enable RADIUS Integration for CLI login to enable CLI user authentication using RADIUS. 5. Select Enable RADIUS Integration for GUI login to enable GUI user authentication using RADIUS. 6. Select vendor specific attributes as appropriate. These are used when vendor specific attributes are not defined for RADIUS server. 7. Click Save to save the changes. Configure Accounting Parameters Configure accounting parameters for the RADIUS Accounting server under the Accounting section. To configure accounting parameters for RADIUS authentication server, do the following. 1. Go to Configuration->User Accounts->RADIUS Configuration. 2. Select the Enable RADIUS Accounting check box to enable RADIUS accounting. 3. Specify the IP address/ hostname, port number and shared secret for the primary and/or secondary RADIUS accounting servers. 4. Click Save to save the changes. Configure Advanced Settings Configure the realm (domain) for the CLI and GUI users using the Advanced Settings section. You can also specify how the real name is to be appended to the user name (prefix notation or postfix notation). Select the Use Prefix Notation check box to use a prefix notation. Postfix notation is used when this check box is not selected. To configure advanced settings, do the following. 1. Go to Configuration->User Accounts->RADIUS Configuration. 2. Enter the realm for CLI users in CLI.. 3. Enter the realm for GUI users in GUI. 4. Select the Use Prefix Notation check box to use a prefix notation. Postfix notation is used when this check box is not selected. 5. Click Save to save the changes made. Restore Default Settings By default, RADIUS authentication is disabled. To restore this default setting, do the following. 1. Go to Configuration->User Accounts->RADIUS Configuration.

AirTight Management Console User Guide 20 2. Click Restore Defaults. 3. Click Save to save the changes. Copy RADIUS Configuration to Another Server You can copy the RADIUS configuration from one server to another server when both servers are part of the same server cluster. You can copy RADIUS configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. Note: When a RADIUS configuration is copied to another server, the value of the Locations field in the replicated policy on the destination server is set to 'root' (location). To copy RADIUS configuration, do the following. 1. Go to Configuration>User Accounts>RADIUS Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the RADIUS configuration is to be copied. 4. Select the server to which the RADIUS configuration is to be copied. 5. Click OK to copy the RADIUS configuration. Configure Parameters for Certificate-based authentication AirTight Management Console supports user authentication using digital certificates. Configure the settings for user authentication using the Configuration>User Accounts>Certificate Configuration option. There are four ways to authenticate users - password only, certificate only, certificate and password and certificate or password. Password only: In this option, the user authentication is performed using the password. The user has to enter the user name and the password at the login prompt. The password may be locally verified by the system or may be verified using the external LDAP or RADIUS authentication service, as appropriate. Certificate only: In this option, the user authentication is performed using the client certificate (such as smart card). The user has to insert a smart card containing the client certificate in a reader attached to the computer from where the console is accessed and then press the Login button. The system then verifies the client certificate and obtains user identity (user name) from the certificate. Other attributes for the user are retrieved either locally or from the external authentication services such as LDAP or RADIUS, as appropriate. When this authentication option is set, the login screen appears as follows: Certificate and Password: In this option, both the client certificate and the password are required for the user authentication. The user has to insert a smart card containing the client certificate in a reader attached to the computer from where the console is accessed, as well as enter the password at the login prompt. The system verifies the password locally or using the external LDAP or RADIUS authentication service, as appropriate. When this authentication option is set, the login screen appears as follows: Certificate or Password: In this option, the user authentication is permitted either using the password or using the client certificate. This option is appropriate for organizations which have only partially migrated to using smart cards for authentication. At login prompt, the user can select certificate authentication by checking the Use certificate for login box or continue with password authentication by entering login name and password. When this authentication option is set, the login screen appears as follows:

AirTight Management Console Configuration 21 The required authentication option can be activated based on the various combinations of the Enable certificate based authentication box, Allow access without certificate box, and Users must provide password along with certificate box. The following table describes the activation of the authentication options based on the check boxes selected by the user. Authentication option to activate Check box to be selected Enable certificate based authentication Allow access without certificate Users must provide password along with certificate Password only No - - Certificate only Yes No No Certificate and password Yes No Yes Certificate or password Yes Yes No Note: In order to use certificate based authentication, it is necessary that the GUI host is able to access the server at TCP port 4433. If there is a firewall between the GUI host and the server, port 4433 must be opened from the host to the server. When either Certificate only, Certificate and Password, or Certificate or Password option is activated, the additional details should be provided as follows • The field in the client certificate from which user identity can be retrieved by AirTight Management Console. • Root CA certificates to facilitate the verification of the client certificate. • Preferred method to check for certificate revocation. Restore Certificate Configuration Defaults By default, certificate-based authentication is disabled. To restore this default value, do the following. 1. Go to Configuration>User Accounts>Certificate Configuration. 2. Click Restore Defaults. 3. Click Save to save the changes. Copy Certificate Configuration to Another Server You can copy the Certificate configuration from one server to another server when both servers are part of the same server cluster. You can copy Certificate configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy Certificate configuration, do the following. 1. Go to Configuration>User Accounts>Certificate Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the certificate configuration is to be copied. 4. Select the server to which the certificate configuration is to be copied. 5. Click OK to copy the certificate configuration,

AirTight Management Console User Guide 22 Wireless Intrusion Prevention System A Wi-Fi network is easy to set up by way of access points. Small plug-and-play devices can act as access points. Smart phones and tablets that are now widely used, are also Wi-Fi enabled. They can act as mobile hotspots. Wireless clients can connect to any such access points and easily access a network that is not adequately protected against such wireless threats. Thus, a network can become vulnerable to wireless attacks. It is therefore important to understand and control the authorized and unauthorized access to networks. A proper wireless intrusion prevention (WIPS) policy needs to be in place to prevent unauthorized access to a network. The rules for wireless intrusion prevention into the network can be configured using Configuration>WIPS. You can set the rules for WIPS using the options seen under Configuration>WIPS. AirTight Management Console provides you the flexibility to set a generic WIPS policy for all locations in the organization, or a location-wise WIPS policy for individual locations. You can have WIPS activated at some locations and deactivated at others. Make sure that you have defined your location tree before you can proceed with WIPS configuration. You must have administrator privileges to do the WIPS settings. Specify the authorized WLAN policy templates to identify authorized APs, using Configuration>WIPS>Authorized WLAN Policy. This is inherited, by default, from the parent location. It can also be customized for a location. Configure the policy to auto-classify the APs detected by AirTight WIPS, using Configuration>WIPS>AP auto-classification. This is inherited, by default, from the parent location. It can also be customized for a location. Configure the policy to auto-classify clients detected by AirTight WIPS, using Configuration>WIPS>Client auto-classification. This is inherited, by default, from the parent location. It can also be customized for a location. Define the intrusion prevention policy, using Configuration>WIPS>Intrusion Prevention. This is inherited, by default, from the parent location. It can also be customized for a location. Activate or deactivate intrusion prevention for the selected location, using Configuration>WIPS>Intrusion Prevention Activation. This is location specific. You need to first select the desired location from the location tree. Then you use the Intrusion Prevention Activation option to activate or deactivate intrusion prevention for this location. Import device lists that can be referred to for AP/Client classification, using Configuration>WIPS>Import Devices. This is location specific. You need to first select the desired location from the location tree. Then you use the Import Devices option to import devices for this location. You can manage banned device list with the Configuration>WIPS>Banned Device List option. You can manage hotspot SSID list with the Configuration>WIPS>Hotspot SSIDs option. You can manage hotspot SSID list with the Configuration>WIPS>Vulnerable SSIDs option. You can manage the smart device types used in smart device detection with the Configuration>WIPS>Smart Device Types option. You can lock the list of authorized AP and/or clients for a location using the Configuration>WIPS>Device List Locking option.

AirTight Management Console Configuration 23 Manage Authorized WLAN Policy Specify the Authorized WLAN policy templates for the selected location in the location hierarchy using Configuration>WIPS>Authorized WLAN Policy. Authorized WLAN policy for a location includes a set of one or more policy templates that define the properties of one or more authorized wireless networks. A policy template is a collection of different network related settings such as wireless network protocols, encryption protocol used, allowed network SSIDs, security settings, authentication type used, allowed networks and so on. An authorized WLAN policy also specifies what networks are restricted from having Wi-Fi APs on them. Apart from this, you can also specify what APs to categorize as rogue or authorized APs based on their RSSI signal strength. All these parameters together constitute an authorized WLAN policy. The RSSI of a device is statistical parameter. Using the RSSI feature can cause legitimate neighborhood APs to be classified as Rogues and subjected to containment if automatic prevention is enabled. This will cause neighbor Wi-Fi disruption since clients, including the legitimate neighborhood clients, will NOT be able to connect to the Rogue AP under containment. Even if the intention is to use RSSI to identify APs that are within the facility, it will not always work since low power APs such as soft APs, hotspot APs running on smart phones, USB APs, etc. or APs which are away from RSSI measurement point will still not get classified as Rogue APs due to not meeting the RSSI threshold. Policy templates aid in the classification of APs. A new AP or an existing Authorized AP is compared against the templates to determine if it is a rogue or misconfigured AP. Any AP at a location that does not comply with the WLAN policy attached to that location, is not considered to be an authorized AP. You must apply the templates from the available list for the WLAN policy at that location. Authorized policy templates are used to identify authorized APs and constantly check that the actual Wi-Fi access parameters provisioned on the authorized APs meet the security policy. You can define multiple WLAN policy templates and assign them to each location. Any new AP that is added to a location is verified on the basis of the WLAN policy templates attached to that location. Any mismatch is used to detect misconfiguration of the Wi-Fi access network. The system uses the details of the authorized Wi-Fi setup at a particular location to detect the presence of misconfigured or rogue APs in your network. An AP is considered as being compliant to the Authorized WLAN Policy if: • It is not connected to a No Wi-Fi network for its location • Its SSID matches with one of the templates attached at that location • Is connected to one of the networks specified in that template • Conforms to the other settings in that template (except the Authentication Framework, as this setting is not a property of the AP itself but of the backend authentication system). Note: If the template specifies certain allowed AP capabilities (such as Turbo, 802.11n, and so on), the AP may or may not have those capabilities. However, if a capability is not selected, the AP must not have that capability to be considered as compliant. With location-based policies, you can apply different sets of policy templates for different locations. However, you cannot attach more than one template with the same SSID at any one location. Only the policy templates that are applied to a location are used for AP classification at that location. Other templates that are configured but not applied to the location, will not be used for AP classification, as they are not a part of the WLAN policy for that location.

AirTight Management Console User Guide 24 The authorized policy templates created at other locations can be applied to a selected location but cannot be edited or deleted. The edit and delete operations are possible only at the location where the template is created. A child location automatically inherits the authorized WLAN policy from its parent. You can customize the WLAN policy for a child location. You can also switch back to an inherited policy in case you have created a customized policy. Configure Authorized WLAN Policy To configure an authorized WLAN policy for a location, do the following. 1. Select the location from the location tree. 2. Go to Configuration>WIPS>Authorized WLAN Policy. 3. If Wi-Fi has been deployed at the location, select the Wi-Fi is deployed at this location check box. The Policy Template and Select "No Wi-Fi" Networks sections on this page are enabled on selecting this check box. 4. If you want to use an existing policy template, click the Applied icon for the existing policy template to be applied to the location. Alternatively, Click Add New Policy Template if no policy template exists, and add a new policy template. Refer to the Add Device Template or Edit Device Template subsection in the Manage Policy Templates section for details on how to add or edit a policy template. 5. If there are any networks at the location that are not allowed to have APs connected to them, a) Scroll down to the Select "No Wi-Fi" Networks section b) Click Add. The Add Networks dialog box appears. c) Enter the SSID or IP address of the network to add. 6. Define RSSI based classification, if the WIPS is intended for use in an isolated environment without much of a neighborhood activity like defense and military facilities. It is recommended to skip this section altogether in case of commercial or business district environments. Either of the following two mechanisms must be switched on to classify the APs. a) Enter the threshold RSSI value to use for preclassification of APs with signal strength stronger than this value as rogue or unauthorized APs. b)Select the Preclassify APs connected to monitored subnets as Rogue or Authorized APs to preclassify the APs connected to monitored subnets as rogue or authorized APs. 7. Click Save to save the changes. Edit Authorized WLAN Policy To edit an authorized WLAN policy for a location, do the following. 1. Select the location from the location tree. 1 Go to Configuration>WIPS>Authorized WLAN Policy. 2. If you want to apply an existing policy, click the Applied icon for that policy in the policy template list. 3. If you want to make changes to the policy template, click the policy template link in the policy template list. If you want to add a new policy template click Add New Policy Template, and add a new policy template. Refer to the Add Device Template or Edit Device Template subsections in the Manage Policy Templates section for details on how to add or edit a policy template. 4. If there are any networks at the location that are not allowed to have APs connected to them, a) Scroll down to the Select "No Wi-Fi" Networks section b) Click Add. The Add Networks dialog box appears. c) Enter the SSID or IP address of the network to add. 5. Define RSSI based classification, if the WIPS is intended for use in an isolated environment without much of a neighborhood activity like defense and military facilities. It is recommended to skip this

AirTight Management Console Configuration 25 section altogether in case of commercial or business district environments. Either of the following two mechanisms must be switched on to classify the APs. a) Enter the threshold RSSI value to use for preclassification of APs with signal strength stronger than this value as rogue or unauthorized APs. b)Select the Preclassify APs connected to monitored subnets as Rogue or Authorized APs to preclassify the APs connected to monitored subnets as rogue or authorized APs. 6. Click Save to save the changes. Configure AP Auto-classification Policy The AP Auto-Classification policy function enables you to specify the AP classification policy for different AP categories. It is important to know about the authenticity of APs in the network as unauthorized APs can cause irreparable damage to your network and business. AP classification is of prime importance in WIPS implementation. A diagrammatic representation of AP classification is shown below. AP classification Under External APs, AirTight recommends that you select Automatically move Potentially External APs in the Uncategorized list to the External Folder. The system automatically removes an AP from the External folder and moves it to an appropriate AP folder if it later detects that the AP is wired to the enterprise network. Under Rogue APs, AirTight recommends that you select Automatically move Potentially External APs in the Uncategorized list to the Rogue folder. Note: Once you move an AP to the Rogue folder, the system never automatically removes it from the Rogue folder, even if it later detects that the AP is unwired from the enterprise network or its security settings have changed.

AirTight Management Console User Guide 26 Configure Client Auto-classification Policy The client auto-classification policy determines how clients are classified upon initial discovery and subsequent associations with APs. Client auto classification Define how the system should automatically classify the detected wireless clients at the selected location based on their initial discovery and subsequent AP associations. This policy is automatically inherited by child locations of the selected location. The intrusion prevention actions enforced on the wireless clients are based on their classification in the system. If a client is ever manually classified, then it is never automatically classified by the system until it is deleted from the system and rediscovered. Under Initial Classification, select the Automatically classify newly discovered Clients at this location as check box and specify if newly discovered clients at a particular location, which are Uncategorized by default should be classified as External, Authorized or Guest. Under Automatic Client Classification, select one or more options to enable the system automatically re-classify Uncategorized and Unauthorized Clients based on their associations with APs. You can categorize the following types of clients. • Clients running AirTight Mobile • All External Clients running AirTight Mobile are classified as Authorized • All Uncategorized Clients running AirTight Mobile are classified as Authorized • All Rogue Clients running AirTight Mobile are classified as Authorized

AirTight Management Console Configuration 27 • All Guest Clients running AirTight Mobile are classified as Authorized • Clients connecting to Authorized APs • All External Clients that connect to an Authorized AP are re-classified as Authorized • All Uncategorized Clients that connect to an Authorized AP are reclassified as Authorized • All Guest Clients that connect to an Authorized AP are reclassified as Authorized You can select the following exceptions. • Do not reclassify a Client connecting to a Misconfigured AP as Authorized • Do not reclassify a Client if its wireless data packets are not detected on the wired network (except if the connection is reported by WLAN controller). Classification for clients connecting to Authorized APs Click Advanced to configure the auto classification settings for clients connecting to guest APs and external APs. • Clients connecting to Guest APs • All External Clients that connect to a Guest AP are reclassified as Guest • All Uncategorized Clients that connect to a Guest AP are reclassified as Guest You can select the following exceptions • Do not re-classify a Client connecting to a Mis-configured AP as Guest • Do not re-classify a Client as Guest if its wireless data packets are not detected on the wired network (except if the connection is reported by WLAN controller)

AirTight Management Console User Guide 28 Classification for Clients connecting to Guest APs • Clients connecting to External APs • All Uncategorized Clients that connect to an External AP are reclassified as External • All Uncategorized Clients that connect to a Potentially External AP are classified as External • All Guest Clients that connect to an External AP are re-classified as External • All Guest Clients that connect to a Potentially External AP are re-classified as External

AirTight Management Console Configuration 29 Classification of Clients connecting to External APs • Clients connecting to Rogue APs • All Clients other than Authorized Clients that connect to a Rogue AP are (re)classified as Rogue • All Clients other than Authorized Clients that connect to a Potentially Rogue AP are classified as Rogue Classsification of Clients connecting to Rogue APs

AirTight Management Console User Guide 30 • Bridging to the Corporate Network • Classify any non-authorized Client as Rogue if it is detected as bridging Wi-Fi to the corporate network • RSSI Based Classification You can enable RSSI based client classification for uncategorized clients and/or external clients and configure RSSI based classification for them. Specify a RSSI threshold and the category for such clients. Classification of Clients bridging to corporate network and RSSI based classification Intrusion Prevention The Intrusion Prevention Policy determines the wireless threats against which the system protects the network automatically. The system automatically moves such threat-posing APs and Clients to quarantine. The system can protect against multiple threats simultaneously based on the selected Intrusion Prevention level. If the server quarantines an AP or Client based on the Intrusion Prevention policy, the Disable Auto-quarantine option ensures that the system will not automatically quarantine this AP or Client (regardless of the specified Intrusion Prevention policies). AirTight Management Console can prevent any unwanted communication in your 802.11 network. It provides you various levels of prevention-blocking mechanisms of varying effectiveness. Intrusion

AirTight Management Console Configuration 31 Prevention Level enables you to specify a trade-off between the desired level of prevention and the desired number of multiple simultaneous preventions across radio channels. The greater the number of channels across which simultaneous prevention is desired, the lesser is the effectiveness of prevention in inhibiting unwanted communication. Scanning for new devices continues regardless of the chosen prevention level. You can select from the following intrusion prevention levels: • Block: A single sensor can block unwanted communication on any one channel in the 802.11b/g band and any one channel in the 802.11a band. • Disrupt: A single sensor can disrupt unwanted communication on any two channels in the 802.11b/g band and any two channels in the 802.11a band. • Interrupt: A single sensor can interrupt unwanted communication on any three channels in the 802.11b/g band and any three channels in the 802.11a band. • Degrade: A single sensor can degrade the performance of unwanted communication on any four channels in 802.11b/g band and any four channels in the 802.11a band. Block is the most powerful prevention level, that is, it can severely block almost all popular Internet applications including ping, SSH, Telnet, FTP, HTTP, and the like. However, at this level, a single sensor can simultaneously prevent unwanted communication on only one channel in the 802.11b/g band and one channel in the 802.11a band. If you want the sensor to prevent unwanted communication on multiple channels simultaneously in the 802.11 b/g and/or the 802.11a band, you must select other prevention levels. Note: Prevention Type determines the blocking strength to prevent communication from unwanted APs and Clients. The system can prevent multiple APs and Clients on each channel. Prevention Type is not applicable for Denial of Service (DoS) attacks or ad hoc networks. You must select a lower blocking level to prevent devices on more channels. Choosing a lower blocking level means that some packets from the blocked device may go through. You can enable intrusion prevention against the following threats • Rogue APs: APs connected to your network but not authorized by the administrator; an attacker can gain access to your network through the Rogue APs. You can also automatically quarantine uncategorized, indeterminate and banned APs connected to the network. • Misconfigured APs: APs authorized by the administrator but do not conform to the security policy; an attacker can gain access to your network through misconfigured APs. This could happen if the APs are reset, tampered with, or if there is a change in the security policy. • Client Misassociations: Authorized Clients that connect to rogue or external (neighboring) APs; corporate data on the authorized client is under threat due to such connections. AirTight recommends that you provide automatic intrusion prevention against authorized clients that connect to rogue or external APs. There is a special intrusion prevention policy for the smart devices that are not approved. Even if a current client policy restricts authorized clients from connecting to a guest AP, an unapproved smart device can still be allowed to do so. One needs to explicitly allow or restrict unapproved smart devices from connecting to a guest AP. Click Special Handling for Smart Devices to enable special handling for unapproved smart devices. You can allow the unapproved smart device to connect to a guest AP only. To do this, 1. Select Enable Special Handling for Unapproved Smart Devices. 2. Select Allow connection to Guest AP, but not Authorized AP. To disallow the unapproved smart device from connecting to both a guest AP as well as an authorized AP, select Do not allow connection to Guest AP and Authorized AP.

AirTight Management Console User Guide 32 Wireless Threats Following is a diagrammatic representation of the various wireless threats. Wireless Threats Non-authorized Associations: Non-authorized and Banned Clients that connect to Authorized APs; an attacker can gain access to your network through Authorized APs if the security mechanisms are weak. Non-authorized or Uncategorized Client connections to an Authorized AP using a Guest SSID are not treated as unauthorized associations. • Associations to Guest APs: External and Uncategorized Clients that connect to Guest APs are classified as Guest Clients. The Clients connected to a wired network or a MisConfigured AP can be specified as exceptions to this policy. • Ad hoc Connections: Peer-to-peer connections between Clients; corporate data on the Authorized Client is under threat if it is involved in an ad hoc connection. • MAC Spoofing: An AP that spoofs the wireless MAC address of an Authorized AP; an attacker can launch an attack through a MAC spoofing AP. • Honeypot/Evil Twin APs: Neighboring APs that have the same SSID as an Authorized AP; Authorized Clients can connect to Honeypot/Evil Twin APs. Corporate data on these Authorized Clients is under threat due to such connections. • Denial of Service (DoS) Attacks: DoS attacks degrade the performance of an official WLAN. • WEPGuard TM: Active WEP cracking tools allow attackers to crack the WEP key and gain access to confidential data in a matter of minutes or even seconds. Compromised WEP keys are used to gain entry into the authorized WLAN by spoofing the MAC address of an inactive Authorized Client. • Client Bridging/ICS: A Client with packet forwarding enabled between wired and wireless interfaces. An authorized Client bridging and unauthorized/uncategorized bridging Client connected to enterprise subnet is a serious security threat. Activate Intrusion Prevention for Location

AirTight Management Console Configuration 33 Activate intrusion prevention for a location using the Configuration>WIPS>Intrusion Prevention Activation option. The following figure explains intrusion prevention activation. Intrusion Prevention Activation The intrusion prevention policy is a location specific policy - it cannot be inherited from the parent location. Authorized APs should be in the Authorized folder before activating intrusion prevention. Their network connectivity icon may show the status as Wired, Unwired, or Indeterminate. If you deploy new Authorized APs later, you do not have to deactivate intrusion prevention. However, you need to ensure that the newly deployed APs are moved to the Authorized folder. AirTight recommends that you select the Activate Intrusion Prevention for <location> check box for the selected location only after the deployment is stable and fully configured. If you are modifying a deployment, clear the Activate Intrusion Prevention for <location> check box to avoid spurious activity during the transient phase. Click Save to the change. Click Cancel to cancel the change. Click Restore Defaults to restore the default value. Import Device List

AirTight Management Console User Guide 34 Importing an authorized AP List and an authorized or unauthorized client list is an efficient alternative to manual movement of these devices into the authorized / unauthorized bins. After successfully importing these lists, the system automatically classifies the APs and Clients in the respective lists as authorized or unauthorized. This is a location specific property and cannot be inherited from the parent location folder. You need administrator rights to import a device list. You can import authorized AP list, authorized client list, guest client list, rogue client list, and AirTight device list into AirTight Management Console using the Configuration>WIPS>Import Devices option. Format of the .txt or.csv file containing the AP/Client data Each line has comma separated list of MAC Address, IP Address, Device Name. For example, 11:11:11:11:11:11,192.168.8.1,name1 11:11:11:11:11:12,192.168.8.2,name2 11:11:11:11:11:13,192.168.8.3,name3 11:11:11:11:11:14,192.168.8.4,name4 11:11:11:11:11:15,192.168.8.5,name5 11:11:11:11:11:16,192.168.8.6,name6 11:11:11:11:11:17,192.168.8.7,name7 Format of.txt or .csv file containing the AirTight Device data Each line has comma separated list of MAC Address, Device Name. For example, 44:77:11:22:44:77, name1 44:77:11:22:11:12, name2 44:77:11:22:11:13, name3 44:77:11:22:11:14, name4 44:77:11:22:11:15, name5 Points to remember • Once you move an AP to the Authorized folder, AirTight Management Console never removes it from the Authorized folder automatically, even if the AP is unwired from the enterprise network. • When you import APs from the list, policy settings in the Setup Wizard do not affect these APs. • When you import sensors from the list, you can delete these sensors only from the Devices page. • When you import clients from the list, policy settings in the Setup Wizard do not affect these clients. To import devices, do the following. 1. Select the appropriate option from the Import list box, depending on whether you want to import an authorized AP list, an authorized client list, a guest client list, a rogue client list, or a sensor list. The text on the command button below the device list changes based on your selection. For instance, if you select the option Import Authorized Client List from the list box, the text on the command button changes to Import Authorized Client List. 2. Under the Auto Tag Devices area, select Auto tag Devices to automatically tag the device(s) to the selected location. Select Manually Tag Devices to, to manually tag the device(s) to the selected location. 3. Enter the MAC address, IP address and name of the AP or client. If the device is a sensor, enter the MAC address and the name of the sensor. Alternatively, you can specify a filename containing the AP/client/sensor data. Click Autofill using File, and select the .txt or .csv file containing the AP/client/sensor data. 4. Click Import Authorized AP List to import the list of authorized APs. Click Import Authorized Client List to import the list of authorized clients. Click Import Guest Client List to import the list of guest

AirTight Management Console Configuration 35 clients. Click Import Rogue Client List to import the lists of rogue clients. Click Import Sensor List to import the list of sensors. The file has to be a text file or a csv file. Refer to the subsequent sections for the text and csv file formats for the AP, client and sensor lists. Once imported successfully, the devices are seen under their respective tabs on the Devices page. The Dashboard page also reflects the activity of the newly imported sensors, APs, and clients. Delete device details from device list To delete the device details from the device list, do the following. 1. Select the AP/client/sensor row and click the corresponding Delete hyperlink. 2. Click Yes when asked to confirm deletion. Manage Banned Device List You can create and manage a list of banned APs and banned clients using the Configuration>WIPS>Banned Device List option. If the devices from this list are detected, they are not classified as rogue devices. Create banned AP list You can add the wireless MAC addresses of APs that are blacklisted in your organization. If APs with these MAC addresses become visible, AirTight Management Console generates an alert. You can either enter individual AP MAC addresses or to import a list of banned APs in to the database. To add an individual AP MAC address, do the following. 1. Go to Configuration>WIPS>Banned Device List. 2. Click to expand Banned AP List. 3. Click Add MAC Address. The Add to Banned List dialog box appears. 4. Click Add MAC Address under Banned AP list and enter the MAC Address of a banned AP. You can add one or more banned AP MAC addresses in this manner. You can also import a list of AP MAC addresses from a file. The file containing the list of AP MAC addresses must be a CSV file. To import a file containing a list of AP MAC addresses, do the following. 1. Go to Configuration>WIPS>Banned Device List 2. Click to expand Banned AP List. 3. Click Add MAC Address. The Add to Banned List dialog box appears. 4. Click File Upload. 5. Click Choose File to choose the file and then click Upload to upload the selected file. 6. Click Add to add the imported AP MAC addresses to the banned device list. Create banned Client list You define the wireless MAC addresses of Clients that are blacklisted in your organization. For example, such MAC addresses could belong to laptops of employees who are no longer with the organization. If APs with these MAC addresses become visible, AirTight Management Console generates an alert.

AirTight Management Console User Guide 36 You can either enter individual client MAC addresses or to import a list of banned clients to the database. To add an individual client MAC address, do the following. 1. Go to Configuration>WIPS>Banned Device List. 2. Click to expand Banned Client List. 3. Click Add MAC Address. The Add to Banned List dialog box appears. 4. Click Add Device link to add a MAC address manually. 5. Enter the MAC address to add. You can add one or more banned client MAC addresses in this manner. 6. Click Add to add the devices to the banned device list. You can also import a list of client MAC addresses. The file containing the list of client MAC addresses must be a CSV file. To import a file containing a list of client MAC addresses, do the following. 1. Go to Configuration>WIPS>Banned Device List. 2. Click to expand Banned Client List. 3. Click Add MAC Address. The Add to Banned List dialog box appears. 4. Click File Upload. 5. Click Choose File to choose the file and then click Upload to upload the selected file. 6. Click Add to add the imported client MAC addresses to the banned device list. Delete Banned Device 1. Go to Configuration>WIPS>Banned Device List. 2. Click the Delete link for the device to be deleted. A confirmation message is displayed to confirm deletion. 3. Click Yes to confirm deletion Copy Banned Device List to Another Server You can copy the banned device list from one server to another server when both servers are part of the same server cluster. You can copy banned device list from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy banned device list, do the following. 1. Go to Configuration>WIPS>Banned Device List on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the banned device list is to be copied. 4. Select the server to which the banned device list to be copied. 5. Click OK to copy the banned device list, Manage Hotspot SSIDs Configure and manage a list of hotspot SSIDs using the Configuration->WIPS-> Advanced Settings->Hotspot SSIDs option. It is highly likely that hotspot APs are present in the enterprise neighborhood. If enterprise Client probes for well known hotspot SSID, it is at risk of connecting to the hotspot AP without the user necessarily knowing about it. Also if enterprise AP uses hotspot SSID on it, such an AP may attract undesirable Clients to connect to it.

AirTight Management Console Configuration 37 If you consider an SSID to be vulnerable to hackers, you can open the Hotspot SSIDs screen and enter the SSID under SSID (ASCII character string). Add Hotspot SSIDs The system lists commonly known SSIDs by default. To enter a blank SSID: that is, with no string, click <Add> without entering any text. The list shows the SSID as NULL. To add a hotpsot SSID, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID. 2. Click Add New Hotspot SSID. The Add New Hotspot SSID dialog box appears. 3. Enter a new hotspot SSID and click OK. If an AP with a hotspot SSID is detected, the system generates an event. Search Hotspot SSIDs To search for hotspot IDs, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID. 2. Type in the search string in the search SSID box and press the Enter key. A list of hotspot SSIDs matching the search criteria appears. To clear the search string, click the x icon next to the search SSID box. Delete Hotspot SSID To delete hotspot SSIDs, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID. 2. click Delete link for the SSID to be deleted. 3. Click Yes on the confirmation message to confirm the deletion of the hotspot SSID. Restore Default Hotspot SSID list To restore the default hotspot SSID list, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSIDs 2. Click Restore Defaults. A confirmation message prompting you to confirm the operation appears. 3. Click Yes. The default hotspot SSID list is restored. Copy Hotspot SSID List to Another Server You can copy the list of hotspot SSIDs from one server to another server when both servers are part of the same server cluster. You can copy a list of hotspot SSIDs from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy a list of hotspot SSIDs, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSIDs on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the list of hotspot SSIDs is to be copied.

AirTight Management Console User Guide 38 4. Select the server to which the list of hotspot SSIDs is to be copied. 5. Click OK to copy the list of hotspot SSIDs. Manage Vulnerable SSIDs Configure and manage a list of vulnerable SSIDs using the Configuration>WIPS>Advanced Settings>Vulnerable SSIDs option. APs have well known default SSIDs and many users may not change these SSIDs when deploying the APs. Therefore it is highly likely that APs using default SSIDs are present in the enterprise neighborhood. If an enterprise Client probes for a default SSID, it is at risk of connecting to the neighborhood AP without the user necessarily knowing about it. Also if an enterprise AP uses a default SSID, such an AP may attract undesirable clients to connect to it. Add Vulnerable SSID If you consider an SSID to be vulnerable to hackers, you can add the SSID to the Vulnerable SSIDs list. To add a vulnerable SSID, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs. 2. Click Add New Vulnerable SSID. 3. Enter the SSID and click OK to add it to the list of vulnerable SSIDs. If an AP point with a vulnerable SSID is detected, the system generates an event. Note: Commonly known SSIDs are listed by default. To enter a blank SSID: no string, click Add without entering any text. The list shows the SSID as NULL. Search Vulnerable SSID To search a vulnerable SSID, do the following. 1. Go to Configuration->WIPS-> Advanced Settings->Vulnerable SSIDs 2. Type in the search string in the search SSID box and press the Enter key. A list of vulnerable SSIDs matching the search criteria is displayed. To clear the search string, click the x icon next to the search SSID box. Delete Vulnerable SSID To delete a vulnerable SSID, do the following. 1. Go to Configuration->WIPS-> Advanced Settings->Vulnerable SSIDs 2. Click Delete link for the SSID to be deleted. 3. Click Yes on the confirmation message to confirm the deletion of the vulnerable SSID. Restore Default Vulnerable SSID list To restore the default vulnerable SSID list, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs 2. Click Restore Defaults. A confirmation message prompting you to confirm the operation appears.

AirTight Management Console Configuration 39 3. Click Yes. The default vulnerable SSID list is restored. Copy Vulnerable SSID List to Another Server You can copy the list of vulnerable SSIDs from one server to another server when both servers are part of the same server cluster. You can copy a list of vulnerable SSIDs from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy a list of vulnerable SSIDs, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the list of vulnerable SSIDs is to be copied. 4. Select the server to which the list of vulnerable SSIDs is to be copied. 5. Click OK to copy the list of vulnerable SSIDs. Manage Smart Device Types You can view, add, and delete the smart device types using the Configuration->WIPS-> Advanced Settings->Smart Device Type option. The Smart Device Type page shows the system-defined smart device types, and the user-defined smart device types, if any. Add Smart Device Type You can add to the list of predefined smart device types. To add a new smart device type, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type. 2. Click Add new smart device type. The Add new smart device type dialog box appears. 3. Enter the Smart Device Type. 4. Click OK to add the smart device type to the existing list of smart device types. Delete Smart Device Type You can delete only the smart device types that have been manually added. You cannot delete the system-defined smart device types. To delete a user-defined smart device type, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type 2. Select the smart device type and click Delete. A message appears prompting you to confirm the deletion. 3. Click Yes to confirm the deletion. Copy Smart Device Types List to Another Server You can copy the list of smart device types from one server to another server when both servers are part of the same server cluster. You can copy a list of smart device types from child server to child server,

AirTight Management Console User Guide 40 parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy a list of smart device types, do the following. 1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the list of smart device types is to be copied. 4. Select the server to which the list of smart device types is to be copied. 5. Click OK to copy the list of smart device types.

AirTight Management Console Configuration 47 Limit number of associations This field specifies the maximum number of clients that can associate with the AP. You can select the check box and then specify the number of clients. Security Mode This specifies the security mode applied to the virtual AP. The possible values are Open, WEP, WPA, WPA2, WPA and WPA2 mixed mode. Fields related to security mode WEP Authentication Type Select Open if the type of authentication is open. In case of open authentication, the key is used for encryption only. Select Shared if the authentication type is shared key. In case of shared key authentication, the same key is used for both encryption and authentication. WEP Type Select WEP40 if 40-bit WEP security is used. Select WEP104 if 104-bit WEP security is used. Key Type Select ASCII option if you are comfortable with ASCII format and want to enter WEP key in that format. The Sensor/AP combo converts it to hexadecimal internally. Select HEX option if you are comfortable with hexadecimal format and want to enter WEP key in that format. Key WEP key is a sequence of hexadecimal digits. If WEP Type is WEP40, enter the key as a 5 character ASCII key or a 10 digit hexadecimal key, depending on the Key Type selected by you. If WEP Type is WEP104, enter the key as a 13 character ASCII key or a 26 digit hexadecimal key, depending on the Key Type selected by you. Show Key Select this check box to see the actual key on the screen. If this check box is cleared, the key is masked. Fields related to security mode WPA/WPA2/WPA and WPA2 Mixed Mode PSK Select the PSK option if you want to use a personal shared key. The Pass phrase field is enabled when this option is selected. Pass Phrase Specify the shared key of length 8-63 ASCII characters for PSK authentication Show Key Select this check box to see the actual pass phrase on the screen. If this check box is cleared, the key is masked. 802.1x Select 802.1x option if you want to use a RADIUS server for authentication. The fields on the Authentication and Accounting tabs are enabled on selecting this check boxYou can enable dynamic VLANs after selecting this check box.

AirTight Management Console Configuration 51 be able to define the GRE related parameters present on this page. Tunnel IP Address IP address of the GRE tunnel interface on the access point. This IP address should not conflict with any other network setting in the access point. Remote Endpoint IP Address IP address of the remote endpoint of the GRE tunnel. Key Key in the GRE header. If configured, key should be same at both ends of the tunnel. Key is not mandatory to be configured in GRE tunnel. Exempted Host/Network List List of comma separated network and/or IP addresses that are exempted from using the GRE tunnel. 5. Click Save to save the changes to the network settings. Edit Network Settings To edit network address translation settings, do the following. 1. Specify the VLAN ID for which the NAT settings would be applicable. 2. Deselect the NAT check box if you want to disable NAT and have a bridged network instead. In case you want to continue using NAT and only want to edit NAT settings, edit them as required. Field Description NAT Select this check box to enable NAT (network address translation). Start IP address The starting IP address of the DHCP address pool in the selected network ID. End IP address The end IP address of the DHCP address pool in the selected network ID. Local IP address An IP address in selected network ID outside of the DHCP address pool. This address is used as the gateway address for the guest wireless network. Subnet Mask The net mask for the selected network ID. Lease Time The DHCP lease time in minutes. Minimum value is 30 minutes,maximum value is 1440 minutes. DNS Servers The DNS servers that the guest clients can make DNS queries to. Enable Wired Extension Select this check box to extend this wireless LAN to the wired side using the second Ethernet port present on AirTight device functioning as an access point. 3. Select the GRE check box if you want to enable Generic Routing Encapsulation (GRE). The following table describes the Generic Routing Encapsulation related fields. Field Description GRE Select this check box to enable Generic Routing Encapsulation and to be able to define the GRE related parameters present on this page. Tunnel IP Address IP address of the GRE tunnel interface on the access point. This IP address should not conflict with any other network setting in the access point. Remote Endpoint IP address of the remote endpoint of the GRE tunnel.

AirTight Management Console Configuration 55 (a) Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP protocol. (b) AirTight AP intercepts this request and throws a portal page hosted on AP to guest user. (c) Guest user will accept terms and condition and submits on portal page. (d) AP will open gate for the client and client will be redirected to redirect URL (if any) or original requested URL. Following is a pictorial representation of AP hosted splash page with click through. 2. External Splash Page for Sign-In/Click-through: The portal is hosted on an external server. The portal is either click-through without any authentication or has its own authentication mechanism in place. Steps involved in this type of access are as follows. (a) Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP protocol. (b) AirTight AP intercepts this request and redirects the browser to the configured external portal page along with the request parameters as the GET parameters of the redirected URL. (c) Portal will authenticate guest user by prompting sign-in or click-through splash page on wireless user. (d) After authentication, portal will redirect client to AP with success or failure reply. If AP and portal is configured with shared secret. Portal will send validation code using which AP will validate reply from Portal. Using shared secret between AP and portal would avoid fake user to get access using spoofing attack. (e) After successful validation AP will open gate for the client and client will be redirected to redirect URL (if any) or original requested URL. Following is a pictorial representation of External splash page for Sign-in/click-through

AirTight Management Console User Guide 56 3. External Splash Page with RADIUS Authentication: The guest user is redirected to a portal hosted on an external server. The guest user is authenticated by a RADIUS server, when he logs in to the external portal. Steps involved in this type of access are as follows (a) Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP protocol (b) AirTight AP intercepts this request and redirects the browser to the configured external portal page along with the request parameters as the GET parameters of the redirected URL. (c) Portal will prompt the user with the splash page to enter username and password. (d) User will submit username and password. (e) Portal will redirect guest user to AP with username and encoded password using shared secret. (f) Airtight AP will authenticate guest user by RADIUS server using username and decoded password. (g) RADIUS server will reply with Access Accept or Reject message for guest user. (h) Airtight AP will open the Internet access for the client and redirect client to Redirect URL (if any) or original requested URL. Following is a pictorial representation of External splash page with RADIUS authentication.

AirTight Management Console Configuration 57 Set up Walled Garden A walled garden is a method to provide restricted access to the Internet. Walled garden destination(s) can be accessed at the specified port numbers without displaying the splash page. Domain (e.g. domain.com) also covers its subdomains (e.g. subdomain.domain.com). Configure a list of exempted domains, subdomains, IP address ranges and port numbers. (E.g. 192.168.1.0/24) . Services on these IP addresses can be accessed without redirection to the portal page. If some part of the portal page (e.g., images) is placed on a web server, the web server’s IP address must be included in this list for the content to be successfully displayed. If the mode of authentication is External Splash page for Sign-in/Click-through, you can restrict access to walled garden destinations unless the guest user accepts the terms and conditions specified on the splash page. Do the following to set up a walled garden. 1. Click Add. The Add Destination dialog opens. 2. Enter the details. Field Description Destination domain name, sub domain name, host name, subnet or IP address to which the rule applies. You can provide a comma-separated list of more than one host names here. For example, 192.168.8.173, www.facebook.com,192.168.121.0/24. Port port number. You can provide a comma-separated list of port numbers or port ranges here. For example, 20-22, 81, 443. 3. To delete an exempted destination, select the entry and click Remove. Configure Captive Portal Settings

AirTight Management Console User Guide 58 To configure captive portal settings, do the following. 1. Select the Enable Captive Portal check box to display a portal page to be shown to the client on using the guest network. 2. Select the mode of access to the Internet through the captive portal. Do one of the following: (a) Select the AP Hosted Splash Page with click through option. You must create a .zip file of the portal page along with any other files like images, style sheets etc and upload this file. The zip file must satisfy the following requirements for the portal to work correctly. a. The zip file should have a file with the name “index.html” at the root level (i.e., outside of any other folder). This is the main portal page. It can have other files and folders, (and folder within folders) at the root level that are referenced by the index.html file. b. The total unzipped size of the files in the bundle should be less than 100 KB. In case, large images or other content is to be displayed on the page, this content can be placed on an external web server with references from the index.html file. In this case, the IP address of the external web server must be included in the list of exempt hosts (see below). c. The index.html file must contain the following HTML tags for the portal to work correctly: • A form element with the exact starting tag: <form method="POST" action="$action"> • A submit button inside the above form element with the name “mode_login”. For example: <input type=”image” name=”mode_login” src=”images/login.gif”>The exact tag: <input type="hidden" name="redirect" value="$redirect"> inside the above form element. You can download the factory default portal bundle file and use it as a template to create a custom portal bundle. Click Download Sample to download the factory default portal bundle file. Upload the portal bundle (default or custom). Click Choose File following Upload Bundle to upload the bundle. Click Open to upload the portal bundle.

AirTight Management Console Configuration 59 To restore the portal bundle to factory default file, click Restore Default. (b) Select the External Splash Page for Sign-in/Click-through option. Specify Splash Page URL, using which wireless user will be redirected to external portal. This portal will prompt wireless user to enter username and password. You must select the check box for the shared secret, if applicable, and specify the shared secret for SSID-external portal communication. If you want the guest user to accept the terms and conditions on the splash page before being able to access walled garden destinations, select the Restrict access to Walled Garden check box. If this check box is not selected, the guest user is able to access the walled garden destinations without accepting the terms and conditions on the splash page. (c) Select External Splash Page with RADIUS Authentication. In this case, you also need to specify the following fields Splash Page URL, using which wireless user will be redirected to external portal. You must enter a shared secret for SSID-external portal communication. Click RADIUS settings hyperlink to configure RADIUS server settings, using which the AP will actually authenticate the wireless user. Specify the primary and optionally, secondary authentication server details. Field Description Called station ID a free form text parameter that the AP passes to the RADIUS server in the standard RADIUS parameter,'Called-Station-Id ', during the authentication process. The special format specifier ' %m' can be specified which will be expanded to the Ethernet MAC address of the AP. NAS ID This field is used when a network access server (NAS) serves as a single point to access network resources. Generally, a NAS supports hundreds of simultaneous users. When a RADIUS client connects to a NAS, the NAS sends access request packets to the RADIUS server. These packets must contain either the NAS IP address or the NAS identifier. The NAS ID or the NAS-Identifier is used to authenticate RADIUS clients with the RADIUS server. You can specify a string for the NAS ID. The default value is %m-%s, where %m represents the Ethernet MAC address of the AP and %s represents the SSID of the WLAN. This corresponds to the NAS-Identifier attribute on the RADIUS server. The attribute ID for the NAS-Identifier RADIUS attribute is 32. Ensure that the NAS ID is not the same as the shared secret configured for the RADIUS server in the RADIUS Authentication section. Primary Authentication server details Server IP IP address of primary authentication server. Port Number port number of primary authentication server listens for client requests. Shared Secret shared secret between the AP and primary authentication server. Secondary authentication server details Server IP IP address of secondary authentication server. Port Number port number of secondary authentication server listens for client requests. Shared Secret shared secret between the AP and secondary authentication server. If you want RADIUS accounting to be enabled, select the accounting check box and specify the accounting details, using which AP will actually authenticate wireless user. InRADIUS Server Settings specifyServer IPandPorton whichRADIUS server is running.

AirTight Management Console User Guide 62 User name field name for user name. Password field name for password. Note: The individual field names used by the AP should match the corresponding field names used by the external server hosting the portal. The AP and the external server may not be able to communicate if the name of the same parameter is different on either side. The fields in External Portal Parameters facilitate the field name change on the AirTight Wi-Fi / AirTight WIPS side. Edit Captive Portal Settings To edit captive portal settings, do the following. 1. Select the Enable Captive Portal check box to display a portal page to be shown to the client on using the guest network. 2. Select the mode of access to the Internet through the captive portal. Do one of the following: (a) Select the AP Hosted Splash Page with click through option. You must create a .zip file of the portal page along with any other files like images, style sheets etc and upload this file. The zip file must satisfy the following requirements for the portal to work correctly. a. The zip file should have a file with the name “index.html” at the root level (i.e., outside of any other folder). This is the main portal page. It can have other files and folders, (and folder within folders) at the root level that are referenced by the index.html file. b. The total unzipped size of the files in the bundle should be less than 100 KB. In case, large images or other content is to be displayed on the page, this content can be placed on an external web server with references from the index.html file. In this case, the IP address of the external web server must be included in the list of exempt hosts (see below). c. The index.html file must contain the following HTML tags for the portal to work correctly: • A form element with the exact starting tag: <form method="POST" action="$action"> • A submit button inside the above form element with the name “mode_login”. For example: <input type=”image” name=”mode_login” src=”images/login.gif”>The exact tag: <input type="hidden" name="redirect" value="$redirect"> inside the above form element. You can download the factory default portal bundle file and use it as a template to create a custom portal bundle. Click Download Sample to download the factory default portal bundle file. Upload the portal bundle (default or custom). Click Choose File following Upload Bundle to upload the bundle.

AirTight Management Console Configuration 63 Click Open to upload the portal bundle. To restore the portal bundle to factory default file, click Restore Default. (b) Select the External Splash Page for Sign-in/Click-through option. Specify Splash Page URL, using which wireless user will be redirected to external portal. This portal will prompt wireless user to enter username and password. You must select the check box for the shared secret, if applicable, and specify the shared secret for SSID-external portal communication. (c) Select External Splash Page with RADIUS Authentication. In this case, you also need to specify the following fields Splash Page URL, using which wireless user will be redirected to external portal. You must enter a shared secret for SSID-external portal communication. Click RADIUS settings hyperlink to configure RADIUS server settings, using which the AP will actually authenticate the wireless user. Specify the primary and optionally, secondary authentication server details. Field Description Called station id a free form text parameter that the AP passes to the RADIUS server in the standard RADIUS parameter,'Called-Station-Id ', during the authentication process. The special format specifier ' %m' can be specified which will be expanded to the Ethernet MAC address of the AP. Primary Authentication server details Server IP IP address of primary authentication server. Port Number port number of primary authentication server listens for client requests. Shared Secret shared secret between the AP and primary authentication server.

AirTight Management Console User Guide 66 here. For example, 192.168.8.173, www.facebook.com,192.168.121.0/24. Port port number. You can provide a comma-separated list of port numbers or port ranges here. For example, 20-22, 80, 443. Action if you want to block the traffic to or from the host option, select block. if you want to allow traffic to or from the host, select allow. Protocol network protocol. The following options are available. TCP: If the rule is for TCP-based communication, select the TCP option. UDP: If the rule is for UDP-based communication, select the UDP option. Other: If the rule is for a communication based on a protocol other than TCP and UDP, select Other. You must specify the protocol number in this case. Any: If the rule is for communication that is not protocol specific, select the Any option. Protocol No. protocol number. This field appears only when the selected protocol is Other Direction direction of network traffic. The following options are available. Outgoing: If the rule is to be applied to data going out of your network, that is, from wireless to wired, then select the Outgoing option. Incoming: If the rule is to be applied to data coming into your network, that is, from wired to wireless, select the Incoming option. Any: If the rule is to be applied to both outgoing and incoming traffic, select the Any option. For instance, if you want to allow or prevent users of your wireless network from accessing certain websites or domains, you can define the respective rule with direction as Outgoing. Similarly, if you want prevent certain hosts from accessing your wireless network, you can define the rule specific to this host name or domain name with direction as Incoming. For example, if you want to allow all incoming and outgoing TCP requests from and to the host 'mail.google.com', ports 80, 25, 110, 465, 995, you will specify the rule details as follows. Click Add New Rule to add the rule. Specify an appropriate name for the rule in Rule Name. Specify Host Name as 'mail.google.com, Port as 80, 25,110, 465, 995 Action as Allow, Protocol as TCP, Direction as Any. See the image below for the rule. Firewall Rule 4. Click Save to save the rule. Reorder Firewall Rules If you have more than 1 firewall rules defined, you can reorder them. Do the following to reorder the rules.

AirTight Management Console Configuration 67 1. Click the rule to move. 2. Hold the mouse down and drag the rule to the desired position, for instance between 2 other rules. 3. Release the mouse. The rule is placed at the new position. 4. Click Save to save the rule reordering. Edit Firewall Rule Do the following to add a firewall rule. 1. Click the radio button for the rule to edit. 2. Edit the rule details as specified in the following table. Field Description Rule Name name of the rule Host domain name, sub domain name, hostname or IP address to which the rule applies. You can provide a comma-separated list of more than one host names here. For example, 192.168.8.173, www.facebook.com, 192.168.121.0/24. Port port number. You can provide a comma-separated list of port numbers or port ranges here. For example, 20-22, 80, 443. Action if you want to block the traffic to or from the host option, select block. if you want to allow traffic to or from the host, select the allow option. Protocol network protocol. The following options are available. TCP: If the rule is for TCP-based communication, select the TCP option. UDP: If the rule is for UDP-based communication, select the UDP option. Other: If the rule is for a communication based on a protocol other than TCP and UDP, select Other. You must specify the protocol number in this case. Any: If the rule is for communication that is not protocol specific, select the Any option. Protocol No. protocol number. This field appears only when the selected protocol is 'other' Direction direction of network traffic. The following options are available. Outgoing: If the rule is to be applied to data going out of your network, that is, from wireless to wired, then select the Outgoing option. Incoming: If the rule is to be applied to data coming into your network, that is, from wired to wireless, select the Incoming option. Any: If the rule is to be applied to both outgoing and incoming traffic, select the Any option. For instance, if you want to allow or prevent users of your wireless network from accessing certain websites or domains, you can define the respective rule with direction as Outgoing. Similarly, if you want prevent certain hosts from accessing your wireless network, you can define the rule specific to this host name or domain name with direction as Incoming. Delete Firewall Rule Do the following to delete a rule. 1. Click the Delete hyperlink for a rule to delete the rule. 2. Click Yes on the message that appears, to confirm the delete operation. To cancel the delete operation click No.

AirTight Management Console Configuration 71 TOS value or 802.1p access category. The only exception will be DSCP value 46 which will be mapped to WMM access category 'Voice'. 5. Select the Upstream marking option as per the requirement. The incoming wireless access category is mapped to a priority subject to a maximum of the selected SSID priority and set in the 802.1p header and the IP header as selected. 6. Click Save to save the changes. Refer to the following table for downstream mapping. 802.1p Class of Service 802.11e/WMM access category 0 (Background) 1 (Background) 1 (Best Effort) 0 (Best Effort) 2 (Excellent Effort) 3 (Best Effort) 3 (Critical Apps) 4 (Video) 4 (Video) 5 (Video) 5 (Voice) 6 (Voice) 6 (Internetwork Ctrl) 7 (Voice) 7 (Network Ctrl) 7 (Voice) Refer to the following table for the priority, 802.11e/WMM access category and the corresponding 802.1p Class of Service and DSCP value, used for upstream marking. If 802.1p marking is enabled, the 802.11e/WMM access category maps to the corresponding 802.1p Class of Service. If DSCP/TOS marking is enabled, the 802.11e access category maps to the corresponding DSCP value. 802.11e/WMM access category 802.1p Class of Service DSCP 0 1 0 1 0 10 2 0 18 3 2 0 4 3 26 5 4 34 6 5 46 7 6 48 BYOD - Device Onboarding Device onboarding is a technique in which unapproved clients that are quarantined by the system are redirected to a configured splash page URL upon making any web access while all other communication is blocked. This technique can be enabled for all clients or selectively for smart clients, that is, smartphones and tablets only.

AirTight Management Console Configuration 73 The Hotspot 2.0 settings for an AirTight AP are divided into general settings, roaming consortium list, venue settings, domain name list, 3GPP Cellular network info list, NAI realm list, WAN metrics, Operator Friendly Name List, connection capability. General Settings The General Settings refer to the network configuration. It includes the network access type, network authentication type element, IP address type etc. The network type is a predefined list and can have one of the following values. • Private network- Unauthorized users are not permitted on this network. Examples of this access network type are home networks and enterprise networks, which may employ user accounts. • Private network with guest access- The network is a private network offering guest access. An example of this access network type is an enterprise network with guest access. • Chargeable public network- A public network that is available to everyone for a charge. An example of this access network type is a hotel offering in-room Internet access service for a fee. • Free public network- A public network that is available to everyone for free. An example of this access network type is an airport hotspot. • Personal device network - A network of personal devices such as a camera connecting to a printer thereby forming a network to print pictures. • Emergency services only network- The network is dedicated and limited to accessing emergency services only. • Test or experimental- The network is a test or experimental network only. • Wildcard- Wildcard access network type. Select this option if you want the AP to reply to the client (mobile device) irrespective of the access network type requested for in the client query. The network authentication element refers to the list of authentication types. This element is related to captive portal based authentication systems. A redirect URL can be specified in the General Settings to redirect the mobile user to the appropriate URL on connecting to the AP. The network authentication element is a predefined list and can have one of the following values. • Acceptance of terms and conditions- Select this option if the network requires the user to accept a set of terms and conditions. You can provide a URL that points to the terms and conditions page in the Redirect URL field. Providing redirect URL is optional. • Online enrollment- Select this option if online enrolment is supported by the network. • http/https redirection- Select this option if the network infrastructure perform http/https redirection. You can optionally provide a redirect URL for http/https redirection. • DNS redirection- Select this option if the network supports DNS redirection. • Not configured- Select this option if you don't want to provide specific information when the client queries about network authorization type. The Homogenous ESSID (HESSID) is a MAC address that is the same for all APs belonging to the same network. APs with the same HESSID have the same Hotspot 2.0 configuration. IPv4 address type and IPv6 address type are specified under General Settings. Roaming Consortiums Element The roaming consortiums element is configured under Roaming Consortium List. The network could be member of a roaming consortium or could support service providers. The element consists of one of more organization identifiers that are unique hexadecimal strings. If this element contains multiple organization identifiers, it means the network supports multiple service providers or consortia.

AirTight Management Console User Guide 74 Venue Settings The Venue Settings specify the configuration of the venue details where the AP is to be deployed. You can configure zero or more venues. The venue settings consist of venue groups and venue types. The venue group is selected from a predefined list of values. The venue type is dependent on the venue group and the list of values for the venue type is populated based on the venue type selected. You can select a venue type for the venue group from the list of relevant values for the selected venue group. The available venue groups are as follows. • Assembly: An arena or an amusement park is a place where a group of people assemble together. Select this venue group if the AP is deployed at such a location. • Business: If the AP is deployed on business premises such as a bank or an office,select this venue group. • Educational: If the AP is deployed at an educational institution such as a school or a university, select this venue group. • Factory and Industrial: If the AP is deployed at a factory or industrial location, select this venue group. • Institutional: If the AP is deployed at a venue hosptial or a rehabilitation center, select this venue group. • Mercantile: If the AP is deployed at a mercantile venue such as a gas station or a shopping mall, select this venue group. • Residential: If the AP is deployed at a residential location such as a hotel or a private residence, select this venue group. • Storage: If the AP is deployed at a storage facility, select this venue group. • Utility and Miscellaneous: If AP is deployed at a utility or miscellaneous location, select this venue group • Vehicular: If the AP is deployed on a vehicle such as a train or a boat, select this venue group. • Outdoor: If the AP is deployed at an outdoor location such as a kiosk or a bus stop, select this venue group. Domain Name List The Domain Name List provides a list of the Hotspot 2.0 operator domain names. 3GPP Cellular Network Info List The list of mobile networks supported by the AP can be configured under 3GPP Cellular Network Info List. NAI Realm List The NAI Realm List corresponds to the NAI realm element. The NAI realm element provides a list of network access identifier (NAI) realms corresponding to service providers or other entities whose networks or services are accessible through the AP. A list of one or more EAP Methods is optionally included for each NAI realm. WAN Metrics Under WAN metrics, you can specify details of the WAN connection available through the WLAN. The link status and the uplink and downlink speeds can be specified under WAN metrics. Under operator friendly name list, you can enter a list of operator friendly names along with the language code in which they are provided to AirTight Management Console. Connection Capability

AirTight Management Console User Guide 78

AirTight Management Console Configuration 87 Configure Event Notification The occurrence of certain events needs to be notified to external entities like Syslog, SNMP, Arcsight and OPSEC. This configuration is done using the Configuration->Events->Configuration option. Different types of events occur when the WLAN is functional. These are classified as security, performance and system events by AirTight Management Console. Each of these types is listed in the respective tab on the Configuration page. Security events indicate security vulnerability or breach in your network. Security events are further classified as follows. • Misconfigured AP events • DoS events • Reconnaissance events • Rogue AP events • Man-in-the-middle events • Ad hoc events • Cracking events • MAC spoofing events • Misbehaving clients events • Prevention events Performance events indicate problems in the wireless network. Performance events are further classified as follows. • Coverage events • Configuration events • Bandwidth events • Interference events System events indicate the system health. System events are further classified as follows. • Troubleshooting events • Sensor events • Server events There are multiple events under each of the security, performance and system event sub-categories. Some events need to be displayed on the console when they occur. Users or administrators need to be notified by email when certain events occur. Configure the settings for the events occurring in AirTight Management Console using the Configuration page. Do either or all of the following to configure settings for individual events in either of the tabs Security, Performance, and System, based on your requirement. • Select the Display check box that corresponds to the event that you want to appear on the Events page. • Select the Email check box that corresponds to the event for which you want to send e-mail notifications to users configured under Configuration->Events->Email Recipients. • Select the Notify check box that corresponds to the event for which you want notifications sent to external agents such as SNMP, Syslog, ArcSight, and OPSEC. • Select the Vulnerability check box that corresponds to the event that makes the WLAN vulnerable. If any of these events occur, the Security Status widget on the Dashboard displays the status as Vulnerable. • Select the option High, Medium, or Low based on the severity of each event.

AirTight Management Console User Guide 88 Note: The event 'Client RF Signature Anomaly Detected' that is visible under Security>MAC Spoofing option is available in specific deployments only. Activate Event Generation for Location Activate event generation for the selected location using the Configuration>Events>Event Activation option. Activation Switch defines the high level administrative settings for the selected location. It takes precedence over any conflicting policies. Event generation does not happen unless you select the Activate Event Generation for Location <selected location> check box. The following figure explains event generation activation. Activate Event Generation IMPORTANT: This policy cannot be inherited from the parent- it is specific to the location. It is recommended that the deployment be stable and fully configured before you select the Activate Event Generation for Location <selected location> check box. Click Save to save the changes made to the page. Click Cancel to cancel the unsaved changes on the page. Click Restore Defaults to restore the default values of the fields on the page.

AirTight Management Console Configuration 89 Configure Email Recipients Specify the e-mail addresses of the users that need to be notified on occurrence of certain events at the selected location. The events for which e-mail is to be sent are configured under Configuration->Events->Email Recipients. You can use the e-mail addresses available in the system or add an e-mail address that is not available in the system. Separate all the e-mail addresses using a comma or a space, or press Tab or Enter. Click Save to save the changes made to the page. Click Cancel to cancel the unsaved changes on the page. Click Restore Defaults to restore the default values of the fields on the page. Configure Device - Server Communication Settings Go to Configuration>System>Advanced Settings>Device Communication Key, to set or reset the communication key used for the communication between the AirTight devices and the AirTight Management Console server. The communication key is also used to encrypt the communication between the AirTight devices and server. The communication can happen either using a key or using a pass phrase. Use Key for Device - Server Communication You can set the key for the communication between AirTight devices and the AirTight server directly in hexadecimals. Select this option if you are comfortable working with hexadecimals. To set a hexadecimal key for device-server communication, do the following. 1. Go to Configuration>System>Advanced Settings>Device Communication Key. 1 Select the Key option to use a key for the communication. 2 Enter a 32 digit hexadecimal key in Enter Key. 3 Enter the same key again in Confirm Key. 4 Click Set to save the changes. Use Passphrase for Device - Server Communication You can set an alphanumeric passphrase for the communication between AirTight devices and the AirTight server. Select the Passphrase option if you are not comfortable working with hexadecimals. To set an alphanumeric passphrase for device-server communication, do the following. 2. Go to Configuration>System>Advanced Settings>Device Communication Key. 5 Select the Passphrase option to use a key for the communication. 6 Enter an alphanumeric passphrase in Enter Passphrase. 7 Enter the same passphrase again in Confirm Passphrase. 8 Click Set to save the changes. Reset Communication Key Click Restore Defaults to reset the communication key.

AirTight Management Console User Guide 90 Manage Policy Templates Policy templates form a part of the authorized WLAN policy for a location. A policy template comprises properties of the authorized SSIDs or networks. It is a collection of different network related settings such as wireless network protocols, encryption protocol used, allowed network SSIDs, security settings, authentication type used, allowed networks, and so on. You can have multiple such templates based on the number of authorized networks in the organization. Policy templates aid in the classification of APs. Policy templates are used to identify authorized APs and constantly check that the actual Wi-Fi access parameters provisioned on the authorized APs meet the security policy. Any new AP that is added to a location is verified on the basis of the WLAN policy templates attached to that location. You can define multiple WLAN policy templates and assign them to each location. You can add, edit, search, and delete policy templates. You can save a policy template with a different name and then make minor changes to suit your need. You can copy a policy template to another location. The following sections explain these operations in detail. Add Policy Template You can add a new policy template and then apply it to a location. To add a new policy template, do the following. 1. Go to Configuration>WIPS>Authorized WLAN Policy. 2. Select a location from the location tree. 3. Select the Wi-Fi is deployed at this location check box. The Policy Template and Select "No Wi-Fi" Networks sections on this page are enabled on selecting this check box. 4. Click Add New Policy Template to add a new policy template. The Add New Policy Template dialog box appears. Refer to the following table to define the properties of the policy templates related to authorized SSIDs. Field Description Authorized SSID Name of the existing or new authorized SSID or network name. The existing SSID template list is built using the data received from sensors. You can also enter a new name. Template Name Name of the authorized policy template. Description Short description to identify the policy template. This is Guest SSID Select this check box if this SSID is a guest SSID. Network Protocol The network protocol of the SSID. 'Any' is the default value. You can select one or more protocols from 802.11a, 802.11b, and 802.11b/g after deselecting 'Any'. Security Settings Security protocol for the SSID. 'Any' is the default value. You can select one or more protocols from 802.11i, Open, WPA, WEP after deselecting 'Any'. Encryption Protocol Encryption protocol for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i. Authentication Framework Authentication protocols for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i.

AirTight Management Console Configuration 91 Authentication Type Higher layer authentication types that clients can use while connecting to the SSID. Authentication types do not determine the classification of APs, but are used to raise an event if a client uses non-allowed authentication type. The system raises this event only if the system sees authentication protocol handshake frames. 'Any' is the default value. You can select one or more options from PEAP, EAP-TLS, LEAP, EAP-TTLS, EAP-FAST, and EAP-SIM after deselecting 'Any'. AP Capabilities Additional capabilities of the APs. If you select any of these advanced capabilities, the classification logic allows APs with and without these capabilities. 'Any' is the default value. You can select one or more Turbo/Super techniques used by Atheros to get higher throughputs–Turbo, 802.11n, and SuperAG, after deselecting 'Any'. MFP/802.11w Indicates whether MFP/802.11w is enabled or disabled on the SSID. 'Any' is the default value. You can select an option from MFP/802.11w enabled or MFP/802.11 disabled, after deselecting 'Any'. Allowed Networks Select the network(s) where wireless traffic on the SSID is to be mapped through Authorized APs. Select Any to allow wireless traffic on this SSID to be mapped to any network. Alternatively, you can deselect Any and choose from networks that are discovered automatically by the system or add new networks that are not yet discovered by the system. Allowed AP Vendors Allowed AP vendors whose APs are allowed to be connected to the SSID or network. 'Any' is the default value. You can select one or more vendors from a predefined list of AP vendors. Deselect 'Any' to be able to select specific vendors. Apply this Policy Template to current location Select the check box to apply the policy template to the selected location. Unless this check box is selected, the WLAN will not be evaluated against this policy template. 5. Click Save. Edit Policy Template You can edit a policy template only at a location where the policy template has been defined. To edit a policy template, do the following. 1. Go to Configuration>WIPS>Authorized WLAN Policy. 2. Select the location from the location tree where the policy template has been defined. 3. Click the link for the policy template in the policy list. The Edit Template for an Authorized 802.11 SSID dialog box appears. Make changes to the fields on this dialog box as required. Refer to the following table to define the properties of the policy templates related to authorized SSIDs. Field Description Authorized SSID Name of the existing or new authorized SSID or network name. The existing SSID template list is built using the data received from sensors. Template Name Name of the authorized policy template. Description Short description to identify the policy template. This is Guest SSID Select this check box if this SSID is a guest SSID. Network The network protocol of the SSID. 'Any' is the default value. You can

AirTight Management Console User Guide 92 Protocol select one or more protocols from 802.11a, 802.11b, and 802.11b/g after deselecting 'Any'. Security Settings Security protocol for the SSID. 'Any' is the default value. You can select one or more protocols from 802.11i, Open, WPA, WEP after deselecting 'Any'. Encryption Protocol Encryption protocol for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i. Authentication Framework Authentication protocols for the SSID. This field is enabled only when the security protocol for the SSID is WPA or 802.11i. Authentication Type Higher layer authentication types that clients can use while connecting to the SSID. Authentication types do not determine the classification of APs, but are used to raise an event if a client uses non-allowed authentication type. The system raises this event only if the system sees authentication protocol handshake frames. 'Any' is the default value. You can select one or more options from PEAP, EAP-TLS, LEAP, EAP-TTLS, EAP-FAST, and EAP-SIM after deselecting 'Any'. AP Capabilities Additional capabilities of the APs. If you select any of these advanced capabilities, the classification logic allows APs with and without these capabilities. 'Any' is the default value. You can select one or more Turbo/Super techniques used by Atheros to get higher throughputs–Turbo, 802.11n, and SuperAG, after deselecting 'Any'. MFP/802.11w Indicates whether MFP/802.11w is enabled or disabled on the SSID. 'Any' is the default value. You can select an option from MFP/802.11w enabled or MFP/802.11 disabled, after deselecting 'Any'. Allowed Networks Select the network(s) where wireless traffic on the SSID is to be mapped through Authorized APs. Select Any to allow wireless traffic on this SSID to be mapped to any network. Alternatively, you can deselect Any and choose from networks that are discovered automatically by the system or add new networks that are not yet discovered by the system. Allowed AP Vendors Allowed AP vendors whose APs are allowed to be connected to the SSID or network. 'Any' is the default value. You can select one or more vendors from a predefined list of AP vendors. Deselect 'Any' to be able to select specific vendors. Apply this Policy Template to current location Select the check box to apply the policy template to the selected location. Unless this check box is selected, the WLAN will not be evaluated against this policy template. 4. Click Save. Search Policy Template You can search for policy templates from the policy template list based on their name or SSID. The policy templates list is filtered on the basis of the search string. To search a policy template, do the following. 1. Select a location from the location tree. 2. Navigate to Configuration>WIPS>Authorized WLAN Policy. 3. Enter the SSID or the policy template name in the Quick Search box seen on the left hand corner above the policy templates list. 4. Press the Enter key.

AirTight Management Console Configuration 93 5. The policy templates containing the search string as the SSID or policy template name are displayed in the policy template. The search utility also returns the policy templates having the search string as a substring in the SSID or policy template name. Copy Policy Template to Another Location To copy an authorized WLAN policy created at a location to another location, do the following. 1. Select the location at which the policy to be copied exists. 2. Go to Configuration>WIPS>Authorized WLAN Policy. 3. Select the check box for the WLAN policy to be copied. 4. Click the Copy to icon seen below the policy list. The Select Locations dialog box appears. 5. Select the location to which you want to copy the selected policy and click OK. The WLAN policy is copied to the selected location. Save Policy Template with a Different Name If you want to create a new policy template that has almost the same settings as that of an existing policy template, you can make a copy of an existing policy template, and then tweak it. To make a copy of a policy template or save an existing policy template with a different name, do the following. 1. Go to Configuration>WIPS>Authorized WLAN Policy. 2. Select the location at which you have created the policy template. 3. Click the link for the policy template in the policy template list. The Edit Template for an Authorized 802.11 SSID dialog box appears. 4. Edit the template name and, if required, make changes to other fields. 5. Click Save As. The policy template is saved with the new name, and modified values, if any. Print Policy Template List You can print a list of policy templates that have been defined for an authorized WLAN policy for a location. To print a list of policy templates for an authorized WLAN policy at a location, do the following. 1. Go to Configuration>WIPS>Authorized WLAN Policy. 2. Select the location for which you want to print the policy template list. If the selected location is not the root location, The print icon is enabled only if the authorized WLAN policy is customized for the selected location. 3. Click the print icon. A print preview of the policy template list appears. 4. Click Print to print the list of policy templates for the location. Delete Policy Template This option is enabled only at the location where the template was created, and only if the template is not applied at any other child locations of the location where it was created. To delete a policy template, do the following. 1. Go to Configuration>WIPS>Authorized WLAN Policy. 2. Select the location at which the policy template has been created. 3. Select the check box for the policy template to be deleted, from the policy template list. 4. Click the Delete icon to delete the policy template. A confirmation message appears. 5. Click Yes to delete the policy template. The policy template is deleted from the policy list.

AirTight Management Console User Guide 94 Manage Authorized WLAN Policy Specify the Authorized WLAN policy templates for the selected location in the location hierarchy using Configuration>WIPS>Authorized WLAN Policy. Authorized WLAN policy for a location includes a set of one or more policy templates that define the properties of one or more authorized wireless networks. A policy template is a collection of different network related settings such as wireless network protocols, encryption protocol used, allowed network SSIDs, security settings, authentication type used, allowed networks and so on. An authorized WLAN policy also specifies what networks are restricted from having Wi-Fi APs on them. Apart from this, you can also specify what APs to categorize as rogue or authorized APs based on their RSSI signal strength. All these parameters together constitute an authorized WLAN policy. The RSSI of a device is statistical parameter. Using the RSSI feature can cause legitimate neighborhood APs to be classified as Rogues and subjected to containment if automatic prevention is enabled. This will cause neighbor Wi-Fi disruption since clients, including the legitimate neighborhood clients, will NOT be able to connect to the Rogue AP under containment. Even if the intention is to use RSSI to identify APs that are within the facility, it will not always work since low power APs such as soft APs, hotspot APs running on smart phones, USB APs, etc. or APs which are away from RSSI measurement point will still not get classified as Rogue APs due to not meeting the RSSI threshold. Policy templates aid in the classification of APs. A new AP or an existing Authorized AP is compared against the templates to determine if it is a rogue or misconfigured AP. Any AP at a location that does not comply with the WLAN policy attached to that location, is not considered to be an authorized AP. You must apply the templates from the available list for the WLAN policy at that location. Authorized policy templates are used to identify authorized APs and constantly check that the actual Wi-Fi access parameters provisioned on the authorized APs meet the security policy. You can define multiple WLAN policy templates and assign them to each location. Any new AP that is added to a location is verified on the basis of the WLAN policy templates attached to that location. Any mismatch is used to detect misconfiguration of the Wi-Fi access network. The system uses the details of the authorized Wi-Fi setup at a particular location to detect the presence of misconfigured or rogue APs in your network. An AP is considered as being compliant to the Authorized WLAN Policy if: • It is not connected to a No Wi-Fi network for its location • Its SSID matches with one of the templates attached at that location • Is connected to one of the networks specified in that template • Conforms to the other settings in that template (except the Authentication Framework, as this setting is not a property of the AP itself but of the backend authentication system). Note: If the template specifies certain allowed AP capabilities (such as Turbo, 802.11n, and so on), the AP may or may not have those capabilities. However, if a capability is not selected, the AP must not have that capability to be considered as compliant. With location-based policies, you can apply different sets of policy templates for different locations. However, you cannot attach more than one template with the same SSID at any one location.

AirTight Management Console Configuration 95 Only the policy templates that are applied to a location are used for AP classification at that location. Other templates that are configured but not applied to the location, will not be used for AP classification, as they are not a part of the WLAN policy for that location. The authorized policy templates created at other locations can be applied to a selected location but cannot be edited or deleted. The edit and delete operations are possible only at the location where the template is created. A child location automatically inherits the authorized WLAN policy from its parent. You can customize the WLAN policy for a child location. You can also switch back to an inherited policy in case you have created a customized policy. Configure Authorized WLAN Policy To configure an authorized WLAN policy for a location, do the following. 1. Select the location from the location tree. 2. Go to Configuration>WIPS>Authorized WLAN Policy. 3. If Wi-Fi has been deployed at the location, select the Wi-Fi is deployed at this location check box. The Policy Template and Select "No Wi-Fi" Networks sections on this page are enabled on selecting this check box. 4. If you want to use an existing policy template, click the Applied icon for the existing policy template to be applied to the location. Alternatively, Click Add New Policy Template if no policy template exists, and add a new policy template. Refer to the Add Device Template or Edit Device Template subsection in the Manage Policy Templates section for details on how to add or edit a policy template. 5. If there are any networks at the location that are not allowed to have APs connected to them, a) Scroll down to the Select "No Wi-Fi" Networks section b) Click Add. The Add Networks dialog box appears. c) Enter the SSID or IP address of the network to add. 6. Define RSSI based classification, if the WIPS is intended for use in an isolated environment without much of a neighborhood activity like defense and military facilities. It is recommended to skip this section altogether in case of commercial or business district environments. Either of the following two mechanisms must be switched on to classify the APs. a) Enter the threshold RSSI value to use for preclassification of APs with signal strength stronger than this value as rogue or unauthorized APs. b) Select the Preclassify APs connected to monitored subnets as Rogue or Authorized APs to preclassify the APs connected to monitored subnets as rogue or authorized APs. 7. Click Save to save the changes. Edit Authorized WLAN Policy To edit an authorized WLAN policy for a location, do the following. 1. Select the location from the location tree. 1 Go to Configuration>WIPS>Authorized WLAN Policy. 2. If you want to apply an existing policy, click the Applied icon for that policy in the policy template list. 3. If you want to make changes to the policy template, click the policy template link in the policy template list. If you want to add a new policy template click Add New Policy Template, and add a new policy template. Refer to the Add Device Template or Edit Device Template subsections in the Manage Policy Templates section for details on how to add or edit a policy template. 4. If there are any networks at the location that are not allowed to have APs connected to them, a) Scroll down to the Select "No Wi-Fi" Networks section b) Click Add. The Add Networks dialog box appears.

AirTight Management Console User Guide 96 c) Enter the SSID or IP address of the network to add. 5. Define RSSI based classification, if the WIPS is intended for use in an isolated environment without much of a neighborhood activity like defense and military facilities. It is recommended to skip this section altogether in case of commercial or business district environments. Either of the following two mechanisms must be switched on to classify the APs. a) Enter the threshold RSSI value to use for preclassification of APs with signal strength stronger than this value as rogue or unauthorized APs. b)Select the Preclassify APs connected to monitored subnets as Rogue or Authorized APs to preclassify the APs connected to monitored subnets as rogue or authorized APs. 6. Click Save to save the changes. View High Availability Status for Server View the high availability status using the Configuration>System>HA Status page. High Availability (HA) mode allows two servers to be connected in a redundant configuration to form an HA cluster. One server acts as the Active server, while the other as a Standby server. If the Active server fails, the Standby server takes over. This screen shows the status of the servers in HA cluster. The HA Status page displays information about the high availability. This is read-only information. The following table describes the fields seen on the HA Status Page. Field Description HA Status Specifies the high availability status. It has the following possible values. Standalone: This state indicates that the server is in Standalone mode. Up: This state indicates that the HA Cluster is up and running. Other Server Not Reachable: This state indicates that the Standby server is not reachable over the HA interface link. Check whether the HA interfaces of both the servers are securely connected using a crossover Ethernet cable. Temporarily In Transition: This is an intermediate state. You need to wait for up to 30 minutes and then check the HA Status again. If this state persists, contact Technical Support. HA Setup In Progress: This state indicates that an HA setup is in progress using Config Shell or an earlier HA setup session was abnormally terminated. If you are sure HA setup is not in progress, reboot both the servers. After reboot, both the servers come up in the 'Standalone' mode. You need to wait for five minutes after the reboot and then login to these servers. Server Upgrade In Progress: This state indicates that server Upgrade is in progress or an earlier server Upgrade session was abnormally terminated. If you are sure server Upgrade is not in progress, reboot the server. After reboot, the server will come up in the 'Standalone' mode. You need to wait for five minutes after the reboot and then login to the server. Database Operation In Progress: This state indicates that some database operation is in progress. If you are sure no database operation is in progress, please contact Technical Support. Internal System Recovery In Progress: This state indicates that internal system recovery is in progress. If the same state persists for more than 30 minutes, please ensure that both the HA servers are up and the HA interfaces of these servers are securely connected using a crossover Ethernet cable. If the same state persists even after the above checks, please contact Technical Support. Error: This state indicates an error in HA state. Contact Technical Support. Cluster IP Address This IP Address can be used by the Console and Sensors to connect to the HA cluster. This is a virtual IP Address used to connect to the HA cluster. Cluster IP address is optional. It can not be used in Layer3 HA configuration. Data Sync State Displays the state of data synchronization from Active Server to Standby Server after enabling HA Service or after database operation such as database restore. Data Sync Link Data sync link is the link which carries data from the Active Server to Standby. HA

AirTight Management Console Configuration 97 interface or Network Interface can be used as ‘Data Sync Link’ between the servers. During HA setup, user can skip use of HA interface. This field indicates whether two servers are reachable over ‘Data Sync Link’ interface. HA Failover Mode This field Indicates whether the HA failover mode is automatic or manual. Active Server- Network IP Address This is the IP Address of the network interface of the Active server. Active Server- HA IP Address This is the IP Address of the HA interface of the Active server. Standby Server- Network IP Address This is the IP Address of the network interface of the standby server. Standby Server- HA IP Address This is the IP Address of the HA interface of the standby server. View/Upgrade License Details The Configuration>System Settings>License page displays information about the license, the list of licensed features enabled on the server. You can upgrade your current version to enable or disable features using a new license. To upgrade your license, do the following. 1. Go to Configuration>System Settings> License. 2. Under Change License, click Choose File under Change License, and select the path of the new license file. 3. Click Apply License to apply the new license. To apply the license effectively, log out and log on to the console. Current License Information displays the features available in AirTight Management Console through the currently applied license. The following table explains the fields seen on the License page under Current License Information. Field Description Expiry Date Expiry date of the AirTight Management Console license. Maximum AirTight devices allowed Maximum number of AirTight devices allowed per the current license. Allowable Conversions to AP Maximum number of AirTight devices that are allowed to be converted to function as access point, per the current license. Reports Specifies whether the Reports feature is available in the license. AirTight Mobile Specifies whether integration with AirTight Mobile is available in the license. Number of AirTight Mobile devices licensed The number of AirTight Mobile devices licensed, if AirTight Mobile integration is enabled. Performance Monitoring Specifies whether the performance monitoring feature is available in the license or not. Prevention Specifies whether the prevention feature is available in the license or not. Analytics Specifies whether the analytics feature is available in the license or not.

AirTight Management Console User Guide 98 Forensics Specifies whether the forensics feature is available in the license or not. Manage Look and Feel of Reports You can customize the look and feel of the AirTight Management Console reports, using the Configuration>System>Advanced Settings>Reports Look and Feel option. A report is divided into different sections such as header text, report summary and report sections specifying the details. You can customize each of these components. You can customize the text that is seen in various sections in the report. You can copy the look and feel settings from one server to another server when the source and destination server belong to the same server cluster. Customize Report Header Text You can customize the appearance of the header text, title text, report generation information and report description text in a report. To customize the appearance of the report header text, do the following. 1. Go to Configuration>System>Advanced Settings>Reports Look and Feel. 2. Select the use custom look and feel check box if you want to customize the reports look and feel. 3. To change the Left Aligned Header Text, enter a new value for the field. 4. To change the Right Aligned Header Text, enter a new value for the field. 5. To change the Title Text, enter a new value for the field. 6. To display the report generation information in a report, select the Display Report Generation Information check box. 7. To display the report description in a report, select the Display Report Description Text check box. 8. Click Save to save the changes. Customize Summary Table To customize the appearance of the summary table text, do the following. 1. Go to Configuration>System>Advanced Settings>Reports Look and Feel. 2. Select the use custom look and feel check box if you want to customize the reports look and feel. 3. To display summary information in a report, select the Report Summary check box. 4. To change Report Summary text in a report, enter a new value for the field. 5. To include sections with no results in a report, select the include section with zero results check box present under Summary Table. 6. To display the report summary table in a report, select the Display report summary table check box present under Summary Table Column Header Definition. 7. To display the section name in a report, select the Display section name check box present under Summary Table Column Header Definition. To display a different text instead of section name in the report, enter the changed text in Section Name. 8. To display the section description in a report, select the Display section description check box present under Summary Table Column Header Definition. To display a different text instead of section description in the report, enter the changed text in Section Description.

AirTight Management Console Configuration 99 9. To display the section query type in a report, select the Display Query Type check box present under Summary Table Column Header Definition. To display a different text instead of section query type in the report, enter the changed text in Section Query Type. 10. To display the result count in a report, select the Result Count check box present under Summary Table Column Header Definition. To display a different text instead of result count in the report, enter the changed text in Result Count. 11. To display the jump to hyperlink in a report, select the Jump to check box present under Summary Table Column Header Definition. To display a different text instead of jump to in the report, enter changed text in Jump To. 12. To display the report data in form of a pie chart or a bar chart in a report, select the appropriate option under Summary Charts. If you do not want any charts displayed in the report, select the Don't display charts option under Summary Charts. 13. Click Save to save the changes. Customize Section Results To customize the appearance of the section results text, do the following. 1. Go to Configuration>System>Advanced Settings>Reports Look and Feel. 2. Select the use custom look and feel check box if you want to customize the reports look and feel. 3. To change Section Name Title text in a report, enter a new value for the field. 4. To display section description text in a report, select the Display section description check box. 5. To display section query in a report, select the Display section query check box. 6. Click Save to save the changes. Restore Default Look and Feel Settings There is no customization for report look and feel, by default look and feel. The reports are structured according to the predefined AirTight Settings. To revert back to the default look and feel settings for reports, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Reports Look and Feel 2. Click Restore Defaults. 3. Click Save to save the changes. Copy Reports Look and Feel Settings to Another Server You can copy the report look and feel settings from one server to another server when both servers are part of the same server cluster. You can copy report look and feel settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy reports look and feel settings, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Reports Look and Feel on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the report look and feel settings is to be copied. 4. Select the server to which the report look and feel settings is to be copied. 5. Click OK to copy the report look and feel settings.

AirTight Management Console User Guide 100 Configure NTP NTP stands for network time protocol and is used for clock synchronization between computer systems. You can synchronize the AirTight server clock with an NTP server. You must be a super user to synchronize the server with an NTP server. You can specify an NTP server and find the time drift between the AirTight server and the NTP server. Check Time Drift between AirTight server and NTP server Before synchronizing the AirTight server clock with an NTP server, you check the time drift between the two servers. To synchronize with an NTP server, do the following. 1. Select the root location (topmost location) in the location tree. 2. Go to Admin>System Settings>NTP Configuration. 3. Select the Enable NTP check box. 4. Enter the server IP or the host name of the NTP server in NTP server. 5. Click Check Drift. The drift details are displayed in the text box adjacent to Check Drift. Synchronize AirTight Server Time with NTP Server Synchronization with NTP requires the web server on the AirTight server to restart. To synchronize with an NTP server, do the following. 1. Select the root location (topmost location) in the location tree. 2. Go to Admin>System Settings>NTP Configuration. 3. Select the Enable NTP check box. 4. Enter the server IP or the host name of the NTP server in NTP server. 5. Click Sync and Save. You are prompted to confirm restart of web server. 6. Click Yes to synchronize time and save. An appropriate message is displayed in the box adjacent to Sync and Save and you are logged out of AirTight Management Console. The AirTight server clock is synchronized with the NTP server. Disable NTP If you have enabled NTP and want to disable it, do the following. 1. Select the root location (topmost location) in the location tree. 2. Go to Admin>System Settings>NTP Configuration. 3. Deselect the Enable NTP check box. Alternatively, click Restore Defaults. 4. Click Save. Configure RF Propagation Settings Set the default AP, Client, and Sensor antenna gain values using the Configuration>System>Advanced Settings>RF Propagation option.

AirTight Management Console Configuration 101 Default RF Propagation Settings contains the following options: • Default Antenna Gain Values: Antenna gain is a characteristic of an antenna used for transmitting or receiving signal, defined as gain in power when signal is received (or transmitted) using the antenna. Note: If better antennas are used, you should increase the gain. • Transmitter Losses: Select the transmitter signal loss value suited to your environment. • If your environment has metal or concrete walls, select a higher signal value. • If your environment has large spaces where the signal can propagate without much obstruction, select a lower signal loss value When a device transmits, some loss in power occurs due to antenna connectors, electromagnetic, and environmental factors. This loss might be different in different frequency bands. You can also specify the approximate loss in each band. • Signal Decay Values: Signal propagation depends heavily on environment. The obstacles present in environment might impede signal propagation, limiting its range. It is very difficult to accurately model signal propagation in all kinds of environment, but by fine-tuning the following four constants, you can more or less characterize your environment for signal propagation. Note: The system uses the first set of parameters when the Planner file is imported; the second set for blank, gif, or jpeg files. • Minimum and Maximum Signal Decay Constants specify the range for the decay exponent, that is, the exponent at which signal decays with distance. Signal Decay Slope (Beta) and Signal Decay Inflection (Alpha) control how the decay exponent changes from its minimum value to maximum value. • For Nodes with imported AirTight Planner file you can specify the following: • Minimum Signal Decay Constant • Maximum Signal Decay Constant • Signal Decay Slope (Beta) • Signal Decay Inflection (Alpha) • For Nodes with GIF, JPEG or Blank layou, you can specify the following: • Minimum Signal Decay Constant • Maximum Signal Decay Constant • Signal Decay Slope (Beta) • Signal Decay Inflection (Alpha) Note: Planner models most significant objects; therefore Maximum Signal Decay Constant should be close to 2.0. To configure RF propagation, do the following. 1. Go to Configuration>System Settings>Advanced Settings>RF Propagation. 2. Specify the default sensor, AP, and Client antenna gain values. Field Description Sensor Antenna Gain (db) gain of antenna attached to the sensor AP Antenna Gain (db) gain of antenna attached to the AP Client Antenna Gain (db) gain of antenna attached to the client 3. Select the transmitter signal loss value suited to your environment. 4. Specify the loss at Source for 802.11a Transmitter (db) 5. Specify the loss at Source for 802.11b/g Transmitter (db)

AirTight Management Console User Guide 102 6. Specify the following for nodes imported with AirTight Planner- Minimum Signal Decay Constant, Maximum Signal Decay Constant, signal decay slope(beta), signal decay slope(alpha). 7. Specify the following for nodes with GIF, JPEG or blank layout- Minimum Signal Decay Constant, Maximum Signal Decay Constant, signal decay slope(beta), signal decay slope(alpha). 8. Click Save to save the changes. Restore RF Propagation Defaults You can restore the RF propagation fields to their default values. The default values for the RF propagation related fields are as mentioned in the following table. Sensor Antenna Gain 2.3 db AP Antenna Gain 2.3 db Client Antenna Gain 0 db Loss at Source for 802.11a Transmitter 10 db Loss at Source for 802.11b/g Transmitter 10 db For Nodes imported with AirTight Planner Minimum Signal Decay Constant 2 Maximum Signal Decay Constant 2 Signal Decay Slope(Beta) 0.08 Signal Decay Slope(Alpha) -4 For Nodes with GIF, JPEG or blank layout Minimum Signal Decay Constant 2 Maximum Signal Decay Constant 2.5 Signal Decay Slope(Beta) 0.08 Signal Decay Slope(Alpha) -4 To restore RF propagation settings, do the following. 1. Go to Configuration>System Settings>Advanced Settings>RF Propagation. 2. Click Restore Defaults. The fields are populated with their default values. 3. Click Save to save the changes. Copy RF Propagation Setting to Another Server You can copy the RF propagation settings from one server to another server when both servers are part of the same server cluster. You can copy RF propagation settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy RF propagation settings settings, do the following. 1. Go to Configuration>System Settings>Advanced Settings>RF Propagation Setting on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the RF propagation settings is to be copied. 4. Select the server to which the RF propagation settings is to be copied. 5. Click OK to copy the RF propagation settings.

AirTight Management Console Configuration 103 Configure Live RF View Setting Define the parameters that are used in live RF views using Configuration>System>Advanced Settings>Live RF View Setting option. These parameters are specific to each environment. Tuning the parameters enables you to see more accurate views. Under Intrusion Detection and Prevention Regions, specify the dbm values for which the system shows the intrusion detection and prevention regions in the sensor coverage views. Detection range is the area over which sensors can reliably detect wireless activity. Intrusion Detection Display Threshold determines the threshold for this range. Prevention range is the area over which sensors can prevent unauthorized wireless activity. Intrusion Prevention Display Threshold determines the threshold for this range. Both the detection and prevention ranges are affected by parameters in the RF Propagation section. Note: The reliability of the prevention also depends on the Intrusion Prevention Level selected on the Configuration>WIPS >Intrusion Prevention page. To configure live RF view setting, do the following. 1. Go to Configuration>System>Advanced Settings>Live RF View Setting. 2. Specify the Intrusion Detection Display Threshold. 3. Specify the Intrusion Prevention Display Threshold. 4. Click Save to save the changes. Restore Default Live RF View Settings The default value for intrusion detection display threshold is -85 dbm. The default value for intrusion prevention display threshold is -75 dbm. To restore default Live RF view settings, do the following. 1. Go to Configuration>System>Advanced Settings>Live RF View Setting. 2. Click Restore Defaults. 3. Click Save to save the changes. Copy Live RF View Setting to Another Server You can copy the live RF view settings from one server to another server when both servers are part of the same server cluster. You can copy live RF view settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy live RF view settings settings, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Live RF View Setting on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the live RF view settings is to be copied. 4. Select the server to which the live RF view settings is to be copied. 5. Click OK to copy the live RF view settings.

AirTight Management Console User Guide 104 Configure Location Tracking The location of a particular device can be tracked using the Configuration->System->Advanced Settings->Location Tracking option. The system needs at least three sensors to perform location tracking. The Location Tracking screen enables you to define the parameters that control location tracking. Default Location Tracking Parameters contains the following options. • Maximum number of monitoring devices to use for location tracking: Select the maximum number of sensors used for location tracking. Sensors track down the location of a device and the system uses sensors that see the maximum values. A higher value is likely to give better results. (Minimum: 3; Maximum: 10; Default: 4) • Default Transmit Power of AP (mW): Location tracking needs as input the transmit power of the AP being located. When transmit power is unknown, the default value set here is used. (Minimum: 1 mW/0 dbm; Maximum: 100 mW/20 dbm; Default: 30 mW/15 dbm) • Default Transmit Power of Client (mW): Location tracking needs as input the transmit power of the Client being located. When transmit power is unknown, the default value set here is used. (Minimum: 1 mW/0 dbm; Maximum: 100 mW/20 dbm; Default: 10 mW/ dbm) • Signal Strength Monitoring Devices: Location tracking is based on the signal strength of the monitoring devices. This value can deviate from the actual values because of subtle variations in the RF environment. You can specify APs, AirTight Devices, and AirTight Devices and/or APs to be used to control location tracking. Using the system’s Application Programming Interface (API), APs can be reported as a source of signal strength. Information from these APs can be used for location tracking. Restore Location Tracking Configuration Defaults The default values for location tracking configuration are as follows. Maximum number of devices to use for location tracking 4 Default Transmit power of AP 30 Default Transmit power of Client 10 Signal Strength Monitoring Devices AirTight devices and/or APs To restore location tracking configuration defaults, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Location Tracking Configuration. 2. Click Restore Defaults to restore the default values of the location tracking configuration fields on the page. 3. Click Save to save the changes. Copy Location Tracking Configuration to Another Server You can copy the location tracking configuration from one server to another server when both servers are part of the same server cluster. You can copy location tracking configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another.

AirTight Management Console Configuration 105 To copy location tracking configuration, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Location Tracking Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the location tracking configuration is to be copied. 4. Select the server to which the location tracking configuration is to be copied. 5. Click OK to copy the location tracking configuration, Manage Auto Location Tagging The Configuration>System>Advanced Settings>Auto Location Tagging page enables you to configure the settings for automatic tagging of devices discovered by AirTight Management Console and events generated by AirTight Management Console. A location tag that is attached to a device or an event helps identify the location of that event or device. AirTight Management Console automatically tags the devices and events to the locations where they have been detected. Auto Location Tagging Configuration contains the following options • Devices: Based on the initial location of the device, the APs and Clients are auto-tagged immediately upon discovery. You can select how the system should compute the initial location tag of the APs or Clients. The system never auto-tags an AP or Client, if it is tagged manually. To enable auto location tagging for a device, you must delete the device and let the system rediscover it. You must manually tag sensors. You can do one of the following  Choose the location tag of the sensor that sees the highest RSSI value for that device.  Choose the location tag of the selected number of sensors that see the highest RSSI values for that device. (Minimum: 2; Maximum: 10; Default: 2) You can also discard the sensors that see a lower RSSI after comparing the value with a sensor that reports a higher RSSI. (Minimum: 20 dB; Maximum: 40 dB; Default: 30 dB) • Events: The system tags events based on the location of the devices that participate in the events. The system initially identifies a primary device - AP, Client, or Sensor for each event. The system automatically tags the location of events based on the tag for the primary device associated with the event. Note: The system never tags an event more than once. You can tag the location of an event manually on the Events page by clicking the Change Location icon. Restore Auto Location Tagging Defaults The default values for auto location tagging are as follows. • Choose location tag that encompasses top 2 AirTight Devices that see the highest RSSI value for the device. • Discard AirTight Devices that see RSSI that is 30 db below the AirTight Device that sees the highest RSSI. To restore auto location tagging defaults, do the following.

AirTight Management Console User Guide 106 1. Go to Configuration>System Settings>Advanced Settings>Auto Location Tagging. 2. Click Restore Defaults to restore the default values of the auto location tagging fields on the page. 3. Click Save to save the changes. Copy Auto Location Tagging Settings to Another Server You can copy the auto location tagging settings from one server to another server when both servers are part of the same server cluster. You can copy auto location tagging settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy location tracking configuration, do the following. 1. Go to Configuration>System Settings>Advanced Settings>Auto Location Tagging on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the auto location tagging settings are to be copied. 4. Select the server to which the auto location tagging settings are to be copied. 5. Click OK to copy the auto location tagging settings,

AirTight Management Console Configuration 107 Set up and Manage Server Cluster A server cluster consists of 2 or more AirTight servers grouped together. One of these servers is the managing server and it manages one or more AirTight servers. Thus, multiple servers can be managed from a single server console in a server cluster. The managing server is called the parent server and the servers that are managed from the parent server are called the child servers. The parent server retrieves aggregated data from multiple child servers in the cluster and displays it on AirTight Management Console along with the parent server data. Benefits of Server Cluster Following are the benefits of server cluster vis-à-vis SpectraGuard Manager. • Eliminates the need for a separate product to manage multiple servers: SpectraGuard Manager is a separate product used to manage multiple servers. With the incorporation of the server cluster functionality in AirTight server, it is a lot easier to manage multiple servers using a single console without the need for a separate product. The server cluster is accessible through AirTight Management Console. Various templates and policies can be pushed to child server from the parent server location tree. • HTML 5 based product: AirTight Management Console is a HTML5 based console. Hence, it is possible to access it from any device that has an HTML5 compatible browser. • Connects with AirTight devices: AirTight Devices can connect to the AirTight Wi-Fi/AirTight WIPS server that acts as the parent server in the server cluster. • Ready availability of all AirTight Wi-Fi/AirTight WIPS features: All the AirTight Wi-Fi/AirTight WIPS features are available even when a server is a part of a server cluster. • Eliminates the need for certificate-based communication: There is no need to download a certificate for SGM and AMC communication as the functionality to manage multiple servers in a server cluster is provided in the same product. • Automatic synchronization of policies: There is no need to manually synchronize policies on child server if the child server is not available when the policies are being synchronized from a parent server. This is done automatically when the child server comes up the next time.

AirTight Management Console User Guide 108 • Replication of policies from one server to another server in server cluster: Replication of most policies from one server to another server in a server cluster is possible. This is regardless of whether the policies are being copied from parent server to child server or child server to parent server. • Aggregation of data in dashboard widgets: The number of dashboard widgets available in AirTight Management Console is a lot higher than those available on SpectraGuard Manager. Aggregated data from all active servers in the server cluster is seen in most of the dashboard widgets on AirTight Management Console. Create and Manage Server Cluster The creation of a server cluster and management of servers in the server cluster is done using the server command line interface (CLI). Viewing of the aggregated server cluster data and management of policies on the child servers from the parent server is done through AirTight Management Console of parent server. Following are the prerequisites to create a server cluster. • The AirTight Wi-Fi/AirTight WIPS servers that form a cluster must have the same software version and build installed. • A valid license must have been applied to all child servers to be added to the server cluster. • The child server must not be a part of any other server cluster. • If a firewall is active on the network, TCP port 22 and UDP port 1194 must be open on the firewall for cluster formation and parent-child communication. TCP port 22 is for incoming connections to child servers and UDP port 1194 is for incoming connections to parent server. You can perform five cluster-related operations from the server command line interface. They are as follows. 1. Set up a server cluster/assign parent server to a server cluster. 2. Add a child server to a server cluster. 3. Delete or remove a child server from a server cluster. 4. Delete an entire server cluster. 5. Check the status of servers in a cluster or check if a server is part of a cluster. The servers in a server cluster are assigned IDs when they become a part of the server cluster. A parent server is assigned 1 as ID in the cluster. As and when the child servers are added, they are assigned sequentially incrementing IDs. The child server added first is assigned 2 as ID, the next one is assigned 3 as ID and so on. After creating the cluster, you must mount the child servers on the parent server location tree, to be able to view aggregated server data on the UI or push policies from parent server to child server. The following figure illustrates the mapping of an existing location tree with child servers in a server cluster.

AirTight Management Console Configuration 109 Limitations of Server Cluster Following are the limitation of a server cluster. • A server (parent server or child server) can be a part of only one cluster at any given point. • A child server cannot be the parent of any other server in the cluster. Server Cluster related Commands You can set up a cluster comprising one parent and multiple child servers through the server command line interface. Following is the subset of server config shell commands that are specific to creation and management of server cluster. Command Description cluster set Sets a server as a parent server in a server cluster. This command must be executed on the server to be set as the parent server. cluster reset Deletes a server cluster or a child server from a cluster. When executed on a parent server, the entire cluster is destroyed and all servers in the cluster behave as standalone servers. This command can be executed on parent server or child server When executed on a child server, it eliminates the relationship between the child server and the parent server. The rest of the cluster remains intact. IMPORTANT! It is recommended to execute this command on parent server only. It can be executed on a child server ONLY when there is no other way to remove the child from a server cluster. cluster add child Adds a child to a server cluster. This command must be executed on

AirTight Management Console User Guide 110 the parent server in the server cluster. cluster delete child Deletes or removes a child from a server cluster. This command must be executed on the parent server in the server cluster. cluster show status Displays the status of a server cluster. Using this command you can check whether a server is in a cluster and/or the status of a server in a cluster. This command can be executed on any server regardless of whether it is in a server cluster or not. Set up Server Cluster Before setting up a server cluster, the parent or child servers can be in a standalone mode or in an HA pair configuration with other servers. Once a server cluster is set up, the HA mode can be enabled on the parent or child servers as and when required. The cluster set command is used to set up a cluster. This command must be executed on the command line interface of the server that you want to assign as the parent server in the server cluster. You can, optionally, choose to run the server cluster setup wizard to add child servers to the server cluster. You can check the status of the server by executing the cluster show status command. To set up a cluster, do the following. 1. Login to the server command line interface of the server that you want to set up as the parent server in a server cluster. Login to the server with 'config' user credentials. 2. Execute the command cluster set on the command line. The server is set as the parent server in the server cluster. 3. If you want to add child servers right away, enter ‘y’ when prompted to add child servers. Enter the name for the child server, IP address of the child server and password for the config user of the child server, to add a child server. Repeat this step to add more child servers. Note: If a parent server or child server is in HA mode, the active server is added to the server cluster. The standby HA server cannot be added to the server cluster. Before setting up a server cluster, a parent server or a child server can be in standalone mode or in HA pair configuration with other servers. Once the server cluster is set up, HA mode can be enabled at a later point on the parent server or child server, if required. Refer to the screenshot below for the cluster set command.

AirTight Management Console Configuration 111 Add Child Server to Server Cluster There are two ways to add a child server to a server cluster. 1. Use the server cluster setup wizard available after executing the cluster set command. This has been explained in the Set up Server Cluster section. 2. Execute cluster add child command. This command must be executed on the command line of the parent server. This is explained below. To add a child server to a server cluster using the cluster add child command, do the following. 1. Login to the server command line interface of the parent server with "config" user credentials. 2. Execute the command cluster add child on the command line. You are prompted to enter the name for the child server to be added to the server cluster. 3. Enter a suitable name for the child server. You are prompted to enter the hostname or IP address of the child server. 4. Enter the hostname or IP address of the child server. You are prompted to enter the "config" user password for the child server. 5. Enter the "config" user password. If all the data entered is correct, the server having the specified hostname/IP address is added as a child server in the server cluster. Refer to the screenshot below for the cluster add child command.

AirTight Management Console User Guide 112 Delete Child Server from Server Cluster A child server can be deleted from a server cluster using the cluster delete child command. When you delete a child server from a server cluster, the link between the parent server and the child server is broken. The rest of the server cluster continues to function as a cluster. To delete a child server from a server cluster, do the following. 1. Login to the server command line interface of the parent server with "config" user credentials. 2. Execute the command cluster delete child on the command line. You are prompted to enter the ID of the child server to delete from the server cluster. 3. Enter the ID of the child server to delete. You are prompted to confirm the deletion of the child server from the server cluster. 4. Enter y to delete the child server from the server cluster. The child server is deleted from the server cluster. Refer to the screenshot below for the cluster delete child command.

AirTight Management Console Configuration 113 Delete Server Cluster A server cluster can be deleted using the cluster reset command. This command must be executed on the parent server command line to delete the entire cluster. Note: When the cluster reset command is executed on a child server command line, it removes the child from the cluster. This action, however, is NOT recommended unless there is no other way to remove the child server from the cluster. Use the cluster delete child command to delete a child server from a server cluster. To delete a server cluster, do the following. 1. Login to the server command line interface of the parent server with "config" user credentials. 2. Execute the command cluster reset on the command line. You are prompted to confirm cluster reset. 3. Enter y to confirm cluster reset or deletion of the server cluster. The cluster is deleted. Refer to the screenshot below for the cluster reset command.

AirTight Management Console User Guide 114 Check Server Status with respect to Server Cluster You can check if a server is part of a server cluster using the cluster show status command. When a server is part of a server cluster, you can find out whether a server is a parent server or a child server using the cluster show status command. You can execute this command on a server that may or may not be in a server cluster, that is, you can execute this command on any active server. To check the status of a server, do the following. 1. Login to the server command line interface of the server with "config" user credentials 2. Execute the command cluster show status on the command line. The status of the server is returned by the command. Refer to the screenshots below for different server statuses. The following is a screenshot of the command executed on a child server. The following is a screenshot of the command executed on a parent server. For instructions on mounting the child servers and managing them from AirTight Management Console of the parent server, refer to Manage Child Servers from Parent Server in Server Cluster. Inherit Policy from Parent Server When a server cluster is created and a child server is mounted on a mount point, the child server retains the policies that were previously applied to it. It does not inherit the parent server policies, by default. If you want to apply the parent server policies to child servers, you must navigate to the individual policy and inherit the policy from the parent server. The following policies are location specific and they cannot be inherited. • Intrusion Prevention Activation • Location Time Zone

AirTight Management Console Configuration 115 • Event Activation • Device List Locking However, if you make changes these policies at the mount point of a child server and save these changes to be applied recursively, the changes are pushed to all the locations present directly under the mount point. To inherit a policy from the parent server, do the following. 1. Select the location on the child server where you want to inherit policies from the parent server. 2. Navigate to the policy to inherit. 3. Click the Inherit Policy link. A message asking for confirmation to inherit policies appears. 4. Click Yes on the confirmation message. The parent server policy is applied to the selected location on the child server. Manage Child Servers from Parent Server in Server Cluster A server cluster is a group of servers. A server cluster comprises a parent server and one or more child servers. A server cluster is created to manage multiple servers using a single server. This managing server is called the parent server and the servers that are managed from the parent server are called the child servers. The parent server retrieves aggregated data from multiple child servers in the cluster and displays it on the AirTight Management Console along with the parent server data. You can also push common policies onto multiple child servers from a parent server. A server (parent server or child server) can be a part of only one cluster at any given point. A child server cannot be the parent of any other server in the cluster. The creation of a server cluster and management of servers in the server cluster is done using the server command line console. Refer to the 'Set up and Manage Server Cluster' chapter for details on setting up server cluster and to 'Server Config Shell Commands' chapter for the server cluster commands, in the respective server installation guide . Viewing of the aggregated server cluster data and management of policies on the child servers from the parent server in the cluster is done through AirTight Management Console. You must be a superuser to be able to view server cluster related options and manage server cluster data and policies through AirTight Management Console. Once you are done with assigning a parent server to a server cluster and adding child servers to the server cluster, you can login to AirTight Management Console of the parent server, and then navigate to Configuration>System>Server Cluster. Create one or more locations, if they are not already present, to mount the child servers on the parent server location tree. If the locations have already been added, mount the child servers on to these locations. You can mount the child servers and also copy policies from one server to another server in the same server cluster. You can print a list of child servers in the server cluster. You can search for servers in the list. Mount Child Server on Parent Server Location tree You must mount the individual child servers on the parent server location tree to be able to manage policies on the child server through the parent server or to view the aggregated server data for the entire server cluster. A valid license must be applied on the child server before you can mount it on the parent server location tree. You cannot mount a child server on a parent server location tree in the following situations

AirTight Management Console User Guide 116 • If the parent server in an existing server cluster has been upgraded, and the parent server and child server versions do not match. Refer to Fix Version Mismatch between Parent Server and Child Server section to fix the version mismatch. • If a valid license has not been applied on the child server or the license on the child server has expired. Refer to Fix Invalid License State on Child Server section to fix the license error state. When a child server is mounted, the parent server policies are not inherited by the child server automatically. The child server continues to use the policies applied to it before being added to the server cluster. Individual policies on the child server can be inherited from parent servers. For details, refer to Inherit Policy from Parent Server To mount a child server on the parent server, do the following. 1. Go to Configuration>System>Server Cluster. 2. Select the root location of the parent server. The child servers are displayed. 3. Click the Not Mounted link for the child server to mount. The Select Locations dialog box is displayed. 4. Select an appropriate location to mount the child server. If the location has not been created, create the location first. 5. Click Save to mount the child server on the selected location. Change Mount Point of Child Server You can change the mount point of a child server whenever you want to. You cannot change the mount point of a child server if the license has not been applied on the child server or the license on the child server has expired.To change the mount point of a child server on a parent server location tree, do the following. 1. Go to Configuration>System>Server Cluster. 2. Select the root location of the parent server. The child servers are displayed. 3. Click the mount point link for the child server to mount. A message prompting you to change mount point, unmount server appears. 4. Click Change mount point. 5. Select an appropriate location to mount the child server. If the location has not been created, create the location first. 6. Click Save to mount the child server on the selected location. Unmount Server from Parent Location Tree You can unmount a child server from the parent location tree. To unmount a child server from a parent server location tree, do the following. 1. Go to Configuration>System>Server Cluster. 2. Select the root location of the parent server. The child servers are displayed. 3. Click the mount point link for the child server to mount. A message prompting you to change mount point, unmount server appears. 4. Click Unmount. 5. Click Save to unmount the child server from the parent location tree. Fix Version Mismatch between Parent Server and Child Server The parent server and the child servers in a server cluster must have the same software version numbers installed on them to function correctly when communicating with each other. If you have upgraded the

AirTight Management Console Configuration 117 parent server and there is a version mismatch between the parent server and a mounted child server, you are not allowed to access the child server locations from the parent server location tree. You must fix the version mismatch to be able to access the child server locations from the parent server location tree. When there is a version mismatch, the Fix version mismatch link is enabled. You can click this link to fix the version mismatch of the child server. The child server restarts after applying the upgrade. You must download the upgrade bundle from the AirTight support website before proceeding with fixing the version mismatch. To fix the version mismatch between a parent server and a child server, do the following. 1. Select the root location of the parent server. The child servers are displayed. 2. Go to Configuration>System>Server Cluster. The Fix link is enabled for the child server that has a version mismatch with the parent server. 3. Click the Fix link. The Fix version mismatch dialog box appears. 4. Click the Select File link and select the upgrade bundle file from the location at which it has been downloaded. 5. Click Upload and Upgrade to upload the upgrade bundle and upgrade the child server with the version mismatch. Fix Invalid License State of Child Server After a server cluster is created using the command line, a valid license must be applied to the child servers. This can be done from the parent server in the cluster. A child server is in an invalid license state when a valid license is yet to be applied on the child server or when the license has expired. To fix the invalid license state of a child server, do the following. 1. Select the root location of the parent server. The child servers are displayed. 2. Go to Configuration>System>Server Cluster. The Fix license link is enabled for the child server that has an invalid license. 3. Click the Select File link and select the license file from the location at which it has been downloaded. 4. Click Apply License to apply the license on the child server. The child server restarts on successful application of the license on it. Copy Policy Settings You can copy policy settings from one server to another in a server cluster. You can copy policy settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser to copy policies from one server to another. Policy settings related to the following can be copied. • Account Suspension • Password Policy • Login Configuration • Language Setting • Audit Logs • Vendor OUIs • RF Propagation • Auto Location Tagging • Auto Deletion • SMTP Configuration

AirTight Management Console User Guide 118 • RADIUS Configuration • Smart Device Type • Certificate Configuration • LDAP Configuration • Location Tracking Configuration • ArcSight Integration • Banned Device List - AP • Banned Device List - Client • Live RF View Settings • AirTight Mobile Settings • Reports Look and Feel • HotSpot SSIDs • Vulnerable SSIDs • Syslog Integration • SNMP To copy one or more policies from one server to another, do the following. 1. Go to Configuration>System>Server Cluster. 2. Click Copy. The Copy Policies dialog box appears. 3. Select the server from which policy settings are to be copied. 4. Select the server to which the policy settings are to be copied. 5. Select the policy settings to be copied. Click >. To copy all available policy settings, click >>. If you want to remove any policy from the list of policy settings to copy, select the policy in the right hand box and click Remove. 6. Click OK to copy the policy settings. Search Child Server You can search for child servers by server name or server IP address. To search a child server, do the following. 1. Select the root location 2. Go to Configuration>System>Server Cluster. 3. Enter the server name or the server IP address in the Quick Search box. 4. Press Enter key. 5. ">The servers with name or IP address matching the search string are displayed. The search string could be a substring of the name or the IP address. Print Child Server List You can print a list of child servers in a server cluster. To print a child server list for the root location of a parent server, do the following. 1. Go to Configuration>System>Server Cluster. 2. Select the root location of the parent server. 3. Select the columns that you want in the printed list. Click any column name to select or deselect columns. 4. Click the print icon. The print preview of the child server list appears. 5. >Click Print to print the child server list.

AirTight Management Console Configuration 119 Manage Vendor OUIs A list of popular vendors along with the individual MAC prefix can be seen and managed using the Configuration>System>Vendor OUIs option. A 3-byte MAC prefix identifies the vendor for any given 802.11 device. Add Vendor or MAC Prefix Click Add Vendor/MAC Prefix to add a new vendor-MAC prefix pair or a new prefix to an existing vendor name. Select an existing vendor and add a new MAC address for the vendor. Similarly, you can also add a new vendor and one or more MAC addresses corresponding to that vendor. Delete Vendor or MAC Prefix Click the respective Delete hyperlink for a MAC prefix, to delete it. Manage Device Template An AirTight device can operate as an AP or as a sensor or both AP and sensor (one radio configured as an AP and the other as a sensor), depending on the device model used. W-68 is a 2x2 802.11a/b/g/n/ac access point/sensor. C-65 is a dual radio access point/sensor with one 2x2 b/g/n radio and one 2x2 a/n/ac radio. C-75 is a dual-band, dual-radio 3x3 802.11a/b/g/n/ac device. You can configure C-75 to function either as an AP or as a WIPS sensor. At a given time, both radios must be configured either in the AP mode so that the device functions as an AP, or in the sensor mode so that the device functions as a sensor. C-75-E is a dual-band, dual-radio 3x3 802.11a/b/g/n/ac device. You can configure C-75-E to function either as an AP or as a WIPS sensor. At a given time, both radios must be configured either in the AP mode so that the device functions as an AP, or in the sensor mode so that the device functions as a sensor. SS-300-AT-O-70 is a dual-band dual-radio 3x3 802.11 b/g/n device that can be deployed outdoors. You can configure both radios to function either in AP mode or in WIPS sensor mode at any given point in time. SS-300-AT-C-60 is a concurrent dual-band, dual-radio 3x3 802.11a/b/g/n device that supports multiple modes of operation for Wi-Fi access and WIPS. You can separately configure the 2 radios, Radio 1 and Radio 2. You can configure SS-300-AT-C-60 and to function either as AP with or without background scanning, or as a WIPS sensor. When it functions as an AP with background scanning (dual mode), one radio is configured as an AP and the other is configured as WIPS sensor. SS-300-AT-C-50 is a dual-band, single radio 2x3 802.11a/b/g/n device that can operate exclusively as an AP or as a WIPS sensor at any given point in time. SS-300-AT-C-55 is a dual radio a/b/g/n device. Both the radios need to be configured to function either in AP mode only or in WIPS sensor mode only. You cannot configure one radio as an AP and the other as a sensor.

AirTight Management Console User Guide 120 SS-300-AT-C-55-E is a dual radio a/b/g/n device. Both the radios need to be configured to function either in AP mode only or in WIPS sensor mode only. You cannot configure one radio as an AP and the other as a sensor. SS-300-AT-C-10 is an 802.11a/b/g/n device. SS-200-AT-01 is an 802.11a/b/g device.SS-300-AT-C-10 and SS-200-AT-01 function as WIPS sensors only. They cannot be configured to function as APs. A device template is a set of configuration parameters such as settings for radio, channels to monitor, VLANs to monitor, offline sensor configuration, antenna selection and port assignment. This template can be applied to one or more AirTight devices. When you have multiple devices deployed in your organization, configuring each individual device could be monotonous, tedious and time-consuming. A device template is a convenient way of applying a standard set of Wi-Fi and/or WIPS settings on multiple AirTight devices simultaneously, thereby saving time and effort, and ensuring consistency. You can have a common device template for all the devices deployed at a location, by configuring the template as the default device template. See the image below for a graphical representation of the use of device templates. Manage device templates using the Configuration>Device Templates. You need administrator privileges to manage device templates. Device Template The server stores the default device configuration in a predefined template called System Template. The System Template can be modified. Whenever an AirTight device is added or discovered, AirTight Wi-Fi AirTight WIPS server automatically assigns the configuration settings in this template to the device. You can edit the default configuration settings in System Template to suit your need.

AirTight Management Console Configuration 121 You can configure a template as the default template for a location. This template will be applied to any new device tagged to that location. When you delete a user-defined device template, System Template is applied to all the devices associated with that template. You can manually override the template applied to an AirTight device from the Devices > AirTight Devices tab. If you customize the settings in the template, the new settings are applied to the AirTight devices to which this template is applied. To apply the customized settings, you need to push the new settings on to the AirTight device. Customize Policy/Device Template for Location A policy is a set of rules applicable to a location. This set of rules is represented by a device template. When you create a new location folder, it inherits the default policy or device template from the parent location folder. Location floors inherit the default device template from their immediate parent location folder. This means that all AirTight devices that connect to this location will use this default template. You can define your own device template and make it the default template for a location folder. This is called customizing the policy or device template at the selected location. You can customize the policy or device template at the location folder level. This customization is not available at the location floor level. When you change the device template at a location, all the AirTight devices connecting to the location after the change will use the newly applied device template. You can choose whether or not you want the devices existing at the location to use the changed device template or continue using the previous default device template. This can be done when you confirm the change in the default device template at the location. The Device Templates page lists the device templates that are available at all locations. For the selected location, you must apply a device template from the available list to create the WLAN policy at that location. This means that you must make the device template as the default template for the location. A new AP or an existing authorized AP is compared against the applied device template to determine if it is a rogue or misconfigured AP. Other templates could be available to be attached, but they are not part of the WLAN policy. Therefore, they will not be used for AP classification. To customize the policy at the selected location, do the following. 1. Click Customize at this location? link seen at the bottom of the Device Templates page. The Make default link is enabled for user-defined device templates in the Device Templates list seen under Configuration > Device Templates. 2. To change the default template for a location, click the Make Default link of the device template that you want to set as the default template. A confirmation message is displayed. 3. If you want to apply the new device template to existing devices at the location click Yes. If you want the existing devices to continue using the old default device template, click No. Revert to Inherited Device Template If you have defined a custom device template for a location and wish to inherit the parent device template, do the following. 1. Click the Inherit from parent location? link seen at the bottom of the Device Templates page. 2. Click Yes on the message that asks you to confirm that you want to inherit from parent location. Another confirmation message is displayed.

AirTight Management Console User Guide 122 3. If you want to apply the inherited device template to existing devices at the location click Yes. If you want the existing devices to continue using the customized default device template, click No. Add Device Template When adding a device template, you can specify the name and description of the device template and save the template. When the template is defined in this manner, without defining device settings and radio settings, and applied to a device, the device functions as a WIPS sensor. To add a new device template, do the following. 1. Click Add Device Template seen under Configuration>Device Configuration>Device Templates, to add a new device template. 2. Specify the following values. Field Description Template Name A unique name of the device template. The name can contain a maximum of 40 characters. Description A brief description of the device template. The description should not exceed 500 characters in length. Allow Device Specific Customization Select this check box to override the settings done through device template. Refer to Override Device Template Settings for further details. Operating Region Region or country of operation of the AirTight device. 3. Specify the device password under Device Settings > Device Password on the Add Device Template dialog box. 4. Click Save to save the device template settings. To configure the device settings for the device template, click Device Settings on the Add Device Template screen. Device settings are sensor-related settings. They are relevant to devices functioning as WIPS sensors, or APs with background scanning enabled on them. Refer to Device Settings explained below, for further details on configuring device settings for a device template. To configure the radio settings for the device template, click Radio Settings on the Add Device Template dialog box. Refer to Radio Settings explained below, for further details on configuring radio settings for a device template. Device Settings Device Settings are further sub-divided into VLAN monitoring, Device Password, Device Access Logs, Offline Configuration, Third Party Analytics Integration, and Channel Settings. Each of these is explained below. VLAN Monitoring VLAN monitoring is essential for the wired-side connection status detection, host name detection, smart device detection, rogue AP detection, and so on. Select Enable Additional VLAN Monitoring check box to enable the device to monitor additional VLANs. Include all the additional VLANs to be monitored as a comma-separated list. The VLAN used by the device to communicate with the server is always monitored and need not be specified here. The additional VLANs to be monitored must be configured on the switch port where the device is connected and must be DHCP enabled. A VLAN ID '0' indicates untagged VLAN on the switch port where the device is connected, irrespective of the actual VLAN number on the switch.

AirTight Management Console Configuration 123 IMPORTANT: If a VLAN is configured with a static IP address, then configure the VLAN from the CLI. If you want to customize the VLANs to be monitored for one or more specific devices to which a device template is applied, you can do it using the Devices > Device Properties. In order to override the additionally monitored VLANs, you must select the Allow Device Specific Customization check box. Device Password You can manage the password for the AirTight device Command Line Interface (CLI) user 'config' from the device template. By defining a password in the device template, you can manage the password for a group of devices without having to change it on each device separately. The password should be at least 6 characters long and it cannot contain spaces or your login ID. You must specify the new password for the 'config' user. Confirm the new password before saving. The new password is applied on all the devices associated with the device template. Device Access Logs AirTight Management Console provides you with a functionality to send the sensor access logs to the Syslog server. This functionality is useful for audit purposes and can be enabled or disabled for a device template. If enabled, specify Syslog server IP/Hostname to which the access logs are to be sent. Offline Configuration This feature provides some security coverage even when there is no connectivity between an AirTight device and the server. The feature is relevant to an AirTight device functioning as a sensor. The sensor provides some device classification and prevention capabilities when it is disconnected from the server. The sensor also raises events, stores them, and pushes them back to the server on reconnection. To enable this feature select Enable offline mode. In the time after which, if the sensor does not receive any communication from the Server and Enable offline Sensor mode is enabled, the sensor switches to the offline mode.(Minimum: 5 minutes; Maximum: 60 minutes; Default: 15 minutes) There are three sub-sections under Offline Configuration 1. AirTight Device Parameters: In AirTight Device Parameters section, you can specify the following. Number of APs to be stored: Maximum number of AP identities that the device will store in the Offline mode (Default: 128). Number of Clients to be stored: Maximum number of client identities that the device will store in the Offline mode (Default: 256). Number of events to be stored: Maximum number of raised events that the device will buffer in the Offline mode (Default: 256). This is maintained as a cyclic buffer. That is, if the events raised exceed this limit, the oldest events are overwritten. The buffered events are transferred to the console when the device reconnects to the server. Number of intrusion prevention records:Maximum number of prevention records that the sensor will buffer in Offline mode (Default:256). This is maintained as cyclic buffer. If the records exceed this limit, the oldest records are overwritten. The buffered records are transferred to the console when the device reconnects to the server. 2. Device Classification Policy: Specify how the sensor should classify APs and client devices when it is not connected to the server. Configure the AP classification policy the following way. • If you want to classify networked APs as rogue APs, select the Move networked APs to check box and select the Rogue option from the drop-down list next to this check box.

AirTight Management Console User Guide 124 • If you want to classify networked APs as authorized APs, select the Move networked APs to check box and select the Authorized option from the drop-down list next to this check box. • If you want to classify non-networked APs as external APs, select the Move non-networked APs to the External Folder check box. 3. Intrusion Prevention Policy: Specify the threats for which intrusion prevention is to be enabled on the sensor when it is not connected to the server. Select one or more check boxes for the threats that you want the sensor to prevent when in offline mode. The sensor can exercise intrusion prevention against the following threats: rogue APs, uncategorized APs connected to the network, APs categorized as authorized using no security mechanism, APs categorized as authorized using weak security mechanism, authorized client connection to external APs, unauthorized client connection to authorized APs, uncategorized client connection to authorized APs, authorized client participating in ad hoc network, and honey pot or evil twin APs. Third Party Analytics Integration This feature enables integration of AirTight Wi-Fi/AirTight WIPS with a third-party external server, and send the visibility analytics data to the third-party external server. To enable integration with third-party external server, do the following. 1. Select the Enable check box. 2. Enter the third-party external server URL or IP address in Server URL. 3. Enter the key for the AirTight device to authenticate with the third-party external server in Authorization Key. 4. Specify in Send Interval the time interval at which the AirTight device should send the client RSSI values to the third-party external server. Channel Settings Select the channel for the sensor to monitor from the list of available channels. These channels will differ according to your country of operation. Refer to the following table for the channel number, its protocol and respective frequency. Channel Protocol Frequency (GHz) Channel Protocol Frequency (GHz) Channel Protocol Frequency (GHz) 1 b/g/n 2.412 34 a/n/ac 5.17 116 a/n/ac 5.58 2 b/g/n 2.417 36 a/n/ac 5.18 120 a/n/ac 5.6 3 b/g/n 2.422 38 a/n/ac 5.19 124 a/n/ac 5.62 4 b/g/n 2.427 40 a/n/ac 5.2 104 a/n/ac 5.52 5 b/g/n 2.432 40 a/n/ac 5.2 108 a/n/ac 5.54 6 b/g/n 2.437 42 a/n/ac 5.21 112 a/n/ac 5.56 6 b/g/n 2.437 42 a/n/ac 5.21 116 a/n/ac 5.58 7 b/g/n 2.442 44 a/n/ac 5.22 120 a/n/ac 5.6 8 b/g/n 2.447 46 a/n/ac 5.23 124 a/n/ac 5.62 9 b/g/n 2.452 48 a/n/ac 5.24 128 a/n/ac 5.64

AirTight Management Console User Guide 126 Field Description Frequency Band The radio frequency band. The possible values are 2.4 GHz and 5 GHz. Default value is 2.4 GHz. Channel Width The channel width for the radio. Possible values are 20 MHz or 20 MHz /40 MHz. In case of a/n/ac devices, the 20/40/80 MHz option is available. The options are enabled for 2.4 GHz and 5 GHz modes. Operating Channel The operating channel for the radio. By default, the AP automatically selects the operating channel automatically (Auto). User can manually set the channel if desired. Select Manual, to set the operating channel. Based on the location selected in the left pane, a list of channel numbers presented for manual channel selection, is presented. If the manually selected channel is not present in the country of operation selected for the device in the applied AP template, the AP automatically reverts to Auto mode and selects a channel. Selection Interval This field is visible only when the Operating Channel is set to Auto. This field specifies the time interval, in hours, at which the channel selection happens. You can enter any value from 1 through 48. Channel Number This field is visible only when the Operating Channel set to Manual. This field specifies the operating channel number. The channel numbers seen in this box depend on the operating region selected. If you are defining channel number for APs in the mesh network, make sure that the channel number is the same for all the AirTight device models functioning as mesh APs. Background Scanning Select this check box to enable background scanning by the AP. IMPORTANT: Do not enable background scanning if the radio is being used for Voice over IP (VoIP). Radio Advanced Settings Custom Transmit Power This field enables you to control the transmission power of the AP. Select the custom transmit power check box and specify the transmission power of the AP in dbm. If the custom transmit check box is deselected, the maximum allowed transmit power allowed for the country of operation is set for the AP. Fragmentation Threshold The fragmentation threshold, in bytes. Permissible value for this field is from 256 through 2346 bytes. This field is applicable to 5 GHz and 2.4 GHz modes. RTS Threshold The threshold for Request to Send (RTS) in bytes. It specifies the threshold for the size of frame above which the AP should use Request to Send (RTS)/Clear to Send (CTS) handshake for transmission. This field is applicable to 5 GHz and 2.4 GHz modes. Note: If the threshold is set to very small value the wireless channel is not efficiently utilized. This threshold is meant to be used for large frames to avoid losing them due to collisions and causing channel resource wastage. Beacon Interval The time interval, in milliseconds, between AP beacon transmissions. The value is set to 100 milliseconds. It is not editable. DTIM Period DTIM (Delivery Traffic Indication Message) period is the time period after which clients connected to the AP should check for buffered data waiting on the AP. 802.11n/ac Guard Interval A time period at the end of each OFDM symbol to allow the signal to dissipate prior to transmitting the next signal. This prevents overlaps between two consecutive symbols. Legacy 802.11a/b/g devices use 800ns GI. GI of 400ns is optional for 802.11n. This field is 802.11n/ac specific. Half guard interval is not supported for SS-300-AT-C-50 when channel width is 20 MHz. Enable Frame Aggregation This field specifies the enabling or disabling of MAC protocol Data Unit (MPDU) aggregation. This field is 802.11n/ac specific. In case of 802.11 ac radio, frame aggregation is enabled, by default, and it cannot be disabled.

AirTight Management Console User Guide 128 5. Change the required settings and save the changes. Refer to Customize Device Template Settings for details on customizing these settings. Note: You can specify the customized settings at a later point, even if you enable per device configuration in the device template. Edit Device Template To edit a device template, do the following. 1. Go to Configuration>Device Configuration>Device Templates. 2. Click the link with the device template name. 3. Change one or more of the following values. Field Description Template Name A unique name of the device template. The name can contain a maximum of 40 characters. Description A brief description of the device template. The description should not exceed 500 characters in length. Allow Device Specific Customization Select this check box to override the settings done through device template. Refer to Override Device Template Settings for further details. Operating Region Region or country of operation of the AirTight device. 4. Click Device Settings to make changes, if any, to device settings. Refer to Device Settings for further details. 5. Click Radio Settings to make changes, if any, to radio settings. Refer to Radio Settings for further details. 6. Click Save to save the device template settings. IMPORTANT: You can edit a device template at a selected location, only if you have defined the device template at that location. Search Device Template You can search for device templates based on the template name. To search for a device template, do the following 1. Go to Configuration>Device Configuration>Device Templates. 2. On the Device Templates page, type in the keyword or search string for the template name Quick Search box on the top right corner. 3. Press Enter to filter the list of templates based on the keyword or the search string. The device templates matching the search criteria appear in the device template listing. Copy Device Template You can copy a device template to another location. A copied device template is editable at the new location. To copy a device template from one location to another, do the following.

AirTight Management Console Configuration 129 1. Go to Configuration>Device Configuration>Device Templates. 2. Select the device template. 3. Click the Move to icon. The Select Location dialog box appears. 4. Select the location where you want to copy the device template. 5. Click OK. Print Device Template List for Location You can print the list of device templates for a location. To print a list of device templates for a location, do the following. 1. Go to Configuration>Device Configuration>Device Templates. 2. Select the location for which you want to print the list of device templates. 3. Select the columns that you want in the printed list. Click any column name to select or deselect columns. 4. Click the print icon. The print preview of the device template list appears. 5. Click Print to print the list. Delete Device Template You can delete a device template at a selected location, only if you have defined the device template at that location. Deletion of a template results in assigning default device template to the AirTight Devices associated with this template. You cannot delete the System Template. To delete a device template, do the following 1. Go to Configuration>Device Configuration>Device Templates. 2. Select the location for which you want to delete the device template. 3. Select the check box for the device template you want to delete. 4. Click the delete icon. A confirmation message for deletion appears 5. Click Yes to confirm deletion of the device template. Configure SMTP Settings Configure the Simple Mail Transfer Protocol (SMTP) settings to send e-mails when events occur, using the Configuration>System Settings>SMTP Configuration option. You must have administrator privileges to configure SMTP settings. The fields on the SMTP Configuration page and their description is as follows. 'To configure SMTP settings, do the following. 1. Go to Configuration>System Settings>SMTP Configuration. 2. Enter the details. The following table describes the fields related to SMTP. Field Description SMTP Server IP Address/Hostname IP Address or the host name of the SMTP server used by the system for sending e-mail alerts. The default value is 127.0.0.1:25. Following are the authentication protocols for SMTP server

AirTight Management Console User Guide 130 • PLAIN (For sendmail 8.10 and above) • LOGIN (For sendmail 8.10 and above) • NTLM (Windows proprietary authentication method) Port Port number of the SMTP server used by the system for sending e-mail alerts. Email Address in From field source address from which e-mail alerts are sent Enforce use of StartTLS (TLSv1) STARTTLS is an extension to plain text communication protocols like SMTP that offers a way to upgrade a plain text connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Select this check box if you want to enforce the use of STARTTLS to send e-mails in an encrypted format. Verify SMTP Server's Certificate Select this check box to verify SMTP server's certificate against built-in well-known CA certificates or uploaded CA certificate. When this check box is selected, an e-mail is not sent out if the certificate match fails. Set Certificate If an SMTP server's CA certificate is not present in the built-in well-known CA certificates packaged in the AirTight appliance, the test SMTP operation fails. In such cases, you can upload a private CA certificate of the SMTP server. Click this button and then click Choose to add a private CA certificate file to be used for SMTP server authentication. If a private certificate is uploaded only this certificate is used for authentication; the built-in certificates will not be used. If the uploaded file contains multiple entries only the first entry is used for verification. To delete a certificate, click Delete for the certificate and confirm deletion. Note that the server application is restarted after private certificate upload or delete operation. Authentication Required Select this check box to enable SMTP authentication. Username user name for SMTP server authentication, when SMTP server authentication is enabled. Password password for SMTP server authentication, when SMTP server authentication is enabled. 3. Change the server access URL, if required. 4. Click Save to save the changes Restore SMTP Configuration Defaults The default values for SMTP configuration are as follows. SMTP Server IP Address/Hostname 127.0.0.1 Port 25 Email Address in From field server@localhost.localdomain Authentication Required not selected Server Access URL https://wifi-security-server To restore SMTP configuration defaults, do the following.

AirTight Management Console Configuration 131 1. Go to Configuration>System Settings>SMTP Configuration. 2. Click Restore Defaults to restore the default values of the SMTP configuration fields . 3. Click Save to save the changes. Test SMTP Settings To test SMTP settings, you can send a test email. The SMTP configuration settings are used for this mail. The settings used for this mail are the SMTP settingsspecified by you. Make sure you have configured SMTP correctly before testing the settings. To test SMTP settings, do the following. 1. Go to Configuration>System Settings>SMTP Configuration. 2. To send a test e-mail, click Test SMTP Settings. An email is sent if the configuration is correct. Copy SMTP Configuration to Another Server You can copy the SMTP configuration from one server to another server when both servers are part of the same server cluster. You can copy SMTP configuration from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy SMTP configuration, do the following. 1. Go to Configuration>System Settings>SMTP Configuration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the SMTP configuration is to be copied. 4. Select the server to which the SMTP configuration is to be copied. 5. Click OK to copy the SMTP configuration. View System Status The Configuration>System>System Status page displays information about the AirTight Wi-Fi / AirTight WIPS server. All the static server information is available under System Information. The current status of the server is displayed under Server Information. Information about backup files stored on the server is displayed under Backup Files stored on the server. The file name, The following table describes the static information seen on the System Status page. Field Description Server ID Specifies the unique identifier for the server appliance. If you have installed a single server appliance, then retainthe default server ID, that is, 1. AirTight Device Communication Port Specifies the AirTight device port number on which the AirTight Management Console server communicates with the device. Serial Number Specifies the hardware serial number of the AirTight Management

AirTight Management Console Configuration 133 Recommended: To upgrade the server to a newer version, ensure that you access the Console using a computer whose IP address has not been changed by Network Address Translation (NAT). If you access the Console, using a NATed IP, upgrade will continue in the background but you cannot view the upgrade progress messages. Upgrade Process 1. Click Browse to select the Upgrade Bundle. 2. Click Upgrade Now to transfer the Upgrade Bundle to the server. 3. On the Confirm Upgrade dialog, click Yes to proceed with the upgrade. 4. The Uploading Upgrade Bundle message with the progress bar appears. 5. You can cancel the upgrade by clicking Cancel anytime while the Upgrade Bundle upload is in progress. 6. After the Server Upgrade Bundle upload is complete, Server Upgrade starts automatically. 7. Close the current browser window. A new window, Server Upgrade Progress, is launched which displays the status of the Server Upgrade process. Follow the instructions displayed on the Server Upgrade Progress window. 8. After the server upgrade is successful, the server reboots automatically. 9. After you have read all instructions on the Server Upgrade Progress window, close all the Web browser windows including the Server Upgrade Progress window. 10. Wait for five minutes for the server to reboot. After this, you can access the server again. Note: You cannot abort or cancel the Server Upgrade process once the Server Upgrade Progress window is launched. Additionally, the Server Upgrade process continues even if the Server Upgrade Progress window is closed. Configure Auto Deletion Settings AirTight Management Console stores historical information about the devices visible to it and the events related to these devices. The rate of growth of this information is dependent on the volatility of the wireless environment at the deployed location. It is necessary to delete this information periodically, as it becomes obsolete after some time. This is done using the Configuration->System->Auto Deletion option. Based on the event-related configuration done by you, the system also raises and stores a number of events. If the configuration is such that there are significant number of events generated and stored, the stored event data size grows significantly faster. This event data also requires regular cleanup. Auto deletion allows you to specify values of various auto deletion parameters to control the frequency of deletion of information. The system generates an event for tracking the action of auto deletion. This event gives information only about device deletion. There is no event separately generated that indicates event deletion. The auto-deletion parameters are related to access point, client, network events. These are explained in detail below. Access Point Deletion Parameters: The available AP categories are Uncategorized, Rogue, External. Authorized APs are not deleting automatically from the system. If you want to delete inactive authorized APs, you have to delete them manually. Note: The control for some AP categories is available in specific deployments only. Select the AP categories for which you want to set the auto-delete duration. Specify the number of days of inactivity after which the AP related information is to be automatically deleted for the respective

AirTight Management Console User Guide 134 category. The minimum number of days of inactivity is 1 and the maximum number of days of inactivity is 30. Client Deletion Parameters: The available client categories are Uncategorized, Authorized, External, Rogue, Guest. Select the client categories for which you want to set the auto-delete duration. Select the appropriate check box and specify the number of days of inactivity after which the client-related information is to be automatically deleted for the respective category. The minimum number of days of inactivity is 1 and the maximum number of days of inactivity is 30. Network Deletion Parameters: Select the No. of days to retain exposed Networks check box and specify the duration, in days, for which the exposed networks are to be retained on the server. The default value is 30 days for this field. The minimum value for retention in the system is 1 day, and the maximum value is 90 days. Events Deletion Parameters: Specify the maximum number of security, performance and system events that should be retained on the server. The following table shows the event type along with the default, minimum, and maximum values. Event Type Default number of events Minimum number of events to store Maximum number of events to store Note Security 50,000 20,000 80,000 The maximum number of security events that can be retained for the SA-350 appliance is 0.7 million. Performance 10,000 5000 40000 The maximum number of performance events that can be retained for the SA-350 appliance is 0.25 million. System 1000 500 2000 The maximum number of system events that can be retained by can be retained by the SA-350 is 0.05milloin. Specify how long the events should be retained in the database: The default value is 30 days for this field. The minimum number of days to retain events is 1 day, and the maximum number of days to retain events is 365 days. Events older than the period specified will be purged from the database. You can track auto-deletion of inactive APs, Clients, and events, by monitoring the special event generated by the system. The system generates an event containing the summary of the actions performed during the auto-deletion operation, if and only if any physical deletion of information has actually taken place. Copy Auto Deletion Settings to Another Server You can copy the auto deletion settings from one server to another server when both servers are part of the same server cluster. You can copy auto deletion settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy auto deletion settings, do the following. 1. Go to Configuration>System Settings>Auto Deletion on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the auto deletion settings are to be copied.

AirTight Management Console Configuration 135 4. Select the server to which the auto deletion settings are to be copied. 5. Click OK to copy the auto deletion settings, Manage Audit Log Settings AirTight Management Console keeps a track of the user activity. The user action logs can be downloaded from the server for viewing purpose. This is done using the Configuration>System Settings>Audit Logs option. Only a super user has the privilege to download the user action logs. Audit logs are also called user action logs. Set Duration for Audit Log Download You can specify a time duration, using the From and To fields that indicate duration between the date from which and date up to which you want to download the user action logs. Alternatively, you can specify a duration indicating the number of lapsed hours for which you want to download the user action logs. You can select the type of log entries that can be downloaded. Use the For field to specify this. By default, records of all types are included in the downloaded log file. You can sort the log on the date and time, module, host address, user role, login name, type and status of the login attempt. Use the Ordered by field to select the sort field. The default sorting of log entries is done on date and time. To configure settings for user action logs to download, do the following. 1. Go to Configuration>System Settings>Audit Logs. 2. Select the type of action log to download. 3. Select the From and To date for which the user action log is to be downloaded. Alternatively, you can select Last and specify the number of elapsed days, months or years for which you want to download the user action logs. 4. Click Save to save the changes. Download Audit Logs You can download the user action logs after having set the duration and type of user action logs for the download. To download, do the following. 1. Go to Configuration>System Settings>Audit Logs. 2. Click Download. The user action log is downloaded as a CSV file. The contents of the log depends on the type of action log downloaded. Note: If the server is a parent server in a server cluster, the downloaded log is an aggregation of the parent server and child server log data. This means that the child server logs are also included in the parent server logs. In this case, the audit log contains an additional column 'Cluster Server'. For parent server log entries, the value in this column in 'Cluster Parent' and for child server log entries, the value in this column is the name of the child server itself. Restore Default User Action Log Download Settings 1. Go to Configuration>System Settings>Audit Logs. 2. Click Restore Defaults to restore the default values. 3. Click Save to save the changes.

AirTight Management Console User Guide 136 Copy Audit Log Settings to Another Server You can copy the audit log settings from one server to another server when both servers are part of the same server cluster. You can copy audit log settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy audit log settings, do the following. 1. Go to Configuration>System Settings>Audit Logs on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the audit log settings are to be copied. 4. Select the server to which the audit log settings are to be copied. 5. Click OK to copy the audit log settings.

AirTight Management Console Configuration 137 Configure Integration with Enterprise Security Management Servers You can configure AirTight Management Console to integrate with various enterprise security management (ESM) servers using the Configuration->ESM Integration page. AirTight Management Console integrates with ESM servers that collect, analyze, and display events. AirTight Management Console sends security events related information to these servers. AirTight Management Console integrates with SNMP, Syslog and Arcsight servers. To configure the integration settings for SNMP, see SNMP Integration. To configure the integration settings for Syslog, see Syslog Integration. To configure the integration settings for Arcsight, see Arcsight Integration. Syslog Integration You can configure the integration settings with communication with Syslog servers for AirTight WIPS to communicate and send log messages to Syslog servers. If Syslog integration is enabled, the system sends messages to the configured Syslog servers. Otherwise, Syslog integration services are shut off. Apart from events, you can also send audit logs from AirTight WIPS to a Syslog server. You must enable integration with Syslog for AirTight WIPS to send messages and audit logs to Syslog servers. Select the Enable Syslog Integration check box to enable integration of AirTight Management Console/AirTight WIPS with Syslog server. Current Status indicates the status of the Syslog server. It could be Running, Stopped or Error, depending on the state of the Syslog server. Error status is shown if the System server is stopped, if the hostname of an enabled syslog server cannot be resolved, or if an internal error occurs. In case of occurrence of an internal error, you need to contact Airtight Technical Support. Adding a Syslog Server To add a syslog server, do the following. 1. Go to Configuration>ESM Integration>Syslog Integration. 2. Under Manage Syslog Servers, click Add Syslog Server to add Syslog server details. 3. Specify the Syslog Server IP Address or Hostname to which the events should be sent. 4. Specify the port number of the Syslog server to which the system sends events. The default port number is 514. 5. Specify the format in which the event is sent, which is Intrusion Detection Message Exchange Format (IDMEF) or Plain text. the default format is plain text). 6. Select the Enabled check box if you want the events and/or audit logs to be sent to this Syslog server. It is enabled by default. 7. Select the Append BOM header check box if you want to append the byte order mark to the syslog server entry. This is relevant in case of plain text files. 8. Select the Forward Events check box to send events to the Syslog server. 9. Select the Forward Audit Logs check box to send audit logs to the Syslog server. You can forward audit logs in plain text format only. 10. Click OK to add the details for a new Syslog server.

AirTight Management Console User Guide 138 Edit Syslog Server To edit syslog server settings for a syslog server, do the following. 1. Go to Configuration>ESM Integration>Syslog Integration. 2. Click the Syslog server IP address and port hyperlink in the list of Syslog servers. 3. Make the necessary changes. 4. Click OK to save the changes. Delete a Syslog Server You can delete a syslog server from the list of syslog servers, Once deleted from the list, the entries will not be sent to this server. To delete a syslog server, do the following. 1. Go to Configuration>ESM Integration>Syslog Integration. 2. Click the Delete hyperlink for the Syslog server to delete the Syslog server. Copy Syslog Server Settings to Another Server You can copy the Syslog server settings from one server to another server when both servers are part of the same server cluster. You can copy syslog server settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy syslog server settings, do the following. 1. Go to Configuration>ESM Integration>Syslog Integration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the syslog server settings are to be copied. 4. Select the server to which the syslog server settings are to be copied. 5. Click OK to copy the syslog server settings, Arcsight Integration Go to Configuration>ESM Integration>Arcsight Integration to configure the integration settings for communication with Arcsight server AirTight Management Console integrates with ArcSight’s Enterprise Security Management (ESM) infrastructure by sending events to the designated ArcSight server. The ArcSight server is configured to accept syslog messages having detailed event information in ArcSight’s Common Event Format (CEF). The system needs the IP Address or the hostname and the port on which the ArcSight server receives events. You can add more than one Arcsight servers to receive events from AirTight Management Console. Apart from events, you can also send audit logs from AirTight Management Console to an Arcsight server. Refer to the following figure for a graphical representation of Arcsight integration.

AirTight Management Console Configuration 139 Arcsight Integration Add Arcsight Server To add an Arcsight server, do the following. 1. Go to Configuration>ESM Integration>Arcsight Integration. 2. Click the Add Arcsight Server hyperlink. 3. Enter the Arcsight IP address, port number. 4. Select the Enabled check box if you want to enable sending CEF messages and/or audit logs generated by AirTight Wi-Fi/AirTight WIPS to this server. 5. Select the Forward Events check box to send CEF messages to the Arcsight server. 6. Select the Forward Audit Logs check box to send audit logs to the Arcsight server. 7. Click OK to save the changes. Edit Arcsight Server To edit Arcsight server details, do the following. 1. Go to Configuration>ESM Integration>Arcsight Integration. 2. Click the Arcsight server IP address and port hyperlink in the list of Arcsight servers. 3. Make the necessary changes. 4. Click OK to save the changes. Delete Arcsight Server To edit Arcsight server details, do the following. 1. Go to Configuration>ESM Integration>Arcsight Integration.

AirTight Management Console User Guide 140 2. Click the Delete hyperlink for the Arcsight server IP address and port to delete the Arcsight server. Once deleted from the list, the CEF messages will not be sent to this server. Copy Arcsight Server Settings to Another Server You can copy the Arcsight server settings from one server to another server when both servers are part of the same server cluster. You can copy Arcsight server settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy Arcsight server settings, do the following. 1. Go to Configuration>ESM Integration>Arcsight Integration on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the Arcsight server settings are to be copied. 4. Select the server to which the Arcsight server settings are to be copied. 5. Click OK to copy the Arcsight server settings, SNMP Integration Go to Configuration->ESM Integration->SNMP to configure the integration settings for communication with SNMP server The SNMP page enables the sending of events from AirTight Management Console, as SNMP traps to designated SNMP trap receivers. It also enables SNMP managers to query server operating parameters using IF-MIB, MIB-II, and Host Resources MIB. Select Enable SNMP Integration check box to enable the integration with SNMP servers. When SNMP integration is enabled, the system sends SNMP traps to the configured SNMP servers. Other systems can request for information about network entities from the SNMP server. Otherwise, SNMP integration services are shut off. Current Status displays the current status of the SNMP server. This can be Running or Stopped or Error, depending on the state of the SNMP server. Error status is shown if the System server is stopped or if an internal error occurs. In case of occurrence of an internal error, you need to contact Airtight Technical Support. Under SNMP Settings, configure SNMP Gets or Traps. Configure SNMP Get and SNMP Traps Select the SNMP Gets Enabled check box to allow SNMP managers to query server-operating parameters enlisted in IF-MIB, MIB-II, and Host Resources MIB. Deselect this check box to block queries related to all the MIBs. Alternatively, select SNMP v3 Parameters check box to configure SNMP v3 Get parameters, that is Username, Authentication Password, Privacy Password, Authentication Protocol and Privacy Protocol.(Default Username is admin; default Authentication Password is password, default Privacy Password is password, default Authentication Protocol is MD5 and default Privacy Protocol is DES.) Select the Show Key check box to display the password as is, without masking it. Select the SNMP Traps Enabled check box to allow SNMP traps to be sent to configured SNMP servers. Additionally, select the SNMP versions to be enabled and configure the relevant settings. The SNMP agent residing on the server uses the SNMP version parameters to deliver traps to the SNMP Trap receivers.

AirTight Management Console Configuration 141 Select SNMP v1,v2 check box to send traps to all Trap receivers accepting traps using SNMP v1, v2 protocol. You can change the Community String for the SNMP agent. All SNMP v1, v2 Trap receivers configured, should use this community string to receive traps.(Default: public). Select the SNMP v3 check box, to send traps to all Trap receivers accepting traps using SNMP v3 protocol. You can configure the individual parameters that is, Username, Authentication Password, Privacy Password, Authentication Protocol and Privacy Protocol, while adding the trap receivers/destinations. All SNMP v3 Trap receivers configured, should use these parameters to receive traps. Engine ID is not editable. Default Username is admin; default Authentication Password is password, default Privacy Password is password, default Authentication Protocol is MD5 and default Privacy Protocol is DES. Under SNMP MIBs, you can choose to query by enabling or disabling the following SNMP MIBs individually. • IF MIB • Host Resources MIB • AirTight-MIB: If selected, the system enables the external SNMP Trap receivers to receive traps. • MIB-II: If selected, configure the System Contact, System Name, and System Location. (Default System Name: Wi-Fi Security Server). Starting with version 6.7.U5, MIB-II ‘System Description (sysDescr)’ has been changed to ‘AirTight SpectraGuard Enterprise, Version xxx’ and MIB-2 ‘System Object ID (sysOID)’ has been changed to ‘.1.3.6.1.4.1.16901.1.1.1’. Apart from this, with version 6.7 U5, SNMP traps are generated whenever any monitoring service crashes, and this service is restarted successfully by the health-check daemon. Please refer to AirTight MIB for more details. IF MIB, Host Resources MIB, and MIB II are standard MIBs that you can download from the Internet. For AirTight-MIB, contact AirTight Technical Support. Add SNMP Trap Destination Server Under SNMP Trap Destination Servers, click Add to open SNMP Configuration dialog where you can add SNMP server details. Destination Server (IP Address/Hostname): Specifies the IP address or the hostname of the SNMP server to which events should be sent. SNMP Protocol Version: Specifies the SNMP protocol version for the SNMP agent. (Default: SNMP v3) Port Number: Specifies the port number on the receiving system to which the SNMP trap is sent. (Default: 162) Enabled?: Specifies if the SNMP server is enabled to receive SNMP traps. (Default: Enabled) User name: Specifies if the SNMP v3 user name. (Default:admin)> Authentication Password: Specifies if the SNMP v3 authentication password. (Default: password) Privacy Password: Specifies if the SNMP v3 privacy password. (Default: password) Authentication Protocol: Specifies if the SNMP v3 authentication protocol. (Default: MD5) Privacy Protocol: Specifies if the SNMP v3 privacy protocol. (Default: DES) Note: You must specify a different port number if another application uses the default port. For every combination of authentication and privacy protocol, you must specify a different user name for v3 get/trap parameter. Click Add to add the details for a new SNMP server.

AirTight Management Console User Guide 142 Edit SNMP Trap Destination Server Click the SNMP trap destination server IP address and port hyperlink in the list of SNMP trap desitnation servers. Make the necessary changes. Click OK to save the changes. Delete SNMP Trap Destination Server Click the Delete hyperlink for the SNMP trap destination server to delete the server. Once deleted from the list, the events will not be sent to this server. Copy SNMP Settings to Another Server You can copy the SNMP settings from one server to another server when both servers are part of the same server cluster. You can copy SNMP settings from child server to child server, parent server to child server, or child server to parent server. You must be a superuser or an administrator to copy policies from one server to another. To copy SNMP settings, do the following. 1. Go to Configuration>ESM Integration>SNMP on the parent server. 2. Click Copy Policy. The Copy Policies dialog box appears. 3. Select the server from which the SNMP settings are to be copied. 4. Select the server to which the SNMP settings are to be copied. 5. Click OK to copy the SNMP settings, Manage WLAN Integration WLAN Integration AirTight WIPS integrates with the underlying WLAN infrastructure. It supports integration with controller devices from Aruba, Cisco, Meru and HP. You must configure the integration parameters for the appropriate vendor so that AirTight WIPS is able to provide effective wireless intrusion prevention. On successful configuration, AirTight WIPS server fetches data from the configured controllers. This data includes list of managed and unauthorized devices (APs and Clients) and their association and RSSI values detected and maintained by the controllers. To enable integration with HP MSM and provide the parameters for integration with HP MSM controller, see Manage Integration with HP MSM Controller. To configure the parameters for integration with Cisco WLC, see Manage Integration with Cisco WLC. To configure the parameters for integration with Aruba Mobility Controllers, see Manage Integration with Aruba Mobility Controllers To configure the parameters for integration with Meru, see Manage Integration with Meru Manage Integration with Aruba Mobility Controllers You can configure AirTight Management Console to integrate with Aruba Mobility Controllers to fetch wireless device details and RSSI information from the Aruba Mobility Controllers and help to manage the WLAN infrastructure. This is done using the Configuration>WIPS>WLAN Integration>Aruba option.

$AirTight Management Console Configuration 143 The Aruba WLAN architecture consists of Aruba Mobility Controllers and APs. At any time, the Aruba Mobility Controller has all the information about the APs and devices seen/associated with these APs. Integration with Aruba allows the system to fetch this information from Aruba Mobility Controller. Using this information the system can automatically classify devices managed by Aruba Mobility Controllers, and do location tracking of devices seen by Aruba APs in sensor-less or sensor and AP mixed environment. Select Aruba Integration Enabled check box to integrate AirTight Management Console to obtain data from the configured mobility controllers, which are individually enabled. When you select the Aruba Integration Enabled check box, you can configure Automatic Synchronization Settings. The system disables a mobility controller, by default. However, automatically enables Aruba integration when you add a new Aruba Mobility Controller. Current Status displays the current status of the Aruba - Running, In Process or Stopped. An Error status is shown in one of the following cases. • One of the configured and enabled Aruba Mobility Controllers has a hostname, which cannot be resolved. • One of the configured and enabled Aruba Mobility Controllers is not reachable. • System server is stopped. • Internal error, in which case you need to contact Technical Support. The Imported APs percentage indicates total number of APs imported from enabled Aruba mobility controllers as a fraction of maximum allowed. The maximum allowed depends on type of appliance. The status displayed is as of the last synchronization event. It is recommended that the utilization remains below 80%. If the utilization exceeds 80%,the system performance may degrade and result in side effects such as sluggish UI and sensor disconnections. Under Automatic Synchronization Settings, select the System-Aruba Mobility Controller Synchronization Interval. Synchronization Interval (Minutes)specifies the interval for which the server synchronizes with the enabled Aruba mobility controllers. (Minimum: 15 minutes; Maximum: 60 minutes; Default: 30 minutes) Click Restore Defaults to restore the default values for the fields on the Aruba Integration dialog. Add Aruba Mobility Controller You can add one or more Aruba Mobility Controllers. AirTight WIPS communicates with these controllers and fetches wireless device details from them. To add an Aruba Mobility Controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>Aruba. 2. Select the location for which you want to add an Aruba Mobility Controller. 3. Click Add Controller. Enter the details as described in the table below. Field Description Controller (IP Address/Hostname) IP address or hostname of the Aruba Mobility Controller with which AirTight WIPS communicates. Port Number Port number of the Aruba Mobility Controller from which data is imported.$

AirTight Management Console User Guide 144 SNMP Version SNMP version. Select SNMPv2 if the v2 is the SNMP version. Select SNMPv3 if the v3 is the SNMP version. Community String User-defined community string using which AirTight WIPS communicates with Aruba Mobility Controller. Default value is 'public'. Data Import Enabled? Select the check box to enable import of data from Aruba Mobility Controller. Import Managed APs Select this check box to import managed APs from Aruba Mobility Controller. Import Managed Clients Select this check box to import clients associated with APs managed by Aruba Mobility Controller. Import Managed Client Associations Select this check box to import information related to AP-client association for APs managed by the Aruba Mobility Controller. Import Unmanaged APs Select this check box to import APs not managed by the Aruba Mobility Controller. Import Unmanaged Clients Select this check box to import clients associated with APs not managed by Aruba Mobility Controller. Import Unmanaged Client Associations Select this check box to import information related to AP-client association for APs not managed by the Aruba Mobility Controller. Import Signal Strength Information Select this check box to import APs not managed by the Aruba Mobility Controller. Note: Location Tracking results may vary depending on the Aruba AP models used in the network. 4. Click Save to save the changes. Edit Aruba Mobility Controller settings You can edit Aruba mobility Controller settings. To edit Aruba Mobility Controller settings, do the following. 1. Go to Configuration>WIPS>WLAN Integration>Aruba. 2. Select the location for which you want to edit the Aruba Mobility Controller. 3. Select the check box for the Aruba Mobility Controller to edit. 4. Click the edit icon. 5. Make the required changes. 6. Click Save to save the changes. Delete Aruba Mobility Controller You can delete the details of an Aruba Mobility Controller. Once deleted, AirTight WIPS will not retrieve any details from this Aruba Mobility Controller. To delete Aruba Mobility Controller details, do the following. 1. Go to Configuration>WIPS>WLAN Integration>Aruba. 2. Select the location for which you want to delete the Aruba Mobility Controller list. 3. Select the check box for the Aruba Mobility Controller to delete. 4. Click the delete icon to delete details of the Aruba mobility controller.

AirTight Management Console Configuration 145 Print Aruba Mobility Controller List for Location You can print a list of Aruba Mobility Controllers for a location. To print a list of Aruba Mobility Controllers, do the following. 5. Go to Configuration>WIPS>WLAN Integration>Aruba. 6. Select the location for which you want to print the Aruba Mobility Controller list. 7. Click the print icon to print the list of Aruba Mobility Controllers. A print preview appears. 8. Click Print to print the list. Configure Integration with HP MSM Controller The HP MSM Controller manages a collection of thin APs. Configure integration with HP MSM Controller using the Configuration>WIPS>WLAN Integration>HP MSM Controller option. The HP MSM architecture consists of MSM Controllers and the APs that are managed by these controllers. Integration with HP MSM Controller allows the AirTight WIPS server to fetch information about Synchronized APs. Using this information, the AirTight WIPS server automatically classifies these devices. Select the HP MSM Integration Enabled check box to enable integration for all configured controllers. Enabling the MSM Controller integration allows the system to obtain data from the configured controllers. Enabling / Disabling individual controllers is also possible. The Current Status displays Running if integration is enabled, and it displays Stopped if controller integration is switched off. The Status for each individual controller displays Error if • One of the configured and enabled MSM Controllers has a hostname which cannot be resolved • One of the configured and enabled MSM Controllers is not reachable • System server is stopped • Internal error (Contact Technical Support) Configure Automatic Synchronization Settings Under Automatic Synchronization Settings, select the Synchronization Interval. The Synchronization Interval specifies the interval after which the server synchronizes with the HP MSM Controller. The default value is 15 minutes. A maximum value that can be specified here is 60 minutes. Manage Client Certificate When the MSM Controller is configured to communicate with client programs using Secure HTTP and Client Authentication, a client certificate is uploaded into the MSM Controller’s Trusted CA Certificate Store. Click Download Client Certificate to download a pre-generated client certificate for AirTight Management Console. Note: To customize the client certificate refer to the CLI commands: get msmcontroller cert, get msmcontroller certreq, and set msmcontroller cert as described in Config Shell Commands in the Installation guide. Add HP MSM Controller You can add multiple HP MSM controllers to integrate with AirTight WIPS. To add a HP MSM controller, do the following.

AirTight Management Console User Guide 146 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 1 Select the location for which you want to add a HP MSM Controller. 2. Click Add Controller. The MSM Controller dialog box appears. 3. Configure the fields in the MSM Controller dialog box as described in the table below. Field Description Controller Name Controller Name or IP address of the HP MSM Controller with which AirTight WIPS communicates. Port Number Port number of the HP MSM Controller from which data is imported. Authentication Type of authentication for MSM Controller. Select the Secure HTTP (SSL/TLS) option if the MSM Controller is configured to use HTTPS for authentication. Select the HTTP Authentication if HP MSM Controller requires HTTP authentication. Username User name for HP MSM Controller HTTP authentication. This field appears only when authentication is selected. Password Password for HP MSM Controller HTTP authentication. This field appears only when authentication is selected. Using Client Certificate Select this check box if client certificate is used. This field is valid only if secure HTTP authentication is selected. Note: If the MSM Controller is setup to use client authentication, ensure that the AirTight WIPS client certificate is uploaded into the HP MSM Controller's trusted CA certificate store. Data import enabled Select this check box to enable the import of data from HP MSM controller. 4. Click Save to save the details for the new HP MSM Controller. Check Connectivity with HP MSM Controller Once you have added the details for HP MSM Controllers, you can test connectivity of AirTight WIPS with each of these Controllers. Apart from this, you can check this connectivity at any time. To test connectivity with an HP MSM controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 2. Select the location for which you have added HP MSM Controller and want to test the connectivity. 3. Select the check box for the Controller for which you want to test the connectivity. 4. Click the Test Connectivity icon. The System will return Pass status if the HP MSM Controller has been correctly configured. The System will return Fail status if the HP MSM Controller has been not been correctly configured. Edit HP MSM Controller To edit a HP MSM controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 2. Select the location for which you want to edit the HP MSM Controller details. 3. Select the check box for the Controller to edit. 4. Click the edit icon in the toolbar. The MSM Controller dialog box appears. 5. Change the fields in the MSM Controller dialog box as described in the table below. Field Description Controller Name Controller Name or IP address of the HP MSM Controller with

AirTight Management Console Configuration 147 which AirTight WIPS communicates. Port Number Port number of the HP MSM Controller from which data is imported. Authentication Type of authentication for MSM Controller. Select the Secure HTTP (SSL/TLS) option if the MSM Controller is configured to use HTTPS for authentication. Select the HTTP Authentication if HP MSM Controller requires HTTP authentication. Username User name for HP MSM Controller HTTP authentication. This field appears only when authentication is selected. Password Password for HP MSM Controller HTTP authentication. This field appears only when authentication is selected. Using Client Certificate Select this check box if client certificate is used. This field is valid only if secure HTTP authentication is selected. Note: If the MSM Controller is setup to use client authentication, ensure that the AirTight WIPS client certificate is uploaded into the HP MSM Controller's trusted CA certificate store. Data import enabled Select this check box to enable the import of data from HP MSM controller. 6. Click Save to save the changes. Print HP MSM Controller List for Location You can print a list of HP MSM Controllers for a location. 1. To print the HP MSM controller, do the following. 2. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 3. Select the location for which you want to print the list of HP MSM controllers. 4. Click the print icon in the toolbar. The print preview of the list of HP MSM controllers appears. 5. Click Print to print the list of HP MSM Controllers for the selected location. Delete HP MSM Controller To delete the HP MSM controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 2. Select the location for which you want to delete the list of HP MSM controllers. 3. Select the check box for the HP MSM Controller you want to delete. 4. Click the delete icon in the toolbar. A message asking to confirm deletion appears. 5. Click Yes to confirm deletion. Enable Integration with HP MSM Controllers To enable an HP MSM Controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 2. Select the location for which you want to enable integration with HP MSM Controllers. 3. Select the HP MSM Integration Enabled check box to enable integration with HP MSM Controllers. 4. Click Save to save the changes.

$AirTight Management Console User Guide 148 Disable Integration with HP MSM Controllers To disable integration with HP MSM Controller, do the following. 1. Go to Configuration>WIPS>WLAN Integration>HP MSM Controller. 2. Select the location for which you want to disable integration with the HP MSM Controllers. 3. Select the HP MSM Integration Enabled check box to enable integration with HP MSM Controllers. 4. Click Save to save the changes. Manage Integration with Cisco WLC Configure integration with Cisco wireless LAN Controller (WLC) using the Configuration>WIPS>WLAN Integration>Cisco WLC Integration option. The WLC governs a collection of thin AP. LWAPP defines the network protocol between the APs and WLC. The advantages of this solution are as follows. • Increased scalability • Simplified, centralized management • Zero-touch AP deployment and configuration • Network-wide monitoring The Cisco Unified WLAN architecture consists of Wireless LAN Controllers (WLC) and APs. The APs are managed using Light Weight Access Point Protocol (LWAPP). At any time, the WLC has all the information about the APs and devices seen or associated with these APs. Integration with Cisco WLC allows the system to fetch this information from WLC. Using this information the system can automatically classify devices managed by WLC and do location tracking of devices seen by LWAPP APs in sensor-less or sensor and AP mixed environment. Important!: Currently, the system supports the following managed APs: Cisco Aironet 1000 Series, Cisco Aironet 1100 Series, Cisco Aironet 1130 Series, Cisco Aironet 1140 Series, Cisco Aironet 1200 Series, Cisco Aironet 1230 AG Series, Cisco Aironet 1240 AG Series, Cisco Aironet 1250 Series, and Cisco Aironet 1300 Series. The system supports WLC version 4.2.x to 8.0. Select the WLC Integration enabled check box to enable AirTight Management Console to obtain data from the configured WLCs, which are individually enabled. If you select WLC Integration Enabled check box, you can configure Automatic Synchronization Settings. AirTight WIPS disables WLC by default. However, automatically enables WLC Integration when you add a new WLC. Current Status displays the Current Status of the WLC that is whether it is Running or Stopped. An Error status is shown in one of the following cases. • One of the configured and enabled WLCs has a hostname, which cannot be resolved. • One of the configured and enabled WLCs is not reachable. • System server is stopped. • Internal error, in which case you need to contact Technical Support. The Imported APs percentage indicates total number of APs imported from WLC(s) as a fraction of maximum allowed. The maximum allowed depends on type of appliance. The status displayed is as of the last synchronization event. It is recommended that the utilization remains below 80%. If the utilization$