Mojo Networks C-65 Access Point / Sensor User Manual: AirTight Management Console User's Guide
AirTight Networks, Inc. Access Point / Sensor AirTight Management Console User's Guide
AirTight Management Console
Version 7.1 Update 5
END USER LICENSE AGREEMENT
Please read the End User License Agreement before installing AirTight Management Console/AirTight
Wi-Fi/AirTight WIPS. The End User License Agreement is available at the following location
http://www.airtightnetworks.com/fileadmin/pdf/AirTight-EULA.pdf.
Installing AirTight Management Console/AirTight Wi-Fi/AirTight WIPS constitutes your acceptance of the
terms and conditions of the End User License Agreement.
DISCLAIMER
THE INFORMATION IN THIS GUIDE IS SUBJECT TO CHANGE WITHOUT ANY PRIOR NOTICE.
AIRTIGHT® NETWORKS, INC. IS NOT LIABLE FOR ANY SPECIAL, INCIDENTAL, INDIRECT, OR
CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR
LOSS OF BUSINESS PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION,
OR ANY OTHER PECUNIARY LOSS) ARISING OUT OF THE USE OF OR INABILITY TO USE THIS
PRODUCT.
THIS PRODUCT HAS THE CAPABILITY TO BLOCK WIRELESS TRANSMISSIONS FOR THE
PURPOSE OF PROTECTING YOUR NETWORK FROM MALICIOUS WIRELESS ACTIVITY. BASED
ON THE POLICY SETTINGS, YOU HAVE THE ABILITY TO SELECT WHICH WIRELESS
TRANSMISSIONS ARE BLOCKED AND, THEREFORE, THE CAPABILITY TO BLOCK AN EXTERNAL
WIRELESS TRANSMISSION. IF IMPROPERLY USED, YOUR USAGE OF THIS PRODUCT MAY
VIOLATE US FCC PART 15 AND OTHER LAWS. BUYER ACKNOWLEDGES THE LEGAL
RESTRICTIONS ON USAGE AND UNDERSTANDS AND WILL COMPLY WITH US FCC
RESTRICTIONS AS WELL AS OTHER GOVERNMENT REGULATIONS. AIRTIGHT IS NOT
RESPONSIBLE FOR ANY WIRELESS INTERFERENCE CAUSED BY YOUR USE OF THE PRODUCT.
AIRTIGHT NETWORKS, INC. AND ITS AUTHORIZED RESELLERS OR DISTRIBUTORS WILL
ASSUME NO LIABILITY FOR ANY DAMAGE OR VIOLATION OF GOVERNMENT REGULATIONS
ARISING FROM YOUR USAGE OF THE PRODUCT, EXCEPT AS EXPRESSLY DEFINED IN THE
INDEMNITY SECTION OF THIS DOCUMENT.
LIMITATION OF LIABILITY
AirTight Networks will not be liable to customer or any other party for any indirect, incidental, special,
consequential, exemplary, or reliance damages arising out of or related to the use of AirTight Wi-Fi,
AirTight WIPS, AirTight Cloud Services, and AirTight devices under any legal theory, including but not
limited to lost profits, lost data, or business interruption, even if AirTight Networks knows of or should
have known of the possibility of such damages. Regardless of the cause of action or the form of action,
the total cumulative liability of AirTight Networks for actual damages arising out of or related to the use of
AirTight Wi-Fi, AirTight WIPS, AirTight Cloud Services or AirTight devices will not exceed the respective
price paid for AirTight Wi-Fi, AirTight WIPS, AirTight Cloud Services, or AirTight devices.
Copyright © 2013-2015 AirTight® Networks, Inc. All Rights Reserved.
Powered by Marker Packet™, Active Classification™, Live Events™, VLAN Policy Mapping™, Smart
Forensics™, WEPGuard™ and WPAGuard™. AirTight Networks and the AirTight Networks logo are
trademarks and AirTight is a registered trademark of AirTight Networks, Inc.
This product contains components from Open Source software. These components are governed by the
terms and conditions of the GNU General Public License. To read these terms and conditions visit
http://www.gnu.org/copyleft/gpl.html.
Protected by one or more of U.S. patent Nos. 7,002,943; 7,154,874; 7,216,365; 7,333,800; 7,333,481;
7,339,914; 7,406,320; 7,440,434; 7,447,184; 7,496,094; 7,536,723; 7,558,253; 7,710,933; 7,751,393;
7,764,648; 7,804,808; 7,856,209; 7,856,656; 7,970,894; 7,971,253; 8,032,939; and international patents:
AU 200429804; GB 2410154; JP 4639195; DE 60 2004 038 621.9; and GB/NL/FR/SE 1976227. More
patents pending. For more information on patents, please visit: www.airtightnetworks.com/patents
Table of Contents
About This Guide
  Intended Audience
  Product and Documentation Updates
  Contact Information
Introduction
AirTight Management Console Configuration
  Configure Language Setting
    Set System Language
    Set SSID encoding
    Copy Language Setting to Another Server
  Configure Time Zone and Tag for Location
    Set Time Zone
    Edit Time Zone
    Set Location Tag
  User Management
    Configure Password Policy
    Configure Account Suspension Setting
    Configure Login Parameters
  User Authentication
    Configure LDAP Server Parameters
    Configure RADIUS Parameters
    Configure Parameters for Certificate-based Authentication
  Wireless Intrusion Prevention System
    Manage Authorized WLAN Policy
    Configure AP Auto-classification Policy
    Configure Client Auto-classification Policy
    Intrusion Prevention
    Activate Intrusion Prevention for Location
    Import Device List
    Manage Banned Device List
    Manage Hotspot SSIDs
    Manage Vulnerable SSIDs
    Manage Smart Device Types
  Manage WiFi Access
    Manage SSID Profiles
    Manage Mesh Profiles
  Configure Event Notification
    Activate Event Generation for Location
    Configure Email Recipients
  Configure Device - Server Communication Settings
    Use Key for Device - Server Communication
    Use Passphrase for Device - Server Communication
    Reset Communication Key
  Manage Policy Templates
    Add Policy Template
    Edit Policy Template
    Search Policy Template
    Copy Policy Template to Another Location
    Save Policy Template with a Different Name
    Print Policy Template List
    Delete Policy Template
  Manage Authorized WLAN Policy
    Configure Authorized WLAN Policy
    Edit Authorized WLAN Policy
  View High Availability Status for Server
  View/Upgrade License Details
  Manage Look and Feel of Reports
    Customize Report Header Text
    Customize Summary Table
    Customize Section Results
    Restore Default Look and Feel Settings
    Copy Reports Look and Feel Settings to Another Server
  Configure NTP
    Check Time Drift between AirTight server and NTP server
    Synchronize AirTight Server Time with NTP Server
    Disable NTP
  Configure RF Propagation Settings
    Restore RF Propagation Defaults
    Copy RF Propagation Setting to Another Server
  Configure Live RF View Setting
    Restore Default Live RF View Settings
    Copy Live RF View Setting to Another Server
  Configure Location Tracking
    Restore Location Tracking Configuration Defaults
    Copy Location Tracking Configuration to Another Server
  Manage Auto Location Tagging
    Restore Auto Location Tagging Defaults
    Copy Auto Location Tagging Settings to Another Server
  Set up and Manage Server Cluster
    Benefits of Server Cluster
    Create and Manage Server Cluster
    Manage Child Servers from Parent Server in Server Cluster
  Manage Vendor OUIs
    Add Vendor or MAC Prefix
    Delete Vendor or MAC Prefix
  Manage Device Template
    Customize Policy/Device Template for Location
    Revert to Inherited Device Template
    Add Device Template
    Edit Device Template
    Search Device Template
    Copy Device Template
    Print Device Template List for Location
    Delete Device Template
  Configure SMTP Settings
    Restore SMTP Configuration Defaults
    Test SMTP Settings
    Copy SMTP Configuration to Another Server
  View System Status
    Start/Stop Server
  Upgrade Server
  Configure Auto Deletion Settings
    Copy Auto Deletion Settings to Another Server
  Manage Audit Log Settings
    Set Duration for Audit Log Download
    Download Audit Logs
    Restore Default User Action Log Download Settings
    Copy Audit Log Settings to Another Server
  Configure Integration with Enterprise Security Management Servers
    Syslog Integration
    Arcsight Integration
    SNMP Integration
  Manage WLAN Integration
    WLAN Integration
    Manage Integration with Aruba Mobility Controllers
    Configure Integration with HP MSM Controller
    Manage Integration with Cisco WLC
    Manage Integration with Meru
  Manage AirTight Mobile Clients
    AirTight Mobile Settings
    Manage AirTight Mobile Clients
    Add AirTight Mobile Group Manually
    Edit AirTight Mobile Group
    Attach Policy to AirTight Mobile Group
    Overwrite Existing Policy for AirTight Mobile Group
    Detach Policy from AirTight Mobile Group
    View AirTight Mobile Group Policy in HTML Format
    View AirTight Mobile Group Policy in XML Format
    Activate Automatic Client Grouping
    Apply Default Policy to New Groups
    Print List of AirTight Mobile Groups for Location
    Delete AirTight Mobile Group
Dashboard
  Add a page to dashboard
  Delete a page from dashboard
  Print dashboard page
  WIPS Widgets
  Network Widgets
  Client Widgets
  Access Point Widgets
Devices
  AirTight Devices
    Device Properties
    View Visible LANs
    View Visible APs
    View Visible Clients
    View Active APs
    View Active Clients
    View AirTight Device Events
    View Channel Occupancy
    View Interference
    View Mesh Network Links
    Search AirTight Devices
    Sort AirTight Devices
    Change Location
    Print AirTight Device Information for Location
    Reboot Device
    Troubleshoot Device
    Upgrade or Repair Device
    Enable Pagination for AirTight Device Listing and Set Page Size
    Disable Pagination for AirTight Device Listing
    Add Custom Filter
    Edit Custom Filter
    Delete Custom Filter
    Delete Device
  Monitor Clients
    View Client Properties
    View Recently Associated APs/Ad hoc networks
    View Events related to Client
    View Client Retransmission Rate Trend
    View Devices Seeing Client
    View Client Average Data Rate
    View Client Traffic
    Change Client Location
    Quarantine Client
    Disable Auto Quarantine/Exclude Device from Intrusion Prevention Policy
    Add to banned list
    Classify / Declassify as Smart Device
    Change Client Category
    Reset Data Transmitted by Client
    Locate Client
    View Recently Probed SSIDs
    Troubleshoot Client
    Debug Client Connection Problems
    Download Connection Log
    Delete Connection Log History
    Enable Pagination for Client Listing and Set Page Size
    Disable Pagination for Client Listing
    Add Custom Filter
    Edit Custom Filter
    Delete Custom Filter
    Print Client List for Location
    Delete Client
  Spectrogram
  Monitor Access Points (APs)
    View AP Properties
    View Recently Associated Clients
    View AP Utilization
    View AP Associated Clients
    View AP Traffic
    View AP Average Data Rate
    View Devices Seeing AP
    View AP Events
    Change AP Location
    Locate AP
    Quarantine an AP
    Change AP Category
    Disable Auto Quarantine
    Add to banned list
    Sort APs
Filter AP Details ................................................................................................................................. 204
Search APs ........................................................................................................................................ 204
Enable Pagination for AP Listing and Set Page Size ........................................................................ 204
Disable Pagination for AP Listing ...................................................................................................... 205
Add Custom Filter .............................................................................................................................. 205
Edit Custom Filter .............................................................................................................................. 205
Delete Custom Filter .......................................................................................................................... 206
Print AP List for Location ................................................................................................................... 206
Merge APs ......................................................................................................................................... 206
Split AP .............................................................................................................................................. 207
Troubleshoot AP ................................................................................................................................ 207
Delete AP ........................................................................................................................................... 210
Monitor Networks ................................................................................................................................... 211
Manage Locations and Location Layout ................................................................................................... 215
Define Location Tree ............................................................................................................................. 215
Add Location .......................................................................................................................................... 217
Edit Location .......................................................................................................................................... 217
Move Location ....................................................................................................................................... 218
Delete Location ...................................................................................................................................... 218
Search Locations ................................................................................................................................... 218
Add Layout ............................................................................................................................................ 218
Edit Layout ............................................................................................................................................. 219
Delete Layout ........................................................................................................................................ 220
Show / Hide Location List ...................................................................................................................... 220
Show/Hide Devices on Location Layout ................................................................................................ 220
Place Devices/Locations on Location Layout ........................................................................................ 220
Remove Devices/Locations from Location Layout ................................................................................ 221
View RF Coverage / Heat Maps ............................................................................................................ 221
View AP Coverage ............................................................................................................................. 222
View AP Coverage by RSSI Value .................................................................................................... 222
View Sensor Coverage ...................................................................................................................... 222
View AP Link Speed .......................................................................................................................... 223
View AP Channel Coverage .............................................................................................................. 223
Calibrate RF Views ................................................................................................................................ 223
Zoom in / Zoom out Layout.................................................................................................................... 224
Adjust the Layout Opacity...................................................................................................................... 224
Add Note ................................................................................................................................................ 224
Edit Note ................................................................................................................................................ 225
Move Note ............................................................................................................................................. 225
Hide Notes ............................................................................................................................................. 225
Show Notes ........................................................................................................................................... 225
View Mesh Topology ............................................................................................................................. 226
Hide Mesh Topology .............................................................................................................................. 226
View and Manage Events ......................................................................................................................... 227
View Events for Location ....................................................................................................................... 228
View Deleted Events for Location ......................................................................................................... 228
Change Event Location ......................................................................................................................... 228
Acknowledge Event ............................................................................................................................... 229
Turn on Vulnerability Status for Event ................................................................................................... 229
Turn off Vulnerability Status for Event ................................................................................................... 229
Mark Event as Read .............................................................................................................................. 229
Mark Event for Deletion ......................................................................................................................... 229
Enable Pagination for Event Listing and Set Page Size ....................................................................... 230
Disable Pagination for Event Listing ...................................................................................................... 230
Add Custom Filter .................................................................................................................................. 230
Edit Custom Filter .................................................................................................................................. 231
Delete Custom Filter .............................................................................................................................. 231
Print Event List for Location................................................................................................................... 231
Forensics ................................................................................................................................................... 233
View AP based /Client based Threat Details......................................................................................... 233
View Event Summary......................................................................................................................... 234
View Participating Devices and Quarantine Status ........................................................................... 234
Locate Participating Device ............................................................................................................... 235
View Administration Action Logs for Event ........................................................................................ 236
Acknowledge Event ........................................................................................................................... 236
Change Location of the Event ........................................................................................................... 236
Turn Vulnerability On/Off ................................................................................................................... 237
Print Event List for Location ............................................................................................................... 237
Mark Event for Deletion ..................................................................................................................... 237
Mark Event as Read .......................................................................................................................... 237
Show/Hide Deleted Events ................................................................................................................ 238
Reports ...................................................................................................................................................... 239
Analytics ................................................................................................................................................ 248
Manage Report Archive ......................................................................................................................... 250
Fetch Archived Report ....................................................................................................................... 251
Rename Archived Report .................................................................................................................. 251
Print Archived Report List for Location .............................................................................................. 251
Delete Archived Report ...................................................................................................................... 251
Schedule Report Generation ................................................................................................................. 251
Send report by e-mail......................................................................................................................... 255
Archive report ..................................................................................................................................... 255
View Report Schedules ......................................................................................................................... 255
Glossary of Icons ...................................................................................................................................... 257
About This Guide
The AirTight Management Console User Guide explains how to configure and manage the AirTight
Management Console.
Important! Please read the EULA before installing AirTight WIPS or AirTight Wi-Fi. Installing AirTight
WIPS or AirTight Wi-Fi constitutes your acceptance of the terms and conditions of the EULA mentioned
above in this document.
Intended Audience
This guide is intended for anyone who wants to configure and use AirTight WIPS or AirTight Wi-Fi or use
AirTight Cloud Services.
Product and Documentation Updates
To receive important news on product updates, please visit our website at
http://www.airtightnetworks.com.
We continuously enhance our product documentation based on customer feedback. To obtain a latest
copy of this document, visit http://www.airtightnetworks.com/home/support.html.
Contact Information
AirTight® Networks, Inc.
339 N, Bernardo Avenue, Suite #200,
Mountain View, CA 94043
Tel: (650) 961-1111
Fax: (650) 963-3388
For technical support, send an email to support@airtightnetworks.com
Introduction
AirTight Management Console is an HTML5-based user interface through which you can configure and
monitor the AirTight WIPS and/or AirTight Wi-Fi server and access the AirTight Cloud Services.
HTML 5 makes AirTight Management Console compatible with most browsers and operating systems.
AirTight Management Console is intuitive and easy to use. It can be configured with ease to suit your
WIPS and/or Wi-Fi needs.
The Console is divided into 7 sections - Dashboard, Locations, Devices, Events, Forensics,
Configuration, and Reports.
AirTight Management Console can be configured from the Configuration section. You can define and
manage users, configure and manage WIPS settings, Wi-Fi access settings, integration settings for
WLAN, integration settings for enterprise security management servers, etc. from the Configuration section.
The Dashboard section provides a graphical view of the WIPS and/or Wi-Fi implementation. It offers you
the flexibility to choose from a good number of graphs related to the access points, clients on your
wireless network, as well as the networks detected by WIPS sensors. Details of wireless threats to the
network can be seen on the WIPS widgets.
Apart from the pie chart or bar graph representation, the widget data can be viewed as a tabular
representation by clicking the icon present on the top of widgets. You can alternate between tabular
view and pie chart/bar graph view. This means that if you are in the pie/graph view, you will see the
icon. If you are in the table view, you will see the or icon, depending on whether the alternate
view is represented as a pie chart or bar graph.
The widget data is presented in the last-viewed format when you log in to AirTight Management Console
the next time.
AirTight Management Console facilitates the creation of locations. These locations could be various
buildings in your campus or the different floors or levels in your office space. You can create and manage
your retail or office locations using the Locations section. You can attach a layout to each floor in the
office space. You can then define WIPS / Wi-Fi policies specific to these locations.
All APs, AirTight devices, sensors, smart devices are seen under the Devices section. Apart from the
actual devices, the devices section also displays a list of networks detected by the WIPS sensors.
The Events section displays the events detected by the WIPS implementation.
The Forensics section lists AP-based threats and client-based threats in a user friendly format. You can
drill down into the wireless threats using the forensics section.
The Reports section facilitates generation of various built-in and custom reports. These reports comprise
various compliance reports and reports related to devices in the network and events occurring in the
network. You can schedule reports and generate analytics data using the Reports section.
Following are the salient features of the AirTight Management Console.
• Intuitive, portable and easy-to-use HTML5 UI
HTML5 makes AirTight Management Console compatible with most browsers and operating
systems. It can be operated using tablets and other smart devices as well. The interface is intuitive
and can be used and configured without much effort.
• Fully user-customizable dashboards and screens
The dashboard offers you the flexibility to choose from a good number of graphs displaying access
point, client, network, and WIPS statistics.
Graphs are seen in widgets. You can have multiple dashboards on the console. Each dashboard
can have multiple widgets based on your requirement, with widget repetition allowed.
The widget classification is very intuitive. The widgets are classified as network widgets, access
point widgets, client widgets and WIPS widgets.
In all other sections of the UI, you can filter the information or columns visible in the respective
section, based on your requirement.
You also have the option to view information in various text and graphical format in some of the
sections. For example, the Forensics section displays information in text and pie chart formats. In
the Reports section, you can customize the reports as required. Standard compliance reports are
also available.
You can customize filters on device and event listings under Devices and Events respectively.
You can add, edit and delete custom filters on device and event listings. You can define multiple
filters on devices and events listings and save them. These will be retained until you delete them.
When you apply a filter to device or event listing during a login session, the filtered list is retained
till the end of the session.
• Innovative drill down with navigation trail on any event, chart or device
AirTight Management Console provides a unique feature with which you can delve deeper or drill
down to events or devices from any section of the console where they are visible. The devices and
events are seen as links across AirTight Management Console. You can click on the link to view
the details of the respective event or device and the related devices or events. You can also take
the required actions if you have the privilege to take those actions. Thus, you can hop across
different sections by clicking the links for devices and events. When you navigate across pages in
this way, a navigation trail is displayed at the top of the currently viewed page or screen. This is
extremely useful for you to understand the path you have taken to drill down to the desired page.
The navigation trail also makes it convenient for you to navigate back to one of the screens or
pages in the navigation trail.
See the image below for a sample drill down with a navigation trail.
• Rich visualization of heat maps
You can view radio frequency heat maps in various views. The AP coverage view is useful to find
out the available signal strength at each point. The sensor coverage view enables you to view the
detection and prevention zones of visibility for selected sensors. The color-coding scheme used
enhances the readability of the heat maps.
• Hierarchical management architecture ideal for geographically distributed sites
AirTight Management Console provides for hierarchical management of geographically distributed
sites. You can create a hierarchy of locations or a location tree. Each location folder could
represent a country and a child location folder could represent a state. These location folders could
then have city locations as child location folders. One or more buildings in the city office campus
can be represented as child location folders under the respective city location folders. Individual
floors or levels in the office space can be represented by location floors under the location folders
that represent buildings.
You can then define Wi-Fi/WIPS policies specific to each location. You can apply a common policy
to the location folders. These policies are automatically inherited by the child locations. This makes
management of related locations easy and convenient at the click of a button.
• Role-based administration and extensible configuration framework
The administration and operation of the Wi-Fi or WIPS solution through AirTight Management
Console is role-based. A user has restricted access to one or more locations that he is associated
with. He is able to view information and configure the console related to these locations only.
Information from other locations is not visible to him. A user is able to perform operations based
on his role. AirTight Management Console provides four distinct user roles: superuser,
administrator, operator and viewer.
• Configuration Wizard
When a user logs in to AirTight Management Console, and navigates to Dashboard or Events for
the first time, a configuration wizard guides the user on how to use these functionalities. The
wizard is functional only during the first time view.
AirTight Management Console Configuration
AirTight Management Console needs to be configured appropriately for use, before it can start monitoring
and/or protecting the network. Click Configuration to view the various options to configure in AirTight
Management Console.
The Configuration page displays various categories - Device Configuration, WIPS, User Accounts,
Events and System Settings, AirTight Mobile, ESM Integration.
Device Configuration: Configure and manage the SSID profiles using Device Configuration>SSID
Profiles. The SSID profiles can then be attached to the device templates.
Configure and manage the device templates using Device Configuration>Device Template. These
device templates can then be applied to various devices.
WIPS: Configure and manage the wireless intrusion prevention parameters using WIPS.
User Accounts: User management, password management, LDAP and RADIUS configuration, certificate
configuration, and account suspension management are done using User Accounts.
Events: Configure and manage event related settings, e-mail notification on occurrence of certain critical
events using Events.
System Settings: Configure and manage AirTight server-related settings using System Settings.
AirTight Mobile: Configure AirTight Mobile integration settings using AirTight Mobile.
ESM Integration: Configure settings for integration with Enterprise Security Management software using
ESM Integration. AirTight Management Console integrates with SNMP, Syslog and Arcsight.
Configure Language Setting
Define the system language and the SSID encoding using the Configuration>Language Setting option.
This setting is used to set the language for email communication, Syslog messages etc.
You can copy language setting from one server to another when the servers are part of the same server
cluster.
Set System Language
The system language is the default language that the system will use to communicate via emails, syslog
messages etc. If you want to use a language other than English as the system language for AirTight
Management Console, the language of your choice should be defined under Language Setting. The
default value for System Language Preference is English.
Set SSID encoding
Parameters like SSID, when configured on the AP using page encoding (either non-English native
window or using a language pack), appear garbled if the page encoding does not match the encoding
selected here.
Select the appropriate SSID encoding commonly used in your region, in order to correctly see the local
language SSIDs in the system.
The default value for SSID encoding is UTF-8. To select a different SSID encoding, do the following.
1. Go to Configuration>System Settings>Language Setting.
2. Under SSID Encoding, select the required SSID encoding.
3. Click Save to save the new SSID encoding.
Copy Language Setting to Another Server
You can copy the language setting from one server to another server when both servers are part of the
same server cluster. You can copy language setting from child server to child server, parent server to
child server, or child server to parent server. You must be a superuser or an administrator to copy policies
from one server to another.
To copy language settings, do the following.
1. Go to Configuration>System Settings>Language Setting on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the language setting is to be copied.
4. Select the server to which the language setting is to be copied.
5. Click OK to copy the language setting.
Configure Time Zone and Tag for Location
Set the appropriate time zone for the selected location using the Configuration>System
Settings>Location Specific Attributes page. The time zone settings are specific to individual locations
and cannot be inherited from the parent location. You need administrator privileges to configure the
location time zone for a location.
The time zone settings help in accurate analytics. Make sure to select the correct time zone for the
selected location.
Note that you cannot set a time zone for a location floor because a location floor represents a floor
location in the organization premises. The time zone set for the immediate parent location folder of a
location floor applies to the location floor.
In case you do not set the time zone for a location folder, the analytics data will show the server time
zone in the fields where local time zone is shown.
Set Time Zone
To set the time zone for a location, do the following.
1. Go to Configuration>System Settings>Location Specific Attributes.
2. Select the location for which you want to set the time zone.
3. Select the time zone.
4. Click Save to save the new time zone. Alternatively, if you want to cancel the operation, click Cancel.
Edit Time Zone
To edit the time zone for a location, do the following.
1. Go to Configuration>System Settings>Location Specific Attributes.
2. Select the location for which you want to edit the time zone.
3. Select the new time zone.
4. Click Save to save the new time zone. The changed time zone is applied recursively to all the child
location folders.
Set Location Tag
A location tag is the location identifier that could be appended to the circuit ID when DHCP Option 82 is
enabled for an SSID profile configured for this location.
If '%l' is used in the circuit ID, the AP replaces it with the location tag.
To set the location tag for a location, do the following.
1. Go to Configuration>System Settings>Location Specific Attributes.
2. Select the location for which you want to set the location tag.
3. Enter the location tag.
4. Click Save to save the changes.
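The time zone and location tag rules above can be read as a small resolution algorithm over the location tree. The following is an added example, not AirTight's own code: it models a location tree in which floors take the time zone of their immediate parent folder, an unset folder falls back to the server time zone, an edited time zone is pushed down recursively, and '%l' in a DHCP Option 82 circuit ID is replaced by the location tag. The class and function names, the server time zone value and the sample tree are constructed for illustration.

```python
"""Added example (not AirTight's code): resolving the effective time zone of a
location and expanding '%l' in a circuit ID, following the rules in the guide."""
from dataclasses import dataclass, field
from typing import List, Optional

SERVER_TIME_ZONE = "UTC"  # constructed stand-in for the server's own time zone


@dataclass
class Location:
    name: str
    kind: str                          # "folder" or "floor"
    parent: Optional["Location"] = None
    time_zone: Optional[str] = None    # only folders carry their own time zone
    tag: str = ""                      # location tag used for DHCP Option 82
    children: List["Location"] = field(default_factory=list)

    def add(self, child: "Location") -> "Location":
        """Attach a child location and return it, so a tree can be built inline."""
        child.parent = self
        self.children.append(child)
        return child


def effective_time_zone(loc: Location) -> str:
    """A floor uses the time zone of its immediate parent folder; a folder uses
    its own setting or, if none is set, the server time zone (the guide says
    analytics then show the server time zone instead of a local one)."""
    if loc.kind == "floor":
        return effective_time_zone(loc.parent) if loc.parent else SERVER_TIME_ZONE
    return loc.time_zone or SERVER_TIME_ZONE


def set_time_zone(loc: Location, tz: str, recursive: bool = False) -> None:
    """Set a folder's time zone. With recursive=True the new value is applied to
    all child location folders as well, which is what the guide describes for
    Edit Time Zone. Floors are skipped because they never hold a time zone."""
    if loc.kind != "folder":
        raise ValueError("time zone can only be set on a location folder")
    loc.time_zone = tz
    if recursive:
        for child in loc.children:
            if child.kind == "folder":
                set_time_zone(child, tz, recursive=True)


def expand_circuit_id(template: str, loc: Location) -> str:
    """Replace the '%l' placeholder in a circuit ID template with the location tag."""
    return template.replace("%l", loc.tag)


def build_sample_tree() -> dict:
    """Constructed sample: country folder -> city folder -> building folder -> floor."""
    country = Location("US", "folder", time_zone="America/New_York")
    city = country.add(Location("NYC", "folder"))          # no time zone set
    building = city.add(Location("HQ", "folder", tag="HQ-B1"))
    floor = building.add(Location("Floor 2", "floor"))
    return {"country": country, "city": city, "building": building, "floor": floor}


if __name__ == "__main__":
    t = build_sample_tree()
    print(effective_time_zone(t["floor"]))      # server time zone: HQ has none set
    set_time_zone(t["country"], "America/Chicago", recursive=True)
    print(effective_time_zone(t["floor"]))      # now inherited from HQ via the edit
    print(expand_circuit_id("sw01/%l/port3", t["building"]))
```

The example treats Set Time Zone as non-recursive and Edit Time Zone as recursive, as the two procedures in the guide describe; the recursive edit copies the value down rather than linking child folders to the parent, which matches the statement that time zones cannot be inherited from the parent location.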
User Management
There are four types of users in AirTight Wi-Fi/AirTight WIPS. They are Superuser, Administrator,
Operator and Viewer.
You can manage user-related operations through Configuration>User Accounts>Users. You can add,
edit, and delete users. You can search users, and print a list of users defined at a location.
You need administrator privileges to manage users in AirTight Management Console.
The following table details the role-wise rights in AirTight Management Console.
Operations | Superuser | Administrator | Operator | Viewer

User account management:
Set or modify identification and authentication option (Password only, Certificate only, Certificate and Password, Certificate or Password) | Yes | No | No | No
Add and delete users | Yes | No | No | No
View and modify properties of any user (User Management screens) | Yes | No | No | No
Define password strength, account locking policy, maximum concurrent sessions for all users | Yes | No | No | No
View and modify User Preferences (email, password, session timeout) | Yes (self only) | Yes (self only) | Yes (self only) | Yes (self only)

User actions audit:
Download user actions audit log | Yes | No | No | No
Modify user actions audit lifetime | Yes | No | No | No

System settings and operating policies:
Modify system settings and operating policies (all settings under Configuration tab other than User Management, Logs, Login configuration) | Yes | Yes | No | No

Events, devices and locations:
View generated events | Yes | Yes | Yes | Yes
Modify and delete generated events | Yes | Yes | Yes | No
View devices | Yes | Yes | Yes | Yes
Add, delete, and modify devices (APs, Clients, Sensors) | Yes | Yes | Yes | No
View locations | Yes | Yes | Yes | Yes
Add, delete, and modify locations | Yes | Yes | Yes | No
Calibrate location tracking | Yes | Yes | Yes | No

Reports:
Add, delete, modify Shared Report | Yes (all) | Yes (only self created) | Yes (only self created) | No
Generate Shared Report | Yes | Yes | Yes | Yes
Schedule Shared Report | Yes | Yes | Yes | No
Add, delete, modify, generate, schedule My Report | Yes (only self created) | Yes (only self created) | Yes (only self created) | No
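The role matrix is only half of the access model; the Introduction also states that a user sees and acts on only the locations he is associated with, and several rows grant a right only for the user's own objects. The following added example, not AirTight's code, puts both together as a deny-by-default authorization check. The operation names, the user and resource structures, the sample location tree and the rule that access to a location folder also covers its child locations are assumptions made for illustration.

```python
"""Added example (not AirTight's code): deny-by-default authorization that
combines the role matrix, the "self only" rows and the per-user allowed
locations described in the guide."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

ROLES = ("superuser", "administrator", "operator", "viewer")

# Transcribed from the role table: operation -> {role: "yes" | "self"}.
# A role missing from a row has no right at all. "self" means the right is
# limited to objects the user created (or the user's own preferences).
ROLE_MATRIX: Dict[str, Dict[str, str]] = {
    "manage_users":            {"superuser": "yes"},
    "download_audit_log":      {"superuser": "yes"},
    "modify_system_settings":  {"superuser": "yes", "administrator": "yes"},
    "view_events":             {r: "yes" for r in ROLES},
    "modify_events":           {"superuser": "yes", "administrator": "yes", "operator": "yes"},
    "view_devices":            {r: "yes" for r in ROLES},
    "modify_devices":          {"superuser": "yes", "administrator": "yes", "operator": "yes"},
    "modify_locations":        {"superuser": "yes", "administrator": "yes", "operator": "yes"},
    "modify_shared_report":    {"superuser": "yes", "administrator": "self", "operator": "self"},
    "generate_shared_report":  {r: "yes" for r in ROLES},
    "schedule_shared_report":  {"superuser": "yes", "administrator": "yes", "operator": "yes"},
    "modify_my_report":        {"superuser": "self", "administrator": "self", "operator": "self"},
    "modify_user_preferences": {r: "self" for r in ROLES},
}

# Constructed sample location tree as child -> parent (None = root).
LOCATION_PARENT: Dict[str, Optional[str]] = {
    "us": None, "nyc": "us", "hq": "nyc", "floor2": "hq", "eu": None,
}


@dataclass(frozen=True)
class User:
    login: str
    role: str
    allowed_locations: FrozenSet[str]


@dataclass(frozen=True)
class Resource:
    location: Optional[str] = None   # None for global operations (system settings)
    owner: Optional[str] = None      # login of the creator, for "self" rows


def location_visible(user: User, location: str,
                     parents: Dict[str, Optional[str]]) -> bool:
    """Assumption: a location is visible if it or any ancestor is in the user's
    allowed set. Unknown locations end the walk and are treated as not visible."""
    node: Optional[str] = location
    while node is not None:
        if node in user.allowed_locations:
            return True
        node = parents.get(node)
    return False


def authorize(user: User, operation: str, resource: Resource,
              parents: Dict[str, Optional[str]] = LOCATION_PARENT) -> bool:
    """Return True only if the role grants the operation, a "self" grant matches
    the owner, and the resource's location is within the user's allowed set."""
    if user.role not in ROLES:
        return False
    grant = ROLE_MATRIX.get(operation, {}).get(user.role)
    if grant is None:                       # unknown operation or no right
        return False
    if grant == "self" and resource.owner != user.login:
        return False
    if resource.location is not None and not location_visible(user, resource.location, parents):
        return False
    return True


if __name__ == "__main__":
    ops = User("ops1", "operator", frozenset({"hq"}))
    print(authorize(ops, "modify_devices", Resource(location="floor2")))   # True
    print(authorize(ops, "modify_devices", Resource(location="eu")))       # False
    print(authorize(ops, "modify_shared_report", Resource(owner="admin1")))  # False
```

The check is ordered so that the cheapest and most restrictive decisions come first: an unknown role or operation is refused before any location lookup, and an ownership mismatch on a "self" row is refused regardless of location.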
Add User
To add a user, do the following.
1. Go to Configuration>User Accounts>Users.
2. Select the location for which you want to add the user.
3. Click the Add User hyperlink. The Add New User dialog box appears.
The following table describes the fields on the Add New User page.

Field | Description
User Type | Specifies the type of user.
Login ID | Specifies the login id of the user.
Role | Specifies the role assigned to the user. Choose from Viewer, Operator, Administrator and Super User.
First Name | Specifies the first name of the user.
Last Name | Specifies the last name of the user.
Password | Specifies the password of the user. Password should be a combination of letters, numerals and special characters.
Confirm Password | Specifies the same password as typed in the password field to confirm the password.
Email | Specifies the e-mail id of the user.
Allowed Locations | Specifies the locations for which the user can operate. Click the Change hyperlink to modify the list of allowed locations. A user can operate on one or more locations. For instance, an administrator user could have rights to multiple locations.
Password Expiry | Specifies if the password expires or does not expire. By default, the password never expires. Click the Change hyperlink to set an expiry for the password.
Password Expiry Duration | Specifies the duration in days from the time of change of the password after which the password expires.
Password Expiry Warning | Specifies the time in days before the password expiry to prompt the user to change the password.
Session Timeout | Specifies the idle time interval after which the user's User Interface (UI) session should be timed out. Two options are available. Select Never Expires if you don't want the session to time out. Select Expires After and specify the time in minutes (between 10 and 120 minutes) after which the session should time out.
Time Zone | Specifies the time zone in which the user operates.
Language Preference | Specifies the language in which the user wants to view the UI text. The default value is English.
Multi lingual | Specifies if the UI should support multi-lingual font support.
4. Click Save to save the changes.
Edit User
To edit a user, do the following.
1. Go to Configuration>User Accounts>Users.
2. Select the location for which you want to edit the user.
3. Click the login id hyperlink for the user that you want to edit. The Edit User Details dialog box
appears.
4. Edit the user details.
5. Click Save to save the changes.
Print User List for Location
You can print a list of users defined for a location.
To print a user list for a location, do the following.
1. Go to Configuration>User Accounts>Users.
2. Select the location for which you want to print the user list.
3. Select the columns that you want in the printed list. Click any column name to select or deselect
columns.
4. Click the print icon. The print preview of the user list appears.
5. Click Print to print the list.
Search User
You can search for users by login ID or by name.
To search for a user, do the following.
1. Go to Configuration>User Accounts>Users.
2. Select the location in which you want to search for the user.
3. Enter the login ID string or the name string in the Quick Search box.
4. Press the Enter key.
5. The users with login IDs or names matching the search string are displayed. The search string can be a substring of the login ID or name of the user.
Delete User
To delete a user, do the following.
1. Go to Configuration>User Accounts>Users.
2. Select the location for which you want to delete the user. The user list appears.
3. Click the Delete hyperlink for the user to delete. A message to confirm delete appears.
4. Click Yes to confirm deletion of user.
Configure Password Policy
The Password Policy determines the minimum requirements for system passwords. This policy applies to
all user roles - super user, administrator, operator, and viewer. If you change this policy, older passwords
are not affected. Only passwords created after a policy change are subject to the new policy. This setting
applies only to local authentication and does not apply to LDAP and RADIUS authentication.
You can copy password policy from one server to another when the servers are part of the same server
cluster.
To configure password settings or password policy, do the following.
1. Go to Configuration>User Accounts>Password Policy.
2. Specify the number of characters required for the password. Minimum number of characters is 4,
maximum number of characters is 15.
3. If you want the password to contain at least one numerical character, select the At least one
numerical character required check box.
4. If you want the password to contain at least one special character, select the At least one special
character required check box.
5. Click Save to save the changes made to the page.
Restore Default Password Policy
The default password policy is as follows: the password length is 6 characters and no numeric or special characters are required in the password.
To restore the default password policy, do the following.
1. Go to Configuration>User Accounts>Password Policy.
2. Click Restore Defaults to restore default password policy.
3. Click Save to save the changes.
Copy Password Policy to Another Server
You can copy the password policy from one server to another server when both servers are part of the
same server cluster. You can copy password policy from child server to child server, parent server to child
server, or child server to parent server.
You must be a superuser or an administrator to copy policies from one server to another.
To copy password policy, do the following.
1. Go to Configuration>User Account>Password Policy on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the password policy is to be copied.
4. Select the server to which the password policy is to be copied.
5. Click OK to copy the password policy.
Configure Account Suspension Setting
Account suspension protects the system from spurious logins through dictionary attacks. Define the
account suspension policy using the Configuration>User Accounts>Account Suspension option.
There are four roles available in the system: super user, administrator, viewer and operator. You can
configure a different policy for each of these user roles. Configure the suspension time in minutes and the
number of failed login attempts allowed during that time.
You can copy account suspension setting from one server to another when the servers are part of the
same server cluster.
To configure the Account Suspension Setting for a user role, do the following.
1. Go to Configuration>User Accounts>Account Suspension.
2. Specify a suspension time between 5 minutes and 30 minutes, during which the consecutive failed
login attempts happen.
3. Specify the number of failed login attempts between 3 and 10.
4. Click Save to save the changes made to the page.
The following diagram explains the account suspension settings.
(Figure: Account Suspension Settings)
This policy is applicable on the root location only.
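As an added illustration of the suspension logic described above (example code written for this guide, not AirTight's implementation), the following Python models per-role account suspension with a sliding window of failed attempts. It assumes that the configured minutes serve both as the window within which failures are counted and as the length of the suspension that follows, and that the console's accepted ranges (3 to 10 attempts, 5 to 30 minutes) are enforced when the policy is defined; the role names, login IDs and timestamps are constructed sample data.

```python
"""Per-role account suspension with a sliding failure window.

Added example for this guide, not AirTight's implementation. Assumption: the
configured minutes are used both as the window in which failed attempts are
counted and as the length of the suspension that follows."""
from collections import defaultdict, deque


class SuspensionPolicy:
    """One row of the Account Suspension page: attempts and minutes for a role."""

    def __init__(self, max_failures, minutes):
        # Enforce the ranges the console accepts (3-10 attempts, 5-30 minutes).
        if not 3 <= max_failures <= 10:
            raise ValueError("failed login attempts must be between 3 and 10")
        if not 5 <= minutes <= 30:
            raise ValueError("suspension time must be between 5 and 30 minutes")
        self.max_failures = max_failures
        self.window = minutes * 60  # seconds


class AccountSuspension:
    def __init__(self, policies):
        self.policies = policies            # role name -> SuspensionPolicy
        self.failures = defaultdict(deque)  # login ID -> timestamps of recent failures
        self.suspended_until = {}           # login ID -> time the suspension ends

    def is_suspended(self, login_id, now):
        until = self.suspended_until.get(login_id)
        if until is None:
            return False
        if now >= until:
            del self.suspended_until[login_id]  # suspension has expired
            return False
        return True

    def record_failure(self, login_id, role, now):
        """Register a failed attempt; return True if it triggered a suspension."""
        policy = self.policies[role]
        recent = self.failures[login_id]
        recent.append(now)
        # Drop failures older than the window so only consecutive recent ones count.
        while recent and now - recent[0] > policy.window:
            recent.popleft()
        if len(recent) >= policy.max_failures:
            self.suspended_until[login_id] = now + policy.window
            recent.clear()
            return True
        return False

    def attempt_login(self, login_id, role, password_ok, now):
        """Return 'suspended', 'ok' or 'failed' for one login attempt."""
        if self.is_suspended(login_id, now):
            # A suspended account is refused before the credential is checked,
            # so a correct password presented during the suspension gains nothing.
            return "suspended"
        if password_ok:
            self.failures.pop(login_id, None)  # success resets the counter
            return "ok"
        self.record_failure(login_id, role, now)
        return "failed"


def demo():
    """Three quick failures suspend an administrator for 5 minutes (constructed timestamps in seconds)."""
    guard = AccountSuspension({"administrator": SuspensionPolicy(3, 5),
                               "viewer": SuspensionPolicy(5, 10)})
    outcomes = [guard.attempt_login("alice", "administrator", False, t) for t in (0, 10, 20)]
    outcomes.append(guard.attempt_login("alice", "administrator", True, 30))        # right password, still locked
    outcomes.append(guard.attempt_login("alice", "administrator", True, 30 + 300))  # lock has expired
    return outcomes


if __name__ == "__main__":
    print(demo())  # ['failed', 'failed', 'failed', 'suspended', 'ok']
```

Two details matter for the dictionary-attack case the section mentions: a suspended account is rejected before the password is evaluated, so the lockout also denies a lucky guess made during the suspension, and a failure that has aged out of the window no longer counts, so only a burst of consecutive failures within the configured minutes triggers the suspension.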
Copy Account Suspension Settings to Another Server
You can copy the account suspension settings from one server to another server when both servers are
part of the same server cluster. You can copy account suspension settings from child server to child
server, parent server to child server, or child server to parent server. You must be a superuser or an
administrator to copy policies from one server to another.
To copy account suspension settings, do the following.
1. Go to Configuration>User Accounts>Account Suspension on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the account suspension settings are to be copied.
4. Select the server to which the account suspension settings are to be copied.
5. Click OK to copy the account suspension settings.
Configure Login Parameters
You can specify the number of concurrent console logins that a user can have, along with the welcome
message that the user would see on logging on to AirTight Management Console. The user can have up
to 5 concurrent console logins.
You must have administrator privileges to configure login parameters.
You can copy the login configuration from one server to another server when both servers are part of the
same server cluster.
To configure login parameters, do the following.
1. Go to Configuration>System Settings>Login Configuration.
2. Enter the message that the user would see on the login screen, in Configure Login Message.
3. To display the message on the login screen, select the Enable Login Message check box.
4. Specify the number of concurrent sessions per user.
5. Click Save to save the settings.
Restore Defaults for Login Configuration
To restore default settings for login configuration, do the following.
1. Go to Configuration>System Settings>Login Configuration.
2. Click Restore Defaults. Default settings are restored.
3. Click Save to save the changes.
Copy Login Configuration to Another Server
You can copy the login configuration from one server to another server when both servers are part of the
same server cluster. You can copy login configuration from child server to child server, parent server to
child server, or child server to parent server. You must be a superuser or an administrator to copy policies
from one server to another.
To copy login configuration, do the following.
1. Go to Configuration>System Settings>Login Configuration on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the login configuration is to be copied.
4. Select the server to which the login configuration is to be copied.
5. Click OK to copy the login configuration.
User Authentication
Configure LDAP Server Parameters
AirTight Management Console enables you to configure an LDAP server for user authentication. After an
LDAP server is configured, users or groups defined in the LDAP server can login to AirTight Management
Console.
In LDAP configuration, you can configure the following details.
• LDAP Configuration parameters to be able to access the LDAP compliant directory
• LDAP authentication details to search records on the LDAP server
• Privileges for LDAP users- Here you specify the default role and the default locations assigned when
new LDAP users log in, for the case where the role and locations attributes are not provided by the
LDAP server. Note that the default values here apply to all users authenticated via LDAP. If the LDAP
server provides user role and locations attribute at the time of authentication, the attributes provided
by the LDAP server will override the default role and locations attributes.
You must have administrator privileges to configure the LDAP server access parameters.
Configure LDAP Server Access Parameters
To configure LDAP server access parameters, do the following.
1. Go to Configuration>User Accounts>LDAP Configuration option.
2. Select Enable LDAP to enable user authentication using an LDAP compliant directory. All the fields
related to LDAP are enabled on selecting this check box.
3. Enter the connection details as described in the following table.
Primary Server IP Address/Hostname: The IP address or hostname of the primary LDAP server.
(Primary Server) Port: The port number of the primary LDAP server (default: 389).
Backup Server IP Address/Hostname: The IP address or hostname of the backup LDAP server.
(Backup Server) Port: The port number of the backup LDAP server.
Enforce Use of SSL/TLS: When this option is checked, only an SSL/TLS connection to the LDAP server is allowed. When it is not checked, either an open (unencrypted) or an SSL/TLS connection to the LDAP server is allowed.
Verify LDAP Server's Certificate: When this option is selected, the connection to the LDAP server is not allowed unless the certificate check passes. When this option is not selected, the connection to the LDAP server is allowed without verifying the LDAP server certificate.
4. If you have selected Verify LDAP Server's Certificate, you must add a certificate. Click Add
Certificate to add trusted root CA Certificate(s) for the LDAP server and choose the certificate.
5. Enter the LDAP configuration details as described in the following table.
Base Distinguished Name: The base distinguished name of the directory to which you want to connect, for example, o=democorp, c=au. A Distinguished Name is a unique identifier of an entry in the Directory Information Tree (DIT). The name is the concatenation of Relative Distinguished Names (RDNs) from the top of the DIT down to the entry in question.
Filter String: This is a mandatory argument. It is a string specifying the attributes (existing or new) that the LDAP server uses to filter users, for example, IsUser=A. By specifying a filter string you can allow or disallow login access to a particular OU or group of users defined in AD.
You can specify the DN (Distinguished Name) of a particular group to allow access only to members of that group, for example, memberOf=DC=GroupName,DC=com.
You can include members from multiple groups by using an OR condition. For example, to allow access to users under the Base DN who are members of either of the two groups Airtight Admins OR Airtight Reviewer, use the following filter string:
(|(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com))
Similarly, to allow access to users under the Base DN who are members of both the Airtight Admins AND Airtight Reviewer groups, use the following filter string:
(&(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com))
Alternative configurations in AD are possible, such as adding a new attribute, say ATNWIFI, to the users in AD that are granted access and then setting the filter string to allow only users with that attribute, for example, filter string = ATNWIFI.
You can also create a new group of users in AD with access granted and include the group in the filter string.
The most general filter string you can use is 'objectClass=*'. Use this string when you do not want to filter out any LDAP entry.
User ID Attribute: The string defined in the LDAP schema that the system uses to identify the user. (Default: cn)
6. If the directory does not allow an anonymous search, you must configure user credentials to search
the LDAP compliant directory. Configure the user credentials as described in the following table.
Admin User DN: The DN of the admin user used to authenticate to the LDAP server.
Append User DN: Select this option if the base DN specified in the LDAP Configuration Details must be appended to the admin user DN.
Password: The password for the admin user.
7. Click Test Settings to test the authentication options.
8. Configure the default role and locations for new LDAP users. They are described in the following
table.
User Role Attribute: The attribute string, as defined in the LDAP schema, that the system uses to identify a user's role.
User Role: The default role for new LDAP users. You can select one of the following four options: superuser, administrator, operator, viewer.
User Location Attribute: The attribute string, as defined in your LDAP schema, that the system uses to identify the locations where the user is allowed access.
Locations: The location to which a new LDAP user has access rights. You can select another location by clicking Change.
9. Click Save to save the changes.
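The filter strings shown for the Filter String field in step 5 follow the standard LDAP search filter syntax (RFC 4515), in which (&...) is AND, (|...) is OR, (!...) is NOT and attr=* tests for the presence of an attribute. The following Python is an added example written for this guide, not AirTight's code; it evaluates those exact filter strings against a small in-memory directory so you can see which accounts each one admits before enabling it on the console. The directory entries, login IDs and group DNs are constructed sample data, and the evaluator assumes attribute values contain no unescaped parentheses.

```python
"""Evaluator for the LDAP filter syntax used by the Filter String field.

Added example for this guide, not AirTight's code. Supports (&...) AND,
(|...) OR, (!...) NOT, attr=value equality and the attr=* presence test.
Assumption: attribute values contain no unescaped parentheses."""


def _parse(s, i=0):
    """Parse one filter beginning at s[i]; return (node, index after it)."""
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] == "(":
        node, i = _parse(s, i + 1)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses in filter")
        return node, i + 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        return (op, children), i
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        return ("!", [child]), i
    # Simple item: attr=value, running up to the next ')' or the end of the string.
    end = s.find(")", i)
    if end == -1:
        end = len(s)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr.strip():
        raise ValueError("expected attr=value, got %r" % s[i:end])
    return ("=", attr.strip().lower(), value.strip()), end


def _match(node, entry):
    """entry: dict of lower-cased attribute names to lists of values."""
    kind = node[0]
    if kind == "&":
        return all(_match(c, entry) for c in node[1])
    if kind == "|":
        return any(_match(c, entry) for c in node[1])
    if kind == "!":
        return not _match(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                 # presence filter
        return bool(values)
    # Attribute names and AD values such as DNs compare case-insensitively.
    return any(v.lower() == value.lower() for v in values)


# Constructed sample directory: not real accounts or groups.
DIRECTORY = [
    {"cn": ["alice"], "objectClass": ["user"],
     "memberOf": ["CN=AirTight Admins,DC=AirTight,DC=Com"]},
    {"cn": ["bob"], "objectClass": ["user"],
     "memberOf": ["CN=Airtight Reviewer,DC=AirTight,DC=Com"]},
    {"cn": ["carol"], "objectClass": ["user"],
     "memberOf": ["CN=AirTight Admins,DC=AirTight,DC=Com",
                  "CN=Airtight Reviewer,DC=AirTight,DC=Com"]},
    {"cn": ["dave"], "objectClass": ["user"], "memberOf": []},
    {"cn": ["printer1"], "objectClass": ["device"]},
]


def search(filter_string, entries=DIRECTORY, user_id_attribute="cn"):
    """Return the user IDs of the entries the filter admits (User ID Attribute defaults to cn)."""
    text = filter_string.strip()
    node, end = _parse(text)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    hits = []
    for entry in entries:
        normalised = {k.lower(): v for k, v in entry.items()}
        if _match(node, normalised):
            hits.append(normalised[user_id_attribute.lower()][0])
    return hits


# The two filter strings from the Filter String description, verbatim.
EITHER_GROUP = ("(|(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)"
                "(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com))")
BOTH_GROUPS = ("(&(memberOf=CN=AirTight Admins,DC=AirTight,DC=Com)"
               "(memberOf=CN=Airtight Reviewer,DC=AirTight,DC=Com))")

if __name__ == "__main__":
    print(search(EITHER_GROUP))      # ['alice', 'bob', 'carol']
    print(search(BOTH_GROUPS))       # ['carol']
    print(search("objectClass=*"))   # every entry, devices included
```

The last call shows why 'objectClass=*' deserves care: it admits every entry under the Base DN, including non-user objects, so any account the directory can bind becomes a console login. A filter scoped to a group (the OR and AND forms above) or to a purpose-built attribute keeps the set of people who can reach the console explicit and reviewable.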
Edit LDAP Server Access Parameters
To edit LDAP server access parameters, do the following.
1. Go to Configuration>User Accounts>LDAP Configuration option.
2. Make the required changes.
3. If you have made changes to the connection settings or the configuration settings, click Test
Settings to ensure that the new details are valid.
4. Click Save to save the changes.
Copy LDAP Configuration to Another Server
You can copy the LDAP configuration from one server to another server when both servers are part of the
same server cluster. You can copy LDAP configuration from child server to child server, parent server to
child server, or child server to parent server. You must be a superuser or an administrator to copy policies
from one server to another.
Note: When an LDAP configuration is copied to another server, the value of the Locations field in the
replicated policy on the destination server is set to 'root' (location).
To copy LDAP configuration, do the following.
1. Go to Configuration>User Accounts>LDAP Configuration on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the LDAP configuration is to be copied.
4. Select the server to which the LDAP configuration is to be copied.
5. Click OK to copy the LDAP configuration.
Configure RADIUS Parameters
AirTight Management Console can use a RADIUS server to facilitate user authentication. Configure the
RADIUS server access parameters using the Configuration->User Accounts->RADIUS Configuration
option.
Select the Enable RADIUS Authentication check box to activate RADIUS authentication of users. You
can configure the Authentication, Accounting, and Advanced Settings after selecting this check box. Click
the respective option to view and edit the fields for the individual sections.
Configure Authentication Parameters
Configure access parameters for the RADIUS Authentication server using the Authentication section.
To configure access parameters for RADIUS authentication server, do the following.
1. Go to Configuration->User Accounts->RADIUS Configuration.
2. Specify the IP address/ hostname, port number and shared secret for the primary and/or secondary
RADIUS servers.
3. Click Test to test the connection to the RADIUS servers.
4. Select Enable RADIUS Integration for CLI login to enable CLI user authentication using RADIUS.
5. Select Enable RADIUS Integration for GUI login to enable GUI user authentication using RADIUS.
6. Select vendor specific attributes as appropriate. These are used when vendor specific attributes are
not defined for the RADIUS server.
7. Click Save to save the changes.
Configure Accounting Parameters
Configure accounting parameters for the RADIUS Accounting server under the Accounting section.
To configure accounting parameters for RADIUS authentication server, do the following.
1. Go to Configuration->User Accounts->RADIUS Configuration.
2. Select the Enable RADIUS Accounting check box to enable RADIUS accounting.
3. Specify the IP address/ hostname, port number and shared secret for the primary and/or secondary
RADIUS accounting servers.
4. Click Save to save the changes.
Configure Advanced Settings
Configure the realm (domain) for the CLI and GUI users using the Advanced Settings section. You can
also specify how the realm is combined with the user name (prefix notation or postfix notation). Select
the Use Prefix Notation check box to use prefix notation. Postfix notation is used when this check box is
not selected.
To configure advanced settings, do the following.
1. Go to Configuration->User Accounts->RADIUS Configuration.
2. Enter the realm for CLI users in CLI.
3. Enter the realm for GUI users in GUI.
4. Select the Use Prefix Notation check box to use a prefix notation. Postfix notation is used when this
check box is not selected.
5. Click Save to save the changes made.
Restore Default Settings
By default, RADIUS authentication is disabled. To restore this default setting, do the following.
1. Go to Configuration->User Accounts->RADIUS Configuration.
2. Click Restore Defaults.
3. Click Save to save the changes.
Copy RADIUS Configuration to Another Server
You can copy the RADIUS configuration from one server to another server when both servers are part of
the same server cluster. You can copy RADIUS configuration from child server to child server, parent
server to child server, or child server to parent server. You must be a superuser or an administrator to
copy policies from one server to another.
Note: When a RADIUS configuration is copied to another server, the value of the Locations field in the
replicated policy on the destination server is set to 'root' (location).
To copy RADIUS configuration, do the following.
1. Go to Configuration>User Accounts>RADIUS Configuration on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the RADIUS configuration is to be copied.
4. Select the server to which the RADIUS configuration is to be copied.
5. Click OK to copy the RADIUS configuration.
Configure Parameters for Certificate-based authentication
AirTight Management Console supports user authentication using digital certificates. Configure the
settings for user authentication using the Configuration>User Accounts>Certificate Configuration
option.
There are four ways to authenticate users - password only, certificate only, certificate and password and
certificate or password.
Password only: In this option, the user authentication is performed using the password. The user has to
enter the user name and the password at the login prompt. The password may be locally verified by the
system or may be verified using the external LDAP or RADIUS authentication service, as appropriate.
Certificate only: In this option, the user authentication is performed using the client certificate (such as
smart card). The user has to insert a smart card containing the client certificate in a reader attached to the
computer from where the console is accessed and then press the Login button. The system then verifies
the client certificate and obtains user identity (user name) from the certificate. Other attributes for the user
are retrieved either locally or from the external authentication services such as LDAP or RADIUS, as
appropriate. When this authentication option is set, the login screen appears as follows:
Certificate and Password: In this option, both the client certificate and the password are required for the
user authentication. The user has to insert a smart card containing the client certificate in a reader
attached to the computer from where the console is accessed, as well as enter the password at the login
prompt. The system verifies the password locally or using the external LDAP or RADIUS authentication
service, as appropriate. When this authentication option is set, the login screen appears as follows:
Certificate or Password: In this option, the user authentication is permitted either using the password or
using the client certificate. This option is appropriate for organizations which have only partially migrated
to using smart cards for authentication. At login prompt, the user can select certificate authentication by
checking the Use certificate for login box or continue with password authentication by entering login
name and password. When this authentication option is set, the login screen appears as follows:
The required authentication option can be activated based on the various combinations of the Enable
certificate based authentication box, Allow access without certificate box, and Users must provide
password along with certificate box.
The following table describes the activation of the authentication options based on the check boxes
selected by the user.
| Authentication option to activate | Enable certificate based authentication | Allow access without certificate | Users must provide password along with certificate |
| --- | --- | --- | --- |
| Password only | No | - | - |
| Certificate only | Yes | No | No |
| Certificate and password | Yes | No | Yes |
| Certificate or password | Yes | Yes | No |
Note: In order to use certificate based authentication, it is necessary that the GUI host is able to access
the server at TCP port 4433. If there is a firewall between the GUI host and the server, port 4433 must be
opened from the host to the server.
When the Certificate only, Certificate and Password, or Certificate or Password option is activated, the
following additional details must be provided:
• The field in the client certificate from which user identity can be retrieved by AirTight
Management Console.
• Root CA certificates to facilitate the verification of the client certificate.
• Preferred method to check for certificate revocation.
Restore Certificate Configuration Defaults
By default, certificate-based authentication is disabled.
To restore this default value, do the following.
1. Go to Configuration>User Accounts>Certificate Configuration.
2. Click Restore Defaults.
3. Click Save to save the changes.
Copy Certificate Configuration to Another Server
You can copy the Certificate configuration from one server to another server when both servers are part
of the same server cluster. You can copy Certificate configuration from child server to child server, parent
server to child server, or child server to parent server. You must be a superuser or an administrator to
copy policies from one server to another.
To copy Certificate configuration, do the following.
1. Go to Configuration>User Accounts>Certificate Configuration on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the certificate configuration is to be copied.
4. Select the server to which the certificate configuration is to be copied.
5. Click OK to copy the certificate configuration.
Wireless Intrusion Prevention System
A Wi-Fi network is easy to set up by way of access points. Small plug-and-play devices can act as access
points. Smart phones and tablets, which are now widely used, are also Wi-Fi enabled and can act as
mobile hotspots. Wireless clients can connect to any such access point and easily reach a network that
is not adequately protected against such wireless threats. Thus a network can become vulnerable to
wireless attacks. It is therefore important to understand and control authorized and unauthorized
access to networks.
A proper wireless intrusion prevention (WIPS) policy needs to be in place to prevent unauthorized access
to a network. You can set the WIPS rules for the network using the options under Configuration>WIPS.
AirTight Management Console provides you the flexibility to set a generic WIPS policy for all locations in
the organization, or a location-wise WIPS policy for individual locations. You can have WIPS activated at
some locations and deactivated at others.
Make sure that you have defined your location tree before you can proceed with WIPS configuration.
You must have administrator privileges to do the WIPS settings.
Specify the authorized WLAN policy templates to identify authorized APs, using
Configuration>WIPS>Authorized WLAN Policy. This is inherited, by default, from the parent location. It
can also be customized for a location.
Configure the policy to auto-classify the APs detected by AirTight WIPS, using Configuration>WIPS>AP
auto-classification. This is inherited, by default, from the parent location. It can also be customized for a
location.
Configure the policy to auto-classify clients detected by AirTight WIPS, using
Configuration>WIPS>Client auto-classification. This is inherited, by default, from the parent location. It
can also be customized for a location.
Define the intrusion prevention policy, using Configuration>WIPS>Intrusion Prevention. This is
inherited, by default, from the parent location. It can also be customized for a location.
Activate or deactivate intrusion prevention for the selected location, using
Configuration>WIPS>Intrusion Prevention Activation. This is location specific. You need to first select
the desired location from the location tree. Then you use the Intrusion Prevention Activation option to
activate or deactivate intrusion prevention for this location.
Import device lists that can be referred to for AP/Client classification, using Configuration>WIPS>Import
Devices. This is location specific. You need to first select the desired location from the location tree. Then
you use the Import Devices option to import devices for this location.
You can manage banned device list with the Configuration>WIPS>Banned Device List option.
You can manage hotspot SSID list with the Configuration>WIPS>Hotspot SSIDs option.
You can manage the vulnerable SSID list with the Configuration>WIPS>Vulnerable SSIDs option.
You can manage the smart device types used in smart device detection with the
Configuration>WIPS>Smart Device Types option.
You can lock the list of authorized AP and/or clients for a location using the
Configuration>WIPS>Device List Locking option.
Manage Authorized WLAN Policy
Specify the Authorized WLAN policy templates for the selected location in the location hierarchy using
Configuration>WIPS>Authorized WLAN Policy.
Authorized WLAN policy for a location includes a set of one or more policy templates that define the
properties of one or more authorized wireless networks. A policy template is a collection of different
network related settings such as wireless network protocols, encryption protocol used, allowed network
SSIDs, security settings, authentication type used, allowed networks and so on. An authorized WLAN
policy also specifies what networks are restricted from having Wi-Fi APs on them. Apart from this, you
can also specify what APs to categorize as rogue or authorized APs based on their RSSI signal strength.
All these parameters together constitute an authorized WLAN policy.
The RSSI of a device is a statistical parameter. Using the RSSI feature can cause legitimate neighborhood
APs to be classified as Rogues and subjected to containment if automatic prevention is enabled. This will
disrupt neighbor Wi-Fi, since clients, including the legitimate neighborhood clients, will NOT be able to
connect to a Rogue AP under containment.
Even if the intention is to use RSSI to identify APs that are within the facility, it will not always work since
low power APs such as soft APs, hotspot APs running on smart phones, USB APs, etc. or APs which are
away from RSSI measurement point will still not get classified as Rogue APs due to not meeting the RSSI
threshold.
Policy templates aid in the classification of APs. A new AP or an existing Authorized AP is compared
against the templates to determine if it is a rogue or misconfigured AP. Any AP at a location that does not
comply with the WLAN policy attached to that location, is not considered to be an authorized AP.
You must apply the templates from the available list for the WLAN policy at that location.
Authorized policy templates are used to identify authorized APs and constantly check that the actual Wi-
Fi access parameters provisioned on the authorized APs meet the security policy. You can define multiple
WLAN policy templates and assign them to each location. Any new AP that is added to a location is
verified on the basis of the WLAN policy templates attached to that location. Any mismatch is used to
detect misconfiguration of the Wi-Fi access network.
The system uses the details of the authorized Wi-Fi setup at a particular location to detect the presence
of misconfigured or rogue APs in your network.
An AP is considered compliant with the Authorized WLAN Policy if:
• It is not connected to a No Wi-Fi network for its location
• Its SSID matches one of the templates attached at that location
• It is connected to one of the networks specified in that template
• It conforms to the other settings in that template (except the Authentication Framework, as this setting
is not a property of the AP itself but of the backend authentication system).
Note: If the template specifies certain allowed AP capabilities (such as Turbo, 802.11n, and so on), the
AP may or may not have those capabilities. However, if a capability is not selected, the AP must not have
that capability to be considered as compliant.
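The compliance rules listed above, including the capability rule in the note, as an added example written for this guide (not AirTight's code). The template fields (ssid, allowed networks, encryption, authentication framework, allowed capabilities), the AP records and the network identifiers are assumptions made for the illustration; the check also refuses a location policy that attaches two templates with the same SSID, in line with the restriction stated below.

```python
"""Authorized WLAN policy compliance check, following the rules listed above.

Added example for this guide, not AirTight's code. The template and AP
attributes used here (ssid, network, encryption, capabilities) are assumed
for the illustration; the sample records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PolicyTemplate:
    ssid: str
    allowed_networks: frozenset        # networks an AP with this SSID may be on
    encryption: str                    # one of the "other settings" that must match
    authentication_framework: str      # deliberately NOT compared: a property of the
                                       # backend authentication system, not of the AP
    allowed_capabilities: frozenset    # the AP may have these, and must have no others


@dataclass(frozen=True)
class AccessPoint:
    ssid: str
    network: str
    encryption: str
    capabilities: frozenset


@dataclass(frozen=True)
class LocationPolicy:
    templates: tuple
    no_wifi_networks: frozenset

    def __post_init__(self):
        ssids = [t.ssid for t in self.templates]
        if len(ssids) != len(set(ssids)):
            raise ValueError("only one template per SSID may be applied at a location")


def compliance(ap, policy):
    """Return (compliant, reason) for an AP seen at the location."""
    if ap.network in policy.no_wifi_networks:
        return False, "connected to a No Wi-Fi network"
    template = next((t for t in policy.templates if t.ssid == ap.ssid), None)
    if template is None:
        return False, "SSID matches no template applied at this location"
    if ap.network not in template.allowed_networks:
        return False, "not connected to a network the template allows"
    if ap.encryption != template.encryption:
        return False, "encryption does not match the template"
    extra = ap.capabilities - template.allowed_capabilities
    if extra:
        # Allowed capabilities are optional; capabilities not selected are forbidden.
        return False, "capability not permitted by template: " + ", ".join(sorted(extra))
    return True, "compliant"


# Constructed sample data.
CORP = PolicyTemplate(ssid="CorpWiFi", allowed_networks=frozenset({"10.1.0.0/16"}),
                      encryption="WPA2", authentication_framework="802.1X",
                      allowed_capabilities=frozenset({"802.11n"}))
LOCATION = LocationPolicy(templates=(CORP,), no_wifi_networks=frozenset({"10.9.0.0/16"}))

if __name__ == "__main__":
    for ap in (AccessPoint("CorpWiFi", "10.1.0.0/16", "WPA2", frozenset()),
               AccessPoint("CorpWiFi", "10.1.0.0/16", "WPA2", frozenset({"802.11n"})),
               AccessPoint("CorpWiFi", "10.1.0.0/16", "WPA2", frozenset({"Turbo"})),
               AccessPoint("CorpWiFi", "10.9.0.0/16", "WPA2", frozenset()),
               AccessPoint("Guest", "10.1.0.0/16", "WPA2", frozenset())):
        print(ap.ssid, ap.network, sorted(ap.capabilities), compliance(ap, LOCATION))
```

Note the asymmetry the capability rule creates: an AP without 802.11n is still compliant with a template that allows it, while an AP offering Turbo fails against a template that does not list it, which is what lets a template pin down exactly which radio features the authorized infrastructure may expose.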
With location-based policies, you can apply different sets of policy templates for different locations.
However, you cannot attach more than one template with the same SSID at any one location.
Only the policy templates that are applied to a location are used for AP classification at that location.
Other templates that are configured but not applied to the location, will not be used for AP classification,
as they are not a part of the WLAN policy for that location.
AirTight Management Console User Guide
24
The authorized policy templates created at other locations can be applied to a selected location but
cannot be edited or deleted. The edit and delete operations are possible only at the location where the
template is created.
A child location automatically inherits the authorized WLAN policy from its parent. You can customize the
WLAN policy for a child location. You can also switch back to an inherited policy in case you have created
a customized policy.
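The compliance rules above (SSID match, allowed networks, No Wi-Fi networks, the capability rule, one template per SSID, and child locations inheriting the parent's policy), worked through as an added example. This is not AirTight/Mojo code; the data classes, field names and the assumption that a location with no Wi-Fi deployed authorizes no APs are constructed for the example.

```python
"""Authorized WLAN policy compliance check (added example, constructed data model)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Template:
    ssid: str
    networks: FrozenSet[str]       # wired networks an AP with this SSID may be connected to
    security: str                  # e.g. "WPA2-Enterprise"; Authentication Framework is deliberately not compared
    capabilities: FrozenSet[str]   # capabilities *selected* (allowed) in the template, e.g. {"802.11n"}


@dataclass
class Location:
    name: str
    parent: Optional["Location"] = None
    wifi_deployed: bool = True     # the "Wi-Fi is deployed at this location" check box
    customized: bool = False       # False: the authorized WLAN policy is inherited from the parent
    templates: List[Template] = field(default_factory=list)
    no_wifi_networks: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AP:
    mac: str
    ssid: str
    network: str                   # wired network the AP was observed on
    security: str
    capabilities: FrozenSet[str]


def policy_location(loc: Location) -> Location:
    """Walk up the location tree to the location whose policy actually applies."""
    while not loc.customized and loc.parent is not None:
        loc = loc.parent
    return loc


def attach_template(loc: Location, tpl: Template) -> None:
    """Apply a template at a location; at most one template per SSID is allowed there."""
    if any(t.ssid == tpl.ssid for t in loc.templates):
        raise ValueError(f"a template with SSID {tpl.ssid!r} is already attached at {loc.name}")
    loc.customized = True          # attaching a template customizes an inherited policy
    loc.templates.append(tpl)


def violations(ap: AP, loc: Location) -> List[str]:
    """Reasons the AP does NOT comply with the authorized WLAN policy; empty list means compliant."""
    pol = policy_location(loc)
    if not pol.wifi_deployed:      # assumption: no Wi-Fi deployed => no AP can be authorized here
        return [f"no Wi-Fi is deployed at {pol.name}"]
    reasons: List[str] = []
    if ap.network in pol.no_wifi_networks:
        reasons.append(f"connected to No Wi-Fi network {ap.network}")
    matches = [t for t in pol.templates if t.ssid == ap.ssid]
    if not matches:
        reasons.append(f"SSID {ap.ssid!r} matches no template applied at {pol.name}")
        return reasons
    tpl = matches[0]               # unique per SSID, enforced by attach_template
    if ap.network not in tpl.networks:
        reasons.append(f"network {ap.network} is not allowed for SSID {ap.ssid!r}")
    if ap.security != tpl.security:
        reasons.append(f"security {ap.security} differs from template security {tpl.security}")
    # Capability rule: a capability selected in the template is optional on the AP,
    # but any capability the template does not select must be absent.
    extra = ap.capabilities - tpl.capabilities
    if extra:
        reasons.append(f"unexpected capabilities {sorted(extra)}")
    return reasons


def is_compliant(ap: AP, loc: Location) -> bool:
    return not violations(ap, loc)


if __name__ == "__main__":
    hq = Location("HQ", no_wifi_networks=frozenset({"10.9.0.0/24"}))
    attach_template(hq, Template("Corp", frozenset({"10.1.0.0/16"}), "WPA2-Enterprise", frozenset({"802.11n"})))
    floor2 = Location("HQ/Floor2", parent=hq)       # inherits HQ's policy
    ap = AP("aa:bb:cc:00:00:01", "Corp", "10.1.0.0/16", "WPA2-Enterprise", frozenset({"802.11n", "Turbo"}))
    print(violations(ap, floor2))                    # Turbo is not selected in the template
```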
Configure Authorized WLAN Policy
To configure an authorized WLAN policy for a location, do the following.
1. Select the location from the location tree.
2. Go to Configuration>WIPS>Authorized WLAN Policy.
3. If Wi-Fi has been deployed at the location, select the Wi-Fi is deployed at this location check box.
The Policy Template and Select "No Wi-Fi" Networks sections on this page are enabled on
selecting this check box.
4. If you want to use an existing policy template, click the Applied icon for the existing policy template to
be applied to the location. Alternatively, click Add New Policy Template if no policy template exists,
and add a new policy template. Refer to the Add Device Template or Edit Device Template
subsection in the Manage Policy Templates section for details on how to add or edit a policy
template.
5. If there are any networks at the location that are not allowed to have APs connected to them,
a) Scroll down to the Select "No Wi-Fi" Networks section
b) Click Add. The Add Networks dialog box appears.
c) Enter the SSID or IP address of the network to add.
6. Define RSSI-based classification if the WIPS is intended for use in an isolated environment with little
neighborhood Wi-Fi activity, such as defense and military facilities. It is recommended to skip this
section altogether in commercial or business district environments. Either of the following two
mechanisms must be switched on to classify the APs.
a) Enter the threshold RSSI value; APs with signal strength stronger than this value are preclassified
as rogue or unauthorized APs.
b) Select Preclassify APs connected to monitored subnets as Rogue or Authorized APs to
preclassify the APs connected to monitored subnets as rogue or authorized APs.
7. Click Save to save the changes.
Edit Authorized WLAN Policy
To edit an authorized WLAN policy for a location, do the following.
1. Select the location from the location tree.
2. Go to Configuration>WIPS>Authorized WLAN Policy.
3. If you want to apply an existing policy, click the Applied icon for that policy in the policy template list.
4. If you want to make changes to the policy template, click the policy template link in the policy
template list. If you want to add a new policy template, click Add New Policy Template, and add a
new policy template. Refer to the Add Device Template or Edit Device Template subsections in the
Manage Policy Templates section for details on how to add or edit a policy template.
5. If there are any networks at the location that are not allowed to have APs connected to them,
a) Scroll down to the Select "No Wi-Fi" Networks section
b) Click Add. The Add Networks dialog box appears.
c) Enter the SSID or IP address of the network to add.
6. Define RSSI-based classification if the WIPS is intended for use in an isolated environment with little
neighborhood Wi-Fi activity, such as defense and military facilities. It is recommended to skip this
section altogether in commercial or business district environments. Either of the following two
mechanisms must be switched on to classify the APs.
a) Enter the threshold RSSI value; APs with signal strength stronger than this value are preclassified
as rogue or unauthorized APs.
b) Select Preclassify APs connected to monitored subnets as Rogue or Authorized APs to
preclassify the APs connected to monitored subnets as rogue or authorized APs.
7. Click Save to save the changes.
Configure AP Auto-classification Policy
The AP Auto-Classification policy function enables you to specify the AP classification policy for different
AP categories.
It is important to know about the authenticity of APs in the network as unauthorized APs can cause
irreparable damage to your network and business.
AP classification is of prime importance in WIPS implementation.
A diagrammatic representation of AP classification is shown below.
AP classification
Under External APs, AirTight recommends that you select Automatically move Potentially External APs in
the Uncategorized list to the External Folder. The system automatically removes an AP from the External
folder and moves it to an appropriate AP folder if it later detects that the AP is wired to the enterprise
network.
Under Rogue APs, AirTight recommends that you select Automatically move Potentially External APs in
the Uncategorized list to the Rogue folder.
Note: Once you move an AP to the Rogue folder, the system never automatically removes it from the
Rogue folder, even if it later detects that the AP is unwired from the enterprise network or its security
settings have changed.
Configure Client Auto-classification Policy
The client auto-classification policy determines how clients are classified upon initial discovery and
subsequent associations with APs.
Client auto classification
Define how the system should automatically classify the detected wireless clients at the selected location
based on their initial discovery and subsequent AP associations. This policy is automatically inherited by
child locations of the selected location. The intrusion prevention actions enforced on the wireless clients
are based on their classification in the system.
If a client is ever manually classified, then it is never automatically classified by the system until it is
deleted from the system and rediscovered.
Under Initial Classification, select the Automatically classify newly discovered Clients at this
location as check box and specify if newly discovered clients at a particular location, which are
Uncategorized by default should be classified as External, Authorized or Guest.
Under Automatic Client Classification, select one or more options to have the system automatically
reclassify Uncategorized and Unauthorized Clients based on their associations with APs. You can
categorize the following types of clients.
• Clients running AirTight Mobile
    • All External Clients running AirTight Mobile are classified as Authorized
    • All Uncategorized Clients running AirTight Mobile are classified as Authorized
    • All Rogue Clients running AirTight Mobile are classified as Authorized
    • All Guest Clients running AirTight Mobile are classified as Authorized
• Clients connecting to Authorized APs
    • All External Clients that connect to an Authorized AP are reclassified as Authorized
    • All Uncategorized Clients that connect to an Authorized AP are reclassified as Authorized
    • All Guest Clients that connect to an Authorized AP are reclassified as Authorized
You can select the following exceptions.
    • Do not reclassify a Client connecting to a Misconfigured AP as Authorized
    • Do not reclassify a Client if its wireless data packets are not detected on the wired network
    (except if the connection is reported by the WLAN controller).
Classification for clients connecting to Authorized APs
Click Advanced to configure the auto classification settings for clients connecting to guest APs and
external APs.
• Clients connecting to Guest APs
    • All External Clients that connect to a Guest AP are reclassified as Guest
    • All Uncategorized Clients that connect to a Guest AP are reclassified as Guest
You can select the following exceptions.
    • Do not reclassify a Client connecting to a Misconfigured AP as Guest
    • Do not reclassify a Client as Guest if its wireless data packets are not detected on the wired
    network (except if the connection is reported by the WLAN controller)
Classification for Clients connecting to Guest APs
• Clients connecting to External APs
    • All Uncategorized Clients that connect to an External AP are reclassified as External
    • All Uncategorized Clients that connect to a Potentially External AP are classified as External
    • All Guest Clients that connect to an External AP are reclassified as External
    • All Guest Clients that connect to a Potentially External AP are reclassified as External
Classification of Clients connecting to External APs
• Clients connecting to Rogue APs
    • All Clients other than Authorized Clients that connect to a Rogue AP are (re)classified as
    Rogue
    • All Clients other than Authorized Clients that connect to a Potentially Rogue AP are classified
    as Rogue
Classification of Clients connecting to Rogue APs
• Bridging to the Corporate Network
    • Classify any non-authorized Client as Rogue if it is detected as bridging Wi-Fi to the corporate
    network
• RSSI Based Classification
    You can enable RSSI-based client classification for uncategorized clients and/or external clients
    and configure RSSI-based classification for them. Specify an RSSI threshold and the category for
    such clients.
Classification of Clients bridging to corporate network and RSSI based classification
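The association-driven rules of this section, worked through as an added example: a manually classified client is never auto-classified; Uncategorized, External and Guest clients that associate to an Authorized AP become Authorized unless an enabled exception applies (Misconfigured AP, or no wired-side detection and no WLAN controller report); the Guest, External and Rogue AP rules follow the same pattern. This is not AirTight/Mojo code; the policy flags, record fields and sample data are constructed assumptions.

```python
"""Client auto-classification on association with an AP (added example, constructed model)."""
from dataclasses import dataclass


@dataclass
class Client:
    mac: str
    category: str                  # Uncategorized, Authorized, Guest, External or Rogue
    manually_classified: bool = False


@dataclass
class Association:
    ap_category: str               # Authorized, Guest, External, Potentially External, Rogue, Potentially Rogue
    ap_misconfigured: bool = False
    wired_packets_seen: bool = False      # client's wireless data packets were detected on the wired network
    reported_by_controller: bool = False  # the connection was reported by the WLAN controller


@dataclass
class Policy:
    """Which auto-classification options and exceptions are selected for the location."""
    to_authorized: bool = True
    to_guest: bool = True
    to_external: bool = True
    to_rogue: bool = True
    skip_misconfigured_ap: bool = True    # exception: do not reclassify via a Misconfigured AP
    require_wired_detection: bool = True  # exception: need wired-side evidence or a controller report


def _exception_applies(assoc: Association, policy: Policy) -> bool:
    """True when an enabled exception blocks reclassification to Authorized or Guest."""
    if policy.skip_misconfigured_ap and assoc.ap_misconfigured:
        return True
    if policy.require_wired_detection and not (assoc.wired_packets_seen or assoc.reported_by_controller):
        return True
    return False


def auto_classify(client: Client, assoc: Association, policy: Policy) -> str:
    """Category the client should have after this association (unchanged when no rule fires)."""
    cat = client.category
    if client.manually_classified:
        return cat                 # sticks until the client is deleted from the system and rediscovered
    ap = assoc.ap_category
    if ap == "Authorized" and policy.to_authorized and cat in ("Uncategorized", "External", "Guest"):
        return cat if _exception_applies(assoc, policy) else "Authorized"
    if ap == "Guest" and policy.to_guest and cat in ("Uncategorized", "External"):
        return cat if _exception_applies(assoc, policy) else "Guest"
    if ap in ("External", "Potentially External") and policy.to_external and cat in ("Uncategorized", "Guest"):
        return "External"
    if ap in ("Rogue", "Potentially Rogue") and policy.to_rogue and cat != "Authorized":
        return "Rogue"             # any non-Authorized client joining a (potentially) rogue AP
    return cat


if __name__ == "__main__":
    policy = Policy()
    new_client = Client("aa:bb:cc:dd:ee:01", "Uncategorized")
    # Same AP, with and without wired-side evidence: only the first association reclassifies.
    print(auto_classify(new_client, Association("Authorized", wired_packets_seen=True), policy))
    print(auto_classify(new_client, Association("Authorized"), policy))
```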
Intrusion Prevention
The Intrusion Prevention Policy determines the wireless threats against which the system protects the
network automatically. The system automatically moves such threat-posing APs and Clients to
quarantine. The system can protect against multiple threats simultaneously based on the selected
Intrusion Prevention level.
If the server quarantines an AP or Client based on the Intrusion Prevention policy, the Disable Auto-
quarantine option ensures that the system will not automatically quarantine this AP or Client (regardless
of the specified Intrusion Prevention policies).
AirTight Management Console can prevent any unwanted communication in your 802.11 network. It
provides various levels of prevention-blocking mechanisms of varying effectiveness. Intrusion
Prevention Level enables you to specify a trade-off between the desired level of prevention and the
desired number of simultaneous preventions across radio channels.
The greater the number of channels across which simultaneous prevention is desired, the lesser is the
effectiveness of prevention in inhibiting unwanted communication. Scanning for new devices continues
regardless of the chosen prevention level.
You can select from the following intrusion prevention levels:
• Block: A single sensor can block unwanted communication on any one channel in the 802.11b/g band
and any one channel in the 802.11a band.
• Disrupt: A single sensor can disrupt unwanted communication on any two channels in the 802.11b/g
band and any two channels in the 802.11a band.
• Interrupt: A single sensor can interrupt unwanted communication on any three channels in the
802.11b/g band and any three channels in the 802.11a band.
• Degrade: A single sensor can degrade the performance of unwanted communication on any four
channels in 802.11b/g band and any four channels in the 802.11a band.
Block is the most powerful prevention level, that is, it can severely block almost all popular Internet
applications including ping, SSH, Telnet, FTP, HTTP, and the like. However, at this level, a single sensor
can simultaneously prevent unwanted communication on only one channel in the 802.11b/g band and
one channel in the 802.11a band. If you want the sensor to prevent unwanted communication on multiple
channels simultaneously in the 802.11 b/g and/or the 802.11a band, you must select other prevention
levels.
Note: Prevention Type determines the blocking strength to prevent communication from unwanted APs
and Clients. The system can prevent multiple APs and Clients on each channel. Prevention Type is not
applicable for Denial of Service (DoS) attacks or ad hoc networks. You must select a lower blocking level
to prevent devices on more channels. Choosing a lower blocking level means that some packets from the
blocked device may go through.
You can enable intrusion prevention against the following threats:
• Rogue APs: APs connected to your network but not authorized by the administrator; an attacker can
gain access to your network through the Rogue APs. You can also automatically quarantine
uncategorized, indeterminate and banned APs connected to the network.
• Misconfigured APs: APs authorized by the administrator but do not conform to the security policy; an
attacker can gain access to your network through misconfigured APs. This could happen if the APs
are reset, tampered with, or if there is a change in the security policy.
• Client Misassociations: Authorized Clients that connect to rogue or external (neighboring) APs;
corporate data on the authorized client is under threat due to such connections. AirTight recommends
that you provide automatic intrusion prevention against authorized clients that connect to rogue or
external APs.
There is a special intrusion prevention policy for smart devices that are not approved. Even if the
current client policy restricts authorized clients from connecting to a guest AP, an unapproved smart
device can still be allowed to do so. You must explicitly allow or restrict unapproved smart devices
from connecting to a guest AP.
Click Special Handling for Smart Devices to enable special handling for unapproved smart devices.
You can allow the unapproved smart device to connect to a guest AP only. To do this,
1. Select Enable Special Handling for Unapproved Smart Devices.
2. Select Allow connection to Guest AP, but not Authorized AP.
To disallow the unapproved smart device from connecting to both a guest AP as well as an authorized
AP, select Do not allow connection to Guest AP and Authorized AP.
Wireless Threats
Following is a diagrammatic representation of the various wireless threats.
Wireless Threats
• Non-authorized Associations: Non-authorized and Banned Clients that connect to Authorized APs; an
attacker can gain access to your network through Authorized APs if the security mechanisms are weak.
Non-authorized or Uncategorized Client connections to an Authorized AP using a Guest SSID are not
treated as unauthorized associations.
• Associations to Guest APs: External and Uncategorized Clients that connect to Guest APs are
classified as Guest Clients. The Clients connected to a wired network or a MisConfigured AP can be
specified as exceptions to this policy.
• Ad hoc Connections: Peer-to-peer connections between Clients; corporate data on the Authorized
Client is under threat if it is involved in an ad hoc connection.
• MAC Spoofing: An AP that spoofs the wireless MAC address of an Authorized AP; an attacker can
launch an attack through a MAC spoofing AP.
• Honeypot/Evil Twin APs: Neighboring APs that have the same SSID as an Authorized AP; Authorized
Clients can connect to Honeypot/Evil Twin APs. Corporate data on these Authorized Clients is under
threat due to such connections.
• Denial of Service (DoS) Attacks: DoS attacks degrade the performance of an official WLAN.
• WEPGuard™: Active WEP cracking tools allow attackers to crack the WEP key and gain access to
confidential data in a matter of minutes or even seconds. Compromised WEP keys are used to gain
entry into the authorized WLAN by spoofing the MAC address of an inactive Authorized Client.
• Client Bridging/ICS: A Client with packet forwarding enabled between wired and wireless interfaces. A
bridging Authorized Client, or a bridging unauthorized/uncategorized Client connected to an enterprise
subnet, is a serious security threat.
Activate Intrusion Prevention for Location
Activate intrusion prevention for a location using the Configuration>WIPS>Intrusion Prevention
Activation option. The following figure explains intrusion prevention activation.
Intrusion Prevention Activation
The intrusion prevention policy is a location specific policy - it cannot be inherited from the parent
location.
Authorized APs should be in the Authorized folder before activating intrusion prevention. Their network
connectivity icon may show the status as Wired, Unwired, or Indeterminate.
If you deploy new Authorized APs later, you do not have to deactivate intrusion prevention. However, you
need to ensure that the newly deployed APs are moved to the Authorized folder.
AirTight recommends that you select the Activate Intrusion Prevention for <location> check box for
the selected location only after the deployment is stable and fully configured. If you are modifying a
deployment, clear the Activate Intrusion Prevention for <location> check box to avoid spurious activity
during the transient phase.
Click Save to save the change. Click Cancel to cancel the change. Click Restore Defaults to restore the
default value.
Import Device List
Importing an authorized AP List and an authorized or unauthorized client list is an efficient alternative to
manual movement of these devices into the authorized / unauthorized bins. After successfully importing
these lists, the system automatically classifies the APs and Clients in the respective lists as authorized or
unauthorized.
This is a location specific property and cannot be inherited from the parent location folder. You need
administrator rights to import a device list.
You can import authorized AP list, authorized client list, guest client list, rogue client list, and AirTight
device list into AirTight Management Console using the Configuration>WIPS>Import Devices option.
Format of the .txt or .csv file containing the AP/Client data
Each line is a comma-separated list of MAC Address, IP Address, Device Name. For example,
11:11:11:11:11:11,192.168.8.1,name1
11:11:11:11:11:12,192.168.8.2,name2
11:11:11:11:11:13,192.168.8.3,name3
11:11:11:11:11:14,192.168.8.4,name4
11:11:11:11:11:15,192.168.8.5,name5
11:11:11:11:11:16,192.168.8.6,name6
11:11:11:11:11:17,192.168.8.7,name7
Format of the .txt or .csv file containing the AirTight Device data
Each line is a comma-separated list of MAC Address, Device Name. For example,
44:77:11:22:44:77, name1
44:77:11:22:11:12, name2
44:77:11:22:11:13, name3
44:77:11:22:11:14, name4
44:77:11:22:11:15, name5
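A validator for the two import file formats described above, as an added example that is not AirTight/Mojo code: it parses MAC,IP,Name lines (APs and clients) and MAC,Name lines (AirTight devices/sensors), rejects malformed lines and duplicate MACs, and flags MACs that also sit on the banned device list, since importing a MAC as authorized while it is banned is contradictory. The function names and the third sample file are constructed for this example; the first two samples reuse lines from the format description.

```python
"""Validate an AP/client or sensor import file before uploading it (added example)."""
import csv
import io
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Trimmed, lower-case MAC so duplicate and banned-list comparisons are reliable."""
    return mac.strip().lower()


def parse_device_list(text: str, kind: str) -> Tuple[List[Dict[str, str]], List[str]]:
    """Parse a .txt/.csv device list.

    kind is "ap" or "client" (MAC Address, IP Address, Device Name) or "sensor"
    (MAC Address, Device Name). Returns (records, errors); a line with a problem
    is reported in errors and left out of records.
    """
    expected = 2 if kind == "sensor" else 3
    records: List[Dict[str, str]] = []
    errors: List[str] = []
    seen = set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [c.strip() for c in row]        # the sensor sample has a space after each comma
        if not any(fields):
            continue                             # blank line
        if len(fields) != expected:
            errors.append(f"line {lineno}: expected {expected} fields, got {len(fields)}")
            continue
        mac = normalize_mac(fields[0])
        if not MAC_RE.match(mac):
            errors.append(f"line {lineno}: malformed MAC address {fields[0]!r}")
            continue
        if mac in seen:
            errors.append(f"line {lineno}: duplicate MAC address {mac}")
            continue
        if expected == 3:
            try:
                ip = str(ipaddress.ip_address(fields[1]))
            except ValueError:
                errors.append(f"line {lineno}: malformed IP address {fields[1]!r}")
                continue
            record = {"mac": mac, "ip": ip, "name": fields[2]}
        else:
            record = {"mac": mac, "name": fields[1]}
        seen.add(mac)
        records.append(record)
    return records, errors


def conflicts_with_banned(records: Iterable[Dict[str, str]], banned: Iterable[str]) -> List[str]:
    """MACs in the import that are also on the banned device list."""
    banned_set = {normalize_mac(m) for m in banned}
    return [r["mac"] for r in records if r["mac"] in banned_set]


# Sample inputs: AP_LIST and SENSOR_LIST reuse lines from the format description above;
# BAD_LIST is constructed with one error of each kind (bad MAC, bad IP, duplicate, short line).
AP_LIST = """11:11:11:11:11:11,192.168.8.1,name1
11:11:11:11:11:12,192.168.8.2,name2
11:11:11:11:11:13,192.168.8.3,name3
"""
SENSOR_LIST = """44:77:11:22:44:77, name1
44:77:11:22:11:12, name2
"""
BAD_LIST = """11:11:11:11:11:11,192.168.8.1,name1
11:11:11:11:11:1Z,192.168.8.2,name2
11:11:11:11:11:13,192.168.8.300,name3
11:11:11:11:11:11,192.168.8.4,name4
11:11:11:11:11:15,192.168.8.5
"""

if __name__ == "__main__":
    for label, text, kind in (("AP list", AP_LIST, "ap"), ("sensor list", SENSOR_LIST, "sensor"),
                              ("bad list", BAD_LIST, "ap")):
        recs, errs = parse_device_list(text, kind)
        print(f"{label}: {len(recs)} records, {len(errs)} errors")
        for err in errs:
            print("  ", err)
```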
Points to remember
• Once you move an AP to the Authorized folder, AirTight Management Console never removes it from
the Authorized folder automatically, even if the AP is unwired from the enterprise network.
• When you import APs from the list, policy settings in the Setup Wizard do not affect these APs.
• When you import sensors from the list, you can delete these sensors only from the Devices page.
• When you import clients from the list, policy settings in the Setup Wizard do not affect these clients.
To import devices, do the following.
1. Select the appropriate option from the Import list box, depending on whether you want to import an
authorized AP list, an authorized client list, a guest client list, a rogue client list, or a sensor list. The
text on the command button below the device list changes based on your selection. For instance, if
you select the option Import Authorized Client List from the list box, the text on the command
button changes to Import Authorized Client List.
2. Under the Auto Tag Devices area, select Auto tag Devices to automatically tag the device(s) to the
selected location. Select Manually Tag Devices to manually tag the device(s) to the selected
location.
3. Enter the MAC address, IP address and name of the AP or client. If the device is a sensor, enter the
MAC address and the name of the sensor. Alternatively, you can specify a filename containing the
AP/client/sensor data. Click Autofill using File, and select the .txt or .csv file containing the
AP/client/sensor data.
4. Click Import Authorized AP List to import the list of authorized APs. Click Import Authorized Client
List to import the list of authorized clients. Click Import Guest Client List to import the list of guest
clients. Click Import Rogue Client List to import the list of rogue clients. Click Import Sensor List
to import the list of sensors. The file has to be a text file or a csv file. Refer to the preceding sections
for the text and csv file formats for the AP, client and sensor lists.
Once imported successfully, the devices are seen under their respective tabs on the Devices page. The
Dashboard page also reflects the activity of the newly imported sensors, APs, and clients.
Delete device details from device list
To delete the device details from the device list, do the following.
1. Select the AP/client/sensor row and click the corresponding Delete hyperlink.
2. Click Yes when asked to confirm deletion.
Manage Banned Device List
You can create and manage a list of banned APs and banned clients using the
Configuration>WIPS>Banned Device List option. If the devices from this list are detected, they are not
classified as rogue devices.
Create banned AP list
You can add the wireless MAC addresses of APs that are blacklisted in your organization. If APs with
these MAC addresses become visible, AirTight Management Console generates an alert.
You can either enter individual AP MAC addresses or import a list of banned APs into the database.
To add an individual AP MAC address, do the following.
1. Go to Configuration>WIPS>Banned Device List.
2. Click to expand Banned AP List.
3. Click Add MAC Address. The Add to Banned List dialog box appears.
4. Click Add MAC Address under Banned AP list and enter the MAC Address of a banned AP. You can
add one or more banned AP MAC addresses in this manner.
You can also import a list of AP MAC addresses from a file. The file containing the list of AP MAC
addresses must be a CSV file.
To import a file containing a list of AP MAC addresses, do the following.
1. Go to Configuration>WIPS>Banned Device List
2. Click to expand Banned AP List.
3. Click Add MAC Address. The Add to Banned List dialog box appears.
4. Click File Upload.
5. Click Choose File to choose the file and then click Upload to upload the selected file.
6. Click Add to add the imported AP MAC addresses to the banned device list.
Create banned Client list
You define the wireless MAC addresses of Clients that are blacklisted in your organization. For example,
such MAC addresses could belong to laptops of employees who are no longer with the organization. If
Clients with these MAC addresses become visible, AirTight Management Console generates an alert.
You can either enter individual client MAC addresses or import a list of banned clients into the database.
To add an individual client MAC address, do the following.
1. Go to Configuration>WIPS>Banned Device List.
2. Click to expand Banned Client List.
3. Click Add MAC Address. The Add to Banned List dialog box appears.
4. Click Add Device link to add a MAC address manually.
5. Enter the MAC address to add. You can add one or more banned client MAC addresses in this
manner.
6. Click Add to add the devices to the banned device list.
You can also import a list of client MAC addresses. The file containing the list of client MAC addresses
must be a CSV file.
To import a file containing a list of client MAC addresses, do the following.
1. Go to Configuration>WIPS>Banned Device List.
2. Click to expand Banned Client List.
3. Click Add MAC Address. The Add to Banned List dialog box appears.
4. Click File Upload.
5. Click Choose File to choose the file and then click Upload to upload the selected file.
6. Click Add to add the imported client MAC addresses to the banned device list.
Delete Banned Device
1. Go to Configuration>WIPS>Banned Device List.
2. Click the Delete link for the device to be deleted. A confirmation message is displayed to confirm
deletion.
3. Click Yes to confirm deletion
Copy Banned Device List to Another Server
You can copy the banned device list from one server to another server when both servers are part of the
same server cluster. You can copy banned device list from child server to child server, parent server to
child server, or child server to parent server. You must be a superuser or an administrator to copy policies
from one server to another.
To copy banned device list, do the following.
1. Go to Configuration>WIPS>Banned Device List on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the banned device list is to be copied.
4. Select the server to which the banned device list to be copied.
5. Click OK to copy the banned device list.
Manage Hotspot SSIDs
Configure and manage a list of hotspot SSIDs using the Configuration>WIPS>Advanced
Settings>Hotspot SSIDs option.
It is highly likely that hotspot APs are present in the enterprise neighborhood. If an enterprise Client
probes for a well-known hotspot SSID, it is at risk of connecting to the hotspot AP without the user
necessarily knowing about it. Also, if an enterprise AP uses a hotspot SSID, such an AP may attract
undesirable Clients to connect to it.
If you consider an SSID to be vulnerable to hackers, you can open the Hotspot SSIDs screen and enter
the SSID under SSID (ASCII character string).
Add Hotspot SSIDs
The system lists commonly known SSIDs by default. To enter a blank SSID, that is, one with no string,
click Add without entering any text. The list shows the SSID as NULL.
To add a hotspot SSID, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID.
2. Click Add New Hotspot SSID. The Add New Hotspot SSID dialog box appears.
3. Enter a new hotspot SSID and click OK. If an AP with a hotspot SSID is detected, the system
generates an event.
Search Hotspot SSIDs
To search for hotspot SSIDs, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID.
2. Type in the search string in the search SSID box and press the Enter key. A list of hotspot SSIDs
matching the search criteria appears.
To clear the search string, click the x icon next to the search SSID box.
Delete Hotspot SSID
To delete hotspot SSIDs, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSID.
2. Click the Delete link for the SSID to be deleted.
3. Click Yes on the confirmation message to confirm the deletion of the hotspot SSID.
Restore Default Hotspot SSID list
To restore the default hotspot SSID list, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSIDs
2. Click Restore Defaults. A confirmation message prompting you to confirm the operation appears.
3. Click Yes. The default hotspot SSID list is restored.
Copy Hotspot SSID List to Another Server
You can copy the list of hotspot SSIDs from one server to another server when both servers are part of
the same server cluster. You can copy a list of hotspot SSIDs from child server to child server, parent
server to child server, or child server to parent server. You must be a superuser or an administrator to
copy policies from one server to another.
To copy a list of hotspot SSIDs, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Hotspot SSIDs on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the list of hotspot SSIDs is to be copied.
4. Select the server to which the list of hotspot SSIDs is to be copied.
5. Click OK to copy the list of hotspot SSIDs.
Manage Vulnerable SSIDs
Configure and manage a list of vulnerable SSIDs using the Configuration>WIPS>Advanced
Settings>Vulnerable SSIDs option.
APs have well known default SSIDs and many users may not change these SSIDs when deploying the
APs. Therefore it is highly likely that APs using default SSIDs are present in the enterprise neighborhood.
If an enterprise Client probes for a default SSID, it is at risk of connecting to the neighborhood AP without
the user necessarily knowing about it. Also if an enterprise AP uses a default SSID, such an AP may
attract undesirable clients to connect to it.
Add Vulnerable SSID
If you consider an SSID to be vulnerable to hackers, you can add the SSID to the Vulnerable SSIDs list.
To add a vulnerable SSID, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs.
2. Click Add New Vulnerable SSID.
3. Enter the SSID and click OK to add it to the list of vulnerable SSIDs. If an AP with a vulnerable
SSID is detected, the system generates an event.
Note: Commonly known SSIDs are listed by default. To enter a blank SSID, that is, one with no string,
click Add without entering any text. The list shows the SSID as NULL.
Search Vulnerable SSID
To search a vulnerable SSID, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs.
2. Type in the search string in the search SSID box and press the Enter key. A list of vulnerable SSIDs
matching the search criteria is displayed.
To clear the search string, click the x icon next to the search SSID box.
Delete Vulnerable SSID
To delete a vulnerable SSID, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs.
2. Click the Delete link for the SSID to be deleted.
3. Click Yes on the confirmation message to confirm the deletion of the vulnerable SSID.
Restore Default Vulnerable SSID list
To restore the default vulnerable SSID list, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs
2. Click Restore Defaults. A confirmation message prompting you to confirm the operation appears.
3. Click Yes. The default vulnerable SSID list is restored.
Copy Vulnerable SSID List to Another Server
You can copy the list of vulnerable SSIDs from one server to another server when both servers are part of
the same server cluster. You can copy a list of vulnerable SSIDs from child server to child server, parent
server to child server, or child server to parent server.
You must be a superuser or an administrator to copy policies from one server to another.
To copy a list of vulnerable SSIDs, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Vulnerable SSIDs on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the list of vulnerable SSIDs is to be copied.
4. Select the server to which the list of vulnerable SSIDs is to be copied.
5. Click OK to copy the list of vulnerable SSIDs.
Manage Smart Device Types
You can view, add, and delete the smart device types using the Configuration>WIPS>Advanced
Settings>Smart Device Type option.
The Smart Device Type page shows the system-defined smart device types, and the user-defined smart
device types, if any.
Add Smart Device Type
You can add to the list of predefined smart device types.
To add a new smart device type, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type.
2. Click Add new smart device type. The Add new smart device type dialog box appears.
3. Enter the Smart Device Type.
4. Click OK to add the smart device type to the existing list of smart device types.
Delete Smart Device Type
You can delete only the smart device types that have been manually added. You cannot delete the
system-defined smart device types.
To delete a user-defined smart device type, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type
2. Select the smart device type and click Delete. A message appears prompting you to confirm the
deletion.
3. Click Yes to confirm the deletion.
Copy Smart Device Types List to Another Server
You can copy the list of smart device types from one server to another server when both servers are part
of the same server cluster. You can copy a list of smart device types from child server to child server,
parent server to child server, or child server to parent server. You must be a superuser or an
administrator to copy policies from one server to another.
To copy a list of smart device types, do the following.
1. Go to Configuration>WIPS>Advanced Settings>Smart Device Type on the parent server.
2. Click Copy Policy. The Copy Policies dialog box appears.
3. Select the server from which the list of smart device types is to be copied.
4. Select the server to which the list of smart device types is to be copied.
5. Click OK to copy the list of smart device types.
Manage WiFi Access
Wi-Fi profiles are used to define the Wi-Fi configuration of an AirTight Device in access point (AP) mode.
Wi-Fi Profiles are applied onto a radio of a device. The radio and the device must support access point
configuration.
Wi-Fi Profiles can be created on any location.
A Wi-Fi profile is a Wi-Fi network profile, that is, a set of configuration parameters related to a
wireless or Wi-Fi network. It consists of security, network, captive portal, firewall, traffic shaping, QoS and
BYOD settings. A single Wi-Fi profile represents a VLAN. Multiple VLANs can be configured for a single
AP. Thus, you can have different VLANs to provide different services using a single AP.
Manage SSID Profiles
When an AirTight device is configured as an access point (AP), you can use the access point to provide
various services, in parallel. This means that you can divide a physical AP into multiple virtual APs. Each
virtual AP can provide a service independently, without interfering with the services provided by other
virtual APs on the same physical AP.
An AirTight device operating as an AP supports multiple VLANs created on the wired side.
A Wi-Fi Profile (or SSID profile) is a set of network properties that are configured on a virtual AP. One or
more Wi-Fi profiles could represent or map to a single VLAN.
Let us consider an example. You could have different VLANs configured on the wired side, of which one
is serving the general corporate network and one is provisioning network access for guests. Using the
AirTight device that is configured to function as an AP, you can define 2 or more virtual APs mapping to
the properties of the VLANs on the wired side. The wireless clients wanting to connect to the corporate
network would use the Wi-Fi profile mapping to the corporate VLAN and the wireless clients wanting to
connect to the guest network would use the Wi-Fi profile mapping to the guest VLAN.
A virtual AP has the following features:
• Supports Open, WPA (TKIP), WPA2 (CCMP),WPA/WPA2 (TKIP+CCMP) or 802.1x security. Distinct
virtual APs can have different security modes.
• Can be used to provide distinct services that are independent of each other.
• Maps wireless traffic from virtual AP to a specific VLAN so that data transmitted and received by
wireless client will be seen on only the specified VLAN. It will not appear on other VLANs.
Starting with AirTight Management Console 7.1 U2, AirTight APs support Hotspot 2.0 Release 1.
Configuring the Hotspot 2.0 settings on an AirTight AP enables Passpoint-certified mobile devices to
seamlessly connect to the AirTight AP without the need for authentication.
Configure Wi-Fi Profiles using Configuration>Device Configuration>SSID Profiles.
Important: You cannot configure BYOD settings and captive portal settings on the same Wi-Fi profile.
Each should be configured on independent Wi-Fi profiles.
Add Wi-Fi Profile
You can add multiple Wi-Fi profiles for an AirTight device operating in the AP mode. When in AP mode, a
single physical AP device can be logically split up into multiple virtual APs. Each wireless profile
represents the configuration settings of a virtual AP. Multiple virtual APs can be configured on a single
radio. Up to 8 such virtual APs can be configured using the Add/Edit Wi-Fi Profiles dialog box.
Each Wi-Fi profile has a set of WLAN settings. Configure the WLAN settings for an AP in the WLAN tab.
You can configure the following settings for a Wi-Fi profile.
• Security Settings: Security settings specify the type of security used by the AP to authenticate
wireless clients. For details on configuring security settings, refer to the Security Settings section.
• Network Settings: The VLAN and DHCP settings for the Wi-Fi profile are configured under network
settings. For details on configuring network settings, refer to the Network Settings section.
• Captive Portal Settings: To enable captive portal on the Wi-Fi profile for guest login, you must
configure the captive portal settings. These settings comprise splash page configuration, walled
garden settings, external portal parameters etc. For details on configuring captive portal settings,
refer to the Captive Portal Settings section.
• Firewall Settings: Firewall rules for the Wi-Fi profile are configured under the firewall settings. The
incoming and outgoing traffic through a virtual AP can be controlled by defining firewall rules. For
details on configuring the firewall rules, refer to the Firewall Settings section.
• SSID Scheduling Settings: If you want to limit the duration for which the SSID is active, you can
define a schedule for the SSID. You can also specify if an SSID is to be permanently active or valid
for only a limited time duration. For details on SSID scheduling, refer to the SSID Scheduling section.
• Traffic Shaping & QoS Settings: Effective utilization of network bandwidth can be achieved by
setting an upload and download limit for the network, restricting the number of client associations,
enabling band steering and defining QoS parameters. You can configure these settings under traffic
shaping and QoS settings. For details on configuring these settings, refer to the Traffic Shaping and
QoS Settings section.
• BYOD - Device Onboarding Settings: These settings govern whether wireless clients can
connect to APs in a corporate network. For instance, if employees bring their own smart devices to
the office, the SSID profile can be configured to allow or disallow such devices from connecting to the
corporate network. You can also restrict access for such devices with the device onboarding settings.
For details on configuring these settings, refer to the BYOD - Device Onboarding section.
• Hotspot 2.0 Settings: If you want to deploy the AP in a Hotspot 2.0 operator's network such that the
AP functions as a Hotspot 2.0 AP, you must configure the Hotspot 2.0 settings as well. These are
configured in the Hotspot 2.0 tab. The Hotspot 2.0 settings are required only if you want to enable
hotspot 2.0 support on the AP; otherwise configuration of WLAN settings alone is sufficient. For
details on configuring these settings, refer to the Hotspot 2.0 Settings section.
You can choose to collect analytics data for reporting purpose about the client-AP association.
Association analytics and content analytics can be collected if you enable the collection of these analytics
in the Wi-Fi profile.
Association Analytics comprises the data related to the client - AP communication. The following data is
collected as association analytics.
• Client MAC address
• Protocol
• SSID of the network to which the client connects
• Location of the client
• Start time of client association with the AP (GMT)
• End time of client association with the AP (GMT)
• Start time of client association with the AP according to local time of the user
• End time of client association with the AP according to local time at the user
• Session duration
• Data transfer from client device in bytes
• Data transfer to client device in bytes
• Data rate in Kbps
• Smart device type
• Local Time Zone
The following information is present for each internet domain as content analytics information.
• Domain name
• Data transferred to the domain (in bytes)
• Data received from the domain (in bytes)
To add a Wi-Fi profile, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Select the location for which the Wi-Fi profile is to be created.
3. Click Add New Wi-Fi Profile. The WLAN and Hotspot 2.0 tabs are displayed.
4. Enter the following details on the WLAN tab.
Profile Name: Name of the Wi-Fi profile.
SSID: SSID or network name of the Wi-Fi profile. This would be the SSID of the wired network that the
wireless user would connect to.
Broadcast SSID: Enables or disables broadcast of the SSID in the wireless packets. Select the check box
to broadcast the SSID with the wireless packets. Leave it clear or deselect the check box if you do not
want to broadcast the SSID with the wireless packets.
Association Analytics: Enables or disables association analytics in reports. Select the check box to
enable association analytics in reports. Leave it clear or deselect the check box if you do not want
association analytics data in reports.
Content Analytics: Enables or disables content analytics in reports. This check box is visible only if you
have selected the Association Analytics check box. Content analytics capture information related to the
Internet domains or IP addresses accessed by the clients associated with the AirTight APs. Select the
check box to collect Internet domain access information as a part of association analytics. This
information is present in the CSV file downloaded through Reports>Analytics. Leave it clear or deselect
the check box if you do not want content analytics data in reports.
5. Fill in the other details based on how you want to configure the Wi-Fi profile. Refer to individual
sections on network settings, security settings, firewall settings, traffic shaping and QoS settings,
schedule SSID, captive portal settings, BYOD onboarding settings, Hotspot 2.0 Settings to configure the
respective settings.
6. Click Save to save and add the new Wi-Fi profile.
Replicate Wi-Fi Profile
If you have already created a Wi-Fi profile, you can create a similar Wi-Fi profile with minor changes.
To make a copy of an existing Wi-Fi profile with minor changes, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Select the location.
3. Open the Wi-Fi profile to replicate.
4. Enter a new name for the Wi-Fi profile.
5. Make the required changes to this profile.
6. Click Save As. A Wi-Fi profile is created with the new name.
Edit Wi-Fi Profile
The Wi-Fi profile can be edited only at the location where it has been created.
To edit a Wi-Fi profile, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Select the location for which the Wi-Fi profile has been created.
3. Click the Wi-Fi profile name hyperlink to edit.
4. Make the required changes.
5. Click Save to save the changes to the Wi-Fi profile.
Copy Wi-Fi profile to another location
To make a copy of an existing Wi-Fi profile to another location, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Select the location for which the Wi-Fi profile has been created.
3. On the SSID Profile page, select the check box for the SSID profile to copy to another location.
4. Click the Copy to location icon. The Select Location dialog box appears.
5. Select the location to which the Wi-Fi profile is to be copied. A copy of the selected Wi-Fi profile is
created at the selected location.
Delete Wi-Fi Profile
You cannot delete a Wi-Fi profile, if it is used in a device template. You can delete a Wi-Fi profile at a
selected location, only if you have defined the Wi-Fi profile at that location.
To delete a Wi-Fi profile, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Select the location for which the Wi-Fi profile has been created.
3. Click the Delete icon for the Wi-Fi profile. A message to confirm deletion appears.
4. Click Yes to confirm the deletion of the Wi-Fi profile.
Print List of Wi-Fi Profiles for Location
You can print a list of Wi-Fi profiles that have been defined for a location.
To print a list of Wi-Fi profiles at a location, do the following.
1. Go to Configuration>Device Configuration>SSID Profiles.
2. Click the Wi-Fi Profiles tab.
3. Select the columns that you want in the printed list. Click any column name to select or deselect
columns.
4. Click the Print icon. A print preview of the list appears.
5. Click Print to print the list.
Security Settings
The security settings for a virtual AP could be either of the following:
• Open: Open means no security settings are to be applied. This is the default security setting.
• WEP: WEP stands for Wired Equivalent Privacy. WEP is a deprecated security algorithm for
IEEE 802.11 networks. It is provided for backward compatibility purposes only.
• WPA2: WPA2 is the latest and more robust security protocol. It fully implements the IEEE
802.11i standard.
• WPA and WPA2 mixed mode: This stands for a mix of the WPA and WPA2 protocols.
PSK, or pre-shared key, is generally used for small office networks.
In larger enterprise networks, RADIUS authentication is used. Large enterprises sometimes use
RADIUS attributes to propagate network policies across multiple points of access. Users are divided into
groups and policies are applied to each group to effectively control access to network resources. Each
user group is redirected to a different VLAN based on the policies applicable to that user group. For
instance, sales personnel would have access to a VLAN that is different from the VLAN accessed by HR
personnel.
An AirTight AP can retrieve the VLAN associated with the RADIUS user from the RADIUS server. This
option is available only for WPA2, and WPA and WPA2 mixed mode when 802.1x is enabled on the Wi-Fi
profile.
Based on the VLAN returned by the RADIUS server, the AirTight AP dynamically redirects the network
traffic of a RADIUS-authenticated user to the VLAN that is associated with the group to which the user
belongs. Until the RADIUS server authenticates the user, the EAP packets will pass through the default
VLAN.
Note: The VLAN ID that is set in the Wi-Fi profile network settings is used as the default VLAN.
To enable RADIUS-based assignment of VLANs, you must enable dynamic VLANs on the Wi-Fi profile
and specify a list of dynamic VLANs that RADIUS users can be redirected to. If the VLAN specific to the
user group is not present, the default VLAN is used.
The following RADIUS attributes must be set on the RADIUS side for each user group for the RADIUS
server and AirTight AP communication.
Tunnel Type: Set this to VLAN.
Tunnel Medium Type: Set this to 802.
Tunnel Private Group ID: Enter the VLAN ID to be assigned to the user group.
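To make the RADIUS side concrete, here is an added Python example (not AirTight's code) that encodes the three tunnel attributes above for a user group, parses them back the way an AP would, and applies the guide's fallback rule for a returned VLAN that is missing or not in the profile's dynamic VLAN list; it also builds the NAS-Identifier attribute (attribute 32) described under the 802.1x fields. The attribute numbers and values come from RFC 2865 and RFC 2868; the function names and the sample VLAN IDs are assumptions of the example.

```python
import struct

# RADIUS attribute numbers (RFC 2865 / RFC 2868) and the values the guide asks
# for: Tunnel-Type "VLAN" and Tunnel-Medium-Type "802" (IEEE-802).
NAS_IDENTIFIER = 32
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type, payload):
    """Encode one attribute as Type, Length, Value (RFC 2865 section 5)."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(payload)) + payload


def encode_tunnel_attrs(vlan_id, tag=0):
    """Build the three attributes the guide requires for a user group.

    Tunnel-Type and Tunnel-Medium-Type carry a tag byte plus a 3-byte integer;
    Tunnel-Private-Group-ID carries the tag byte followed by the VLAN ID as a
    string (RFC 2868).  Tag 0 means the attributes are untagged.
    """
    return (encode_avp(TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + encode_avp(TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + encode_avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")))


def parse_avps(data):
    """Split a concatenated attribute list into (type, value) pairs.

    A length shorter than the 2-byte header or running past the buffer raises
    ValueError rather than being silently truncated.
    """
    attrs, pos = [], 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, bytes(data[pos + 2:pos + length])))
        pos += length
    return attrs


def radius_vlan(attrs):
    """Return the VLAN ID named by the tunnel attributes, or None.

    The VLAN is honoured only when Tunnel-Type is VLAN, Tunnel-Medium-Type is
    IEEE-802 and Tunnel-Private-Group-ID is a decimal VLAN ID; anything else
    counts as "no VLAN returned".
    """
    tunnel_type = medium = group_id = None
    for attr_type, value in attrs:
        if attr_type == TUNNEL_TYPE and len(value) == 4:
            tunnel_type = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_MEDIUM_TYPE and len(value) == 4:
            medium = int.from_bytes(value[1:], "big")
        elif attr_type == TUNNEL_PRIVATE_GROUP_ID and value:
            # A first byte <= 0x1F is a tag; otherwise it is part of the string.
            group_id = value[1:] if value[0] <= 0x1F else value
    if tunnel_type != TUNNEL_TYPE_VLAN or medium != TUNNEL_MEDIUM_IEEE_802 or group_id is None:
        return None
    try:
        vlan = int(group_id.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None
    return vlan if 1 <= vlan <= 4094 else None


def parse_dynamic_vlans(text):
    """Parse the comma-separated dynamic VLAN list entered in the Wi-Fi profile."""
    return {int(item) for item in text.split(",") if item.strip()}


def assign_vlan(attrs, default_vlan, dynamic_vlans):
    """Apply the guide's rule: use the RADIUS VLAN only if it is one of the
    configured dynamic VLANs; otherwise keep the profile's default VLAN."""
    vlan = radius_vlan(attrs)
    return vlan if vlan is not None and vlan in dynamic_vlans else default_vlan


def nas_identifier(template, ap_mac, ssid, shared_secret):
    """Expand the NAS ID template (%m = AP MAC, %s = SSID) and enforce the guide's
    rule that the NAS ID must differ from the RADIUS shared secret."""
    nas_id = template.replace("%m", ap_mac).replace("%s", ssid)
    if nas_id == shared_secret:
        raise ValueError("NAS ID must not equal the RADIUS shared secret")
    return encode_avp(NAS_IDENTIFIER, nas_id.encode("ascii"))
```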
The following image illustrates security settings.
The following table explains the fields present on the Add/Edit Wi-Fi profile dialog box and in the
Security Settings. Click Security Settings to view the fields under Security Settings.
Profile Name: This field specifies the name of the profile.
SSID: This field specifies the SSID of the wireless profile. This is a mandatory field.
Broadcast SSID: This check box indicates whether the SSID is to be broadcast in the beacon frames for
this virtual AP. If selected, the beacon for this virtual AP carries the SSID.
Client Isolation: This check box indicates whether communication between two wireless clients of this
virtual AP is enabled or disabled. If selected, wireless client-to-client communication is disabled for the
virtual AP.
Enable P2P Cross Connection: Select this check box to enable the P2P cross connection bit. When a
client is connected to a Wi-Fi Direct network and to an AirTight AP in an infrastructure network, it is
possible to bridge these two networks. When you enable the P2P cross connection bit, the Wi-Fi Direct
network and the infrastructure network can be bridged by the client. Otherwise, the AP instructs the client
not to cross-connect the infrastructure network to the Wi-Fi Direct network, thus enhancing the security of
the wireless network. The P2P cross connection is disabled by default.
Limit number of associations: This field specifies the maximum number of clients that can associate
with the AP. Select the check box and then specify the number of clients.
Security Mode: This specifies the security mode applied to the virtual AP. The possible values are Open,
WEP, WPA, WPA2, and WPA and WPA2 mixed mode.
Fields related to security mode WEP
Authentication Type: Select Open if the authentication type is open. In case of open authentication, the
key is used for encryption only. Select Shared if the authentication type is shared key. In case of shared
key authentication, the same key is used for both encryption and authentication.
WEP Type: Select WEP40 if 40-bit WEP security is used. Select WEP104 if 104-bit WEP security is used.
Key Type: Select the ASCII option if you are comfortable with the ASCII format and want to enter the WEP
key in that format. The Sensor/AP combo converts it to hexadecimal internally. Select the HEX option if
you are comfortable with the hexadecimal format and want to enter the WEP key in that format.
Key: The WEP key is a sequence of hexadecimal digits. If WEP Type is WEP40, enter the key as a
5-character ASCII key or a 10-digit hexadecimal key, depending on the Key Type you selected. If WEP
Type is WEP104, enter the key as a 13-character ASCII key or a 26-digit hexadecimal key, depending on
the Key Type you selected.
Show Key: Select this check box to see the actual key on the screen. If this check box is cleared, the key
is masked.
Fields related to security mode WPA/WPA2/WPA and WPA2 Mixed Mode
PSK: Select the PSK option if you want to use a pre-shared key. The Pass Phrase field is enabled when
this option is selected.
Pass Phrase: Specify the shared key, 8 to 63 ASCII characters long, for PSK authentication.
Show Key: Select this check box to see the actual pass phrase on the screen. If this check box is cleared,
the key is masked.
802.1x: Select the 802.1x option if you want to use a RADIUS server for authentication. The fields on the
Authentication and Accounting tabs are enabled on selecting this check box. You can enable dynamic
VLANs after selecting this check box.
Opportunistic Key Caching: Select the check box to enable client fast handoffs using the opportunistic
key caching method. Note that key caching works within the same subnet only and not across subnets.
Pre-authentication: Select the Pre-Authentication check box to enable client fast handoffs using the
Pre-Authentication method.
NAS ID: This field is used when a network access server (NAS) serves as a single point of access to
network resources. Generally, a NAS supports hundreds of simultaneous users. When a RADIUS client
connects to a NAS, the NAS sends access request packets to the RADIUS server. These packets must
contain either the NAS IP address or the NAS identifier. The NAS ID or NAS-Identifier is used to
authenticate RADIUS clients with the RADIUS server. You can specify a string for the NAS ID. The default
value is %m-%s, where %m represents the Ethernet MAC address of the AP and %s represents the SSID
of the WLAN. This corresponds to the NAS-Identifier attribute on the RADIUS server. The attribute ID for
the NAS-Identifier RADIUS attribute is 32. Ensure that the NAS ID is not the same as the shared secret
configured for the RADIUS server in the RADIUS Authentication section.
Enable dynamic VLANs: Select the check box to enable the AP to accept the VLAN for the current user
from the RADIUS server. When dynamic VLANs are enabled, the BYOD, firewall, portal and NAT features
are disabled for the Wi-Fi profile. When the check box is selected, you can enter a list of dynamic VLANs
in the box adjoining this check box. The list of dynamic VLANs must be a comma-separated list of VLAN
IDs. If the RADIUS server does not return a VLAN ID, or returns a VLAN ID that is not in the list of
dynamic VLANs configured in the Wi-Fi profile, the AirTight AP redirects the user traffic to the default
VLAN (that is, the VLAN ID specified in the Wi-Fi profile network settings).
Fields in the Authentication Tab - Primary RADIUS Server area
Server IP: Enter the IP address of the primary RADIUS server here.
Port Number: Enter the port number at which the primary RADIUS server listens for client requests.
Shared Secret: Enter the secret shared between the primary RADIUS server and the AP.
Fields in the Authentication Tab - Secondary RADIUS Server area
Server IP: Enter the IP address of the secondary RADIUS server here.
Port Number: Enter the port number at which the secondary RADIUS server listens for client requests.
Shared Secret: Enter the secret shared between the secondary RADIUS server and the AP.
Field in the Accounting Tab
Enable RADIUS Accounting: Select this check box to enable RADIUS Accounting. The other fields on
the Accounting tab are enabled on selecting this check box. Define the primary RADIUS accounting
server, and optionally a secondary RADIUS accounting server, in the Accounting tab.
Fields in the Accounting Tab - Primary Accounting Server area
Server IP: Enter the IP address of the primary accounting server here.
Port Number: Enter the port number at which the primary accounting server listens for client requests.
Shared Secret: Enter the secret shared between the primary accounting server and the AP.
Fields in the Accounting Tab - Secondary Accounting Server area
Server IP: Enter the IP address of the secondary accounting server here.
Port Number: Enter the port number at which the secondary accounting server listens for client requests.
Shared Secret: Enter the secret shared between the secondary accounting server and the AP.
Configure Network Settings for Wi-Fi Profile
Configure the VLAN and DHCP settings, to be used by the SSID profile, using the Network section.
The following image illustrates network settings.
Network Settings
A bridged network is used when the AP and the clients associating with the AP can be in the same
subnet.
Network Address Translation (NAT) is used instead when you want the clients in a subnet separate from
the subnet of the AP. With NAT, the clients can have a private IP address pool, and it is easier to add
more clients to the network because they do not require a public IP address.
A wireless LAN, on which NAT is enabled, can be extended to the wired side using the second Ethernet
port present on the Access Point device. Create an isolated wired LAN with one or more wired devices
connected through layer-2 switches and connect the second Ethernet port of the Access Point to this
wired subnet. The wired LAN will be an extension of the wireless LAN of this SSID profile with NAT
enabled. All network settings like NAT and portal, configured on this SSID profile, are also applicable to
the wired devices.
Note: The second Ethernet port is available on some specific AirTight device models only.
When you are configuring NAT parameters, you must specify at least one DNS server. On successful
association, wireless clients will get the specified DNS servers. You can specify up to three such DNS
server IP addresses.
Generic Routing Encapsulation (GRE) is useful when you want to route network traffic from and to a
single end point and apply policies on this end point.
IMPORTANT: GRE works only when NAT is enabled.
To configure network address translation settings, do the following.
1. Specify the VLAN ID for which the bridging or NAT settings would be applicable.
2. Select the NAT check box if you want to enable NAT.
3. Specify the following NAT related settings if you have enabled NAT.
NAT: Select this check box to enable NAT (network address translation). Enable NAT if you want to
enable wired extension.
Start IP address: The starting IP address of the DHCP address pool in the selected network ID.
End IP address: The end IP address of the DHCP address pool in the selected network ID.
Local IP address: An IP address in the selected network ID outside of the DHCP address pool. This
address is used as the gateway address for the guest wireless network.
Subnet Mask: The net mask for the selected network ID.
Lease Time: The DHCP lease time in minutes. The minimum value is 30 minutes; the maximum value is
1440 minutes.
DNS Servers: The DNS servers that the wireless clients can make DNS queries to. You can specify up to
3 DNS servers.
Enable Wired Extension: Select this check box to extend this wireless LAN to the wired side using the
second Ethernet port present on the AirTight device functioning as an access point.
4. Select GRE if you want to enable Generic Routing Encapsulation (GRE).
The following table describes the Generic Routing Encapsulation related fields.
GRE: Select this check box to enable Generic Routing Encapsulation and to be able to define the GRE
related parameters present on this page.
Tunnel IP Address: IP address of the GRE tunnel interface on the access point. This IP address should
not conflict with any other network setting in the access point.
Remote Endpoint IP Address: IP address of the remote endpoint of the GRE tunnel.
Key: Key in the GRE header. If configured, the key must be the same at both ends of the tunnel.
Configuring a key is not mandatory for a GRE tunnel.
Exempted Host/Network List: Comma-separated list of networks and/or IP addresses that are exempted
from using the GRE tunnel.
5. Click Save to save the changes to the network settings.
Edit Network Settings
To edit network address translation settings, do the following.
1. Specify the VLAN ID for which the NAT settings would be applicable.
2. Deselect the NAT check box if you want to disable NAT and have a bridged network instead. In case
you want to continue using NAT and only want to edit NAT settings, edit them as required.
NAT: Select this check box to enable NAT (network address translation).
Start IP address: The starting IP address of the DHCP address pool in the selected network ID.
End IP address: The end IP address of the DHCP address pool in the selected network ID.
Local IP address: An IP address in the selected network ID outside of the DHCP address pool. This
address is used as the gateway address for the guest wireless network.
Subnet Mask: The net mask for the selected network ID.
Lease Time: The DHCP lease time in minutes. The minimum value is 30 minutes; the maximum value is
1440 minutes.
DNS Servers: The DNS servers that the guest clients can make DNS queries to.
Enable Wired Extension: Select this check box to extend this wireless LAN to the wired side using the
second Ethernet port present on the AirTight device functioning as an access point.
3. Select the GRE check box if you want to enable Generic Routing Encapsulation (GRE).
The following table describes the Generic Routing Encapsulation related fields.
GRE: Select this check box to enable Generic Routing Encapsulation and to be able to define the GRE
related parameters present on this page.
Tunnel IP Address: IP address of the GRE tunnel interface on the access point. This IP address should
not conflict with any other network setting in the access point.
Remote Endpoint IP Address: IP address of the remote endpoint of the GRE tunnel.
Key: Key in the GRE header. If configured, the key must be the same at both ends of the tunnel.
Configuring a key is not mandatory for a GRE tunnel.
Exempted Host/Network List: Comma-separated list of networks and/or IP addresses that are exempted
from using the GRE tunnel.
In case you do not want to use GRE, clear the GRE check box.
4. Click Save to save the changes to the network settings.
Enable Layer 2 inspection and Filtering
L2 inspection and filtering prevents frames exchanged between two mobile devices from being delivered
by the Wi-Fi access network without first being inspected and filtered in either the hotspot operator
network or the Service Provider core network. Such processing provides some protection for mobile
devices against attack. The inspection and filtering mechanism itself is outside the scope of the Wi-Fi
profile settings.
If you want to inspect the packets exchanged between two clients in a Wi-Fi network on a wired side host,
do the following.
1. Select the Enable Layer 2 Traffic Inspection and Filtering check box.
2. Click Save to save the changes. You can use a packet capture tool to view the packets on the wired
side.
Inspection of layer 2 packets by AirTight AP is not supported.
Disable Downstream Group Addressed Forwarding
The purpose of the Downstream Group Addressed Forwarding (DGAF) Disable feature is to mitigate a
"hole-196" attack. By IEEE 802.11i design, all STAs in a BSS use the same GTK, so forgery of
group-addressed frames is always possible. However, in some hotspots a multicast service using
group-addressed frames is needed; in these cases, the DGAF Disable bit would be set to 0.
You must enable the proxy ARP setting to disable DGAF.
To disable DGAF and mitigate a hole-196 attack, do the following.
1. Select the Enable Proxy ARP Setting check box. The Disable DGAF check box is enabled.
2. Select the Disable DGAF check box to ensure future attacks that exploit the GTK can be mitigated.
3. Click Save to save the changes.
Enable/Disable DHCP Option 82
DHCP Option 82 is generally used in a distributed DHCP server environment where an AP inserts
additional information to identify the client point of attachment. The circuit ID represents the client point of
attachment. The DHCP Option 82 is available for a bridged SSID only.
When the DHCP option 82 is enabled and the AP receives DHCP packets from the client, a circuit ID is
appended by the AP to the DHCP packets from the client. It then forwards this DHCP request to the
DHCP server. Based on the circuit ID in the DHCP request, the DHCP server makes a decision on the IP
pool from which to assign an IP address to the client. When the DHCP assigns the IP address and
passes it to the AP, the AP passes it on to the client after stripping the circuit ID.
To enable DHCP Option 82 while creating or editing a Wi-Fi profile, do the following.
1. Under Network Settings, select the Bridged option.
2. Select the DHCP Option 82 check box.
3. Enter the Circuit ID.
You can use the special formats %s, %m and %l.
%s is replaced by the AP with the SSID.
%m is replaced by the AP with the AP MAC address.
%l is replaced by the AP with the location tag configured for the location to which the AP is assigned.
The location tag can be configured from Configuration>System Settings>Location Specific Attributes.
4. Click Save to save the changes.
The following image presents a sample DHCP Option 82 configuration in a Wi-Fi profile. Here the circuit
ID is constructed by replacing %s with the SSID and %l with the respective location tag.
The following image illustrates DHCP Option 82 related configuration.
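As an added illustration of the Option 82 flow just described (example code, not the AP's implementation), the following Python expands the %s/%m/%l circuit ID, appends Option 82 with the Circuit ID sub-option to a client's DHCP options on the way to the server, and strips it from the reply on the way back. The option and sub-option codes follow RFC 2132 and RFC 3046; the sample options, the SSID, MAC and location tag, and the function names are constructed for the example.

```python
# DHCP option codes (RFC 2132) and the Relay Agent Information option (RFC 3046).
OPTION_PAD = 0
OPTION_END = 255
OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1


def expand_circuit_id(template, ssid, ap_mac, location_tag):
    """Expand the %s (SSID), %m (AP MAC) and %l (location tag) formats the guide
    describes.  Substitution is single-pass, so a format character that happens
    to appear inside a substituted value is not expanded a second time."""
    values = {"s": ssid, "m": ap_mac, "l": location_tag}
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template) and template[i + 1] in values:
            out.append(values[template[i + 1]])
            i += 2
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


def parse_options(options):
    """Split the DHCP options field (the bytes after the magic cookie) into
    (code, value) pairs.  PAD bytes are skipped and END terminates parsing;
    a length running past the buffer raises ValueError."""
    pairs, pos = [], 0
    while pos < len(options):
        code = options[pos]
        if code == OPTION_END:
            break
        if code == OPTION_PAD:
            pos += 1
            continue
        if pos + 2 > len(options) or pos + 2 + options[pos + 1] > len(options):
            raise ValueError("malformed DHCP option")
        length = options[pos + 1]
        pairs.append((code, bytes(options[pos + 2:pos + 2 + length])))
        pos += 2 + length
    return pairs


def build_options(pairs):
    """Serialise (code, value) pairs back into an options field ending in END."""
    out = bytearray()
    for code, value in pairs:
        if len(value) > 255:
            raise ValueError("DHCP option value too long")
        out += bytes([code, len(value)]) + value
    out.append(OPTION_END)
    return bytes(out)


def insert_option_82(options, circuit_id):
    """Client-to-server direction: append Option 82 carrying the Circuit ID
    sub-option.  Any Option 82 already present in the client's packet is
    discarded first (an assumption of this example, not a statement of the
    product's behaviour) so the server only ever sees the AP's own circuit ID."""
    pairs = [p for p in parse_options(options) if p[0] != OPTION_RELAY_AGENT_INFO]
    suboption = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
    return build_options(pairs + [(OPTION_RELAY_AGENT_INFO, suboption)])


def strip_option_82(options):
    """Server-to-client direction: remove Option 82 before the reply reaches the client."""
    return build_options([p for p in parse_options(options) if p[0] != OPTION_RELAY_AGENT_INFO])


def circuit_id_from(options):
    """What the DHCP server reads: the Circuit ID sub-option of Option 82, or None."""
    for code, value in parse_options(options):
        if code != OPTION_RELAY_AGENT_INFO:
            continue
        pos = 0
        while pos + 2 <= len(value):
            sub, length = value[pos], value[pos + 1]
            if sub == SUBOPT_CIRCUIT_ID:
                return value[pos + 2:pos + 2 + length]
            pos += 2 + length
    return None
```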
To disable DHCP option 82, do the following.
1. Under Network Settings for a Wi-Fi profile, deselect the DHCP Option 82 check box.
2. Click Save to save the changes.
Enable/Disable Remote Bridging
To channelize all wireless traffic to a remote endpoint or gateway through a tunnel, you must enable
remote bridging. The remote endpoint or gateway aggregates wireless frames from different access
points and forwards them to the appropriate network.
You must configure a network interface profile before you enable remote bridging so that you can assign
the network interface profile to the SSID profile. When you enable remote bridging and assign a network
interface profile to the SSID profile, the wireless traffic from the AP is bridged to the remote endpoint
configured in the network interface profile. The traffic is rerouted to the appropriate network from this
remote endpoint.
When you disable remote bridging, the AP stops diverting the wireless traffic to the remote endpoint
configured in the network interface profile that was selected when remote bridging was enabled.
Remote bridging does not work with NAT.
To enable remote bridging, do the following.
1. Under Network Settings for a Wi-Fi profile, select the Bridged option.
2. Select the Remote Bridging check box.
3. Select a network interface profile from the Network Interface Profile drop-down box.
4. Click Save to save the changes.
The figure below shows the remote bridging enabled and wireless traffic being diverted to a network
interface profile by the name ‘remote_us_nw’.
To disable remote bridging, do the following.
1. Under Network Settings for a Wi-Fi profile, deselect the Remote Bridging check box.
2. Click Save to save the changes.
Captive Portal Settings
A captive portal is a web page that a client on the network is directed to when the client wants to access
the Internet.
The client is authenticated on this page and is able to access the Internet after successful authentication.
A wireless profile can be configured to serve as a guest network to provide restricted wireless connectivity
(e.g., Internet only) to guest wireless clients. Multiple such guest networks are supported in AirTight Wi-Fi.
Supported Captive Portal Types
The following three types of captive portals are supported in AirTight Wi-Fi or AirTight WIPS.
1. AP hosted splash page with click through
2. External splash page for sign-in or click through
3. External splash page with RADIUS authentication
These are explained in detail below.
1. AP hosted splash page with click through: A ‘click-through’ splash page is a splash page on which
no authentication is performed. The portal pages are hosted and served by the AP. The portal page can
be used to display the terms and conditions of accessing the guest network as well as any other
information as needed.
Steps involved in this type of access are as follows.
(a) The Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP
protocol.
(b) The AirTight AP intercepts this request and serves the portal page hosted on the AP to the guest user.
(c) The guest user accepts the terms and conditions and submits the portal page.
(d) The AP opens the gate for the client, and the client is redirected to the redirect URL (if any) or to the
originally requested URL.
Following is a pictorial representation of AP hosted splash page with click through.
2. External Splash Page for Sign-In/Click-through: The portal is hosted on an external server.
The portal is either click-through without any authentication or has its own authentication mechanism
in place.
Steps involved in this type of access are as follows.
(a) The Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP
protocol.
(b) The AirTight AP intercepts this request and redirects the browser to the configured external portal
page, passing the request parameters as GET parameters of the redirected URL.
(c) The portal authenticates the guest user by presenting a sign-in or click-through splash page to the
wireless user.
(d) After authentication, the portal redirects the client back to the AP with a success or failure reply. If the
AP and the portal are configured with a shared secret, the portal includes a validation code that the AP
uses to validate the reply from the portal. Using a shared secret between the AP and the portal prevents
a fake user from gaining access by spoofing the portal's reply.
(e) After successful validation, the AP opens the gate for the client, and the client is redirected to the
redirect URL (if any) or to the originally requested URL.
Following is a pictorial representation of External splash page for Sign-in/click-through.
3. External Splash Page with RADIUS Authentication: The guest user is redirected to a portal
hosted on an external server. The guest user is authenticated by a RADIUS server when he logs in
to the external portal.
Steps involved in this type of access are as follows.
(a) The Wi-Fi user connects to the guest SSID and opens a URL from any web browser using the HTTP
protocol.
(b) The AirTight AP intercepts this request and redirects the browser to the configured external portal
page, passing the request parameters as GET parameters of the redirected URL.
(c) The portal prompts the user with the splash page to enter a username and password.
(d) The user submits the username and password.
(e) The portal redirects the guest user to the AP with the username and the password encoded using the
shared secret.
(f) The AirTight AP authenticates the guest user against the RADIUS server using the username and the
decoded password.
(g) The RADIUS server replies with an Access-Accept or Access-Reject message for the guest user.
(h) The AirTight AP opens Internet access for the client and redirects the client to the redirect URL (if
any) or to the originally requested URL.
Following is a pictorial representation of External splash page with RADIUS authentication.
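The shared secret between the AP and the external portal (step (d) of type 2, and the encoded password of step (e) of type 3) is what stops a client from simply browsing to the AP's return URL with a hand-crafted "success" reply. The guide does not specify AirTight's actual validation-code or password-encoding algorithm, so the following added example (not the product's code) illustrates the principle with an assumed scheme: the portal computes an HMAC-SHA256 over the reply parameters with the shared secret, and the AP recomputes it, compares in constant time, and also rejects stale replies. The AP URL, parameter names, MAC address and secret are all constructed sample values.

```python
import hmac
import hashlib
import time
from urllib.parse import urlencode, parse_qsl, urlsplit

# Constructed sample secret; in practice this is configured on both the AP and the portal.
SHARED_SECRET = b"constructed-shared-secret"


def sign_reply(params, secret=SHARED_SECRET):
    """Validation code: HMAC-SHA256 over the parameters in a canonical (sorted) order.
    Assumed scheme for illustration, not AirTight's documented algorithm."""
    canonical = "&".join(f"{k}={params[k]}" for k in sorted(params))
    return hmac.new(secret, canonical.encode(), hashlib.sha256).hexdigest()


def portal_build_redirect(ap_base, client_mac, result, secret=SHARED_SECRET, now=None):
    """Portal side (step (d)): redirect the client back to the AP with a signed success/failure reply."""
    ts = int(time.time() if now is None else now)
    params = {"client": client_mac, "result": result, "ts": str(ts)}
    params["code"] = sign_reply(params, secret)
    return ap_base + "?" + urlencode(params)


def ap_validate_redirect(url, secret=SHARED_SECRET, max_age=300, now=None):
    """AP side (step (e)): decide whether to open the gate. Returns (accepted, reason)."""
    params = dict(parse_qsl(urlsplit(url).query))
    code = params.pop("code", None)
    if code is None:
        return False, "missing validation code"
    # Recompute the HMAC over the received parameters and compare in constant time,
    # so a reply crafted without the secret, or altered after signing, is rejected.
    if not hmac.compare_digest(code, sign_reply(params, secret)):
        return False, "bad validation code"
    current = time.time() if now is None else now
    if abs(current - int(params.get("ts", "0"))) > max_age:
        return False, "stale reply"          # limits replay of a captured good reply
    if params.get("result") != "success":
        return False, "portal reported failure"
    return True, "ok"


if __name__ == "__main__":
    ap_url = "http://ap.example.invalid/portal-return"   # constructed AP return URL
    good = portal_build_redirect(ap_url, "aa:bb:cc:dd:ee:ff", "success")
    print("genuine reply:", ap_validate_redirect(good))
    forged = ap_url + "?client=aa%3Abb%3Acc%3Add%3Aee%3Aff&result=success&ts=0"
    print("reply without secret:", ap_validate_redirect(forged))
```

The design points worth noting are the canonical parameter order (so both sides sign the same bytes), the constant-time comparison, and the timestamp check; without the last one a valid reply captured once could be replayed indefinitely. The same shared-secret reasoning applies to type 3, where the password travels back through the client's browser and must not be readable or forgeable by that client.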
Set up Walled Garden
A walled garden is a method to provide restricted access to the Internet. Walled garden destination(s) can
be accessed at the specified port numbers without displaying the splash page. A domain (e.g.,
domain.com) also covers its subdomains (e.g., subdomain.domain.com).
Configure a list of exempted domains, subdomains, IP address ranges (e.g., 192.168.1.0/24) and port
numbers. Services on these IP addresses can be accessed without redirection to the portal page. If some
part of the portal page (e.g., images) is placed on a web server, the web server’s IP address must be
included in this list for the content to be displayed successfully.
If the mode of authentication is External Splash page for Sign-in/Click-through, you can restrict access to
walled garden destinations until the guest user accepts the terms and conditions specified on the splash
page.
Do the following to set up a walled garden.
1. Click Add. The Add Destination dialog opens.
2. Enter the details.
Destination: The domain name, subdomain name, host name, subnet or IP address to which the rule
applies. You can provide a comma-separated list of more than one entry here. For example,
192.168.8.173, www.facebook.com, 192.168.121.0/24.
Port: The port number. You can provide a comma-separated list of port numbers or port ranges here.
For example, 20-22, 81, 443.
3. To delete an exempted destination, select the entry and click Remove.
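The following is an added example, not code from the guide or from AirTight, showing the decision an AP has to make for each client request once a walled garden is configured: parse the Destination and Port fields in the formats shown above, then decide whether a given host and port is exempt from the splash page or must be redirected to the portal. It implements the rule that a domain entry covers its subdomains but not its parent domain, and that an IP entry may be a single address or a CIDR range. The sample rule and the request URLs are constructed; matching is done on the host name or address as the client requested it (how the product resolves names is not described in the guide).

```python
import ipaddress
from urllib.parse import urlsplit


def parse_ports(spec):
    """'20-22, 81, 443' -> {20, 21, 22, 81, 443}"""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    return ports


def parse_destinations(spec):
    """Split a comma-separated Destination field into (ip networks, domain names)."""
    nets, names = [], []
    for item in spec.split(","):
        item = item.strip().lower()
        if not item:
            continue
        try:
            nets.append(ipaddress.ip_network(item, strict=False))   # single IP or CIDR
        except ValueError:
            names.append(item.strip("."))                            # domain / host name
    return nets, names


class WalledGarden:
    """Exempt-destination list: each rule is one Add Destination entry."""

    def __init__(self):
        self.rules = []

    def add(self, destinations, ports):
        nets, names = parse_destinations(destinations)
        self.rules.append((nets, names, parse_ports(ports)))

    def allows(self, host, port):
        """True if host:port may be reached without the splash page."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        for nets, names, ports in self.rules:
            if port not in ports:
                continue                       # port must match in the same rule
            if addr is not None and any(addr in net for net in nets):
                return True
            if addr is None and any(host == n or host.endswith("." + n) for n in names):
                return True                    # domain entry also covers its subdomains
        return False


def needs_portal(url, garden):
    """Decide whether a client's request should be redirected to the captive portal."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return not garden.allows(parts.hostname, port)


if __name__ == "__main__":
    # Constructed rule using the example values from the Destination and Port fields above.
    garden = WalledGarden()
    garden.add("192.168.8.173, www.facebook.com,192.168.121.0/24", "20-22, 81, 443")
    for url in ("https://www.facebook.com/", "http://192.168.121.9:81/logo.png",
                "http://www.example.com/", "http://192.168.121.9/"):
        print(url, "-> portal" if needs_portal(url, garden) else "-> allowed")
```

Note that the port check is tied to the rule it belongs to: a destination listed with ports 20-22 does not become reachable on 443 because another entry allows 443.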
Configure Captive Portal Settings
To configure captive portal settings, do the following.
1. Select the Enable Captive Portal check box to display a portal page to clients using the guest
network.
2. Select the mode of access to the Internet through the captive portal. Do one of the following:
(a) Select the AP Hosted Splash Page with click through option. You must create a .zip file of the
portal page along with any other files such as images, style sheets, etc., and upload this file. The zip
file must satisfy the following requirements for the portal to work correctly.
a. The zip file should have a file with the name “index.html” at the root level (i.e., outside of
any other folder). This is the main portal page. It can have other files and folders (and
folders within folders) at the root level that are referenced by the index.html file.
b. The total unzipped size of the files in the bundle should be less than 100 KB. In cas