Psion 9160RA2050 PSION TEKLOGIX WIRELESS GATEWAY 802.11a/b/g User Manual 9160 Wireless Gateway

Psion Inc PSION TEKLOGIX WIRELESS GATEWAY 802.11a/b/g 9160 Wireless Gateway

Manual

DRAFTISO 9001 CertifiedQuality Management System  9160Wireless GatewayUser ManualDecember 21, 2005 Part No. 8000009.A
© Copyright 2005 by Psion Teklogix Inc., Mississauga, OntarioThis document and the information it contains is the property of Psion Teklogix Inc.,is issued in strict confidence, and is not to be reproduced or copied, in whole or inpart, except for the sole purpose of promoting the sale of Psion Teklogix manufac-tured goods and services. Furthermore, this document is not to be used as a basis fordesign, manufacture, or sub-contract, or in any manner detrimental to the interests ofPsion Teklogix Inc.All trademarks are the property of their respective holders.
Return-To-Factory WarrantyPsion Teklogix warrants a return-to-factory warranty for a period of one year. Pleasecontact your local Psion Teklogix office for details. For a list of offices, please referto Appendix A: “Support Services And Worldwide Offices”. The warranty on PsionTeklogix manufactured equipment does not extend to any product that has beentampered with, altered, or repaired by any person other than an employee of anauthorized Psion Teklogix service organization. See Psion Teklogix terms andconditions of sale for full details.ServiceWhen requesting service, please provide information concerning the nature of thefailure and the manner in which the equipment was used when the failure occurred.Type, model, and serial number should also be provided. Before returning anyproducts to the factory, call the Customer Services Group for a ReturnAuthorization number. Support ServicesPsion Teklogix provides a complete range of product support services to itscustomers. For detailed information, please refer to Appendix A: “Support ServicesAnd Worldwide Offices”. DisclaimerEvery effort has been made to make this material complete, accurate, and up-to-date. In addition, changes are periodically added to the information herein; thesechanges will be incorporated into new editions of the publication. Psion Teklogix Inc. reserves the right to make improvements and/or changes in theproduct(s) and/or the program(s) described in this document without notice, andshall not be responsible for any damages, including but not limited to consequentialdamages, caused by reliance on the material presented, including but not limited totypographical errors.
Psion Teklogix 9160 Wireless Gateway User Manual iTABLE OF CONTENTSApprovals and Safety Summary ..........................xiiiChapter 1:  Introduction1.1 About This Manual.............................. 31.2 Online Help Features, Supported Browsers, And Limitations ........ 61.3 Text Conventions . . ............................. 71.4 Overview Of The 9160 Wireless Gateway . . ................ 71.5 Features and Benefits............................. 81.5.1 IEEE Standards Support And Wi-Fi Compliance. . . .......... 81.5.2 Wireless Features.............................91.5.3 Security Features .............................91.5.4 Out-of-the-Box Guest Interface......................101.5.5 Clustering And Auto-Management....................101.5.6 Networking................................111.5.7 SNMP Support . .............................111.5.8 Maintainability ..............................111.6 What’s Next?.................................11Chapter 2:  Installation Requirements2.1 Choosing The Right Location ........................152.1.1 Environment................................152.1.1.1 9160 Wireless Gateway . .......................152.1.2 Maintenance................................162.1.3 Radios...................................162.1.4 Power And Antenna Cables........................162.1.4.1 Power.................................162.1.4.2 Antennas ...............................172.2 Connecting To External Devices.......................18
Contentsii Psion Teklogix 9160 Wireless Gateway User Manual2.2.1 Ports................................... 182.2.2 LAN Installation: Overview.......................192.2.3 LAN Installation: Ethernet........................ 192.2.3.1 Ethernet Cabling........................... 192.2.4 Status Indicators (LEDs)......................... 202.2.5 Connecting A Video Display Terminal ................. 202.3 Changing The Configuration With A Web Browser............20Chapter 3:  PreLaunch Checklist3.1 The 9160 Wireless Gateway ........................ 233.1.1 Default Settings For The 9160 Wireless Gateway............ 233.1.2 What The Access Point Does Not Provide ............... 263.2 Administrator’s Computer ......................... 263.3 Wireless Client Computers......................... 273.4 Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway................................... 283.4.1 How Does The Access Point Obtain An IP Address At Startup?.... 293.4.2 Dynamic IP Addressing.........................293.4.3 Static IP Addressing........................... 303.4.4 Recovering An IP Address........................ 30Chapter 4:  Quick Steps For Setup And Launch4.1 Unpack The 9160 Wireless Gateway . ................... 334.1.1 9160 Wireless Gateway Hardware And Ports . . ............ 334.1.2 What’s Inside The 9160 Wireless Gateway?. . . ............ 344.2 Connect The Access Point To Network And Power............ 344.2.1 A Note About Setting Up Connections For A Guest Network ..... 364.2.1.1 Hardware Connections For A Guest VLAN. ............ 364.3 Power On The Access Point ........................ 364.4 Run KickStart To Find Access Points On The Network .......... 374.5 Log On To The Administration Web Pages.................414.5.1 Viewing Basic Settings For Access Points................424.6 Configure ‘Basic Settings’ And Start The Wireless Network ....... 424.6.1 Default Configuration.......................... 44
Psion Teklogix 9160 Wireless Gateway User Manual iiiContents4.7 What’s Next?.................................444.7.1 Make Sure The Access Point Is Connected To The LAN.........444.7.2 Test LAN Connectivity With Wireless Clients..............444.7.3 Secure And Fine-tune The Access Point Using Advanced Features . . . 44Chapter 5:  Configuring Basic Settings5.1 Navigating To Basic Settings.........................475.2 Review / Describe The Access Point.....................485.3 Provide Administrator Password And Wireless Network Name.......495.4 Set Configuration Policy For New Access Points..............505.5 Update Basic Settings ............................515.6 Summary Of Settings.............................515.7 Basic Settings For A Standalone Access Point................525.8 Your Network At A Glance: Understanding Indicator Icons.........52Chapter 6:  Managing Access Points & Clusters6.1 Overview...................................556.2 Navigating To Access Points Management .................556.3 Understanding Clustering ..........................566.3.1 What Is A Cluster? ............................566.3.2 How Many APs Can A Cluster Support? . ................566.3.3 What Kinds Of APs Can Cluster Together?................566.3.4 Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?..............................576.3.4.1 Settings Shared In The Cluster Configuration............576.3.4.2 Settings Not Shared By The Cluster .................586.3.5 Cluster Mode...............................586.3.6 Standalone Mode.............................586.3.7 Cluster Formation.............................596.3.8 Cluster Size And Membership ......................596.3.9 Intra-Cluster Security...........................606.3.10Auto-Synch Of Cluster Configuration ..................606.4 Understanding Access Point Settings ....................606.5 Modifying The Location Description ....................61
Contentsiv Psion Teklogix 9160 Wireless Gateway User Manual6.6 Removing An Access Point From The Cluster............... 616.7 Adding An Access Point To A Cluster................... 626.8 Navigating To Configuration Information For A Specific AP And Managing Standalone APs...............................636.8.1 Navigating To An AP By Using Its IP Address In A URL....... 63Chapter 7:  Managing User Accounts7.1 Overview.................................. 677.2 Navigating To User Management For Clustered Access Points...... 687.3 Viewing User Accounts........................... 687.4 Adding A User ...............................697.5 Editing A User Account........................... 707.6 Enabling And Disabling User Accounts .................. 707.6.1 Enabling A User Account........................717.6.2 Disabling A User Account ........................ 717.7 Removing A User Account.........................717.8 Backing Up And Restoring A User Database................ 717.8.1 Backing Up The User Database..................... 717.8.2 Restoring A User Database From A Backup File ............ 72Chapter 8:  Session Monitoring8.1 Navigating To Session Monitoring..................... 758.2 Understanding Session Monitoring Information.............. 768.3 Viewing Session Information For Access Points.............. 778.4 Sorting Session Information......................... 788.5 Refreshing Session Information....................... 78Chapter 9:  Channel Management9.1 Navigating To Channel Management.................... 819.2 Understanding Channel Management.................... 819.2.1 How It Works In A Nutshell.......................829.2.2 For The Curious: More About Overlapping Channels . . . ...... 829.2.3 Example: A Network Before And After Channel Management..... 829.3 Configuring And Viewing Channel Management Settings......... 84
Psion Teklogix 9160 Wireless Gateway User Manual vContents9.3.1 Stopping/Starting Automatic Channel Assignment . . ..........849.3.2 Viewing Current Channel Assignments And Setting Locks.......859.3.2.1 Update Current Channel Settings (Manual)..............869.3.3 Viewing Last Proposed Set Of Changes . ................869.3.4 Configuring Advanced Settings (Customizing And Scheduling Channel Plans)...................................869.3.4.1 Update Advanced Settings......................88Chapter 10:  Wireless Neighborhood10.1 Navigating To Wireless Neighborhood....................9110.2 Understanding Wireless Neighborhood Information. . . ..........9110.3 Viewing Wireless Neighborhood.......................9210.4 Viewing Details For A Cluster Member...................94Chapter 11:  The Ethernet (Wired) Interface11.1 Navigating To Ethernet (Wired) Settings...................9911.1.1Setting The DNS Name.........................10011.1.2 Enabling Or Disabling Guest Access . . . ...............10011.1.2.1Configuring An Internal LAN And A Guest Network.......10011.1.2.2Enabling Or Disabling Guest Access................10111.1.2.3Specifying A Virtual Guest Network................10111.1.3 Enabling / Disabling Virtual Wireless Networks On The AP. . . . . . 10211.1.4Configuring Internal Interface Ethernet Settings............10211.1.5Configuring Guest Interface Ethernet (Wired) Settings.........10411.1.6Updating Settings............................104Chapter 12:  Setting the Wireless Interface12.1 Navigating To Wireless Settings......................10712.2 Configuring 802.11d Regulatory Domain Support.............10812.3 Configuring The Radio Interface......................10812.4 Configuring “Internal” Wireless LAN Settings ..............11012.5 Configuring “Guest” Network Wireless Settings .............11112.6 Updating Settings..............................111
Contentsvi Psion Teklogix 9160 Wireless Gateway User ManualChapter 13:  Configuring Security13.1 Understanding Security Issues On Wireless Networks ...........11513.1.1How Do I Know Which Security Mode To Use?............11513.1.2 Comparison Of Security Modes For Key Management, Authentication And Encryption Algorithms .........................11613.1.2.1When To Use Plain-text.......................11713.1.2.2When To Use Static WEP......................11713.1.2.3 When To Use IEEE 802.1x . . ...................11813.1.2.4When To Use WPA/WPA2 Personal (PSK).............11913.1.2.5When To Use WPA/WPA2 Enterprise (RADIUS) .........12013.1.3Does Prohibiting The Broadcast SSID Enhance Security?.......12213.1.4How Does Station Isolation Protect The Network?...........12313.2 Configuring Security Settings: Broadcast SSID, Station Isolation, and Security Mode ....................................12413.2.1Plain-text.................................12613.2.1.1Guest Network............................12613.2.2Static WEP................................12613.2.2.1Rules To Remember For Static WEP................12913.2.2.2Example Of Using Static WEP...................12913.2.2.3Static WEP With Transfer Key Indexes On Client Stations.....13113.2.3 IEEE 802.1x ...............................13113.2.4WPA/WPA2 Personal (PSK).......................13313.2.5WPA/WPA2 Enterprise (RADIUS)...................13613.3 Updating Settings..............................139Chapter 14:  Setting up Guest Access14.1 Understanding The Guest Interface.....................14314.2 Configuring The Guest Interface......................14414.2.1Configuring A Guest Network On A Virtual LAN...........14414.2.2Configuring The Welcome Screen (Captive Portal)...........14514.3 Using The Guest Network As A Client...................14614.4 Deployment Example............................146
Psion Teklogix 9160 Wireless Gateway User Manual viiContentsChapter 15:  Configuring VLANs 15.1 Navigating To Virtual Wireless Network Settings.............14915.2 Configuring VLANs............................14915.3 Updating Settings..............................151Chapter 16:  Configuring Radio Settings16.1 Understanding Radio Settings.......................15516.2 Navigating To Radio Settings .......................15616.3 Configuring Radio Settings.........................15716.4 Updating Settings..............................160Chapter 17:  MAC Address Filtering17.1 Navigating To MAC Filtering Settings...................16317.2 Using MAC Filtering............................16417.3 Updating Settings..............................164Chapter 18:  Load Balancing18.1 Understanding Load Balancing.......................16718.1.1 Identifying Imbalance: Overworked Or Under-utilized Access Points . 16718.1.2 Specifying Limits For Utilization And Client Associations . . . . . . 16718.1.3Load Balancing And QoS........................16818.2 Navigating To Load Balancing Settings..................16818.3 Configuring Load Balancing........................16918.4 Updating Settings..............................170Chapter 19:  Quality of Service (QoS)19.1 Understanding QoS.............................17319.1.1QoS And Load Balancing........................17319.1.2 802.11e And WMM Standards Support. . ...............17319.1.3QoS Queues And Parameters To Coordinate Traffic Flow.......17419.1.3.1QoS Queues And Type Of Service (ToS) On Packets.......17419.1.3.2 EDCF Control Of Data Frames And Arbitration Interframe Spaces17619.1.3.3 Random Backoff And Minimum/Maximum Contention Windows 177
Contentsviii Psion Teklogix 9160 Wireless Gateway User Manual19.1.3.4Packet Bursting For Better Performance ..............17819.1.3.5 Transmission Opportunity (TXOP) Interval For Client Stations . . 17819.2 Configuring QoS Queues..........................17819.2.1Configuring AP EDCA Parameters...................18019.2.2Enabling/Disabling Wi-Fi Multimedia..................18219.2.3Configuring Station EDCA Parameters.................18319.3 Updating Settings..............................184Chapter 20:  Wireless Distribution System20.1 Understanding The Wireless Distribution System.............18720.1.1Using WDS To Bridge Distant Wired LANs..............18720.1.2 Using WDS To Extend Network Beyond The Wired Coverage Area. . 18820.1.3 Backup Links and Unwanted Loops In WDS Bridges . . . ......18920.1.4Security Considerations Related To WDS Bridges...........19020.2 Configuring WDS Settings.........................19020.2.1Example Of Configuring A WDS Link.................19420.3 Updating Settings..............................195Chapter 21:  Network Time Protocol Server21.1 Navigating To Time Protocol Settings...................19921.2 Enabling Or Disabling A Network Time Protocol (NTP) Server......20021.3 Updating Settings..............................200Chapter 22:  The Administrator Password22.1 Navigating To Administrator Password Setting ..............20322.2 Setting The Administrator Password....................20322.3 Updating Settings..............................204Chapter 23:  Maintenance And Monitoring23.1 Interfaces . . . ...............................20723.1.1Ethernet (Wired) Settings........................20823.1.2Wireless Settings.............................20823.2 Event Logs .................................20823.2.1Log Relay Host For Kernel Messages..................209
Psion Teklogix 9160 Wireless Gateway User Manual ixContents23.2.1.1 Understanding Remote Logging . . . ...............20923.2.1.2Setting Up The Log Relay Host...................21023.2.1.3 Enabling Or Disabling The Log Relay Host On The Status, Events Page.............................21123.2.2Events Log................................21223.3 Transmit/Receive Statistics . . . ......................21223.4 Associated Wireless Clients........................21423.4.1Link Integrity Monitoring........................21423.4.2 What Is The Difference Between An Association And A Session? . . 21523.5 Neighboring Access Points . . . ......................21523.6 Rebooting The Access Point . . ......................21823.7 Resetting The Configuration To Factory Defaults.............21823.8 Upgrading The Firmware..........................21923.8.1Update..................................22123.8.2Verifying The Firmware Upgrade....................221Chapter 24:  Backing Up The Configuration24.1 Navigating To Backup And Restore Settings ...............22524.2 Backing Up Configuration Settings For An Access Point................................22524.3 Restoring Access Point Settings To A Previous Configuration . . . . . . 226Chapter 25:  Specifications25.1 Physical Description............................22925.2 Environmental Requirements........................22925.3 AC Power Requirements..........................22925.4 Power Over Ethernet Requirements....................23025.5 Processor And Memory ..........................23025.6 Network Interfaces . ............................23025.7 Mini-PCI Card Radios...........................230
ContentsxPsion Teklogix 9160 Wireless Gateway User ManualAppendicesAppendix A:  Support Services And Worldwide OfficesA.1 Technical Support ..............................A-1A.2 Product Repairs ...............................A-1A.3 Worldwide Offices .............................A-2Appendix B:  Port Pinouts And Cable DiagramsB.1 Console Port.................................B-1B.2 Serial Cable Descriptions..........................B-2B.3 RJ-45 Connector Pinouts (10BaseT/100BaseT Ethernet)..........B-3Appendix C:  Configuring Security Settings On Wireless ClientsC.1 Network Infrastructure And Choosing Between Built-in Or External Authenti-cation Server.................................C-4C.1.1 Using The Built-in Authentication Server (EAP-PEAP)........C-4C.1.2 Using An External RADIUS Server With EAP-TLS Certificates Or EAP-PEAP .................C-4C.2 Make Sure The Wireless Client Software Is Up-to-Date..........C-5C.3 Accessing The Microsoft Windows Wireless Client Security Settings . . . C-5C.4 Configuring A Client To Access An Unsecure Network (Plain-text Mode)C-7C.5 Configuring Static WEP Security On A Client...............C-8C.6 Configuring IEEE 802.1x Security On A Client . . ...........C-11C.6.1 IEEE 802.1x Client Using EAP/PEAP ................C-11C.6.2 IEEE 802.1x Client Using EAP/TLS Certificate ...........C-14C.7 Configuring WPA/WPA2 Enterprise (RADIUS) Security On A Client . C-18C.7.1 WPA/WPA2 Enterprise (RADIUS) Client Using EAP/PEAP....C-19C.7.2 WPA/WPA2 Enterprise (RADIUS) Client Using EAP-TLS Certificate.........................C-23C.8 Configuring WPA/WPA2 Personal (PSK) Security On A Client................................C-27C.9 Configuring An External RADIUS Server To Recognize The 9160 Wireless Gateway..................................C-30
Psion Teklogix 9160 Wireless Gateway User Manual xiContentsC.10Obtaining A TLS-EAP Certificate For A Client............. C-34Appendix D:  TroubleshootingD.1 Wireless Distribution System (WDS) Problems And Solutions . . . . . . D-3D.2 Cluster Recovery..............................D-4D.2.1 Reboot Or Reset Access Point.....................D-4D.2.2 Stop Clustering And Reset Each Access Point In The Cluster . . . . . D-5Appendix E:  GlossaryIndex............................................I
Psion Teklogix 9160 Wireless Gateway User Manual xiiiAPPROVALS AND SAFETY SUMMARYDECLARATION OF CONFORMITYProduct: 9160 Wireless GatewayApplication of Council Directives: EMC Directive:89/336/EECLow Voltage Directive:73/23/EECR&TTE Directive: 1999/5/EECConformity Declared to Standards:  EN 55022: 2003 Class BEN 61000-3-2; EN 61000-3-3EN 55024:2003ETSI EN 300 328:2003ETSI EN 301 489-17:2002EN 60950-1: 2001Manufacturer: PSION TEKLOGIX INC.2100 Meadowvale Blvd.Mississauga, Ontario; Canada L5N 7J9Year of Manufacture: 2005Manufacturer’s Address in the European Community: PSION TEKLOGIX S.A.La Duranne135 Rue Rene Descartes; BP 42100013591 Aix-En-ProvenceCedex 3; FranceType of Equipment: Information Technology EquipmentEquipment Class: Commercial and Light Industrial
Approvals And Safety Summaryxiv Psion Teklogix 9160 Wireless Gateway User ManualFCC StatementFCC DECLARATION OF CONFORMITY (DOC)Applicant’s Name & Address: PSION TEKLOGIX2100 Meadowvale Blvd.Mississauga, Ontario, Canada L5N 7J9Telephone No.: (905) 813-9900US Representative’s Name & Address: Psion Teklogix Corp.1810 Airport Exchange Blvd., Suite 500Erlanger, Kentucky, 41018, USATelephone No.: (859) 372-4329Equipment Type/ Environment Use:  Computing DevicesTrade Name / Model No.:  9160 Wireless GatewayYear of Manufacture:  2005Standard(s) to which Conformity is Declared:The 9160 Wireless Gateway, supplied by Psion Teklogix, has been tested and found to comply with FCC PART 15, SUBPART B - UNINTENTIONAL RADIATORS, CLASS B COMPUTING DEVICES FOR HOME & OFFICE USE.Applicant: Psion Teklogix Inc.Mississauga, Ontario, CanadaLegal Representative in US: Psion Teklogix Corp.Erlanger, Kentucky, USAThe 9160 Wireless Gateway has been tested and found to comply with the specifica-tions for a Class B digital device, pursuant to Part 15 of the FCC Rules. Operation issubject to the following two conditions:1. This device may not cause harmful interference, and2. This device must accept any interference received, including interfer-ence that may cause undesired operation.
Psion Teklogix 9160 Wireless Gateway User Manual xvApprovals And Safety SummaryThese limits are designed to provide reasonable protection against harmful interfer-ence in a residential installation. This equipment generates, uses, and can radiateradio frequency energy and, if not installed and used according to the instructions,may cause harmful interference to radio communications. However, there is noguarantee that interference will not occur in a particular installation. If this equip-ment does cause harmful interference to radio or television reception, which isfound by turning the equipment off and on, the user is encouraged to try to correctthe interference by one or more of the following measures:• Reorient or relocate the receiving antenna.• Increase the separation between the equipment or devices.• Connect the equipment to an outlet other than the receiver's.• Consult a dealer or an experienced radio/TV technician for assistance.FCC Caution: Any change or modification to the product not expressly approved by Psion Teklogix could void the user's authority to operate the device.RF Radiation Exposure StatementTo comply with the FCC and ANSI C95.1 RF exposure limits, the antenna(s) forthis device must comply with the following:• All Access Point antennas must operate with a separation distance of at least 25 cm (9.8 in.) from all persons using the cable provided, and must not be co-located or operating in conjunction with any other antenna or transmitter.Note: Dual antennas used for diversity operation are not considered co-located.Industry Canada (IC) Department Of Communications NoticeThis Class B digital apparatus complies with Canadian ICES-003 and RSS-210.“To prevent radio interference to the licensed service, this device is intended to beoperated indoors and away from windows to provide maximum shielding. Equip-ment (or its transmit antenna) that is installed outdoors is subject to licensing.”Cet appareil numérique de la classe B est conforme à la norme NMB-003 et CNR-210 du Canada.“Pour empêcher que cet appareil cause du brouillage au service faisant l'objet d'unelicence, il doit être utilisé à l'intérieur et devrait être placé loin des fenêtres afin defournir un écran de blindage maximal. Si le matériel (ou son antenne d'émission) estinstallé à l'extérieur, il doit faire l'objet d'une licence.”
Approvals And Safety Summaryxvi Psion Teklogix 9160 Wireless Gateway User ManualSAFETY APPROVALSCSA, NRTL/C and CB.CE MARKINGWhen used in a residential, commercial or light industrial environment, the product andits approved UK and European peripherals fulfill all requirements for CE marking.R&TTE DIRECTIVE 1999/5/ECThis equipment complies with the essential requirements of EU Directive 1999/5/EC (Declaration available: www.psionteklogix.com).Cet équipement est conforme aux principales caractéristiques définies dans la Directive européenne RTTE 1999/5/CE. (Déclaration disponible sur le site: www.psionteklogix.com).Die Geräte erfüllen die grundlegenden Anforderungen der RTTE-Richtlinie (1999/5/EG). (Den Wortlaut der Richtlinie finden Sie unter: www.psionteklogix.com).Questa apparecchiatura è conforme ai requisiti essenziali della Direttiva Europea R&TTE 1999/5/CE. (Dichiarazione disponibile sul sito: www.psionteklogix.com).Este equipo cumple los requisitos principales de la Directiva 1995/5/CE de la UE, “Equipos de Terminales de Radio y Telecomunicaciones”. (Declaración disponible en: www.psionteklogix.com).Este equipamento cumpre os requisitos essenciais da Directiva 1999/5/CE do Parla-mento Europeu e do Conselho (Directiva RTT). (Declaração disponível no endereço: www.psionteklogix.com).Ο εξοπλισμός αυτός πληροί τις βασικές απαιτήσεις της κοινοτικής οδηγίας EU R&TTE 1999/5/EΚ. (Η δήλωση συμμόρφωσης διατίθεται στη διεύθυνση: www.psionteklogix.com)Deze apparatuur voldoet aan de noodzakelijke vereisten van EU-richtlijn betref-fende radioapparatuur en telecommunicatie-eindapparatuur 199/5/EG. (verklaring beschikbaar: www.psionteklogix.com).Dette udstyr opfylder de Væsentlige krav i EU's direktiv 1999/5/EC om Radio- og teleterminaludstyr. (Erklæring findes på: www.psionteklogix.com).
Psion Teklogix 9160 Wireless Gateway User Manual xviiApprovals And Safety SummaryDette utstyret er i overensstemmelse med hovedkravene i R&TTE-direktivet (1999/5/EC) fra EU. (Erklæring finnes på: www.psionteklogix.com).Utrustningen uppfyller kraven för EU-direktivet 1999/5/EC om ansluten teleutrust-ning och ömsesidigt erkännande av utrustningens överensstämmelse (R&TTE). (Förklaringen finns att läsa på: www.psionteklogix.com).Tämä laite vastaa EU:n radio- ja telepäätelaitedirektiivin (EU R&TTE Directive 1999/5/EC) vaatimuksia. (Julkilausuma nähtävillä osoitteessa:www.psionteklogix.com).Psion Teklogix tímto prohlašuje, že 9160 Wireless Gateway je ve shodě se základními  požadavky a dalšími příslušnými ustanoveními směrnice 1995/5/ES (NV č. 426/2000 Sb.) a Prohlášení o shodě je k dispozici na www.psionteklogix.com. Toto zarízení lze provozovat v České republice na základě generální licence č. GL-12/R/2000.Psion Teklogix týmto vyhlasuje, že 9160 Wireless Gateway spĺňa základné požiadavky a všetky príslušné ustanovenia Smernice 1995/5/ES (NV č. 443/2001 Z.z.) a Vyhlásenie o zhode je k dispozícii na www.psionteklogix.com. Toto zariadenie je možné prevádzkovat’ v Slovenskej republike na základe Všeobecného povolenia č. VPR-01/2001.IMPORTANT SAFETY INSTRUCTIONSThis safety information is for the protection of both operating and service personnel.• The 9160 must be installed by a qualified Psion Teklogix installer—failure to have the 9160 properly installed will void the Manufacturer’s warranty.• The mains power cord (if sold separately) shall comply with National safety regulations of the country where the equipment is to be used.• Use of an attachment not recommended or sold by manufacturer may result in fire, electric shock, or personal injury.• To reduce risk of damage to the electric plug and cord when unplugging the 9160, pull the plug rather than the cord.• Make sure the cord is positioned so that it is not stepped on, tripped over, or otherwise subjected to damage or stress.• Do not operate the 9160 with a damaged cord or plug. Replace immediately.• Do not operate the 9160 if it has received a sharp blow, been dropped, or other-wise damaged in any way; it should be inspected by qualified service personnel.• Do not disassemble the 9160; it should be repaired by qualified service per-sonnel. Incorrect reassembly may result in electric shock or fire.
Approvals And Safety Summaryxviii Psion Teklogix 9160 Wireless Gateway User Manual• To reduce risk of electric shock, unplug the 9160 from the outlet before attempting any maintenance or cleaning.• An extension cord should not be used unless absolutely necessary. Use of an improper extension cord could result in fire or electric shock. If an exten-sion cord must be used, make sure:• The plug pins on the extension cord are the same number, size, and shape as those on the adaptor.• The extension cord is properly wired, in good electrical condition, and that the wire size is larger than 16 AWG.• The 9160 is designed for indoor use only; do not expose the 9160 to rain or snow.DO NOT OPERATE IN AN EXPLOSIVE ATMOSPHEREOperating Psion Teklogix equipment where explosive gas is present mayresult in an explosion.DO NOT REMOVE COVERS OR OPEN ENCLOSURESTo avoid injury, the equipment covers and enclosures should only beremoved by qualified service personnel. Do not operate the equipmentwithout the covers and enclosures properly installed.DO NOT HOLD ANTENNATo avoid discomfort due to the local heating effect of radio frequencyenergy, do not touch the antenna when a 9160 is transmitting.CONNECTION TO OUTDOOR ANTENNAThe outdoor antenna shall only be installed by Psion Teklogix service professionals.WASTE ELECTRICAL AND ELECTRONIC EQUIPMENT (WEEE) DIRECTIVE 2002/96/ECThis Product, and its accessories, comply with the requirements of theWaste Electrical and Electronic Equipment (WEEE) Directive 2002/96/EC.If your end-of-life Psion Teklogix product or accessory was first placed onthe European Union market on or after August 13th, 2005, contact yourlocal country representative for details on how to arrange recycling.For a list of international subsidiaries, please go to www.psionteklogix.com.
Psion Teklogix 9160 Wireless Gateway User Manual 1INTRODUCTION 11.1  About This Manual .............................. 31.2  Online Help Features, Supported Browsers, And Limitations ........ 61.3  Text Conventions . . ............................. 71.4  Overview Of The 9160 Wireless Gateway . . ................ 71.5  Features and Benefits.............................81.5.1  IEEE Standards Support And Wi-Fi Compliance . . . . . . . . . . . 81.5.2  Wireless Features...........................91.5.3  Security Features...........................91.5.4  Out-of-the-Box Guest Interface...................101.5.5  Clustering And Auto-Management.................101.5.6  Networking.............................111.5.7  SNMP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . 111.5.8  Maintainability ...........................111.6  What’s Next?..................................11
Psion Teklogix 9160 Wireless Gateway User Manual 3Chapter 1: IntroductionAbout This Manual1.1  About This ManualThis manual describes the setup, configuration, administration, and maintenance of one or more 9160 Wireless Gateways on a wireless network.Chapter 1: Introductionprovides an overview of this manual and 9160 Wireless Gateway features.Chapter 2: Installation Requirementsexplains the physical installation of the 9160 Wireless Gateway, and how to connect to the 9160 for diagnostics.Chapter 3: PreLaunch Checklistprovides a quick check of required hardware components, software, client con-figurations, and compatibility issues.Chapter 4: Quick Steps For Setup And Launchis a step-by-step guide to setting up your 9160 Wireless Gateways and the resulting wireless network.Chapter 5: Configuring Basic Settingsprovides instructions on configuring administrator access settings and new access point settings.Chapter 6: Managing Access Points & Clustersdescribes access point clusters and how to navigate to specific access points within clusters.Chapter 7: Managing User Accountsillustrates the user management capabilities for controlling client access to access points. Chapter 8: Session Monitoringdescribes real-time session monitoring information, including client association, data rates, transmit/receive statistics, signal strength, and idle time.Chapter 9: Channel Managementdescribes how the 9160 Wireless Gateway automatically assigns radio channels used by clustered access points to reduce mutual interference or interference with other access points outside of its cluster. Chapter 10: Wireless Neighborhoodprovides a detailed view of neighborhood access points, including identifying information, cluster status, and statistical information.
Chapter 1: IntroductionAbout This Manual4Psion Teklogix 9160 Wireless Gateway User ManualChapter 11: The Ethernet (Wired) Interfacedescribes how to configure the wired interface settings on the 9160 Wireless Gateway. Chapter 12: Setting the Wireless Interfacedescribes how to configure the wireless address and related settings on the 9160 Wireless Gateway. Chapter 13: Configuring Securityprovides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. The details of each security mode are described. Chapter 14: Setting up Guest Accessallows you to configure the 9160 Wireless Gateway for controlled guest access to an isolated network. Chapter 15: Configuring VLANsdescribes how to configure multiple wireless networks on Virtual LANs (VLANs).Chapter 16: Configuring Radio Settingsdescribes how to configure Radio Settings on the 9160 Wireless Gateway Chapter 17: MAC Address Filteringinstructs how you can use MAC address filtering to control client access to your wireless network. Chapter 18: Load Balancingdescribes how to configure Load Balancing on your wireless network, to allow you to balance the distribution of wireless client connections across multiple access points. Chapter 19: Quality of Service (QoS)provides instructions on configuring the parameters on multiple queues to improve the throughput and performance of differentiated wireless traffic. Chapter 20: Wireless Distribution Systemdescribes how to configure the Wireless Distribution System (WDS) on the 9160 Wireless Gateway, enabling you to connect multiple access points which can then communicate with one another wirelessly in a standardized way.
Psion Teklogix 9160 Wireless Gateway User Manual 5Chapter 1: IntroductionAbout This ManualChapter 21: Network Time Protocol Serverdescribes how to configure the 9160 Wireless Gateway to use a specified Network Time Protocol (NTP) server to synchronize computer clock times on your network.Chapter 22: The Administrator Passwordcontrols access to the Administration Web pages for the 9160 Wireless Gate-way. When the administration password is set and applied, the new password is updated and shared by all access points in the cluster.Chapter 23: Maintenance And Monitoringdescribes the maintenance and monitoring tasks for individual access points (not for cluster configurations).Chapter 24: Backing Up The Configurationshows how to backup a configuration file that can be used at a later date to restore the access point to the previously saved configuration. Chapter 25: Specificationsdetails the physical, environmental, and various operating specifications for the 9160 Wireless Gateway.Appendix A: Support Services And Worldwide Officespresents information for technical support, contacts, and the Psion Teklogix worldwide web address.Appendix B: Port Pinouts And Cable Diagramsincludes pinouts and diagrams of the ports and cables for the 9160.Appendix C: Configuring Security Settings On Wireless Clientsdetails how to configure security settings on the client to match the security mode being used by each network (AP) connection.Appendix D: Troubleshootingdescribes how to solve common problems possibly encountered while updating network configurations on networks served by multiple, clustered access points. Appendix E: Glossaryprovides definitions and further details on terms featured in bold italics through-out the manual.
Chapter 1: IntroductionOnline Help Features, Supported Browsers, And Limitations6Psion Teklogix 9160 Wireless Gateway User Manual1.2  Online Help Features, Supported Browsers, And LimitationsOnline Help for the 9160 Wireless Gateway provides information about all fields and features available on the user interface. The information in the Online Help is a subset of the information available in the full User Manual.Online Help information corresponds to each tab on the 9160 Wireless Gateway Administration user interface. Click the Help button on a tab or the “More. . .” link at the bottom of the online help panel on the UI for help information for the settings on the current tab.
Psion Teklogix 9160 Wireless Gateway User Manual 7Chapter 1: IntroductionText Conventions1.3  Text ConventionsNote: Notes highlight additional helpful information.Important: These statements provide particularly important instructions or additional information that is critical to the operation of the computer and other equipment.Warning: These statements provide important information that may prevent injury, damage to the equipment, or loss of data.An arrow next to field description information (usually in tables) indicates a recom-mended or suggested configuration setting for an option on the Access Point (AP).When you see a term written in bold italics, there is an entry for it in Appendix E: Glossary, providing a definition and further details. Not all terms are highlighted in the manual, but the Glossary is extensive, therefore please check there for any unfa-miliar words or expressions.1.4  Overview Of The 9160 Wireless GatewayThe 9160 Wireless Gateway provides continuous, high-speed access between your wireless and Ethernet devices. It is an advanced, standards-based solution for wire-less networking in small and medium-sized businesses. The 9160 Wireless Gateway enables zero-administration wireless local area network (WLAN) deployment while providing state-of-the-art wireless networking features.The 9160 Wireless Gateway provides best-of-breed security, ease-of-administration and industry standards—providing a standalone and fully-secured wireless network without the need for additional management and security server software.The 9160 Wireless Gateway is available as a single or dual-band access point with one or two radios.The single band access point can broadcast in the following modes.• IEEE 802.11b.• IEEE 802.11g.• Atheros Turbo 2.4 GHz.• Atheros Dynamic Turbo 2.4 GHz.Bold Italics
Chapter 1: IntroductionFeatures and Benefits8Psion Teklogix 9160 Wireless Gateway User ManualThe dual-band access point is capable of broadcasting in the following modes:• IEEE 802.11b mode.• IEEE 802.11g mode.• IEEE 802.11a mode.• Atheros Turbo 5 GHz.• Atheros Dynamic Turbo 5 GHz.• Atheros Turbo 2.4 GHz.• Atheros Dynamic Turbo 2.4 GHz.Important: Psion Teklogix terminals do not support Atheros Turbo modes and to prevent unnecessary radio overhead the use of Turbo mode is not recommended.Given these capabilities, various hardware configurations for the end product are possible. For example, a two-radio access point with dual-band capabilities is capable of broadcasting in two different IEEE 802.11 modes simultaneously.The following sections list features and benefits of the 9160 Wireless Gateway, and tell you what’s next when you’re ready to get started.1.5  Features and Benefits1.5.1  IEEE Standards Support And Wi-Fi Compliance• Support for IEEE 802.11a, IEEE 802.11b, IEEE 802.11g and IEEE 802.11a Turbo wireless networking standards.• Provides bandwidth of up to 54 Mbps for IEEE 802.11a or IEEE 802.11g (11 Mbps for IEEE 802.11b, 108 Mbps for IEEE 802.11a Turbo).• Wi-Fi certification.
Psion Teklogix 9160 Wireless Gateway User Manual 9Chapter 1: IntroductionWireless Features1.5.2  Wireless Features• Auto channel selection at startup.• Transmit power adjustment.• Wireless Distribution System (WDS) for connecting multiple access points wirelessly. Extends your network with less cabling and provides a seamless experience for roaming clients.• Quality of Service (QoS) for enhanced throughput and better performance of time-sensitive wireless traffic like Video, Audio, Voice over IP (VoIP) and streaming media. Our QoS Wi-Fi Multimedia (WMM) compliant.• Load Balancing.• Built-in support for multiple SSIDs (network names) and multiple BSSIDs (basic service set IDs) on the same access point.• Channel management for automatic coordination of radio channel assignments to reduce AP-to-AP interference on the network and maximize Wi-Fi bandwidth.• Neighboring access point detection (also known as “rogue” AP detection).• Support for multiple IEEE 802.11d Regulatory Domains (country codes for global operation).1.5.3  Security Features• Inhibit SSID Broadcast.• Ignore SSID Broadcast.• Weak IV avoidance.• Wireless Equivalent Privacy (WEP).• Wi-Fi Protected Access 2 (WPA2).• Advanced Encryption Standard (AES).• User-based access control with local authentication server.• Local user database and user lifecycle management.• MAC address filtering.
Chapter 1: IntroductionOut-of-the-Box Guest Interface10 Psion Teklogix 9160 Wireless Gateway User Manual1.5.4  Out-of-the-Box Guest Interface• Unique network name (SSID) for the Guest interface.• Captive portal to guide guests to customized, guest-only Web page.• VLAN and ethernet options.1.5.5  Clustering And Auto-Management• Automatic setup with Kickstart.• Provisioning and auto-configuration of APs through clustering and cluster rendezvous.The administrator can specify how new access points should be configured before they are added to the network. When new access points are added, they can automatically rendezvous with the cluster, and securely download the correct configuration. The process does not require manual intervention, but is under the control of the administrator.• Single universal view of clustered access points and cluster configuration settings.Configuration for all access points in a cluster can be managed from a single interface. Changes to common parameters are automatically reflected in all members of the cluster.• Self-managed access points with automatic configuration synchronization.The access points in a cluster periodically check that the cluster configura-tion is consistent, and check for the presence and availability of the other members of the cluster. The administrator can monitor this information through the user interface.• Enhanced local authentication using 802.1x without additional IT setup.A cluster can maintain a user authentication server and database stored on the access points. This eliminates the need to install, configure, and main-tain a RADIUS infrastructure, and simplifies the administrative task of deploying a secure wireless network.• Hardware watchdog.
Psion Teklogix 9160 Wireless Gateway User Manual 11Chapter 1: IntroductionNetworking1.5.6  Networking• Dynamic Host Configuration Protocol (DHCP) support for dynamically assigning network configuration information to systems on the LAN.• Virtual Local Area Network (VLAN) support.1.5.7  SNMP SupportRelease 1.1 of the 9160 Wireless Gateway ships with the following standard Simple Network Protocol (SNMP) Management Information Bases (MIB):• SNMP v1 and v2 MIBs.• IEEE802.11 MIB.• Two proprietary MIBs, based on the upcoming IEEE 802.11k MIB, support the 9160 Wireless Gateway client association list and AP detection table, respectively.1.5.8  Maintainability• Status, monitoring, and tracking views of the network including session monitoring, client associations, transmit/receive statistics, and event log.• Link integrity monitoring to continually verify connection to the client, regardless of network traffic activity levels.• Reset configuration option.• Firmware upgrade.• Backup and restore of access point configuration.• Backup and restore of user database for built-in RADIUS server (applicable with IEEE 802.1x and WPA/WPA2 Enterprise (RADIUS) security modes.1.6  What’s Next?Ready to get started with wireless networking? Once your 9160 Wireless Gateway is installed (see Chapter 2: “Installation Requirements”), read through Chapter 3: “PreLaunch Checklist” and then follow the steps in Chapter 4: “Quick Steps For Setup And Launch”.
Psion Teklogix 9160 Wireless Gateway User Manual 13INSTALLATION REQUIREMENTS 22.1  Choosing The Right Location.........................152.1.1  Environment.............................152.1.1.1  9160 Wireless Gateway...................152.1.2  Maintenance.............................162.1.3  Radios................................162.1.4  Power And Antenna Cables.....................162.1.4.1  Power............................162.1.4.2  Antennas..........................172.2  Connecting To External Devices .......................182.2.1  Ports.................................182.2.2  LAN Installation: Overview.....................192.2.3  LAN Installation: Ethernet.....................192.2.3.1  Ethernet Cabling......................192.2.4  Status Indicators (LEDs) ......................202.1.5  Connecting A Video Display Terminal . . . . . . . . . . . . . . . 202.2  Changing The Configuration With A Web Browser .............20
Psion Teklogix 9160 Wireless Gateway User Manual 15Chapter 2: Installation RequirementsChoosing The Right LocationWarning: The 9160 must be installed by qualified Psion Teklogix personnel.2.1  Choosing The Right LocationTypically, Psion Teklogix conducts a site survey in the plant and then recommends the preferred locations for the 9160s. These locations provide good radio coverage, minimize the distance to the host computer or network controller, and meet the environmental requirements.2.1.1  Environment2.1.1.1  9160 Wireless GatewayThe 9160 should be located in a well-ventilated area and should be protected from extreme temperature fluctuations (i.e. direct heater output, shipping doors or direct sunlight). If a protective cover is required, it must have enough ventilation to maintain the 9160’s surface at or near room temperature. Refer to Chapter 25: “Specifications” for a more detailed description of environ-mental requirements. Keep in mind that the long term stability of this equipment will be enhanced if the environmental conditions are less severe than those listed in this manual.The 9160 should be situated away from the path of vehicles and free from water or dust spray. The 9160 should only be mounted in the upright position, as shown in Figure 2.1 on page 16. This orientation minimizes the risk of water entering the 9160, should the unit accidentally be sprayed. The 9160 is attached to a vertical surface using four fasteners on the rear plate (type of fasteners are dependent on mounting surface). The top two holes in the rear plate are slots, allowing the unit to be hung in position before the remaining bolts are installed, thus easing installation. The bolts used for installation are SAE 1/4-20.
Chapter 2: Installation RequirementsMaintenance16 Psion Teklogix 9160 Wireless Gateway User ManualFigure 2.1 9160 Installation Position2.1.2  MaintenanceThe 9160 has no internal option switches and does not require physical access; all configuration settings are done remotely (see “Navigating To Basic Settings” on page 47). Environmental and radio communication considerations do still apply.2.1.3  RadiosMini-PCI 802.11g radio without integrated antenna (standard).Mini-PCI 802.11a/g radio without integrated antenna (optional second radio).2.1.4  Power And Antenna Cables2.1.4.1  PowerTo prevent accidental disconnection and stress on the 9160, antenna and power cables should be secured within 30 cm of the unit. Secure the cables with ties to the cable tie mounts on the 9160 (see Figure 2.1). A single phase power outlet (range 100 to 240 VAC rated 1.0A minimum) should be installed within one metre (3.1 feet) of the 9160. The 9160 automatically adjusts to input within that power range. The power cable is removable and is available in the power type specific to your location. The 9160 AC power supply has a universal input via a standard IEC320 connector.Mounting SlotCable Tie MountMounting Hole
Psion Teklogix 9160 Wireless Gateway User Manual 17Chapter 2: Installation RequirementsPower And Antenna CablesTo eliminate the need for AC wiring, the 9160 Wireless Gateway is compliant with IEEE 802.3af and can be powered over its Ethernet connection. For detailed infor-mation, please see “Power Over Ethernet Requirements” on page 230.Warning: To avoid electric shock, the power cord protective grounding conductor must always be connected to ground.2.1.4.2  AntennasThe type of antenna required for each installation depends on the coverage require-ments and the frequencies used. A maximum of four antenna elements can be used. These antennas can be a combination of reverse thread SMA “screw-on” diversity or high-gain WDS antennas. There are several omnidirectional antennas and special, directional antennas available from Psion Teklogix. Generally, a site survey deter-mines the appropriate antenna. Consult Psion Teklogix service personnel for more information.Warning: Never operate the 9160 without a suitable antenna or a dummy load. Connection To Outdoor Antenna (Kit P/N 1916641) The antenna must be installed by a qualified service person and installed according to local electrical installation codes. The antenna should be located such that it is always at least 15 ft (4.6 m) high and 10 ft (3 m) from the user and other people working in the area.For a 9160 connecting to an outdoor antenna, all the following notes are applicable:1. The shield of the outdoor antenna coaxial cable is to be connected to earth (independent of the 9160) in the building installation, provided the installation is acceptable to the authorities in the country of usage.2. A supplementary equipment earthing conductor is to be installed between the 9160 and earth—that is, in addition to the equipment earth-ing conductor in the power supply cord. 3. The supplementary equipment earthing conductor may not be smaller in size than the unearthed branch-circuit supply conductors (min 0.75 sq. mm nominal cross-sectional area or 18AWG). The supplementary equipment earthing conductor is to be connected to the 9160 at the ter-minal provided, and connected to earth in a manner that will retain the earth connection when the power supply cord is unplugged. The con-
Chapter 2: Installation RequirementsConnecting To External Devices18 Psion Teklogix 9160 Wireless Gateway User Manualnection to earth of the supplementary earthing conductor shall be in compliance with the appropriate rules for terminating bonding jumpers in the country of usage. Termination of the supplementary equipment earthing conductor is permitted to be made to building steel, to a metal electrical raceway system, or to any earthed item that is permanently and reliably connected to the electrical service equipment earthed.4. Bare, covered, or insulated earthing conductors are acceptable. A covered or insulated earthing conductor shall have a continuous outer finish that is either green (Canada and USA only), or green-and-yellow (all countries).5. Avoid servicing during an electrical storm. There may be a remote risk of electrical shock from lightning.6. For Finland, Norway, and Sweden, the equipment is to be used in a RESTRICTED ACCESS LOCATION where equipotential bonding has been applied. The permanently connected PROTECTIVE EARTH-ING CONDUCTOR is to be installed by a SERVICE PERSON. Warning: For RF safety considerations, users are not allowed to approach close to the antenna.Psion Teklogix supplies the coaxial cable required to connect the 9160 to the antenna. When determining the location of the antenna, coverage requirements of the antenna are considered in conjunction with the environmental requirements of the 9160. The coaxial cable must be routed and secured using wire anchors and/or coaxial nail clips. A few extra inches of cable are required near the antenna and the 9160 to make disconnection easier.2.2  Connecting To External DevicesThis section contains general guidelines for connecting the 9160 to external devices such as network controllers, base stations, host computers, PCs, and video display terminals.2.2.1  PortsFigure 2.2 on page 19 shows the locations of the port and power connectors on the base of the 9160. The port pinouts are described in Appendix B: “Port Pinouts And Cable Diagrams”.
Psion Teklogix 9160 Wireless Gateway User Manual 19Chapter 2: Installation RequirementsLAN Installation: OverviewFigure 2.2 9160 Port And LED Locations2.2.2  LAN Installation: OverviewBecause the 9160 provides Ethernet connectivity, it can be added to an existing LAN. Generally, LAN installations are handled with the help of the network administrators, as they are familiar with their network and its configuration. Once the 9160 is installed, connected and powered on, the system administrator can access the unit to check the configuration and to assign the 9160 its unique IP address. This may be done through the network (see “Changing The Configuration With A Web Browser” on page 20). Subsequent changes in the network, such as the addition of stations or users, would also require that the 9160 configuration be changed.Important: Once the 9160 is configured and rebooted the first time, the DHCP should be disabled unless the 9160 obtains its IP address from a server.2.2.3  LAN Installation: EthernetThe 9160 is a high-performance Access Point that supports 100Mb/s Fast Ethernet LANs, as well as 10Mb/s, with both full and half duplex operation. It comes equipped with: a 10BaseT/100BaseT card (using a category-5 twisted pair cable, an RJ-45 connector, running at a rate of 10 or 100Mb/s). For port pinouts, please refer to Appendix B: “Port Pinouts And Cable Diagrams”.Note: The 9160 does not support any connection type other than Ethernet 10BaseT and 100BaseT.2.2.3.1  Ethernet CablingThe maximum cable segment length allowed between repeaters for the 9160 (10BaseT/100BaseT Ethernet cabling) is 100 m. AC Power Socket10BaseT/100BaseT Ethernet AdaptorRS-232 Console PortLED: 1 4 5632Operating Status
Chapter 2: Installation RequirementsStatus Indicators (LEDs)20 Psion Teklogix 9160 Wireless Gateway User Manual2.2.4  Status Indicators (LEDs)The high-performance 9160 has six status indicators on the front of the enclosure, as shown in Figure 2.2 on page 19. The numbered and coloured LEDs on the front of the unit indicate the operating status for each port, as described in Table 2.1.2.1.5  Connecting A Video Display TerminalAn ANSI compatible video display terminal (e.g., DEC VT220 or higher), or a PC running terminal emulation, is used for diagnostic purposes.The terminal is connected to the RS-232 port on the 9160 (see Figure 2.2 on page 19). This port is normally set to operate at 115,200 baud, 8 bits, 1 stop bit, no parity. To comply with Part 15 of the FCC rules for a Class B computing device, only the cable supplied (P/N 19387) should be used.2.2  Changing The Configuration With A Web BrowserThe 9160 Flash memory can be reconfigured remotely via the network using a standard HTML Web Browser such as MS Internet Explorer (version 4.0 or later) or Firefox. See Chapter 4: “Quick Steps For Setup And Launch” for instructions on changing the parameters and general configuration settings.LEDNumber Name Function Colour1 Ethernet link  Link indicator for 10BaseT/100BaseT: ON = good link; OFF = no linkyellow*2 Ethernet activity  Ethernet LAN activity (Rx/Tx) green3 Radio 1 status Radio 1 activity (Rx/Tx) green4 Radio 2 status Radio 2 activity (Rx/Tx) green5 Not used Always off (unused) green6 Power LED On solid = Unit poweredLED Off = No power to unitgreen*LED 1 colour shows orientation of LEDs when viewed from a distance.Table 2.1  9160 LED Functions: Front Enclosure
Psion Teklogix 9160 Wireless Gateway User Manual 21PRELAUNCH CHECKLIST 33.1  The 9160 Wireless Gateway . . . .......................233.1.1  Default Settings For The 9160 Wireless Gateway . . . . . . . . . 233.1.2  What The Access Point Does Not Provide.............263.2  Administrator’s Computer...........................263.3  Wireless Client Computers ..........................273.4  Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway....................................283.4.1  How Does The Access Point Obtain An IP Address At Startup? . . 293.4.2  Dynamic IP Addressing.......................293.4.3  Static IP Addressing.........................303.4.4  Recovering An IP Address.....................30
Psion Teklogix 9160 Wireless Gateway User Manual 23Chapter 3: PreLaunch ChecklistThe 9160 Wireless GatewayBefore you plug in and boot a new Access Point, review the following sections for a quick check of required hardware components, software, client configurations, and compatibility issues. Make sure you have everything you need ready to go for a suc-cessful launch and test of your new (or extended) wireless network.3.1  The 9160 Wireless GatewayThe 9160 Wireless Gateway is a wireless communications hub for devices on your network. It provides continuous, high-speed access between your wireless and Ethernet devices in IEEE 802.11a, 802.11b, 802.11g, and 802.11a Turbo modes.The 9160 Wireless Gateway offers an out-of-the-box Guest Interface feature that allows you to configure access points for controlled guest access of the wireless network using Virtual LANs . For more information on the Guest interface, see Chapter 14: “Setting up Guest Access” and “A Note About Setting Up Connections For A Guest Network” on page 36.3.1.1  Default Settings For The 9160 Wireless GatewayOption Default Settings Related InformationSystem Name9160PTX-Wireless-AP “Setting The DNS Name” on page 100 in “The Ethernet (Wired) Interface” on page 97User NameadminThe user name is read-only. It cannot be modified.Passwordadmin “Provide Administrator Password And Wireless Network Name” on page 49 in “Configuring Basic Settings” on page 45“Setting The Administrator Password” on page 203 in “The Administrator Password” on page 201Table 3.1 9160 Default Settings
Chapter 3: PreLaunch ChecklistDefault Settings For The 9160 Wireless Gateway24 Psion Teklogix 9160 Wireless Gateway User ManualNetwork Name (SSID)“TEKLOGIX” for the Internal interface“TEKLOGIX Guest” for the Guestinterface“Review / Describe The Access Point” on page 48 in “Configuring Basic Settings” on page 45“Configuring “Internal” Wireless LAN Settings” on page 110 in “Setting the Wireless Interface” on page 105“Configuring “Guest” Network Wireless Settings” on page 111 in “Setting the Wireless Interface” on page 105Network Time Proto-col (NTP)None “Network Time Protocol Server” on page 197IP Address192.168.1.10The default IP address is used if you do not use a Dynamic Host Configura-tion Protocol (DHCP) server. You can assign a new static IP address through the Administration Web pages.If you have a DHCP server on the net-work, then an IP address will be dynamically assigned by the server at AP startup.“Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway” on page 28Connection TypeDynamic Host Configuration Protocol (DHCP) If you do not have a DHCP server on the Internal network and do not plan to use one, the first thing you must do after bringing up the access point is to change the Connection Type from “DHCP” to “Static IP”.The Guest network must have a DHCP server.“Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway” on page 28For information on how to re-configure the Connec-tion Type, see “Configuring Internal Interface Ether-net Settings” on page 102.Subnet MaskNoneThis is determined by your network setup and DHCP server configuration.“The Ethernet (Wired) Interface” on page 97RadioOn “Configuring Radio Settings” on page 153Option Default Settings Related InformationTable 3.1 9160 Default Settings
Psion Teklogix 9160 Wireless Gateway User Manual 25Chapter 3: PreLaunch ChecklistDefault Settings For The 9160 Wireless GatewayIEEE 802.11 Mode802.11g or 802.11a+g “Configuring Radio Settings” on page 153802.11g ChannelAuto “Configuring Radio Settings” on page 153Beacon Interval100 “Configuring Radio Settings” on page 153DTIM Period2 “Configuring Radio Settings” on page 153Fragmentation Thresh-old2346 “Configuring Radio Settings” on page 153RTS Threshold2347 “Configuring Radio Settings” on page 153MAX Stations2007 “Configuring Radio Settings” on page 153Transmit Power100 percent “Configuring Radio Settings” on page 153Rate Sets Supported (Mbps)• IEEE 802.1a:  54, 48, 36, 24, 18, 12, 9, 6 • IEEE 802.1g:  54, 48, 36, 24, 18, 12, 11, 9, 6, 5.5, 2, 1• IEEE 802.1b:  11, 5.5, 2, 1“Configuring Radio Settings” on page 153Rate Sets (Mbps)(Basic/Advertised)•  IEEE 802.1a:  24, 12, 6• IEEE 802.1g: 11, 5.5, 2, 1• IEEE 802.1b:  2, 1“Configuring Radio Settings” on page 153Broadcast SSIDAllow “Configuring Security Settings: Broadcast SSID, Station Isolation, and Security Mode” on page 124.Security ModeNone (plain-text) “Configuring Security Settings: Broadcast SSID, Station Isolation, and Security Mode” on page 124.Authentication TypeNoneMAC FilteringAllow any station unless in list “MAC Address Filtering” on page 161Guest Login and ManagementDisabled “Setting up Guest Access” on page 141Load BalancingDisabled “Load Balancing” on page 165WDS SettingsNone “Wireless Distribution System” on page 185Option Default Settings Related InformationTable 3.1 9160 Default Settings
Chapter 3: PreLaunch ChecklistWhat The Access Point Does Not Provide26 Psion Teklogix 9160 Wireless Gateway User Manual3.1.2  What The Access Point Does Not ProvideThe 9160 Wireless Gateway is not designed to function as a Gateway to the Inter-net. To connect your Wireless LAN (WLAN) to other LANs or the Internet, you need a gateway device.3.2  Administrator’s ComputerConfiguration and administration of the 9160 Wireless Gateway is accomplished with the KickStart utility (which you run from the CD) and through a Web-based user interface (UI). The Table 3.2 describes the minimum requirements for the administrator’s computer.Required ComponentsDescriptionEthernet Connection to the First Access PointThe computer used to configure the first access point with KickStart must be con-nected to the access point (either directly or through a hub) by an Ethernet cable.For more information, see “Connect The Access Point To Network And Power” on page 34 in “Quick Steps For Setup And Launch”.Wireless Connection to the NetworkAfter initial configuration and launch of the first access points on your new wireless network, you can make subsequent configuration changes through the Administra-tion Web pages using a wireless connection to the “Internal” network. For wireless connection to the access point, your administration device will need Wi-Fi capability similar to that of any wireless client:• Portable or built-in Wi-Fi client adaptor that supports one or more of the IEEE 802.11 modes in which you plan to run the access point. (IEEE 802.11a, 802.11b802.11a, 802.11g802.11b, 802.11a Turbo802.11g 802.11a Turbo modes are supported.)• Wireless client software such as Microsoft® Windows® XP or Funk Odys-sey wireless client configured to associate with the 9160 Wireless Gateway.For more details on Wi-Fi client setup, see “Wireless Client Computers” on page 27.Table 3.2 Required AP Administrator Software And Hardware
Psion Teklogix 9160 Wireless Gateway User Manual 27Chapter 3: PreLaunch ChecklistWireless Client Computers3.3  Wireless Client ComputersThe 9160 Wireless Gateway provides wireless access to any client with a properly configured Wi-Fi client adaptor for the 802.11 mode in which the access point is running.Multiple client operating systems are supported. Clients can be laptops or desktops, personal digital assistants (PDAs), or any other hand-held, portable or stationary device equipped with a Wi-Fi adaptor and supporting drivers.In order to connect to the access point, wireless clients need the software and hard-ware described in Table 3.3, below.Web Browser / Operating SystemConfiguration and administration of the 9160 Wireless Gateway is provided through a Web-based user interface hosted on the access point. We recommend using one of the following supported Web browsers to access the access point Administration Web pages:• Microsoft Internet Explorer version 5.5 or 6.x (with up-to-date patch level for either major version) on Microsoft Windows XP or Microsoft Windows 2000•Netscape® Mozilla 1.7.x on Redhat Linux version 2.4The administration Web browser must have JavaScript enabled to support the inter-active features of the administration interface. It must also support HTTP uploads to use the firmware upgrade feature.KickStart Wizard onCD-ROMYou can run the KickStart CD-ROM on any Windows laptop or computer that is con-nected to the access point (via Wired or Wireless connection). It detects 9160 Wire-less Gateways on the network. The wizard steps you through initial configuration of new access points, and provides a link to the Administration Web pages where you finish up the basic setup process in a step-by-step mode and launch the network.For more about using KickStart, see “Run KickStart To Find Access Points On The Network” on page 37 in “Quick Steps For Setup And Launch” on page 31.CD-ROM DriveThe administrator’s computer must have a CD-ROM drive to run the KickStart CD.Security SettingsEnsure that security is disabled on the wireless client used to initially configure the access point.Required ComponentsDescriptionTable 3.2 Required AP Administrator Software And Hardware
Chapter 3: PreLaunch ChecklistUnderstanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway28 Psion Teklogix 9160 Wireless Gateway User Manual3.4  Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway9160 Wireless Gateways are designed to auto-configure, with very little setup required for the first access point and no configuration required for additional access points subsequently joining a pre-configured cluster.Required ComponentDescriptionWi-Fi Client AdaptorPortable or built-in Wi-Fi client adaptor that supports one or more of the IEEE 802.11 modes in which you plan to run the access point. (IEEE 802.11a, 802.11b, and 802.11g are supported.)Wi-Fi client adaptors vary considerably. The adaptor can be a PC card built in to the client device, a portable PCMCIA or PCI card (types of NICs), or an external device such as a USB or Ethernet adaptor that you connect to the client by means of a cable.The access point supports 802.11a/b/g modes, but you will probably make a decision dur-ing network design phase as to which mode to use. The fundamental requirement for cli-ents is that they all have configured adaptors that match the 802.11 mode for which your access point(s) is configured.Wireless Client SoftwareClient software such as Microsoft Windows Supplicant or Funk Odyssey wireless client con-figured to associate with the 9160 Wireless Gateway.Client Security SettingsSecurity should be disabled on the client used to do initial configuration of the access point.If the Security mode on the access point is set to anything other than plain-text, wireless cli-ents will need to set a profile to the authentication mode used by the access point and pro-vide a valid username and password, certificate, or similar user identity proof. Security modes are Static WEP, IEEE 802.1x, WPA with RADIUS server, and WPA2PSK.For information on configuring security on the access point, see “Configuring Security” on page 113.Table 3.3 Required AP Client Software And Hardware
Psion Teklogix 9160 Wireless Gateway User Manual 29Chapter 3: PreLaunch ChecklistHow Does The Access Point Obtain An IP Address At Startup?3.4.1  How Does The Access Point Obtain An IP Address At Startup?When you deploy the access point, it looks for a network DHCP server and, if it finds one, obtains an IP Address from the DHCP server. If no DHCP server is found on the network, the AP will continue to use its default Static IP Address (192.168.1.10) until you re-assign it a new static IP address (and specify a static IP addressing policy) or until a DHCP server is brought online.Notes: If you configure both an Internal and Guest network and plan to use a dynamic addressing policy for both, separate DHCP servers must be run-ning on each network.A DHCP server is a requirement for the Guest network.When you run KickStart, it discovers the 9160 Wireless Gateways on the network and lists their IP addresses and MAC addresses. KickStart also provides a link to the administration Web pages of each access point using the IP address in the URL. (For more information about the KickStart utility, see “Run KickStart To Find Access Points On The Network” on page 37.)3.4.2  Dynamic IP AddressingThe 9160 Wireless Gateway generally expects that a DHCP server is running on the network where the AP is deployed. Most home and small business networks already have DHCP service provided either via a gateway device or a centralized server. However, if no DHCP server is present on the Internal network, the AP will use the default Static IP Address for first time startup.Similarly, wireless clients and other network devices (such as printers) will receive their IP addresses from the DHCP server, if there is one. If no DHCP server is present on the network, you must manually assign static IP addresses to your wire-less clients and other network devices.The Guest network must have a DHCP server.
Chapter 3: PreLaunch ChecklistStatic IP Addressing30 Psion Teklogix 9160 Wireless Gateway User Manual3.4.3  Static IP AddressingThe 9160 Wireless Gateway ships with a default Static IP Address of 192.168.1.10. (See “Default Settings For The 9160 Wireless Gateway” on page 23.) If no DHCP server is found on the network, the AP retains this static IP address at first-time startup.After AP startup, you have the option of specifying a static IP addressing policy on 9160 Wireless Gateways and assigning static IP addresses to APs on the Internal network via the access point Administration Web pages. (See information about the Connection Type field and related fields in “Configuring Internal Interface Ether-net Settings” on page 102.)Important: If you do not have a DHCP server on the Internal network and do not plan to use one, the first thing you must do after bringing up the access point is change the Connection Type from DHCP to Static IP. You can either assign a new Static IP address to the AP or continue using the default address. We recommend assigning a new Static IP address so that if later you bring up another 9160 Wireless Gateway on the same network, the IP address for each AP will be unique.3.4.4  Recovering An IP AddressIf you experience trouble communicating with the access point, you can recover a Static IP Address by resetting the AP configuration to the factory defaults (see “Resetting The Configuration To Factory Defaults” on page 218), or you can get a dynamically assigned address by connecting the AP to a network that has DHCP.
Psion Teklogix 9160 Wireless Gateway User Manual 31QUICK STEPS FOR SETUP AND LAUNCH 44.1  Unpack The 9160 Wireless Gateway .....................334.1.1  9160 Wireless Gateway Hardware And Ports. . . . . . . . . . . . 334.1.2  What’s Inside The 9160 Wireless Gateway? . . . . . . . . . . . . 344.2  Connect The Access Point To Network And Power..............344.2.1  A Note About Setting Up Connections For A Guest Network . . . 364.2.1.1  Hardware Connections For A Guest VLAN . . . . . . . . 364.3  Power On The Access Point..........................364.4  Run KickStart To Find Access Points On The Network . ..........374.5  Log On To The Administration Web Pages..................414.5.1  Viewing Basic Settings For Access Points.............424.6  Configure ‘Basic Settings’ And Start The Wireless Network.........424.6.1  Default Configuration........................444.7  What’s Next?..................................444.7.1  Make Sure The Access Point Is Connected To The LAN. . . . . . 444.7.2  Test LAN Connectivity With Wireless Clients . . . . . . . . . . . 444.7.3  Secure And Fine-tune The Access Point Using Advanced Features 44
Psion Teklogix 9160 Wireless Gateway User Manual 33Chapter 4: Quick Steps For Setup And LaunchUnpack The 9160 Wireless GatewaySetting up and deploying one or more 9160 Wireless Gateways is in effect creating and launching a wireless network. The KickStart Wizard and corresponding Basic Settings Administration Web page simplify this process. Here is a step-by-step guide to setting up your 9160 Wireless Gateways and the resulting wireless network. Have the KickStart CD handy, and familiarize yourself with the Chapter 3: “Pre-Launch Checklist” if you haven’t already. The topics covered here are:• Step 1: Unpack The 9160 Wireless Gateway.• Step 2: Connect The Access Point To Network And Power.• Step 3: Power On The Access Point.• Step 4: Run KickStart To Find Access Points On The Network.• Step 5: Log On To The Administration Web Pages.• Step 6: Configure ‘Basic Settings’ And Start The Wireless Network.•What’s Next?4.1  Unpack The 9160 Wireless GatewayUnpack the 9160 Wireless Gateway and familiarize yourself with its hardware ports, associated cables, and accessories.4.1.1  9160 Wireless Gateway Hardware And PortsThe 9160 Wireless Gateway includes:• Ethernet port for connection to the Local Area Network (LAN) via Ethernet network cable.• Power port and power adaptor.• Power on/off switch.• Either one or two radios depending on which model of the product you have.
Chapter 4: Quick Steps For Setup And LaunchWhat’s Inside The 9160 Wireless Gateway?34 Psion Teklogix 9160 Wireless Gateway User Manual4.1.2  What’s Inside The 9160 Wireless Gateway?The 9160 Wireless Gateway, as an Access Point (AP), is a single-purpose computer designed to function as a wireless hub. Inside the access point is a Wi-Fi radio system and a microprocessor. The access point boots from FlashROM using powered firmware with the configurable, runtime features summarized in “Over-view Of The 9160 Wireless Gateway” on page 7.As new features and enhancements become available, you can upgrade the firmware to add new functionality and performance improvements to the access points that make up your wireless network. (See “Upgrading The Firmware” on page 219.)4.2  Connect The Access Point To Network And PowerThe next step is to set up the network and power connections.1. Do one of the following to create an Ethernet connection between the access point and the computer:Connect one end of an Ethernet cable to the network port on the access point and the other end to the same hub where your PC is connected. (See Figure 4.1 on page 35.)OrConnect one end of a crossover1 cable to the network port on the access point and the other end of the cable to the Ethernet port on the PC. (See Figure 4.2 on page 36.)Notes: If you use a hub, the device you use must permit broadcast signals from the access point to reach all other devices on the network. A standard hub should work fine. Some switches, however, do not allow directed or subnet broadcasts through. You may have to configure the switch to allow directed broadcasts.1If the access point hardware supports MDI and MDI-X auto functions, you can use a regular Ethernet cable for a direct connection from PC to AP. A crossover cable will work also, but is not necessary if you have MDI and MDI-X auto sensing.ports.
Psion Teklogix 9160 Wireless Gateway User Manual 35Chapter 4: Quick Steps For Setup And LaunchConnect The Access Point To Network And PowerFor initial configuration with a direct Ethernet connection and no DHCP server, be sure to set your PC to a static IP address in the same subnet as the default IP address on the access point. (The default IP address for the access point is 192.168.1.10.)If for initial configuration you use a direct Ethernet (wired) connection (via crossover cable) between the access point and the computer, you will need to reconfigure the cabling for subsequent startup and deployment of the access point so that the access point is no longer connected directly to the PC but instead is connected to the LAN (either via a Hub as shown in Fig-ure 4.1, or directly).It is possible to detect access points on the network (using Kickstart) with a wireless connection. However, we strongly advise against using this method. In most environments you may have no way of knowing whether you are actually connecting to the intended AP and also because many of the initial configuration changes required will cause you to lose connectiv-ity with the AP over a wireless connection.Figure 4.1 Ethernet Connections Using DHCPAdministrator ComputerAccess PointHUB to LANAP to HubAdmin PC to HubLANHUBETHERNET CONNECTIONS WHEN USING DHCP FOR INITIAL CONFIGURATION
Chapter 4: Quick Steps For Setup And LaunchA Note About Setting Up Connections For A Guest Network36 Psion Teklogix 9160 Wireless Gateway User ManualFigure 4.2 Ethernet Connections Using Static IP2. Connect the power adaptor to the power port on the back of the access point, and then plug the other end of the power cord into a power outlet (preferably, via a surge protector).4.2.1  A Note About Setting Up Connections For A Guest NetworkThe 9160 Wireless Gateway offers an out-of-the-box Guest Interface that allows you to configure an access point for controlled guest access to the network. The same access point can function as a bridge for two different wireless networks: a secure “Internal” LAN and a public “Guest” network. This can be done virtually, by defining two different Virtual LANs via the Administration UI.For information on configuring Guest interface settings on the Administration UI, see Chapter 14: “Setting up Guest Access”. 4.2.1.1 Hardware Connections For A Guest VLANIf you plan to configure a guest network using VLANs, do the following:• Connect a network port on the access point to a VLAN-capable switch.• Define VLANs on that switch.4.3  Power On The Access PointThe 9160 Wireless Gateway powers on and initializes when you plug it in.Administrator ComputerAccess PointCrossover CableETHERNET CONNECTIONS WHEN USING STATIC IP FOR INITIAL CONFIGURATION(This PC must have an IP address on the (or Ethernet cable if your APsupports auto MDI and MDI-X)same subnet as Access Point.)
Psion Teklogix 9160 Wireless Gateway User Manual 37Chapter 4: Quick Steps For Setup And LaunchRun KickStart To Find Access Points On The Network4.4  Run KickStart To Find Access Points On The NetworkKickStart is an easy-to-use utility for discovering and identifying new 9160 Wire-less Gateways. KickStart scans the network looking for access points, and displays ID details on those it finds.Notes: Keep in mind that KickStart (and the other Administration tools) recognizes and configures only 9160 Wireless Gateways. KickStart will not find or con-figure non Psion Teklogix Inc. access points. Kickstart will not find any other devices.Run Kickstart only in the subnet of the “Internal” network (SSID). Do not run Kickstart on the guest subnetwork.Kickstart will find only those access points that have IP addresses. IP addresses are dynamically assigned to APs if you have a DHCP server running on the network. Keep in mind that if you deploy the AP on a net-work with no DHCP server, the default static IP address (192.168.1.10) will be used.Important: Use caution with non-DHCP enabled networks: Do not deploy more than one new AP on a non-DHCP network because they will use the same default static IP addresses and conflict with each other. (For more information, see “Understanding Dynamic And Static IP Addressing On The 9160 Wireless Gateway” on page 28 and “How Does The Access Point Obtain An IP Address At Startup?” on page 29.)Run the KickStart CD-ROM on a laptop or computer that is connected to the same network as your access points and use it to step through the discovery process as follows:1. Insert the KickStart Wizard CD into the CD-ROM drive on your computer. The Kickstart window should display automatically. If not, navigate to the CD-ROM drive and run the CD using AutoPlay or the ks.jar executable.The KickStart Welcome screen is displayed.
Chapter 4: Quick Steps For Setup And LaunchRun KickStart To Find Access Points On The Network38 Psion Teklogix 9160 Wireless Gateway User ManualClick Next to search for access points.2. Wait for the search to complete, or until KickStart has found your new access points.
Psion Teklogix 9160 Wireless Gateway User Manual 39Chapter 4: Quick Steps For Setup And LaunchRun KickStart To Find Access Points On The NetworkNote: If no access points are found, Kickstart indicate this and presents some troubleshooting information about your LAN and power connections. Once you have checked hardware power and Ethernet connections, you can click the Kickstart Back button to search again for access points.3. Review the list of access points found.KickStart will detect the IP addresses of 9160 Wireless Gateways. Access points are listed with their locations, Media Access Control (MAC) addresses, and IP Addresses. If you are installing the first access point on a single-access-point network, only one entry will be displayed on this screenVerify the MAC addresses shown here against the hardware labels for each access point. This will be especially helpful later in providing or modifying the descriptive “Location” name for each access point.
Chapter 4: Quick Steps For Setup And LaunchRun KickStart To Find Access Points On The Network40 Psion Teklogix 9160 Wireless Gateway User ManualClick Next.4. Go to the Access Point Administration Web pages by taking the link provided on the KickStart page.
Psion Teklogix 9160 Wireless Gateway User Manual 41Chapter 4: Quick Steps For Setup And LaunchLog On To The Administration Web PagesNote: KickStart provides a link to the Administration Web pages via the IP address of the first access point of each model. (For more information about model types and clustering see “What Kinds Of APs Can Cluster Together?” on page 56.) The Administration Web pages are a centralized management tool that you can access via the IP address for any access point in a cluster. Once your other access points are configured, you can also link to the Administra-tion Web pages by using the IP address for any of the other 9160 Wireless Gateways in a URL (http://IPAddressOfAccessPoint).4.5  Log On To The Administration Web PagesWhen you follow the link from KickStart to the 9160 Wireless Gateway Adminis-tration Web pages, you are prompted for a user name and password.The defaults for user name and password are as follows.Enter the username and password and click OK.Field Default SettingUsernameadminPasswordadminThe user name is read-only. It cannot be modified.Table 4.3 Username And Password
Chapter 4: Quick Steps For Setup And LaunchViewing Basic Settings For Access Points42 Psion Teklogix 9160 Wireless Gateway User Manual4.5.1  Viewing Basic Settings For Access PointsWhen you first log in, the Basic Settings page for 9160 Wireless Gateway adminis-tration is displayed. These are global settings for all access points that are members of the cluster and, if automatic configuration is specified, for any new access points that are added later.4.6  Configure ‘Basic Settings’ And Start The Wireless NetworkProvide a minimal set of configuration information by defining the basic settings for your wireless network. These settings are all available on the Basic Settings page of the Administration Web interface, and are categorized into steps 1-4 on the Web page.
Psion Teklogix 9160 Wireless Gateway User Manual 43Chapter 4: Quick Steps For Setup And LaunchConfigure ‘Basic Settings’ And Start The Wireless NetworkFor a detailed description of these “Basic Settings” and how to properly configure them, please see Chapter 5: “Configuring Basic Settings”. Summarized briefly here, the steps are:1. Review Description of this Access Point.Provide IP addressing information. For more information, see “Review / Describe The Access Point” on page 48.2. Provide Network Settings.Provide a new administrator password for clustered access points. For more information, see “Provide Administrator Password And Wireless Network Name” on page 49.3. Set Configuration Policy for New Access Points.Choose to configure new access points automatically (as new members of the cluster) or ignore new access points.If you set a configuration policy to configure new access points automati-cally, new access points added to this network will join the cluster and be configured automatically based on the settings you defined here. Updates to the Network settings on any cluster member will be shared with all other access points in the group.If you chose to ignore new access points, then as you add new access points they will run in standalone mode. In standalone mode, an access point does not share the cluster configuration with other access points; it must be configured manually.You can always update the settings on a standalone access point to have it join the cluster. You can also remove an access point from a cluster thereby switching it to run in standalone mode.For more information, see “Set Configuration Policy For New Access Points” on page 50.4. Start Wireless Networking.Click the Update button to activate the wireless network with these new settings. For more information, see “Update Basic Settings” on page 51.
Chapter 4: Quick Steps For Setup And LaunchDefault Configuration44 Psion Teklogix 9160 Wireless Gateway User Manual4.6.1  Default ConfigurationIf you follow the steps above and accept all the defaults, the access point will have the default configuration described in “Default Settings For The 9160 Wireless Gateway” on page 23.4.7  What’s Next?Next, make sure the access point is connected to the LAN, bring up some wireless clients, and connect the clients to the network. Once you have tested the basics of your wireless network, you can enable more security and fine-tune by modifying advanced configuration features on the access point.4.7.1  Make Sure The Access Point Is Connected To The LANIf you configured the access point and administrator PC by connecting both into a network hub, then your access point is already connected to the LAN. That’s it—you’re up and running! The next step is to test some wireless clients.If you configured the access point using a direct wired connection via crossover cable from your computer to the access point, do the following:1. Disconnect the crossover cable from the computer and the access point.2. Connect a regular Ethernet cable from the access point to the LAN.3. Connect your computer to the LAN either via Ethernet cable or wire-less client card.4.7.2  Test LAN Connectivity With Wireless ClientsTest the 9160 Wireless Gateway by trying to detect it and associate with it from some wireless client devices. (See “Wireless Client Computers” on page 27 in the PreLaunch Checklist for information on requirements for these clients.)4.7.3  Secure And Fine-tune The Access Point Using Advanced FeaturesOnce you have the wireless network up and running and have tested against the access point with some wireless clients, you can add in more layers of security, add users, configure a Guest interface, and fine-tune performance settings.
Psion Teklogix 9160 Wireless Gateway User Manual 45CONFIGURING BASIC SETTINGS 55.1  Navigating To Basic Settings.........................475.2  Review / Describe The Access Point.....................485.3  Provide Administrator Password And Wireless Network Name.......495.4  Set Configuration Policy For New Access Points...............505.5  Update Basic Settings.............................515.6  Summary Of Settings.............................515.7  Basic Settings For A Standalone Access Point................525.8  Your Network At A Glance: Understanding Indicator Icons.........52
Psion Teklogix 9160 Wireless Gateway User Manual 47Chapter 5: Configuring Basic SettingsNavigating To Basic Settings5.1  Navigating To Basic SettingsTo configure initial settings, click Basic Settings.If you use Kickstart to link to the Administration Web pages, the Basic Settings page is displayed by default.Fill in the fields on the Basic Settings screen as described in “Review / Describe The Access Point” on page 48.
Chapter 5: Configuring Basic SettingsReview / Describe The Access Point48 Psion Teklogix 9160 Wireless Gateway User Manual5.2  Review / Describe The Access PointField DescriptionIP AddressShows IP address assigned to this access point. This field is not editable because the IP address is already assigned (either via DHCP, or statically through the Ethernet (wired) settings as described in “Configuring Guest Interface Ethernet (Wired) Settings” on page 104).MAC AddressShows the MAC address of the access point.A MAC address is a permanent, unique hardware address for any device that represents an inter-face to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address. It is provided here for informational purposes as a unique identifier for an interface.The address shown here is the MAC address for the bridge (br0). This is the address by which the AP is known externally to other networks.To see MAC addresses for Guest and Internal interfaces on the AP, see the Status, Interfaces tab.Firmware VersionVersion information about the firmware currently installed on the access point.As new versions of the 9160 Wireless Gateway firmware become available, you can upgrade the firmware on your access points to take advantages of new features and enhancements.For instructions on how to upgrade the firmware, see “Upgrading The Firmware” on page 219.LocationSpecify a location description for this access point.Table 5.1 Basic Settings Screen Options
Psion Teklogix 9160 Wireless Gateway User Manual 49Chapter 5: Configuring Basic SettingsProvide Administrator Password And Wireless Network Name5.3  Provide Administrator Password And Wireless Network NameNote:The 9160 Wireless Gateway is not designed for multiple, simultaneous configuration changes. If you have a network that includes multiple access points, and more than one administrator is logged on to the Administration Web pages and making changes to the configuration, all access points in the cluster will stay in synch but there is no guarantee that all configuration changes specified by multiple users will be applied.Field DescriptionAdministrator PasswordEnter a new administrator password. The characters you enter will be displayed as “ * ”char-acters to prevent others from seeing your password as you type.The Administrator password must be an alphanumeric string of up to 8 characters. Do not use special characters or spaces.As an immediate first step in securing your wireless network, we recommend that you change the administrator password from the default.Administrator Password (again)Re-enter the new administrator password to confirm that you typed it as intended.Wireless Network Name (SSID)Enter a name for the wireless network as a character string. This name will apply to all access points on this network. As you add more access points, they will share this SSID.The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters Note: If you are connected as a wireless client to the same AP that you are admin-istering, resetting the SSID will cause you to lose connectivity to the AP. You will need to reconnect to the new SSID after you save this new setting.Table 5.2 Administrator Password And Wireless Network
Chapter 5: Configuring Basic SettingsSet Configuration Policy For New Access Points50 Psion Teklogix 9160 Wireless Gateway User Manual5.4  Set Configuration Policy For New Access PointsField DescriptionNew Access PointsChoose the policy you want to put in effect for adding New Access Points to the network.• If you choose “are configured automatically”, then when a new access point is added to the network it automatically joins the existing cluster. The cluster configuration is copied to the new access point, and no manual configuration is required to deploy it.• If you choose “are ignored”, new access points will not join the cluster; they will be con-sidered standalone. You need to configure standalone access points manually via KickStart and the Administration Web pages residing on the standalone access points. (To get to the Web page for a standalone access point, use its IP address in a URL as follows: http://IPAddressOfAccessPoint.)Note: If you change the policy so that new access points “are ignored”, then any new access points you add to the network will not join the cluster. Existing clustered access points will not be aware of these standalone APs. Therefore, if you are viewing the Administration Web pages via the IP address of a clustered access point, the new standalone APs will not show up in the list of access points on the Cluster, Access Points tab. The only way to see a standalone AP is to browse to it directly by using its IP address in the URL.If you later change the policy back to the default so that new access points “are configured automatically”, all subsequent new APs will automatically join the cluster. Standalone APs, however, will stay in standalone mode until you explic-itly add them to the cluster.For information on how to add standalone APs to the cluster, see “Adding An Access Point To A Cluster” on page 62.Table 5.3 Configuration Policy For New Access Points
Psion Teklogix 9160 Wireless Gateway User Manual 51Chapter 5: Configuring Basic SettingsUpdate Basic Settings5.5  Update Basic SettingsWhen you have reviewed the new configuration, click Update to apply the settings and deploy the access points as a wireless network.5.6  Summary Of SettingsWhen you update the Basic Settings, a summary of the new settings is shown, along with information about next steps.At initial startup, no security is in place on the access point. An important next step is to configure security, as described in Chapter 13: “Configuring Security”.At this point if you click Basic Settings again, the summary of settings page is replaced by the standard Basic Settings configuration options.
Chapter 5: Configuring Basic SettingsBasic Settings For A Standalone Access Point52 Psion Teklogix 9160 Wireless Gateway User Manual5.7  Basic Settings For A Standalone Access PointThe Basic Settings tab for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster (group). If you click on any of the Cluster tabs on the Administration pages for an access point in standalone mode, you will be re-directed to the Basic Settings page because Cluster settings do not apply to standalone APs.For more information see “Standalone Mode” on page 58 and “Adding An Access Point To A Cluster” on page 62.5.8  Your Network At A Glance: Understanding Indicator IconsAll the Cluster settings tabs on the Administration Web pages include visual indica-tor icons showing current network activity.Icon DescriptionWhen one or more APs on your network are available for service, the “Wireless Network Available” icon is shown. The clustering icon indicates whether the current access point is “Clustered” or “Not Clustered” (that is, standalone).For information about clustering, see “Understanding Clustering” on page 56.The number of access points available for service on this network is indicated by the “Access Points” icon.For information about managing access points, see Chapter 6: “Managing Access Points & Clusters”.Then number of client user accounts created and enabled on this network is indicated by the “User Accounts” icon.For information about setting up user accounts on the access point for use with the built-in authentication server, see Chapter 7: “Managing User Accounts”. See also “IEEE 802.1x” on page 131 and “WPA/WPA2 Enterprise (RADIUS)” on page 136, which are the two security modes that offer the option of using the built-in authentication server.Table 5.4 Indicator Icons
Psion Teklogix 9160 Wireless Gateway User Manual 53MANAGING ACCESS POINTS & CLUSTERS 66.1  Overview....................................556.2  Navigating To Access Points Management..................556.3  Understanding Clustering...........................566.3.1  What Is A Cluster? .........................566.3.2  How Many APs Can A Cluster Support? . . . . . . . . . . . . . . 566.3.3  What Kinds Of APs Can Cluster Together?. . . . . . . . . . . . . 566.3.4  Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?...........................576.3.4.1  Settings Shared In The Cluster Configuration . . . . . . . 576.3.4.2  Settings Not Shared By The Cluster............586.3.5  Cluster Mode............................586.3.6  Standalone Mode..........................586.3.7  Cluster Formation..........................596.3.8  Cluster Size And Membership ...................596.3.9  Intra-Cluster Security........................606.3.10  Auto-Synch Of Cluster Configuration...............606.4  Understanding Access Point Settings.....................606.5  Modifying The Location Description.....................616.6  Removing An Access Point From The Cluster................616.7  Adding An Access Point To A Cluster ....................626.8  Navigating To Configuration Information For A Specific AP And Managing Standalone APs................................636.8.1  Navigating To An AP By Using Its IP Address In A URL . . . . . 63
Psion Teklogix 9160 Wireless Gateway User Manual 55Chapter 6: Managing Access Points & ClustersOverview6.1  OverviewThe 9160 Wireless Gateway shows current basic configuration settings for clustered access points (location, IP address, MAC address, status, and availability) and provides a way of navigating to the full configuration for specific APs if they are cluster members.Standalone access points or those which are not members of this cluster do not show up in this listing. To configure standalone access points, you must discover it via Kickstart, or know the IP address of the access point and use it in a URL (http://IPAddressOfAccessPoint).Note: The 9160 Wireless Gateway is not designed for multiple, simultaneous con-figuration changes. If you have a network that includes multiple access points, and more than one administrator is logged on to the Administration Web pages and making changes to the configuration, all access points in the cluster will stay in synch but there is no guarantee that all configuration changes specified by multiple users will be applied.6.2  Navigating To Access Points ManagementTo view or edit information on access points in a cluster, click the Cluster, Access Points tab.
Chapter 6: Managing Access Points & ClustersUnderstanding Clustering56 Psion Teklogix 9160 Wireless Gateway User Manual6.3  Understanding ClusteringA key feature of the 9160 Wireless Gateway is the ability to form a dynamic, configuration-aware group (called a cluster) with other 9160 Wireless Gateways in a network in the same subnet. Access points can participate in a self-organizing cluster which makes it easier for you to deploy, administer, and secure your wireless network. The cluster provides a single point of administration and lets you view the deployment of access points as a single wireless network rather than a series of sep-arate wireless devices.6.3.1  What Is A Cluster?A cluster is a group of access points which are coordinated as a single group via 9160 Wireless Gateway administration. You cannot create multiple clusters on a single wireless network (SSID). Only one cluster per wireless network is supported.6.3.2  How Many APs Can A Cluster Support?Up to eight access points are supported in a cluster at any one time. If a new AP is added to a network with a cluster that is already at full capacity, the new AP is added in standalone mode. Note that when the cluster is full, extra APs are added in stan-dalone mode regardless of the configuration policy in effect for new access points.For related information, see “Cluster Mode” on page 58, “Standalone Mode” on page 58, and “Set Configuration Policy For New Access Points” on page 50.6.3.3  What Kinds Of APs Can Cluster Together?A single 9160 Wireless Gateway can form a cluster with itself (a “cluster of one”) and with other 9160 Wireless Gateways of the same model. In order to be members of the same cluster, access points must be:• Of the same radio configuration (all one-radio APs or all two-radio APs).• Of the same band configuration (all single-band APs or all dual-band APs).•On the same LAN.Having a mix of APs on the network does not adversely affect 9160 Wireless Gateway clustering in any way. However, it is helpful to understand the clustering behaviour for administration purposes:
Psion Teklogix 9160 Wireless Gateway User Manual 57Chapter 6: Managing Access Points & ClustersWhich Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?• Access points of the same model will form a cluster.• Access points of other brands will not join the cluster. These APs should be administered with their own associated Administration tools.6.3.4  Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?Most configuration settings defined via the 9160 Wireless Gateway Administration Web pages will be propagated to cluster members as a part of the cluster configuration.6.3.4.1 Settings Shared In The Cluster ConfigurationThe cluster configuration includes:• Network name (SSID).• Administrator password.• Configuration policy.• User accounts and authentication.• Wireless interface settings.• Guest Welcome screen settings.• Network Time Protocol (NTP) settings.• Radio settings.Only Mode, Channel, Fragmentation Threshold, RTS Threshold, and Rate Sets are synchronized across the cluster. Beacon Interval, DTIM Period, Maximum Stations, and Transmit Power do not cluster.Note: When Channel Planning is enabled, the radio Channel is not synched across the cluster. See “Stopping/Starting Automatic Channel Assign-ment” on page 84• Security settings.•QoS queue parameters.• MAC address filtering.
Chapter 6: Managing Access Points & ClustersCluster Mode58 Psion Teklogix 9160 Wireless Gateway User Manual6.3.4.2 Settings Not Shared By The ClusterThe few exceptions (settings not shared among clustered access points) are the fol-lowing, most of which, by nature, must be unique:• IP addresses.• MAC addresses.• Location descriptions.• Load Balancing settings.• WDS bridges.• Ethernet (Wired) Settings.• Guest interface configuration.Settings that are not shared must be configured individually on the Administration pages for each access point. To get to the Administration pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster, Access Points page of the current AP.6.3.5  Cluster ModeWhen an access point is a cluster member, it is considered to be in cluster mode. You define whether you want new access points to join the cluster or not via the configu-ration policy you set in the Basic Settings. (See “Set Configuration Policy For New Access Points” on page 50.) You can re-set an access point in cluster mode to standa-lone mode. (See “Removing An Access Point From The Cluster” on page 61.)Note: When the cluster is full (eight APs is the limit), extra APs are added in stan-dalone mode regardless of the configuration policy in effect for new access points. See “How Many APs Can A Cluster Support?” on page 56.6.3.6  Standalone ModeThe 9160 Wireless Gateway can be configured in standalone mode. In standalone mode, an access point is not a member of the cluster and does not share the cluster configuration, but rather requires manual configuration that is not shared with other access points. (See “Set Configuration Policy For New Access Points” on page 50 and “Removing An Access Point From The Cluster” on page 61.)
Psion Teklogix 9160 Wireless Gateway User Manual 59Chapter 6: Managing Access Points & ClustersCluster FormationStandalone access points are not listed on the Cluster, Access Points tab in the Administration UIs of APs that are cluster members. You need to know the IP addresses for standalone access points in order to configure and manage them directly. (See “Navigating To An AP By Using Its IP Address In A URL” on page 63.)The Basic Settings tab for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster (group). If you click on any of the Cluster tabs on the Administration pages for an access point in standalone mode, you will be redirected to the Basic Settings page because Cluster settings do not apply to standalone APs.Note: When the cluster is full (eight APs is the limit), extra APs are added in stan-dalone mode regardless of the configuration policy in effect for new access points. See “How Many APs Can A Cluster Support?” on page 56.You can re-enable cluster mode on a standalone access point. (See “Adding An Access Point To A Cluster” on page 62.)6.3.7  Cluster FormationA cluster is formed when the first 9160 Wireless Gateway is configured. (See Chapter 4: “Quick Steps For Setup And Launch” and Chapter 5: “Configuring Basic Settings”.)If a cluster configuration policy is in place, when a new access point is deployed, it attempts to rendezvous with an existing cluster.If it is unable to locate a cluster, then it establishes a new cluster on its own.If it locates a cluster but is rejected because the cluster is full, or the clustering policy is to ignore new access points, then the access point will deploy in standalone mode.6.3.8  Cluster Size And MembershipThe upper limit of a cluster is eight access points. The “Cluster” Web administration pages provides a real-time, visual indicator of the number of access points in the current cluster and warn when the cluster has reached capacity. (See “Configure ‘Basic Settings’ And Start The Wireless Network” on page 42.)If a cluster is present but is already full, new access points will deploy in standalone mode.
Chapter 6: Managing Access Points & ClustersIntra-Cluster Security60 Psion Teklogix 9160 Wireless Gateway User Manual6.3.9  Intra-Cluster SecurityTo ensure that the security of the cluster as a whole is equivalent to the security of a single access point, communication of certain data between access points in a cluster is done using Secure Sockets Layer (typically referred to as SSL) with private key encryption.Both the cluster configuration file and the user database are transmitted among access points using SSL.6.3.10  Auto-Synch Of Cluster ConfigurationIf you are making changes to the AP configuration that require a relatively large amount of processing (such as adding several new users), you may encounter a synchronization progress bar after clicking “Update” on any of the Administration pages. The progress bar indicates that the system is busy performing an auto-synch of the updated configuration to all APs in the cluster. The Administration Web pages are not editable during the auto-synch.Note that auto-synchronization always occurs during configuration updates that affect the cluster, but the processing time is usually negligible. The auto-synch progress bar is displayed only for longer-than-usual wait times.6.4  Understanding Access Point SettingsThe Access Points tab provides information about all access points in the cluster. From this tab, you can view location descriptions, IP addresses, enable (activate) or disable (deactivate) clustered access points, and remove access points from the clus-ter. You can also modify the location description for an access point.The IP address links provide a way to navigate to configuration settings and data on an access point. Standalone access points (those which are not members of the clus-ter) are not shown on this page.
Psion Teklogix 9160 Wireless Gateway User Manual 61Chapter 6: Managing Access Points & ClustersModifying The Location DescriptionTable 6.1 describes the access point settings and information display in detail.6.5  Modifying The Location DescriptionTo make modifications to the location description:1. Navigate to the Basic Settings tab.2. Update the Location description in section 1 under “Review Descrip-tion of this Access Point.”3. Click Update button to apply the changes.6.6  Removing An Access Point From The ClusterTo remove an access point from the cluster, do the following.1. Click the checkbox next to the access point so that the box is checked.Field DescriptionLocationDescription of where the access point is physically located.MAC AddressMedia Access Control (MAC) address of the access point.A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address. It is provided here for informational purposes as a unique identifier for the access point.The address shown here is the MAC address for the bridge (br0). This is the address by which the AP is known externally to other networks.To see MAC addresses for Guest and Internal interfaces on the AP, see the Status, Interfaces tab.IP AddressSpecifies the IP address for the access point. Each IP address is a link to the Administration Web pages for that access point. You can use the links to navigate to the Administration Web pages for a specific access point. This is useful for viewing data on a specific access point to make sure a cluster member is picking up cluster configuration changes, to configure advanced settings on a particular access point, or to switch a standalone access point to cluster mode.Table 6.1 Access Point Settings
Chapter 6: Managing Access Points & ClustersAdding An Access Point To A Cluster62 Psion Teklogix 9160 Wireless Gateway User Manual2. Click Remove from Cluster.The change will be reflected under Status for that access point; the access point will now show as standalone (instead of cluster).Note: In some situations it is possible for the cluster to become out of sync. If after removing an access point from the cluster, the AP list still shows the deleted AP or shows an incomplete display; refer to the information on Cluster Recovery in Appendix D: “Troubleshooting” .6.7  Adding An Access Point To A ClusterTo add an access point that is currently in standalone mode back into a cluster, do the following.1. Go to the Administration Web pages for the standalone access point. (See “Navigating To An AP By Using Its IP Address In A URL” on page 63.)The Administration Web pages for the standalone access point are dis-played.2. Click the Basic Settings tab in the Administration pages for the standa-lone access point. The Basic Settings tab for a standalone access point indicates that the current mode is standalone and provides a button for adding the access point to a cluster (group).Note: If you click on any of the Cluster tabs on the Administration pages for an access point in standalone mode, you will be redirected to the Basic Set-tings page because Cluster settings do not apply to standalone APs.3. Click the Join Cluster button.The access point is now a cluster member. Its Status (Mode) on the Clus-ter, Access Points tab now indicates “cluster” instead of “standalone”.Note: In some situations it is possible for the cluster to become out of sync. If after removing an access point from the cluster, the AP list still reflects the deleted AP or shows an incomplete display; refer to the information on Cluster Recovery in Appendix D: “Troubleshooting” .
Psion Teklogix 9160 Wireless Gateway User Manual 63Chapter 6: Managing Access Points & ClustersNavigating To Configuration Information For A Specific AP And Managing Standalone APs6.8  Navigating To Configuration Information For A Specific AP And Managing Standalone APsIn general, the 9160 Wireless Gateway is designed for central management of clus-tered access points. For access points in a cluster, all access points in the cluster reflect the same configuration. In this case, it does not matter which access point you actually connect to for administration.There may be situations, however, when you want to view or manage information on a particular access point. For example, you might want to check status informa-tion such as client associations or events for an access point. Or you might want to configure and manage features on an access point that is running in standalone mode. In these cases, you can navigate to the Administration Web interface for indi-vidual access points by clicking the IP address links on the Access Point’s tab.All clustered access points are shown on the Cluster, Access Points page. To navi-gate to clustered access points, you can simply click on the IP address for a specific cluster member shown in the list.6.8.1  Navigating To An AP By Using Its IP Address In A URLYou can also link to the Administration Web pages of a specific access point by entering the IP address for that access point as a URL directly into a Web browser address bar in the following form:http://IPAddressOfAccessPointwhere IPAddressOfAccessPoint is the address of the particular access point you want to monitor or configure.For standalone access points, this is the only way to navigate to their configuration information.If you do not know the IP address for a standalone access point, use Kickstart to find all the APs on the network and you should be able to derive which ones are standal-one by comparing KickStart findings with access points listed on the Cluster, Access Points tab. The APs that Kickstart finds that are not shown on the this tab are proba-bly standalone APs. (For more information on using Kickstart, see “Run KickStart To Find Access Points On The Network” on page 37.)
Psion Teklogix 9160 Wireless Gateway User Manual 65MANAGING USER ACCOUNTS 77.1  Overview....................................677.2  Navigating To User Management For Clustered Access Points........687.3  Viewing User Accounts............................687.4  Adding A User.................................697.5  Editing A User Account............................707.6  Enabling And Disabling User Accounts....................707.6.1  Enabling A User Account......................717.6.2  Disabling A User Account .....................717.7  Removing A User Account..........................717.8  Backing Up And Restoring A User Database.................717.8.1  Backing Up The User Database...................717.8.2  Restoring A User Database From A Backup File . . . . . . . . . . 72
Psion Teklogix 9160 Wireless Gateway User Manual 67Chapter 7: Managing User AccountsOverview7.1  OverviewThe 9160 Wireless Gateway includes user management capabilities for controlling client access to access points.User management and authentication must always be used in conjunction with the following two security modes, which require use of a RADIUS server for user authentication and management.• IEEE 802.1x mode (see “IEEE 802.1x” on page 131 in Chapter 13: “Con-figuring Security”).• WPA with RADIUS mode (see “WPA/WPA2 Enterprise (RADIUS)” on page 136 in Chapter 13: “Configuring Security”).You have the option of using either the internal RADIUS server embedded in the 9160 Wireless Gateway or an external RADIUS server that you provide. If you use the embedded RADIUS server, use the Administration Web page on the access point to set up and manage user accounts. If you are using an external RADIUS server, you will need to set up and manage user accounts on the Administrative interface for that server.On the User Management page, you can create, edit, remove, and view client user accounts. Each user account consists of a user name and password. The set of users specified here represent approved clients that can log in and use one or more access points to access local, and possibly external, networks via your wireless network.Note: Users specified here are clients of the access point(s) who use the APs as a connectivity hub, not administrators of the wireless network. Only those with the administrator username and password and knowledge of the administration URL can log in as an administrator and view or modify con-figuration settings.
Chapter 7: Managing User AccountsNavigating To User Management For Clustered Access Points68 Psion Teklogix 9160 Wireless Gateway User Manual7.2  Navigating To User Management For Clustered Access PointsTo set up or modify user accounts, click the Cluster, User Management tab.7.3  Viewing User AccountsUser accounts are shown at the top of the screen under User Accounts... . User name, real name, and status (enabled or disabled) are shown. You make modifica-tions to an existing user account by first selecting the checkbox next to a user name and then choosing an action. (See “Editing A User Account” on page 70.)
Psion Teklogix 9160 Wireless Gateway User Manual 69Chapter 7: Managing User AccountsAdding A User7.4  Adding A UserTo create a new user, do the following:1. Under Add a User..., provide information in the following fields.2. When you have filled in the fields, click Add Account to add the account.The new user is then displayed in the User Accounts... . The user account is enabled by default when you first create it.Note: A limit of 100 user accounts per access point is imposed by the Administra-tion user interface. Network usage may impose a more practical limit, depending upon the demand from each user. Field DescriptionUsernameProvide a user name.User names are alphanumeric strings of up to 237 characters. Do not use special characters or spaces.Real NameFor information purposes, provide the user’s full name.There is a 256 character limit on real names.PasswordSpecify a password for this user.Passwords are alphanumeric strings of up to 256 characters. Do not use special characters or spaces.Table 7.1 New User Fields
Chapter 7: Managing User AccountsEditing A User Account70 Psion Teklogix 9160 Wireless Gateway User Manual7.5  Editing A User AccountOnce you have created a user account, it is displayed under User Accounts... at the top of the User Management Administration Web page. To make modifications to an existing user account, first click the checkbox next to the user name so that the box is checked.Then, choose an action such Edit, Enable, Disable, or Remove.7.6  Enabling And Disabling User AccountsA user account must be enabled for the user to log on as a client and use the access point.You can Enable or Disable any user account. With this feature, you can maintain a set of user accounts and authorize or prevent users from accessing the network without having to remove or re-create accounts. This can come in handy in situa-tions where users have an occasional need to access the network. For example, contractors who do work for your company on an intermittent but regular basis might need network access for 3 months at a time, then be off for 3 months, and back on for another assignment. You can enable and disable these user accounts as needed, and control access as appropriate.
Psion Teklogix 9160 Wireless Gateway User Manual 71Chapter 7: Managing User AccountsEnabling A User Account7.6.1  Enabling A User AccountTo enable a user account, click the checkbox next to the user name and click Enable.A user with an account that is enabled can log on to the wireless access points in your network as a client.7.6.2  Disabling A User AccountTo disable a user account, click the checkbox next to the user name and click Disable.A user with an account that is disabled cannot log on to the wireless access points in your network as a client. However, the user remains in the database and can be enabled later as needed.7.7  Removing A User AccountTo remove a user account, click the checkbox next to the user name and click Remove. If you think you might want to add this user back in at a later date, you might con-sider disabling the user rather than removing the account altogether.7.8  Backing Up And Restoring A User DatabaseYou can save a copy of the current set of user accounts to a backup configuration file. The backup file can be used at a later date to restore the user accounts on the AP to the previously saved configuration.7.8.1  Backing Up The User DatabaseTo create a backup copy of the user accounts for this access point:1. Click the [backup or restore the user database] link.A File Download or Open dialog is displayed.2. Choose the Save option on this first dialog.This brings up a file browser.
Chapter 7: Managing User AccountsRestoring A User Database From A Backup File72 Psion Teklogix 9160 Wireless Gateway User ManualUse the file browser to navigate to the directory where you want to save the file, and click OK to save the file.You can keep the default file name (wirelessUsers.ubk) or rename the backup file, but be sure to save the file with a .ubk extension.7.8.2  Restoring A User Database From A Backup FileTo restore a user database from a backup file:1. Select the backup configuration file you want to use, either by typing the full path and file name in the Restore field or click Browse and select the file.(Only those files that were created with the User Database Backup func-tion and saved as .ubk backup configuration files are valid to use with Restore; for example, wirelessUsers.ubk.)2. Click the Restore button.When the backup restore process is complete, a message is shown to indi-cate that the user database has been successfully restored. (This process is not time-consuming; the restore should complete almost immediately.)Click the Cluster, User Management tab to see the restored user accounts.
Psion Teklogix 9160 Wireless Gateway User Manual 73SESSION MONITORING 88.1  Navigating To Session Monitoring......................758.2  Understanding Session Monitoring Information ...............768.3  Viewing Session Information For Access Points...............778.4  Sorting Session Information..........................788.5  Refreshing Session Information........................78
Psion Teklogix 9160 Wireless Gateway User Manual 75Chapter 8: Session MonitoringNavigating To Session MonitoringThe 9160 Wireless Gateway provides real-time session monitoring information, including which clients are associated with a particular access point, data rates, transmit/receive statistics, signal strength, and idle time.8.1  Navigating To Session MonitoringTo view session monitoring information, click the Cluster, Sessions tab.
Chapter 8: Session MonitoringUnderstanding Session Monitoring Information76 Psion Teklogix 9160 Wireless Gateway User Manual8.2  Understanding Session Monitoring InformationThe Sessions page shows information on client stations associated with access points in the cluster. Each client is identified by user name and user MAC address, along with the AP (location) to which it is currently connected.To view a particular statistic for client sessions, select an item from the Display drop-down list and click Go. You can view information on Idle Time, Data Rate, Signal, Utilization, and so on; all of which are described in detail in Table 8.1.A “session” in this context is the period of time in which a user on a client device (station) with a unique MAC address maintains a connection with the wireless net-work. The session begins when the client logs on to the network, and the session ends when the client either logs off intentionally or loses the connection for some other reason.Notes: A session is not the same as an association, which describes a client con-nection to a particular access point. A client network connection can shift from one clustered AP to another within the context of the same session. A client station can roam between APs and maintain the session.For information about monitoring associations and link integrity monitor-ing, see “Associated Wireless Clients” on page 214.Details about the session information shown is described below.Field DescriptionUser NameIndicates the client user name of IEEE 802.1x clients.Note: This field is relevant only for clients that are connected to APs using IEEE 802.1x security mode and local authentication server. (For more information about this mode, see “IEEE 802.1x” on page 131.) For clients of APs using IEEE 802.1x with RADIUS server or other security modes, no user name will be shown here.AP LocationIndicates the location of the access point.This is derived from the location description specified on the Basic Settings tab.User MAC AddressIndicates the MAC address of the user’s client device (station).A MAC address is a hardware address that uniquely identifies each node of a network. Table 8.1 Client Session Statistics
Psion Teklogix 9160 Wireless Gateway User Manual 77Chapter 8: Session MonitoringViewing Session Information For Access Points8.3  Viewing Session Information For Access PointsYou can view session information for all access points on the network at the same time, or set the display to show session information for a specified access point chosen from the drop-down menu at the top of the screen.To view information on all access points, select the Show all access points radio button at the top of the page.To view session information on a particular access point, select the Show only this access point radio button and choose the access point name from the drop-down menu.Idle TimeIndicates the amount of time this station has remained inactive.A station is considered to be “idle” when it is not receiving or transmitting data.Data RateThe speed at which this access point is transferring data to the specified client.The data transmission rate is measured in megabits per second (Mbps).This value should fall within the range of the advertised rate set for the IEEE 802.1x mode in use on the access point. For example, 6 to 54Mbps for 802.11a, SignalIndicates the strength of the radio frequency (RF) signal the client receives from the access point.The measure used for this is an IEEE 802.1x value known as Received Signal Strength Indica-tion (RSSI), and will be a value between 0 and 100.RSSI is determined by a an IEEE 802.1x mechanism implemented on the network interface card (NIC) of the client station.UtilizationUtilization rate for this station.For example, if the station is “active” (transmitting and receiving data) 90% of the time, and inac-tive 10% of the time, its “utilization rate” is 90%.Receive TotalIndicates number of total packets received by the client during the current session.Transmit TotalIndicates number of total packets transmitted to the client during this session.Error RateIndicates the percentage of time frames are dropped during transmission on this access point.Field DescriptionTable 8.1 Client Session Statistics
Chapter 8: Session MonitoringSorting Session Information78 Psion Teklogix 9160 Wireless Gateway User Manual8.4  Sorting Session InformationTo order (sort) the information shown in the tables by a particular indicator, click on the column label by which you want to order things. For example, if you want to see the table rows ordered by Utilization rate, click on the Utilization column label. The entries will be sorted by Utilization rate.8.5  Refreshing Session InformationYou can force an update of the information displayed on the Session Monitoring page by clicking the Refresh button.
Psion Teklogix 9160 Wireless Gateway User Manual 79CHANNEL MANAGEMENT 99.1  Navigating To Channel Management.....................819.2  Understanding Channel Management.....................819.2.1  How It Works In A Nutshell ....................829.2.2  For The Curious: More About Overlapping Channels . . . . . . . 829.2.3  Example: A Network Before And After Channel Management . . 829.3  Configuring And Viewing Channel Management Settings..........849.3.1  Stopping/Starting Automatic Channel Assignment . . . . . . . . . 849.3.2  Viewing Current Channel Assignments And Setting Locks . . . . 859.3.3  Viewing Last Proposed Set Of Changes . . . . . . . . . . . . . . 869.3.4  Configuring Advanced Settings (Customizing And Scheduling Channel Plans) ...........................86
Psion Teklogix 9160 Wireless Gateway User Manual 81Chapter 9: Channel ManagementNavigating To Channel Management9.1  Navigating To Channel ManagementTo view session monitoring information, click the Cluster, Channel Management tab.9.2  Understanding Channel ManagementWhen Channel Management is enabled, the 9160 Wireless Gateway automatically assigns radio channels used by clustered access points to reduce mutual interference (or interference with other access points outside of its cluster). This maximizes Wi-Fi bandwidth and helps maintain the efficiency of communication over your wireless network.(You must start channel management to get automatic channel assignments; it is disabled by default on a new AP. See “Stopping/Starting Automatic Channel Assignment” on page 84.)
Chapter 9: Channel ManagementHow It Works In A Nutshell82 Psion Teklogix 9160 Wireless Gateway User Manual9.2.1  How It Works In A NutshellAt a specified interval (the default is 1 hour) or on demand (click Update), the Channel Manager maps APs to channel use and measures interference levels in the cluster. If significant channel interference is detected, the Channel Manager auto-matically re-assigns some or all of the APs to new channels per an efficiency algo-rithm (or automated channel plan).9.2.2  For The Curious: More About Overlapping ChannelsThe radio frequency (RF) broadcast Channel defines the portion of the radio spec-trum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point.IEEE 802.11b/802.11g modes (802.11 b/g) support use of channels 1 through 11 inclusive, while IEEE 802.11a mode supports a larger set of non-consecutive chan-nels (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165).Interference can occur when multiple access points within range of each other are broadcasting on the same or overlapping channels. The impact of this interference on network performance can intensify during busy times when a large amount of data and media traffic are competing for bandwidth.The Channel Manager detects which bands (b/g or a) clustered APs are on, and uses a predetermined collection of channels that will not mutually interfere. For the “b/g” radio band, the classical set of non-interfering channels is 1, 6, 11. Channels 1, 4, 8, 11 produce minimal overlap. A similar set of non-interfering channels is used for the “a” radio band, which includes all channels for that mode since they are not overlapping.9.2.3  Example: A Network Before And After Channel ManagementWithout automated channel management, channel assignments to clustered APs might be made on consecutive channels, which would overlap and cause interfer-ence. For example, AP1 could be assigned to channel 6, AP2 to channel 6, and AP3 to channel 5 as shown in Figure 9.1 on page 83.
Psion Teklogix 9160 Wireless Gateway User Manual 83Chapter 9: Channel ManagementExample: A Network Before And After Channel ManagementFigure 9.1 Without Automatic Channel ManagementWith automated channel management, APs in the cluster are automatically re-assigned to non-interfering channels as shown in Figure 9.2.Figure 9.2 With Channel Management EnabledAP3AP1Channel 6(802.11b)AP2Channel 6(802.11b)Channel 5(802.11b)Channel 6(802.11b)AP5Channel 7(802.11b)AP4Client Station Client StationInterference from APson same channel (6)Interference fromAPs on adjacent channels(5,6,7)AP2Channel 6(802.11b)AP1Channel 1(802.11b) Channel 1(802.11b)AP4AP3Channel 11(802.11b)AP5Channel 6(802.11b)Client StationClient Station
Chapter 9: Channel ManagementConfiguring And Viewing Channel Management Settings84 Psion Teklogix 9160 Wireless Gateway User Manual9.3  Configuring And Viewing Channel Management SettingsThe Channel Management page shows previous, current, and planned channel assignments for clustered access points. By default, automatic channel assignment is disabled. You can start channel management to optimize channel usage across the cluster on a scheduled interval.From this page, you can view channel assignments for all APs in the cluster, stop/start automatic channel management, and manually “update” the current channel map (APs to channels). On a manual update, the Channel Manager will assess channel usage and, if necessary, re-assign APs to new channels to reduce interference based on the current Advanced Settings.By using the Advanced settings you can modify the interference reduction potential that triggers channel re-assignment, change the schedule for automatic updates, and re-configure the channel set used for assignments.The following sections describe how to configure and use channel management on your network:• “Stopping/Starting Automatic Channel Assignment” on page 84.• “Viewing Current Channel Assignments And Setting Locks” on page 85.• “Update Current Channel Settings (Manual)” on page 86.• “Viewing Last Proposed Set Of Changes” on page 86.• “Configuring Advanced Settings (Customizing And Scheduling Channel Plans)” on page 86.• “Update Advanced Settings” on page 88.9.3.1  Stopping/Starting Automatic Channel AssignmentBy default, automatic channel assignment is disabled (off).•Click Start to resume automatic channel assignment.When automatic channel assignment is enabled, the Channel Manager peri-
Psion Teklogix 9160 Wireless Gateway User Manual 85Chapter 9: Channel ManagementViewing Current Channel Assignments And Setting Locksodically maps radio channels used by clustered access points and, if neces-sary, re-assigns channels on clustered APs to reduce interference (with cluster members or other APs outside the cluster).Note: Channel Management overrides the default cluster behaviour, which is to synchronize radio channels of all APs across a cluster. When Channel Man-agement is enabled, the radio Channel is not synched across the cluster to other APs. See the note under Radio Settings in “Settings Shared In The Cluster Configuration” on page 57.•Click Stop to stop automatic channel assignment. (No channel usage maps or channel re-assignments will be made. Only manual updates will affect the channel assignment.)9.3.2  Viewing Current Channel Assignments And Setting LocksThe Current Channel Settings shows a list of all access points in the cluster by IP Address. The display shows the band on which each AP is broadcasting (a or b), the current channel used by each AP, and an option to “lock” an AP on its current radio channel so that it cannot be re-assigned to another. Details about Current Channel Settings are provided below.Field DescriptionIP AddressSpecifies the IP Address for the access point.BandIndicates the band (b/g or a) on which the access point is broadcasting.CurrentIndicates the radio Channel on which this access point is currently broadcasting.LockedClick Locked if you want to this access point to remain on the current channel.When the “Locked” checkbox is checked (enabled) for an access point, automated channel management plans will not re-assign the AP to a different channel as a part of the optimization strategy. Instead, APs with locked channels will be factored in as requirements for the plan.If you click Update, you will see that locked APs show the same channel for “Current Channel” and “Proposed Channel”. Locked APs will keep their current channels.Table 9.3 Current Channel Settings
Chapter 9: Channel ManagementViewing Last Proposed Set Of Changes86 Psion Teklogix 9160 Wireless Gateway User Manual9.3.2.1 Update Current Channel Settings (Manual)You can run a manual channel management update at any time by clicking Update under the Current Channel Settings display.9.3.3  Viewing Last Proposed Set Of ChangesThe Last Proposed Set of Channel Changes shows the last channel plan. The plan lists all access points in the cluster by IP Address, and shows the current and pro-posed channels for each AP. Locked channels will not be re-assigned and the optimization of channel distribution among APs will take into account the fact that locked APs must remain on their current channels. APs that are not “Locked” may be assigned to different channels than they were previously using, depending on the results of the plan.9.3.4  Configuring Advanced Settings (Customizing And Scheduling Channel Plans)If you use Channel Management as provided (without updating Advanced Settings), channels are automatically fine-tuned once every hour if interference can be reduced by 25 percent or more. Channels will be re-assigned even if the network is busy. The appropriate channel sets will be used (‘b/g’ for APs using IEEE 802.11b/g and ‘a’ for APs using IEEE 802.11a).These defaults are designed to satisfy most scenarios where you would need to implement channel management.You can use Advanced Settings to modify the interference reduction potential that triggers channel re-assignment, change the schedule for automatic updates, and re-configure the channel set used for assignments.Field DescriptionIP AddressSpecifies the IP Address for the access point.CurrentIndicates the radio channel on which this access point is currently broadcasting.ProposedIndicates the radio channel to which this access point would be re-assigned if the Channel Plan is exe-cuted.Table 9.4 AP’s Channel Plan
Psion Teklogix 9160 Wireless Gateway User Manual 87Chapter 9: Channel ManagementConfiguring Advanced Settings (Customizing And Scheduling Channel Plans)Field DescriptionAdvancedClick the “Advanced” toggle to show / hide display settings that modify timing and details of the channel planning algorithm. By default, these settings are hidden. Change channels if interference is reduced by at least__Specify the minimum percentage of interference reduction a proposed plan must achieve in order to be applied. The default is 25 percent.Use the drop-down menu to choose percentages ranging from 25% to 75%.This setting lets you set a gating factor for channel re-assignment so that the network is not continually disrupted for minimal gains in efficiency.For example, if channel interference must be reduced by 75%, and the proposed channel assignments will only reduce interference by 30%, then channels will not be re-assigned. However; if you re-set the minimal channel interference benefit to 25% and click Update, the proposed channel plan will be implemented and channels re-assigned as needed.Determine if there is better set of channels every__Use the drop-down menu to specify the schedule for automated updates.A range of intervals is provided, from “1 Minute” to “6 Months”. The default is “1 Hour” (channel usage re-assessed and the resulting channel plan applied every hour).Use these channels when apply-ing channel assignmentsChoose a set of non-interfering channels on a particular band (“b/g” or “a”). The choices are:• b/g channels 1-6-11• b/g channels 1-4-8-11•AIEEE 802.11b/802.11g modes (802.11 b/g) support use of channels 1 through 11. For the “b/g” radio band, the classic set of non-interfering channels is 1, 6, 11. Channels 1, 4, 8, 11 produce minimal overlap.IEEE 802.11a mode supports a larger set of non-consecutive channels (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165). All “a” band channels are non-interfering.Apply channel modifications even when the network is busyClick to enable or disable this setting.A checkmark indicates it is enabled and channel modifications will be applied even when the network is busy. If this is not checked, channel modifications will not be applied on a busy network.This setting (along with the interference reduction setting) is designed to help weigh the cost/benefit impact on network performance of re-assigning channels against the inherent disruption it can cause to clients during a busy time.Table 9.5 Advanced Settings
Chapter 9: Channel ManagementConfiguring Advanced Settings (Customizing And Scheduling Channel Plans)88 Psion Teklogix 9160 Wireless Gateway User Manual9.3.4.1 Update Advanced SettingsClick Update under Advanced Settings to apply these settings.Advanced Settings will take effect when they are applied, and influence how automatic channel management is performed. (The new interference reduction min-imum, scheduled tuning interval, channel set, and network busy settings will be taken into account for automated and manual updates.)
Psion Teklogix 9160 Wireless Gateway User Manual 89WIRELESS NEIGHBORHOOD 1010.1  Navigating To Wireless Neighborhood . . . ................9110.2  Understanding Wireless Neighborhood Information. . . ..........9110.3  Viewing Wireless Neighborhood.......................9210.4  Viewing Details For A Cluster Member...................94
Psion Teklogix 9160 Wireless Gateway User Manual 91Chapter 10: Wireless NeighborhoodNavigating To Wireless NeighborhoodThe Wireless Neighborhood screen shows those access points within range of any access point in the cluster. This page provides a detailed view of neighboring access points, including identifying information (SSIDs and MAC addresses) for each, cluster status (which are members and non-members), and statistical information such as the channel each AP is broadcasting on, signal strength, and so forth.10.1  Navigating To Wireless NeighborhoodTo view the Wireless Neighborhood, click the Cluster, Wireless Neighborhood tab.Figure 10.1 Neighbor APs Both In Cluster And Not In Cluster10.2  Understanding Wireless Neighborhood InformationThe Wireless Neighborhood view shows all access points within range of every member of the cluster, shows which access points are within range of which cluster members, and distinguishes between cluster members and non-members.
Chapter 10: Wireless NeighborhoodViewing Wireless Neighborhood92 Psion Teklogix 9160 Wireless Gateway User ManualFor each neighbor access point, the Wireless Neighborhood view shows identifying information (SSID or Network Name, IP Address, MAC address) along with radio statistics (signal strength, channel, beacon interval). You can click on an AP to get additional statistics about the APs in radio range of the currently selected AP. The Wireless Neighborhood view can help you:• Detect and locate unexpected (or rogue) access points in a wireless domain so that you can take action to limit associated risks.• Verify coverage expectations. By assessing which APs are visible at what signal strength from other APs, you can verify that the deployment meets your planning goals.• Detect faults. Unexpected changes in the coverage pattern are evident at a glance in the colour-coded table.10.3  Viewing Wireless NeighborhoodDetails about Wireless Neighborhood information shown is described below.Field DescriptionDisplay neighboring APsClick one of the following radio buttons to change the view:•In cluster - Shows only neighbor APs that are members of the cluster.•Not in cluster - Shows only neighbor APs that are not cluster members.•Both - Shows all neighbor APs (cluster members and non-members).ClusterThe “Cluster” list at the top of the table shows IP addresses for all access points in the cluster. (This is the same list of cluster members shown on the Cluster, Access Points tab described in “Navigating To Access Points Management” on page 55.)If there is only one AP in the cluster, only a single IP address column will be displayed here; indicating that the AP is “clustered with itself”.You can click on an IP address to view more details on a particular AP as shown in Figure 10.3 on page 94.Table 10.2 Wireless Neighborhood Statistics
Psion Teklogix 9160 Wireless Gateway User Manual 93Chapter 10: Wireless NeighborhoodViewing Wireless NeighborhoodNeighborsAccess points which are neighbors of one or more of the clustered APs are listed in the left column by SSID (Network Name). An access point which is detected as a neighbor of a cluster member can also be a cluster member itself. Neighbors who are also cluster members are always shown at the top of the list with a heavy bar above and include a location indicator.The coloured bars to the right of each AP in the Neighbors list shows the signal strength for each of the neighbor APs as detected by the cluster member whose IP address is shown at the top of the column:•Dark Blue Bar - A dark blue bar and a high signal strength number (for example 50) indicates good signal strength detected from the Neighbor seen by the AP whose IP address is listed above that column.•Lighter Blue Bar - A lighter blue bar and a lower signal strength number (for example 20 or lower) indicates medium or weak signal strength from the Neighbor seen by the AP whose IP address is listed above that column.•White Bar - A white bar and the number 0 indicates that a neighboring AP that was detected by one of the cluster members cannot be detected by the AP whose IP address is listed above that column.•Light Gray Bar - A light gray bar and no signal strength number indicates a Neighbor that is detected by other cluster members but not by the AP whose IP address is listed above that column.•Dark Gray Bar - A dark gray bar and no signal strength number indicates this is the AP whose IP address is listed above that column (since it is not applicable to show how well the AP can detect itself).Field DescriptionTable 10.2 Wireless Neighborhood StatisticsThis AP (a cluster member) can be seen by the AP whoseIP address is 10.10.100.246 (at a signal strength of 54) . . .. . . but not by the AP whose address is 10.10.100.223
Chapter 10: Wireless NeighborhoodViewing Details For A Cluster Member94 Psion Teklogix 9160 Wireless Gateway User Manual10.4  Viewing Details For A Cluster MemberTo view details on a cluster member AP, click on the IP address of a cluster member at the top of the page.Figure 10.3 Details For A Cluster Member AP
Psion Teklogix 9160 Wireless Gateway User Manual 95Chapter 10: Wireless NeighborhoodViewing Details For A Cluster MemberThe following table explains the details shown about the selected AP.Field DescriptionSSIDThe Service Set Identifier (SSID) for the access point.The SSID is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name.The SSID is set in Basic Settings (Chapter 5: “Configuring Basic Settings”) or in Advanced, Wireless Settings (Chapter 12: “Setting the Wireless Interface”.)A Guest network and an Internal network running on the same access point must always have two dif-ferent network names. MAC AddressShows the MAC address of the neighboring access point.A MAC address is a hardware address that uniquely identifies each node of a network. ChannelShows the channel on which the access point is currently broadcasting.The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving.The channel is set in Advanced, Radio Settings. (See Chapter 16: “Configuring Radio Settings”.)RateShows the rate (in megabits per second) at which this access point is currently transmitting.The current rate will always be one of the rates shown in Supported Rates.SignalIndicates the strength of the radio signal emitting from this access point as measured in decibels (Db).Beacon IntervalShows the Beacon interval being used by this access point.Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behaviour is to send a beacon frame once every 100 milliseconds (or 10 per second).The Beacon Interval is set on Advanced, Radio Settings. (See Chapter 16: “Configuring Radio Set-tings”.)Last Beacon(Beacon Age)Shows the date and time of the most recent beacon was transmitted from the access point.Table 10.4 Access Point Statistics
Psion Teklogix 9160 Wireless Gateway User Manual 97THE E THERNET (WIRED) INTERFACE1111.1  Navigating To Ethernet (Wired) Settings...................9911.1.1  Setting The DNS Name......................10011.1.2  Enabling Or Disabling Guest Access ...............10011.1.2.1  Configuring An Internal LAN And A Guest Network . .10011.1.2.2  Enabling Or Disabling Guest Access . . . . . . . . . . .10111.1.2.3  Specifying A Virtual Guest Network . . . . . . . . . . .10111.1.3  Enabling / Disabling Virtual Wireless Networks On The AP . . .10211.1.4  Configuring Internal Interface Ethernet Settings .........10211.1.5  Configuring Guest Interface Ethernet (Wired) Settings . . . . . .10411.1.6  Updating Settings .........................104
Psion Teklogix 9160 Wireless Gateway User Manual 99Chapter 11: The Ethernet (Wired) InterfaceNavigating To Ethernet (Wired) SettingsEthernet (Wired) Settings describe the configuration of your Ethernet local area network (LAN).Note: The Ethernet Settings are not shared across the cluster. These settings must be configured individually on the Administration pages for each access point. To get to the Administration pages for an access point that is a mem-ber of the current cluster, click on its IP Address link on the Cluster, Access Points page of the current AP. For more information about which settings are shared by the cluster and which are not, see “Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?” on page 57.The following sections describe how to configure “Wired” address and related set-tings on the 9160 Wireless Gateway:11.1  Navigating To Ethernet (Wired) SettingsTo set the wired address for an access point, navigate to the Advanced, Ethernet (Wired) Settings tab, and update the fields as described below.
Chapter 11: The Ethernet (Wired) InterfaceSetting The DNS Name100 Psion Teklogix 9160 Wireless Gateway User Manual11.1.1  Setting The DNS Name11.1.2  Enabling Or Disabling Guest AccessYou can provide controlled guest access over an isolated network and a secure inter-nal LAN on the same 9160 Wireless Gateway.11.1.2.1 Configuring An Internal LAN And A Guest NetworkA Local Area Network (LAN) is a communications network covering a limited area, for example, one floor of a building. A LAN connects multiple computers and other network devices like storage and printers. Ethernet is the most common technology implementing a LAN. Wi-Fi (IEEE) is another very popular LAN technology.The 9160 Wireless Gateway allows you to configure two different LANs on the same access point: one for a secure internal LAN and another for a public guest network with no security and little or no access to internal resources. To configure these networks, you need to provide both Wireless and Ethernet (Wired) settings.Information on how to configure the Ethernet (Wired) settings is provided in the sections below.(For information on how to configure the Wireless settings, see Chapter 12: “Setting the Wireless Interface”. For an overview of how to set up the Guest interface, see Chapter 14: “Setting up Guest Access”.)Field DescriptionDNS NameEnter the DNS name for the access point in the text box.This is the host name. It may be provided by your ISP or network administrator, or you can provide your own.The rules for system names are:• This name can be up to 20 characters long.• Only letters, numbers and dashes are allowed.• The name must start with a letter and end with either a letter or a number.Table 11.1 Setting DNS Name
Psion Teklogix 9160 Wireless Gateway User Manual 101Chapter 11: The Ethernet (Wired) InterfaceEnabling Or Disabling Guest Access11.1.2.2 Enabling Or Disabling Guest AccessThe 9160 Wireless Gateway ships with the Guest Access feature disabled by default. If you want to provide guest access on your AP, enable Guest access on the Ethernet (Wired) Settings tab.11.1.2.3 Specifying A Virtual Guest NetworkIf you enable Guest Access, you must create both an “Internal” and “Guest Net-work” on this access point virtually, by connecting the LAN port on the access point to a tagged port on a VLAN capable switch, and then defining two different Virtual LANs on this Administration page. (For more information, see Chapter 14: “Setting up Guest Access”.) Create the virtually separate internal and guest LANs as described in Table 11.3.Field DescriptionGuest AccessBy default, the 9160 Wireless Gateway ships with Guest Access disabled.• To enable Guest Access, click Enabled.• To disable Guest Access, click Disabled.Table 11.2 Enabling/Disabling Guest AccessField DescriptionGuest Access• Select Enabled to enable Guest Access. (If you choose this option, you must select VLANs on the next setting, For Guest access use, and then provide details on VLAN for the Guest Network on the rest of the page.)• Select Disabled to disable Guest Access.For Guest access, useSpecify a virtually separate guest network on this access point:• Since the access point is using only one physical connection to your internal LAN, choose VLAN on Ethernet Port 1 from the drop-down menu. This will enable the “VLAN” settings where you must provide a VLAN ID. See “Configuring Guest Interface Ethernet (Wired) Settings” on page 104.Important: If you reconfigure the Guest and Internal interfaces to use VLANs, you may lose connectivity to the access point. First, be sure to verify that the switch and DHCP server you are using can support VLANs per the IEEE 802.1Q standard. After con-figuring the VLAN on the Advanced, Ethernet (Wired) Settings page, physically reconnect the Ethernet cable on the switch to the tagged packet (VLAN) port. Then, re-connect via the Administration Web pages to the new IP address. (If necessary, check with the infrastructure support administrator regarding the VLAN and DHCP configurations.)Table 11.3 Specifying A Virtual Guest Network
Chapter 11: The Ethernet (Wired) InterfaceEnabling / Disabling Virtual Wireless Networks On The AP102 Psion Teklogix 9160 Wireless Gateway User Manual11.1.3  Enabling / Disabling Virtual Wireless Networks On The APIf you want to configure the Internal network as a VLAN (whether or not you have a Guest network configured), you can enable “Virtual Wireless Networks” on the access point.You must enable this feature if you want to configure additional virtual networks on VLANs on the Advanced > Virtual Wireless Networks tab as described in “Config-uring VLANs” on page 149.11.1.4  Configuring Internal Interface Ethernet SettingsTo configure Ethernet (wired) settings for the Internal LAN, fill in the fields as described in Table 11.4.Field DescriptionVirtual Wireless Networks(Using VLANs on Ethernet Port 1)•Select Enabled to enable VLANs for the Internal network and for additional networks. (If you choose this option, you can run the Internal network on a VLAN whether or not you have Guest Access configured and you can set up additional networks on VLANs using the Advanced > Virtual Wireless Networks tab as described in “Configuring VLANs” on page 149.)•Select Disabled to disable the VLAN for the Internal network, and for any additional virtual networks on this access point.Field DescriptionMAC AddressShows the MAC address for the Internal interface for the Ethernet port on this access point. This is a read-only field that you cannot change.VLAN IDIf you choose to configure Internal and Guest networks by “VLANs”, this field will be enabled.Provide a number between 1 and 4094 for the Internal VLAN.This will cause the access point to send DHCP requests with the VLAN tag. The switch and the DHCP server must support VLAN IEEE 802.1Q frames. The access point must be able to reach the DHCP server.Check with the Administrator regarding the VLAN and DHCP configurations.Table 11.4 Ethernet Settings For Internal LAN
Psion Teklogix 9160 Wireless Gateway User Manual 103Chapter 11: The Ethernet (Wired) InterfaceConfiguring Internal Interface Ethernet SettingsConnection TypeYou can select DHCP or Static IP.The Dynamic Host Configuration Protocol (DHCP) is a protocol specifying how a centralized server can provide network configuration information to devices on the network. A DHCP server “offers” a “lease” to the client system. The information supplied includes the IP addresses and net-mask, plus the address of its DNS servers and gateway. Static IP indicates that all network settings are provided manually. You must provide the IP address for the 9160 Wireless Gateway, its subnet mask, the IP address of the default gateway, and the IP address of at least one DNS nameserver.If you select DHCP, the 9160 Wireless Gateway will acquire its IP Address, subnet mask, and DNS and gateway information from the DHCP Servers.Otherwise, if you select Static IP, fill in the items described in Static IP Settings.Important: If you do not have a DHCP server on the Internal network and do not plan to use one, the first thing you must do after bringing up the AP is change the Connection Type from DHCP to Static IP. When you change the Connection Type to Static IP, you can either assign a new Static IP Address to the AP or continue using the default address. We recom-mend assigning a new address so that if later you bring up another 9160 Wireless Gateway on the same network, the IP addresses for the two APs will be unique.If you need to recover the default Static IP address, you can do so by resetting the AP to the fac-tory defaults as described in “Resetting The Configuration To Factory Defaults” on page 218.Static IP AddressIf you chose Static IP as the Connection Type, these fields will be enabled.Enter the Static IP Address in the text boxes.Subnet MaskEnter the Subnet Mask in the text boxes. You must obtain this information from your ISP or net-work administrator.Field DescriptionTable 11.4 Ethernet Settings For Internal LAN
Chapter 11: The Ethernet (Wired) InterfaceConfiguring Guest Interface Ethernet (Wired) Settings104 Psion Teklogix 9160 Wireless Gateway User Manual11.1.5  Configuring Guest Interface Ethernet (Wired) SettingsTo configure Ethernet (Wired) Settings for the “Guest” interface, fill in the fields as described below.11.1.6  Updating SettingsTo apply your changes, click Update. Default GatewayEnter the Default Gateway in the text boxes.DNS NameserversThe Domain Name Service (DNS) is a system that resolves the descriptive name (domainname) of a network resource (for example, www.psionteklogix.com) to its numeric IP address (for example, 66.93.138.219). A DNS server is called a Nameserver.There are usually two Nameservers; a Primary Nameserver and a Secondary Nameserver.You can choose Dynamic or Manual mode.• If you choose Manual, you should assign static IP addresses manually.• If you choose Dynamic, the IP addresses for the DNS servers will be assigned auto-matically via DHCP. (This option is only available if you specified DHCP for the Con-nection Type.)Field DescriptionMAC AddressShows the MAC address for the Guest interface for the Ethernet port on this access point. This is a read-only field that you cannot change.VLAN IDIf you choose to configure Internal and Guest networks by “VLANs”, this field will be enabled.Provide a number between 1 and 4094 for the Guest VLAN.SubnetShows the subnetwork address for the Guest interface. For example, 192.168.1.0.Table 11.5 Configuring Guest Interface Ethernet SettingsField DescriptionTable 11.4 Ethernet Settings For Internal LAN
Psion Teklogix 9160 Wireless Gateway User Manual 105SETTING THE WIRELESS INTERFACE1212.1  Navigating To Wireless Settings......................10712.2  Configuring 802.11d Regulatory Domain Support . . . .........10812.3  Configuring The Radio Interface......................10812.4  Configuring “Internal” Wireless LAN Settings..............11012.5  Configuring “Guest” Network Wireless Settings .............11112.6  Updating Settings..............................111
Psion Teklogix 9160 Wireless Gateway User Manual 107Chapter 12: Setting the Wireless InterfaceNavigating To Wireless SettingsWireless Settings describes aspects of the local area network (LAN) related specifi-cally to the radio device in the access point (802.11 Mode and Channel) and to the network interface to the access point (MAC address for access point and Wireless Network name, also known as SSID).The following sections describe how to configure the “Wireless” address and related settings on the 9160 Wireless Gateway.12.1  Navigating To Wireless SettingsTo set the wireless address for an access point, navigate to the Advanced, Wireless Settings tab, and update the fields as described below.Note: The following figure shows the Wireless settings page for a two-radio AP. The Administration Web page for the single-radio AP will look slightly different.
Chapter 12: Setting the Wireless InterfaceConfiguring 802.11d Regulatory Domain Support108 Psion Teklogix 9160 Wireless Gateway User Manual12.2  Configuring 802.11d Regulatory Domain SupportYou can enable or disable IEEE 802.11d Regulatory Domain Support to broadcast the access point country code information as described below.12.3  Configuring The Radio InterfaceThe radio interface allows you to set the radio Channel and 802.11 mode as described below.Note: On a two-radio AP, you must configure these radio interface settings for both Radio Interface One and Radio Interface Two.802.11d Regulatory Domain SupportEnabling support for IEEE 802.11d on the access point causes the AP to broadcast which coun-try it is operating in as a part of its beacons:• To enable 802.11d regulatory domain support click Enabled.• To disable 802.11d regulatory domain support click Disabled.Note: The IEEE 802.11d defines standard rules for the operation of IEEE 802.11 wireless LANs in any country without reconfiguration. IEEE 802.11d allows cli-ent stations to operate in any country without reconfiguration. The 9160 Wire-less Gateway must be configured by the Manufacturer via the command line interface (CLI) country codes for operation in a particular country.Table 12.1 802.11d Regulatory Domain SupportField DescriptionMAC Addresses(Shown on two-radio AP only)Indicates the Media Access Control () addresses for the interface.On the two-radio AP only, the MAC addresses for Radio Interface One (Internal/Guest) and Radio Interface Two (Internal/Guest) are shown.A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You can-not change the MAC address. It is provided here for informational purposes as a unique identifier for an interface.Table 12.2 Radio Interface Settings
Psion Teklogix 9160 Wireless Gateway User Manual 109Chapter 12: Setting the Wireless InterfaceConfiguring The Radio InterfaceModeThe Mode defines the Physical Layer (PHY) standard being used by the radio.The 9160 Wireless Gateway is available as a single or dual-band access point with one or two radios. The configuration options for Mode differ depending on which product you have.Single-Band AP:For the Single-Band AP, select one of these modes:• IEEE 802.11b• IEEE 802.11gDual-Band AP:For the dual-band AP, select one of these modes: a mode for each Radio Interface.• IEEE 802.11b• IEEE 802.11g•IEEE 802.11aOne or Two-Radio AP:If you have a two-radio AP, select an IEEE 802.11 mode for each of the two radio inter-faces. (For a one-radio AP there is only one radio interface.)ChannelSelect the Channel. The range of channels and the default is determined by the Mode of the radio interface.The Channel defines the portion of the radio spectrum the radio uses for transmitting and receiving. Each mode offers a number of channels, dependent on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission (FCC) or the International Telecommunication Union (ITU-R).The default is Auto, which picks the least busy channel at startup time.Field DescriptionTable 12.2 Radio Interface Settings
Chapter 12: Setting the Wireless InterfaceConfiguring “Internal” Wireless LAN Settings110 Psion Teklogix 9160 Wireless Gateway User Manual12.4  Configuring “Internal” Wireless LAN SettingsThe Internal Settings describe the MAC Address (read-only) and Network Name (also known as the SSID) for the internal Wireless LAN (WLAN) as described in Table 12.3.Field DescriptionMAC AddressShows the MAC address(es) for Internal interface for this access point. This is a read-only field that you cannot change.Although this access is point is physically a single device, it can be represented on the network as two or more nodes each with a unique MAC Address. This is accomplished by using multiple Basic Service Set Identifiers (BSSIDs) for a single access point.The MAC address(es) shown for the “Internal” access point is the BSSID(s) for the “Internal” interface.For the two-radio AP, two MAC addresses are shown: one for each Radio on the Internal interface.Wireless Network Name (SSID)Enter the SSID for the internal WLAN.The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name. There are no restrictions on the characters that may be used in an SSID.Table 12.3 Wireless LAN Settings
Psion Teklogix 9160 Wireless Gateway User Manual 111Chapter 12: Setting the Wireless InterfaceConfiguring “Guest” Network Wireless Settings12.5  Configuring “Guest” Network Wireless SettingsThe Guest Settings describe the MAC Address (read-only) and wireless network name (SSID) for the Guest Network as described in Table 12.4. Configuring an access point with two different network names (SSIDs) allows you to leverage the Guest interface feature on the 9160 Wireless Gateway. For more information, see Chapter 14: “Setting up Guest Access”.12.6  Updating SettingsTo apply your changes, click Update. Field DescriptionMAC AddressShows the MAC address for the Guest interface for this access point. This is a read-only field that you cannot change.Although this access is point is physically a single device, it can be represented on the network as two or more nodes each with a unique MAC Address. This is accomplished by using multiple Basic Service Set Identifiers (BSSID) for a single access point.The MAC address(es) shown for the “Guest” access point is the BSSID(s) for the “Guest” interface.For the two-radio AP, two MAC addresses are shown: one for each Radio on the Guest interface.Wireless Network Name (SSID)Enter the SSID for the guest network.The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name. There are no restrictions on the characters that may be used in an SSID.For the guest network, provide an SSID that is different from the internal SSID and easily identifi-able as the “guest” network.Table 12.4 Guest Network Wireless Settings
Psion Teklogix 9160 Wireless Gateway User Manual 113CONFIGURING SECURITY 1313.1  Understanding Security Issues On Wireless Networks ..........11513.1.1  How Do I Know Which Security Mode To Use? . . . . . . . . .11513.1.2  Comparison Of Security Modes For Key Management, Authentica-tion And Encryption Algorithms..................11613.1.2.1  When To Use Plain-text..................11713.1.2.2  When To Use Static WEP.................11713.1.2.3  When To Use IEEE 802.1x . . . . . . . . . . . . . . . .11813.1.2.4  When To Use WPA/WPA2 Personal (PSK). . . . . . . .11913.1.2.5  When To Use WPA/WPA2 Enterprise (RADIUS) . . . .12013.1.3  Does Prohibiting The Broadcast SSID Enhance Security? . . . .12213.1.4  How Does Station Isolation Protect The Network? . . . . . . . .12313.2  Configuring Security Settings: Broadcast SSID, Station Isolation, and Secu-rity Mode..................................12413.2.1  Plain-text..............................12613.2.1.1  Guest Network ......................12613.2.2  Static WEP.............................12613.2.2.1  Rules To Remember For Static WEP...........12913.2.2.2  Example Of Using Static WEP..............12913.2.3  IEEE 802.1x . . . . . . . . . . . . . . . . . . . . . . . . . . . .13113.2.4  WPA/WPA2 Personal (PSK)....................13313.2.5  WPA/WPA2 Enterprise (RADIUS)................13613.3  Updating Settings..............................139
Psion Teklogix 9160 Wireless Gateway User Manual 115Chapter 13: Configuring SecurityUnderstanding Security Issues On Wireless NetworksThe following sections describe how to configure Security settings on the 9160 Wireless Gateway.13.1  Understanding Security Issues On Wireless Networks Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC transmits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals over the air allowing a wireless LAN to be easily tapped without physical access or sophisticated equipment. A hacker equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless network. One does not even need to be within normal range of the access point. By using a sophisticated antenna on the client, a hacker may be able to connect to the network from many miles away.The 9160 Wireless Gateway provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. The details of each security mode are described in the sections below.See also the related topic, Appendix C: “Configuring Security Settings On Wire-less Clients”.13.1.1  How Do I Know Which Security Mode To Use?In general, we recommend that on your Internal network you use the most robust security mode that is feasible in your environment. When configuring security on the access point, you first must choose the security mode, then in some modes an authentication algorithm, and whether to allow clients not using the specified secu-rity mode to associate.Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) using the CCMP (AES) encryption algorithm provides the best data pro-tection available and is clearly the best choice if all client stations are equipped with WPA supplicants. However, backward compatibility or interoperability issues with clients or even with other access points may require that you configure WPA with RADIUS with a different encryption algorithm or choose one of the other security modes.
Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption Algorithms116 Psion Teklogix 9160 Wireless Gateway User ManualThat said, however, security may not be as much of a priority on some types of networks. If you are simply providing internet and printer access, as on a guest net-work, plain-text mode (no security) may be the appropriate choice. To prevent clients from accidentally discovering and connecting to your network, you can disable the broadcast SSID so that your network name is not advertised. If the network is sufficiently isolated from access to sensitive information, this may offer enough protection in some situations. This level of protection is the only one offered for guest networks, and also may be the right convenience trade-off for other scenar-ios where the priority is making it as easy as possible for clients to connect. (See “Does Prohibiting The Broadcast SSID Enhance Security?” on page 122)Following is a brief discussion of what factors make one mode more secure than another, a description of each mode offered, and when to use each mode.13.1.2  Comparison Of Security Modes For Key Management, Authentication And Encryption AlgorithmsThree major factors that determine the effectiveness of a security protocol are:• How the protocol manages keys. • Presence or absence of integrated user authentication in the protocol.• Encryption algorithm or formula the protocol uses to encode/decode the data.Following is a list of the security modes available on the 9160 Wireless Gateway, along with a description of the key management, authentication, and encryption algorithms used in each mode. We include some suggestions as to when one mode might be more appropriate than another.• “When To Use Plain-text” on page 117.• “When To Use Static WEP” on page 117.• “When To Use IEEE 802.1x” on page 118.• “When To Use WPA/WPA2 Personal (PSK)” on page 119.• “When To Use WPA/WPA2 Enterprise (RADIUS)” on page 120.
Psion Teklogix 9160 Wireless Gateway User Manual 117Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption Algorithms13.1.2.1 When To Use Plain-textPlain-text mode by definition provides no security. In this mode, the data is not encrypted but rather sent as “plain-text” across the network. No key management, data encryption or user authentication is used.RecommendationsPlain-text mode is not recommended for regular use on the Internal network because it is not secure.Plain-text mode is the only mode in which you can run the Guest network, which is by definition an unsecure LAN always virtually or physically separated from any sensitive information on the Internal LAN.Therefore, use plain-text mode on the Guest network, and on the Internal network for initial setup, testing, or problem solving only.See AlsoFor information on how to configure plain-text mode, see “Plain-text” on page 126.13.1.2.2 When To Use Static WEPStatic Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are config-ured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryptionKey Management Encryption Algorithm User AuthenticationStatic WEP uses a fixed key that is provided by the adminis-trator. WEP keys are indexed in different slots (up to four on the 9160 Wireless Gateway). The client stations must have the same key indexed in the same slot to access data on the access point.An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.If you set the Authentication Algorithm to “Shared Key”, this protocol provides a rudi-mentary form of user authentication.However, if the Authentication Algorithm is set to “Open System”, no authentication is performed.If the algorithm is set to “Both”, only WEP clients are authenticated.Table 13.1 Static WEP Security Mode
Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption Algorithms118 Psion Teklogix 9160 Wireless Gateway User ManualRecommendationsStatic WEP was designed to provide security equivalent of sending unencrypted data through an Ethernet connection, however it has major flaws and it does not provide even this intended level of security.Therefore, Static WEP is not recommended as a secure mode. The only time to use Static WEP is when interoperability issues make it the only option available to you and you are not concerned with the potential of exposing the data on your network.See AlsoFor information on how to configure Static WEP security mode, see “Static WEP” on page 126.13.1.2.3 When To Use IEEE 802.1xIEEE 802.1x is the standard for passing the Extensible Authentication Protocol (EAP) over an 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). This is a newer, more secure standard than Static WEP.RecommendationsIEEE 802.1x mode is a better choice than Static WEP because keys are dynamically generated and changed periodically. However, the encryption algorithm used is the same as that of Static WEP and is therefore not as reliable as the more advanced encryption methods such as TKIP and CCMP (AES) used in Wi-Fi Protected Access (WPA) or WPA2.Key Management Encryption Algorithm User AuthenticationIEEE 802.1x provides dynamically-generated keys that are periodically refreshed.There are different Uni-cast keys for each station.An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.IEEE 802.1x mode supports a variety of authentication methods, like certificates, Kerberos, and public key authentication with a RADIUS server.You have a choice of using the 9160 Wireless Gateway embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.Table 13.2 IEEE 801.1x Security Mode
Psion Teklogix 9160 Wireless Gateway User Manual 119Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption AlgorithmsAdditionally, compatibility issues may be cumbersome because of the variety of authentication methods supported and the lack of a standard implementation method.Therefore, IEEE 802.1x mode is not as secure a solution as Wi-Fi Protected Access (WPA) or WPA2. If you cannot use WPA because some of your client stations do not have WPA, then a better solution than using IEEE 802.1x mode is to use WPA/WPA2 Enterprise (RADIUS) mode instead and check the “Allow non-WPA IEEE 802.1x clients” checkbox to allow non-WPA clients. This way, you get the benefit of IEEE 802.1x key management for non-WPA clients along with even better data protection of TKIP and CCMP (AES) key management and encryp-tion algorithms for your WPA and WPA2 clients.See AlsoFor information on how to configure IEEE 802.1x security mode, see “IEEE 802.1x” on page 131.13.1.2.4 When To Use WPA/WPA2 Personal (PSK)Wi-Fi Protected Access 2 (WPA2) Personal Pre-Shared Key (PSK) is an implemen-tation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Algorithm (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode offers the same encryption algorithms as WPA 2 with RADIUS but without the ability to integrate a RADIUS server for user authentication.This security mode is backwards-compatible for wireless clients that support only the original WPA.Key Management Encryption Algorithms User AuthenticationWPA/WPA2 Personal (PSK) provides dynami-cally-generated keys that are periodically refreshed.There are different Uni-cast keys for each station.• Temporal Key Integrity Protocol (TKIP).• Counter mode/CBC-MAC Proto-col (CCMP) Advanced Encryp-tion Standard (AES).The use of a Pre-Shared (PSK) key provides user authentication similar to that of shared keys in WEP.Table 13.3 WPA/WPA2 Personal (PSK) Security Mode
Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption Algorithms120 Psion Teklogix 9160 Wireless Gateway User ManualRecommendationsWPA/WPA2 Personal (PSK) is not recommended for use with the 9160 Wireless Gateway when WPA/WPA2 Enterprise (RADIUS) is an option.We recommend that you use WPA/WPA2 Enterprise (RADIUS) mode instead, unless you have interoperability issues that prevent you from using this mode.For example, some devices on your network may not support WPA or WPA2 with EAP talking to a RADIUS server. Embedded printer servers or other small client devices with very limited space for implementation may not support RADIUS. For such cases, we recommend that you use WPA/WPA2 Personal (PSK).See AlsoFor information on how to configure this security mode, see “WPA/WPA2 Personal (PSK)” on page 133.13.1.2.5 When To Use WPA/WPA2 Enterprise (RADIUS)Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i stan-dard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users. WPA/WPA2 Enterprise (RADIUS) provides the best security available for wireless networks.This security mode also provides backwards-compatibility for wireless clients that support only the original WPA.Key Management Encryption Algorithms User AuthenticationWPA/WPA2 Enterprise (RADIUS) mode provides dynamically-generated keys that are periodically refreshed.There are different Uni-cast keys for each station.• Temporal Key Integrity Protocol (TKIP).• Counter mode/CBC-MAC Proto-col (CCMP) Advanced Encryp-tion Standard (AES).Remote Authentication Dial-In User Service (RADIUS)You have a choice of using the 9160 Wireless Gateway embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.Table 13.4 WPA/WPA2 Enterprise (RADIUS) Security Mode
Psion Teklogix 9160 Wireless Gateway User Manual 121Chapter 13: Configuring SecurityComparison Of Security Modes For Key Management, Authentication And Encryption AlgorithmsRecommendationsWPA/WPA2 Enterprise (RADIUS) mode is the recommended mode. The CCMP (AES) and TKIP encryption algorithms used with WPA modes are far superior to the RC4 algorithm used for Static WEP or IEEE 802.1x modes. Therefore, CCMP (AES) or TKIP should be used whenever possible. All WPA modes allow you to use these encryption schemes, so WPA security modes are recommended above the others when using WPA is an option.Additionally, this mode incorporates a RADIUS server for user authentication which gives it an edge over WPA/WPA2 Personal (PSK) mode.Use the following guidelines for choosing options within the WPA/WPA2 Enter-prise (RADIUS) security mode:1. The best security you can have to date on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode using CCMP (AES) encryp-tion algorithm. AES is a symmetric 128-bit block data encryption tech-nique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other APs on the network are WPA/CCMP compatible, use this encryption algorithm. (If all clients are WPA2 compatible, choose to support only WPA2 clients.)2. The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to “Both” (that is, both TKIP and CCMP). This lets WPA client stations without CCMP associate, uses TKIP for encrypting Multicast and Broadcast frames, and allows clients to select whether to use CCMP or TKIP for Unicast (AP-to-single-sta-tion) frames. This WPA configuration allows more interoperability, at the expense of some security. Client stations that support CCMP can use it for their Unicast frames. If you encounter AP-to-station interop-erability problems with the “Both” encryption algorithm setting, then you will need to select TKIP instead. (See next option.)3. The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the
Chapter 13: Configuring SecurityDoes Prohibiting The Broadcast SSID Enhance Security?122 Psion Teklogix 9160 Wireless Gateway User Manualstandard WPA mode, and most interoperable mode with client Wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.Notes: If there are older client stations on your network that do not support WPA or WPA2, you can configure WPA/WPA2 Enterprise (RADIUS) with Both, CCMP, or TKIP and check the “Allow non-WPA IEEE 802.1x clients” checkbox to allow non-WPA clients. This way, you get the benefit of IEEE 802.1x key management for non-WPA clients along with even better data protection of TKIP and CCMP (AES) key management and encryption algorithms for your WPA clients.A typical scenario is that one is upgrading a current 802.1x network to use WPA. You might have a mix of clients; some new clients that support WPA or WPA2 and some older ones that do not support any flavours of WPA. You might even have other access points on the network that support only 802.1x and some that support WPA with RADIUS or WPA2 Enterprise (RADIUS). For as long as this mix persists, use the “Allow non-WPA IEEE 802.1x clients” option.When all the stations have been upgraded to use WPA or better yet WPA2, you should disable the “Allow non-WPA IEEE 802.1x clients” option, and set “WPA Versions” option appropriately (“WPA”, “WPA2,” or “Both”).See AlsoFor information on how to configure this security mode, see “WPA/WPA2 Enter-prise (RADIUS)” on page 136.13.1.3  Does Prohibiting The Broadcast SSID Enhance Security?You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP’s broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the sup-plicant before it will be able to connect.Disabling the broadcast SSID is sufficient to prevent clients from accidentally con-necting to your network, but it will not prevent even the simplest of attempts by a hacker to connect, or monitor plain-text traffic.
Psion Teklogix 9160 Wireless Gateway User Manual 123Chapter 13: Configuring SecurityHow Does Station Isolation Protect The Network?This offers a very minimal level of protection on an otherwise exposed network (such as a guest network) where the priority is making it easy for clients to get a connection and where no sensitive information is available. (See also “Guest Network” on page 126.)13.1.4  How Does Station Isolation Protect The Network?When Station Isolation is enabled, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolationis on. See Chapter 20: “Wireless Distribution System” for more information about WDS.
Chapter 13: Configuring SecurityConfiguring Security Settings: Broadcast SSID, Station Isolation, and Security Mode124 Psion Teklogix 9160 Wireless Gateway User Manual13.2  Configuring Security Settings: Broadcast SSID, Station Isolation, and Security ModeTo set the security mode, navigate to the Advanced, Security tab, and update the fields as described below.The following configuration information explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and encryption key settings consistent with access point security.On a two-radio AP, these Security Settings apply to both radios.Note: Security modes other than Plain-text apply only to configuration of the “Internal” network. On the “Guest” network, you can use only Plain-text mode. (For more information about guest networks, see Chapter 14: “Set-ting up Guest Access”.)To configure security on the access point, select a security mode and fill in the related fields as described in Table 13.5.
Psion Teklogix 9160 Wireless Gateway User Manual 125Chapter 13: Configuring SecurityConfiguring Security Settings: Broadcast SSID, Station Isolation, and Security ModeNote: You can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions as mentioned below.)Field DescriptionBroadcast SSIDSelect the Broadcast SSID setting by clicking the Allow or Prohibit radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP’s broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.Station IsolationSelect Off to disable Station Isolation or On to enable it.• When Station Isolation is Off, wireless clients can communicate with one another normally by sending traffic through the access point.• When Station Isolation is On, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Chapter 20: “Wireless Distribution System” for more information about WDS.Security ModeSelect the Security Mode. Select one of the following:• “Plain-text” on page 126.• “Static WEP” on page 126.• “IEEE 802.1x” on page 131.• “WPA/WPA2 Personal (PSK)” on page 133.• “WPA/WPA2 Enterprise (RADIUS)” on page 136.For a Guest network, only the “Plain-text” setting can be used. (For more information, see Chapter 14: “Setting up Guest Access”.)Security modes other than Plain-text apply only to configuration of the “Internal” network; on the Guest network, you can use only Plain-text mode.Table 13.5 Security Settings
Chapter 13: Configuring SecurityPlain-text126 Psion Teklogix 9160 Wireless Gateway User Manual13.2.1  Plain-textPlain-text means any data transferred to and from the 9160 Wireless Gateway is not encrypted. There are no further options for “Plain-text” mode.Plain-text mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the Internal network because it is not secure.13.2.1.1 Guest NetworkPlain-text mode is the only mode in which you can run the Guest network, which is by definition an easily accessible, unsecure LAN always virtually or physically sep-arated from any sensitive information on the Internal LAN. For example, the guest network might simply provide internet and printer access for day visitors.The absence of security on the Guest AP is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients.For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. (See also “Does Prohibiting The Broadcast SSID Enhance Security?” on page 122).For more about the Guest network, see Chapter 14: “Setting up Guest Access”.13.2.2  Static WEPWired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations.Static WEP is not the most secure mode available, but it offers more protection than plain-text mode as it does prevent an outsider from easily sniffing out unencrypted wireless traffic. (For more secure modes, see the sections on “IEEE 802.1x” on page 131, “WPA/WPA2 Personal (PSK)” on page 133.), or “WPA/WPA2 Enterprise (RADIUS)” on page 136.
Psion Teklogix 9160 Wireless Gateway User Manual 127Chapter 13: Configuring SecurityStatic WEPWEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a “stream” cipher called RC4.) The access point uses a key to transmit data to the client stations. Each client station must use that same key to decrypt data it receives from the access point.Client stations can use different keys to transmit data to the access point. (Or they can all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.)If you selected “Static WEP” Security Mode, provide the following on the access point settings: Field DescriptionTransfer Key IndexSelect a key index from the drop-down menu. Key indexes 1 through 4 are available. The default is 1.The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.Key LengthSpecify the length of the key by clicking one of the radio buttons:• 64 bits• 128 bitsKey TypeSelect the key type by clicking one of the radio buttons:• ASCII•HexTable 13.6 Static WEP Security Settings
Chapter 13: Configuring SecurityStatic WEP128 Psion Teklogix 9160 Wireless Gateway User ManualCharacters RequiredIndicates the number of characters required in the WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.WEP KeysYou can specify up to four WEP keys. In each text box, enter a string of characters for each key.If you selected “ASCII”, enter any combination of integers and letters 0-9, a-z, and A-Z. If you selected “HEX”, enter hexadecimal digits (any combination of 0-9 and a-f or A-F).Use the same number of characters for each key as specified in the “Characters Required” field. These are the RC4 WEP keys shared with the stations using the access point.Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the AP. (See “Rules To Remember For Static WEP” on page 129.)Authentication AlgorithmThe authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode. Specify the authentication algorithm you want to use by choosing one of the following from the drop-down menu:• Open System.•Shared Key.•Both.Open System authentication allows any client station to associate with the access point whether that client station has the correct WEP key or not. This is algorithm is also used in plain-text, IEEE 802.1x, and WPA modes. When the authentication algorithm is set to “Open System”, any client can associate with the access point.Note that just because a client station is allowed to associate does not ensure it can exchange traffic with an access point. A station must have the correct WEP key to be able to successfully access and decrypt data from an access point, and to transmit readable data to the access point.Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to “Shared Key”, a sta-tion with an incorrect WEP key will not be able to associate with the access point.Both is the default. When the authentication algorithm is set to “Both”:• Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.• Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.Field DescriptionTable 13.6 Static WEP Security Settings
Psion Teklogix 9160 Wireless Gateway User Manual 129Chapter 13: Configuring SecurityStatic WEP13.2.2.1 Rules To Remember For Static WEP• All client stations must have the Wireless LAN (WLAN) security set to WEP and all clients must have one of the WEP keys specified on the AP in order to de-code AP-to-station data transmissions.• The AP must have all keys used by clients for station-to-AP transmit so that it can de-code the station transmissions.• The same key must occupy the same slot on all nodes (AP and clients). For example if the AP defines abc123 key as WEP key 3, then the client stations must define that same string as WEP key 3.• On some wireless client software (like Funk Odyssey), you can configure multiple WEP keys and define a client station “transfer key index”, and then set the stations to encrypt the data they transmit using different keys. This ensures that neighboring APs cannot decode each other’s transmissions.13.2.2.2 Example Of Using Static WEPFor a simple example, suppose you configure three WEP keys on the access point. In our example, the Transfer Key Index for the AP is set to 3. This means that the WEP key in slot “3” is the key the access point will use to encrypt the data it sends.Figure 13.7 Setting The AP Transfer Key On The Access Point
Chapter 13: Configuring SecurityStatic WEP130 Psion Teklogix 9160 Wireless Gateway User ManualYou must then set all client stations to use WEP and provide each client with one of the slot/key combinations you defined on the AP.For this example, we’ll set WEP key 1 on a Windows client.Figure 13.8 Providing A Wireless Client With A WEP KeyIf you have a second client station, that station also needs to have one of the WEP keys defined on the AP. You could give it the same WEP key you gave to the first station. Or for a more secure solution, you could give the second station a different WEP key (key 2, for example) so that the two stations cannot decrypt each other’s transmissions.
Psion Teklogix 9160 Wireless Gateway User Manual 131Chapter 13: Configuring SecurityIEEE 802.1x13.2.2.3 Static WEP With Transfer Key Indexes On Client StationsSome Wireless client software (like Funk Odyssey) lets you configure multiple WEP keys and set a transfer index on the client station, then you can specify differ-ent keys to be used for station-to-AP transmissions. (The standard Windows wire-less client software does not allow you to do this.)To build on our example, using Funk Odyssey client software you could give each of the clients WEP key 3 so that they can decode the AP transmissions with that key and also give client 1 WEP key 1 and set this as its transfer key. You could then give client 2 WEP key 2 and set this as its transfer key index.The Figure 13.9 illustrates the dynamics of the AP and two client stations using multiple WEP keys and a transfer key index.Figure 13.9 Example Of Using Multiple WEP Keys And Transfer Key Index On Client Stations13.2.3  IEEE 802.1xIEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsula-tion Over LANs (EAPOL). IEEE 802.1x provides dynamically-generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.This mode requires the use of a RADIUS server to authenticate users, and configu-ration of user accounts via the Cluster, User Management tab.Access Point transmits to both stations with same WEP keyClient Station 1Client Station 2(e.g., WEP key 3)WEP key 3WEP key 3WEP key 2WEP key 1can decrypt WEP key 3transmits in WEP key 1can decrypt WEP key 3transmits in WEP key 2
Chapter 13: Configuring SecurityIEEE 802.1x132 Psion Teklogix 9160 Wireless Gateway User ManualThe access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the 9160 Wireless Gateway internal authentication server. To work with Windows clients, the authentication server must support Pro-tected EAP (PEAP) and MSCHAP V2.When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The 9160 Wireless Gateway embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.If you use your own RADIUS server, you have the option of using any of a variety of authentication methods that the IEEE 802.1x mode supports, including certifi-cates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method being used by the access point. If you selected “IEEE 802.1x” Security Mode, provide the following: Field DescriptionAuthentication ServerSelect one of the following from the drop-down menu:•Built-in - To use the authentication server provided with the 9160 Wireless Gateway. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.•External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.Note: The RADIUS server is identified by its IP address and UDP port numbers for the dif-ferent services it provides. On the current release of the 9160 Wireless Gateway, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The 9160 Wireless Gateway is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.Table 13.10 IEEE 802.1x Security Settings
Psion Teklogix 9160 Wireless Gateway User Manual 133Chapter 13: Configuring SecurityWPA/WPA2 Personal (PSK)13.2.4  WPA/WPA2 Personal (PSK)Wi-Fi Protected Access 2 (WPA2) with Pre-Shared Key (PSK) is a Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Algorithm (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Personal version of WPA2 employs a pre-shared key (instead of using IEEE 802.1x and EAP as is used in the Enterprise WPA2 security mode). The PSK is used for an initial check of credentials only.This security mode is backwards-compatible for wireless clients that support the original WPA. Radius IPEnter the Radius IP in the text box.The Radius IP is the IP address of the RADIUS server.(The 9160 Wireless Gateway internal authentication server is 127.0.0.1.)For information on setting up user accounts, see Chapter 7: “Managing User Accounts”.Radius KeyEnter the Radius Key in the text box.The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as “ * ” characters to prevent others from seeing the RADIUS key as you type.(The 9160 Wireless Gateway internal authentication server key is secret.)This value is never sent over the network.Enable RADIUS AccountingClick “Enable RADIUS Accounting” if you want to track and measure the resources a particular user has consumed such system time, amount of data transmitted and received, and so on.Field DescriptionTable 13.10 IEEE 802.1x Security Settings
Chapter 13: Configuring SecurityWPA/WPA2 Personal (PSK)134 Psion Teklogix 9160 Wireless Gateway User ManualIf you selected “WPA/WPA2 Personal (PSK)” Security Mode, complete the settings as described in Table 13.11.Field DescriptionWPA VersionsSelect the types of client stations you want to support:•WPA•WPA2•BothWPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select “Both”. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interop-erability, at the expense of some security. Table 13.11 WPA/WPA2 Personal (PSK) Security Settings
Psion Teklogix 9160 Wireless Gateway User Manual 135Chapter 13: Configuring SecurityWPA/WPA2 Personal (PSK)Cipher SuitesSelect the cipher you want to use from the drop-down menu:•TKIP• CCMP (AES)•BothTemporal Key Integrity Protocol (TKIP) is the default.TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit “temporal key” shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.When the authentication algorithm is set to “Both”, both TKIP and AES clients can associate with the access point. WPA clients must have one of the following to be able to associate with the AP:• A valid TKIP key• A valid CCMP (AES) keyClients not configured to use a WPA-PSK will not be able to associate with AP.KeyThe Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters. Field DescriptionTable 13.11 WPA/WPA2 Personal (PSK) Security Settings
Chapter 13: Configuring SecurityWPA/WPA2 Enterprise (RADIUS)136 Psion Teklogix 9160 Wireless Gateway User Manual13.2.5  WPA/WPA2 Enterprise (RADIUS)Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Enterprise mode requires the use of a RADIUS server to authenticate users, and configuration of user accounts via the Cluster, User Management tab.This security mode is backwards-compatible with wireless clients that support the original WPA.When configuring WPA2 Enterprise (RADIUS) mode, you have a choice of whether to use the built-in RADIUS server or an external RADIUS server that you provide. The 9160 Wireless Gateway built-in RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.If you selected “WPA/WPA2 Enterprise (RADIUS)” Security Mode, complete the settings as described in Table 13.12 on page 137.
Psion Teklogix 9160 Wireless Gateway User Manual 137Chapter 13: Configuring SecurityWPA/WPA2 Enterprise (RADIUS)Field DescriptionWPA VersionsSelect the types of client stations you want to support:•WPA•WPA2•BothWPA. If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.WPA2. If all client stations on the network support WPA2, we suggest using WPA2 which provides the best security per the IEEE 802.11i standard.Both. If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select “Both”. This lets both WPA and WPA2 client stations associate and authenti-cate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability, at the expense of some security. Enable pre-authenticationIf for WPA Versions you select “WPA2” or “Both”, you can enable pre-authentication for WPA2 clients.Click Enable pre-authentication if you want WPA2 wireless clients to send a pre-authentication packet. The pre-authentication information will be relayed from the access point the client is currently using to the target access point. Enabling this feature can help speed up authentication for roaming clients who connect to multiple access points.This option does not apply if you selected “WPA” for WPA Versions because the original WPA does not support this feature.Table 13.12 WPA/WPA2 Enterprise (RADIUS) Security Settings
Chapter 13: Configuring SecurityWPA/WPA2 Enterprise (RADIUS)138 Psion Teklogix 9160 Wireless Gateway User ManualCipher SuitesSelect the cipher you want to use from the drop-down menu:•TKIP•CCMP (AES)•BothTemporal Key Integrity Protocol (TKIP) is the default.TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit “temporal key” shared by clients and access points. The temporal key is com-bined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.Counter mode/CBC-MAC Protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.When the authentication algorithm is set to “Both”, both TKIP and AES clients can associate with the access point. Client stations configured to use WPA with RADIUS must have one of the following to be able to associate with the AP:• A valid TKIP RADIUS IP address and valid shared Key.• A valid CCMP (AES) IP address and valid shared Key.Clients not configured to use WPA with RADIUS will not be able to associate with AP.Both is the default. When the authentication algorithm is set to “Both”, client stations configured to use WPA with RADIUS must have one of the following:• A valid TKIP RADIUS IP address and RADIUS Key.• A valid CCMP (AES) IP address and RADIUS Key.Field DescriptionTable 13.12 WPA/WPA2 Enterprise (RADIUS) Security Settings
Psion Teklogix 9160 Wireless Gateway User Manual 139Chapter 13: Configuring SecurityUpdating Settings13.3  Updating SettingsTo apply your changes, click Update. Authentication ServerSelect one of the following from the drop-down menu:•Built-in - To use the authentication server provided with the 9160 Wireless Gateway. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.•External - To use an external authentication server. If you choose this option you must supply a Radius IP and Radius Key of the server you want to use.Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. On the current release of the 9160 Wireless Gate-way, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are not configurable. (The 9160 Wireless Gateway is hard-coded to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.Radius IPEnter the Radius IP in the text box.The Radius IP is the IP address of the RADIUS server.(The 9160 Wireless Gateway internal authentication server is 127.0.0.1.)For information on setting up user accounts, see Chapter 7: “Managing User Accounts”.Radius KeyEnter the Radius Key in the text box.The Radius Key is the shared secret key for the RADIUS server. The text you enter will be displayed as “ * ” characters to prevent others from seeing the RADIUS key as you type.(The 9160 Wireless Gateway internal authentication server key is secret.)This value is never sent over the network.Enable RADIUS AccountingClick Enable RADIUS Accounting if you want to enforce authentication for WPA client stations with user names and passwords for each station.See also Chapter 7: “Managing User Accounts”.Allow non-WPA ClientsClick the Allow non-WPA clients checkbox if you want to let non-WPA (802.11), un-authenticated client stations, use this access point.Field DescriptionTable 13.12 WPA/WPA2 Enterprise (RADIUS) Security Settings
Psion Teklogix 9160 Wireless Gateway User Manual 141SETTING UP GUEST ACCESS 1414.1  Understanding The Guest Interface....................14314.2  Configuring The Guest Interface......................14414.2.1  Configuring A Guest Network On A Virtual LAN . . . . . . . .14414.2.2  Configuring The Welcome Screen (Captive Portal) . . . . . . . .14514.3  Using The Guest Network As A Client ..................14614.4  Deployment Example ...........................146
Psion Teklogix 9160 Wireless Gateway User Manual 143Chapter 14: Setting up Guest AccessUnderstanding The Guest InterfaceOut-of-the-box Guest Interface features allow you to configure the 9160 Wireless Gateway for controlled guest access to an isolated network. You can configure the same access point to broadcast and function as two different wireless networks: a secure “Internal” LAN and a public “Guest” network. Guest clients can access the guest network without a username or password. When guests log in, they see a guest Welcome screen (also known as a “captive portal”).14.1  Understanding The Guest InterfaceYou can define unique parameters for guest connectivity and isolate guest clients from other more sensitive areas of the network. Important: No security is provided on the guest network; only plain-text security mode is allowed.Simultaneously, you can configure a secure internal network (using the same access point as your guest interface) that provides full access to protected information behind a firewall and requires secure logins or certificates for access.You can configure an 9160 Wireless Gateway for the Guest interface by using a single network with VLANs by setting up the guest interface configuration options on the Administration Web pages for the 9160 Wireless Gateway. (For details on how to set up this type of guest interface, see “Configuring A Guest Network On A Virtual LAN” on page 144.Notes: This method leverages multiple BSSID and Virtual LAN (VLAN) technol-ogies that are built-in to the 9160 Wireless Gateway. The Internal and Guest networks are implemented as multiple BSSIDs on the same access point, each with different network names (SSIDs) on the Wireless inter-face and different VLAN IDs on the Wired interface.On a two-radio access point, the Guest Management and Login settings apply to both Radio One and Radio Two.
Chapter 14: Setting up Guest AccessConfiguring The Guest Interface144 Psion Teklogix 9160 Wireless Gateway User Manual14.2  Configuring The Guest InterfaceTo configure the Guest interface on the 9160 Wireless Gateway, perform these steps:1. Configure the access point to represent two virtually separate networks as described in the section below, “Configuring A Guest Network On A Virtual LAN”.2. Set up the guest Wel come screen for the guest captive portal as described in the section, “Configuring The Welcome Screen (Captive Portal)” on page 145.Note: Guest Interface settings are not shared among access points across the cluster. These settings must be configured individually on the Administra-tion pages for each access point. To get to the Administration pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster, Access Points page of the current AP. For more infor-mation about which settings are shared by the cluster and which are not, see “Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?” on page 57.14.2.1  Configuring A Guest Network On A Virtual LANNotes: If you want to configure the Guest and Internal networks on Virtual LAN (VLANs), the switch and DHCP server you are using must support VLANs.As a prerequisite step, configure a port on the switch for handling VLAN tagged packets as described in the IEEE 802.1Q standard.Guest Welcome Screen settings are shared among access points across the cluster. When you update these settings for one access point, the configura-tion will be shared with the other access points in the cluster. For more information about which settings are shared by the cluster and which are not, see “Which Settings Are Shared As Part Of The Cluster Configuration And Which Are Not?” on page 57.To configure Internal and Guest networks on Virtual LANs, do the following:1. Use only one wired connection from the network port on the access point to the LAN. (Make sure this port is configured to handle VLAN tagged packets.)
Psion Teklogix 9160 Wireless Gateway User Manual 145Chapter 14: Setting up Guest AccessConfiguring The Welcome Screen (Captive Portal)2. Configure Ethernet (wired) Settings for Internal and Guest networks on VLANs as described in the sections in Chapter 11: “The Ethernet (Wired) Interface”.(Start by enabling Guest Access and choosing “For Internal and Guest access, use two: VLANs” as described in “Specifying A Virtual Guest Network” on page 101.)3. Provide the radio interface settings and network names (SSIDs) for both Internal and Guest networks as described in Chapter 12: “Setting the Wireless Interface”.4. Configure the guest splash screen as described in “Configuring The Welcome Screen (Captive Portal)” on page 145.14.2.2  Configuring The Welcome Screen (Captive Portal)You can set up or modify the Welcome screen guest clients see when they open a Web browser or try to browse the Web. To set up the captive portal, do the following:1. Navigate to the Advanced, Guest Login tab.2. Choose Enabled to activate the Welcome screen.
Chapter 14: Setting up Guest AccessUsing The Guest Network As A Client146 Psion Teklogix 9160 Wireless Gateway User Manual3. In the Welcome Screen Text field, type the text message you would like guest clients to see on the captive portal.4. Click Update to apply the changes.14.3  Using The Guest Network As A ClientOnce the guest network is configured, a client can access the guest network as follows:1. A guest client enters an area of coverage and scans for wireless networks.2. The guest network advertises itself via a Guest SSID or some similar name, depending on how the guest SSID is specified in the Administra-tion Web pages for the Guest interface.3. The guest client chooses Guest SSID.4. The guest client starts a Web browser and receives a Guest Welcome screen.5. The Guest Welcome Screen provides a button for the client to click to continue.6. The guest client is now enabled to use the “guest” network.14.4  Deployment ExampleIn Figure 14.1 on page 146, the dotted lines indicate dedicated guest connections. All access points and all connections (including guests) are administered from the same 9160 Wireless Gateway Administration Web pages.Figure 14.1 Dedicated Guest ConnectionsAccess Point Access PointFirewallDSL/T1SwitchInternetSwitch Guest Client Station
Psion Teklogix 9160 Wireless Gateway User Manual 147CONFIGURING VLANS 1515.1  Navigating To Virtual Wireless Network Settings.............14915.2  Configuring VLANs............................14915.3  Updating Settings..............................151
Psion Teklogix 9160 Wireless Gateway User Manual 149Chapter 15: Configuring VLANsNavigating To Virtual Wireless Network SettingsThe following sections describe how to configure multiple wireless networks on Virtual LANs (VLANs).15.1  Navigating To Virtual Wireless Network SettingsTo set up multiple networks on VLANs, navigate to the Advanced, Virtual Wireless Networks tab, and update the fields as described below.15.2  Configuring VLANsNote: To configure additional networks on VLANs, you must first enable Virtual Wireless Networks on the Ethernet (wired) interface. See “Enabling / Dis-abling Virtual Wireless Networks On The AP” on page 102.Important: If you configure VLANs, you may lose connectivity to the access point. First, be sure to verify that the switch and DHCP server you are using can support VLANs per the IEEE 802.1Q standard. After configuring VLANs, physically reconnect the Ethernet cable on the switch to the tagged packet (VLAN) port. Then,
Chapter 15: Configuring VLANsConfiguring VLANs150 Psion Teklogix 9160 Wireless Gateway User Manualre-connect via the Administration Web pages to the new IP address. (If necessary, check with the infrastructure support administrator regarding the VLAN and DHCP configurations.)Field DescriptionVirtual Wireless NetworkChoose one of the following from the drop-down menu to identify an additional network to configure:•One•TwoStatusYou can enable or disable a configured network.• To enable the specified network, click On.• To disable the specified network, click Off.Wireless Network Name (SSID)Enter a name for the wireless network as a character string. This name will apply to all access points on this network. As you add more access points, they will share this SSID.The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters. Note: If you are connected as a wireless client to the same AP that you are adminis-tering, resetting the SSID will cause you to lose connectivity to the AP. You will need to reconnect to the new SSID after you save this new setting.VLAN IDProvide a number between 1 and 4094 for the Internal VLAN.This will cause the access point to send DHCP requests with the VLAN tag. The switch and the DHCP server must support VLAN IEEE 802.1Q frames. The access point must be able to reach the DHCP server.Check with the Administrator regarding the VLAN and DHCP configurations.Table 15.1 Virtual Wireless Network Settings
Psion Teklogix 9160 Wireless Gateway User Manual 151Chapter 15: Configuring VLANsUpdating Settings15.3  Updating SettingsTo apply your changes, click Update. Broadcast SSIDSelect the Broadcast SSID setting by clicking the Allow or Prohibit radio button. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames.You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the AP’s broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.Note: The Broadcast SSID you set here is specifically for this Virtual Network (One or Two). Other networks continue to use the security modes already configured:• Your original Internal network (configured on the Advanced, Ethernet [Wired] tab) uses the Broadcast SSID set on Advanced, Security.• If a Guest network is configured, the Broadcast SSID is always allowed.Security ModeSelect the Security Mode for this VLAN. Select one of the following:•Plain-text•Static WEP•IEEE 802.1x•WPA/WPA2 Personal (PSK)•WPA/WPA2 Enterprise (RADIUS)Note: The Security mode you set here is specifically for this Virtual Network (One or Two). Other networks continue to use the security modes already configured:• Your original Internal network (configured on the Advanced, Ethernet [Wired] tab) uses the Security mode set on Advanced, Security.• If a Guest network is configured, it always using plain-text security mode.Field DescriptionTable 15.1 Virtual Wireless Network Settings

Navigation menu