Advanced Configuration

This chapter contains information on configuring settings in the following categories:

To configure the AP using the HTTP/HTTPS interface, you must first log in to a web browser. See Logging In for instructions.

You may also configure the AP using the command line interface. See Command Line Interface (CLI) for more information.

To configure the AP via HTTP/HTTPS:

  1. Click the Configure button located on the left-hand side of the screen.



    2. Figure 4-1 Configure Main Screen
  2. Click the tab that corresponds to the parameter you want to configure. For example, click Network to configure the Access Point's TCP/IP settings.

Each Configure tab is described in the remainder of this chapter.

System

You can configure and view the following parameters within the System Configuration screen:

Dynamic DNS Support

DNS is a distributed database mapping the user readable names and IP addresses (and more) of every registered system on the Internet. Dynamic DNS is a lightweight mechanism which allows for modification of the DNS data of host systems whose IP addresses change dynamically. Dynamic DNS is usually used in conjunction with DHCP for mapping meaningful names to host systems whose IP addresses change dynamically.

Access Points provide DDNS support by adding the host name (option 12) in DHCP Client messages, which is used by the DHCP server to dynamically update the DNS server.

Access Point System Naming Convention

The Access Point's system name is used as its host name. In order to prevent Access Points with default configurations from registering similar host names in DNS, the default system name of the Access Point is uniquely generated. Access Points generate unique system names by appending the last 3 bytes of the Access Point's MAC address to the default system name.

The system name must be compliant with the encoding rules for host name as per DNS RFC 1123. According to the encoding rules, the AP name:

Network

The Network tab contains the following sub-tabs:

IP Configuration

This tab is used to configure the internet (TCP/IP) settings for the access point.

These settings can be either entered manually (static IP address, subnet mask, and gateway IP address) or obtained automatically (dynamic).The DNS Client functionality can also be configured, so that host names used for configuring the access point can be resolved to their IP addresses.

Figure 4-3 IP Configuration

You can configure and view the following parameters within the IP Configuration sub-tab:

NOTE: You must reboot the AP in order for any changes to the Basic IP or DNS Client parameters to take effect.

Basic IP Parameters

DNS Client

If you prefer to use host names to identify network servers rather than IP addresses, you can configure the AP to act as a Domain Name Service (DNS) client. When this feature is enabled, the Access Point contacts the network's DNS server to translate a host name to the appropriate network IP address. You can use this DNS Client functionality to identify RADIUS servers by host name.

Advanced

DHCP Server

If your network does not have a DHCP Server, you can configure the AP as a DHCP server to assign dynamic IP addresses to Ethernet nodes and wireless clients.

NOTE: DHCP client functionality is not supported in a Mesh network.
CAUTION: Make sure there are no other DHCP servers on the network and do not enable the DHCP server without checking with your network administrator first, as it could disrupt normal network operation. Also, the AP must be configured with a static IP address before enabling this feature.

When the DHCP Server functionality is enabled, you can create one or more IP address pools from which to assign addresses to network devices.

Figure 4-4 DHCP Server Configuration Screen

You can configure and view the following parameters within the DHCP Server Configuration screen:

NOTE: You must reboot the Access Point before changes to any of these DHCP server parameters take effect.

DHCP Relay Agent

When enabled, the DHCP relay agent forwards DHCP requests to the set DHCP server.

Click the Configure > Network > DHCP R A to configure DHCP relay agent servers and enable the DHCP relay agent.

NOTE: At least one DHCP server must be enabled before DHCP Relay Agent can be enabled.
NOTE: If the DHCP relay agent is unable to reach the external DHCP Server specified in the DHCP Server IP Address Table, the requesting client will receive an IP address from the IP Pool table of the AP's internal DHCP Server, even if the internal DHCP Server is disabled.
NOTE: If a client requests an available IP address from the IP Pool table of the AP's internal DHPC Server, the client will receive this address, even if the DHCP server on the AP is disabled. To ensure that clients receive IP addresses only from the DHCP Relay Agent, disable all entries in the IP Pool table of the AP's internal DHCP server.

The DHCP Relay functionality of the AP supports Option 82 and sends the system name of the AP (as a NAS identifier) as a sub-option of Option 82.

The AP makes a DHCP Request for lease renewal five minutes ahead of the expiration of the Rebinding time as specified in the DHCP Offer from the DHCP server obtained during the last renewal.

Figure 4-5 DHCP Relay Agent

DHCP Server IP Address Table

The AP supports the configuration of a maximum of 10 server settings in the DHCP Relay Agents server table. At least one server must be configured to enable DHCP Relay.

To add entries to the table of DHCP Relay Agents, click Add in the DHCP Server IP Address Table; to edit existing entries, click Edit. The following window is displayed.

Figure 4-6 DHCP Server IP Address Table - Edit Entries

To add an entry, enter the IP Address of the DHCP Server and a comment (optional), and click OK.

To edit an entry, make changes to the appropriate entry. Enable or disable the entry by choosing Enable or Disable from the Status drop-down menu, and click OK.

Link Integrity

The Link Integrity feature checks the link between the AP and any nodes on the backbone. These nodes are listed by IP address in the Link Integrity IP Address Table. The AP periodically pings the nodes listed within the table. If the AP loses network connectivity (that is, the ping attempts fail), the AP disables its wireless interface(s). Note that this feature does not affect WDS links (if WDS links are configured and enabled).

NOTE: Link integrity cannot be configured when the AP is configured to function as a Mesh AP.

You can configure and view the following parameters within the Link Integrity Configuration screen:

SNTP (Simple Network Time Protocol)

SNTP allows a network entity to communicate with time servers in the network/internet to retrieve and synchronize time of day information. When this feature is enabled, the AP will attempt to retrieve the time of day information from the configured time servers (primary or secondary), and, if successful, will update the relevant time objects in the AP. Requests are sent every 10 seconds. If the AP fails to retrieve the information after three attempts, the AP will use the system uptime and update the relevant time objects. If this feature is disabled, the user can manually configure the date and time parameters.

Figure 4-8 SNTP Configuration Screen

You can configure and view the following parameters within the SNTP screen:

Interfaces

From the Interfaces tab, you configure the Access Point's operational mode settings, power control settings, wireless interface settings and Ethernet settings. You may also configure a Wireless Distribution System for AP-to-AP communications. The Interfaces tab contains the following sub-tabs:

Operational Mode

From this tab, you can configure and view the operational mode for the Wireless-A (802.11a/4.9 GHz radio) or Wireless-B (802.11b/g radio) Interface.

Figure 4-9 Operational Mode Screen

The Wireless-A interface operates only in 802.11a mode on the AP-4000/4000M and in either 802.11a mode or 4.9 GHz Public Safety mode on the AP-4900M. The Wireless-B interface can be configured to operate in the following modes:

In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices.

If you are using the AP-4900M in 4.9 Public Safety mode, you must also select a channel bandwidth. This option is shown in Figure 4-9; it is not configurable in the AP-4000/4000M. See Available Channels for a list of channels available with each bandwidth.

Super Mode and Turbo Mode

Super mode improves throughput between the access point and wireless clients that support this capability. For wireless clients that support this capability the AP will negotiate and treat them accordingly, for other clients that do not support super mode, the AP will treat them as normal wireless clients.

Super mode can be configured only when the wireless operational mode is one of the following:

Dynamic Turbo mode is supported in 802.11a mode in the FCC regulatory domain. Dynamic turbo mode supports turbo speeds at twice the standard data rates, and also dynamically switches between turbo mode speeds and normal speeds depending on the wireless client. If turbo mode is enabled, then this is displayed in the web UI and the transmit speeds and channels pull-down menus are updated with the valid values.

When Turbo mode is enabled, only a subset of the wireless channels in the 5.0 GHz spectrum can be used. If any wireless clients do not support turbo mode, the AP will fall back to normal mode.

Turbo mode can be configured only when Super mode has already been enabled.

Super mode is supported in the 2.4 GHz and 5 GHz frequency bands in all regulatory domains. Turbo mode is available in the 5 GHz frequency band in the FCC regulatory domain.

NOTE: Turbo mode and Mesh mode (either Mesh AP or Mesh Portal) can not be enabled on the same interface simultaneously.

IEEE 802.11d Support for Additional Regulatory Domains

The IEEE 802.11d specification allows conforming equipment to operate in more than one regulatory domain over time. IEEE 802.11d support allows the AP to broadcast its radio's regulatory domain information in its beacon and probe responses to clients. This allows clients to passively learn what country they are in and only transmit in the allowable spectrum. When a client enters a regulatory domain, it passively scans to learn at least one valid channel, i.e., a channel upon which it detects IEEE Standard 802.11 frames.

The beacon frame contains information on the country code, the maximum allowable transmit power, and the channels to be used for the regulatory domain.

The same information is transmitted in probe response frames in response to a client's probe requests. Once the client has acquired the information required to meet the transmit requirements of the regulatory domain, it configures itself for operation in the regulatory domain.

On some AP models, the regulatory domain and associated parameters are automatically configured when a country is selected on the System tab. On APs in which country selection is not available on the system tab, the regulatory domain is pre-programmed into the AP prior to shipment. Depending on the regulatory domain, a default country code is chosen that is transmitted in the beacon and probe response frames.

Configuring 802.11d Support

Perform the following procedure to enable 802.11d support and select the country code:

  1. Click Configure > Interfaces > Operational Mode.
  2. Select Enable 802.11d.
  3. Select the Country Code from the ISO/IEC 3166-1 CountryCode drop-down menu.
    4. NOTE: On APs with model numbers ending in -WD, -EU, or -UK, this object is not configurable.
  4. Click OK.
  5. Configure Transmit Power Control and transmit power level if required.

Transmit Power Control/Transmit Power Level

Transmit Power Control uses standard 802.11d frames to control transmit power within an infrastructure BSS. This method of power control is considered to be an interim way of controlling the transmit power of 802.11d enabled clients in lieu of implementation of 802.11h.

When an AP comes online, it automatically uses the maximum TX power allowed in the regulatory domain. The Transmit Power Control feature lets the user manually lower the transmit power level by setting a "back-off" value between between 0 and 35 dBm.

When Transmit Power Control is enabled, the transmit power level of the card in the AP is set to the maximum transmit power level minus the back-off value. This power level is advertised in Beacon and Probe Response frames as the 802.11d maximum transmit power level.

When an 802.11d-enabled client learns the regulatory domain related information from Beacon and Probe Response frames, it learns the power level advertised in Beacon and Probe response frames as the maximum transmit power of the regulatory domain and configures itself to operate with that power level.

As a result, the transmit power level of the BSS is configured to the power level set in the AP (assuming that the BSS has only 802.11d enabled clients and an 802.11d enabled AP).

Configuring TX Power Control

  1. Click Configure > Interfaces > Operational Mode.
  2. Select Enable Transmit Power Control.
  3. Enter the desired backoff from the maximum Transmit Power level (between 0 and 35 dBm) in the Wireless-A: Transmit Power Level Back-Off or Wireless-B: Transmit Power Level Back-Off field.
  4. Click OK.

Wireless-A (802.11a Radio) and Wireless-B (802.11b/g Radio)

Figure 4-10 Wireless Interface A

You can view and configure the following parameters for the Wireless-A and Wireless-B interfaces:

NOTE: You must reboot the Access Point before any changes to these parameters take effect.

Dynamic Frequency Selection/Radar Detection (DFS/RD)

In order to prevent interference with radar systems and other devices that occupy the 5 GHz band, 802.11a APs certified in the ETSI (Europe) and TELEC (Japan) regulatory domains (see Affected Countries) and operating in the middle frequency band select an operating channel through a combination of Auto Channel Select (ACS) and Dynamic Frequency Selection (DFS)/Radar Detection (RD).

During boot-up, ACS scans the available channels and selects the best channel. Once a channel is selected, the AP performs a channel availability check for 60 seconds to ensure that there is no radar on the channel and then commences normal operation. When the AP enters normal operation, DFS works in the background to detect radar interference on that channel. If interference is detected, the AP sends a trap, disassociates all clients, blacklists the channel, and reboots. After it reboots, ACS re-scans and selects a better channel that is free of interference.

If ACS is disabled, only channels in the lower frequency band are available for use:

Affected Countries

Japan is certified in the TELEC regulatory domain for operation in the 5 GHz band. The following countries are certified in the ETSI regulatory domain for operation in the 5 GHz band:

  • Austria
  • Greece
  • Norway
  • Belgium
  • Iceland
  • Poland
  • Brazil
  • Ireland
  • Portugal
  • Cyprus
  • Italy
  • Saudi Arabia
  • Denmark
  • Latvia
  • Spain
  • Estonia
  • Lithuania
  • Sweden
  • Finland
  • Luxembourg
  • Switzerland
  • France
  • Malta
  • Germany
  • Netherlands

 

RTS/CTS Medium Reservation

The 802.11 standard supports optional RTS/CTS communication based on packet size. Without RTS/CTS, a sending radio listens to see if another radio is already using the medium before transmitting a data packet. If the medium is free, the sending radio transmits its packet. However, there is no guarantee that another radio is not transmitting a packet at the same time, causing a collision. This typically occurs when there are hidden nodes (clients that can communicate with the Access Point but are out of range of each other) in very large cells.

When RTS/CTS occurs, the sending radio first transmits a Request to Send (RTS) packet to confirm that the medium is clear. When the receiving radio successfully receives the RTS packet, it transmits back a Clear to Send (CTS) packet to the sending radio. When the sending radio receives the CTS packet, it sends the data packet to the receiving radio. The RTS and CTS packets contain a reservation time to notify other radios (including hidden nodes) that the medium is in use for a specified period. This helps to minimize collisions. While RTS/CTS adds overhead to the radio network, it is particularly useful for large packets that take longer to resend after a collision occurs.

RTS/CTS Medium Reservation is an advanced parameter and supports a range between 0 and 2347 bytes. When set to 2347 (the default setting), the RTS/CTS mechanism is disabled. When set to 0, the RTS/CTS mechanism is used for all packets. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. You should not need to enable this parameter for most networks unless you suspect that the wireless cell contains hidden nodes.

Wireless Service Status

The user can shut down (or resume) the wireless service on the wireless interface of the AP through the CLI, HTTP, or SNMP interface. When the wireless service on a wireless interface is shut down, the AP will:

In shutdown state, AP will not transmit and receive frames from the wireless interface and will stop transmitting periodic beacons. Moreover, none of the frames received from the Ethernet interface will be forwarded to that wireless interface.

Wireless service on a wireless interface of the AP can be resumed through CLI/HTTP/SNMP management interface. When wireless service on a wireless interface is resumed, the AP will:

After wireless service resumes, the AP resumes beaconing, transmitting and receiving frames to/from the wireless interface and bridging the frames between the Ethernet and the wireless interface.

Traps Generated During Wireless Service Shutdown (and Resume)

The following traps are generated during wireless service shutdown and resume, and are also sent to any configured Syslog server.

When the wireless service is shut down on a wireless interface, the AP generates a trap called oriTrapWirelessServiceShutdown.

When the wireless service is resumed on a wireless interface, the AP generate a trap called oriTrapWirelessServiceResumed.

Channel Blacklist Table

The Channel Blacklist table contains all available channels (channels vary based on regulatory domain). It can be used to manually blacklist channels, and it also reflects channels that have been automatically blacklisted by the Dynamic Frequency Selection/Radar Detection (DFS/RD) function. In the ETSI (Europe) and TELEC (Japan) regulatory domains, channels are blacklisted automatically when radar is detected; when a channel has been automatically blacklisted, the Radar Detected status is set to True, and the channel will remain blacklisted for 30 minutes. Additionally, an administrator can blacklist channels manually to prevent their being used when ACS is enabled. To blacklist a channel manually:

  1. Click on Configure > Interfaces > Wireless A or Wireless B.
  2. Scroll down to the Channel Blacklist heading.



    3. Figure 4-11 Channel Blacklist Table
  3. Click Edit in the Channel Blacklist Table
  4. Set Blacklist Status to Enable.



    5. Figure 4-12 Channel Blacklist Table - Edit Screen
    NOTE: In the AP-4000/4000M/4900M, wireless service can be shut down/resumed on each wireless interface individually.

Wireless Distribution System (WDS)

A Wireless Distribution System (WDS) creates a link between two 4.9 Ghz, 802.11a, 802.11b, or 802.11b/g APs over their radio interfaces. This link relays traffic from one AP that does not have Ethernet connectivity to a second AP that has Ethernet connectivity. WDS allows you to configure up to six (6) ports per radio, or up to 12 ports on the AP-4000/4000M/4900M.

In the WDS example below, AP 1 and AP 2 communicate over a WDS link (represented by the blue line). This link provides Client 2 with access to network resources even though AP 2 is not directly connected to the Ethernet network. Packets destined for or sent by the client are relayed between the Access Points over the WDS link.

Figure 4-13 WDS Example

Bridging WDS

Each WDS link is mapped to a logical WDS port on the AP. WDS ports behave like Ethernet ports rather than like standard wireless interfaces: on a BSS port, an Access Point learns by association and from frames; on a WDS or Ethernet port, an Access Point learns from frames only. When setting up a WDS, keep in mind the following:

WDS Setup Procedure

NOTE: You must disable Auto Channel Select to create a WDS. Each Access Point that is a member of the WDS must have the same channel setting to communicate with each other.
NOTE: WDS and Mesh functionality cannot be enabled on the same radio when the AP is configured to function as a Mesh AP.

To setup a wireless backbone follow the steps below for each AP that you wish to include in the Wireless Distribution System.

  1. Confirm that Auto Channel Select is disabled.
  2. Write down the MAC Address of the radio that you wish to include in the Wireless Distribution System.
  3. Click on Configure > Interfaces > Wireless A or Wireless B.
  4. Scroll down to the Wireless Distribution System heading.



    5. Figure 4-14 WDS Configuration
  5. Click the Edit button to update the Wireless Distribution System (WDS) Table.



    6. Figure 4-15 Adding WDS Links
  6. Select whether to use encryption in the WDS by checking the Enable WDS Security Mode checkbox.
  7. If you enabled WDS Security Mode, enter the Encryption Key 0 used for encryption between the WDS links.
  8. Enter the MAC Address that you wrote down in Step 2 in one of the Partner MAC Address field of the Wireless Distribution Setup window.
  9. Set the Status of the device to Enable.
  10. Click OK.
  11. Reboot the AP.

Ethernet

Select the desired speed and transmission mode from the drop-down menu. Half-duplex means that only one side can transmit at a time and full-duplex allows both sides to transmit. When set to auto-duplex, the AP negotiates with its switch or hub to automatically select the highest throughput option supported by both sides.

Figure 4-16 Ethernet Sub-tab

For best results, Proxim recommends that you configure the Ethernet setting to match the speed and transmission mode of the device the Access Point is connected to (such as a hub or switch). If in doubt, leave this setting at its default, auto-speed-auto-duplex. Choose between:

Mesh (AP-4000M and AP-4900M Only)

Mesh functionality can be enabled on only one of the AP's wireless interfaces. When configured for Mesh, the AP's wireless interface simultaneously functions as a mesh link and as a radio to service clients.

Mesh is available only on AP-4000M and AP-4900M models. To convert an AP-4000 to an AP-4000M and enable Mesh capabilities, see ORiNOCO Mesh Creation Protocol Software Kit.

CAUTION: Mesh mis-configuration may cause problems in your wireless network. Before configuring an interface for Mesh functionality, see Mesh Network Configuration.

Basic Mesh Parameters

Figure 4-17 Basic Mesh Parameters (AP-4000M/4900M)

Configure the following basic parameters for Mesh functionality, and click OK.

NOTE: Changes to these parameters require a reboot in order to take effect.

Advanced Mesh Parameters

Figure 4-18 Advanced Mesh Parameters (AP-4000M/4900M)

The parameters on this page are preconfigured with default settings that optimize the type of network identified in the Mesh Mobility parameter on the previous page. Proxim recommends changing these values only if you have advanced knowledge of Mesh networking.

To reset these parameters to their default settings, click the Default button.

NOTE: Changes to these parameters require a reboot in order to take effect.

For more information on Mesh, see Mesh Networking (AP-4000M/4900M Only).

ORiNOCO Mesh Creation Protocol Software Kit

The ORiNOCO Mesh Creation Protocol (OMCP) Software Kit converts an AP-4000 unit into an AP-4000M unit that supports Mesh capabilities. The OMCP Software Kit is ordered through your reseller or distributor. Before you contact your reseller or distributor, you will need to gather specific information from your AP-4000 running software version 3.1 or later. If your AP is using a software version prior to version 3.1, you will need to upgrade your software to version 3.1 before proceeding. If your AP is already running software version 3.1 or later, follow the steps below:

  1. Click Configure > Interfaces > Mesh.
  2. Print the Mesh sub-tab page containing all the necessary conversion information: software version, serial number, Ethernet MAC address, and security ID.
  3. Repeat for any additional APs you wish to convert.



    4. Figure 4-19 Mesh Sub-tab (AP-4000)
  4. Contact your reseller or distributor to order the OMCP Software Kit.
  5. You will be asked for the information obtained above. Follow the instructions provided by your reseller or distributor to obtain the OMCP Software Kit for conversion. The kit will be provided to you electronically.

    6. Once you have received the necessary conversion tools, you can convert your AP-4000 to an AP-4000M from the AP's HTTP interface.

  6. Update the AP with the license file included in the OMCP Software Kit. See Update AP via TFTP or Update AP via HTTP.
  7. Reboot the AP. When the AP reboots, Mesh capabilities will be supported, and the AP can be configured to operate in a Mesh network.
  8. See the Mesh (AP-4000M and AP-4900M Only) section above to configure Mesh networking.

Management

The Management tab contains the following sub-tabs:

Passwords

You can configure the following passwords:

IP Access Table

The Management IP Access table limits in-band management access to the IP addresses or range of IP addresses specified in the table. This feature applies to all management services (SNMP, HTTP, and CLI) except for CLI management over the serial port. To configure this table, click Add and set the following parameters:

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status pull-down menu.

Services

You can configure the following management services:

Secure Management

Secure Management allows the use of encrypted and authenticated communication protocols such as SNMPv3, Secure Socket Link (SSL), and Secure Shell (SSH) to manage the Access Point.

SNMP Settings

HTTP Access

HTTPS Access (Secure Socket Layer)

NOTE: SSL requires Internet Explorer version 6, 128 bit encryption, Service Pack 1, and patch Q323308.
NOTE: You need to reboot the AP after enabling or disabling SSL for the changes to take effect.

Accessing the AP through the HTTPS interface

The user should use a SSL intelligent browser to access the AP through the HTTPS interface. After configuring SSL, access the AP using https:// followed by the AP's management IP address.

Figure 4-20 Management Services Configuration Screen

Telnet Configuration Settings

Secure Shell (SSH) Settings

The AP supports SSH version 2, for secure remote CLI (Telnet) sessions. SSH provides strong authentication and encryption of session data.

The SSH server (AP) has host keys - a pair of asymmetric keys - a private key that resides on the AP and a public key that is distributed to clients that need to connect to the AP. As the client has knowledge of the server host keys, the client can verify that it is communicating with the correct SSH server. The client authentication is performed as follows:

SSH Session Setup

An SSH session is setup through the following process:

SSH Clients

The following SSH clients have been verified to interoperate with the AP's server. The following table lists the clients, version number, and the website of the client.

Clients
Version
Website
OpenSSH
V3.4-2
http://www.openssh.com
Putty
Rel 0.53b
http://www.chiark.greenend.org.uk
Zoc
5.00
http://www.emtec.com
Axessh
V2.5
http://www.labf.com

For key generation, OpenSSH client has been verified.

Configuring SSH

Perform the following procedure to set the SSH host key and enable or disable SSH:

  1. Click Configure > Management > Services
  2. Select the SSH Host Key Status from the drop down menu.
    3. NOTE: SSH Host Key Status can not be changed if SSH status or Secure Management is enabled.
  3. To enable/disable SSH, select Enable/Disable from the SSH (Secure Shell) Status drop-down menu.
    4. NOTE: When Secure Management is enabled on the AP, SSH will be enabled by default and cannot be disabled.

Host keys must either be generated externally and uploaded to the AP (see Uploading Externally Generated Host Keys), generated manually, or auto-generated at the time of SSH initialization if SSH is enabled and no host keys are present. There is no key present in an AP that is in a factory default state.

To manually generate or delete host keys on the AP:

CAUTION: SSH Host key creation may take 3 to 4 minutes during which time the AP may not respond.

Uploading Externally Generated Host Keys

Perform the following procedure to upload externally generated host keys to the AP. You must upload both the SSH public key and SSH private key for SSH to work.

  1. Verify that the host keys have been externally generated. The OpenSSH client has been verified to interoperate with AP's SSH server.
  2. Click Commands > Update AP > via HTTP (or via TFTP).



    3. Figure 4-21 Uploading an Externally Generated SSH Public Key and SSH Private Key
  3. Select SSH Public Key from the File Type drop-down menu.
  4. Click Browse, select the SSH Public Key file on your local machine.
  5. Click Open.
  6. to initiate the file transfer, click the Update AP button.
  7. Select SSH Private Key from the File Type drop-down menu.
  8. Click Browse, select the SSH Private Key on your local machine.
  9. Click Open.
  10. To initiate the file transfer, click the Update AP button.

The fingerprint of the new SSH public key will be displayed in the Management > Services page.

Serial Configuration Settings

The serial port interface on the AP is enabled at all times. See Setting IP Address using Serial Port for information on how to access the CLI interface via the serial port. You can configure and view the following parameters:

RADIUS Based Management Access

User management of APs can be centralized by using a RADIUS server to store user credentials. The AP cross-checks credentials using RADIUS protocol and the RADIUS server accepts or rejects the user.

HTTP/HTTPS and Telnet/SSH users can be managed with RADIUS. Serial CLI and SNMP cannot be managed by RADIUS. Two types of users can be supported using centralized RADIUS management:

When RADIUS Based Management is enabled, a local user can be configured to provide Telnet, SSH, and HTTP(S) access to the AP when RADIUS servers fail. The local user has super user capabilities. When secure management is enabled, the local user can only login using secure means (i.e., SSH or SSL). When the local user option is disabled the only access to the AP when RADIUS servers are down will be through serial CLI or SNMP.

The Radius Based Management Access parameters allows you to enable HTTP or Telnet Radius Management Access, to configure a RADIUS Profile for management access control, and to enable or disable local user access, and configure the local user password. You can configure and view the following parameters:

Automatic Configuration (AutoConfig)

The Automatic Configuration feature which allows an AP to be automatically configured by downloading a specific configuration file from a TFTP server during the boot up process.

Automatic Configuration is disabled by default. The configuration process for Automatic Configuration varies depending on whether the AP is configured for dynamic or static IP.

When an AP is configured for dynamic IP, the Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. When configured for static IP, these parameters are instead configured in the AP interface.

After setting up automatic configuration you must reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If Syslog is configured, a Syslog message will appear indicating the success or failure of the Automatic Configuration.

Auto Configuration and the CLI Batch File

The Auto Configuration feature allows download of the LTV (Length, Type, Value) format configuration file or the CLI Batch file. The LTV file contains parameters used by the AP; the CLI Batch file contains CLI executable commands used to set AP parameters. The AP detects whether the uploaded file is LTV format or a CLI Batch file. If the AP detects an LTV file, it stores the file in the AP's flash memory. If the AP detects a CLI Batch file (a file with an extension of .cli), the AP executes the commands contained in the file immediately. The AP will reboot after executing the CLI Batch file. Auto Configuration will not result in repeated reboots if the CLI Batch file contains rebootable parameters.

For more information, see the CLI Batch File section.

Set up Automatic Configuration for Static IP

Perform the following procedure to enable and set up Automatic Configuration when you have a static IP address for the TFTP server.

  1. Click Configure > Management > AutoConfig.
    The Automatic Configuration Screen appears.
  2. Check Enable Auto Configuration.
  3. Enter the Configuration Filename.
  4. Enter the IP address of the TFTP server in the TFTP Server Address field.
    5. NOTE: The default filename is "config". The default TFTP IP address is 169.254.128.133 for AP-4000/4000M/4900M.
  5. Click OK to save the changes.
  6. Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
    • AutoConfig for Static IP
    • TFTP server address and configuration filename
    • AutoConfig Successful



      • Figure 4-22 Automatic Configuration Screen

Set up Automatic Configuration for Dynamic IP

Perform the following procedure to enable and set up Automatic Configuration when you have a dynamic IP address for the TFTP server via DHCP.

The Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. A Syslog server address is also contained in the DHCP response, allowing the AP to send Auto Configuration success and failure messages to a Syslog server.

NOTE: The configuration filename and TFTP server IP address are configured only when the AP is configured for Static IP. If the AP is configured for Dynamic IP these parameters are not used and obtained from DHCP.
  1. Click Configure > Management > AutoConfig.
    The Automatic Configuration screen appears.
  2. Check Enable Auto Configuration.

    3. When the AP is Configured with Dynamic IP, the DHCP server should be configured with the TFTP Server IP address ("Boot Server Host Name", option 66) and Configuration file ("Bootfile name", option 67) as follows (note that this example uses a Windows 2000 server):

  3. Select DHCP Server > DHCP Option > Scope.
    The DHCP Options: Scope screen appears.



    4. Figure 4-23 DHCP Options: Setting the Boot Server Host Name
  4. Add the Boot Server Hostname and Boot Filename parameters to the Available Options list.
  5. Set the value of the Boot Server Hostname Parameter to the hostname or IP Address of the TFTP server. For example: 11.0.0.7.



    6. Figure 4-24 DHCP Options: Setting the Bootfile Name
  6. Set the value of the Bootfile Name parameter to the Configuration filename. For example: AP-Config.
  7. If using Syslog, set the Log server IP address (option 7, Log Servers).
  8. Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
    • AutoConfig for Dynamic IP
    • TFTP server address and configuration filename
    • AutoConfig Successful

Hardware Configuration Reset (CHRD)

Hardware Configuration Reset Status is a parameter that defines the hardware configuration reset behavior of the AP (i.e., what effect pressing the reload button has on an AP operating in normal operating mode).

If a user loses or forgets the AP's HTTP/Telnet/SNMP password, the reset button on the AP provides a way to reset the AP to default configuration values to gain access to the AP. However, in AP deployments where physical access to the AP is not protected, an unauthorized person could reset the AP to factory defaults and thus gain control of the AP. The user can disable the hardware configuration reset functionality to prevent unauthorized access.

The hardware configuration reset feature operates as follows:

Configuration Reset via Serial Port During Bootup

If hardware configuration reset is disabled, the user gets prompted by a configuration reset option to reset the AP to factory defaults during boot up from the serial interface. By pressing a key sequence (ctrl-R), the user gets prompted to enter a configuration reset password before the configuration is reset.

NOTE: It is important to safely store the configuration reset password. If a user forgets the configuration reset password, the user will be unable to reset the AP to factory default configuration if the AP becomes inaccessible and the hardware configuration reset functionality is disable.

Configuring Hardware Configuration Reset

Perform the following procedure to configure Hardware Configuration Reset and to set the Configuration Reset Password. See Figure 4-25.

  1. Click Configure > Management > CHRD.



    2. Figure 4-25 Hardware Configuration Reset
  2. Check (enable) or uncheck (disable) the Enable Hardware Configuration Reset checkbox.
  3. Change the default Configuration Reset Password in the "Configuration Reset Password" and "Confirm" fields.
  4. Click OK.
  5. Reboot the AP.
    6. NOTE: It is important to safely store the configuration reset password. If a user forgets the configuration reset password, the user will be unable to reset the AP to factory default configuration if the AP becomes inaccessible and the hardware configuration reset functionality is disable.

Procedure to Reset Configuration via the Serial Interface

  1. During boot up, observe the message output on the serial interface.

    2. The AP prompts the user with the message: "Press ctrl-R in 3 seconds to choose configuration reset option."

  2. Enter ctrl-R within 3 seconds after being prompted.

    3. The AP prompts the user with "Press ctrl-Z to continue with normal boot up or enter password to reset configuration." If the user enters ctrl-Z, the AP continues to boot with the stored configuration.

  3. Enter the configuration reset password. The default configuration reset password is "public".

    4. When the correct configuration reset password is entered, the AP gets reset to factory defaults and displays the message "AP has been reset to Factory Default Settings." The AP continues to boot up. If an incorrect configuration reset password is entered, the AP shows an error message and reprompts the user. If the incorrect password is entered three times in a row, the AP proceeds to boot up.

Filtering

The Access Point's Packet Filtering features help control the amount of traffic exchanged between the wired and wireless networks. There are four sub-tabs under the Filtering heading:

Ethernet Protocol

The Ethernet Protocol Filter blocks or forwards packets based on the Ethernet protocols they support.

Follow these steps to configure the Ethernet Protocol Filter:

  1. Select the interface or interfaces that will implement the filter from the Ethernet Protocol Filtering drop-down menu.
    • Ethernet: Packets are examined at the Ethernet interface
    • Wireless-Slot A or Wireless-Slot B: Packets are examined at the Wireless A or B interfaces
    • All Interfaces: Packets are examined at both interfaces
    • Disabled: The filter is not used
  2. Select the Filter Operation Type.
    • If set to Passthru, only the enabled Ethernet Protocols listed in the Filter Table will pass through the bridge.
    • If set to Block, the bridge will block enabled Ethernet Protocols listed in the Filter Table.
  3. Configure the Ethernet Protocol Filter Table. This table is pre-populated with existing Ethernet Protocol Filters, however, you may enter additional filters by specifying the appropriate parameters.
    • To add an entry, click Add, and then specify the Protocol Number and a Protocol Name.
    • To edit or delete an entry, click Edit and change the information, or select Enable, Disable, or Delete from the Status drop-down menu.
    • An entry's status must be enabled in order for the protocol to be subject to the filter.

Static MAC

The Static MAC Address filter optimizes the performance of a wireless (and wired) network. When this feature is properly configured, the AP can block traffic between wired devices and wireless devices based on MAC address.

For example, you can set up a Static MAC filter to prevent wireless clients from communicating with a specific server on the Ethernet network. You can also use this filter to block unnecessary multicast packets from being forwarded to the wireless network.

NOTE: The Static MAC Filter is an advanced feature. You may find it easier to control wireless traffic via other filtering options, such as Ethernet Protocol Filtering.

Each static MAC entry contains the following fields:

Each MAC Address or Mask is comprised of 12 hexadecimal digits (0-9, A-F) that correspond to a 48-bit identifier. (Each hexadecimal digit represents 4 bits (0 or 1).)

Taken together, a MAC Address/Mask pair specifies an address or a range of MAC addresses that the AP will look for when examining packets. The AP uses Boolean logic to perform an "AND" operation between the MAC Address and the Mask at the bit level. However, for most users, you do not need to think in terms of bits. It should be sufficient to create a filter using only the hexadecimal digits 0 and F in the Mask (where 0 is any value and F is the value specified in the MAC address). A Mask of 00:00:00:00:00:00 corresponds to all MAC addresses, and a Mask of FF:FF:FF:FF:FF:FF applies only to the specified MAC Address.

For example, if the MAC Address is 00:20:A6:12:54:C3 and the Mask is FF:FF:FF:00:00:00, the AP will examine the source and destination addresses of each packet looking for any MAC address starting with 00:20:A6. If the Mask is FF:FF:FF:FF:FF:FF, the AP will only look for the specific MAC address (in this case, 00:20:A6:12:54:C3).

When creating a filter, you can configure the Wired parameters only, the Wireless parameters only, or both sets of parameters. Which parameters to configure depends upon the traffic that you want block:

A maximum of 200 entries can be created in the Static MAC filter table. To create an entry, click Add and enter the appropriate MAC addresses and Masks to setup a filter. The entry is enabled automatically when saved. To edit an entry, click Edit. To disable or remove an entry, click Edit and change the Status field from Enable to Disable or Delete.

Figure 4-26 Static MAC Configuration Screen

Static MAC Filter Examples

Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:

Prevent Two Specific Devices from Communicating

Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:

Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 can still communicate with the Wired Server.

Prevent Multiple Wireless Devices from Communicating with a Single Wired Device

Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server:

Result: When a logical "AND" is performed on the Wireless MAC Address and Wireless Mask, the result corresponds to any MAC address beginning with the 00:20:2D prefix. Since Wireless Client 1 and Wireless Client 2 share the same prefix (00:02:2D), traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).

Prevent All Wireless Devices from Communicating with a Single Wired Device

Configure the following settings to prevent all three Wireless Clients from communicating with Wired Server 1:

Result: The Access Point blocks all traffic between Wired Server 1 and all wireless clients.

Prevent a Wireless Device from Communicating with the Wired Network

Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet:

Result: The Access Point blocks all traffic between Wireless Client 3 and the Ethernet network.

Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN

If there are devices on your Ethernet network that use multicast packets to communicate and these packets are not required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you can set up a filter to prevent these multicast packets from being forwarded to the wireless network:

Result: The Access Point does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.

Advanced

You can configure the following advanced filtering options:

The following protocols are listed in the Advanced Filter Table:

The AP can filter these protocols in the wireless-to-Ethernet direction, the Ethernet-to-wireless direction, or in both directions. Click Edit and use the Status field to Enable or Disable the filter.

TCP/UDP Port

Port-based filtering enables you to control wireless user access to network services by selectively blocking TCP/UDP protocols through the AP. A user specifies a Protocol Name, Port Number, Port Type (TCP, UDP, or TCP/UDP), and filtering interfaces (Wireless only, Ethernet only, all interfaces, or no interfaces) in order to block access to services, such as Telnet and FTP, and traffic, such as NETBIOS and HTTP.

For example, an AP with the following configuration would discard frames received on its Ethernet interface with a UDP destination port number of 137, effectively blocking NETBIOS Name Service packets.

Protocol Type (TCP/UDP)
Destination Port Number
Protocol Name
Interface
Status (Enable/Disable)
UDP
137
NETBIOS Name Service
Ethernet
Enable

Adding TCP/UDP Port Filters

  1. Place a check mark in the box labeled Enable TCP/UDP Port Filtering.
  2. Click Add under the TCP/UDP Port Filter Table heading.
  3. In the TCP/UDP Port Filter Table, enter the Protocol Names to filter.
  4. Set the destination Port Number (a value between 1 and 65535) to filter. See the IANA Web site at http://www.iana.org/assignments/port-numbers for a list of assigned port numbers and their descriptions.
  5. Set the Port Type for the protocol: TCP, UDP, or both (TCP/UDP).
  6. Set the Interface to filter:
    • Ethernet
    • Wireless Slot A
    • Ethernet and Wireless Slot A
    • Wireless Slot B
    • Ethernet and Wireless Slot B
    • Wireless Slot A and B
    • All interfaces
  7. Click OK.

Editing TCP/UDP Port Filters

  1. Click Edit under the TCP/UDP Port Filter Table heading.
  2. Make any changes to the Protocol Name or Port Number for a specific entry, if necessary.
  3. In the row that defines the port, set the Status to Enable, Disable, or Delete, as appropriate.
  4. Select OK.

Alarms

The Alarms tab has the following sub-tabs:

Groups

Alarm groups can be enabled or disabled via the Web interface. Place a check mark in the box provided to enable a specific group. Remove the check mark from the box to disable the alarms. Alarm severity levels are as follows:

Configuration Trap Group

Trap Name
Description
Severity Level
oriTrapDNSIPNotConfigured
DNS IP address not configured
Major
oriTrapRADIUSAuthenticationNotConfigured
RADIUS Authentication not configured
Major
oriTrapRADIUSAccountingNotConfigured
RADIUS Accounting not configured
Major
oriTrapDuplicateIPAddressEncountered
Another network device with the same IP address exists
Major
oriTrapDHCPRelayServerTableNotConfigured
The DHCP relay agent server table is empty or not configured
Major
oriTrapVLANIDInvalidConfiguration
A VLAN ID configuration is invalid
Major
oriTrapAutoConfigFailure
Auto configuration failed
Minor
oriTrapBatchExecFailure
The CLI Batch execution fails for the following reasons:
  • Illegal Command is parsed in the CLI Batch file
  • Execution error is encountered while executing CLI Batch file
  • Bigger file size than 100 Kbytes
Minor
oriTrapBatchFileExecStart
The CLI Batch execution begins after file is uploaded
Minor
oriTrapBatchFileExecEnd
The execution of CLI Batch file ends.
Minor

Security Trap Group

Trap Name
Description
Severity Level
oriTrapInvalidEncryptionKey
Invalid encryption key has been detected.
Critical
oriTrapAuthenticationFailure
Client authentication failure has occurred. Authentication failures can range from:
  • MAC Access Control table
  • RADIUS MAC authentication
  • 802.1x authentication specifying the EAP-Type
  • WORP mutual authentication
  • SSID authorization failure specifying the SSID
  • VLAN ID authorization failure specifying the VLAN ID
Major
oriTrapUnauthorizedManagerDetected
Unauthorized manager has attempted to view and/or modify parameters
Major
oriTrapRADScanComplete
RAD scan is successfully completed
Informational
oriTrapRADScanResults
Provides information on the RAD Scan results
Informational
oriTrapRogueScanStationDetected
Rogue station detected
Informational
oriTrapRogueScanCycleComplete
Rogue scan successfully completed
Informational

Wireless Interface/Card Trap Group

Trap Name
Description
Severity Level
oriTrapWLCFailure
General failure wireless interface/card failure.
Critical
oriTrapWLCRadarInterferenceDetected
Radar interference detected on the channel being used by the wireless interface
Major
MIC Attack Detected
Supported in Web interface only
Major
MIC Attack Report Detected
Supported in Web interface only
Major

Operational Trap Group

Trap Name
Description
Severity Level
oriTrapUnrecoverableSoftwareErrorDetected
Unrecoverable software error detected. Causes software watch dog timer to expire, which in turn causes the device to reboot.
Critical
oriTrapRADIUSServerNotResponding
RADIUS server not responding to authentication requests sent from the RADIUS client in the device
Major
oriTrapModuleNotInitialized
Module (hardware or software) not initialized
Major
oriTrapDeviceRebooting
Device rebooting
Informational
oriTrapTaskSuspended
Task suspended
Critical
oriTrapBootPFailed
Response to the BootP request not received; device not dynamically assigned an IP address
Major
oriTrapDHCPFailed
Response to the DHCP client request not received; device not dynamically assigned an IP address
Major
oriTrapDNSClientLookupFailure
DNS client attempts to resolve a specified hostname (DNS lookup) and a failure occurs because either the DNS server is unreachable or there is an error for the hostname lookup. Trap specifies the hostname that was being resolved.
Major
oriTrapSSLInitializationFailure
SSL initialization failure
Major
oriTrapWirelessServiceShutdown
Wireless interface has shutdown services for wireless clients
Informational
oriTrapWirelessServiceResumed
Wireless interface has resumed service and is ready for wireless client connections
Informational
oriTrapSSHInitializationStatus
SSH initialization status
Major
oriTrapVLANIDUserAssignment
User is assigned a VLAN ID from the RADIUS server
Informational
oriTrapDHCPLeaseRenewal
AP requests DHCP renewal and receives new information from the DHCP server. Information includes the DHCP server IP address that replied to the DHCP client request, and the IP address, subnet mask, and gateway IP address returned from the DHCP server.
Informational

Flash Memory Trap Group

Trap Name
Description
Severity Level
oriTrapFlashMemoryEmpty
No data present in flash memory
Informational
Flash Memory Corrupted
Flash memory corrupted
Critical
oriTrapFlashMemoryRestoringLastKnownGoodConfiguration
Current/original configuration data file is found to be corrupted, and the device loads the last known good configuration file
Informational

TFTP Trap Group

Trap Name
Description
Severity Level
oriTrapTFTPFailedOperation
TFTP operation failed
Major
oriTrapTFTPOperationInitiated
TFTP operation Initiated
Informational
oriTrapTFTPOperationCompleted
TFTP operation completed
Informational

Image Trap Group

Trap Name
Description
Severity Level
oriTrapZeroSizeImage
Zero size image loaded onto device
Major
oriTrapInvalidImage
Invalid image loaded onto device
Major
oriTrapImageTooLarge
Image loaded on the device exceeds the size limitation of flash
Major
oriTrapIncompatibleImage
Incompatible image loaded onto device
Major
oriTrapInvalidImageDigitalSignature
Image with invalid digital signature is loaded onto device
Major

SNTP Trap Group

Trap Name
Description
Severity Level
oriTrapSNTPFailure
SNTP time retrieval failure
Minor
oriTrapSNTPFailure
SNTP sync-up failure
Minor

Generic Trap Group

Trap Name
Description
Severity Level
oriTrapGenericNotification (see following table)
Generic SNMP Trap
Variable

A generic SNMP trap may be sent for any of the following reasons:

Trap Reason/Type
Additional Trap Information
Severity Level
Mesh Connection Failure
Connection failure reason
Major
Link Integrity Failure
Target IP address of down link
Major
Topology Change
Ethernet MAC address of Mesh AP causing change; Mesh SSID
Informational

System Feature/License Group

Trap Name
Description
Severity Level
oriTrapIncompatibleLicenseFile
Incompatible license file
Major
oriTrapInvalidLicenseFile
Invalid license file
Major

In addition, the AP supports these standard traps, which are always enabled:

RFC 1215-Trap

Trap Name
Description
Severity Level
coldStart
AP is on or rebooted
Informational
linkUp
AP's Ethernet interface link is up (working)
Informational
linkDown
AP's Ethernet interface link is down (not working)
Informational

Bridge MIB (RFC 1493) Alarms

Trap Name
Description
Severity Level
New Root
AP has become the new root in the Spanning Tree network
Informational
topologyChange
Trap is not sent if a newRoot trap is sent for the same transition
Informational

All these alarm groups correspond to System Alarms that are displayed in the System Status Screen, including the traps that are sent by the AP to the SNMP managers specified in the Alarm Host Table.

Alarm Host Table

To add an entry and enable the AP to send SNMP trap messages to a Trap Host, click Add, and then specify the IP Address and Password for the Trap Host.

NOTE: Up to 10 entries are possible in the Alarm Host table.

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status drop-down menu.

Syslog

The Syslog messaging system enables the AP to transmit event messages to a central server for monitoring and troubleshooting. The access point logs "Session Start (Log-in)" and "Session Stop (Log-out)" events for each wireless client as an alternative to RADIUS accounting.

See RFC 3164 at http://www.rfc-editor.org for more information on the Syslog standard.

Figure 4-27 Syslog Configuration Screen

Setting Syslog Event Notifications

Syslog Events are logged according to the level of detail specified by the administrator. Logging only urgent system messages will create a far smaller, more easily read log than a log of every event the system encounters. Determine which events to log by selecting a priority defined by the following scale:

Event
Priority
Description
LOG_EMERG
0
System is unusable
LOG_ALERT
1
Action must be taken immediately
LOG_CRIT
2
Critical conditions
LOG_ERR
3
Error conditions
LOG_WARNING
4
Warning conditions
LOG_NOTICE
5
Normal but significant condition
LOG_INFO
6
Informational
LOG_DEBUG
7
Debug-level messages

Configuring Syslog Event Notifications

You can configure the following Syslog settings from the HTTP interface:

Syslog Messages

The following messages are supported in the AP:

Syslog Message Name
Priority
Severity
Description
Auto Configuration using DHCP
6
Informational
Configuration filename and TFTP server address are obtained from DHCP when dynamic IP is configured on the device.
Auto Configuration using Static IP
6
Informational
Configured TFTP server address and configuration filename is used when Static IP is configured on the device.
TFTP Server IP and configuration filename not present in DHCP response
4
Minor
Configuration filename and/or TFTP server address is not present in the DHCP response when using DHCP.
TFTP Server IP Address used in AutoConfig feature
6
Informational
TFTP server IP address used for AutoConfig.
TFTP Server filename used in AutoConfig feature
6
Informational
TFTP filename used for AutoConfig.
Auto Configuration TFTP Download Failure
4
Minor
TFTP download of a configuration file for AutoConfig fails for the following reasons:
Incorrect or non-reachable TFTP server address
Incorrect or unavailable configuration filename
TFTP transfer timeout.
Image Compatibility Check, Invalid Image
2
Major
One of the following failures occurs:
Invalid Signature
Zero File Size
Large File
Non VxWork Image
Incompatible Image
AP Heartbeat Status
5
Informational
AP syslog keep alive message.
Client Login Authentication Status
6
Informational
Client logs in/authenticates. Message includes:
  • Client MAC Address
  • Authentication Type = None, ACL, RADIUS MAC, 802.1X
  • Cipher Type = None, WEP, TKIP, AES
  • Status = Allow, Deny
  • SSID to which client is connecting
Sample Message:
<client mac address> | Status = <value> | SSID = <value> | Auth Type = <value> | Cipher Type = <value>
Client De-Authentication Status
6
Informational
Client de-authenticates. Message includes:
  • Client MAC Address
  • Cipher Type = None, WEP, TKIP, AES
  • Status = De-authentication reason, which can be any of the following:
    • Unknown reason
    • Stale authentication information
    • Authenticated STA leaving BSS
    • Inactivity
    • Association error
    • Class 2 frame received from non-authenticated STA
    • Class 3 frame received from non-associated STA
    • Associated STA leaving BSS
    • STA requesting information, but not yet authenticated
    • Enhanced security (RSN) required
    • Enhanced security (RSN) used inconsistently
    • Invalid Information Element
    • MIC Failure
    • WPA module de-auth
  • SSID to which client was connected
Sample Message:
<client mac address> | Status = <value> | SSID = <value> | Cipher Type = <value>
RADIUS Accounting Start and Stop Messages
6
Informational
Start and Stop accounting messages for wireless clients.
CLI Configuration File Start Execution
6
Informational
CLI configuration file execution starts.
CLI Configuration File End Execution
6
Informational
CLI configuration file execution ends.
CLI Configuration File Execution Errors
4
Minor
There is an error in execution of the CLI configuration file. The message specifies the filename, line number, and error reason.
SSH Initialization Failure
3
Major
One of the following failures occurs:
Keys not present
Keys cannot be generated
Internal error (no available resources)
SSH Key Generation Successful
6
Informational
SSH Key generation is successful.
Wireless Service Shutdown
6
Informational
Wireless service is shutdown.
Wireless Service Resume
6
Informational
Wireless service resumes.
MIC Attack Occurred
4
Minor
MIC attack occurred; wireless interface is shut down for 60 seconds
MIC Attack from Wireless Station
4
Minor
A MIC attack is detected from a wireless station.
SNTP Time Retrieval Failure
4
Minor
SNTP Client in the AP fails to retrieve time information from the configured SNTP servers. Also included in message: IP Address of SNTP server.
SNTP Time Sync-Up Failure
4
Minor
SNTP Client in the AP fails to synchronize the time with the SNTP server it was communicating with. Also included in message: IP Address of SNTP server.
Incompatible license file
3
Major
Incompatible license file is stored in flash memory during initialization or license file download. Also included in message: incompatibility reason.
Invalid license file
3
Major
Invalid license file is stored in flash memory during initialization or license file download. The license file is found to be invalid if the signed checksum verification fails.
Mesh Connection Failure
3
Major
AP fails to connect with an uplink Mesh AP or Mesh portal. Also included in message: uplink Mesh portal/AP MAC address, Mesh SSID, and reason for connection failure.
Link Integrity Failure
3
Major
Link integrity feature determines that link integrity target is down. Also included in message: Link Integrity target IP address.
Topology Change
6
Informational
Mesh AP changes its uplink mesh connection. Also included in message: uplink Mesh AP/portal MAC address and Mesh SSID.

Rogue Scan

The Rogue Scan feature provides an additional security level for wireless LAN deployments. Rogue Scan uses the selected wireless interface(s) for scanning its coverage area for Access Points and clients.

A centralized Network Manager receives MAC address information from the AP on all wireless clients detected by the AP. The Network Manager then queries all wired switches to find out the inbound switch/port of these wireless clients. If the switch/port does not have a valid Access Point connected to it as per a pre-configured database, the Network Manager proceeds to block that switch/port and prevent the Rogue AP from connecting to the wired network.

Figure 4-28 Preventing Rogue AP Attacks

The figure above shows Client 1 connected to a Trusted AP and Client 2 connected to a Rogue AP. The Trusted AP scans the networks, detects Client 2, and notifies the Network Manager. The Network Manager uses SNMP/CLI to query the wired switch to find the inbound switch port of Client 2's packets. The Network Manager verifies that this switch/router and port does not have a valid Access Point as per the administrator's database. Thus it labels Client 2's AP as a Rogue AP and proceeds to prevent the Rogue AP attack by blocking this switch's port.

Multi-Band Scanning

Rogue Scan detects Rogue stations in all bands (i.e., 2.4 GHz and 5 GHz for interfaces that support 802.11a/g multi-band operation. During Rogue Scan the AP scans every channel in its configured regulatory domain; the AP scans both the 2.4 GHz and 5 GHz bands for wireless interfaces supporting 802.11a/g multi-band operation.

APs can be detected either by active scanning using 802.11 probe request frames or passively by detecting periodic beacons, or both. Wireless clients are detected by monitoring 802.11 connection establishment messages such as association/authentication messages or data traffic to or from the wireless clients.

There are two scanning modes available per wireless interface: continuous scanning mode and background scanning mode.

Continuous Scanning Mode

The continuous scanning mode is a dedicated scanning mode where the wireless interface performs scanning alone and does not perform the normal AP operation of servicing client traffic.

In continuous scanning mode the AP scans each channel for a channel scan time of one second and then moves to the next channel in the scan channel list. With a channel scan time of one second, the scan cycle time will take less than a minute (one second per channel). Once the entire scan channel list has been scanned the AP restarts scanning from the beginning of the scan channel list.

Background Scanning Mode

In background scanning mode the AP performs background scanning while performing normal AP operations on the wireless interface.

You can configure the scan cycle time between 1-1440 minutes (24 hours). The scan cycle time indicates how frequently a channel is sampled and defines the minimum attack period that can go unnoticed.

In background scanning mode the AP will scan one channel then wait for a time known as channel scan time. The channel scan time affects the amount of data collected during scanning and defines the maximum number of samples (possible detections) in one scan. This is increased to improve scanning efficiency; the tradeoff is that it decreases throughput. The optimum value for this parameter during background scanning mode is 20ms.The channel scan time is calculated from the scan cycle time parameter and the number of channels in the scan channel list as follows:

intra-channel scan time = (scan cycle time - (channel scan time * number of channels in the scan list))/number of channels in the scan list.

NOTE: If the AP is configured as a Mesh AP, the background scanning interval will be the same as the Mesh scanning interval (20 ms if there is no uplink, or 180 ms if there is an uplink).
NOTE: In Background Scanning mode, the Mesh AP may not immediately detect all APs entering the network. To ensure immediate detection of all APs entering the network, select Continuous Scanning mode.

Rogue Scan Data Collection

The AP stores information gathered about detected stations during scanning in a Rogue Scan result table. The Rogue Scan result table can store a maximum of 2000 entries. When the table fills, the oldest entry gets overwritten. The Rogue Scan result table lists the following information about each detected station:

The AP ages out older entries in the Rogue Scan result table if a detected station is inactive for more than the Scan Result Table Ageing Time.

Rogue Scan

Perform this procedure to enable Rogue Scan on a particular interface or interfaces and define the Scan Interval and Scan Interface. See Figure 4-29.

The Rogue Scan screen also displays the number of new access points and clients detected in the last scan on each wireless interface.

  1. Enable the Security Alarm Group. Select the Security Alarm Group link from the Rogue Scan screen. Configure a Trap Host to receive the list of access points (and clients) detected during the scan.
  2. Click Configure > Alarms > Rogue Scan.
  3. Enable Rogue Scan on a wireless interface by checking Enable Rogue Scan.
    4. NOTE: Rogue Scan cannot be enabled on a wireless interface when the Wireless Service Status on that interface is shutdown. First, resume service on the wireless interface.
    NOTE: Enabling Rogue Scan simultaneously with Broadcast SSID will cause a drift in the beacon interval and the occasional missing of beacons.
  4. Enter the Scan Mode. Select Background Scanning or Continuous Scanning. In Continuous Scanning mode the AP stops normal operation and scans continuously on that interface. In Background Scanning mode, the AP performs background scanning while doing normal AP operation on that interface.
  5. If the Scan Mode is Background Scanning, then enter the Scan Interval.
    • The Scan Interval specifies the time period in minutes between scans in Background Scanning mode and can be set to any value between 1 and 1440 minutes.
  6. Configure the Scan Result Table Ageing Time. The AP ages out older entries in the Rogue Scan result table if a detected station is inactive for more than this time. The valid range is from 60-7200 minutes, the default is 60 minutes.
  7. Configure the Scan Results Trap Notification Mode to control the notification behavior when APs or stations are detected in a scan:
    • No Notification
    • Notify AP
    • Notify Client
    • Notify All (Notify both AP and Client detection)
  8. Configure the Scan Results Trap Report Style to control the way detected stations are reported in the notification:
    • Report all detected stations since last scan (default)
    • Report all detected stations since start of scan
  9. Configure the second wireless interface, if required.
  10. Click OK.

The results of the Rogue Scan can be viewed in the Status page in the HTTP interface.

Figure 4-29 Rogue Scan Screen

Bridge

The AP is a bridge between your wired and wireless networking devices. As a bridge, the functions performed by the AP include:

Once the AP is connected to your network, it learns which devices are connected to it and records their MAC addresses in the Learn Table. The table can hold up to 10,000 entries. To view the Learn Table, click on the Monitor button in the web interface and select the Learn Table tab.

The Bridge tab has four sub-tabs:

Spanning Tree

A Spanning Tree is used to avoid redundant communication loops in networks with multiple bridging devices. Bridges do not have any inherent mechanism to avoid loops, because having redundant systems is a necessity in certain networks. However, redundant systems can cause Broadcast Storms, multiple frame copies, and MAC address table instability problems.

Complex network structures can create multiple loops within a network. The Spanning Tree configuration blocks certain ports on AP devices to control the path of communication within the network, avoiding loops and following a spanning tree structure.

For more information on Spanning Tree protocol, please see Section 8.0 of the IEEE 802.1d standard. The Spanning Tree configuration options are advanced settings. Proxim recommends that you leave these parameters at their default values unless you are familiar with the Spanning Tree protocol.

NOTE: Spanning Tree protocol does not run on Mesh ports.
NOTE: Spanning Tree protocol is disabled by default. When WDS is enabled, Spanning Tree protocol is automatically enabled. It may be manually disabled. If Spanning Tree protocol is enabled by WDS and WDS is subsequently disabled, Spanning tree will remain enabled until it is manually disabled.

Figure 4-30 Spanning Tree Sub-Tab

Storm Threshold

Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by:

The Storm Threshold parameters allow you to specify a set of thresholds for each interface of the AP, identifying separate values for the number of broadcast messages/second and Multicast messages/second.

When the number of frames for an interface or from a single network device exceeds the maximum value per second, the AP will ignore all subsequent messages in that second received on that interface or from that network device.

Intra BSS

The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature enables you to prevent wireless subscribers within a BSS from exchanging traffic.

Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents peer-to-peer file sharing or gaming over the wireless network.

To block Intra BSS traffic, set Intra BSS Traffic Operation to Block.

To allow Intra BSS traffic, set Intra BSS Traffic Operation to Passthru.

Packet Forwarding

The Packet Forwarding feature enables you to redirect traffic generated by wireless clients that are all associated to the same AP to a single MAC address. This filters wireless traffic without burdening the AP and provides additional security by limiting potential destinations or by routing the traffic directly to a firewall. You can redirect to a specific port (Ethernet or WDS) or allow the bridge's learning process (and the forwarding table entry for the selected MAC address) to determine the optimal port.

NOTE: The gateway to which traffic will be redirected should be node on the Ethernet network. It should not be a wireless client.

Configuring Interfaces for Packet Forwarding

Configure your AP to forward packets by specifying port(s) to which packets are redirected and a destination MAC address.

  1. Within the Packet Forwarding Configuration screen, check the box labeled Enable Packet Forwarding.
  2. Specify a destination Packet Forwarding MAC Address. The AP will redirect all unicast, multicast, and broadcast packets received from wireless clients to the address you specify.
  3. Select a Packet Forwarding Interface Port from the drop-down menu. You can redirect traffic to:
  4. Click OK to save your changes.

QoS

Wireless Multimedia Extensions (WME)/Quality of Service (QoS) Introduction

The AP supports Wireless Multimedia Enhancements, also known as Wi-Fi Multimedia (WMM), which defines an intermediate solution for QoS functionality until the IEEE 802.11e specification is formally approved. WME is based on a subset of the 802.11e standard, and defines enhancements to the MAC for wireless LAN applications with Quality of Service requirements, which include transport of voice traffic over IEEE 802.11 wireless LANs.

The enhancement are in the form of changes in protocol frame formats (addition of new fields and information elements), addition of new messages, definition of new protocol actions, channel access mechanisms (differentiated control of access to medium) and network elements (QoS/WME aware APs, STAs), and configuration management.

WME supports Enhanced Distributed Channel Access (EDCA) for prioritized QoS services. The WME/QoS feature can be enabled or disabled per wireless interface. For more information on QoS, see "Technical Bulletin 69504 Revision 2" at <http://keygen.proxim.com/support/orinoco/tb/tb69504_3wmm.pdf>.

Policy

Perform the following procedure to enable QoS and add QoS policies:

  1. Click Configure > QoS > Policy.



    2. Figure 4-31 QoS Policy Sub-Tab
  2. To enable QoS, check the Enable Quality of Service checkbox.
  3. Configure the QoS Maximum Medium Threshold for all Admission Controls. Admission will be granted if the new requested traffic stream and already admitted time is less than the medium maximum threshold.
  4. To add a QoS Policy, click the Add button in the "QoS Policies Table" box. The Add Entries box appears.



    5. Figure 4-32 Add QoS Policy
  5. Enter the Policy Name.
  6. Select the Policy Type:
    • inlayer2: inbound traffic direction, Layer 2 traffic type
    • inlayer3: inbound traffic direction, Layer 3 traffic type
    • outlayer2: outbound traffic direction, Layer 2 traffic type
    • outlayer3: inbound traffic direction, Layer 3 traffic type
    • spectralink: SpectraLink traffic
  7. Enter the Priority Mapping Index.

    8. For layer 2 policies, an index from the 802.1p to 802.1d mapping table should be specified. For layer 3 policies, an index from the 802.1p to IP DSCP mapping table should be specified. No mapping index is required for SpectraLink.

  8. Select whether to Enable QoS Marking.
  9. Click OK.

Priority Mapping

Use this page to configure QoS 802.1p to 802.1d priority mappings (for layer 2 policies) and IP DSCP to 802.1d priority mappings (for layer 3 policies). The first entry in each table contains the recommended priority mappings. Custom entries can be added to each table with different priority mappings.

  1. Click Configure > QoS > Priority Mapping.



    2. Figure 4-33 Priority Mapping
  2. Click Add in the 802.1p and 802.1d priority mapping table.



    3. Figure 4-34 Add Priority Mapping Entry
  3. Select the 802.1p Priority (from 0-7) for 802.1d Priorities 0-7.
  4. Click OK.
  5. Click Add in the IP Precedence/DSCP ranges and 802.1d Priority table.
  6. Select the IP DSCP Range for each 802.1d Priority.
  7. Click OK.
    8. NOTE: Changes to Priority Mapping require a reboot of the AP to take effect.

Enhanced Distributed Channel Access (EDCA)

WME uses Enhanced Distributed Channel Access, a prioritized CSMA/CA access mechanism used by WME-enabled clients/AP in a WME enabled BSS to realize different classes of differentiated Channel Access.

A wireless Entity is defined as all wireless clients and APs in the wireless medium contending for the common wireless medium. EDCA uses a separate channel access function for each of the Access Categories (Index) within a wireless entity. Each channel access function in a wireless entity that contends for the wireless medium as if it were a separate client contending for the wireless medium. Different channel access functions in a given Wireless Entity contend among themselves for access to the wireless medium in addition to contending with other clients.

STA EDCA Table and AP EDCA Table

This page is used to configure the client (STA) and AP Enhanced Distributed Channel Access (EDCA) parameters. You can modify the EDCA values for both Wireless A and Wireless B.

The EDCA parameter set provides information needed by the client stations for proper QoS operation during the wireless contention period. These parameters are used by the QoS enabled AP to establish policy, to change policies when accepting new stations or new traffic, or to adapt to changes in the offered load. The EDCA parameters assign priorities to traffic types where higher priority packets gain access to the wireless medium more frequently than lower priority packets.

NOTE: Default recommended values for EDCA parameters have been defined; Proxim recommends not modifying EDCA parameters unless strictly necessary.

Perform the following procedure to configure the Station and AP EDCA tables.

  1. Click Configure > QoS > EDCA.



    2. Figure 4-35 EDCA Tables
  2. Click Edit and configure the following parameters in each table:
    3. NOTE: Changes to EDCA parameters require a reboot of the AP to take effect.
    • Index: read-only. Indicates the index of the Access Category (1-4) being defined.
    • CWMin: minimum Contention Window. Configurable range is 0 to 255.
    • CWMax: maximum Contention Window. Configurable range is 0 to 65535.
    • AIFSN: Arbitration IFS per access category. Configurable range is 2 to 15.
    • Tx OP Limit: The Transmission Opportunity Limit. The Tx OP is an interval of time during which a particular QoS enhanced client has the right to initiate a frame exchange sequence onto the wireless medium. The Tx OP Limit defines the upper limit placed on the value of Tx OP a wireless entity can obtain for a particular access category. Configurable range is 0 to 65535.
    • MSDU Lifetime: specifies the maximum elapsed time between a MSDU transfer request and delivery to the destination, beyond which delivery becomes unnecessary. Configurable range is 0 to 500 seconds.
    • Admission Control Mandatory: Possible values are True or False. Admission control defines if an Access Point accepts or rejects a requested traffic stream with certain QoS specifications, based on available channel capacity and link conditions. Admission control can be configured for each Access Category (Index).

      • On the Policy sub-tab, the user can also configure a medium maximum threshold for all Admission Controls. Admission will be granted if the new requested traffic stream and already admitted time is less than the medium maximum threshold.

Radius Profiles

Configuring Radius Profiles on the AP allows the administrator to define a profile for RADIUS Servers used by the system or by a VLAN. The network administrator can define RADIUS Servers per Authentication Mode and per VLAN.

The AP communicates with the RADIUS server defined in a profile to provide the following features:

Also, RADIUS Based Management Access allows centralized user management.

The network administrator can configure default RADIUS authentication servers to be used on a system-wide basis, or in networks with VLANs enabled the administrator can also configure separate authentication servers to be used for MAC authentication, EAP authentication, or Accounting in each VLAN. You can configure the AP to communicate with up to six different RADIUS servers per VLAN/SSID:

The back-up servers are optional, but when configured, the AP will communicate with the back-up server if the primary server is off-line. After the AP has switched to the backup server, it will periodically check the status of the primary RADIUS server every five (5) minutes. Once the primary RADIUS server is again online, the AP automatically reverts from the backup RADIUS server back to the primary RADIUS server. All subsequent requests are then sent to the primary RADIUS server.

You can view monitoring statistics for each of the configured RADIUS servers.

RADIUS Servers per Authentication Mode and per VLAN

The user can configure separate RADIUS authentication servers for each authentication mode and for each SSID (VLAN). For example:

This figure shows a network with separate authentication servers for each authentication type and for each VLAN. The clients in VLAN 1 are authenticated using the authentication servers configured for VLAN 1. The type of authentication server used depends on whether the authentication is done for an 802.1x client or a non-802.1x client. The clients in VLAN 2 are authenticated using a different set of authentication servers configured for authenticating users in VLAN 2.

Authentication servers for each VLAN are configured as part of the configuration options for that VLAN. RADIUS profiles are independent of VLANs. The user can define any profile to be the default and associate all VLANs to that profile. Four profiles are created by default, "MAC Authentication", "EAP Authentication", Accounting", and "Management".

RADIUS Servers Enforcing VLAN Access Control

A RADIUS server can be used to enforce VLAN access control in two ways:

Configuring Radius Profiles

A RADIUS server Profile consists of a Primary and a Secondary RADIUS server that get assigned to act as either MAC Authentication servers, 802.1x/EAP Authentication servers, or Accounting Servers in the VLAN Configuration. See Configuring Security Profiles.

The RADIUS Profiles tab allows you to add new RADIUS profiles or modify or delete existing profiles.

Figure 4-37 RADIUS Server Profiles

Adding or Modifying a RADIUS Server Profile

Perform the following procedure to add a RADIUS server profile and to configure its parameters.

  1. Click Add to create a new profile. To Modify an existing profile, select the profile and click Edit. To delete an existing profile, select the profile and click Delete. You cannot delete a RADIUS server profile if it is applied to an SSID.
  2. Configure the following parameters for the RADIUS Server profile (see Figure 4-38):
    3. NOTE: This page configures only the Primary RADIUS Server associated with the profile. After configuring these parameters, save them by clicking OK. Then, to configure the Secondary RADIUS Server, edit the profile from the main page.



    Figure 4-38 Add RADIUS Server Profile
    • Server Profile Name: the profile name. This is the name used to associated a VLAN to the profile. See Configuring Security Profiles. The Server Profile Name is also used in the Configure > Management > Services page to specify the RADIUS profile to be used for RADIUS Based Management Access.
    • MAC Address Format Type: This parameter should correspond to the format in which the clients' 12-digit MAC addresses are listed within the RADIUS server. Available options are:
      • Dash delimited: dash between each pair of digits: xx-yy-zz-aa-bb-cc
      • Colon delimited: colon between each pair of digits: xx:yy:zz:aa:bb:cc
      • Single dash delimited: dash between the sixth and seventh digits: xxyyzz-aabbcc
      • No delimiters: No characters or spaces between pairs of hexadecimal digits: xxyyzzaabbcc
    • Accounting update interval: Enter the time interval (in minutes) for sending Accounting Update messages to the RADIUS server. A value of 0 (default) means that the AP will not send Accounting Update messages.
    • Accounting inactivity timer: Enter the accounting inactivity timer. This parameter supports a value from 1-60 minutes. The default is 5 minutes.
    • Authorization lifetime: Enter the time, in seconds, each client session may be active before being automatically re-authenticated. This parameter supports a value between 900 and 43200 seconds. The default is 0 (disabled).
    • Server Addressing Format: select IP Address or Name. If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client for details.
    • Server Name/IP Address: Enter the server's name or IP address.
    • Destination Port: Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers communicate on port 1812.
    • Server VLAN ID: Indicates the VLAN that uses this RADIUS server profile. If VLAN is disabled, this field will be grayed out.
    • Shared Secret and Confirm Shared Secret: Enter the password shared by the RADIUS server and the AP. The same password must also be configured on the RADIUS server. The default password is "public."
    • Response Time (seconds): Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request. The range is 1-10 seconds; the default is 3 seconds.
    • Maximum Retransmissions (0-4): Enter the maximum number of times an authentication request may be transmitted. The range is 0 to 4, the default is 3.
    • Server Status: Select Enable from the drop-down box to enable the RADIUS Server Profile.
  3. Click OK.
  4. Select the Profile and click Edit to configure the Secondary RADIUS Server, if required.

MAC Access Control Via RADIUS Authentication

If you want to control wireless access to the network and if your network includes a RADIUS Server, you can store the list of MAC addresses on the RADIUS server rather than configure each AP individually. You can define a RADIUS Profile that specifies the IP Address of the server that contains a central list of MAC Address values identifying the authorized stations that may access the wireless network. You must specify information for at least the primary RADIUS server. The back-up RADIUS server is optional.

NOTE: Each VLAN can be configured to use a separate RADIUS server (and backup server) for MAC authentication. MAC access control can be separately enabled for each VLAN.
NOTE: Contact your RADIUS server manufacturer if you have problems configuring the server or have problems using RADIUS authentication.

802.1x Authentication using RADIUS

You must configure a primary EAP/802.1x Authentication server to use 802.1x security. A back-up server is optional.

NOTE: Each VLAN can be configured to use a separate RADIUS server (and backup server) for 802.1x authentication. 802.1x authentication ("EAP authentication") can be separately enabled for each VLAN.

RADIUS Accounting

Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS accounting is initiated by sending an "Accounting Start" request to the RADIUS server. When the wireless client session ends, an "Accounting Stop" request is sent to the RADIUS server.

NOTE: Each VLAN can be configured to use a separate RADIUS accounting server (and backup accounting server).

Session Length

Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:

If the client roams from one AP to another, one session is terminated and a new session is begun.

NOTE: This feature requires RADIUS authentication using MAC Access Control or 802.1x. Wireless clients configured in the Access Point's static MAC Access Control list are not tracked.

Authentication and Accounting Attributes

Additionally, the AP supports a number of Authentication and Accounting Attributes defined in RFC2865, RFC2866, RFC2869, and RFC3580.

Authentication Attributes

Accounting Attributes

SSID/VLAN/Security

The AP provides several security features to protect your network from unauthorized access. This section gives an overview of VLANs and then discusses the SSID/VLAN/Security configuration options in the AP:

The AP also provides Broadcast SSID/Closed System and Rogue Scan to protect your network from unauthorized access. See the Wireless-A or Wireless-B and Rogue Scan sections from more information.

VLAN Overview

Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted resources.

VLANs now extend as far as the reach of the access point signal. Clients can be segmented into wireless sub-networks via SSID and VLAN assignment. A Client can access the network by connecting to an AP configured to support its assigned SSID/VLAN.

AP devices are fully VLAN-ready; however, by default VLAN support is disabled. Before enabling VLAN support, certain network settings should be configured, and network resources such as a VLAN-aware switch, a RADIUS server, and possibly a DHCP server should be available.

Once enabled, VLANs are used to conveniently, efficiently, and easily manage your network in the following ways:

VLAN tagged data is collected and distributed through an AP's wireless interface(s) based on Network Name (SSID). An Ethernet port on the access point connects a wireless cell or network to a wired backbone. The access points communicate across a VLAN-capable switch that analyzes VLAN-tagged packet headers and directs traffic to the appropriate ports. On the wired network, a RADIUS server authenticates traffic and a DHCP server manages IP addresses for the VLAN(s). Resources like servers and printers may be present, and a hub may include multiple APs, extending the network over a larger area.

Figure 4-39 Components of a Typical VLAN

VLAN Workgroups and Traffic Management

Access Points that are not VLAN-capable typically transmit broadcast and multicast traffic to all wireless Network Interface Cards (NICs). This process wastes wireless bandwidth and degrades throughput performance. In comparison, a VLAN-capable AP is designed to efficiently manage delivery of broadcast, multicast, and unicast traffic to wireless clients.

The AP assigns clients to a VLAN based on a Network Name (SSID). The AP can support up to 16 SSIDs per radio, with a unique VLAN configurable per SSID.

The AP matches packets transmitted or received to a network name with the associated VLAN. Traffic received by a VLAN is only sent on the wireless interface associated with that same VLAN. This eliminates unnecessary traffic on the wireless LAN, conserving bandwidth and maximizing throughput.

In addition to enhancing wireless traffic management, the VLAN-capable AP supports easy assignment of wireless users to workgroups. In a typical scenario, each user VLAN represents a workgroup; for example, one VLAN could be used for an EMPLOYEE workgroup and the other for a GUEST workgroup.

In this scenario, the AP would assign every packet it accepted to a VLAN. Each packet would then be identified as EMPLOYEE or GUEST, depending on which wireless NIC received it. The AP would insert VLAN headers or "tags" with identifiers into the packets transmitted on the wired backbone to a network switch.

Finally, the switch would be configured to route packets from the EMPLOYEE workgroup to the appropriate corporate resources such as printers and servers. Packets from the GUEST workgroup could be restricted to a gateway that allowed access to only the Internet. A member of the GUEST workgroup could send and receive e-mail and access the Internet, but would be prevented from accessing servers or hosts on the local corporate network.

Typical User VLAN Configurations

VLANs segment network traffic into workgroups, which enable you to limit broadcast and multicast traffic. Workgroups enable clients from different VLANs to access different resources using the same network infrastructure. Clients using the same physical network are limited to those resources available to their workgroup.

The AP can segment users into a maximum of 16 different workgroups per radio, based on an SSID/VLAN grouping (also referred as a VLAN Workgroup or a Sub-network).

The primary scenarios for using VLAN workgroups are as follows:

  1. VLAN disabled: Your network does not use VLANs, and you cannot configure the AP to use multiple SSIDs.
  2. VLAN enabled, each VLAN workgroup uses a different VLAN ID Tag.
  3. VLAN enabled, a mixture of Tagged and Untagged workgroups exist.
  4. VLAN enabled, all VLANs untagged: VLAN is enabled in order to use SSID. (Note that typical use of SSIDs assumes actual use of VLANs.)
    5. NOTE: VLAN must be enabled to configure security per SSID.

Management VLAN

Figure 4-40 Mgmt VLAN

VLAN Tagging Management

Control Access to the AP

Management access to the AP can easily be secured by making management stations or hosts and the AP itself members of a common VLAN. Simply configure a non-zero management VLAN ID and enable VLAN to restrict management of the AP to members of the same VLAN.

CAUTION: If a non-zero management VLAN ID is configured then management access to the AP is restricted to wired or wireless hosts that are members of the same VLAN. Ensure your management platform or host is a member of the same VLAN before attempting to manage the AP.

  1. Click Configure > SSID/VLAN/Security > Mgmt VLAN.
  2. Set the VLAN Management ID to a value of between 1 and 4094. (A value of -1 disables VLAN Tagging).
  3. Place a check mark in the Enable VLAN Tagging box.

Provide Access to a Wireless Host in the Same Workgroup

The VLAN feature can allow wireless clients to manage the AP. If the VLAN Management ID matches a VLAN User ID, then those wireless clients who are members of that VLAN will have AP management access.

CAUTION: Once a VLAN Management ID is configured and is equivalent to one of the VLAN User IDs on the AP, all members of that User VLAN will have management access to the AP. Be careful to restrict VLAN membership to those with legitimate access to the AP.
  1. Click Configure > SSID/VLAN/Security > Mgmt VLAN.
  2. Set the VLAN Management ID to use the same VLAN ID as one of the configured SSIDs.
  3. Place a check mark in the Enable VLAN Tagging box.

Disable VLAN Tagging

  1. Click Configure > SSID/VLAN/Security > Mgmt VLAN.
  2. Remove the check mark from the Enable VLAN Tagging box (to disable all VLAN functionality) or set the VLAN Management ID to -1 (to disable VLAN Tagging only).
    3. NOTE: If you disable VLAN Tagging, you will be unable to configure security per SSID.

Security Profile

The AP supports the following security features:

WEP Encryption

The IEEE 802.11 standards specify an optional encryption feature, known as Wired Equivalent Privacy or WEP, that is designed to provide a wireless LAN with a security level equal to what is found on a wired Ethernet network. WEP encrypts the data portion of each packet exchanged on an 802.11 network using an Encryption Key (also known as a WEP Key).

When Encryption is enabled, two 802.11 devices must have the same Encryption Keys and both devices must be configured to use Encryption in order to communicate. If one device is configured to use Encryption but a second device is not, then the two devices will not communicate, even if both devices have the same Encryption Keys.

802.1x Authentication

IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an Access Point. 802.1x requires a RADIUS server and uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep pace with future EAP types.

Popular EAP types include:

Different servers support different EAP types and each EAP type provides different features. See the documentation that came with your RADIUS server to determine which EAP types it supports.

NOTE: The AP supports the following EAP types when Security Mode is set to 802.1x, WPA, or 802.11i (WPA2): EAP-TLS, PEAP, EAP-TTLS, EAP-MD5, and EAP-SIM.

Authentication Process

There are three main components in the authentication process. The standard refers to them as:

  1. Supplicant (client PC)
  2. Authenticator (Access Point)
  3. Authentication server (RADIUS server)

When the Security Mode is set to 802.1x Station, WPA Station, or 802.11i Station you need to configure your RADIUS server for authentication purposes.

Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP (the client begins encrypting data after it has been authenticated).

Figure 4-41 RADIUS Authentication Illustrated

The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).

Upon receiving a reply EAP packet from the RADIUS, the message is typically forwarded to the client, after translating it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports automatic key distribution). The client uses this key to encrypt data after it has been authenticated.

For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key; this is known as Per User Per Session Encryption Keys.

Wi-Fi Protected Access (WPA/802.11i [WPA2])

Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE). The AP supports 802.11i (WPA2), based on the IEEE 802.11i security standard.

WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.

WPA provides the following new security measures not available with WEP:

The AP supports the following WPA security modes:

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP. The hierarchy is as follows, from highest to lowest:

If you have both 802.1x and MAC Access Control authentication enabled, the 802.1x authentication takes precedence because it is higher in the authentication protocol hierarchy. This is required in order to propagate the WEP/TKIP/AES keys to the clients in such cases. If you disable 802.1x on the AP, you will see the effects of MAC authentication.

In addition, setting MAC Access Control status to Strict will cause both MAC ACL settings and 802.1x settings to be applied.

For example, assume that the MAC Access Control List contains MAC addresses to block, and that WPA-PSK is configured to allow access to clients with the appropriate PSK Passphrase.

VLANs and Security Profiles

The AP-4000/4000M/4900M allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share an SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each wireless interface.

After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless interface to segment wireless networks based on VLAN membership.

Each VLAN can associated to a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed wireless clients, and authentication and encryption types. See the following sections for configuration details.

Configuring Security Profiles

Security policies can be configured and applied on the AP as a whole, or on a per VLAN basis. When VLAN is disabled on the AP, the user can configure a security profile for each interface of the AP. When VLANs are enabled and Security per SSID is enabled, the user can configure a security profile for each VLAN.

The user defines a security policy by specifying one or more values for the following parameters:

Up to 16 security profiles can be configured per wireless interface.

NOTE: Mesh security is configured on the Mesh (AP-4000M and AP-4900M Only) tab.
  1. Click Configure > SSID/VLAN/Security > Security Profile.



    2. Figure 4-42 Security Profile Configuration
  2. Click Add in the Security Profile Table to create a new entry. To modify an existing profile, select the profile and click Edit. To delete an existing profile, select the profile and click Delete. You cannot delete a Security Profile used in an SSID. Also, the first Security Profile cannot be deleted.
  3. Configure one or more types of wireless stations (security modes) that are allowed access to the AP under the security profile. The WEP/PSK parameters are separately configurable for each security mode. To enable a security mode in the profile (Non Secure Station, WEP Station, 802.1x Station, WPA Station, WPA-PSK Station, 802.11i (WPA2) Station, 802.11i-PSK Station), check the box next to the mode. See Figure 4-43.

    4. If the security mode selected in a profile is WEP, WPA-PSK, or 802.11i-PSK, then you must configure the WEP or Pre-Shared Keys.

    NOTE: If an 802.1x client that has already been authenticated attempts to switch to WEP, or if a WEP client that has already been connected attempts to switch to 802.1x, the AP will not allow the client to switch immediately. If this happens, either reboot the AP or disable the client/roam to a new AP for five minutes, and then attempt to reconnect to the AP. If the client is still unable to connect after waiting five minutes, reboot the AP.
  4. Configure the parameters as follows for each enabled security mode. See Figure 4-43.
    • Non Secure Station:
      • Authentication Mode: None. The AP allows access to Stations without authentication.
        • Non secure station should be used only with WEP or 802.1x security mode.
      • Cipher: None
    • WEP Station:
      • Authentication Mode: None
      • Cipher: WEP
      • Encryption Key 0, Encryption Key 1, Encryption Key 2, Encryption Key 3
      • Encryption Key Length: 64, 128, or 152 Bits.
        • For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters (see ASCII Character Chart).
        • For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.
        • For 152-bit encryption, an encryption key is 32 hexadecimal characters or 16 ASCII characters.
      • Encryption Transmit Key: select Key 0, Key 1, Key 2, or Key 3
    • 802.1x Station:
      • Authentication Mode: 802.1x
      • Cipher: WEP
      • Encryption Key Length: 64 or 128 Bits.
        • If 802.1x is enabled simultaneously with WEP, the 802.1x Station's encryption key length is determined by the WEP encryption key.
    • WPA Station:
      • Authentication Mode: 802.1x
      • Cipher: TKIP
    • WPA-PSK Station:
      • Authentication Mode: PSK
      • Cipher: TKIP
      • PSK Passphrase: an 8-63 character user-defined phrase. It is recommended a passphrase of at least 13 characters, including both letters and numbers, and upper and lower case characters, be used to ensure that the generated key cannot be easily deciphered by network infiltrators.
    • 802.11i Station:
      • Authentication Mode: 802.1x
      • Cipher: CCMP based on AES
    • 802.11i-PSK Station:
      • Authentication Mode: PSK
      • Cipher: CCMP based on AES
      • PSK Passphrase: an 8-63 character user-defined phrase. It is recommended a passphrase of at least 13 characters, including both letters and numbers, and upper and lower case characters, to ensure that the generated key cannot be easily deciphered by network infiltrators.
  5. When finished configuring all parameters, click OK.
  6. If you selected a Security Mode of 802.1x Station, WPA Station, or 802.11i Station, you must configure a RADIUS 802.1x/EAP server. See the Configuring Radius Profiles section.

    7. Security Profile 1 will be used by default for all wireless interfaces.

  7. Reboot the AP.



    8. Figure 4-43 Security Profile Table - Add Entries

MAC Access

The MAC Access sub-tab allows you to build a list of stations, identified by their MAC addresses, authorized to access the network through the AP. The list is stored inside each AP within your network. Note that you must reboot the AP for any changes to the MAC Access Control Table to take effect. Up to 1000 entries can be made in the table.

The "MAC ACL Status" parameter (configurable on the SSID/VLAN/Security > Wireless A or B sub-tab) is per VLAN if VLAN Management is enabled. All other parameters besides "MAC ACL Status" are configured per AP, even if VLAN is enabled.

The following list details the configurable MAC Access parameters.

NOTE: MAC Access Control status is enabled or disabled on the SSID/VLAN/Security > Wireless A or B sub-tab.

Wireless-A or Wireless-B

Each SSID can have its own Security Profile that defines its security mode, authentication mechanism, and encryption, so that customers can have multiple types of clients (non-WEP, WEP, 802.1x, WPA, WPA-PSK, 802.11i, 802.11i-PSK) on the same system separated per VLAN. See the Security Profile section for more information. Each SSID can support a unique VLAN. In order for the AP to support multiple SSID/VLANs, VLAN Tagging must be enabled. These parameters are configurable on the Wireless-A and Wireless-B screens.

Configuring an SSID/VLAN with VLAN Tagging Disabled

With VLAN tagging disabled (from the SSID/VLAN/Security > Mgmt VLAN tab), only one SSID can be configured per interface. All parameters set on the Wireless-A or Wireless-B tab will be applied to that SSID.

  1. Click SSID/VLAN/Security > Wireless-A or Wireless-B.

    2. The SSID, VLAN, and Security Configuration page is displayed.



    Figure 4-45 SSID, VLAN, and Security Configuration (VLAN Tagging Disabled)
  2. Enable or disable RADIUS accounting on the VLAN/SSID by selecting Enable or Disable from the Accounting Status drop-down menu.
  3. Control the functionality of RADIUS MAC Authentication on the VLAN/SSID by selecting one of the following from the the RADIUS Authentication Status drop-down menu.
    • Enable: MAC addresses in the MAC Access Control List stored on the RADIUS server are blocked or allowed, based on the MAC ACL settings. If a higher priority authentication protocol is also enabled, the higher-priority settings will override the MAC ACL settings. See Authentication Protocol Hierarchy.
    • Disable: RADIUS MAC ACL settings are disabled.
    • Strict: RADIUS MAC ACL settings are enabled. If a higher-priority authentication protocol is also enabled, RADIUS MAC ACL settings will be applied in addition to the higher priority authentication protocol settings. See Authentication Protocol Hierarchy.
  4. Control the functionality of the MAC Access Control List on the VLAN/SSID by selecting one of the following from the MAC ACL Status drop-down menu:
    • Enable: MAC addresses in the MAC Access Control List are blocked or allowed, based on the MAC ACL settings. If a higher priority authentication protocol is also enabled, the higher-priority settings will override the MAC ACL settings. See Authentication Protocol Hierarchy.
    • Disable: MAC ACL settings are disabled.
    • Strict: MAC ACL settings are enabled. If a higher-priority authentication protocol is also enabled, MAC ACL settings will be applied in addition to the higher priority authentication protocol settings. See Authentication Protocol Hierarchy.
  5. Enter Rekeying Interval in seconds (between 300 and 65525). When set to 0, this parameter is disabled. The default is 900 seconds.
  6. Enter the Security Profile used by the VLAN in the Security Profile field. See the Security Profile section for more information.
  7. Define the RADIUS Server Profile Configuration for the VLAN/SSID:
    • RADIUS MAC Authentication Profile
    • RADIUS EAP Authentication Profile
    • RADIUS Accounting Profile

      • If 802.1x, WPA, or 802.11i security mode is used, the RADIUS EAP Authentication Profile must have a value.

      A RADIUS Server Profile for authentication for each VLAN shall be configured as part of the configuration options for that VLAN. RADIUS profiles are independent of VLANs. The user can define any profile to be the default and associate all VLANs to that profile. Four profiles are created by default, "MAC Authentication", "EAP Authentication", Accounting", and "Management"

  8. If desired, scroll down to the scroll down to the SSID and VLAN Table and click Edit to modify the Network Name, VLAN ID, or QoS profile of the SSID/VLAN.
    9. NOTE: Because VLAN tagging is disabled, attempting to add a new SSID/VLAN will produce an error message.

    The Edit Entries screen will be displayed. See Figure 4-46.



    Figure 4-46 SSID/VLAN Edit Entries Screen (VLAN Tagging Disabled)
  9. Enter a unique Network Name (SSID) between 1 and 32 characters. This parameter is mandatory.
    10. NOTE: Do not use quotation marks (single or double) in the Network Name; this will cause the AP to misinterpret the name.
  10. Enter a unique VLAN ID. This parameter is mandatory.
    • A VLAN ID is a number from -1 to 4094. A value of -1 means that an entry is "untagged."
    • You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID to be members of a VLAN workgroup.
    • The VLAN ID must match an ID used by your network; contact your network administrator if you need assistance defining the VLAN IDs.
  11. Specify a QoS profile. See the Policy section for more information.
  12. Select the status of Closed System to control whether the SSID is advertised in the beacon and manage the way probe requests are handled, as follows:
    • Enable: The SSID is not advertised in the beacon, and the AP will respond to probe requests with an SSID only if the client has specified the SSID in the probe request. If the client sends a probe request with a null or "ANY" SSID, the AP will respond not respond.
    • Partial: The SSID is advertised in the beacon, and the AP will not respond to "ANY" SSID requests. The Partial setting reduces network traffic by eliminating the repeated broadcast of SSIDs in probe responses.
    • Disable: The SSID is advertised in the beacon, and the AP will respond with each configured SSID, whether or not an SSID has been specified in the probe request.
  13. Enable or disable Broadcast SSID using the drop-down menu. Broadcast SSID allows the broadcast of a up to four unique beacons when the AP is configured for multiple SSIDs. If you have more than four SSIDs configured, then three SSIDs will be broadcast in individual beacons; the fourth and subsequent SSIDs will be combined and broadcast in one beacon.
    14. NOTE: Enabling Broadcast SSID will lower the total throughput of the AP by 2-4%.
    NOTE: Enabling Broadcast SSID simultaneously with Rogue Scan will cause a drift in the beacon interval and the occasional missing of beacons.
  14. Set the 802.1p Priority given to packets tagged with this VLAN ID. Enter a number between 0-7.
  15. If editing an entry, enable or disable the parameters on this page by electing Enable or Disable from the Status drop-down menu. If adding a new entry, this drop-down menu will not appear.
  16. Click OK to return to Wireless-A or Wireless-B Security Configuration Screen.
  17. Reboot the AP.

Configuring SSID/VLANs with VLAN Tagging Enabled

With VLAN Tagging enabled (from the SSID/VLAN/Security > Mgmt VLAN tab), multiple SSID/VLANs are supported. Parameters set on the Wireless-A or Wireless-B tab can be enabled per SSID by choosing the Enable Security per SSID option.

  1. Click SSID/VLAN/Security > Wireless-A or Wireless-B.
  2. Select the Enable Security Per SSID option. The screen will update to the following:



    3. Figure 4-47 SSID/VLAN Configuration (VLAN Tagging Enabled)
    NOTE: If you disable (uncheck) the Enable Security per SSID option, you will be able to add multiple SSID/VLANs, but the same configuration parameters (described below) will applied to all of them.
  3. Click Add to configure additional SSIDs, VLANs, and their associated security profiles and RADIUS server profiles, or click Edit to modify existing SSIDs.

    4. The Add Entries or Edit Entries screen appears. See Figure 4-48.



    Figure 4-48 SSID/VLAN Edit Entries Screen (VLAN Tagging Enabled)
  4. Enter a unique Network Name (SSID) between 1 and 32 characters. This parameter is mandatory.
    5. NOTE: Do not use quotation marks (single or double) in the Network Name; this will cause the AP to misinterpret the name.
  5. Enter a unique VLAN ID. This parameter is mandatory.
    • A VLAN ID is a number from -1 to 4094. A value of -1 means that an entry is "untagged."
    • You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID to be members of a VLAN workgroup. Only one "untagged" VLAN ID is allowed per interface.
    • The VLAN ID must match an ID used by your network; contact your network administrator if you need assistance defining the VLAN IDs.
  6. Select the status of Closed System to control whether the SSID is advertised in the beacon and manage the way probe requests are handled, as follows:
    • Enable: The SSID is not advertised in the beacon, and the AP will respond to probe requests with an SSID only if the client has specified the SSID in the probe request. If the client sends a probe request with a null or "ANY" SSID, the AP will respond not respond.
    • Partial: The SSID is advertised in the beacon, and the AP will not respond to "ANY" SSID requests. The Partial setting reduces network traffic by eliminating the repeated broadcast of SSIDs in probe responses.
    • Disable: The SSID is advertised in the beacon, and the AP will respond with each configured SSID, whether or not an SSID has been specified in the probe request.
  7. Enable Broadcast SSID by checking the selection box. Broadcast SSID allows the broadcast of a up to four unique beacons when the AP is configured for multiple SSIDs. If you have more than four SSIDs configured, then three SSIDs will be broadcast in individual beacons; the fourth and subsequent SSIDs will be combined and broadcast in one beacon.
    8. NOTE: Enabling Broadcast SSID will lower the throughput of the AP by 2-4%.
    NOTE: Enabling Broadcast SSID simultaneously with Rogue Scan will cause a drift in the beacon interval and the occasional missing of beacons.
  8. Enable or disable the SSID Authorization status from the drop-down menu. SSID Authorization is the RADIUS-based authorization of the SSID for a particular client. The authorized SSIDs are sent as the tunnel attributes.
  9. Enable or disable RADIUS accounting on the VLAN/SSID under the Accounting Status drop-down menu.
  10. Enable or disable RADIUS MAC authentication status on the VLAN/SSID under the RADIUS Authentication Status drop-down menu.
  11. Enable or disable MAC Access Control List status on the VLAN/SSID under the MAC ACL Status drop-down menu.
  12. Enter the Rekeying Interval in seconds (between 300 and 65525). When set to 0, this parameter is disabled. The default is 900 seconds.
  13. Enter the Security Profile used by the VLAN in the Security Profile field.
    14. NOTE: If you have two or more SSIDs per interface using a Security Profile with a security mode of Non Secure, be aware that security being applied in the VLAN is not being applied in the wireless network.
  14. Define the RADIUS Server Profile Configuration for the VLAN/SSID:
    • RADIUS MAC Authentication Profile
    • RADIUS EAP Authentication Profile
    • RADIUS Accounting Profile

      • If 802.1x, WPA, or 802.11i security mode is used, the RADIUS EAP Authentication Profile must have a value.

      A RADIUS Server Profile for authentication for each VLAN shall be configured as part of the configuration options for that VLAN. RADIUS profiles are independent of VLANs. The user can define any profile to be the default and associate all VLANs to that profile. Four profiles are created by default, "MAC Authentication", "EAP Authentication", Accounting", and "Management".

  15. Specify a QoS Profile. See the Policy section for more information.
  16. Set the 802.1p Priority given to packets tagged with this VLAN ID. Enter a number between 0-7.
  17. If editing an entry, enable or disable the parameters on this page using Status drop-down menu. If adding a new entry, this drop-down menu will not appear.
  18. Reboot the AP.


www.proxim.com