If any of these items are missing or damaged, please contact your reseller or Technical Support (see Technical Support for contact information).

MiniPCI Upgrade Kits

Single-radio APs can be fitted with different radio types. MiniPCI upgrade kits are available for 802.11a/b/g and 802.11b/g wireless cards. Each kit is composed of a single miniPCI board with an integral antenna attached. The type of radio is indicated on the label on the antenna and instructions on how to open your AP to replace the radio are provided with the kit.

System Requirements

To begin using an AP, you must have the following minimum requirements:

Hardware Installation

Follow these steps to install a Single-radio AP:

1. Unpack the Access Point and accessories from the shipping box.

2. If you intend to install the unit free-standing or if you intend to mount it to the ceiling, use a Phillips screwdriver to attach the metal base to the underside of the unit. The metal base and screws are provided. See Mounting Options for additional information.

   

3. Press down on the cable-cover lock located in the front-center of the unit to release the cable cover.
   
   

4. Remove the cable cover from the unit.
   
   

5. Remove the front cover (the side with the LED indicators) from the unit.
   
   

6. Remove the back cover from the unit.
   
   

7. Connect one end of an Ethernet cable to the Access Point's Ethernet port. The other end of the cable should not be connected to another device until after the installation is complete.
   • Use a straight-through Ethernet cable if you intend to connect the Access Point to a hub, switch, patch panel, or Active Ethernet power injector.

   • Use a cross-over Ethernet cable if you intend to connect the Access Point to a single computer.

8. If you are not using Active Ethernet (or you want to connect the Access Point to Active Ethernet and AC power simultaneously), attach the AC power cable to the Access Point's power port.
   
   

9. Once attached, the power cable locks into place. To disconnect the power cable, slide back the black plastic fitting and gently pull the cable from the connector.

10. Connect the free end of the Ethernet cable to a hub, switch, patch panel, Active Ethernet power injector, or an Ethernet port on a computer.

11. If using AC power, connect the power cord to a power source (such as a wall outlet) to turn on the unit.

12. Configure and test the unit. See Initialization for details.

13. Download the latest software to the unit, if necessary. See Download the Latest Software for details.

14. Place the unit in the final installation location. See Mounting Options for mounting options and instructions.

15. Proxim recommends that you perform a Site Survey prior to determine the installation location for your AP units. For information about how to conduct a Site Survey, contact your local reseller.

16. Replace the back cover, front cover, and cable cover. Be careful to avoid trapping the power and Ethernet cables when replacing the cable cover.
    
    

17. If desired, you can attach a Kensington lock to secure the cable cover into place. This will protect the unit from unauthorized tampering. See Kensington Security Slot for details.

Initialization

Proxim provides two tools to simplify the initialization and configuration of an AP:

ScanTool is included on the Installation CD; the Setup Wizard launches automatically the first time you access the HTTP interface.

These initialization instructions describe how to configure an AP over an Ethernet connection using ScanTool and the HTTP interface. If you want to configure the unit over the serial port, see Setting IP Address using Serial Port for information on how to access the CLI over a serial connection and Using the Command Line Interface (CLI) for a list of supported commands.

ScanTool

ScanTool is a software utility that is included on the installation CD-ROM. ScanTool lets you find the IP address of an Access Point by referencing the MAC address in a Scan List, or to assign an IP address if one has not been assigned.

The tool automatically detects the Access Points installed on your network, regardless of IP address, and lets you configure each unit's IP settings. In addition, you can use ScanTool to download new software to an AP that does not have a valid software image installed (see Client Connection Problems).

To access the HTTP interface and configure the AP, the AP must be assigned an IP address that is valid on its Ethernet network. By default, the AP is configured to obtain an IP address automatically from a network Dynamic Host Configuration Protocol (DHCP) server during boot-up. If your network contains a DHCP server, you can run ScanTool to find out what IP address the AP has been assigned. If your network does not contain a DHCP server, the Access Point's IP address defaults to 169.254.128.132. In this case, you can use ScanTool to assign the AP a static IP address that is valid on your network.

ScanTool Instructions

Follow these steps to install ScanTool, initialize the Access Point, and perform initial configuration:

1. Locate the unit's Ethernet MAC address and write it down for future reference. The MAC address is printed on the product label. Each unit has a unique MAC address, which is assigned at the factory.

2. Confirm that the AP is connected to the same LAN subnet as the computer that you will use to configure the AP.

3. Power up, reboot, or reset the AP.

   - Result: The unit requests an IP Address from the network DHCP server.

4. Insert the Installation CD into the CD-ROM drive of the computer that you will use to configure the AP.

   - Result: The installation program will launch automatically.

5. Follow the on-screen instructions to install the Access Point software and documentation.

   The ORiNOCO Installation program supports the following operating systems:

   • Windows 98SE
   • Windows 2000
   • Windows NT
   • Windows ME
   • Windows XP

6. After the software has been installed, double-click the ScanTool icon on the Windows desktop to launch the program (if the program is not already running).

   - Result: ScanTool scans the subnet and displays all detected Access Points. The ScanTool's Scan List screen appears, as shown in the following example.

   If your computer has more than one network adapter installed, you will be prompted to select the adapter that you want ScanTool to use before the Scan List appears. If prompted, select an adapter and click OK. You can change your adapter setting at any time by clicking the Select Adapter button on the Scan List screen. Note that the ScanTool Network Adapter Selection screen will not appear if your computer only has one network adapter installed.

   

7. Locate the MAC address of the AP you want to initialize within the Scan List.

8. If your Access Point does not show up in the Scan List, click the Rescan button to update the display. If the unit still does not appear in the list, see Troubleshooting the AP-600 for suggestions. Note that after rebooting an Access Point, it may take up to five minutes for the unit to appear in the Scan List.

9. Do one of the following:
   • If the AP has been assigned an IP address by a DHCP server on the network, write down the IP address and click Cancel to close ScanTool. Proceed to Setup Wizard for information on how to access the HTTP interface using this IP address.

   • If the AP has not been assigned an IP address (in other words, the unit is using its default IP address, 169.254.128.132), follow these steps to assign it a static IP address that is valid on your network:
     1. Highlight the entry for the AP you want to configure.

     2. Click the Change button.

        - Result: the Change screen appears.

        

     3. Set IP Address Type to Static.

     4. Enter a static IP Address for the AP in the field provided. You must assign the unit a unique address that is valid on your IP subnet. Contact your network administrator if you need assistance selecting an IP address for the unit.

     5. Enter your network's Subnet Mask in the field provided.

     6. Enter your network's Gateway IP Address in the field provided.

     7. Enter the SNMP Read/Write password in the Read/Write Password field (for new units, the default SNMP Read/Write password is public).

        The TFTP Server IP Address and Image File Name fields are only available if ScanTool detects that the AP does not have a valid software image installed. See Client Connection Problems.

     8. Click OK to save your changes.

        - Result: The Access Point will reboot automatically and any changes you made will take effect.

     9. When prompted, click OK a second time to return to the Scan List screen.

     10. Click Cancel to close the ScanTool.

     11. Proceed to Setup Wizard for information on how to access the HTTP interface.

Setup Wizard

The first time you connect to an AP's HTTP interface, the Setup Wizard launches automatically. The Setup Wizard provides step-by-step instructions for how to configure the Access Point's basic operating parameter, such as Network Name, IP parameters, system parameters, and management passwords.

Setup Wizard Instructions

Follow these steps to access the Access Point's HTTP interface and launch the Setup Wizard:

1. Open a Web browser on a network computer.

   - The HTTP interface supports the following Web browser:  Microsoft Internet Explorer 6 with Service Pack 1 or later, and Netscape 6.1 or later

2. If necessary, disable the browser's Internet proxy settings. For Internet Explorer users, follow these steps:

   - Select Tools > Internet Options.

   - Click the Connections tab.

   - Click LAN Settings.

   - If necessary, remove the checkmark from the Use a proxy server box.

   - Click OK twice to save your changes and return to Internet Explorer.

3. Enter the Access Point's IP address in the browser's Address field and press Enter.

   - This is either the dynamic IP address assigned by a network DHCP server or the static IP address you manually configured. See ScanTool for information on how to determine the unit's IP address and manually configure a new IP address, if necessary.

   - Result: The Enter Network Password screen appears.

4. Enter the HTTP password in the Password field. Leave the User Name field blank. For new units, the default HTTP password is public.

   - Result: The Setup Wizard will launch automatically.

   

   

5. Click Setup Wizard to begin. If you want to configure the AP without using the Setup Wizard, click Exit and see Performing Advanced Configuration.

   The Setup Wizard supports the following navigation options:

   Save & Next Button: Each Setup Wizard screen has a Save & Next button. Click this button to submit any changes you made to the unit's parameters and continue to the next page. The instructions below describe how to navigate the Setup Wizard using the Save & Next buttons.

   Navigation Panel: The Setup Wizard provides a navigation panel on the left-hand side of the screen. Click the link that corresponds to the parameters you want to configure to be taken to that particular configuration screen. Note that clicking a link in the navigation panel will not submit any changes you made to the unit's configuration on the current page.

   Exit: The navigation panel also includes an Exit option. Click this link to close the Setup Wizard at any time.

   If you exit from the Setup Wizard, any changes you submitted (by clicking the Save & Next button) up to that point will be saved to the unit but will not take effect until it is rebooted.

6. Configure the System Configuration settings and click Save & Next. See System for more information.

7. Configure the Access Point's Basic IP address settings, if necessary, and click Save & Next. See Basic IP Parameters for more information.

8. Assign the AP new passwords to prevent unauthorized access and click Save & Next. Each management interface has its own password:

   - SNMP Read Password
   - SNMP Read-Write Password
   - SNMPv3 Authentication Password
   - SNMPv3 Privacy Password
   - CLI Password
   - HTTP (Web) Password

   By default, each of these passwords is set to public. See Passwords for more information.

9. Configure the basic wireless interface settings and click Save & Next.

   The following options are available for an 802.11a AP:

   - Primary Network Name (SSID): Enter a Network Name (between 1 and 32 characters long) for the wireless network. You must configure each wireless client to use this name as well.

   - Additional Network Names (SSIDs): The AP supports up to 16 SSIDs and VLANs per wireless interface (radio). Refer to the Advanced Configuration chapter for information on the detailed rules on configuring multiple SSIDs, VLANs, and security modes.

   - Auto Channel Select: By default, the AP scans the area for other Access Points and selects the best available communication channel, either a free channel (if available) or the channel with the least amount of interference. Remove the checkmark to disable this option. Note that you cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

   - Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point's current operating channel. When Auto Channel Select is disabled, you can specify the Access Point's channel. If you decide to manually set the unit's channel, ensure that nearby devices do not use the same frequency. Available Channels vary based on regulatory domain. See 802.11a Channel Frequencies. Note that you cannot manually set the channel for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

   - Transmit Rate: Use the drop-down menu to select a specific transmit rate for the AP. Choose between 6, 9, 12, 18, 24, 36, 48, 54 Mbps, and Auto Fallback. The Auto Fallback feature allows the AP to select the best transmit rate based on the cell size.

   The following options are available for an 802.11b AP:

   - Primary Network Name (SSID): Enter a Network Name (between 1 and 32 characters long) for the wireless network. You must configure each wireless client to use this name as well.

   - Additional Network Names (SSIDs): The AP supports up to 16 SSIDs and VLANs per wireless interface (radio). Refer to the Advanced Configuration chapter for information on the detailed rules on configuring multiple SSIDs, VLANs, and security modes.

   - Auto Channel Select: By default, the AP scans the area for other Access Points and selects the best available communication channel, either a free channel (if available) or the channel with the least amount of interference. Remove the checkmark to disable this option. If you are setting up a Wireless Distribution System (WDS), it must be disabled. See Wireless Distribution System (WDS) for more information.

   - Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point's current operating channel. When Auto Channel Select is disabled, you can specify the Access Point's operating channel. If you decide to manually set the unit's channel, ensure that nearby devices do not use the same frequency (unless you are setting up a WDS). Available Channels vary based on regulatory domain. See 802.11b Channel Frequencies.

   - Distance Between APs: Set to Large, Medium, Small, Microcell, or Minicell depending on the site survey for your system. The distance value is related to the Multicast Rate (described next). In general, a larger distance between APs means that your clients operate a slower data rates (on average). This feature is available only if you are using an Orinoco Classic Gold card. See Distance Between APs for more information.

   - Multicast Rate: Sets the rate at which Multicast messages are sent. This value is related to the Distance Between APs parameter (described previously). The table below displays the possible Multicast Rates based on the Distance between APs. This feature is available only if you are using an Orinoco Classic Gold card. See Multicast Rate for more information.

   Distance between APs	Multicast Rate
   Large	1 and 2 Mbps
   Medium	1, 2, and 5.5 Mbps
   Small	1, 2, 5.5 and 11 Mbps
   Minicell	1, 2, 5.5 and 11 Mbps
   Microcell	1, 2, 5.5 and 11 Mbps

   The following options are available for an 802.11b/g AP:

   - Operational Mode: An 802.11b/g wireless interface can be configured to operate in the following modes:

   - 802.11b mode only
   - 802.11g mode only
   - 802.11g-wifi mode
   - 802.11b/g mode (default)

   - Primary Network Name (SSID): Enter a Network Name (between 1 and 32 characters long) for the wireless network. You must configure each wireless client to use this name as well.

   - Additional Network Names (SSIDs): The AP supports up to 16 SSIDs and VLANs per wireless interface (radio). Refer to the Advanced Configuration chapter for information on the detailed rules on configuring multiple SSIDs, VLANs, and security modes.

   - Auto Channel Select: By default, the AP scans the area for other Access Points and selects the best available communication channel, either a free channel (if available) or the channel with the least amount of interference. Remove the checkmark to disable this option.

   - Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point's current operating channel. When Auto Channel Select is disabled, you can specify the Access Point's channel. If you decide to manually set the unit's channel, ensure that nearby devices do not use the same frequency. Available Channels vary based on regulatory domain. See 802.11g Channel Frequencies.

   - Transmit Rate: Select a specific transmit rate for the AP. The values available depend on the Operational Mode. Auto Fallback is the default setting; it allows the AP to select the best transmit rate based on the cell size.

   - For 802.11b only -- Auto Fallback, 1, 2, 5.5, 11 Mbps

   - For 802.11g only -- Auto Fallback, 6, 9, 12, 18, 24, 36, 48, 54 Mbps

   - For 802.11b/g and 802.11g-wifi-- Auto Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps

   Additional advanced settings are available in the Wireless Interface Configuration screen. See Wireless A (802.11a), Wireless (802.11b), or Wireless (802.11b/g) for details. See SSID/VLAN/Security for more information on security features.

10. Review the configuration summary. If you want to make any additional changes, use the navigation panel on the left-hand side of the screen to return to an earlier screen. After making a change, click Save & Next to save the change and proceed to the next screen.

11. When finished, click Reboot on the Summary screen to restart the AP and apply your changes.

Download the Latest Software

Proxim periodically releases updated software for the AP on its Web site at http://www.proxim.com. Proxim recommends that you check the Web site for the latest updates after you have installed and initialized the unit.

Three types of files can be downloaded to the AP from a TFTP server:

- image (AP software image or kernel)

- config (configuration file)

- UpgradeBSPBL (BSP/Bootloader firmware file)

Setup your TFTP Server

A Trivial File Transfer Protocol (TFTP) server lets you transfer files across a network. You can upload files from the AP for backup or copying, and you can download the files for configuration and AP Image upgrades. The Solarwinds TFTP server software is located on the ORiNOCO AP Installation CD-ROM. You can also download the latest TFTP software from Solarwind's Web site at http://www.solarwinds.net.

If a TFTP server is not available in the network, you can perform similar file transfer operations using the HTTP interface.

After the TFTP server is installed:

Download Updates from your TFTP Server using the Web Interface

1. Download the latest software from http://www.proxim.com.

2. Copy the latest software updates to your TFTP server.

3. In the Web Interface, click the Commands button and select the Update AP tab.

4. Enter the IP address of your TFTP server in the field provided.

5. Enter the File Name (including the file extension). Enter the full directory path and file name. If the file is located in the default TFTP directory, you need enter only the file name.

6. Select the File Type from the drop-down menu (use Img for software updates).

7. Select Update AP & Reboot from the File Operation drop-down menu.

8. Click Update.

9. The Access Point will reboot automatically when the download is complete.

Download Updates from your TFTP Server using the CLI Interface

1. Download the latest software from http://www.proxim.com.

2. Copy the latest software updates to your TFTP server.

3. Open the CLI interface via Telnet or a serial connection.

4. Enter the CLI password when prompted.

5. Enter the command: download <tftpaddr> <filename> img

   - Result: The download will begin. Be patient while the image is downloaded to the Access Point.

6. When the download is complete, type reboot 0 and press Enter.

   See Using the Command Line Interface (CLI) for more information.

Additional Hardware Features

Mounting Options

There are three mounting options for the AP, described below.

Desktop Mount

This is the standard installation for the AP. See Hardware Installation for instructions.

Wall Mount

Follow these steps to mount the AP on a wall:

1. Identify the location where you intend to mount the unit.

   For best results, mount the unit vertically. In other words, the antenna should be pointing up or down but not sideways.

2. Unplug the Access Point's power supply, if necessary.

3. Use a Phillips screwdriver to remove the metal base from the underside of the AP, if necessary.

4. Press down on the cable cover lock to release the cable cover.

5. Remove the cable cover from the unit.

6. Remove the front cover from the unit.

7. Remove the back cover from the unit.

8. Place the back cover on the mounting location and mark the center of the three mounting holes.

9. Remove the cover from the wall and drill a hole at each of the locations you marked above. Each hole should be wide enough to hold a mounting plug (which is 6 mm x 35 mm).

10. Insert a plug into each hole. The AP comes with four 6 mm x 35 mm plugs; you only need to use three of these when wall mounting the unit.

11. Insert a screw into each of the mounting holes molded into the back cover. The AP comes with four 3.5 mm x 40 mm pan-head screws; you only need to use three of these when wall mounting the unit.

12. Insert the screws into the wall plugs. Use a screwdriver to tighten the screws and attach the back cover to the wall. In the following example, the back cover is mounted upside down (the two holes are at the bottom).

    

13. Attach Ethernet and power cables to the AP unit, if necessary.

14. Snap the unit into the back cover. In the following example, the unit is mounted upside down and its antenna is facing down.

    

15. Replace the front cover.

16. Replace the cable cover.

17. Turn on the AP.

Ceiling Mount

Follow these steps to mount the AP to a ceiling:

1. Unplug the Access Point's power supply, if necessary.

2. Use a Phillips screwdriver to attach the metal base to the underside of the AP, if necessary. See Attach the Metal Base for an illustration.

3. Feed a mounting screw through each of the four rubber feet. The AP comes with four 3.5 mm x 40 mm pan-head screws.

4. Remove the screws from the rubber feet.

5. Turn the AP upside down position the base against the ceiling where you want to mount the unit.

6. Mark the center of the four mounting holes in the rubber feet.

7. Set the AP aside and drill a hole at each of the locations you marked above. Each hole should be wide enough to hold a mounting plug (which is 6 mm x 35 mm).

8. Insert a plug into each hole. The AP comes with four 6 mm x 35 mm plugs.

9. Insert the screws into the holes you made previously in the rubber feet.

10. Insert the screws into the wall plugs. Use a screwdriver to tighten the screws and attach the Access Point's metal base to the ceiling.

    

Installing the AP in a Plenum

In an office building, plenum is the space between the structural ceiling and the tile ceiling that is provided to help air circulate. Many companies also use the plenum to house communication equipment and cables. However, these products and cables must comply with certain safety requirements, such as Underwriter Labs (UL) Standard 2043: "Standard for Fire Test for Heat and Visible Smoke Release for Discrete Products and Their Accessories Installed in Air-Handling Spaces".

The AP has been certified under UL Standard 2043 and can be installed in the plenum only when the following conditions apply:

• The unit uses Active Ethernet (AE) to receive power over a plenum-rated Category 5 Ethernet cable (the power cable must not be connected to the unit).

• The unit's plastic covers have been removed (this includes the cable cover, the front cover, and the back cover).

Kensington Security Slot

The AP enclosure includes a Kensington Security Slot for use with a Kensington locking mechanism. When properly installed, a Kensington lock can prevent unauthorized personnel from stealing the AP. In addition, the Kensington locks secures the cable cover in place, which prevents tampering with the Ethernet and power cables.

The Kensington Security Slot is shown in the illustrations below (the figure on the left shows the slot with the cable cover attached; the figure on the right shows the slot with the cable cover removed). See http://www.kensington.com for information on Kensington security solutions.

Active Ethernet

An Active Ethernet-enabled AP is equipped with an 802.3af-compliant Active Ethernet module. Active Ethernet (AE) delivers both data and power to the access point over a single Ethernet cable. If you choose to use Active Ethernet, there is no difference in operation; the only difference is in the power source.

Also see Hardware Specifications.

The AP's 802.3af-compliant Active Ethernet module is backwards compatible with all ORiNOCO Active Ethernet hubs that do not support the IEEE 802.3af standard.

LED Indicators

The AP has four LED indicators. The LEDs are identified in LED Indicators Illustrated and exhibit the following behavior:

Related Topics

The Setup Wizard helps you configure the basic AP settings required to get the unit up and running. The AP supports many other configuration and management options. The remainder of this user guide describes these options in detail.

- See Monitoring the AP-600 for information on the statistics displayed within the Access Point's HTTP interface.

- See Performing Commands for information on the commands supported by the Access Point's HTTP interface.

- See Troubleshooting the AP-600 for troubleshooting suggestions.

- See Using the Command Line Interface (CLI) for information on the CLI interface and for a list of CLI commands.

Status Information

• Logging into the HTTP Interface

• System Status

Logging into the HTTP Interface

Once the AP has a valid IP Address and an Ethernet connection, you can use your web browser to monitor the system status.

Follow these steps to monitor an AP's operating statistics using the HTTP interface:

1. Open a Web browser on a network computer.

2. The HTTP interface supports the following Web browsers: Microsoft Internet Explorer 6 with Service Pack 1 or later, and Netscape 6.1 or later.

3. If necessary, disable the Internet proxy settings. For Internet Explorer users, follow these steps:

   - Select Tools > Internet Options....

   - Click the Connections tab.

   - Click LAN Settings....

   - If necessary, remove the checkmark from the Use a proxy server box.

   - Click OK twice to save your changes and return to Internet Explorer.

4. Enter the Access Point's IP address in the browser's Address field and press Enter.

   - Result: The Enter Network Password screen appears.

5. Enter the HTTP password in the Password field and click OK. Leave the User Name field blank. (By default, the HTTP password is public).

   - Result: The System Status screen appears.

   

System Status

System Status is the first screen to appear each time you connect to the HTTP interface. You can also return to this screen by clicking the Status button.

Each section of the System Status screen provides the following information:

- System Status: This area provides system level information, including the unit's IP address and contact information. See System for information on these settings.

- System Alarms: System traps (if any) appear in this area. Each trap identifies a specific severity level: Critical, Major, Minor, and Informational. See Alarms for a list of possible alarms.

Advanced Configuration

Configuring the AP Using the HTTP/HTTPS Interface: Configure an AP's operating settings using the Web Interface.

System: Configure specific system information such as system name and contact information.

Network: Configure IP settings, DNS client, DHCP server, and Link Integrity.

Interfaces: Configure the Access Point's interfaces: Wireless and Ethernet. Also describes configuring a Wireless Distribution System (WDS).

Management: Configure the Access Point's management Passwords, IP Access Table, and Services such as configuring secure or restricted access to the AP via SNMPv3, HTTPS, or CLI. Configure Secure Management, SSL, Secure Shell (SSH), and RADIUS Based Access Management. Set up Automatic Configuration for Static IP.

Filtering: Configure Ethernet Protocol filters, Static MAC Address filters, Advanced filters, and Port filters.

Alarms: Configure the Alarm (SNMP Trap) Groups, the Alarm Host Table, and the Syslog features.

Bridge: Configure the Spanning Tree Protocol, Storm Threshold protection, Intra BSS traffic, and Packet Forwarding.

RADIUS Profiles: Configure RADIUS features such as RADIUS Access Control and Accounting.

SSID/VLAN/Security: Configure security features such as MAC Access Control, WPA, WEP Encryption, and 802.1x. Configure up to 16 VLAN and SSID pairs per wireless interface, and assign Security and RADIUS Profiles for each pair.

Configuring the AP Using the HTTP/HTTPS Interface

Follow these steps to configure an Access Point's operating settings using the HTTP/HTTPS interface:

1. Open a Web browser on a network computer.

   The HTTP interface supports the following Web browsers: Microsoft Internet Explorer 6 with Service Pack 1 or later, and Netscape 6.1 or later.

2. If necessary, disable the Internet proxy settings. For Internet Explorer users, follow these steps:

   - Select Tools > Internet Options....

   - Click the Connections tab.

   - Click LAN Settings....

   - If necessary, remove the checkmark from the Use a proxy server box.

   - Click OK twice to save your changes and return to Internet Explorer.

3. Enter the Access Point's IP address in the browser's Address field and press Enter.

   - Result: The Enter Network Password screen appears.

4. Enter the HTTP password in the Password field and click OK. Leave the User Name field blank. (By default, the HTTP password is public).

   - Result: The System Status screen appears.

   

5. Click the Configure button located on the left-hand side of the screen.

   

6. Click the tab that corresponds to the parameter you want to configure. For example, click Network to configure the Access Point's TCP/IP settings. The parameters contained in each of the configuration categories are described later in this chapter.

7. Configure the Access Point's parameters as necessary. After changing a configuration value, click OK to save the change.

8. Reboot the Access Point for all of the changes to take effect.

System

You can configure and view the following parameters within the System Configuration screen:

Dynamic DNS Support

DNS is a distributed database mapping the user readable names and IP addresses (and more) of every registered system on the Internet. Dynamic DNS is a lightweight mechanism which allows for modification of the DNS data of host systems whose IP addresses change dynamically. Dynamic DNS is usually used in conjunction with DHCP for assigning meaningful names to host systems whose IP addresses change dynamically.

Access Points provide DDNS support by adding the host name (option 12) in DHCP Client messages, which is used by the DHCP server to dynamically update the DNS server.

Access Point System Naming Convention

The Access Point's system name is used as its host name. In order to prevent Access Points with default configurations from registering similar host names in DNS, the default system name of the Access Point is uniquely generated. Access Points generate unique system names by appending the last 3 bytes of the Access Point's MAC address to the default system name.

The system name must be compliant with the encoding rules for host name as per DNS RFC 1123. The DNS host name encoding rules are:

Image upgrades could cause the system to boot with an older system name format that is not DNS compliant. To prevent problems with dynamic DNS after an image upgrade, the system name will automatically be converted to a DNS compliant system name.

The rules of conversion of older system names are:

Network

The Network tab contains three sub-tabs.

IP Configuration

You can configure and view the following parameters within the IP Configuration screen:

You must reboot the Access Point in order for any changes to the Basic IP or DNS Client parameters take effect.

Basic IP Parameters

DNS Client

If you prefer to use host names to identify network servers rather than IP addresses, you can configure the AP to act as a Domain Name Service (DNS) client. When this feature is enabled, the Access Point contacts the network's DNS server to translate a host name to the appropriate network IP address. You can use this DNS Client function to identify RADIUS servers by host name. See RADIUS Profiles for details.

Advanced

DHCP Server

If your network does not have a DHCP Server, you can configure the AP as a DHCP server to assign dynamic IP addresses to Ethernet nodes and wireless clients.

Make sure there are no other DHCP servers on the network and do not enable the DHCP server without checking with your network administrator first, as it could bring down the whole network. Also, the AP must be configured with a static IP address before enabling this feature.

When the DHCP Server function is enabled, you can create one or more IP address pools from which to assign addresses to network devices.

You can configure and view the following parameters within the DHCP Server Configuration screen:

You cannot enable the DHCP Server function unless there is at least one IP Pool Table Entry configured.

You must reboot the Access Point before changes to any of these DHCP server parameters take effect.

Link Integrity

The Link Integrity feature checks the link between the AP and the nodes on the Ethernet backbone. These nodes are listed by IP address in the Link Integrity IP Address Table. The AP periodically pings the nodes listed within the table. If the AP loses network connectivity (that is, the ping attempts fail), the AP disables its wireless interface until the connection is restored. This forces the unit's wireless clients to switch to another Access Point that still has a network connection. Note that this feature does not affect WDS links (if applicable).

You can configure and view the following parameters within the Link Integrity Configuration screen:

Interfaces

The Interfaces tab contains the following sub-tabs:

From these sub-tabs, you configure the Access Point's operational mode, wireless interface settings and Ethernet settings. You may also configure a Wireless Distribution System (WDS) for AP-to-AP communications.

For the wireless interface configuration, refer to the wireless parameters below that correspond to your radio type.

Operational Mode

Operational Mode Selection

You can configure and view the following parameters within the Operational Mode screen.

IEEE 802.11d Support for Additional Regulatory Domains

The IEEE 802.11d specification allows conforming equipment to operate in more than one regulatory domain over time. IEEE 802.11d support allows the AP to broadcast its radio's regulatory domain information in its beacon and probe responses to clients. This allows clients to passively learn what country they are in and only transmit in the allowable spectrum. When a client enters a regulatory domain, it passively scans to learn at least one valid channel, i.e., a channel upon which it detects IEEE Standard 802.11 frames.

The beacon frame contains information on the country code, the maximum allowable transmit power, and the channels to be used for the regulatory domain.

The same information is transmitted in probe response frames in response to a client's probe requests. Once the client has acquired the information required to meet the transmit requirements of the regulatory domain, it configures itself for operation in the regulatory domain.

The Wireless NIC determines the regulatory domain the AP is operating in. Depending on the regulatory domain, a default country code is chosen that is transmitted in the beacon and probe response frames.

Configuring 802.11d Support

Perform the following procedure to enable 802.11d support, and select the country code:

1. Click Configure > Interfaces > Operational Mode.

2. Select Enable 802.11d.

3. Select the Country Code from the ISO/IEC 3166-1 CountryCode drop-down menu.

4. Click OK.

5. Configure Transmit Power Control and transmit power level if required.

TX Power Control

Transmit Power Control uses standard 802.11d frames to control transmit power within an infrastructure BSS. This method of power control is considered to be an interim way of controlling the transmit power of 802.11d enabled clients in lieu of implementation of 802.11h.

The Transmit Power Control feature lets the user configure the transmit power level of the wireless interface at one of four levels:

When Transmit Power Control is enabled, the transmit power level of the card in the AP is set to the configured transmit power level. The power level is advertised in Beacon and Probe Response frames as the 802.11d maximum transmit power level.

When an 802.11d-enabled client learns the regulatory domain related information from Beacon and Probe Response frames, it learns the power level advertised in Beacon and Probe response frames as the maximum transmit power of the regulatory domain and configures itself to operate with that power level.

As a result, the transmit power level of the BSS is configured to the power level set in the AP (assuming that the BSS has only 802.11d enabled clients and an 802.11d enabled AP).

Configuring TX Power Control

1. Click Configure > Interfaces > Operational Mode.

2. Select Enable Transmit Power Control.

3. Select the transmit power level for interface A from the Wireless-A: Transmit Power Level drop-down menu.

4. Click OK.

   

Wireless

Wireless A (802.11a)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a AP:

You must reboot the Access Point before any changes to these parameters take effect.

You cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

Dynamic Frequency Selection (DFS)

802.11a APs sold in Europe use a technique called Dynamic Frequency Selection (DFS) to automatically select an operating channel. During boot-up, the AP scans the available frequency and selects a channel that is free of interference. If the AP subsequently detects interference on its channel, it automatically reboots and selects another channel that is free of interference.

DFS only applies to 802.11a APs used in Europe (i.e., units whose regulatory domain is set to ETSI). The European Telecommunications Standard Institute (ETSI) requires that 802.11a devices use DFS to prevent interference with radar systems and other devices that already occupy the 5 GHz band.

If you are using an 802.11a AP in Europe, keep in mind the following:

• DFS is not a configurable parameter. It is always enabled and cannot be disabled.

• You cannot manually select the device's operating channel; you must let DFS select the channel.

• You cannot configure the Auto Channel Select option. Within the HTTP interface, this option always appears enabled.

RTS/CTS Medium Reservation

The 802.11 standard supports optional RTS/CTS communication based on packet size. Without RTS/CTS, a sending radio listens to see if another radio is already using the medium before transmitting a data packet. If the medium is free, the sending radio transmits its packet. However, there is no guarantee that another radio is not transmitting a packet at the same time, causing a collision. This typically occurs when there are hidden nodes (clients that can communicate with the Access Point but are out of range of each other) in very large cells.

When RTS/CTS occurs, the sending radio first transmits a Request to Send (RTS) packet to confirm that the medium is clear. When the receiving radio successfully receives the RTS packet, it transmits back a Clear to Send (CTS) packet to the sending radio. When the sending radio receives the CTS packet, it sends the data packet to the receiving radio. The RTS and CTS packets contain a reservation time to notify other radios (including hidden nodes) that the medium is in use for a specified period. This helps to minimize collisions. While RTS/CTS adds overhead to the radio network, it is particularly useful for large packets that take longer to resend after a collision occurs.

RTS/CTS Medium Reservation is an advanced parameter and supports a range between 0 and 2347 bytes. When set to 2347 (the default setting), the RTS/CTS mechanism is disabled. When set to 0, the RTS/CTS mechanism is used for all packets. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. You should not need to enable this parameter for most networks unless you suspect that the wireless cell contains hidden nodes.

Wireless Service Status

The user can shutdown (or resume) the wireless service on the wireless interface of the AP through the CLI, HTTP, or SNMP interface. When the wireless service on a wireless interface is shutdown, the AP will:

WSS disables only BSS ports; WDS ports are still operational.

In shutdown state, AP will not transmit and receive frames from the wireless interface and will stop transmitting periodic beacons. Moreover, none of the frames received from the Ethernet interface will be forwarded to that wireless interface.

Wireless service on a wireless interface of the AP can be resumed through CLI/HTTP/SNMP management interface. When wireless service on a wireless interface is resumed, the AP will:

After wireless service resumes, the AP resumes beaconing, transmitting and receiving frames to/from the wireless interface and bridging the frames between the Ethernet and the wireless interface.

Traps Generated During Wireless Service Shutdown (and Resume)

The following traps are generated during wireless service shutdown and resume, and are also sent to any configured Syslog server.

When the wireless service is shutdown on a wireless interface, the AP generates a trap called oriTrapWirelessServiceShutdown.

When the wireless service is resumed on a wireless interface, the AP generate a trap called oriTrapWirelessServiceResumed.

When the wireless service is shutdown on a wireless interface, the Wireless Interface Activity LED for that interface changes to an amber color.

When wireless service is resumed on a wireless interface, the Wireless Interface Activity LED for that interface maintains an OFF state while there is no wireless link activity and changes to green color when there is wireless link activity.

Wireless (802.11b)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11b AP:

Distance Between APs

Distance Between APs defines how far apart (physically) your AP devices are located, which in turn determines the size of your cell. Cells of different sizes have different capacities and, therefore, suit different applications. For instance, a typical office has many stations that require high bandwidth for complex, high-speed data processing. In contrast, a typical warehouse has a few forklifts requiring low bandwidth for simple transactions.

Cell capacities are compared in the following table, which shows that small cells suit most offices and large cells suit most warehouses:

The number of Access Points in a set area determines the network coverage for that area. A large number of Access Points covering a small area is a high-density cell. A few Access Points, or even a single unit, covering the same small area would result in a low-density cell, even though in both cases the actual area did not change - only the number of Access Points covering the area changed.

In a typical office, a high density area consists of a number of Access Points installed every 20 feet and each Access Point generates a small radio cell with a diameter of about 10 feet. In contrast, a typical warehouse might have a low density area consisting of large cells (with a diameter of about 90 feet) and Access Points installed every 200 feet.

The Distance Between Cells parameter supports five values: Large, Medium, Small, Minicell, and Microcell.

The distance between APs should not be approximated. It is calculated by means of a manual Site Survey, in which an AP is set up and clients are tested throughout the area to determine signal strength and coverage, and local limits such as physical interference are investigated. From these measurements the appropriate cell size and density is determined, and the optimum distance between APs is calculated to suit your particular business requirements. Contact your reseller for information on how to conduct a Site Survey.

Multicast Rate

The multicast rate determines the rate at which broadcast and multicast packets are transmitted by the Access Point to the wireless network. Stations that are closer to the Access Point can receive multicast packets at a faster data rate than stations that are farther away from the AP. Therefore, you should set the Multicast Rate based on the size of the Access Point's cell. For example, if the Access Point's cell is very small (e.g., Distance Between APs is set to Microcell), you can expect that all stations should be able to successfully receive multicast packets at 11 Mbps so you can set Multicast Rate to 11 Mbps. However, if the Access Point's cell is large, you need to accommodate stations that may not be able to receive multicast packets at the higher rates; in this case, you should set Multicast Rate to 1 or 2 Mbps.

There is an inter-dependent relationship between the Distance between APs and the Multicast Rate. In general, larger systems operate at a lower average transmit rate. The variation between Multicast Rate and Distance Between APs is presented in the following table:

	1.0 Mbps	2.0 Mbps	5.5 Mbps	11 Mbps
Large	yes	yes
Medium	yes	yes	yes
Small	yes	yes	yes	yes
Minicell	yes	yes	yes	yes
Microcell	yes	yes	yes	yes

The Distance Between APs must be set before the Multicast Rate, because when you select the Distance Between APs, the appropriate range of Multicast values automatically populates the drop-down menu. This feature is not available if you are using an ORiNOCO ComboCard or a non-ORiNOCO client with the AP.

Wireless (802.11b/g)

You can configure the following radio parameters for an 802.11b/g AP:

You must reboot the Access Point before any changes to these parameters take effect.

Wireless (802.11a/g)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a/g AP:

You must reboot the Access Point before any changes to these parameters take effect.

You cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

Wireless Distribution System (WDS)

A Wireless Distribution System (WDS) creates a link between two 802.11a, 802.11b, or 802.11b/g APs over their radio interfaces. This link relays traffic from one AP that does not have Ethernet connectivity to a second AP that has Ethernet connectivity. WDS lets you configure up to six (6) point-to-point links between Access Points.

In the WDS Example below, AP 1 and AP 2 communicate over a WDS link (represented by the blue line). This link provides Client 1 with access to network resources even though AP 1 is not directly connected to the Ethernet network. Packets destined for or sent by the client are relayed between the Access Points over the WDS link.

WDS Example

Bridging WDS

Each WDS link is mapped to a logical WDS port on the AP. WDS ports behave like Ethernet ports rather than like standard wireless interfaces: on a BSS port, an Access Point learns by association and from frames; on a WDS or Ethernet port, an Access Point learns from frames only. When setting up a WDS, keep in mind the following:

WDS Setup Procedure

You must disable Auto Channel Select to create a WDS. Each Access Point that is a member of the WDS must have the same Channel setting to communicate with each other.

For radio cards that belong to the ETSI regulatory domain, ACS is enabled by default, and cannot be disabled. Therefore, it is not possible to set up a WDS link. This only applies to ETSI 802.11a wireless radios.

To setup a wireless backbone follow the steps below for each AP that you wish to include in the Wireless Distribution System.

1. Confirm that Auto Channel Select is disabled.

2. Write down the MAC Address of the radio that you wish to include in the Wireless Distribution System.

3. Click on Interfaces > Wireless.

4. Scroll down to the Wireless Distribution System heading.

5. Click the Edit button to update the Wireless Distribution System (WDS) Table.

   

   The WDS Configuration screen will be displayed.

   

6. If desired, enable security by checking the Enable WDS Security Mode box.

7. If security mode is enabled, enter a value for Encryption Key 0.

8. Click OK.

9. Enter the MAC Address that you wrote down in Step 2 in one of the Partner MAC Address field of the Wireless Distribution Setup window.

10. Set the Status of the device to Enable.

11. Click OK.

12. Reboot the AP.

Ethernet

Select the desired speed and transmission mode from the drop-down menu. Half-duplex means that only one side can transmit at a time and full-duplex allows both sides to transmit. When set to auto-duplex, the AP negotiates with its switch or hub to automatically select the highest throughput option supported by both sides.

For best results, Proxim recommends that you configure the Ethernet setting to match the speed and transmission mode of the device the Access Point is connected to (such as a hub or switch). If in doubt, leave this setting at its default, auto-speed-auto-duplex. Choose between:

Management

The Management tab contains five sub-tabs.

Passwords

The following passwords are configurable:

The default SNMPv3 username is administrator, with SHA authentication, and DES privacy protocol.

For security purposes Proxim recommends changing ALL PASSWORDS from the default public immediately, to restrict access to your network devices to authorized personnel. If you lose or forget your password settings, you can always perform the Reset to Factory Default Procedure.

IP Access Table

The Management IP Access table limits in-band management access to the IP addresses or range of IP addresses specified in the table. This feature applies to all management options (SNMP, HTTP, and CLI) except for CLI management over the serial port. To configure this table, click Add and set the following parameters:

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status pull-down menu.

Services

You can configure the following management services:

You must reboot the Access Point if you change the HTTP Port or Telnet Port.

Secure Management

Secure Management allows the use of encrypted and authenticated communication protocols such as SNMPv3, and Secure Socket Link (SSL), to manage the Access Point.

SNMP Settings

HTTP Access

HTTPS Access

SSL requires Internet Explorer version 6, 128 bit encryption, Service Pack 1, and patch Q323308.

You must reboot the AP after enabling or disabling SSL for the changes to take effect.

Accessing the AP through the HTTPS interface

Telnet Configuration Settings

Secure Shell (SSH) Settings

The AP supports SSH version 2, for secure remote CLI (Telnet) sessions. SSH provides strong authentication and encryption of session data.

The SSH server (AP) has host keys - a pair of assymetric keys - a private key that resides on the AP and a public key that is distributed to clients that need to connect to the AP. As the client has knowledge of the server host keys, the client can verify that it is communicating with the correct SSH server. The client authentication can be performed in two ways:

SSH Session Setup

An SSH session is setup through the following process:

SSH Clients

The following SSH clients have been verified to interoperate with the AP's server. The following table lists the clients, version number, and the website of the client.

Clients	Version	Website
OpenSSH	V3.4-2	http://www.openssh.com
Putty	Rel 0.53b	http://www.chiark.greenend.org.uk
Zoc	5.00	http://www.emtec.com
Axessh	V2.5	http://www.labf.com

For key generation, OpenSSH client has been verified.

Configuring SSH

Perform the following procedure to enable or disable SSH and set the SSH host key:

1. Click Configure -> Management -> Services.

2. To enable SSH, select "Enable" from the Enable SSH (Secure Shell) drop down menu.

   When Secure Management is enabled on the AP, SSH will be enabled by default and cannot be disabled.

3. Select the SSH Host Key Status from the drop-down menu.

   Host keys must either be generated externally and uploaded to the AP (see Uploading Externally Generated Host Keys), generated manually, or auto-generated at the time of SSH initialization if SSH is enabled and no host keys are present. There is no key present in an AP that is in a factory default state.

   To manually generate or delete host keys on the AP:

4. Select Create to generate a new pair of host keys.

5. Select Delete to remove the host keys from the AP. If no host keys are present, the AP will not allows connections using SSH. When host keys are created or deleted, the AP updates the fingerprint information displayed on the Management -> Services page.

   SSH Host key creation can take 3 to 4 minutes during which time the AP may not respond.

Uploading Externally Generated Host Keys

Perform the following procedure to upload externally generated host keys to the AP. You must upload both the SSH public key and SSH private key for SSH to work.

1. Verify that the host keys have been externally generated. The OpenSSH client has been verify to interoperate with AP's SSH server.

2. Click Commands -> Update AP -> via HTTP (or via TFTP).

   

3. Select "SSH Public Key" from the File Type drop-down menu.

4. Click Browse, select the SSH Public Key file on your local machine.

5. Click Open.

6. to initiate the file transfer, click the Update AP button.

7. Select "SSH Private Key" from the File Type drop-down menu.

8. Click Browse, select the SSH Private Key on your local machine.

9. Click Open.

10. To initiate the file transfer, click the Update AP button.

    The fingerprint of the new SSH public key will be displayed in the Management -> Services page.

Serial Configuration Settings

The serial port interface on the AP is enabled at all times. See Setting IP Address using Serial Port for information on how to access the CLI interface via the serial port. You can configure and view following parameters:

RADIUS Based Management Access

User management of APs can be centralized by using a RADIUS server to store user credentials. The AP cross-checks credentials using RADIUS protocol and the RADIUS server accepts or rejects the user.

HTTP/HTTPS and Telnet/SSH users can be managed with RADIUS. Serial CLI and SNMP cannot be managed by RADIUS. Two types of users can be supported using centralized RADIUS management:

• Super User: The super user has access to all function of a management interface. A super user is configured in the RADIUS server by setting the filter-id attribute (returned in the RADIUS Accept packet) for the user to a value of “super user” (not case sensitive). A user is considered a super user if the value of the filter-id attribute returned in the RADIUS Accept packet for the user is “super user” (not case sensitive).

• Limited User: A limited user has access to only a limited set of function on a management interface. All users who are not super users are considered limited users. However, a limited user is configured in the RADIUS server by setting the filter-id attribute (returned in the RADIUS Accept packet) to “limited user” (not case sensitive). Limited users do not have access to the following configuration capabilities:

When RADIUS Based Management is enabled, a local user can be configured to provide Telnet, SSH, and HTTP(S) access to the AP when RADIUS servers fail. The local user has super user capabilities. When secure management is enabled, the local user can only login using secure means (i.e., SSH or SSL). When the local user option is disabled the only access to the AP when RADIUS servers are down will be through serial CLI or SNMP.

The Radius Based Management Access parameters lets you enable HTTP or Telnet Radius Management Access, to configure a RADIUS Profile for management access control, and to enable or disable local user access, and configure the local user password. You can configure and view the following parameters:

Automatic Configuration (AutoConfig)

The Automatic Configuration feature which allows an AP to be automatically configured by downloading a specific configuration file from a TFTP server during the boot up process.

Automatic Configuration is disabled by default. The configuration process for Automatic Configuration varies depending on whether the AP is configured for dynamic or static IP.

When an AP is configured for dynamic IP, the Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. When configured for static IP, these parameters are instead configured in the AP interface.

After setting up automatic configuration you must reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If Syslog is configured, a Syslog message will appear indicating the success or failure of the Automatic Configuration.

Auto Configuration and the CLI Batch File

The Auto Configuration feature allows download of the TLV (tag, length, value) format configuration file or the CLI Batch file. The AP detects whether the file uploaded is TLV format or a CLI Batch file. If the AP detects a CLI Batch file (a file with extension .cli), the AP executes the file immediately.

The AP will reboot after executing the CLI Batch file. Auto Configuration will not result in repeated reboots if the CLI Batch file contains rebootable parameters.

For more information, refer to CLI Batch File.

Set up Automatic Configuration for Static IP

Perform the following procedure to enable and set up Automatic Configuration when you have a static IP address for the TFTP server.

1. Click Configure > Management > AutoConfig.

   The Automatic Configuration Screen appears.

2. Check Enable Auto Configuration.

3. Enter the Configuration Filename.

4. Enter the IP address of the TFTP server in the TFTP Server Address field. The default filename is "config". The default TFTP IP address is "169.254.128.133" for AP-600.

5. Click OK to save the changes.

6. Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
   • AutoConfig for Static IP

   • TFTP server address and configuration filename

   • AutoConfig Successful

   

Set up Automatic Configuration for Dynamic IP

Perform the following procedure to enable and set up Automatic Configuration when you have a dynamic IP address for the TFTP server via DHCP.

The Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. A Syslog server address is also contained in the DHCP response, allowing the AP to send Auto Configuration success and failure messages to a Syslog server.

The configuration filename and TFTP server IP address are configured only when the AP is configured for Static IP. If the AP is configured for Dynamic IP these parameters are not used and obtained from DHCP.

1. Click Configure > Management > AutoConfig.

   The Automatic Configuration Screen appears.

2. Check Enable Auto Configuration.

   When the AP is Configured with Dynamic IP, the DHCP server should be configured with the TFTP Server IP address ("Boot Server Host Name", option 66) and Configuration file ("Bootfile name", option 67) as follows (note that this example uses a Windows 2000 server):

3. Select DHCP Server > DHCP Option > Scope.

   The DHCP Options: Scope Screen appears.

   

4. Add the Boot Server Host Name and Boot Filename parameters to the Active Options list.

5. Set the value of the Boot Server Host Name Parameter to the host name or IP Address of the TFTP server. For example: 11.0.0.7.

   

6. Set the value of the Bootfile Name parameter to the Configuration filename. For example: AP-Config

7. If using Syslog, set the Log server IP address (option 7, Log Servers).

8. Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
   • AutoConfig for Dynamic IP

   • TFTP server address and configuration filename

   • AutoConfig Successful

Hardware Configuration Reset (CHRP)

Hardware Configuration Reset Status is a parameter that defines the hardware configuration reset behavior of the AP (i.e., what effect pressing the reload button has on an AP operating in normal operating mode).

If a user loses or forgets the AP's HTTP/Telnet/SNMP password, the reset button on the AP provides a way to reset the AP to default configuration values to gain access to the AP. However, in AP deployments where physical access to the AP is not protected, an unauthorized person could reset the AP to factory defaults and thus gain control of the AP. The user can disable the hardware configuration reset function to prevent unauthorized access.

The hardware configuration reset feature operates as follows:

Configuration Reset via Serial Port During Bootup

If hardware configuration reset is disabled, the user gets prompted by a configuration reset option to reset the AP to factory defaults during boot up from the serial interface. By pressing a key sequence (ctrl-R), the user gets prompted to enter a configuration reset password before the configuration is reset.

It is important to safely store the configuration reset password. If a user forgets the configuration reset password, the user will be unable to reset the AP to factory default configuration if the AP becomes inaccessible and the hardware configuration reset function is disabled.

Configuring Hardware Configuration Reset

Perform the following procedure to configure Hardware Configuration Reset and to set the Configuration Reset Password.

1. Click Configure -> Management -> CHRD.

2. Check (enable) or uncheck (disable) the Enable Hardware Configuration Reset checkbox.

3. Change the default Configuration Reset Password in the "Configuration Reset Password" and "Confirm" fields.

   It is important to safely store the configuration reset password. If a user forgets the configuration reset password, the user will be unable to reset the AP to factory default configuration if the AP becomes inaccessible and the hardware configuration reset function is disabled.

   

Procedure to Reset Configuration via the Serial Interface

1. During boot up, observe the message output on the serial interface.

   The AP prompts the user with the message: "Press ctrl-R in 3 seconds to choose configuration reset option."

2. Enter ctrl-R within 3 seconds after being prompted.

   The AP prompts the user with "Press ctrl-Z to continue with normal boot up or enter password to reset configuration." If the user enters ctrl-Z, the AP continues to boot with the stored configuration.

3. Enter the configuration reset password. The default configuration reset password is public.

   When the correct configuration reset password is entered, the AP gets reset to factory defaults and displays the message "AP has been reset to Factory Default Settings." The AP continues to boot up. If an incorrect configuration reset password is entered, the AP shows an error message and reprompts the user. If the incorrect password is entered three times in a row, the AP proceeds to boot up.

Filtering

The Access Point's Packet Filtering features help control the amount of traffic exchanged between the wired and wireless networks. There are four sub-tabs under the Filtering tab:

Ethernet Protocol

The Ethernet Protocol Filter blocks or forwards packets based on the Ethernet protocols they support.

Follow these steps to configure the Ethernet Protocol Filter:

1. Select the interface or interfaces that will implement the filter from the Ethernet Protocol Filtering drop-down menu.
   Ethernet: Packets are examined at the Ethernet interface

   Wireless: Packets are examined at the Wireless A interface

   All Interfaces: Packets are examined at both interfaces

   Disabled: The filter is not used

2. Select the Filter Operation Type.
   If set to Passthru, only the enabled Ethernet Protocols listed in the Filter Table will pass through the bridge.

   If set to Block, the bridge will block enabled Ethernet Protocols listed in the Filter Table.

3. Configure the Ethernet Protocol Filter Table. This table is pre-populated with existing Ethernet Protocol Filters, however, you may enter additional filters by specifying the appropriate parameters.
   To add an entry, click Add, and then specify the Protocol Number and a Protocol Name.

   - Protocol Number: Enter the protocol number. See http://www.iana.org/assignments/ethernet-numbers for a list of protocol numbers.

   - Protocol Name: Enter related information, typically the protocol name.

   To edit or delete an entry, click Edit and change the information, or select Enable, Disable, or Delete from the Status drop-down menu.

   An entry's status must be enabled in order for the protocol to be subject to the filter.

4. Reboot the AP for any changes to the Ethernet Protocol Filter Table to take effect.

Static MAC

The Static MAC Address filter optimizes the performance of a wireless (and wired) network. When this feature is properly configured, the AP can block traffic between wired devices and wireless devices based on MAC address.

For example, you can set up a Static MAC filter to prevent wireless clients from communicating with a specific server on the Ethernet network. You can also use this filter to block unnecessary multicast packets from being forwarded to the wireless network.

The Static MAC Filter is an advanced feature. You may find it easier to control wireless traffic via other filtering options, such as Ethernet Protocol Filtering.

Each static MAC entry contains the following fields:

• Wired MAC Address

• Wired Mask

• Wireless MAC Address

• Wireless Mask

• Comment: This field is optional.

• Status

Each MAC Address or Mask is comprised of 12 hexadecimal digits (0-9, A-F) that correspond to a 48-bit identifier. (Each hexadecimal digit represents 4 bits (0 or 1).)

Taken together, a MAC Address/Mask pair specifies an address or a range of MAC addresses that the AP will look for when examining packets. The AP uses Boolean logic to perform an "AND" operation between the MAC Address and the Mask at the bit level. However, for most users, you do not need to think in terms of bits. It should be sufficient to create a filter using only the hexadecimal digits 0 and F in the Mask (where 0 is any value and F is the value specified in the MAC address). A Mask of 00:00:00:00:00:00 corresponds to all MAC addresses, and a Mask of FF:FF:FF:FF:FF:FF applies only to the specified MAC Address.

For example, if the MAC Address is 00:20:A6:12:54:C3 and the Mask is FF:FF:FF:00:00:00, the AP will examine the source and destination addresses of each packet looking for any MAC address starting with 00:20:A6. If the Mask is FF:FF:FF:FF:FF:FF, the AP will only look for the specific MAC address (in this case, 00:20:A6:12:54:C3).

When creating a filter, you can configure the Wired parameters only, the Wireless parameters only, or both sets of parameters. Which parameters to configure depends upon the traffic that you want block:

- To prevent all traffic from a specific wireless MAC address from being forwarded to the wired network, configure only the Wireless MAC address and Wireless Mask (leave the Wired MAC Address and Wired Mask set to all zeros).

- To block traffic between a specific wired MAC address and a specific wireless MAC address, configure all four parameters.

To create an entry, click Add and enter the appropriate MAC addresses and Masks to setup a filter. The entry is enabled automatically when saved. To edit an entry, click Edit. To disable or remove an entry, click Edit and change the Status field from Enable to Disable or Delete.

Static MAC Filter Examples

Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:

Prevent Two Specific Devices from Communicating

Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:

Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 can still communicate with the Wired Server.

Prevent Multiple Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server.

Result: When a logical "AND" is performed on the Wireless MAC Address and Wireless Mask, the result corresponds to any MAC address beginning with the 00:20:2D prefix. Since Wireless Client 1 and Wireless Client 2 share the same prefix (00:02:2D), traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).

Prevent All Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent all three Wireless Clients from communicating with Wired Server 1.

Result: The Access Point blocks all traffic between Wired Server 1 and all wireless clients.

Prevent A Wireless Device From Communicating With the Wired Network

Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet.

Result: The Access Point blocks all traffic between Wireless Client 3 and the Ethernet network.

Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN

If there are devices on your Ethernet network that use multicast packets to communicate and these packets are not required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you can set up a filter to prevent these multicast packets from being forwarded to the wireless network:

Result: The Access Point does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.

Advanced

You can configure the following advanced filtering options:

The following protocols are listed in the Advanced Filter Table:

The AP can filter these protocols in the wireless-to-Ethernet direction, the Ethernet-to-wireless direction, or in both directions. Click Edit and use the Status field to Enable or Disable the filter.

TCP/UDP Port

Port-based filtering enables you to control wireless user access to network services by selectively blocking TCP/UDP protocols through the AP. A user specifies a Protocol Name, Port Number, Port Type (TCP, UDP, or TCP/UDP), and filtering interfaces (Only Ethernet, Only Wireless, All Interfaces) in order to block access to services, such as Telnet and FTP, and traffic, such as NETBIOS and HTTP.

For example, an AP with the following configuration would discard frames received on its Ethernet interface with a UDP destination port number of 137, effectively blocking NETBIOS Name Service packets.

Adding TCP/UDP Port Filters

1. Place a checkmark in the box labeled Enable TCP/UDP Port Filtering.

2. Click Add under the TCP/UDP Port Filter Table heading.

3. In the TCP/UDP Port Filter Table, enter the Protocol Names to filter.

4. Set the destination Port Number (a value between 1 and 65535) to filter. See the IANA Web site at http://www.iana.org/assignments/port-numbers for a list of assigned port numbers and their descriptions.

5. Set the Port Type for the protocol: TCP, UDP, or both (TCP/UDP).

6. Set the Interface to:
   • Only Ethernet
   • Only Wireless
   • All Interfaces

7. Click OK.

Editing TCP/UDP Port Filters

1. Click Edit under the TCP/UDP Port Filter Table heading.

2. Make any changes to the Protocol Name or Port Number for a specific entry, if necessary.

3. Modify the Port Type, Interface, and Status using the drop down menus, as appropriate.

4. Select OK.

Alarms

This tab has these sub-tabs.

Groups

The AP can be configured to generate and send alarms/notifications/traps as version 1 or a version 2c. Use the drop-down menu to select SNMP alarm type.

There are seven alarm groups that can be enabled or disabled via the Web interface. Place a checkmark in the box provided to enable a specific group. Remove the checkmark from the box to disable the alarms. Alarm Severity Levels vary.

In addition, the AP supports these standard traps, which are always enabled:

All these alarm groups correspond to System Alarms that are displayed in the System Status screen, including the traps that are sent by the AP to the SNMP managers specified in the Alarm Host Table.

Severity Levels

There are three severity levels for system alarms:

Critical alarms will often result in severe disruption in network activity or an automatic reboot of the AP

Major alarms are usually activated due to a breach in the security of the system. Clients cannot be authenticated or an attempt at unauthorized access into the AP has been detected.

Informational alarms are there to provide the network administrator with some general information about the activities the AP is performing.

Alarm Host Table

To add an entry and enable the AP to send SNMP trap messages to a Trap Host, click Add, and then specify the IP Address and Password for the Trap Host.

Up to 10 entries are possible in the Alarm Host table.

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status drop-down menu.

Syslog

The Syslog messaging system enables the AP to transmit event messages to a central server for monitoring and troubleshooting. The AP can send messages to multiple Syslog servers. The access point logs "Session Start (Log-in)" and "Session Stop (Log-out)" events for each wireless client as an alternative to RADIUS accounting.

See RFC 3164 at http://www.rfc-editor.org for more information on the Syslog standard.

Setting Syslog Event Notifications

Syslog Events are logged according to the level of detail specified by the administrator. Logging only urgent system messages will create a far smaller, more easily read log then a log of every event the system encounters. Determine which events to log by selecting a priority defined by the following scale:

Event	Priority	Description
LOG_EMERG	0	system is unusable
LOG_ALERT	1	action must be taken immediately
LOG_CRIT	2	critical conditions
LOG_ERR	3	error conditions
LOG_WARNING	4	warning conditions
LOG_NOTICE	5	normal but significant condition
LOG_INFO	6	informational
LOG_DEBUG	7	debug-level messages

Configuring Syslog Event Notifications

You can configure the following Syslog settings from the HTTP interface:

Syslog Messages

The following messages are supported in the AP:

Message	Severity
Auto Configuration via DHCP	Informational
Auto Configuration for static IP	Informational
TFTP server IP/Config filename missing in DHCP response	Minor
AutoConfig TFTP server IP address used is <IP address>	Informational
AutoConfig filename used is <filename>	Informational
AutoConfig TFTP download failed	Minor
Image Error check, invalid image	Minor
AP Heartbeat status	Minor
Client Authentication State	Informational
Accounting	Informational
RADIUS Responses	Informational

Rogue Access Point Detection (RAD)

The Rogue AP Detection (RAD) feature provides an additional security level for wireless LAN deployments. Rogue AP detection provides a mechanism for detecting Rogue Access Points by utilizing the coverage of the trusted Access Point deployment.

The Rogue AP Scan employs background scanning using low-level 802.11 scanning functions for effective wireless detection of Access Points in its coverage area with minimal impact on the normal operation of the Access Point.

This RAD feature can be enabled on an Access Point via its HTTP, CLI, or SNMP Interfaces. The scan repetition duration is configurable. The Access Point will periodically scan the wireless network and report all the available Access Points within its coverage area using SNMP traps. For additional reliability the results are stored in the Access Point in a table, which can be queried via SNMP. The BSSID and Channel number of the detected Access Points are provided in the scan results.

The RAD scan is done on a channel list initialized based on the regulatory domain of the device. The RAD Scan then performs background scanning on all the channels in this channel list using 802.11 MAC scanning functions. It will either actively scan the network by sending probe requests or passively scan by only listening for beacons. The access point information is then gathered from the probe responses and beacons.

To minimize traffic disruption and maximize the scanning efficiency, the RAD feature employs an enhanced background-scanning algorithm and uses the CTS to Self mechanism to keep the clients silent. The scanning algorithm allows traffic to be serviced between each channel scan. Before start of every scan (except scan on the working channel) the CTS to self-mechanism is used to set the NAV values of clients to keep them silent during the scanning period. In addition, the scan repetition duration can also be configured to reduce the frequency of RAD scan cycles to maximize Access Point performance.

RAD Configuration Requirements

The RAD feature can be configured/monitored via the HTTP, CLI, or SNMP management interfaces.

The following management options are provided:

Example Rogue AP Detection Deployment

Additionally, the RAD scan results are maintained in a table that can be queried via SNMP. The system administrator has to enable RAD on the Access Points in the wireless network and also configure the Trap Host on all these Access Points to the IP address of the management station. The Access Points on detecting a new Access Point sends a RAD Scan Result Trap to the management station.

An example network deployment is shown. The Trusted AP has Rogue Access Detection enabled and the trap host is configured to be the management station. The Trusted AP on detecting the Rogue AP will send a trap to the management station with the Channel and BSSID of the Rogue Access Point.

Configuring RAD

Perform this procedure to enable and configure RAD.

The RAD screen also displays the time of the last scan and the number of new access points detected in the last scan.

1. Enable the Security Alarm Group. Select the Security Alarm Group link from the RAD screen. Configure a Trap Host to receive the list of access points detected during the scan.

2. Click Configure > Alarms > RAD.

3. Enable Rogue AP Detection.

4. Scan Interval.

   The Scan Interval specifies the time period in minutes between scans and can be set to any value between 15 and 1440 minutes.

5. Click OK.

   The results of the RAD scan be viewed in the Status page in the HTTP interface.

   

Bridge

The AP is a bridge between your wired and wireless networking devices. As a bridge, the functions performed by the AP include:

Once the AP is connected to your network, it learns which devices are connected to it and records their MAC addresses in the Learn Table. The table can hold up to 10,000 entries. To view the Learn Table, click on the Monitor tab and select the Learn Table tab.

The Bridge tab has four sub-tabs.

Spanning Tree

A Spanning Tree is used to avoid redundant communication loops in networks with multiple bridging devices. Bridges do not have any inherent mechanism to avoid loops, because having redundant systems is a necessity in certain networks. However, redundant systems can cause Broadcast Storms, multiple frame copies, and MAC address table instability problems.

Complex network structures can create multiple loops within a network. The Spanning Tree configuration blocks certain ports on AP devices to control the path of communication within the network, avoiding loops and following a spanning tree structure.

For more information on Spanning Tree protocol, see Section 8.0 of the IEEE 802.1d standard. The Spanning Tree configuration options are advanced settings. Proxim recommends that you leave these parameters at their default values unless you are familiar with the Spanning Tree protocol.

Storm Threshold

Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by:

The Storm Threshold parameters allow you to specify a set of thresholds for each port of the AP, identifying separate values for the number of broadcast messages/second and Multicast messages/second.

When the number of frames for a port or identified station exceeds the maximum value per second, the AP will ignore all subsequent messages issued by the particular network device, or ignore all messages of that type.

Intra BSS

The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature enables you to prevent wireless subscribers within a BSS from exchanging traffic.

Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents peer-to-peer file sharing or gaming over the wireless network.

To block Intra BSS traffic, set Intra BSS Traffic Operation to Block. To allow Intra BSS traffic, set Intra BSS Traffic Operation to Passthru.

Packet Forwarding (Pkt Fwd)

The Packet Forwarding feature enables you to redirect traffic generated by wireless clients that are all associated to the same AP to a single MAC address. This filters wireless traffic without burdening the AP and provides additional security by limiting potential destinations or by routing the traffic directly to a firewall. You can redirect to a specific port (Ethernet or WDS) or allow the bridge's learning process (and the forwarding table entry for the selected MAC address) to determine the optimal port.

The gateway to which traffic is to be redirected should be a node on the Ethernet network. It should not be a wireless client.

To configure interfaces for packet forwarding, specifying interface port(s) to which packets are redirected and a destination MAC address, as follows:

1. Within the Packet Forwarding Configuration screen, check the box labeled Enable Packet Forwarding.

2. Specify a destination Packet Forwarding MAC Address. The AP will redirect all unicast, multicast, and broadcast packets received from wireless clients to the address you specify.

3. Select a Packet Forwarding Interface Port from the drop-down menu. You can redirect traffic to:

   - Any Interface (traffic is redirected to a port based on the bridge learning process)

   - Ethernet

   - A WDS connection (see Wireless Distribution System (WDS) for details)

4. Click OK to save your changes.

QoS (Quality of Service)

This feature is not supported in the AP. Clicking on this tab displays the following message: "The Quality of Service (QoS) feature is not implemented on the AP-600 and AP-2000."

RADIUS Profiles

Configuring RADIUS Profiles on the AP define a profile for RADIUS Servers used by the system or by a VLAN. The network administrator can define RADIUS Servers per Authentication Mode and per VLAN.

The AP communicates with the RADIUS server defined in a profile to provide the following features:

Also, RADIUS Based Management Access allows centralized user management.

The network administrator can configure default RADIUS authentication servers to be used on a system-wide basis, or in networks with VLANs enabled the administrator can also configure separate authentication servers to be used for MAC authentication, EAP authentication, or Accounting in each VLAN. You can configure the AP to communicate with up to six different RADIUS servers per VLAN/SSID:

The back-up servers are optional, but when configured, the AP will communicate with the back-up server if the primary server is off-line. After the AP has switched to the backup server, it will periodically check the status of the primary RADIUS server every five (5) minutes. Once the primary RADIUS server is again online, the AP automatically reverts from the backup RADIUS server back to the primary RADIUS server. All subsequent requests are then sent to the primary RADIUS server.

You can view monitoring statistics for each of the configured RADIUS servers.

RADIUS Servers per Authentication Mode and per VLAN

• You can configure separate RADIUS authentication servers for each authentication mode and for each SSID (VLAN). For example:

• You can configure separate RADIUS servers for RADIUS MAC authentication and 802.1x authentication

• You can configure separate RADIUS servers for each VLAN: the Sales VLAN could support only WEP clients, whereas the Marketing VLAN could support 802.1x and WEP clients.

  

This figure shows a network with separate authentication servers for each authentication type and for each VLAN. The clients in VLAN 1 are authenticated using the authentication servers configured for VLAN 1. The type of authentication server used depends on whether the authentication is done for an 802.1x client or non-802.1x client. The clients in VLAN 2 are authenticated using a different set of authentication servers configured for authenticating users in VLAN 2.

Authentication servers for each VLAN are configured as part of the configuration options for that VLAN. You can also configure authentication servers on a system-wide basis; these are called the default authentication servers. For each VLAN, the user could opt to use the default authentication servers, or to configure separate authentication servers to be used for a particular authentication type in that VLAN.

RADIUS-based VLAN Assignment

Radius-based VLAN assignment

The AP currently supports two methods of assigning a wireless client a VLAN ID. The wireless client can either be assigned the static VLAN ID configured for the SSID the wireless client is associated to, or the wireless client can be assigned a VLAN ID which is returned by the RADIUS server during authentication.

A VLAN ID can only be assigned to a wireless client by a RADIUS server if they are associated to an SSID that is configured to a RADIUS-based authentication security mode/protocol (802.1X, WPA, 802.11i/WPA2, and RADIUS based MAC Address Authentication). If the wireless client is associated to an SSID that does not provide RADIUS-based authentication (such as None, WEP, WPA-PSK, and 802.11i/WPA2-PSK), then the wireless client will be assigned the static VLAN ID configured for respective SSID. See SSID/VLAN/Security for more information.

RADIUS Servers Enforcing VLAN Access Control

A RADIUS server can be used to enforce VLAN access control in two ways:

Assigning the user to a VLAN by specifying the VLAN membership information of the user.

Configuring RADIUS Profiles

A RADIUS server Profile consists of a Primary and a Secondary RADIUS server that get assigned to act as either MAC Authentication servers, 802.1x/EAP Authentication servers, or Accounting Servers in the VLAN Configuration. Refer to SSID/VLAN/Security.

The RADIUS Profiles tab lets you add new RADIUS profiles or modify or delete existing profiles.

Adding or Modifying a RADIUS Server Profile

Perform the following procedure to add a RADIUS server profile and to configure its parameters.

Click Add to create a new profile. To Modify an existing profile, select the profile and click Edit. To delete an existing profile, select the profile and click Delete. You cannot delete a RADIUS server profile if you are using it in an SSID. Also, the four default RADIUS server profiles cannot be deleted.

This page configures only the Primary RADIUS Server associated with the profile. After configuring these parameters, save them by clicking OK. Then, to configure the Secondary RADIUS Server, edit the profile from the main page.

1. Configure the following parameters for the RADIUS Server profile:
   • Server Profile Name: the profile name. This is the name used to associated a VLAN to the profile. Refer to SSID/VLAN/Security.

   • MAC Address Format Type: This parameter should correspond to the format in which the clients' 12-digit MAC addresses are listed within the RADIUS server. Available options are:
     Dash delimited: dash between each pair of digits: xx-yy-zz-aa-bb-cc

     Colon delimited: colon between each pair of digits: xx:yy:zz:aa:bb:cc

     Single dash delimited: dash between the sixth and seventh digits: xxyyzz-aabbcc

     No delimiters: No characters or spaces between pairs of hexidecimal digits: xxyyzzaabbcc

   • Accounting Inactivity Timer: Enter the accounting inactivity timer. This parameter supports a value from 1-60 minutes. The default is 5 minutes.

   • Authorization Lifetime: Enter the time, in seconds, each client session may be active before being automatically re-authenticated. This parameter supports a value between 900 and 43200 seconds. The default is 900 sec.

   • Server Addressing Format: select IP Address or Name. If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client for details.

   • Server Name/IP Address: Enter the server's name or IP address.

   • Destination Port: Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers communicate on port 1812.

   • Server VLAN ID: Indicates the VLAN that uses this RADIUS server profile. If VLAN is disabled, the text "VLAN is disabled" will appear.

   • Shared Secret and Confirm Shared Secret: Enter the password shared by the RADIUS server and the AP. The same password must also be configured on the RADIUS server.

   • Response Time (seconds): Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request. The range is 1-10 seconds; the default is 3 seconds.

   • Maximum Retransmissions (0-4): Enter the maximum number of times an authentication request may be transmitted. The range is 0 to 4, the default is 3.

   • Server Status: Select Enable from the drop-down box to enable the RADIUS Server Profile.

2. Click OK.

3. Select the Profile and click Edit to configure the Secondary RADIUS Server, if required.

4. Reboot the AP.

MAC Access Control Via RADIUS Authentication

If you want to control wireless access to the network and if your network includes a RADIUS Server, you can store the list of MAC addresses on the RADIUS server rather than configure each AP individually. You can define a RADIUS Profile that specifies the IP Address of the server that contains a central list of MAC Address values identifying the authorized stations that may access the wireless network. You must specify information for at least the primary RADIUS server. The back-up RADIUS server is optional.

Each VLAN can be configured to use a separate RADIUS server (and backup server) for MAC authentication.

Contact your RADIUS server manufacturer if you have problems configuring the server or have problems using RADIUS authentication.

802.1x Authentication using RADIUS

You must configure a primary EAP/802.1x Authentication server to use 802.1x security. A back-up server is optional.

Each VLAN can be configured to use a separate RADIUS server (and backup server) for 802.1x authentication. 802.1x authentication ("EAP authentication") can be separately enabled for each VLAN.

RADIUS Accounting

Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS accounting is initiated by sending an "Accounting Start" request to the RADIUS server. When the wireless client session ends, an "Accounting Stop" request is sent to the RADIUS server.

Session Length

Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:

If the client roams from one AP to another, one session is terminated and a new session is begun.

This feature requires RADIUS authentication using MAC Access Control or 802.1x. Wireless clients configured in the Access Point's static MAC Access Control list are not tracked.

SSID/VLAN/Security

The AP provides several security features to protect your network from unauthorized access.

Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted resources.

The AP uses Security Profiles to define allowed wireless clients, and authentication and encryption types and RADIUS Profiles to define RADIUS Servers used by the system or by a VLAN.

The SSID/VLAN/Security tab contains the following sub-tabs:

Management VLAN

VLAN Overview

Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted resources.

VLANs now extend as far as the reach of the access point signal. Clients can be segmented into wireless sub-networks via SSID and VLAN assignment. A Client can access the network by connecting to an AP configured to support its assigned SSID/VLAN.

AP devices are fully VLAN-ready; however, by default VLAN support is disabled. Before enabling VLAN support, certain network settings should be configured, and network resources such as a VLAN-aware switch, a RADIUS server, and possibly a DHCP server should be available.

Once enabled, VLANs are used to conveniently, efficiently, and easily manage your network in the following ways:

• Manage adds, moves, and changes from a single point of contact

• Define and monitor groups

• Reduce broadcast and multicast traffic to unnecessary destinations

• Improve network performance and reduce latency

• Increase security
  • Secure network restricts members to resources on their own VLAN

  • Clients roam without compromising security

VLAN tagged data is collected and distributed through an AP's wireless interface(s) based on Network Name (SSID). An Ethernet port on the access point connects a wireless cell or network to a wired backbone. The access points communicate across a VLAN-capable switch that analyzes VLAN-tagged packet headers and directs traffic to the appropriate ports. On the wired network, a RADIUS server authenticates traffic and a DHCP server manages IP addresses for the VLAN(s). Resources like servers and printers may be present, and a hub may include multiple APs, extending the network over a larger area.

In this figure, the numbered items correspond to the following components:

VLAN Workgroups and Traffic Management

Access Points that are not VLAN-capable typically transmit broadcast and multicast traffic to all wireless Network Interface Cards (NICs). This process wastes wireless bandwidth and degrades throughput performance. In comparison, VLAN-capable AP is designed to efficiently manage delivery of broadcast, multicast, and unicast traffic to wireless clients.

The AP assigns clients to a VLAN based on a Network Name (SSID). The AP can support up to 16 VLAN/SSID pairs per radio (based on model type).

The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only for AP-600a/b/g and AP-600b/g.

The AP matches packets transmitted or received to a network name with the associated VLAN. Traffic received by a VLAN is only sent on the wireless interface associated with that same VLAN. This eliminates unnecessary traffic on the wireless LAN, conserving bandwidth and maximizing throughput.

In addition to enhancing wireless traffic management, the VLAN-capable AP supports easy assignment of wireless users to workgroups. In a typical scenario, each user VLAN represents a workgroup; for example, one VLAN could be used for an EMPLOYEE workgroup and the other, for a GUEST workgroup.

In this scenario, the AP would assign every packet it accepted to a VLAN. Each packet would then be identified as EMPLOYEE or GUEST, depending on which wireless NIC received it. The AP would insert VLAN headers or "tags" with identifiers into the packets transmitted on the wired backbone to a network switch.

Finally, the switch would be configured to route packets from the EMPLOYEE workgroup to the appropriate corporate resources such as printers and servers. Packets from the GUEST workgroup could be restricted to a gateway that allowed access to only the Internet. A member of the GUEST workgroup could send and receive e-mail and access the Internet, but would be prevented from accessing servers or hosts on the local corporate network.

Typical User VLAN Configurations

VLANs segment network traffic into workgroups, which enable you to limit broadcast and multicast traffic. Workgroups enable clients from different VLANs to access different resources using the same network infrastructure. Clients using the same physical network are limited to those resources available to their workgroup.

The AP can segment users into a maximum of 16 different workgroups (32 if using two cards in a Dual-radio AP) based on an SSID/VLAN pair (also referred as a VLAN Workgroup or a Sub-network).

The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only for AP-600a/b/g and AP-600b/g.

The three primary scenarios for using VLAN workgroups are as follows:

1. VLAN disabled: Your network does not use VLANs, and you cannot configure the AP to use multiple SSIDs.

2. VLAN enabled, each VLAN workgroup uses a different VLAN ID Tag

3. VLAN enabled, a mixture of Tagged and Untagged workgroups

Enabling/Disabling VLAN Protocol

Control Access to the AP

Management access to the AP can easily be secured by making management stations or hosts and the AP itself members of a common VLAN. Simply configure a non-zero management VLAN ID and enable VLAN to restrict management of the AP to members of the same VLAN.

If a non-zero management VLAN ID is configured then management access to the AP is restricted to wired or wireless hosts that are members of the same VLAN. Ensure your management platform or host is a member of the same VLAN before attempting to manage the AP.

1. Click Configure > SSID/VLAN/Security.

2. Set the VLAN Management ID to a value between -1 and 4094 (a value of 0 disables VLAN management).

3. Place a checkmark in the Enable VLAN Protocol box.

Provide Access to a Wireless Host in the Same Workgroup

The VLAN feature can allow wireless clients to manage the AP. If the VLAN Management ID matches a VLAN User ID, then those wireless clients who are members of that VLAN will have AP management access.

Once a VLAN Management ID is configured and is equivalent to one of the VLAN User IDs on the AP, all members of that User VLAN will have management access to the AP. Be careful to restrict VLAN membership to those with legitimate access to the AP.

1. Click Configure > SSID/VLAN/Security.

2. Set the VLAN Management ID to use the same VLAN ID as one of the configured SSID/VLAN pairs. See Typical User VLAN Configurations for details.

3. Place a checkmark in the Enable VLAN Protocol box.

Disable VLAN Management

1. Click Configure > SSID/VLAN/Security.

2. Remove the checkmark from the Enable VLAN Protocol box to disable all VLAN function.

MAC Access

The MAC Access sub-tab lets you build a list of stations, identified by their MAC addresses, authorized to access the network through the AP. The list is stored inside each AP within your network. Note that you must reboot the AP for any changes to the MAC Access Control Table to take effect.

The "MAC ACL Status" parameter (configurable on the SSID/VLAN -> Wireless sub-tab) is per VLAN if VLAN Management is enabled. All other parameters besides "MAC ACL Status" are configured per AP, even if VLAN is enabled.

Configuring MAC Access

MAC Access Control status is enabled or disabled when configuring each Security Profile.

For larger networks that include multiple Access Points, you may prefer to maintain this list on a centralized location using the MAC Access Control Via RADIUS Authentication.

Security Profiles

The AP supports the following Security features:

WEP Encryption

The IEEE 802.11 standards specify an optional encryption feature, known as Wired Equivalent Privacy or WEP, that is designed to provide a wireless LAN with a security level equal to what is found on a wired Ethernet network. WEP encrypts the data portion of each packet exchanged on an 802.11 network using an Encryption Key (also known as a WEP Key).

When Encryption is enabled, two 802.11 devices must have the same Encryption Keys and both devices must be configured to use Encryption in order to communicate. If one device is configured to use Encryption but a second device is not, then the two devices will not communicate, even if both devices have the same Encryption Keys.

802.1x Authentication

IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an Access Point. 802.1x requires a RADIUS server and uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep pace with future EAP types.

Popular EAP types include:

Different servers support different EAP types and each EAP type provides different features. Refer to the documentation that came with your RADIUS server to determine which EAP types it supports.

The AP supports the following EAP types when Authentication Mode is set to 802.1x, WPA or 802.11i (WPA2): EAP-TLS, PEAP, and EAP-TTLS. When Authentication Mode is set to Mixed, the AP supports the following EAP types: EAP-TLS, PEAP, EAP-TLLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if you choose this method you need to manually configure each client with the network's encryption key).

Authentication Process

There are three main components in the authentication process. The standard refers to them as:

When using Authentication Mode to 802.1x, WPA, Mixed mode (802.1x and WEP), or 802.11i, you need to configure your RADIUS server for authentication purposes.

Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP (the client begins encrypting data after it has been authenticated).

The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).

Upon receiving a reply EAP packet from the RADIUS, the message is typically forwarded to the client, after translating it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports automatic key distribution). The client uses this key to encrypt data after it has been authenticated.

For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key; this is known as Per User Per Session Encryption Keys.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE). THE AP supports WPA2, based on the IEEE 802.11i security standard.

For Single-radio APs: WPA is available for AP-600a/b/g and AP-600b/g (or APs that have an 802.11a/b/g or 802.11b/g upgrade kit). WPA is NOT available for the AP-600a or AP-600b. Note that while you can select WPA on AP-600a units, WPA is not supported for the AP-600a unless you have installed an 802.11a/b/g upgrade kit.

WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.

WPA provides the following new security measures not available with WEP:

For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

The AP supports the following WPA authentication modes:

Authentication Protocol Hierarchy

There is a hierarchy of authentication protocols defined for the AP.

The hierarchy is as follows, from Highest to lowest:

If you have both 802.1x and MAC authentication enabled, the 802.1x results will take effect. This is required in order to propagate the WEP keys to the clients in such cases. Once you disable 802.1x on the AP, you will see the effects of MAC authentication.

VLANs and Security Profiles

The AP600 lets you segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN membership. A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share an SSID. During installation, the Setup Wizard prompts you to configure a Primary Network Name for each wireless interface.

After initial setup and once VLAN is enabled, the AP can be configured to support up to 16 SSIDs per wireless interface to segment wireless networks based on VLAN membership.

Each VLAN can be associated to a Security Profile and RADIUS Server Profiles. A Security Profile defines the allowed wireless clients, and authentication and encryption types. Refer to VLANs and Security Profiles for configuration details.

The ability to configure up to 16 VLAN/SSID pairs and to configure a security profile per SSID is available only for AP-600a/b/g and AP-600b/g.

Configuring Security Profiles

Security policies can be configured and applied on the AP as a whole, or on a per VLAN basis. When VLAN is disabled on the AP, the user can configure a security profile for each interface of the AP. When VLANs are enabled and Security per SSID is enabled, the user can configure a security profile for each VLAN.

The user defines a security policy by specifying one or more values for the following parameters:

Up to 16 security profiles can be configured per wireless interface.

1. Click Configure -> SSID/VLAN/Security -> Security Profile.

   

2. Click Add in the Security Profile Table to create a new entry. To modify an existing profile, select the profile and click Edit. To delete an existing profile, select the profile and click Delete. You cannot delete a Security Profile used in an SSID. Also, the first Security Profile (index 1.1 to 1.7) cannot be deleted.

3. Configure one or more types of wireless stations (security modes) that are allowed access to the AP under the security profile. The WEP/PSK parameters are separately configurable for each security mode. To enable a security mode in the profile (Non Secure Station, WEP Station, 802.1x Station, WPA Station, WPA-PSK Station, 802.11i Station, 802.11i-PSK Station), check the box next to the mode. See Figure 4-29 on page 99.

   If the security mode selected in a profile is WEP, WPA-PSK, or 802.11i-PSK, then you must configure the WEP or Pre-Shared Keys.

4. Configure the parameters as follows for each enabled security mode.
   • Non Secure Station:
     • Authentication Mode: None. The AP allows access to Stations without authentication.

       Non secure station should be used only with WEP or 802.1x security mode.

     • Cipher: None

   • WEP Station:
     • Authentication Mode: None

     • Cipher: WEP

     • Encryption Key 0, Encryption Key 1, Encryption Key 2, Encryption Key 3

     • Encryption Transmit Key: select Key 0, Key 1, Key 2, or Key 3

   • 802.1x Station:
     Authentication Mode: 802.1x

     Cipher: WEP

     Encryption Key Length: 64 or 128 Bits.

     If 802.1x is enabled simultaneously with WEP, the 802.1x Station's encryption key length is determined by the WEP encryption key.

   • WPA Station:
     Authentication Mode: 802.1x

     Cipher: TKIP

   • WPA-PSK Station:
     Authentication Mode: PSK

     Cipher: TKIP

     PSK Passphrase: an 8-63 character user-defined phrase. It is recommended a passphrase of at least 13 characters, including both letters and numbers, and upper and lower case characters to ensure that the generated key cannot be easily deciphered by network infiltrators.

   • 802.11i Station:
     Authentication Mode: 802.1x

     Cipher: AES

   • 802.11i-PSK Station:
     Authentication Mode: PSK

     Cipher: AES

     PSK Passphrase: an 8-63 character user-defined phrase. It is recommended a passphrase of at least 13 characters, including both letters and numbers, and upper and lower case characters to ensure that the generated key cannot be easily deciphered by network infiltrators.

5. When finished configuring all parameters, click OK.

6. If you selected a Security Mode of 802.1x Station, WPA Station, or 802.11i Station, you must configure a RADIUS 802.1x/EAP server. Refer to the Configuring RADIUS Profiles section.

   Security Profile 1 will be used by default for all wireless interfaces.

7. Refer to the following section for advanced VLAN configuration options: Adding or Modifying an SSID/VLAN with VLAN Protocol Disabled and Adding or Modifying an SSID/VLAN with VLAN Protocol Enabled.

8. Reboot the AP.

   

Wireless

Each SSID/VLAN can have its own Security Profile that defines its security mode, authentication mechanism, and encryption, so that customers can have multiple types of clients (non-WEP, WEP, 802.1x, WPA) on the same system, but separated per VLAN. Refer to the Security Profiles section for more information. These parameters are configurable from the Wireless sub-tab.

Adding or Modifying an SSID/VLAN with VLAN Protocol Disabled

1. Click on SSID/VLAN/Security > Wireless-.

   This tab lets you select the index of the SSID/VLAN to be added or edited. It also lets you configure the RADIUS Accounting and Authentication Status, the MAC ACL Status, the Rekeying Interval, the Security Profile, and the RADIUS Server Profiles for the VLAN.

2. Scroll down to the SSID and VLAN table

3. Click Add to configure additional SSIDs, VLANs, and their associated security profiles and RADIUS server profiles, or click Edit to modify an existing VLAN/SSID.

   

   The Add Entry or Edit Entry screen appears. See Figure 4-31 and Figure 4-32 on page 101.

   

   

4. Enter a unique Network Name (SSID), between 1 and 32 characters. This parameter is mandatory.

5. Enter a unique VLAN ID. This parameter is mandatory.
   - You must specify a unique VLAN ID for each SSID on the interface. A VLAN ID is a number from -1 to 4094. A value of -1 means that an entry is "untagged."

   - You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID to be members of a VLAN workgroup. Only one "untagged" VLAN ID is allowed per interface.

   - The VLAN ID must match an ID used by your network; contact your network administrator if you need assistance defining the VLAN IDs.

6. If editing an entry, enable or disable the VLAN using the Status drop-down menu. If adding an entry, this field will not appear.

7. Click OK to return to Wireless Security Configuration Screen. See Figure 4-33 on page 102.

   

8. Enable or disable RADIUS accounting on the VLAN/SSID under the Accounting Status drop-down menu.

9. Enable or disable RADIUS MAC authentication status on the VLAN/SSID under the RADIUS Authentication Status drop-down menu.

10. Enable or disable MAC Access Control List status on the VLAN/SSID under the MAC ACL Status drop-down menu.

11. Enter the Rekeying Interval in seconds. The default interval is 900 seconds.

12. Enter the Security Profile used by the VLAN in the Security Profile field. Refer to the Security Profiles section for more information.

    If you have two or more SSIDs per interface using a security Profile with a security mode of Non Secure, be aware that security being applied in the VLAN is not being applied in the wireless network.

13. Define the RADIUS Server Profile Configuration for the VLAN/SSID:
    RADIUS MAC Authentication Profile

    RADIUS EAP Authentication Profile

    RADIUS Accounting Profile

    If 802.1x, WPA, or 802.11i security mode is used, the RADIUS EAP Authentication Profile must have a value.

    A RADIUS Server Profile for authentication for each VLAN shall be configured as part of the configuration options for that VLAN. RADIUS profiles are independent of VLANs. The user can define any profile to be the default and associate all VLANs to that profile. Four profiles are created by default, "MAC Authentication", "EAP Authentication", Accounting", and "Management".

14. Reboot the AP.

Adding or Modifying an SSID/VLAN with VLAN Protocol Enabled

1. Click SSID/VLAN/Security > Wireless.

   This tab lets you select the index of the SSID/VLAN to be added or edited. It also lets you enable Security Per SSID, and configure the RADIUS Accounting and Authentication Status, the MAC ACL Status, the Rekeying Interval, the Security Profile, and the RADIUS Server Profiles for the VLAN.

2. Select the Enable Security Per SSID option. The screen will update to the following:

   

3. Click Add to configure additional SSIDs, VLANs, and their associated security profiles and RADIUS server profiles, or click Edit to modify an existing VLAN/SSID.

   The Add Entry or Edit Entry screen appears.

   

   

4. Enter a unique Network Name (SSID), between 1 and 32 characters. This parameter is mandatory.

5. Enter a unique VLAN ID. This parameter is mandatory.

   - You must specify a unique VLAN ID for each SSID on the interface. A VLAN ID is a number from -1 to 4094. A value of -1 means that an entry is "untagged."

   - You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID to be members of a VLAN workgroup. Only one "untagged" VLAN ID is allowed per interface.

   - The VLAN ID must match an ID used by your network; contact your network administrator if you need assistance defining the VLAN IDs.

6. If editing an entry, enable or disable the VLAN using the VLAN Status drop-down menu. If adding, this drop-down menu will not appear.

7. Enable or disable the SSID Authorization status from the drop-down menu.

   SSID Authorization is the RADIUS based authorization of the SSID for a particular client. The authorized SSIDs are sent as the tunnel attributes.

8. Enable or disable RADIUS accounting on the VLAN/SSID under the Accounting Status drop-down menu.

9. Enable or disable RADIUS MAC authentication status on the VLAN/SSID under the RADIUS Authentication Status drop-down menu.

10. Enable or disable MAC Access Control List status on the VLAN/SSID under the MAC ACL Status drop-down menu.

11. Enter the Rekeying Interval in seconds. The default interval is 900 seconds.

12. Enter the Security Profile used by the VLAN in the Security Profile field.

    If you have two or more SSIDs per interface using a security Profile with a security mode of Non Secure, be aware that security being applied in the VLAN is not being applied in the wireless network.

13. Define the RADIUS Server Profile Configuration for the VLAN/SSID:
    RADIUS MAC Authentication Profile

    RADIUS EAP Authentication Profile

    RADIUS Accounting Profile

    If 802.1x, WPA, or 802.11i security mode is used, the RADIUS EAP Authentication Profile must have a value.

    A RADIUS Server Profile for authentication for each VLAN shall be configured as part of the configuration options for that VLAN. RADIUS profiles are independent of VLANs. The user can define any profile to be the default and associate all VLANs to that profile. Four profiles are created by default, "MAC Authentication", "EAP Authentication", Accounting", and "Management".

14. Reboot the AP.

Broadcast SSID and Closed System

Broadcast SSID allows the broadcast of a single SSID when the AP is configured for multiple SSIDs. Broadcast SSID may only be enabled for a single SSID. This object can only be configured using the CLI and SNMP using a MIB browser or network management application.

Closed System manages the way probe requests are handled. If enabled, the AP will respond to probe requests with an SSID only if the client has specified the SSID in the probe request. If the client sends a probe request with a null or "ANY" SSID, the AP will respond with a null SSID. If disabled, the AP will respond with each configured SSID, whether or not an SSID has been specified in the probe request. This option is disabled by default.

To enable Closed System, click on Interfaces > Wireless and check the Enable Closed System box.

For more information, on Broadcast SSID and Closed System, refer to Technical Bulletin 69680 at http://support.proxim.com.

Logging into the HTTP Interface

Once the AP has a valid IP Address and an Ethernet connection, you may use your web browser to monitor network statistics.

The Command Line Interface (CLI) also provides a method for viewing network statistics using Telnet or a serial connection. This section covers only use of the HTTP interface. For more information about viewing network statistics with the CLI, refer to Using the Command Line Interface (CLI).

Follow these steps to monitor an AP's operating statistics using the HTTP interface:

1. Open a Web browser on a network computer.
   The HTTP interface supports the following Web browsers: Microsoft Internet Explorer 6 with Service Pack 1 or later, and Netscape 6.1 or later.

2. If necessary, disable the Internet proxy settings. For Internet Explorer users, follow these steps:
   - Select Tools > Internet Options....

   - Click the Connections tab.

   - Click LAN Settings....

   - If necessary, remove the checkmark from the Use a proxy server box.

   - Click OK twice to save your changes and return to Internet Explorer.

3. Enter the Access Point's IP address in the browser's Address field and press Enter.
   - Result: The AP Enter Network Password screen appears.

4. Enter the HTTP password in the Password field and click OK. Leave the User Name field blank. (By default, the HTTP password is public).
   - Result: The System Status screen appears.

   

5. Click the Monitor button located on the left-hand side of the screen.

   

6. Click the tab that corresponds to the statistics you want to review. For example, click Learn Table to see the list of nodes that the AP has discovered on the network.

7. If applicable, click the Refresh button to update the statistics.

Version

From the HTTP interface, click the Monitor button and select the Version tab. The list displayed provides you with information that may be pertinent when calling Technical Support. With this information, your Technical Support representative can verify compatibility issues and make sure the latest software are loaded. This screen displays the following information for each Access Point component:

ICMP

This tab provides statistical information for both received and transmitted messages directed to the AP. Not all ICMP traffic on the network is counted in the ICMP (Internet Control Message Protocol) statistics.

IP/ARP Table

This tab provides information based on the Address Resolution Protocol (ARP), which relates MAC Address and IP Addresses.

Learn Table

This tab displays information relating to network bridging. It reports the MAC address for each node that the device has learned is on the network and the interface on which the node was detected. There can be up 10,000 entries in the Learn Table.

IAPP

This tab displays statistics relating to client handovers and communications between ORiNOCO Access Points.

RADIUS

This tab provides RADIUS authentication, EAP/802.1x authentication, and accounting information for both the Primary and Backup RADIUS servers.

RADIUS authentication and accounting must be enabled for this information to be valid.

Interfaces

This tab displays statistics for the Ethernet and wireless interfaces. The Operational Status can be up, down, or testing.

Station Statistics

This tab displays information on wireless clients attached to the AP and on Wireless Distribution System links.

Enabling and Viewing Station Statistics

To enable the monitoring of Stations Statistics, perform the following procedure:

1. Click on the Monitor tab on the left on the web page.

2. Click on the Station Statistics tab on the Monitor screen.

3. Enable the Monitoring Station Statistics feature (Station Statistics are disabled by default) by checking Enable Monitoring Station Statistics and click OK.

You do not need to reboot the AP for the changes to take effect. If clients are connected to the device or WDS links are configured for the device, the statistics will now be shown on the screen.

Refreshing Station Statistics

Click on the Refresh button in the browser window to view the latest statistics. If any new clients associate to the AP, you can see the statistics of the new clients after you click the refresh button.

Description of Station Statistics

Introduction to File Transfer via TFTP or HTTP: Describes the available file transfer methods.

Update AP via TFTP: Download files from a TFTP server to the AP.

Update AP via HTTP: Download files to the AP from HTTP.

Retrieve File via TFTP: Upload configuration files from the AP to a TFTP server.

Retrieve File via HTTP: Upload configuration files from the AP via HTTP.

Reboot: Reboot the AP in the specified number of seconds.

Reset: Reset all of the Access Point's configuration settings to factory defaults.

Help Link: Configure the location where the AP Help files can be found.

Logging into the HTTP Interface

Once the AP has a valid IP Address and an Ethernet connection, you may use your web browser to issue commands.

The Command Line Interface (CLI) also provides a method for issuing commands using Telnet or a serial connection. This section covers only use of the HTTP Interface. For more information about issuing commands with the CLI, refer to Using the Command Line Interface (CLI).

Follow these steps to view the available commands supported by the AP's HTTP interface:

1. Open a Web browser on a network computer.

   The HTTP interface supports the following Web browsers: Microsoft Internet Explorer 6 with Service Pack 1 or later, and Netscape 6.1 or later.

2. If necessary, disable the Internet proxy settings. For Internet Explorer users, follow these steps:
   - Select Tools > Internet Options....

   - Click the Connections tab.

   - Click LAN Settings....

   - If necessary, remove the checkmark from the Use a proxy server box.

   - Click OK twice to save your changes and return to Internet Explorer.

3. Enter the Access Point's IP address in the browser's Address field and press Enter.
   - Result: The Enter Network Password screen appears.

4. Enter the HTTP password in the Password field and click OK. Leave the User Name field blank. (By default, the HTTP password is public).
   - Result: The System Status screen appears.

   

5. Click the Commands button located on the left-hand side of the screen.

   

6. Click the tab that corresponds to the command you want to issue. For example, click Reboot to restart the unit.

Introduction to File Transfer via TFTP or HTTP

There are two methods of transferring files to or from the AP, TFTP or HTTP (or HTTPS if enabled).

The following procedures describe downloading Configuration, AP Image, Bootloader, Private Key, and Certificate files to the AP:

The following procedures describe uploading Configuration files from the AP:

TFTP File Transfer Guidelines

A TFTP server must be running and configured to point to the directory containing the file.

If you do not have a TFTP server installed on your system, install the TFTP server from the ORiNOCO CD.

HTTP File Transfer Guidelines

HTTP file transfer can be performed either with or without SSL enabled.

HTTP file transfers with SSL require enabling Secure Management and Secure Socket Layer. HTTP transfers that use SSL may take additional time.

SSL requires Internet Explorer version 6, 128 bit encryption, Service Pack 1, and patch Q323308.

Image Error Checking during File Transfer

The Access Point performs checks to verify that an image downloaded through HTTP or TFTP is valid. The following checks are performed on the downloaded image:

If any of the above checks fail on the downloaded image, the Access Point deletes the downloaded image and retains the old image. Otherwise, if all checks pass successfully, the AP deletes the old image and retains the downloaded image.

These checks are to ensure that the AP does not enter an invalid image state. The storage of the two images is only temporary to ensure the proper verification; the two images will not be stored in the AP permanently.

Image error checking functions automatically in the background. No user configuration is required.

Update AP via TFTP

Use the Update AP via TFTP tab to download Configuration, AP Image, Bootloader files, and Certificate and Private Key files to the AP. A TFTP server must be running and configured to point to the directory containing the file.

If you do not have a TFTP server installed on your system, install the TFTP server from the ORiNOCO CD. You can either install the TFTP server from the CD Wizard or run OEM-TFTP-Server.exe found in the CD's Xtras/SolarWinds sub-directory.

The Update AP via TFTP tab shows version information and lets you enter TFTP information as described below.

Update AP via HTTP

Use the Update AP via HTTP tab to download Configuration, AP Image, Bootloader files, and Certificate and Private Key files to the AP.

Once on the Update AP screen, click on the via HTTP tab.

The Update AP via HTTP tab shows version information and lets you enter HTTP information as described below.

Use the Browse button or manually type in the name of the file to be downloaded (including the file extension) in the File Name field. If typing the file name, you must include the full path and the file extension in the file name text box.

To initiate the HTTP Update operation, click the Update AP button.

A warning message gets displayed that advises the user that a reboot of the device will be required for changes to take effect.

Click OK to continue with the operation or Cancel to abort the operation.

An HTTP file transfer using SSL may take extra time.

If the operation did not complete successfully the following screen appears, and the reason for the failure is displayed.

Retrieve File via TFTP

Use the Retrieve File via TFTP tab to upload files from the AP to the TFTP server. The TFTP server must be running and configured to point to the directory to which you want to copy the uploaded file. We suggest you assign the file a meaningful name, which may include version or location information.

If you don't have a TFTP server installed on your system, install the TFTP server from the ORiNOCO CD. You can either install the TFTP server from the CD Wizard or run OEM-TFTP-Server.exe found in the CD's Xtras/SolarWinds sub-directory.

The Retrieve AP via TFTP tab shows version information and lets you enter TFTP information as described below.

Use the following procedure to retrieve a file from an AP to a TFTP server:

1. If retrieving a Configuration file, configure all the required parameters in their respective tabs. Reboot the device.

2. Retrieve and store the file. Click the Retrieve File button to initiate the upload of the file from the AP to the TFTP server.

3. If you retrieved a Configuration file, update the file as necessary.

4. If you retrieved a CLI Batch File or CLI Batch Log, you can examine the file using a standard text editor. For more information on CLI Batch Files, refer to CLI Batch File.

   

Retrieve File via HTTP

Use the Retrieve File via HTTP tab to retrieve configuration files, CLI Batch Files, or CLI Batch Logs from the AP. Select the type of file (Config, CLI Batch File, or CLI Batch Log) from the File Type drop-down menu.

For more information on CLI Batch Files and CLI Batch Logs refer to CLI Batch File.

A confirmation message gets displayed that asks if the user wants to proceed with retrieving the file. Click OK to continue with the operation or Cancel to abort the operation.

On clicking the Save button the following Save As window displays, where the user is prompted to choose the filename and location where the file is to be downloaded. Select an appropriate filename and location and click OK.

Reboot

Use the Reboot tab to save configuration changes (if any) and reset the AP. Entering a value of 0 (zero) seconds causes an immediate reboot. Note that Reset, described below, does not save configuration changes.

Rebooting the AP will cause all users who are currently connected to lose their connection to the network until the AP has completed the restart process and resumed operation.

Reset

Use the Reset tab to restore the AP to factory default conditions. The AP may also be reset from the RESET button located on the side of the unit. Since this will reset the Access Point's current IP address, a new IP address must be assigned. Refer to Recovery Procedures for more information.

Resetting the AP to its factory default configuration will permanently overwrite all changes that have made to the unit. The AP will reboot automatically after this command has been issued.

Help Link

To open Help, click the Help button on any display screen.

During initialization, the AP on-line help files are downloaded to the default location: C:/Program Files/ORiNOCO/AP/HTML/index.htm.

Use the forward slash character ("/") rather than the backslash character ("\") when configuring the Help Link location.

Add the AP's management IP address into the Internet Explorer list of Trusted Sites.

The ORiNOCO AP Help information is available in English, French, German, Italian, Spanish, and Japanese. The Help files are copied to your computer in one language only.

If you want to place these files on a shared drive, copy the Help Folder to the new location, and then specify the new path in the Help Link box.

Troubleshooting

This section helps you locate problems related to the AP device setup. For details about RADIUS, TFTP, serial communication programs (such as HyperTerminal), Telnet applications, or web browsers, please refer to the documentation that came with the application for assistance.

Troubleshooting Concepts

The following list identifies important troubleshooting concepts and topics. The most common initialization and installation problems relate to IP addressing. For example, you must have valid IP addresses for both the AP and the management computer to access the unit's HTTP interface.

Symptoms and Solutions

Connectivity Issues

Connectivity issues include any problem that prevents you from powering up or connecting to the AP.

AP Unit Will Not Boot - No LED Activity

1. Make sure your power source is operating.

2. Make sure all cables are connected to the AP correctly.

3. If you are using Active Ethernet, make sure you are using a Category 5, foiled, twisted pair cable to power the AP.

Serial Link Does Not Work

1. Make sure you are using a standard, straight-through, 9-pin serial cable.

2. Double-check the physical network connections.

3. Make sure your PC terminal program (such as HyperTerminal) is active and configured to the following values:
   - Com Port: (COM1, COM2, etc. depending on your computer);

   - Baud rate: 9600; Data bits: 8; Stop bits: 1; Flow Control: None; Parity: None;

   - Line Feeds with Carriage Returns

   (In HyperTerminal select:

   File -> Properties -> Settings -> ASCII Setup -> Send Line Ends with Line Feeds)

Ethernet Link Does Not Work

1. Double-check the physical network connections. Use a known-good unit to make sure the network connection is present. Once you have the AP IP address, you can use the "Ping" command over Ethernet to test the IP Address. If the AP responds to the Ping, then the Ethernet Interface is working properly.

2. By default, the Access Point will attempt to automatically detect the Ethernet settings. However, if you are having problems with the Ethernet link, manually configure the Access Point's Ethernet settings. For example, if your switch operates at 100 Mbps/Full Duplex, manually configure the Access Point to use these settings (see Ethernet). If you cannot access the unit over Ethernet, then use the CLI interface over the serial port to configure the Ethernet port (see Using the Command Line Interface (CLI) and Set Ethernet Speed and Transmission Mode).

3. Perform network infrastructure troubleshooting (check switches, routers, etc.).

Basic Software Setup and Configuration Problems

Lost AP, Telnet, or SNMP Password

Perform the Reset to Factory Default Procedure in this guide. This procedure resets system and network parameters, but does not affect the AP Image.

The default AP HTTP password is public, and the default Telnet password is also public.

Client Computer Cannot Connect

1. Client computers should have the same Network Name and security settings as the AP.

2. Network Names should be allocated and maintained by the Network Administrator.

3. Refer to the documentation that came with your client card for additional troubleshooting suggestions.

AP Has Incorrect IP Address

1. Default IP Address Assignment mode is dynamic (DHCP). If you do not have a DHCP server on your network, the default IP Address is 169.254.128.132. If you have more than one unintialized AP connected to the network, they will all have the same default IP address and you will not be able to communicate with them (due to an IP address conflict). In this case, assign each AP a static IP address via the serial cable or turn off all units but one and change the IP address using ScanTool one at a time.

2. The AP only contacts a DHCP server during boot-up. If your network's DHCP server is not available while the AP is booting, the device will retain the last IP Address it had. Reboot the AP once your DHCP server is on-line again or use the ScanTool to find the Access Point's current IP address.

3. To find the unit's current IP address if using DHCP, open the IP Client Table in the DHCP Server and match the Access Point's IP address to its MAC address (found on the product label). Alternatively, use ScanTool to identify an Access Point's current IP address.

4. Once you have the current IP address, use the HTTP or CLI Interface to change the unit's IP settings, if necessary.

5. If you use static IP Address assignments, and cannot access the unit over Ethernet, use the Initializing the IP Address using CLI procedure. Once the IP Address is set, you can use the Ethernet Interface to complete configuration.

6. Perform the Reset to Factory Default Procedure in this guide. This will reset the unit to "DHCP" mode. If there is a DHCP Server on the network, the DHCP Server will assign an IP Address to the AP.

HTTP (browser) or Telnet Interface Does Not Work

1. Make sure you are using a compatible browser: Microsoft Internet Explorer 6 with Service Pack 1 or later, or Netscape 6.1 or later.

2. Make sure you have the proper IP address. Enter your Access Point's IP Address in the browser address bar, similar to this example:

   http://192.168.1.100

   When the Enter Network Password window appears, leave the User Name field empty and enter the HTTP password in the Password field. The default HTTP password is public.

3. Use the CLI over the serial port to check the IP Access Table, which can be restricting access to Telnet and HTTP.

HTML Help Files Do Not Appear

1. Verify that the HTML Help files are installed in the default directory:

   C:\Program Files\ORiNOCO\AP\HTML\

2. If the Help files are not located in this folder, contact your network administrator to find out where the Help files are located on your server.

3. Perform the following steps to verify the location or to enter the pathname for the Help files:
   a. Click the Commands button in the HTTP interface.

   b. Select the Help tab located at the top of the screen.

   c. Enter the pathname where the Help files are located in the Help Link box.

   d. Click OK when finished.

Telnet CLI Does Not Work

1. Make sure you have the proper IP Address. Enter your AP IP address in the Telnet connection dialog, from a DOS prompt, type:

   C:\> telnet <AP IP Address>

2. Confirm that your computer has an IP address in the same IP subnet as your Access Point.

3. Use the CLI over the serial port to check the IP Access Table, which can be restricting access to Telnet and HTTP.

TFTP Server Does Not Work

1. Make sure the TFTP Server has been started.

2. Verify the IP address of the TFTP Server. The server may be local or remote, so long as it has a valid IP address.

3. Configure the TFTP Server to "point" to the folder containing the file to be downloaded (or to the folder in which the file is to be uploaded).

4. Verify that you have entered the proper AP Image file name (including the file extension) and directory path.

5. If you have a problem uploading a file, verify that the TFTP server is configured to allow uploads (typically the default setting is to allow only downloads).

Client Connection Problems

Client Software Finds No Connection

Make sure you have configured your client software with the proper Network Name and Security settings. Network Names and WEP Keys are typically allocated and maintained by your network administrator.

Client PC Card Does Not Work

1. Make sure you are using the latest PC Card driver software.

2. Download and install the latest ORiNOCO client software from http://www.proxim.com.

Intermittent Loss of Connection

1. Make sure you are within range of an active AP.

2. You can check the signal strength using the signal strength gauge on your client software.

Client Does Not Receive an IP Address - Cannot Connect to Internet

1. If the AP is configured as a DHCP server, open the Web-browser Interface and select the Configure button and then the Network tab to make sure the proper DHCP settings are being used.

2. If you are not using the DHCP server feature on the AP, then make sure that your local DHCP server is accessible from the Access Point's subnet.

3. From the client computer, use the "ping" network command to test the connection with the AP. If the AP responds, but you still cannot connect to the Internet, there may be a physical network configuration problem (contact your network support staff).

4. If using Active Ethernet, make sure you are not using a crossover Ethernet cable between the AP and the hub.

VLAN Operation Issues

Verifying Proper Operation of the VLAN Feature

The correct VLAN configuration can be verified by "pinging" both wired and wireless hosts from both sides of the AP device and the network switch. Traffic can be "sniffed" on both the wired (Ethernet) and wireless (WDS) backbones (if configured). Bridge frames generated by wireless clients and viewed on one of the backbones should contain IEEE 802.1Q compliant VLAN headers or tags. The VLAN ID in the headers should correspond to one of the VLAN User IDs configured for the AP.

16 VLAN/SSID pairs are available for the AP-600a/b/g, AP-600b/g, and APs that have an 802.11a/b/g or 802.11b/g Upgrade Kit installed. The AP-600a and AP-600b only support one VLAN/SSID pair.

VLAN Workgroups

The correct VLAN assignment can be verified by pinging the AP to ensure connectivity, by pinging the switch to ensure VLAN properties, and by pinging hosts past the switch to confirm the switch is functional. Ultimately, traffic can be "sniffed" on the Ethernet or WDS interfaces (if configured) using third-party packages. Most problems can be avoided by ensuring that 802.1Q compliant VLAN tags containing the proper VLAN ID have been inserted in the bridged frames. The VLAN ID in the header should correspond to the user's assigned network name.

What if network traffic is being directed to a nonexistent host?

- Workaround: you can configure the switch to mimic the nonexistent host

I have just configured the Management ID and now I can't manage the AP?

The manual override process disconnects all users and resets all values to factory defaults.

Active Ethernet (AE)

The AP Does Not Work

1. Verify that you are using a standard UTP Category 5 cable.

2. Try a different port on the same AE hub (remember to move the input port accordingly) - if it works, there is probably a faulty port or bad RJ-45 port connection.

3. If possible, try to connect the AP to a different AE hub.

4. Try using a different Ethernet cable - if it works, there is probably a faulty connection over the long cable, or a bad RJ-45 connection.

5. Check power plug and hub.

6. If the Ethernet link goes down, check the cable, cable type, switch, and hub.

There Is No Data Link

1. Verify that the indicator for the port is "on."

2. Verify that the AE hub is connected to the Ethernet network with a good connection.

3. Verify that the Ethernet cable is Category 5 or better and is less than 100 meters (approximately 325 feet) in length from the Ethernet source to the AP.

4. Try to connect a different device to the same port on the AE hub - if it works and a link is established, there is probably a faulty data link in the AP.

5. Try to re-connect the AP to a different output port (remember to move the input port accordingly) - if it works, there is probably a faulty output or input port in the AE hub or a bad RJ-45 connection.

"Overload" Indications

1. Verify that you are not using a cross-over cable between the AE output port and the AP.

2. Verify that there is no short over any of the twisted pair cables.

3. Move the device into a different output port - if it works, there is probably a faulty port or bad RJ-45 connection.

Recovery Procedures

The most common installation problems relate to IP addressing. For example, without the TFTP server IP Address, you will not be able to download a new AP Image to the AP. IP Address management is fundamental. We suggest you create a chart to document and validate the IP addresses for your system.

If the password is lost or forgotten, you will need to reset the AP to default values. The Reset to Factory Default Procedure resets configuration settings, but does not change the current AP Image.

If the AP has a corrupted software image, follow the Forced Reload Procedure to erase the current AP Image and download a new image.

Reset to Factory Default Procedure

Use this procedure to reset the network configuration values, including the Access Point's IP address and subnet mask. The current AP Image is not deleted. Follow this procedure if you forget the Access Point's password:

1. Press and hold the RELOAD button for 10 seconds.

   See RELOAD and RESET Buttons to identify the buttons. You need to use a pin or the end of a paperclip to press a button.

   Result: The AP reboots, and the factory default network values are restored.

2. If not using DHCP, use the ScanTool or CLI over a serial connection to set the IP address, subnet mask, and other IP parameters. See Using the Command Line Interface (CLI) for CLI information.

   

Forced Reload Procedure

Use this procedure to erase the current AP Image and download a new AP Image. In some cases, specifically when a missing or corrupted AP Image prevents successful booting, you may need to use ScanTool or the Bootloader CLI to download a new executable AP Image.

This does not delete the AP's configuration (in other words, the Forced Reload Procedure does not reset to device to factory defaults). If you need to force the AP to the factory default state after loading a new AP image, use the Reset to Factory Default Procedure above.

For this procedure, you will first erase the AP Image currently installed on the unit and then use either ScanTool or the Bootloader CLI (over the serial port) to set the IP address and download a new AP Image. Follow these steps:

1. While the unit is running, press the RESET button.

   See RELOAD and RESET Buttons to identify the buttons. You need to use a pin or the end of a paperclip to press a button.

   Result: The AP reboots and the indicators begin to flash.

   By completing Step 2, the firmware in the AP will be erased. You will need an Ethernet connection, a TFTP server, and a serial cable (if using the Bootloader CLI) to reload firmware.

2. Press and hold the RELOAD button for about 20 seconds until the POWER LED turns amber.
   Result: The AP deletes the current AP Image.

3. Follow one of the procedures below to load a new AP Image to the Access Point:
   - Download a New Image Using ScanTool

   - Download a New Image Using the Bootloader CLI

Download a New Image Using ScanTool

To download the AP Image, you will need an Ethernet connection to the computer on which the TFTP server resides and to a computer that is running ScanTool (this is either two separate computers connected to the same network or a single computer running both programs).

ScanTool detects if an Access Point does not have a valid software image installed. In this case, the TFTP Server and Image File Name parameters are enabled in the ScanTool's Change screen so you can download a new image to the unit. (These fields are grayed out if ScanTool does not detect a software image problem.)

Preparing to Download the AP Image

Before starting, you need to know the Access Point's IP address, subnet mask, the TFTP Server IP Address, and the AP Image file name. Make sure the TFTP server is running and configured to point to the folder containing the image to be downloaded.

Download Procedure

Follow these steps to use ScanTool to download a software image to an Access Point with a missing image:

1. Download the latest software from http://www.proxim.com.

2. Copy the latest software updates to your TFTP server.

3. Launch ScanTool.

4. Highlight the entry for the AP you want to update and click Change.

5. Set IP Address Type to Static.

   You must assign static IP information temporarily to the Access Point since its DHCP client function is not available when no image is installed on the device.

6. Enter an unused IP address that is valid on your network in the IP Address field. You may need to contact your network administrator to get this address.

7. Enter the network's Subnet Mask in the field provided.

8. Enter the network's Gateway IP Address, if necessary. You may need to contact your network administrator to get this address. You should only need to enter the default gateway address if the Access Point and the TFTP server are separated by a router.

9. Enter the IP address of your TFTP server in the field provided.

10. Enter the Image File Name (including the file extension). Enter the full directory path and file name. If the file is located in the default TFTP directory, you need enter only the file name.

11. Click OK.
    - Result: The Access Point will reboot and the download will begin automatically. You should see downloading activity begin after a few seconds within the TFTP server's status screen.

12. Click OK when prompted that the device has been updated successfully to return to the Scan List screen.

13. Click Cancel to close the ScanTool.

14. When the download process is complete, configure the AP as described in Getting Started and Performing Advanced Configuration.

Download a New Image Using the Bootloader CLI

To download the AP Image, you will need an Ethernet connection to the computer on which the TFTP server resides. This can be any computer on the LAN or connected to the AP with a cross-over Ethernet cable.

You must also connect the AP to a computer with a standard serial cable and use a terminal client, such as HyperTerminal. From the terminal, enter CLI Commands to set the IP address and download an AP Image.

Preparing to Download the AP Image

Before starting, you need to know the Access Point's IP address, subnet mask, the TFTP Server IP Address, and the AP Image file name. Make sure the TFTP server is running and configured to point to the folder containing the image to be downloaded.

Download Procedure

1. Download the latest software from http://www.proxim.com.

2. Copy the latest software updates to your TFTP server's default directory.

3. Use a straight-through serial cable to connect the Access Point's serial port to your computer's serial port.

   You must remove the Access Point's cable cover and front cover to access the serial port.

4. Open your terminal emulation program (like HyperTerminal) and set the following connection properties:
   Com Port: <COM1, COM2, etc., depending on your computer>

   Baud rate: 9600

   Data Bits: 8

   Stop bits: 1

   Flow Control: None

   Parity: None

5. Under File -> Properties -> Settings -> ASCII Setup, enable the Send line ends with line feeds option.
   Result: HyperTerminal sends a line return at the end of each line of code.

6. Press the RESET button on the AP.
   Result: The terminal display shows Power On Self Tests (POST) activity. After approximately 30 seconds, a message indicates: Sending Traps to SNMP manager periodically. After this message appears, press the ENTER key repeatedly until the following prompt appears:

   [Device name]>

7. Enter only the following statements:
   [Device name]> set ipaddrtype static

   [Device name]> set ipaddr <Access Point IP Address>

   [Device name]> set ipsubmask <IP Mask>

   [Device name]> set tftpipaddr <TFTP Server IP Address>

   [Device name]> set tftpfilename <AP Image File Name, including file extension>

   [Device name]> set ipgw <Gateway IP Address>

   [Device name]> show ip (to confirm your new settings)

   [Device name]> show tftp (to confirm your new settings)

   [Device name]> reboot 0

   Example:

   [Device name]> set ipaddrtype static

   [Device name]> set ipaddr 10.0.0.12

   [Device name]> set ipsubmask 255.255.255.0

   [Device name]> set tftpipaddr 10.0.0.20

   [Device name]> set tftpfilename MyImage.bin

   [Device name]> set ipgw 10.0.0.30

   [Device name]> show ip

   [Device name]> show tftp

   [Device name]> reboot 0

   Result: The AP will reboot and then download the image file. You should see downloading activity begin after a few seconds within the TFTP server's status screen.

8. When the download process is complete, configure the AP as described in Getting Started and Performing Advanced Configuration.

Setting IP Address using Serial Port

Use the following procedure to set an IP address over the serial port using the CLI. The network administrator typically provides the AP IP address.

Hardware and Software Requirements

Attaching the Serial Port Cable

1. Unlock and remove the cable cover from the AP.

2. Remove the front cover from the AP to reveal the serial port.

3. Connect one end of the serial cable to the AP and the other end to a serial port on your computer.

4. Power on the computer and AP, if necessary.

Initializing the IP Address using CLI

After installing the serial port cable, you may use the CLI to communicate with the AP. CLI supports most generic terminal emulation programs, such as HyperTerminal (which is included with the Windows operating systems). In addition, many web sites offer shareware or commercial terminal programs you can download. Once the IP address has been assigned, you can use the HTTP interface or the CLI over Telnet to complete configuration.

Follow these steps to assign the AP an IP address:

1. Open your terminal emulation program (like HyperTerminal) and set the following connection properties:
   Com Port: <COM1, COM2, etc., depending on your computer>

   Baud rate: 9600

   Data Bits: 8

   Stop bits: 1

   Flow Control: None

   Parity: None

2. Under File -> Properties -> Settings -> ASCII Setup, enable the Send line ends with line feeds option.
   Result: HyperTerminal sends a line return at the end of each line of code.

3. Press the RESET button on the AP (see RELOAD and RESET Buttons to identify the location of the RESET button).
   Result: The terminal display shows Power On Self Tests (POST) activity, and then displays a CLI prompt, similar to the example below. This process may take up to 90 seconds.

   [Device name]> Please enter password:

4. Enter the CLI password (default is public).
   Result: The terminal displays a welcome message and then the CLI Prompt:

   [Device name]>

5. Enter show ip. Result: Network parameters appear:

   

6. Change the IP address and other network values using set and reboot CLI commands, similar to the example below (use your own IP address and subnet mask). Note that IP Address Type is set to Dynamic by default. If you have a DHCP server on your network, you should not need to manually configure the Access Point's IP address; the Access Point will obtain an IP address from the network's DHCP server during boot-up.
   Result: After each entry the CLI reminds you to reboot; however wait to reboot until all commands have been entered.

   [Device name]> set ipaddrtype static

   [Device name]> set ipaddr <IP Address>

   [Device name]> set ipsubmask <IP Subnet Mask>

   [Device name]> set ipgw <Default Gateway IP Address>

   [Device name]> show ip (to confirm your new settings)

   [Device name]> reboot 0

7. After the AP reboots, verify the new IP address by reconnecting to the CLI and enter a show ip command. Alternatively, you can ping the AP from a network computer to confirm that the new IP address has taken effect.

8. When the proper IP address is set, use the HTTP interface or CLI over Telnet to configure the rest of the unit's operating parameters.