        AP-51xx Access Point Product Reference Guide
         Contents
1. Programmable SNMP v1/v2/v3 Trap Support
   Power over Ethernet Support 1-16
   MU-MU Transmission Disallow
   Voice Prioritization
   Support for CAM and PSP MUs
   Transmit Power Control 1-18
   Advanced Event Logging Capability 1-19
   Configuration File Import/Export Functionality 1-19
   Default Configuration Restoration 1-19
   Multi-Function LEDs 1-20
   Additional LAN Subnet 1-21
   On-board Radius Server Authentication 1-21
   Routing Information Protocol (RIP) 1-22
   Manual Date and Time Settings 1-23
   Theory of Operations 1-23
   MAC Layer Bridging 1-25
   Direct Sequence Spread Spectrum 1-26
2. 4. Define up to 10 access policies for the selected group within the Time Based Access Policy field.

   Use the drop-down menus on the left-hand side of the screen to define the day of the week for which each policy applies. If continual access is required, select the All Days option. If continual access is required during Monday through Friday, but not Saturday or Sunday, select the Weekdays option.

   Use the Start Time and End Time values to define the access interval (in HHMM format) for each access policy. Each policy for a given group should have unique intervals. Policies can be created for different intervals on the same day of the week.

   NOTE: Groups have a strict start and end time (as defined using the Edit Access Policy screen). Only during this period of time can authentication requests from users be honored (with no overlaps). Any authentication request outside of this defined interval is denied regardless of whether a user's credentials match or not.

   5. Refer to the WLANs field to select existing WLANs to apply to the selected group's set of access permissions. The group's existing WLANs are already selected within the Edit screen. Select those additional WLANs requiring the access per
3. Network WAN, VPN Commands 8-49
   AP51xx>admin(network.wan.content)> 8-58
   Network WAN, Dynamic DNS Commands 8-62
   Network Wireless Commands 8-66
   Network WLAN Commands 8-67
   Network Security Commands 8-80
   Network ACL Commands 8-88
   Network Radio Configuration Commands 8-93
   Network Quality of Service (QoS) Commands 8-110
   Network Bandwidth Management Commands 8-115
   Network Rogue-AP Commands 8-118
   Network MU Locationing Commands 8-131
   Network Firewall Commands 8-134
   Network Router Commands 8-139
   Adaptive AP Setup Commands 8-151
   System Access Commands 8-155
   System Certificate Management Commands 8-158
   System SNMP Commands 8-171
   System SNMP Access Commands 8-172
   System SNMP Traps Commands
4. Scenario 1 - Two Base Bridges and One Client Bridge 9-20
   Verifying Mesh Network Functionality for Scenario 1 9-30
   Scenario 2 - Two Hop Mesh with a Base and Client Bridge 9-31
   Verifying Mesh Network Functionality for Scenario 2 9-36
   Mesh Networking Frequently Asked Questions 9-37

   Chapter 10. Adaptive AP
   Adaptive AP Overview 10-1
   Where to Go From Here 10-2
   Adaptive AP Management 10-3
   Types of Adaptive APs 10-3
   Auto Discovery using DHCP 10-4
   Manual Adoption Configuration 10-5
   Securing a Configuration Channel Between Switch and AP 10-6
   Adaptive AP WLAN Topology 10-6
   Securing Data Tunnels between the Switch and AAP
5. Goes to the root menu.
   save    Saves configuration to system flash.
   quit    Quits the CLI.

   AP51xx>admin(system.logs)> show

   Description:
   Displays the current access point logging settings.

   Syntax:
   show    Displays the current access point logging configuration.

   Example:
   admin(system.logs)>show

   log level                : L6 Info
   syslog server logging    : enable
   syslog server ip address : 192.168.0.102

   For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-47.

   AP51xx>admin(system.logs)> set

   Description:
   Sets log options and parameters.

   Syntax:
   set level <level>    Sets the level of the events that will be logged. All events with a level at or above <level> (L0-L7) will be saved to the system log.
                        L0: Emergency
                        L1: Alert
                        L2: Critical
                        L3: Errors
                        L4: Warning
                        L5: Notice
                        L6: Info (default setting)
                        L7: Debug
       mode <op-mode>   Enables or disables syslog server logging.
       ipadr <ip>       Sets the external syslog server IP address to <ip> (a.b.c.d).

   admin(system.logs)>set mode enable
   admin(system.logs)>set level L4
   admin(system.logs)>set ipadr 157.235.112.11

   For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-47.

   AP51xx>admin(system.logs)> view

   Description:
   Displays the access point system log f
6. ..      Goes to the parent menu.
   /       Goes to the root menu.
   save    Saves the current configuration to the access point system flash.
   quit    Quits the CLI and exits the current session.

   For an overview of the WAN configuration options using the applet (GUI), see Configuring WAN Settings on page 5-16.

   AP51xx>admin(network.wan)> show

   Description:
   Displays the access point WAN port parameters.

   Syntax:
   show    Shows the general IP parameters for the WAN port along with settings for the WAN interface.

   Example:
   admin(network.wan)>show

   Status                    : enable
   WAN DHCP Client Mode      : enable
   IP Address                : 157.235.112.32
   Network Mask              : 0.0.0.0
   Default Gateway           : 0.0.0.0
   Primary DNS Server        : 0.0.0.0
   Secondary DNS Server      : 0.0.0.0

   Auto-negotiation          : disable
   Speed                     : 100M
   Duplex                    : full

   WAN IP 2                  : disable
   WAN IP 3                  : disable
   WAN IP 4                  : disable
   WAN IP 5                  : disable
   WAN IP 6                  : disable
   WAN IP 7                  : disable
   WAN IP 8                  : disable

   PPPoE Mode                : enable
   PPPoE User Name           : JohnDoe
   PPPoE Password            : *******
   PPPoE keepalive mode      : enable
   PPPoE Idle Time           : 600
   PPPoE Authentication Type : chap
   PPPoE State               :

   admin(network.wan)>

   For an overview of the WAN configuration options available using the applet (GUI), see Configuring WAN Settings on page 5-76.

   AP51xx>admin(network.wan)> set

   Description:
   Defines the configuration of the access point WAN port.

   Synta
7. Adds an entry to the SNMP access control list with <ip1> as the starting IP address and <ip2> as the ending IP address.

   <oid>
   comm   - community string, 1 to 31 characters
   access - read/write access (ro, rw)
   oid    - string, 1 to 127 chars (e.g. 1.3.6.1)

   <oid> <sec> <priv> <pass2>
   user   - username, 1 to 31 characters
   access - read/write access (ro, rw)
   oid    - string, 1 to 127 chars (e.g. 1.3.6.1)
   sec    - security (none, auth, auth/priv)
   auth   - algorithm (md5, sha1); required only if sec is auth or auth/priv
   pass1  - auth password, 8 to 31 chars; required only if sec is auth or auth/priv
   priv   - algorithm (des, aes); required only if sec is auth/priv
   pass2  - privacy password, 8 to 31 chars; required only if sec is auth/priv

   The following parameters must be specified if <sec> is not none:
   Authentication type <auth> set to md5 or sha1
   Authentication password <pass1> (8 to 31 chars)

   The following parameters must be specified if <sec> is set to auth/priv:
   Privacy algorithm set to des or aes
   Privacy password <pass2> (8 to 31 chars)

   For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-33.

   AP51xx>admin(system.snmp.access)> delete

   Description:
   Deletes SNMP access entries for specific v1v2 and v3 user definitions.

   Syntax:
   delete acl <
8. 6.14.5 Defining User Access Permissions by Group

   An external AAA server maintains the users and groups database used by the access point for access permissions. Various kinds of access policies can be applied to each group. With this latest 2.0 version access point firmware, individual groups can be associated with their own time-based access policy. Each group's policy has a user-defined interval defining the days and hours access is permitted. Authentication requests for users belonging to the group are honored only during these defined hourly intervals.

   Refer to the Access Policy screen to define WLAN access for the user group(s) defined within the Users screen. Each group created within the Users screen displays in the Access Policy screen within the groups column. Similarly, existing WLANs can be individually mapped to user groups by clicking the WLANs button to the right of each group name. For more information on creating groups and users, see Managing the Local User Database on page 6-72. For information on creating a new WLAN or editing the properties of an existing WLAN, see Creating/Editing Individual WLANs on page 5-30.

   access point user permissions, ensure UTC has been selected from the Date and Time Settings screen's Time Zone field. If UTC is not selected, time based authentication will not work properly. For information on setting the time zone for the access point, see Configuring Net
9. CAUTION: Using an antenna other than the Dual-Band Antenna (Part No. ML-2452-APA2-01) could render the AP-5131's Rogue AP Detector Mode feature inoperable. Contact your Motorola sales associate for specific information.

   A.4.1.1 2.4 GHz Antenna Matrix

   The following table describes each 2.4 GHz antenna approved for use with the AP-5131.

   Part Number          Antenna Type               Nominal Net Gain (dBi)
   ML-2499-11PNA2-01R   Wide Angle Directional     8.5
   ML-2499-HPA3-01R     Omni-Directional Antenna   3.3
   ML-2499-BYGA2-01R    Yagi Antenna               13.9
   ML-2452-APA2-01      Dual-Band                  3.0

   A.4.1.2 5 GHz Antenna Matrix

   The following table describes each 5 GHz antenna approved for use with the AP-5131.

   Part Number          Antenna Type                         Nominal Net Gain (dBi)
   ML-5299-WPNA1-01R    Panel Antenna                        13.0
   ML-5299-HPA1-01R     Wide-Band Omni-Directional Antenna   5.0
   ML-2452-APA2-01      Dual-Band                            4.0

   A.4.1.3 AP-5131 Additional Antenna Components

   The following table lists the Motorola part number for various antenna accessories. This table also includes the loss for each accessory at both 2.4 and 5 GHz.

   Columns: Item, Part Number, Description, Loss (db) 2.4 GHz, Loss (db) 5 GHz

   72PJ  ML-1499-72PJ-01R  Cable Extension  2.5
   LAK1  ML-1499-LAK1-01R  Lightning Arrestor  0.75
   LAK2  ML-1499-LAK2-01R  Lightning Arrestor  0.25
   10JK  ML-1499-10JK-01R  Jumper
10. • Try re-setting the shared secret password on the access point.

    Question 12: My tunnel works fine when I use the LAN-WAN Access page to configure my firewall. Now that I use Advanced LAN Access, my VPN stops working. What am I doing wrong?

    VPN requires certain packets to be passed through the firewall. Subnet Access automatically inserts these rules for you when you do VPN. Advanced Subnet Access requires these rules to be in effect for each tunnel.

    • An "allow" inbound rule:
      Src       <Remote Subnet IP range>
      Dst       <Local Subnet IP range>
      Transport ANY
      Src port  1-65535
      Dst port  1-65535
      Rev NAT   None

    • An "allow" outbound rule:
      Src       <Local Subnet IP range>
      Dst       <Remote Subnet IP range>
      Transport ANY
      Src port  1-65535
      Dst port  1-65535
      NAT       None

    • For IKE, an "allow" inbound rule:
      Src       <Remote Subnet IP range>
      Dst       <WAN IP address>
      Transport UDP
      Src port  1-65535
      Dst port  500
      Rev NAT   None

    These three rules should be configured above all other rules (default or user defined). When Advanced LAN Access is used, certain inbound/outbound rules need to be configured to control incoming/outgoing packet flow for IPSec to work properly (with Advanced LAN Access). These rules should be configured first, before other rules are configured.

    Question 13: Do I need to add any special routes on the access point to get my VPN tunnel to work?

    No. However, clients could nee
11. Adaptive AP Switch Failure 10-7
    Remote Site Survivability (RSS) 10-7
    Adaptive Mesh Support 10-7
    Supported Adaptive AP Topologies 10-9
    Topology Deployment Considerations 10-9
    Extended WLANs Only 10-10
    Independent WLANs Only 10-10
    Extended WLANs with Independent WLANs 10-10
    Extended WLAN with Mesh Networking 10-11
    How the AP Receives its Adaptive Configuration 10-11
    Establishing Basic Adaptive AP Connectivity 10-13
    Adaptive AP Configuration 10-13
    Adopting an Adaptive AP Manually 10-13
    Adopting an Adaptive AP Using a Configuration File 10-15
    Adopting an Adaptive AP Using DHCP Options 10-15
    Switch Configuration 10-16
    Adaptive AP Deployment Considerations 10-19
    Sample Switch Configuration File for IPSec and Independent WLAN 10-20

    Appendix A. Technical Specifications
    AP-5131 Physical Characteristics
    AP-5181 Physical
12. Each WLAN (16 WLANs available in total to an access point regardless of the model) can have a separate security policy. However, more than one WLAN can use the same security policy. Therefore, to avoid confusion, do not give security policies the same names as WLANs. Once security policies have been created, they are selectable within the Security field of each WLAN screen. If the existing default security policy does not satisfy the data protection requirements of a specific WLAN, a new security policy (using the authentication and encryption schemes discussed above) can be created.

    To enable an existing WLAN security policy or create a new policy:

    1. Select Network Configuration -> Wireless -> Security from the access point menu tree. The Security Configuration screen displays.

    2. If a new security policy is required, click the Create button.

       The New Security Policy screen displays with the Manually Pre-shared key/No authentication and No Encryption options selected. Naming and saving such a policy (as is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received.

       However, selecting any other authentication or encryption checkbox displays a configuration field for the selected security scheme within the New Security Policy screen.

    NOTE: An existing security policy can be edited from the Security Configuration s
13. IP address  String  String  String  String

    f. Highlight Scope Options from the tree and select Configure Options.

    g. Go to the Advanced tab. From under the Vendor Class AP51xx Options, check all three options mentioned in the table above and enter a value for each option.

    Copy the firmware and configuration files to the appropriate directory on the TFTP Server.

    Restart the access point.

    • Obtains and applies the expected IP Address from the DHCP Server.
    • Downloads both the firmware and configuration files from the TFTP Server and updates both as needed. Verify the file versions within the System Settings screen.

    NOTE: If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point, or if the configuration file versions are the same, the access point configuration will not get updated.

    B.1.1.2 Global Options - Using Extended/Standard Options

    The following are instructions for automatic firmware and configuration file updates via DHCP using extended options or standard options configured globally.

    The setup example described in this section includes:

    • 1 AP-5131 or AP-5181 model access point
    • 1 Microsoft Windows DHCP Server
    • 1 TFTP Server

    To configure Global options using extended/standard options:

    1. Set the Windows DHCP Server and access point on the same Ethernet s
14. Refer to the Number of Responses value to assess the number of responses from the MU versus the number of ping packets transmitted by the access point. Use the ratio of packets sent versus the number of packets received to assess the link quality between the MU and the access point.

    Click the OK button to exit the Echo Test screen and return to the MU Stats Summary screen.

    3.5.3 Where to Go from Here

    Once basic connectivity has been verified, the access point can be fully configured to meet the needs of the network and the users it supports. Refer to the following:

    • For detailed information on access point device access, SNMP settings, network time, importing/exporting device configurations and device firmware updates, see Chapter 4, System Configuration on page 4-1.
    • For detailed information on configuring access point LAN interface (subnet) and WAN interface, see Chapter 5, Network Management on page 5-1.
    • For detailed information on configuring specific encryption and authentication security schemes for individual access point WLANs, see Chapter 6, Configuring Access Point Security on page 6-1.
    • To view detailed statistics on the access point and its associated MUs, see Chapter 7, Monitoring Statistics on page 7-1.

    System Configuration

    The access point contains a built-in browser interface for system configuration and remote management using a standard Web browser such as Microsoft Inter
15. Syntax:
    delete <idx>    Deletes static switch address assignments by selected index.
           <all>    Deletes all assignments.

    Example:
    admin(system.aap-setup)>delete 1
    admin(system.aap-setup)>

    For information on configuring Adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

    For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

    8.4.2 System Access Commands

    AP51xx>admin(system)>access

    Description:
    Displays the access point access submenu.

    show    Displays access point system access capabilities.
    set     Goes to the access point system access submenu.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the current configuration to the access point system flash.
    quit    Quits the CLI and exits the current session.

    AP51xx>admin(system.access)>set

    Description:
    Defines the permissions to access the access point applet, CLI, SNMP as well as defining their timeout values.

    Syntax:
    set applet, app-timeout, cli, ssh, trusted-host, auth-timout, inactive-timeout, snmp, admin-auth, server, port, secret, mode, msg

    <minutes>

    Defines the applet HTTP/HTTPS access parameters.
    Sets the applet timeout. Default is 300 Mins.
    Defines CLI Telnet access parameters. Enables/disables access from lan and wan.
    Sets the CLI SSH access parameters.

    <mode> <range
16. delete    Deletes an MU ACL table entry, including starting and ending MAC address ranges.
    change    Completes the changes made and exits the session.
              Cancels the changes made and exits the session.

    For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-37.

    AP51xx>admin(network.wireless.acl)> delete

    Description:
    Removes an MU ACL policy.

    Syntax:
    delete <acl-name>    Deletes a particular MU ACL policy.
           all           Deletes all MU ACL policies (except for the default policy).

    For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-37.

    8.3.3.4 Network Radio Configuration Commands

    AP51xx>admin(network.wireless.radio)>

    Description:
    Displays the access point Radio submenu. The items available under this command include:

    show      Summarizes access point radio parameters at a high level.
    set       Defines the access point radio configuration.
    radio     Displays the 802.11b/g radio submenu.
    radio2    Displays the 802.11a radio submenu.
    ..        Goes to the parent menu.
    /         Goes to the root menu.
    save      Saves the configuration to system flash.
    quit      Quits the CLI.

    AP51xx>admin(network.wireless.radio)> show

    Description:
    Di
17. length    Determines ping packet length in bytes (1-539).
    data      Defines the particular packet data.

    Example:
    admin(stats.ping)>set station 00A0F843AABB
    admin(stats.ping)>set request 10
    admin(stats.ping)>set length 100
    admin(stats.ping)>set data 1
    admin(stats.ping)>

    For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-32.

    AP51xx>admin(stats.echo)> start

    Description:
    Initiates the ping test.

    Syntax:
    start    Initiates the ping test.

    Example:
    admin(stats.ping)>start
    admin(stats.ping)>list

    Station Address        : 00A0F843AABB
    Number of Pings        : 10
    Packet Length          : 100
    Packet Data (in HEX)   : r
    Number of AP Responses : 2

    For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-32.

    Configuring Mesh Networking

    9.1 Mesh Networking Overview

    An AP-51xx can be configured in two modes to support the new mesh networking functionality. The access point can be set to a client bridge mode and/or a base bridge mode (which accepts connections from client bridges). Base bridge and client bridge mode can be used at the same time by an individual access point to optimally bridge traffic to other members of the mesh network and service associated MUs.

    An access point in client bridge mode scans to locate other access points using the WLAP client's ESSID. Then it is required to
18. "motorola" as now required with the 2.0 baseline.

    If the shared secret password is not changed to "motorola" there will be a shared secret mis-match resulting in MU authentication failures. This password cannot be set using the access point Web UI, and must be changed using the CLI. For information on changing the shared secret password using the access point CLI, see AP51xx>admin(network.wireless.security)> create on page 8-82.

    CAUTION: If importing a 1.1 baseline configuration onto this 2.2 baseline, the

    CAUTION: Motorola discourages importing a 1.0 baseline configuration file to a 1.1 version access point. Similarly, a 1.1 baseline configuration file should not be imported to a 1.0 version access point. Importing configuration files between different version access points results in broken configurations, since new features added to the 1.1 version access point cannot be supported in a 1.0 version access point.

    To create an importable/exportable access point configuration file:

    1. Select System Configuration -> Config Import/Export from the access point menu tree.

    2. Configure the FTP and TFTP Import Expo
19. Enter Start IP and End IP addresses (numerical addresses only, no DNS names supported) to specify a range of users that can access the access point SNMP interface. An SNMP-capable client can be set up whereby only the administrator (for example) can use a read/write community definition.

    Use just the Starting IP Address column to specify a single SNMP user. Use both the Starting IP Address and Ending IP Address columns to specify a range of addresses for SNMP users.

    To add a single IP address to the ACL, enter the same IP address in the Start IP and End IP fields.

    Leave the ACL blank to allow access to the SNMP interface from the IP addresses of all authorized users.

    Click Add to create a new ACL entry.

    Click Edit to revise an existing ACL entry.

    Click Delete to remove a selected ACL entry for one or more SNMP users.

    OK: Click Ok to return to the SNMP Access screen. Click Apply within the SNMP Access screen to save any changes made on the SNMP Access Control screen.

    Cancel: Click Cancel to undo any changes made on the SNMP Access Control screen. This reverts all settings for this screen to the last saved configuration.

    4.5.2 Enabling SNMP Traps

    SNMP provides the ability to send traps to notify the administrator that trap conditions are met. Traps are network packets containing data relating to network devices, or SNMP agents, that send the traps. SNMP management applicatio
20. Click the Clear WAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared.

    Do not clear the WAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

    Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

    7.2 Viewing LAN Statistics

    Use the LAN Stats screen to monitor the activity of the access point's LAN1 or LAN2 connection. The Information field of the LAN Stats screen displays network traffic information as monitored over the access point LAN1 or LAN2 port. The Received and Transmitted fields of the screen display statistics for the cumulative packets, bytes, and errors received and transmitted over the LAN1 or LAN2 port since it was last enabled or the access point was last restarted. The LAN Stats screen is view-only with no user-configurable data fields.

    To view access point LAN connection stats:

    1. Select Status and Statistics -> LAN Stats -> LAN1 Stats (or LAN2 Stats) from the access point menu tree.
21. • If deploying multiple independent WLANs mapped to different VLANs, ensure the AP's LAN1 interface is connected to a trunk port on the L2/L3 switch and appropriate management and native VLANs are configured.
    • The WLAN used for mesh backhaul must always be an independent WLAN.
    • The switch configures an AAP. If manually changing wireless settings on the AP, they are not updated on the switch. It's a one-way configuration, from the switch to the AP.
    • An AAP always requires a router between the AP and the switch.
    • An AAP can be used behind a NAT.
    • An AAP uses UDP port 24576 for control frames and UDP port 24577 for data frames.
    • Multiple VLANs per WLAN, L3 mobility, dynamic VLAN assignment, NAC, self healing, rogue AP, MU locationing, hotspot on extended WLAN are some of the important wireless features not supported in an AAP supported deployment.

    10.4.4 Sample Switch Configuration File for IPSec and Independent WLAN

    The following constitutes a sample RFS7000 switch configuration file supporting an AAP IPSec with Independent WLAN configuration. Please note new AAP specific CLI commands in red and relevant comments in blue.

    The sample output is as follows:

    configuration of RFS7000 RFS7000 1 version 1 1 0 0 016D
    version 1 0
    aaa authentication login default none
    service prompt crash info
    hostname RFS7000 1
    username admin password 1 8e67bb26b358e2ed20fe552ed6th8
22. *********
    disable
    disable
    disable
    Default

    For information on displaying WLAN information using the applet (GUI), see Enabling Wireless LANs (WLANs) on page 5-27.

    AP51xx>admin(network.wireless.wlan)> create

    Description:
    Defines the parameters of a new WLAN.

    Syntax:
    create
    show wlan <number>         Displays newly created WLAN and policy number.
    set ess <essid>            Defines the ESSID for a target WLAN.
        wlan-name <name>       Determines the name of this particular WLAN (1-32).
        11a <mode>             Enables or disables access to the access point 802.11a radio.
        11bg <mode>            Enables or disables access to the access point 802.11b/g radio.
        mesh <mode>            Enables or disables the Client Bridge Mesh Backhaul option.
        hotspot <mode>         Enables or disables the Hotspot mode.
        max-mu <number>        Defines the maximum number of MU able to operate within the WLAN (default = 127 MUs).
        idle-timeout <number>  Sets the MU idle timeout in minutes. The default value is 30 minutes.
        security <name>        Sets the security policy to the WLAN (1-32).
        acl <name>             Sets the MU ACL policy to the WLAN (1-32).
        passwd <ascii string>  Defines a Kerberos password used if the WLAN's security policy uses a Kerberos server based authentication scheme.
        sbeacon <mode>
        bcast <mode>
        qos <name>
    add-wlan

    Example:

        no-mu-mu <mode>        Enables or disables MUs associated to the same WLAN to not communica
23.    Use the checkbox to enable Point to Point over Ethernet (PPPoE) for a high speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE allows a host PC to use a broadband modem (DSL) for access to high-speed data networks.

Specify a username entered when connecting to the ISP. When the Internet session begins, the ISP authenticates the username.

Specify a password entered when connecting to the ISP. When the Internet session starts, the ISP authenticates the password.

Displays the current connection state of the PPPoE client. When a PPPoE connection is established, the status displays Connected. When no PPPoE connection is active, the status displays Disconnected.

Select the Keep Alive checkbox to maintain the WAN connection indefinitely (no timeout interval). Some ISPs terminate inactive connections. Enabling Keep Alive keeps the access point's WAN connection active, even when there is no traffic. If the ISP drops the connection after an idle period, the access point automatically re-establishes the connection to the ISP. Enabling Keep Alive mode disables (grays out) the Idle Time field.

Idle Time (seconds)    Specify an idle time in seconds to limit how long the access point's WAN connection remains active after outbound and inbound traffic is not detected. The Idle Time field is grayed out if Keep 
24.    checkbox to enable the server to listen for incoming syslog messages and decode the messages into a log for viewing.

Syslog server IP address    If the Enable logging to an external syslog server checkbox is selected, the numerical (non DNS name) IP address of an external syslog server is required in order to route the syslog events to that destination.

3. Click Apply to save any changes to the Logging Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

4. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Logging Configuration screen to the last saved configuration.

5. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

4.8 Importing/Exporting Configurations

All of the configuration settings for an access point can be obtained from another access point in the form of a text file. Additionally, all of the access point's settings can be downloaded to another access point. Use the file-based configuration feature to speed up the setup process significantly at sites using multiple access points.

Another benefit is the opportunity to save the current AP configuration before making significant changes or restoring the default configuration. All options on the access point are deleted and updat
25.    >

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-46.

AP51xx>admin network wireless wlan hotspot> white list

Description:

Goes to the hotspot white list menu.

Syntax:

white list
  add <rule>    Adds hotspot whitelist rules by index (1-16) for specified IP address.
  clear         Clears hotspot whitelist rules for specified index (1-16).
  show          Shows hotspot whitelist rules for specified index (1-16).
  save          Saves the updated hotspot configuration to flash memory.
  quit          Quits the CLI session.
  ..            Goes to the parent menu.
  /             Goes to the root menu.

Example:

admin network wireless wlan hotspot whitelist>add rule 1 157.235.21.21

admin network wireless wlan hotspot whitelist>show white rule 1

WLAN 1  Hotspot Mode  WhiteList Rules

157.235.21.21

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-46.

8.3.3.2 Network Security Commands

AP51xx>admin network wireless security>

Description:

Displays the access point wireless security submenu. The items available under this command include:

  show      Displays the access point's current security configuration.
  set       Sets security parameters.
  create    Defines the parameters of a security policy.
  edit      Ed
26.    see Configuring Router Settings on page 5-71.

AP51xx>admin network router> set

Description:

Shows the access point route table.

Syntax:

set
  auth         Sets the RIP authentication type.
  dir          Sets RIP direction.
  id           Sets MD5 authentication ID.
  key          Sets MD5 authentication key.
  passwd       Sets the password for simple authentication.
  type         Defines the RIP type.
  dgw iface    Sets the default gateway interface.

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-71.

AP51xx>admin network router> add

Description:

Adds user-defined routes.

Syntax:

add <dest> <netmask> <gw> <iface> <metric>    Adds a route with destination IP address <dest>, IP netmask <netmask>, destination gateway IP address <gw>, interface LAN1, LAN2 or WAN <iface>, and metric set to <metric> (1-65536).

Example:

admin network router>add 192.168.3.0 255.255.255.0 192.168.2.1 LAN1 1

admin network router>list

index  destination  netmask        gateway      interface  metric
1      192.168.3.0  255.255.255.0  192.168.2.1  lan1       1

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-71.

AP51xx>admin network router> delete

Description:

Deletes user defin
27.    selected WLAN. The number in black represents MU noise for the last 30 seconds and the number in blue represents MU noise for the last hour. If MU noise is excessive, consider moving the MU closer to the access point, or in area with less conflicting network traffic.

Displays the average Signal to Noise Ratio (SNR) for all MUs associated with the selected WLAN. The Signal to Noise Ratio is an indication of overall RF performance on your wireless networks.

Refer to the Errors field to view MU association error statistics for the WLAN selected from the access point menu tree.

Avg Num of Retries    Displays the average number of retries for all MUs associated with the selected WLAN. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

Dropped Packets    Displays the percentage of packets which the AP gave up on for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

of Undecryptable Pkts    Displays the percentage of undecryptable packets for all MUs associated with the selected WLAN. The number in black represents undecryptable pkts for the last 30 seconds and the number in blue represents undecryptable pkts for the last hour.

NOTE The Apply and Undo Changes buttons are not a
28.   1.3.6.1
security level : auth priv
auth algorithm : md5
auth password : ********
privacy algorithm : des
privacy password : ********

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-33.

8.4.4.2 System SNMP Traps Commands

AP51xx>admin system snmp traps

Description:

Displays the SNMP traps submenu. The items available under this command are shown below.

  show      Shows SNMP trap parameters.
  set       Sets SNMP trap parameters.
  add       Adds SNMP trap entries.
  delete    Deletes SNMP trap entries.
  list      Lists SNMP trap entries.
  ..        Goes to the parent menu.
  /         Goes to the root menu.
  save      Saves the configuration to system flash.
  quit      Quits the CLI.

AP51xx>admin system snmp traps> show

Description:

Shows SNMP trap parameters.

Syntax:

show
  trap         Shows SNMP trap parameter settings.
  rate trap    Shows SNMP rate trap parameter settings.

Example:

admin system snmp traps>show trap

SNMP MU Traps
mu associated : enable
mu unassociated : disable
mu denied association : disable
mu denied authentication : disable

SNMP Traps
snmp authentication failure : disable
snmp acl violation : disable

SNMP Network Traps
physical port status change : enable
denial of service : enable
denial of service trap rate limit : 10 seconds

SNMP System Traps
system cold start : disable
system config changed  
29.   1.1.12 Radius Time Based Authentication

An external server maintains a users and groups database used by the access point for access permissions. Various kinds of access policies can be applied to each group. Individual groups can be configured with their own time-based access policy. Each group's policy has a user-defined interval defining the days and hours access is permitted. Authentication requests for users belonging to the group are honored only during these defined hourly intervals.

For more information on defining access point access policies by group, see Defining User Access Permissions by Group on page 6-76.

1.1.13 QBSS Support

Each access point radio can be configured to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access point and the access point's station count. This information is very helpful in assessing the access point's overall load on a channel, its availability for additional device associations and multi-media traffic support.

For information on enabling QBSS and defining the channel utilization transmission interval, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

1.2 Feature Overview

The access point has the following features carried forward from previous 
30.   AP51xx>admin network lan type filter> delete

Description:

Removes an Ethernet Type Filter entry individually or the entire Type Filter list.

Syntax:

delete
  <LAN idx> <entry idx>    Deletes the specified Ethernet Type entry index (1 through 16).
  <LAN idx> all            Deletes all Ethernet entries currently in list.

Example:

admin network lan type filter>delete 1 1
admin network lan type filter>show 1

Ethernet Type Filter mode : allow
index ethernet type
0806
0800
8782

admin network lan type filter>delete 2 all
admin network lan type filter>show 2

Ethernet Type Filter mode : allow

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-15.

8.3.2 Network WAN Commands

AP51xx>admin network wan>

Description:

Displays the WAN submenu. The items available under this command are shown below.

  show       Displays the access point WAN configuration and the access point's current PPPoE configuration.
  set        Defines the access point's WAN and PPPoE configuration.
  nat        Displays the NAT submenu, wherein Network Address Translations (NAT) can be defined.
  vpn        Goes to the VPN submenu, where the access point VPN tunnel configuration can be set.
  content    Goes to the outbound content filtering menu.
  dyndns     Displays the Dynamic DNS submenu, wherein dyndns settings can be defined
31.   An AP-5181 model access point houses four LEDs on the bottom/back side of the unit.

For detailed information on the access point LEDs and their functionality, see AP-5131 LED Indicators on page 2-23 or AP-5181 LED Indicators on page 2-29.

1.2.24 Mesh Networking

Utilize the new mesh networking functionality to allow the access point to function as a bridge to connect two Ethernet networks or as a repeater to extend your network's coverage area without additional cabling. Mesh networking is configurable in two modes. It can be set in a wireless client bridge mode and/or a wireless base bridge mode (which accepts connections from client bridges). These two modes are not mutually exclusive.

In client bridge mode, the access point scans to find other access points using the selected WLAN's ESSID. The access point must go through the association and authentication process to establish a wireless connection. The mesh networking association process is identical to the access point's MU association process. Once the association/authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the access point (in client bridge mode) to begin forwarding configuration packets to the base bridge. An access point in base bridge mode allows the access point radio to accept client bridge connections.

The two bridges communicate using the Spanning Tree Protocol (STP). The spanning tree determines the path to 
32.   Auto Update Enabled | Auto Update Enabled | Auto Update Enabled
255.255.255.0 | Default Gateway | Default Gateway | Default Gateway
DHCP Server Enabled | Ethernet Port Enabled | Ethernet Port Enabled | Ethernet Port Enabled
LAN2 | Not applicable in 1.0 release, no LAN2 support | Static IP: 192.168.1.1, Static Mask: 255.255.255.0, DHCP Server Enabled | Disabled | Disabled
Access via WAN port | HTTPS, SSH, SNMP: Enabled | HTTP, HTTPS, SSH, SNMP, Telnet: Enabled | HTTP, HTTPS, SSH, SNMP, Telnet: Enabled | HTTP, HTTPS, SSH, SNMP, Telnet: Enabled

3.4 Initially Connecting to the Access Point

NOTE The procedures described below assume this is the first time you are connecting to either an AP-5131 or AP-5181 model access point.

3.4.1 Connecting to the Access Point using the WAN Port

To initially connect to the access point using the access point's WAN port:

1. Connect AC power to the access point, as Power Over Ether support is not available on the access point's WAN port.

2. Start a browser and enter the access point's static IP WAN address (10.1.1.1). The default password is "motorola".

3. Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic) configuration of the access point.

3.4.2 Connecting to the Access Point using the LAN Port

To initially connect to the access point using the access point's LAN port:

1. The LAN port default is set to DHC
33.   Click the Create button to configure a new QoS policy, or select a policy and click the Edit button to modify an existing QoS policy. The access point supports a maximum of 16 QoS policies.

[Screenshot: New QoS Policy screen]

3. Assign a name to the new or edited QoS policy that makes sense to the access point traffic receiving priority. More than one WLAN can use the same QoS policy.

4. Select the Support Voice prioritization checkbox to allow legacy voice prioritization.

Certain products may not receive priority over other voice or data traffic. Consequently, ensure the Support Voice Prioritization checkbox is selected if using products that do not support Wi-Fi Multimedia (WMM) to provide preferred queuing for these VOIP products.

If the Support Voice Prioritization checkbox is selected, the access point will detect non-WMM capable (legacy) phones that connect to the access point and provide priority queueing for their traffic over normal data.

NOTE Wi-fi functionality requires both the access point and its associated cl
34.   8.4.1 Adaptive AP Setup Commands

AP51xx>admin system>aap setup

Description:

Displays the Adaptive AP submenu.

  show      Displays Adaptive AP information.
  set       Defines the Adaptive AP configuration.
  delete    Deletes static switch address assignments.
  ..        Goes to the parent menu.
  /         Goes to the root menu.
  save      Saves the current configuration to the access point system flash.
  quit      Quits the CLI and exits the current session.

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.

For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

AP51xx>admin system aap setup>show

Description:

Displays the access point's Adaptive AP configuration.

Syntax:

show    Displays the access point's Adaptive AP configuration.

Example:

admin system aap setup>show

Auto Discovery Mode : disable
Switch Interface : lan1
Switch Name : greg
Static IP Port : 24576
Static IP Address
IP Address 1
IP Address 2
IP Address 3
IP Address 4
IP Address 5
IP Address 6
IP Address 7
IP Address 8
IP Address 9
IP Address 10
IP Address 11
IP Address 12
35.   Destination IP    Displays the destination IP address for each tunnel configured to use IKE for automatic key exchange.

Remaining Life    Lists the remaining life of the current IKE key for each tunnel. When the remaining life on the IKE key reaches 0, IKE initiates a negotiation for a new key. IKE keys associated with a renegotiated tunnel.

5. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

6.12 Configuring Content Filtering Settings

Content filtering allows system administrators to block specific commands and URL extensions from going out through the access point's WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful data and network screening tool. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests.

To configure content filtering for the access point:

1. Select Network Configuration -> WAN -> Content Filtering from the access point menu tree.

2. Configure the HTTP field to block Web proxies and URL extensions.

Block Outbound HTTP    HyperText Transport Protocol (HTTP) is the protocol used to transfer information to and from Web sites. HTTP Blocking al
36.   Displays the list of inbound NAT entries.

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

AP51xx>admin network wan nat> delete

Description:

Deletes NAT entries.

Syntax:

delete
  <idx> <entry>    Deletes a specified NAT index entry <entry> associated with the WAN.
  <idx> all        Deletes all NAT entries associated with the WAN.

Example:

admin network wan nat>list 1

index  name     prot  start port  end port  internal ip    translation port
1      special  tcp   20          21        192.168.42.16  21

admin network wan nat>delete 1 1

admin network wan nat>list 1

index  name     prot  start port  end port  internal ip    translation port

Related Commands:

  add     Adds entries to the list of inbound NAT entries.
  list    Displays the list of inbound NAT entries.

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

AP51xx>admin network wan nat> list

Description:

Lists access point NAT entries for the specified index.

Syntax:

list <idx>    Lists the inbound NAT entries associated with the WAN index (1-8).

Example:

admin network wan nat>list 1

index  name     transport  start port  end port  internal ip    translation port
1      special  tcp        20          21        192.168.42.16  21

Related Commands:

1    de
37.   For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.

AP51xx>admin system config> partial

Description:

Restores a partial factory default configuration. The access point's LAN, WAN and SNMP settings are unaffected by the partial restore.

Syntax:

default    Restores a partial access point configuration.

Example:

admin system config>partial

Are you sure you want to partially default AP 51xx? <yes/no>

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.

AP51xx>admin system config> show

Description:

Displays import/export parameters for the access point configuration file.

Syntax:

show    Shows all import/export parameters.

Example:

admin system config>show

cfg filename : cfg.txt
cfg filepath :
ftp tftp server ip address : 192.168.0.101
ftp user name : myadmin
ftp password : ********

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.

AP51xx>admin system config> set

Description:

Sets the import/export parameters.

Syntax:

set file <filename>    Sets the configuration file name (1 to 39 charac
38.   QBSS Load Element Mode

indoor
00A0F8715920
802.11a
user selection
44 153 161
full
5 dbm (4 mW)
6 12 24
6 9 12 18 24 36 48 54
100 K usec
10 beacon intvls
10 beacon intvls
10 beacon intvls
10 beacon intvls
2341 bytes
0 miles
10 beacon intvls
enable

admin network wireless radio 802 11a>show qos

Radio QOS Parameter Set : 11a default

Access Category  CWMin  CWMax  AIFSN  TXOPs (32 usec)  TXOPs ms
Background       15     1023   7      0                0.000
Best Effort      15     63     3      31               0.992
Video            7      15     1      94               3.008
Voice            3      7      1      47               1.504

For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

AP51xx>admin network wireless radio 802 11a> set

Description:

Defines specific 802.11a radio parameters.

Syntax:

set
  placement             Defines the access point radio placement as indoors or outdoors.
  ch mode               Determines how the radio channel is selected.
  channel               Defines the actual channel used by the radio.
  acs exception list
  antenna               Sets the radio antenna power.
  power                 Defines the radio antenna power transmit level.
  rates                 Sets the supported radio transmit rates.
  beacon                Sets the beacon interval used by the radio.
  dtim                  Defines the DTIM interval (by index) used by the radio.
  rts                   Defines the RTS Threshold value for the radio.
  range                 Sets the
  qos
  qbss beacon
  qbss mode
39.   See the following sections for more details on viewing statistics for the access point:

• Viewing WAN Statistics
• Viewing LAN Statistics
• Viewing Wireless Statistics
• Viewing Radio Statistics Summary
• Viewing MU Statistics Summary
• Viewing the Mesh Statistics Summary
• Viewing Known Access Point Statistics
• CPU and Memory Statistics

7.1 Viewing WAN Statistics

Use the access point WAN Stats screen to view real-time statistics for monitoring the access point activity through its Wide Area Network (WAN) port.

The Information field of the WAN Stats screen displays basic WAN information, generated from settings on the WAN screen. The Received and Transmitted fields display statistics for the cumulative packets, bytes, and errors received and transmitted through the WAN interface since it was last enabled or the AP was last rebooted. The access point WAN Stats screen is view-only with no configurable data fields.

To view access point WAN Statistics:

1. Select Status and Statistics -> WAN Stats from the access point menu tree.

[Screenshot: WAN Stats screen]

2. Refer to the Information field to reference the following access p
40.   The CLI follows the same configuration conventions as the device user interface with a few documented exceptions. For details on using the CLI to manage the access point, see CLI Reference on page 8-1.

• Config file: Readable text file; Importable/Exportable via FTP, TFTP and HTTP. Configuration settings for an access point can be downloaded from the current configuration of another access point meeting the import/export requirements. For information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-49.
• MIB (Management Information Base) accessing the access point SNMP functions using a MIB Browser. The access point download package contains the following 2 MIB files:
  • Symbol CC WS2000 MIB 2 0
  • Symbol AP 5131 MIB (can be used for both an AP-5131 and AP-5181 model access point, an AP-5181 does not have its own MIB)

3.3 Default Configuration Changes for the Access Point

The following table illustrates the changes made to the access point default configuration from its initial 1.0 release through this most recent 2.2 release.

 | Version 1.0 | Version 1.1 | Version 1.1.1.0 & 1.1.2.0 | Version 2.0, 2.1 & 2.2
WAN | DHCP client, Auto Update Enabled | Static IP: 10.1.1.1, Static Mask: 255.0.0.0 | Static IP: 10.1.1.1, Static Mask: 255.0.0.0 | Static IP: 10.1.1.1, Static Mask: 255.0.0.0
LAN1 | Static IP: 192.168.0.1, Static Mask | DHCP Client | DHCP Client | DHCP Client
41.   This value must be set correctly to ensure the certificate is properly generated.

Enter the IP address of this access point (as you are using the access point's onboard Radius server).

Use the drop-down menu to select the signature algorithm used for the certificate. Options include:
• MD5 RSA: Message Digest 5 algorithm in combination with RSA encryption.
• SHA1 RSA: Secure Hash Algorithm 1 in combination with RSA encryption.

Defines the length of the key. Possible values are 512, 1024, and 2048. Motorola recommends setting this value to 1024 to ensure optimum functionality.

4. Complete as many of the optional values within the Certificate Request screen as possible.

5. When the form is completed, click the Generate button from within the Certificate Request screen.

The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop-down list of certificates within the Self Certificates screen.

NOTE A Warning screen may display at this phase stating key information could be lost if you proceed with the certificate request. Click the OK button to continue, as the certificate has not been signed yet.

Click the Generate Request button from within the Self Certificates screen. The certificate content displays within the Self Certificate screen.

Click the Copy to clipboard button. Save the certificate content to a secure l
42.   • Cellular Coverage
• MAC Layer Bridging
• Content Filtering
• DHCP Support
• Media Types
• Direct Sequence Spread Spectrum
• MU Association Process
• Operating Modes
• Management Access Options
• AP 51xx MAC Address Assignment

1.3.1 Cellular Coverage

An access point establishes an average communication range with MUs called a Basic Service Set (BSS) or cell. When in a particular cell, the MU associates and communicates with the access point supporting the radio coverage area of that cell. Adding access points to a single LAN establishes more cells to extend the range of the network. Configuring the same ESSID (Extended Service Set Identifier) on all access points makes them part of the same Wireless LAN.

Access points with the same ESSID define a coverage area. A valid ESSID is an alphanumeric, case-sensitive identifier up to 32 characters. An MU searches for an access point with a matching ESSID and synchronizes (associates) to establish communications. This device association allows MUs within the coverage area to move about or roam. As the MU roams from cell to cell, it associates with a different access point. The roam occurs when the MU analyzes the reception quality at a location and determines a different access point provides better signal strength and lower MU load distribution.

If the MU does not find an access point with a workable signal, it can perform a scan to find any AP. As MUs switch APs, the AP upd
43.   model access point also must use an RJ-45 to Serial cable to establish a serial connection to a host computer. Additionally, an AP-5181 model access point cannot downgrade to 1.1.0.x (or earlier) firmware.

The access point (AP) provides a bridge between Ethernet wired LANs or WANs and wireless networks. It provides connectivity between Ethernet wired networks and radio-equipped mobile units (MUs). MUs include the full line of terminals, adapters (PC cards, Compact Flash cards and PCI adapters) and other devices.

The access point provides a maximum 54Mbps data transfer rate via each radio. It monitors Ethernet traffic and forwards appropriate Ethernet messages to MUs over the network. It also monitors MU radio traffic and forwards MU packets to the Ethernet LAN.

If you are new to using an access point for managing your network, refer to Theory of Operations on page 1-23 for an overview on wireless networking fundamentals.

1.1 New Features

The following new features have been introduced since the 2.0 release:

• IP Filtering
• DHCP Lease Information
• Configurable MU Idle Timeout
• Auto Channel Select (ACS) Smart Scan
• Enhanced Statistics Support
• WIPS Support
• Trusted Host Management
• Apache Certificate Management
• Adaptive AP
• Rogue AP Enhancements
• Bandwidth Management Enhancements
• Radius Time Based Authentication
• QBSS Support

Legacy users can upgrade their firmware image
44.   on page 4-43.

AP51xx>admin system ntp> show

Description:

Displays the NTP server configuration.

Syntax:

show    Shows all NTP server settings.

Example:

admin system ntp>show

current time (UTC) : 2006-07-31 14:35:20
Time Zone :
ntp mode : enable
preferred Time server ip : 203.21.37.18
preferred Time server port : 123
first alternate server ip : 203.21.37.19
first alternate server port : 123
second alternate server ip : 0.0.0.0
second alternate server port : 123
synchronization interval : 15 minutes

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-43.

AP51xx>admin system ntp> date zone

Description:

Show date, time and time zone.

Syntax:

date zone    Show date, time and time zone.

Example:

admin system ntp>date zone

Date Time : Sat 1970 Jan 03 20:06:22 0000 UTC
Time Zone : UTC

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-43.

AP51xx>admin system ntp> zone list

Description:

Displays an extensive list of time zones for countries around the world.

Syntax:

zone list    Displays list of time zone indexes for every known zone.

Example:

admin system ntp> zone list

For information on configuring NTP using the applet (GUI), see Configur
45. [Screenshot: AP-5131 Access Point applet showing the Retry Count, Timeout, Suffix, Radius Server IP, Port and Shared Secret fields]

Refer to the Proxy Configuration field to define the proxy server's retry count and timeout values.

Retry Count: Enter a value between 3 and 6 to indicate the number of times the access point attempts to reach a proxy server before giving up.

Timeout: Enter a value between 5 and 10 to indicate the number of elapsed seconds causing the access point to time out on a request to a proxy server.

Use the Add button to add a new proxy server. Define the following information for each entry:

Suffix: Enter the domain suffix (such as myisp.com or mycompany.com) of the users sent to the specified proxy server.

RADIUS Server IP: Specify the IP address of the Radius server acting as a proxy server.

Port: Enter the TCP/IP port number for the Radius server acting as a proxy server. The default port is 1812.

Shared Secret: Set a shared secret used for each suffix used for authentication with the Radius proxy server.

4. To remove a row, select the row and click the Del (Delete) button.

5. Click Apply to save any changes to the Proxy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings disp
46. 0.0" is entered in the Remote Subnet field in the VPN configuration page, can the AP access multiple subnets on the other end of a VPN concentrator for the APs LAN/WAN side?

No. Using a "0.0.0.0" wildcard is an unsupported configuration. In order to access multiple subnets, the steps in Question 1 must be followed.

Question 3: Can the AP be accessed via its LAN interface of AP 1 from the local subnet of AP 2 and vice versa?

Yes.

Question 4: Will the default "Manual Key Exchange" settings work without making any changes?

No. Changes need to be made. Enter Inbound and Outbound ESP Encryption keys on both APs. Each one should be of 16 Hex characters (depending on the encryption or authentication scheme used). The VPN tunnel can be established only when these corresponding keys match. Ensure the Inbound/Outbound SPI and ESP Authentication Keys have been properly specified.

Question 5: Can a tunnel between an AP-5131 and WS2000 be established?

Yes.

Question 6: Can an IPSec tunnel over a PPPoE connection be established (such as a PPPoE enabled DSL link)?

Yes. The access point supports tunneling when using a PPPoE username and password.

Question 7: Can I setup an access point so clients can access both the WAN normally and only use the VPN when talking to specific networks?

Yes. Only packets that match the VPN Tunnel Settings will be sent through the VPN t
48. 1 and cannot be used for the external Radius server.

Radius Port: Specify the port on which the Radius accounting server is listening.

Shared Secret: Specify a shared secret for accounting authentication for the hotspot. The shared secret is required to match the shared secret on the external Radius accounting server.

Timeout: Set the timeout value in seconds (1-255) used to timeout users accessing the Radius Accounting server if they have not successfully accessed the Accounting Server.

Retries: Define the number of retries (1-10) the user is allowed to access the Radius Accounting Server if the first attempt fails. The default is 1.

8. Refer to the Radius Configuration field to define a primary and secondary Radius server port and shared secret password.

Select mode: Use the Select mode drop-down menu to define whether an Internal or External server is to be used for the primary server.

Pri Server IP: Define the IP address of the primary Radius server. This is the address of your first choice for Radius server.

Pri Port: Enter the TCP/IP port number for the server acting as the primary Radius server. The default port is 1812.

Pri Secret: Enter the shared secret password used with the primary Radius Server.

Sec Server IP: Define the IP address of the secondary Radius server. This is the address of your second choice for Radius server.

Sec Secret:

Sec Port: Enter the
49. 20mm Type D Self Tapping screw

• Two wall anchors
• Security cable (optional)

To mount the AP-5131 on a wall:

1. Orient the AP-5131 on the wall by its width or length.

2. Using the arrows on one edge of the case as guides, move the edge to the midline of the mounting area and mark points on the midline for the screws.

3. At each point, drill a hole in the wall, insert an anchor, screw into the anchor the wall mounting screw and stop when there is 1mm between the screw head and the wall.

If pre-drilling a hole, the recommended hole size is 2.8mm (0.11in.) if the screws are going directly into the wall and 6mm (0.23in.) if wall anchors are being used.

4. If required, install and attach a security cable to the AP-5131 lock port.

5. Place the large corner of each of the mount slots over the screw heads.

6. Slide the AP-5131 down along the mounting surface to hang the mount slots on the screw heads.

7. Attach the radio antennae to their correct connectors.

antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.

CAUTION Both the Dual and Single
50. 240 250
    !
    interface vlan1
     ip address dhcp
    ! To attach a Crypto Map to a VLAN Interface
    !
     crypto map AAP-CRYPTOMAP
    !
    ip route 157.235.0.0/16 157.235.92.2
    ip route 172.0.0.0/8 157.235.92.2
    !
    ntp server 10.10.10.100 prefer version 3
    line con 0
    line vty 0 24
    !
    end

Technical Specifications

This appendix provides technical specifications in the following areas:

• Physical Characteristics
• Electrical Characteristics
• Radio Characteristics
• Antenna Specifications
• Country Codes

A.1 Physical Characteristics

For more information, see:

• AP-5131 Physical Characteristics
• AP-5181 Physical Characteristics

A.1.1 AP-5131 Physical Characteristics

The AP-5131 has the following physical characteristics:

Dimensions: 5.32 inches long x 9.45 inches wide x 1.77 inches thick. 135 mm long x 240 mm wide x 45 mm thick.
Housing: Metal, Plenum Housing (UL2043)
Weight: 1.95 lbs/0.88 Kg (single-radio model), 2.05 lbs/0.93 Kg (dual-radio model)
Operating Temperature: -20 to 50° Celsius
Storage Temperature: -40 to 70° Celsius
Altitude: 8,000 feet/2438 m @ 28° Celsius (operating), 15,000 feet/4572 m @ 12° Celsius (storage)
Vibration: Vibration to withstand .02g²/Hz, random, sine, 20-2k Hz
Electrostatic Discharge:
Drop:
Humidity: 5 to 95% (operating) 5 t
51. 254

    LAN2 Information
    LAN Name              : LAN2
    LAN Interface         : disable
    802.11q Trunking      : disable
    LAN IP mode           : DHCP server
    IP Address            : 192.168.1.1
    Network Mask          : 255.255.255.255
    Default Gateway       : 192.168.1.1
    Domain Name           :
    Primary DNS Server    : 192.168.0.2
    Secondary DNS Server  : 192.168.0.3
    WINS Server           : 192.168.0.255

    admin(network.lan)>

For information on displaying LAN information using the applet (GUI), see Configuring the LAN Interface on page 5-1.

AP51xx>admin(network.lan)> set

Description:
Sets the LAN parameters for the LAN port.

Example:
    admin(network

Syntax:
    set lan              <mode>      Enables or disables the access point LAN interface.
        name             <idx name>  Defines the LAN name by index.
        ethernet-port-lan <idx>      Defines which LAN (LAN1 or LAN2) is active on the Ethernet port.
        timeout          <seconds>   Sets the interval (in seconds) the access point uses to terminate its LAN interface if no activity is detected for the specified interval.
        auto-negotiation
        speed
        duplex
        username
        passwd
        ip-mode
        ipadr
        mask
        dgw
        domain
        dns
        wins
        trunking         <mode>      Enables or disables 802.11q Trunking over th
52. The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default. If the access point is not configured to factory default settings, the Admin User password WILL NOT get imported.

NOTE Though the access point can have its basic settings defined using a number of different screens, Motorola recommends using the access point Quick Setup screen to set the correct country of operation and define its minimum required configuration from one convenient location.

3.5.1 Configuring Device Settings

Configure a set of minimum required device settings within the Quick Setup screen. The values defined within the Quick Setup screen are also configurable in numerous other locations within the menu tree. When you change the settings in the Quick Setup screen, the values also change within the screen where these parameters also exist. Additionally, if the values are updated in these other screens, the values initially set within the Quick Setup screen will be updated.

To define a basic access point configuration:

1. Select System Configuration -> Quick Setup from the menu tree, if the Quick Setup screen is not already displayed.

2. Enter a System Name for the access point.
53. AP-5181 from wind and rain damage resulting from driving rain.

NOTE Though the AP-5181 can use the Power Injector solution (Part No. AP-PSBIAS-1P2-AFR), Motorola recommends using the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R), designed specifically for outdoor deployments.

2.3 Requirements

The minimum installation requirements for a single-cell, peer-to-peer network (regardless of access point model):

• An AP-5131 (either a dual or single radio model) or AP-5181 model access point
• 48 Volt Power Supply Part No. 50-14000-243R (AP-5131 models only) or Power Injector (Part No. AP-PSBIAS-1P2-AFR or AP-PSBIAS-5181-01R)
• A power outlet
• Dual-Band Antennae

NOTE An AP-5131 or AP-5181 model access point optimally uses 2 antennae for the single-radio model and 4 antenna for the dual-radio model. The AP-5181 uses an antenna suite designed primarily for outdoor usage. For more information, see Antenna Specifications on page A-5.

2.4 Access Point Placement

For optimal performance, install the access point (regardless of model) away from transformers, heavy-duty motors, fluorescent lights, microwave ovens, refrigerators and other industrial equipment. Signal loss can occur when metal, concrete, walls or floors block transmission. Install the access point in open areas or add access points as needed to improve coverage.

Antenna coverage is analogous to lighting. Users might fin
54. End Port: Enter the ending port number for a port range. If the protocol uses a single port, leave the field blank. A new entry might use Web Traffic for its name, TCP for its protocol, and 80 for its port number.

Click Apply to save any changes to the Subnet Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Subnet Access screen to the last saved configuration.

Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.10.1.1 Available Protocols

Protocols that are not pre-configured can be specified using the drop-down list within the Transport column within the Subnet Access and Advanced Subnet Access screens. They include:

• ALL: Enables all of the protocol options displayed in the drop-down menu (as described below).

• TCP: Transmission Control Protocol is a set of rules for sending data as message units over the Internet. TCP manages individual data packets. Messages are divided into packets for efficient routing through the Internet.

• UDP: User Datagram Protocol is used for broadcasting data over the Internet. Like TCP, UDP runs on top of Internet Protocol (IP) networks. Unlike TCP/IP, UDP/IP provides few error recovery services. UDP offers a
56. Add button.

The Add Ethernet Type screen displays. Use this screen to add one type filter option at a time, for a list of up to 16 entries.

[Screenshot: Add Ethernet Type dialog, with a drop-down to select an Ethernet type (0x0806 ARP shown) or a field to enter the hexadecimal value]

Packet types supported for the type filtering function include 16-bit DIX Ethernet types as well as Motorola proprietary types. Select an Ethernet type from the drop-down menu, or enter the Ethernet type's hexadecimal value. See your System Administrator if unsure of the implication of adding or omitting a type from the list for either LAN1 or LAN2.

4. To optionally delete a type filtering selection from the list, highlight the packet type and click the Delete button.

5. Click Apply to save any changes to the LAN1 or LAN2 Ethernet Type Filter Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

6. Click Undo Changes to securely exit the LAN1 or LAN2 Ethernet Type Filter Configuration screen without saving your changes.

7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2 Configuring WAN Settings

A Wide Area Network (WAN) is a widely dispersed telecommunications network. The access point includes one WAN port. The access point WAN port has its own MAC address. In a corporate environment, the WAN port might connect to a larger corporate netwo
57. Question 9: I am using a direct cable connection between my two VPN gateways for testing and cannot get a tunnel established, yet it works when I set them up across another network or router. Why?

The packet processing architecture of the access point VPN solution requires the WAN default gateway to work properly. When connecting two gateways directly, you don't need a default gateway when the two addresses are on the same subnet. As a workaround, point the access point's WAN default gateway to be the other VPN gateway and vice versa.

Question 10: I have setup my tunnel and the status still says "Not Connected". What should I do now?

VPN tunnels are negotiated on an "as needed" basis. If you have not sent any traffic between the two subnets, the tunnel will not get established. Once a packet is sent between the two subnets, the VPN tunnel setup occurs.

Question 11: I still can't get my tunnel to work after attempting to initiate traffic between the two subnets. What now?

Try the following troubleshooting tips:

• Verify you can ping each of the remote Gateway IP addresses from clients on either side. Failed pings can indicate general network connection problems.

• Pinging the internal gateway address of the remote subnet should run the ping through the tunnel as well, allowing you to test even if there are no clients on the remote end
58. Allowed APs table within the Active APs screen. Only use this option if you are sure all of the devices detected and displayed within the Scan Results table are non-hostile APs.

5. Highlight a different MU from the Rogue AP enabled MUs field as needed to scan for additional rogue APs.

6. Click Logout to return to the Rogue AP Detection screen.

6.14 Configuring User Authentication

The access point can work with external Radius and LDAP Servers (AAA Servers) to provide user database information and user authentication.

6.14.1 Configuring the Radius Server

The Radius Server screen enables an administrator to define data sources and specify authentication information for the Radius Server.

To configure the Radius Server:

1. Select System Configuration -> User Authentication -> Radius Server from the menu tree.

[Screenshot: Radius Server screen]

2. From within the Data Source Configuration field, use the Data Source drop-down menu to select the data source for the Radius server.

Local: An internal user database serves as the data source. Use the User Database screen to enter the user data. For more inform
59. [Screenshot: Rogue AP Detection screen]

2. Configure the Detection Method field to set the detection method (MU or access point) and define the 802.11a or 802.11b/g radio to conduct the rogue AP search.

RF Scan by MU
RF On-Channel Detection
RF Scan by Detector Radio
RF A/BG Scan

Select the RF Scan by MU checkbox to enable MUs to scan for potential rogue APs within the network. Define an interval in the Scan Interval field for associated MUs to beacon in an attempt to locate a rogue AP. Set the interval to a value sooner than the default if a large volume of device network traffic is anticipated within the coverage area of the target access point. The Scan Interval field is not available unless the RF Scan by MU checkbox is selected. Motorola clients must be associated and have rogue AP detec
60. DNS name) IP address of the access point.

The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission. The subnet mask defines the size of the subnet.

The Default Gateway parameter defines the numerical (non-DNS name) IP address of a router the access point uses on the Ethernet as its default gateway.

Enter the name assigned to the primary DNS server.

Enter the Primary DNS numerical (non-DNS name) IP address.

Secondary DNS Server: Motorola recommends entering the numerical IP address of an additional DNS server (if available), used if the primary DNS server goes down. A maximum of two DNS servers can be used.

WINS Server: Enter the numerical (non-DNS name) IP address of the WINS server. WINS is a Microsoft NetBIOS name server. Using a WINS server eliminates the broadcasts needed to resolve computer names to IP addresses by providing a cache or database of translations.

Mesh STP Configuration: Click the Mesh STP Configuration button to define bridge settings for this specific LAN. Each of the access point's two LANs can have a separate mesh configuration. As the Spanning Tree Protocol (STP) mentions, each mesh network main

3. Refer to the IP Filtering field to optionally enable the IP filtering feature, and, if enabled
61. For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.user)>clearall

Description:
Removes all existing user IDs from the system.

Syntax:
    clearall    Removes all existing user IDs from the system.

Example:
    admin(system.userdb.user)>clearall
    admin(system.userdb.user)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.user)>set

Description:
Sets a password for a user.

Syntax:
    set <userid> <passwd>    Sets a password for a specific user.

Example:
    admin(system.userdb.user)>set george password
    admin(system.userdb.user)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

8.4.5.2 Adding and Removing Groups from the User Database

AP51xx>admin(system.userdb)> group

Description:
Adds and removes groups from the user database.

Syntax:
    create      Creates a group name.
    delete      Deletes a group name.
    clearall    Removes all existing group names from the system.
    add         Adds a user to an existing group.
    remove      Removes a user from an existing group.
    show        Displays existing groups.
    save        Saves the configuratio
62. Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI.

AP51xx>admin(network.firewall)> show

Description:
Displays the access point firewall parameters.

Syntax:
    show    Shows all access point's firewall settings.

Example:
    admin(network.firewall)>show

    Firewall Status                   : disable
    NAT Timeout                       : 10 minutes

    Configurable Firewall Filters:
    ftp bounce attack filter          : enable
    syn flood attack filter           : enable
    unaligned ip timestamp filter     : enable
    source routing attack filter      : enable
    winnuke attack filter             : enable
    seq num prediction attack filter  : enable
    mime flood attack filter          : enable
    max mime header length            : 8192 bytes
    max mime headers                  : 16 headers

For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.

AP51xx>admin(network.firewall)> set

Description:
Defines the access point firewall parameters.

    Enables or disables the firewall.
    Defines the NAT timeout value.
    Enables or disables SYN flood attack check.
    Enables or disables source routing check.
    Enables or disables Winnuke attack check.
    Enables or disables FTP bounce attack check.
    Enables or disables IP unaligned timestamp check.
    Enables or disables sequence number prediction check.
    Enables or disables MIME flood attack check.
    Sets the max header leng
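An added example, not part of the reference guide: a Python audit of captured firewall `show` output (excerpt 62 above) against a baseline, reporting every setting that drifts from it. The baseline, the function names and the second sample are assumptions; the first sample is constructed from the manual's example output, and the parser accepts either a colon or a run of spaces between label and value.

```python
import re

# Assumed site baseline (not from the manual): firewall on, every filter on.
BASELINE = {
    "firewall status": "enable",
    "ftp bounce attack filter": "enable",
    "syn flood attack filter": "enable",
    "unaligned ip timestamp filter": "enable",
    "source routing attack filter": "enable",
    "winnuke attack filter": "enable",
    "seq num prediction attack filter": "enable",
    "mime flood attack filter": "enable",
}

# Constructed sample, modeled on the "show" example in excerpt 62.
SAMPLE_SHOW_OUTPUT = """\
admin(network.firewall)>show

Firewall Status                   : disable
NAT Timeout                       : 10 minutes

Configurable Firewall Filters:
ftp bounce attack filter          : enable
syn flood attack filter           : enable
unaligned ip timestamp filter     : enable
source routing attack filter      : enable
winnuke attack filter             : enable
seq num prediction attack filter  : enable
mime flood attack filter          : enable
max mime header length            : 8192 bytes
max mime headers                  : 16 headers
"""

# Constructed variant: no colons, one filter off, one filter line missing.
SAMPLE_NO_COLONS = """\
Firewall Status   enable
NAT Timeout   10 minutes
Configurable Firewall Filters
ftp bounce attack filter   enable
syn flood attack filter   enable
unaligned ip timestamp filter   enable
source routing attack filter   disable
seq num prediction attack filter   enable
mime flood attack filter   enable
"""

# Label and value are separated by a colon or by two or more spaces.
SEPARATOR = re.compile(r"\s*:\s*|\s{2,}")


def parse_show_output(text):
    """Return {label: value}, both lowercased, for every 'label value' line.

    Prompts, blank lines and section headings carry no value and are skipped.
    """
    settings = {}
    for line in text.splitlines():
        parts = SEPARATOR.split(line.strip(), maxsplit=1)
        if len(parts) != 2 or not parts[0] or not parts[1]:
            continue
        settings[parts[0].lower()] = parts[1].strip().lower()
    return settings


def audit_firewall(settings, baseline=BASELINE):
    """Return (label, expected, actual) for each setting that differs.

    A label absent from the output is reported with actual=None, so a
    truncated capture cannot pass as compliant.
    """
    findings = []
    for label, expected in baseline.items():
        actual = settings.get(label)
        if actual != expected:
            findings.append((label, expected, actual))
    return findings


if __name__ == "__main__":
    for name, sample in (("colon", SAMPLE_SHOW_OUTPUT),
                         ("no-colon", SAMPLE_NO_COLONS)):
        for label, expected, actual in audit_firewall(parse_show_output(sample)):
            print(f"[{name}] {label}: expected {expected}, got {actual}")
```

Run against the manual's own example values, the audit reports the firewall status line even though every individual filter reads enable, so the status line needs checking alongside the per-filter lines.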
63.                                 Kit          0.75   1.6
    25JK    ML-1499-25JK-01R    Jumper Kit   1.9    3.5
    50JK    ML-1499-50JK-01R    Jumper Kit   3.75   6.6
    100JK   ML-1499-100JK-01R   Jumper Kit   7.5    12.8

A.4.1.4 AP-5131 Antenna Accessory Connectors, Cable Type and Length

The following table describes each antenna accessory's connector and cable type, plus the length.

    Item    Connector1   Connector2   Length (meters)   Cable Type
    72PJ    RPBNC-F      RPBNC-M      1.83              RG-58
    LAK1    RPBNC-F      N-F          0.305             RG-58
    LAK2    N-F          N-M
    10JK    N-M          N-M          3.05              RG-8
    25JK    N-M          N-M          7.62              RG-8
    50JK    N-M          N-M          15.24             RG-8
    100JK   N-M          N-M          30.48             RG-8

A.4.2 AP-5181 Antenna Specifications

The AP-5181 2.4 GHz antenna suite includes the following models:

    Part Number         Antenna Type                  Nominal Net Gain (dBi)   Description
    ML-2499-FHPA5-01R   Omni-Directional Antenna      5.0                      2.4 GHz, Type N connector, no pigtail
    ML-2499-FHPA9-01R   Omni-Directional Antenna      9.0                      2.4 GHz, Type N connector, no pigtail
    ML-2452-PNA7-01R    Panel Antenna (Dual-Band)     8.0                      2.4 - 2.5 / 4.9 - 5.99 GHz, 66 deg / 60 deg, Type N connector, with pigtail
    ML-2452-PNA5-01R    Sector Antenna (Dual-Band)    6.0                      2.3 - 2.4 / 4.9 - 5.9 GHz, 120 deg Sector, Type N connector, with pigtail

The AP-5181 5 GHz antenna suite includes the following mod
64. Name Attribue  Group Membership Filter

    0.0.0.0
    389
    cn manager  o trion
    O trion
    uid
    Stripped User Name User Name
    userPassword
    en & objectClass GroupOfNames member Ldap objectClass GroupOfUniqueNames uniquemember Ldap UserDn

    LDAP Group Membership Attribute : radiusGroupName

    admin(system.radius.ldap)>

For information on configuring a Radius LDAP server using the applet (GUI), see Configuring LDAP Authentication on page 6-67.

8.4.6.4 AP51xx>admin(system.radius)> proxy

Description:
Goes to the Radius proxy server submenu.

Syntax:
    add         Adds a proxy realm.
    delete      Deletes a proxy realm.
    clearall    Removes all proxy server records.
    set         Sets proxy server parameters.
    show        Displays current Radius proxy server parameters.
    save        Saves the configuration to system flash.
    quit        Quits the CLI.
    ..          Goes to the parent menu.
    /           Goes to the root menu.

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

AP51xx>admin(system.radius.proxy)> add

Description:
Adds a proxy.

Syntax:
    add               Adds a proxy realm.
        name <name>   Realm name.
        ip1 <ip1>     Authentication server IP address.
        port <port>   Authentication server port.
        sec <sec>     Shared secret password.

Example:
    admin(system.radius.proxy)>
65. PPP over Ethernet checkbox to enable Point-to-Point over Ethernet (PPPoE) for a high-speed connection that supports this protocol. Most DSL providers are currently using or deploying this protocol. PPPoE is a data-link protocol for dialup connections. PPPoE will allow the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data networks.

a. Select the Keep Alive checkbox to enable occasional communications over the WAN port even when client communications to the WAN are idle. Some ISPs terminate inactive connections, while others do not. In either case, enabling Keep-Alive maintains the WAN connection, even when there is no traffic. If the ISP drops the connection after the idle time, the access point automatically reestablishes the connection to the ISP.

b. Specify the Username entered when connecting to the ISP. When the Internet session begins, the ISP authenticates the username.

c. Specify the Password entered when connecting to the ISP. When the Internet session starts, the ISP authenticates the password.

For additional access point WAN port configuration options, see Configuring WAN Settings on page 5-16.

7. Click the LAN tab to set a minimum set of parameters to use the access point LAN interface.

a. Select the Enable LAN Interface checkbox to forward data traffic over the access point's LAN connection. The LAN connection is enabled by default.

b. Use the This Interface drop-down menu to specify how ne
66. Point applet. A prompt displays confirming the logout before the applet is closed.

CLI Reference

The access point Command Line Interface (CLI) is accessed through the serial port or a Telnet session. The access point CLI follows the same conventions as the Web-based user interface. The CLI does, however, provide an "escape sequence" to provide diagnostics for problem identification and resolution.

The CLI treats the following as invalid characters:

    -> space < > &

In order to avoid problems when using the CLI, these characters should be avoided.

8.1 Connecting to the CLI

8.1.1 Accessing the CLI through the Serial Port

To connect to the access point CLI through the serial port:

1. Connect one end of a null modem serial cable to the access point's serial connector.

NOTE If using an AP-5131 model access point, a null modem cable is required. If using an AP-5181 model access point, an RJ-45 to Serial cable is required to make the connection.

2. Attach the other end of the null modem serial cable to the serial port of a PC running HyperTerminal or a similar emulation program.

3. Set the HyperTerminal program to use 19200 baud, 8 data bits, 1 stop bit, no parity, no flow control, and auto-detect for terminal emulation.

4. Press <ESC> or <Enter> to enter into the CLI.

5. Enter the default username of admin and the default password of motorola.
67.  [Screenshot: Policy, Create and IP Filtering controls]
    3. Set the parameters in the Configuration field as required for the WLAN.
    Configuration fields: ESSID, Name, Available On, Maximum MUs, MU Idle Timeout, Enable Client Bridge Backhaul.
    ESSID: Enter the Extended Services Set Identification (ESSID) associated with the WLAN. The WLAN name is auto generated using the ESSID until changed by the user. The maximum number of characters that can be used for the ESSID is 32.
    Name: Define or revise the name for the WLAN. The name should be a logical representation of WLAN coverage area (engineering, marketing etc.). The maximum number of characters that can be used for the name is 31.
    Available On: Use the Available On checkboxes to define whether the WLAN you are creating or editing is available to clients on either the 802.11a or 802.11b/g radio (or both radios). The Available On checkbox should only be selected for a mesh WLAN if this target access point is to be configured as a base bridge or repeater (base and client bridge) on the radio. If the radio for the WLAN is to be defined as a client bridge only, the Available On checkbox should not be selected. For more information on defining a WLAN for mesh support, see Configuring a WLAN for Mesh Networking Support on page 9-9.
    Maximum MUs: Use the Max MUs field to define the number of MUs permitted to
68.  [Screenshot: IKE settings dialog]
    13. Select Pre Shared Key (PSK) from the IKE Authentication Mode drop down menu.
    14. Enter a Passphrase. Passphrases must match on both VPN devices.
    NOTE Ensure the IKE authentication Passphrase is the same as the Pre-shared key on the Cisco PIX device.
    15. Select AES 128-bit as the IKE Encryption Algorithm.
    16. Select Group 2 as the Diffie-Hellman Group. Click OK. This will take you back to the VPN screen.
    17. Click Apply to make the changes.
    18. Check the VPN Status screen. Notice the status displays "NOT_ACTIVE". This screen automatically refreshes to get the current status of the VPN tunnel. Once the tunnel is active, the IKE_STATE changes from NOT_CONNECTED to SA_MATURE.
    19. On access point #2 (Device #2), repeat the same procedure. However, replace access point #2 information with access point #1 information.
    20. Once both tunnels are established, ping each side of the tunnel to ensure connectivity.
    B.2.2 Configuring a Cisco VPN Device
    This section includes general instructions for configuring a Cisco PIX Firewall 506 series device. For the usage scenario described in this section, you will require the following:
    • 1 Cisco VPN device
    • 1 PC connected to the LAN side of the a
69.  Product Reference Guide
    8.3.3.3 Network ACL Commands
    AP51xx>admin(network.wireless.acl)>
    Description: Displays the access point Mobile Unit Access Control List (ACL) submenu. The items available under this command include:
    show      Displays the access point's current ACL configuration.
    create    Creates an MU ACL policy.
    edit      Edits the properties of an existing MU ACL policy.
    delete    Removes an MU ACL policy.
    ..        Goes to the parent menu.
    /         Goes to the root menu.
    save      Saves the configuration to system flash.
    quit      Quits the CLI.
    AP51xx>admin(network.wireless.acl)> show
    Description: Displays the access point's current ACL configuration.
    Syntax:
    show summary           Displays the list of existing MU ACL policies.
         policy <index>    Displays the requested MU ACL index policy.
    Example:
    admin(network.wireless.acl)>show summary
    ACL Policy Name    Associated WLANs
    1 Default          Front Lobby, WLAN1
    2 Admin            Administration
    3 Demo Room        Customers
    admin(network.wireless.acl)>show policy 1
    Policy Name : Default
    Policy Mode : allow
    index    start mac       end mac
    1        00A0F8348787    00A0F8348798
    For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-37.
    AP51xx>admin(network.wireless.acl)> create
    Description: Creates an MU ACL policy.
    Syntax:
    create show
70.  Radio model AP-5131s use RSMA type
    8. Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.
    NOTE The access point must be mounted with the RJ45 cable connector oriented upwards to ensure proper operation.
    CAUTION Do not supply power to the AP-5131 until the cabling of the unit is complete.
    For Power Injector installations:
    a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.
    b. Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.
    c. Ensure the cable length from the Ethernet source (host) to the Power Injector and AP-5131 does not exceed 100 meters (333 ft). The Power Injector has no On/Off power switch. The Power Injector receives power as soon as AC power is applied. For more information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.
    For standard 48 Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:
    a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.
    Verify the power adapter is correctly rated according to the country of operation.
    Connect the power supply line cord to the power adapter.
    Attach the power adapter cable into the power connector on the AP-5131.
    Plug the power adapter into an
71.  Range    QBSS Channel Util Beacon Intervl    QBSS Load Element Mode
    indoor; 00A0F8715920; 802.11b/g; off; user selection; full; 5 dbm (4 mW); B Only; 1 2 5.5 11; 1 2 5.5 11; 100 K usec; 10 beacon intvls; 10 beacon intvls; 10 beacon intvls; 10 beacon intvls; disable; 2341 bytes; 0 miles; 10 beacon intvls; enable
    admin(network.wireless.radio.radio1)>show qos
    Radio QOS Parameter Set: 11g default
    Access Category    CWMin    CWMax    AIFSN    TXOPs (32 usec)    TXOPs ms
    Background         15       1023     7        0                  0.000
    Best Effort        15       63       3        31                 0.992
    Video              7        15       1        94                 3.008
    Voice              3        7        1        47                 1.504
    CAUTION If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example, "set dtim 2 50"). This will change the DTIM for BSSID 2 to 50.
    For information on configuring the Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-37.
    AP51xx>admin(network.wireless.radio.802-11bg)> set
    Description: Defines specific 802.11b/g radio parameters.
    Syntax:
    set placement, ch-mode, channel, acs-exception-list, antenna, power, bg-mode, rates, beacon, dtim, preamble, rts, range, qos, qbss-beacon, qbss-mode
    Example:
    admin(network
    admin(network
    admin(network
    admin(
72.  Root column.
    4. Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.
    7.2.2 Viewing Subnet Lease Statistics
    When either (or both) of the access point's LAN interfaces are configured as a DHCP server, a client's IP address lease assignment can now be monitored in respect to its lease period and expiration time. To set the access point's LAN1 or LAN2 interfaces as a DHCP server, refer to Configuring the LAN Interface on page 5-1. The available range of IP addresses that can be assigned is also defined from within the LAN1 or LAN2 interface.
    NOTE Manually (statically) assigned client IP addresses cannot be tracked for expiration within the Subnet Lease Stats screen, only those assigned from the access point DHCP server.
    To view access point LAN DHCP lease statistics:
    1. Select Status and Statistics -> LAN Stats from the access point menu tree.
    [Screenshot: Subnet Lease Stats screen]
73.  The Wireless Intrusion Prevention System screen displays.
    NOTE At least one radio is required to be set to WIPS (within the Wireless Intrusion Prevention System screen) to support WIPS on the access point. If using the access point's CLI interface to define WIPS support, go to the network -> wireless -> radio context and issue a "set rf-function <radio-idx> wips" command.
    [Screenshot: Wireless Intrusion Prevention System screen]
    2. Within the WIPS Status field, define whether the access point's 802.11a or 802.11b/g radio is servicing its coverage area as a typical access point or as a WIPS sensor. Selecting the WLAN checkbox defines the radio as a typical access point. Selecting the WIPS checkbox defines the radio as a WIPS sensor.
    3. Define a primary and alternate WIPS server IP Address within the WIPS Server 1 and WIPS Server 2 fields. This is the address of the WIPS console server.
    4. Click Apply to save any changes to the WIPS screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
    5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings
74.  The selected tunnel's configuration displays in a VPN Tunnel Config field.
    To configure a VPN tunnel on the access point:
    1. Select Network Configuration -> WAN -> VPN from the access point menu tree.
    [Screenshot: VPN screen]
    2. Use the VPN Tunnels field to add or delete a tunnel to the list of available tunnels, list tunnel network address information and display key exchange information for each tunnel.
    Add: Click Add to add a VPN tunnel to the list. To configure a specific tunnel, select it from the list and use the parameters within the VPN Tunnel Config field to set its properties.
    Del: Click Del to delete a highlighted VPN tunnel. There is no confirmation before deleting the tunnel.
    Tunnel Name: The Tunnel Name column lists the name of each VPN tunnel on the access point.
    Remote Subnet: The Remote Subnet column lists the remote subnet for each tunnel. The remote subnet is the subnet the remote network uses for connection.
    Remote Gateway: The Remote Gateway column lists a remote gateway IP address for each tunnel. The numeric remote gateway is the gateway IP address on the remote network the VPN tunnel connects to. Ensure the address is the same as the WAN port address of the target gateway AP or switch.
    Key Exchange Type: The Key Exchange Type column lists the k
75.  VLAN_3
    4 4 VLAN_4
    admin(network.lan.wlan-mapping)>show vlan-cfg
    Management VLAN Tag : 1
    Native VLAN Tag : 2
    WLAN : WLAN1
    mapped to VLAN : VLAN 2
    VLAN Mode : static
    admin(network.lan.wlan-mapping)>show lan-wlan
    WLANs on LAN1:
    : WLAN1
    : WLAN2
    : WLAN3
    WLANs on LAN2:
    admin(network.lan.wlan-mapping)>show wlan
    WLAN1:
    WLAN Name : WLAN1
    ESSID : 101
    Radio :
    VLAN :
    Security Policy : Default
    QoS Policy : Default
    For information on displaying the VLAN screens using the applet (GUI), see Configuring VLAN Support on page 5-5.
    AP51xx>admin(network.lan.wlan-mapping)> set
    Description: Sets VLAN parameters for the access point.
    Syntax:
    set mgmt-tag <id>      Defines the Management VLAN tag (1-4095).
        native-tag <id>    Sets the Native VLAN tag (1-4095).
        mode <wlan-idx>    Sets WLAN VLAN mode (WLAN 1-16) to either dynamic or static.
    Example:
    admin(network.lan.wlan-mapping)>set mgmt-tag 1
    admin(network.lan.wlan-mapping)>set native-tag 2
    admin(network.lan.wlan-mapping)>set mode 1 static
    admin(network.lan.wlan-mapping)>show vlan-cfg
    Management VLAN Tag : 1
    Native VLAN Tag : 2
    WLAN : WLAN1
    mapped to VLAN : VLAN 2
    VLAN Mode : static
    For information on configuring VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5.
    AP51xx>admin(network.lan.wlan-mapping)> cre
76.  WEP. WPA is designed for corporate networks and small business environments where more wireless traffic allows quicker discovery of encryption keys by an unauthorized person.
    The encryption method is Temporal Key Integrity Protocol (TKIP). TKIP addresses WEP's weaknesses with a re-keying mechanism, a per-packet mixing function, a message integrity check, and an extended initialization vector.
    Wi-Fi Protected Access 2 (WPA2) is an enhanced version of WPA. WPA2 uses the Advanced Encryption Standard (AES) instead of TKIP. AES supports 128-bit, 192-bit and 256-bit keys.
    WPA/WPA2 also provide strong user authentication based on 802.1x EAP. To configure WPA/WPA2 encryption on the access point:
    1. Select Network Configuration -> Wireless -> Security from the access point menu tree. If security policies supporting WPA TKIP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA TKIP, continue to step 2.
    2. Click the Create button to configure a new policy supporting WPA TKIP. The New Security Policy screen displays with no authentication or encryption options selected.
    3. Select the WPA/WPA2 TKIP radio button. The WPA TKIP Settings field displays within the New Security Policy screen.
    4. Ensure the Name of the security policy entered suits the intended configuration or function of the polic
77.  [Screenshot: security policy screen with encryption options and Radius server fields]
    6. Configure the Server Settings field as required to define address information for the authentication server. The appearance of the Server Settings field varies depending on whether Internal or External has been selected from the Radius Server drop down menu.
    Radius Server Address: If using an External Radius Server, specify the numerical (non-DNS) IP address of a primary Remote Dial-In User Service (Radius) server. Optionally, specify the IP address of a secondary server. The secondary server acts as a failover server if the primary server cannot be contacted. An ISP or a network administrator provides these addresses. Radius is a client/server protocol and software enabling remote access clients to communicate with a server used to authenticate users and authorize access to the requested system or service. This setting is not available if Internal has been selected from the Radius Server drop down menu.
    RADIUS Port: If using an External Radius Server, specify the port on which the primary Radius server is listening. Optionally, specify the port of a secondary (failover) server. Older Radius servers listen on ports 1645 and 1646. Newer servers listen on ports 1812 and 1813. Port 1645 or 1812 is used for authentication. Port 1646 or 1813 is used for accounting. The ISP or a
78.  [Screenshot: LAN configuration screen]
    CAUTION If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for switch auto discovery (primary/standby), the access point will un-adopt from its switch after a few moments. To remedy this problem, ensure LAN1 has 802.1q trunking enabled and the correct management VLAN defined.
    2. Configure the LAN Settings field to enable the access point LAN1 and/or LAN2 interface, assign a timeout value, enable 802.1q trunking, configure WLAN mapping and enable 802.1x port authentication.
    LAN Settings fields: Enable, LAN Name, Ethernet Port, Enable 802.1q Trunking, VLAN Name, WLAN Mapping.
    Enable: Select the LAN1 and/or LAN2 checkbox to allow the forwarding of data traffic over the specified LAN connection. The LAN1 connection is enabled by default, but both LAN interfaces can be enabled simultaneously. The LAN2 setting is disabled by d
79.  access mode : enable
    Following trusted host(s) have access to the system via snmp, ssh, http, https and telnet:
    trusted host(s) 1 : 10.1.1.1-10.1.1.10
    trusted host(s) 2 : 0.0.0.0-0.0.0.0
    trusted host(s) 3 : 0.0.0.0-0.0.0.0
    trusted host(s) 4 : 0.0.0.0-0.0.0.0
    trusted host(s) 5 : 0.0.0.0-0.0.0.0
    trusted host(s) 6 : 0.0.0.0-0.0.0.0
    trusted host(s) 7 : 0.0.0.0-0.0.0.0
    trusted host(s) 8 : 0.0.0.0-0.0.0.0
    http/s timeout : 0
    ssh server authetnication timeout : 120
    ssh server inactivity timeout : 120
    admin authetnication mode : local
    Login Message Mode : disable
    Login Message :
    Related Commands:
    set    Defines the access point system access capabilities and timeout values.
    For information on configuring access point access settings using the applet (GUI), see Configuring Data Access on page 4-9.
    8.4.3 System Certificate Management Commands
    AP51xx>admin(system)>cmgr
    Description: Displays the Certificate Manager submenu. The items available under this command include:
    genreq         Generates a Certificate Request.
    delself        Deletes a Self Certificate.
    loadself       Loads a Self Certificate signed by CA.
    listself       Lists the self certificate loaded.
    loadca         Loads trusted certificate from CA.
    delca          Deletes the trusted certificate.
    listca         Lists the trusted certificate loaded.
    showreq        Displays a certificate request in PEM format.
    delprivkey     Deletes the private key.
    listprivkey    Lists names of private keys.
    expcert        Exports t
80.  and wall plugs.
    3. Secure the bracket to the wall.
    4. Attach the square mounting plate to the bridge with the supplied screws. Attach the bridge to the plate on the pole.
    Use the included nuts to tightly secure the wireless bridge to the bracket. Fit the edges of the V-shaped clamp into the slots on the flat side of the rectangular plate.
    Attach the radio antenna to their correct connectors.
    Cable the AP-5181 using either the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) or the Power Injector (Part No. AP-PSBIAS-1P2-AFR).
    NOTE Once ready for the final positioning of the access point, ensure the RJ45 cable connectors are oriented upwards to ensure proper operation.
    CAUTION Do not supply power to the AP-5181 Power Tap or Power Injector until the cabling of the access point is complete.
    CAUTION For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit's three screw termination block and tighten the unit's Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.
    a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Tap's DATA IN connector or the Power Injector's D
81.  as the AP's single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.
    1. Select Network Configuration -> Wireless -> Radio Configuration from the AP-5131 menu tree.
    [Screenshot: Radio Configuration screen]
    2. Enable the radio(s) using the Enable checkbox(es) for both Radio 1 and Radio 2. Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update. If this is an existing radio within a mesh network, these values update in real-time.
    WLAN, expecting the radio to be operating when you have forgotten it
    CAUTION If a radio is disabled, be careful not to accidentally con
82.  associated access point. The access point responds to the poll request with buffered VoIP stream frame(s).
    NOTE The access point ships with the U-APSD feature disabled by default. It is automatically enabled when WMM is enabled for a WLAN. Thus, U-APSD is only functional when WMM is enabled. If WMM is disabled, then U-APSD is disabled as well.
    5.3.1.4 Configuring WLAN Hotspot Support
    The access point enables hotspot operators to provide user authentication and accounting without a special client application. The access point uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11 security features to control access point association privileges, configure a WLAN with no WEP (an open network). The access point issues an IP address to the user using a DHCP server, authenticates the user and grants the user access to the Internet.
    When a user visits a public hotspot and wants to browse to a Web page, they boot up their laptop and associate with the local Wi-Fi network by entering the correct SSID. They then start a browser. The hotspot access controller forces this un-authenticated user to a Welcome page from the hotspot Operator that allows the user to login with a username and password.
    The access point hotspot functionality requires the following:
    • HTTP Redirection: Redirects unauthenticated users to a specific page specified by the Hotsp
83.  [Figure: diagram labelled SAFETY CABLE and GROUND]
    Power Status: Solid white indicates the access point is adequately powered.
    Error Conditions: Solid red indicates the access point is experiencing a problem condition requiring immediate attention.
    Ethernet Activity: Flashing white indicates data transfers and Ethernet activity.
    802.11a Radio Activity: Flickering amber indicates beacons and data transfers over the access point 802.11a radio.
    802.11b/g Radio Activity: Flickering green indicates beacons and data transfers over the access point 802.11b/g radio.
    2.11 Setting Up MUs
    For a discussion of how to initially test the access point to ensure it can interoperate with the MUs intended for its operational environment, see Basic Device Configuration on page 3-5 and specifically Testing Connectivity on page 3-14.
    Refer to the LA-5030 & LA-5033 Wireless Networker PC Card and PCI Adapter Users Guide, available from the Motorola Web site, for installing drivers and client software if operating in an 802.11a/g network environment.
    Refer to the Spectrum24 LA-4121 PC Card, LA-4123 PCI Adapter & LA-4137 Wireless Networker User Guide, available from the Motorola Web site, for installing drivers and client software if operating in an 802.11b network environment.
    Use the default values for the ESSID and other configuration parameters until the network connection is verified. MUs attach to the network and interact wi
84.  channel. If the user selects multiple base bridges on different channels, the access point will only be able to connect to those bridges on the same channel and the others will not be able to join this particular mesh network.
    9. Click Refresh at any time to update the list of available Base Bridge devices available to the access point.
    10. Use the >> button to move a selected base bridge MAC address from Available Base Bridge List.
    11. Refer to the Preferred Base Bridge List for a prioritized list of base bridges the mesh network's client bridge uses to extend the mesh network's coverage area and potentially provide redundant links. If a device does not appear on the Available Base Bridge List, there is no way it can be moved to Preferred Base Bridge List as the device has not yet been "seen." However, if you know the MAC Address corresponding to that Base Bridge, you can add that to the Preferred List using the add button.
    Highlight a MAC address from the Preferred Base Bridge List and click the Up button to assign that device's MAC address a higher priority and a greater likelihood of joining the mesh network if an association with another device is lost.
    If a MAC address is not desirable as others but still worthy of being on the preferred list, select it, and click the Down button to decrease its likelihood of being selected as a member of the mesh network.
    If a device MAC a
85.  deleted, there is no capability to edit a group name.
    Click the Add button and enter the name of the group in the new blank field in the Groups table.
    To remove a group, select the group from the table and click the Del (Delete) key.
    The Users table displays the entire list of users. Up to 100 users can be entered here. The users are listed in the order added. Users can be added and deleted, but there is no capability to edit the name of a group.
    To add a new user, click the Add button at the bottom of the Users area.
    In the new line, type a User ID (username).
    Click the Password cell. A small window displays. Enter a password for the user and click OK to return to the Users screen.
    7. Click the List of Groups cell. A new screen displays enabling you to associate groups with the user. For more information on mapping groups with a user, see Mapping Users to Groups on page 6-74.
    8. Click Apply to save any changes to the Users screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
    9. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Users screen to the last saved configuration.
    10. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
    6.14.4.1 Mapping Users to Groups
    Once users have been created within the Use
86.  detection area can be significantly extended.
    To use associated rogue AP enabled MUs to scan for rogue APs:
    1. Select Network Configuration -> Wireless -> Rogue AP Detection -> MU Scan from the access point menu tree. The On Demand MU Scan screen displays with associated MUs with rogue AP detection enabled.
    [Screenshot: On Demand MU Scan screen]
    2. Highlight an MU from within the Rogue AP enabled MUs field and click the scan button. The target MU begins scanning for rogue devices using the detection parameters defined within the Rogue AP Detection screen. To modify the detection parameters, see Configuring Rogue AP Detection on page 6-55.
    Those devices detected as rogue APs display within the Scan Result table. Use the displayed AP MAC, ESSID and RSSI values to determine whether the device listed in the table is truly a rogue device or one inadvertently detected as a rogue AP.
    3. If necessary, highlight an individual MU from within the Scan Result field and click the Add to Allowed AP List button to move the AP into the Allowed APs table within the Active APs screen.
    4. Additionally, if necessary, click the Add All to Allowed APs List button to move every device within the Scan Result table into the
87.  dhcp)> list
    Description: Lists static DHCP address assignments.
    Syntax:
    list <LAN-idx> <cr>    Lists the static DHCP address assignments for the specified LAN (1-LAN1, 2-LAN2).
    Example:
    admin(network.lan.dhcp)>list 1
    Index    MAC Address     IP Address
    1        00A0F8112233    10.1.2.4
    2        00A0F8102030    10.10.1.2
    3        00A0F8112234    10.1.2.3
    4        00A0F8112235    192.160.24.6
    5        00A0F8112236    192.169.24.7
    admin(network.lan.dhcp)>
    For information on listing client MAC and IP address information using the applet (GUI), see Configuring Advanced DHCP Server Settings on page 5-13.
    8.3.1.4 Network Type Filter Commands
    AP51xx>admin(network.lan.type-filter)>
    Description: Displays the access point Type Filter submenu. The items available under this command include:
    show      Displays the current Ethernet Type exception list.
    set       Defines Ethernet Type Filter parameters.
    add       Adds an Ethernet Type Filter entry.
    delete    Removes an Ethernet Type Filter entry.
    ..        Goes to the parent menu.
    /         Goes to the root menu.
    save      Saves the configuration to system flash.
    quit      Quits the CLI.
    AP51xx>admin(network.lan.type-filter)> show
    Description: Displays the access point's current Ethernet Type Filter configuration.
    Syntax:
    show <LAN-idx>    Displays the existing Type Filter configuration for the specified LAN.
    Example:
    admin(network.lan.type-filter)>show 1
    Ethernet T
88.  disable
    rogue ap detection : disable
    ap radar detection : disable
    wpa counter measure : disable
    mu hotspot status : disable
    vlan : disable
    lan monitor : disable
    DynDNS Update : enable
    For information on configuring SNMP traps using the applet (GUI), see Enabling SNMP Traps on page 4-35.
    AP51xx>admin(system.snmp.traps)> set
    Description: Sets SNMP trap parameters.
    Syntax:
    set mu-assoc             enable|disable
        mu-unassoc           enable|disable
        mu-deny-assoc        enable|disable
        mu-deny-auth         enable|disable
        snmp-auth            enable|disable
        snmp-acl             enable|disable
        port                 enable|disable
        dos-attack           enable|disable
        dyndns-update        enable|disable
        interval             <rate>
        cold                 enable|disable
        cfg                  enable|disable
        rogue-ap             enable|disable
        ap-radar             enable|disable
        wpa-counter          enable|disable
        hotspot-mu-status    enable|disable
        vlan                 enable|disable
        lan-monitor          enable|disable
        rate, min-pkt        <rate> <pkt> <scope> <value>
    mu-assoc: Enables/disables the MU associated trap.
    mu-unassoc: Enables/disables the MU unassociated trap.
    mu-deny-assoc: Enables/disables the MU association denied trap.
    mu-deny-auth: Enables/disables the MU authentication denied trap.
    snmp-auth: Enables/disables the authentication failure trap.
    snmp-acl: Enables/disables the SNMP ACL violation trap.
    port: Enables/disables the physical port status trap.
    dos-attack: Enables/disables the denial of service trap.
    dyndns-update: Enables/disables dyndns update trap.
    interval: Sets denial of service trap interval.
    cold: Enables/disables the system cold star
89.  displayed on the WIPS screen to the last saved configuration.

6. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

5.5 Configuring Router Settings

The access point router uses routing tables and protocols to forward data packets from one network to another. The access point router manages traffic within the network, and directs traffic from the WAN to destinations on the access point managed LAN. Use the Router screen to view the router's connected routes. To access the Router screen:

1. Select Network Configuration > Router from the access point menu tree.

The access point Router Table field displays a list of connec
90.  displays the average total packets per second sent on the MU. The number in black represents Pkts per second for the last 30 seconds and the number in blue represents Pkts per second for the last hour.

Throughput
The Total column displays the average total packets per second crossing the selected MU. The Rx column displays the average total packets per second received on the MU. The Tx column displays the average total packets per second sent on the MU. The number in black represents throughput for the last 30 seconds, the number in blue represents throughput for the last hour.

Avg. Bit Speed
The Total column displays the average bit speed in Mbps for a given time period on the MU. This includes all packets sent and received. The number in black represents average bit speed for the last 30 seconds and the number in blue represents average bit speed for the last hour. Consider increasing the data rate of the AP if the current bit speed does not meet network requirements. For more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56. The associated MU must also be set to the higher rate to interoperate with the access point at that data rate.

% of Non-unicast pkts
Displays the percentage of the total packets for the selected mobile unit that are non-unicast. Non-unicast packets include broadcast and multicast packets. The number in black represents packets for the last 30 seconds and the num
91.  following as invalid characters, thus they should not be used in the creation of an ESSID (or other): > space < > &

For information on creating a WLAN using the applet (GUI), see Creating/Editing Individual WLANs on page 5-30.

AP51xx>admin network wireless wlan> edit

Description: Edits the properties of an existing WLAN policy.

Syntax:
edit <idx>    Edits the sequence number (index) in the WLAN summary.

For information on editing a WLAN using the applet (GUI), see Creating/Editing Individual WLANs on page 5-30.

AP51xx>admin network wireless wlan> delete

Description: Deletes an existing WLAN.

Syntax:
delete <wlan name>    Deletes a target WLAN by name supplied.
       all            Deletes all WLAN configurations.

For information on deleting a WLAN using the applet (GUI), see Creating/Editing Individual WLANs on page 5-30.

AP51xx>admin network wireless wlan hotspot>

Description: Displays the Hotspot submenu. The items available under this command include:

show         Show hotspot parameters.
redirection  Goes to the hotspot redirection menu.
radius       Goes to the hotspot Radius menu.
white list   Goes to the hotspot white list menu.
save         Saves the configuration to system flash.
quit         Quits the CLI.
             Goes to the parent menu.
             Goes to the root menu.

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Confi
92.  for MU interoperability.

3.5.2 Testing Connectivity

Verify the access point's link with an MU by sending Wireless Network Management Protocol (WNMP) ping packets to the associated MU. Use the Echo Test screen to specify a target MU and configure the parameters of the test. The WNMP ping test only works with Motorola MUs. Only use a Motorola MU to test access point connectivity using WNMP.

NOTE Before testing for connectivity, the target MU needs to be set to the same ESSID as the access point. Since WEP 128 has been configured for the access point, the MU also needs to be configured for WEP 128 and use the same WEP keys. Ensure the MU is associated with the access point before testing for connectivity.

To ping a specific MU to assess its connection with an access point:

1. Select Status and Statistics > MU Stats from the menu tree.
2. Select the Echo Test button from within the MU Stats Summary screen.
3. Define the following parameters for the test:

Station Address    The station address is the IP address of the target MU. Refer to the MU Stats Summary screen for associated MU IP address information.
Number of pings    Defines the number of packets to be transmitted to the MU. The default is 100.
Packet Length      Specifies the length of each packet transmitted to the MU during the test. The default length is 100 bytes.

4. Click the Ping button to begin transmitting packets to the specified MU address
93.  > T129 cfg.txt <Configuration file>

Using options sa, bf and 136:

AP 5131  ha 00a0f88aa6d8        <LAN MAC Address>
         sm 255.255.255.0       <Subnet Mask>
         ip 157.235.93.128      <IP Address>
         gw 157.235.93.2        <gateway>
         sa 157.235.93.250      <TFTP Server IP>
         bf /tftpboot/cfg.txt   <Configuration file>
         T136 /tftpboot/        <TFTP root directory>

NOTE The bf option prefixes a forward slash (/) to the configuration file name. The forward slash may not be supported on Windows based TFTP Servers.

3. Copy the firmware and configuration files to the appropriate directory on the TFTP Server.

By default, auto update is enabled on the access point (since the LAN Port is a DHCP Client, out of the box auto update support is on the LAN Port).

Restart the access point.

While the access point boots, verify the access point:

• Sends a true BootP request.
• Obtains and applies the expected IP Address from the BootP Server.
• Downloads both the firmware and configuration files from the TFTP Server and updates them as required. Verify the file versions within the System Settings screen.

Whenever a configuration file is specified, the access point will tftp the config file, parse it, and use the firmware file name in the config file.

If T136 is provided by the server, the access point strips off the TFTP root directory from the fully qualified configura
94.  > <mode> <ip> <time> <timeout> <time>

Sets the EAP shared secret <secret> (1-63 characters) for server <sidx> (1 = primary or 2 = secondary). The default password is now "motorola" instead of "symbol". Be cognizant of this when importing a configuration from 1.1 to 2.1, as this shared secret will have to be changed to motorola (after the import) to avoid MU authentication failures. This change can only be made using the access point CLI.

Enables or disables EAP reauthentication.

Sets the reauthentication period <period> in seconds (30-9999).

Sets the maximum number of reauthentication retries <retry> (1-99).

Enable or disable Radius accounting.

Set external Radius server IP address.

Set external Radius server port number.

Set external Radius server shared secret password.

Defines MU timeout period in seconds (1-255).

Sets the maximum number of MU retries to <retry> (1-10).

Enable or disable syslog messages.

Defines syslog server IP address.

Set the EAP MU supplicant quiet period to <time> seconds (1-65535).

Sets the EAP MU supplicant timeout in seconds (1-255).

Sets the EAP MU supplicant TX period <time> in seconds (1-65535).

enc <idx> wep keyguard passkey index hex key ascii key mixed mode tkip rotate mode interval allow wpa2
95.  The System Name is useful if multiple devices are being administered.

3. Select the Country for the access point's country of operation from the drop down menu.

The access point prompts the user for the correct country code on the first login. A warning message also displays stating that an incorrect country setting may result in illegal radio operation. Selecting the correct country is central to legally operating the access point. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted. To ensure compliance with national and local laws, be sure to set the country accurately. CLI and MIB users cannot configure their access point until a two character country code (for example, United States - us) is set. Refer to Appendix A, Country Codes on page A
96.  idx>        Deletes entry <idx> (1-10) from the access control list.
      all    Deletes all entries from the access control list.
v1v2c <idx>  Deletes entry <idx> (1-10) from the v1 v2 configuration list.
      all    Deletes all entries from the v1 v2 configuration list.
v3    <idx>  Deletes entry <idx> (1-10) from the v3 user definition list.
      all    Deletes all entries from the v3 user definition list.

Example:

admin system snmp access>list acl

index  start ip      end ip
1      209.236.24.1  209.236.24.46

admin system snmp access>delete acl all
admin system snmp access>list acl

index  start ip      end ip

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-33.

AP51xx>admin system snmp access> list

Description: Lists SNMP access entries.

Syntax:
list  acl       Lists SNMP access control list entries.
      v1v2c     Lists SNMP v1 v2c configuration.
      v3 <idx>  Lists SNMP v3 user definition with index <idx>.
      all       Lists all SNMP v3 user definitions.

Example:

admin system snmp access>list acl

index  start ip      end ip
1      209.236.24.1  209.236.24.46

admin system snmp access>list v1v2c

index  community  access      oid
1      public     read only   1.3.6.1
2      private    read write  1.3.6.1

admin system snmp access>list v3 2

index              : 2
username           : judy
access permission  : read write
object identifier
97.  in the location's HTTP header.

To host a Login page on the external Web server, the IP address of the Web server should be in the White list (list of IP addresses allowed to access the server) configuration. Ensure the Login page is designed so the submit action always posts the login data on the access point.

To define the White List for a target WLAN:

1. Click the White List Entries button from within the WLAN's Hotspot Config screen.
2. Click the Add button to define an IP address for an allowed destination IP address.
3. Select a White List entry and click the Del button to remove the address from the White List.
4. Click OK to return to the Hotspot Config screen where the configuration can be saved by clicking the Apply button.

Now the user enters his/her credentials on the Login page and submits the page. The Login Handler will execute a CGI script, which will use this data as input.

5. Click Cancel to return to the Hotspot Config screen without saving any of the White List entries defined within the White List Entries screen.

5.3.2 Setting the WLAN's Radio Configuration

Each access point WLAN can have a separate 802.11a or 802.11b/g radio configured and mapped to that WLAN. The first step is to enable the radio.

One of two possible radio configuration pages is available on the access point depending on which model SKU is purchased. If the access point is a single radio model, the Radio Conf
98.  information on displaying VPN information using the applet (GUI), see Viewing VPN Status on page 6-50.

AP51xx>admin network wan vpn> reset

Description: Resets all of the access point's VPN tunnels.

Syntax:
reset    Resets all VPN tunnel states.

Example:

admin network wan vpn>reset
VPN tunnels reset.

admin network wan vpn>

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

AP51xx>admin network wan vpn> stats

Description: Lists statistics for all active tunnels.

Syntax:
stats    Display statistics for all VPN tunnels.

Example:

admin network wan vpn>stats

Eng2EngAnnex  Not Active
SJSharkey     Not Active

For information on displaying VPN information using the applet (GUI), see Viewing VPN Status on page 6-50.

AP51xx>admin network wan vpn> ikestate

Description: Displays statistics for all active tunnels using Internet Key Exchange (IKE).

Syntax:
ikestate    Displays status about Internet Key Exchange (IKE) for all tunnels. In particular, the table indicates whether IKE is connected for any of the tunnels, it provides the destination IP address, and the remaining lifetime of the IKE key.

Example:

admin network wan vpn>ikestate

Eng2EngAnnex  Not Connected
SJSharkey     Not Connected

admin network wan vpn>

For information on configuring IKE using the appl
99.  intend to adopt.

10.1.5 Switch Discovery

For an AP 51XX to function as an AAP (regardless of mode), it needs to connect to a switch to receive its configuration. There are two methods of switch discovery:

• Auto Discovery using DHCP
• Manual Adoption Configuration

NOTE To support switch discovery, a WS5100 model switch must be running firmware version 3.1 or higher, whereas a RFSW6000 or RFS7000 model switch must be running firmware version 1.1 or higher. The access point must be running firmware version 2.0 or higher.

10.1.5.1 Auto Discovery using DHCP

Extended Global Options 189, 190, 191, 192 can be used or Embedded Option 43. Vendor Specific options can be embedded in Option 43 using the vendor class identifier: MotorolaAP 51xx V2 0 0

Option                                                                                       Code  Data Type
List of Switch IP addresses (separate by comma, semi colon, or space delimited)              188   String
Switch FQDN                                                                                  190   String
AP 51XX Encryption IPSec Passphrase (Hashed)                                                 191   String
AP 51XX switch discovery mode (1 = auto discovery enable, 2 = auto discover enabled using IPSec)  192   String

The AP 51xx uses an encryption key to hash passphrases and security keys. To obtain the encryption passphrase, configure an AP 51xx with the passphrase and export the configuration file.
100.  leave both of the "Available On" radio options unselected.

4. Select the Client Bridge checkbox to enable client bridge functionality on the 802.11a radio. Use the Mesh Network Name drop down menu to select the name of the WLAN created in step 3.

NOTE You don't need to configure channel settings on the client bridge (AP 3). It automatically finds the base bridges (AP 1 and AP 2) and uses the channel assigned to them.
101.  <acl name>                      Displays the parameters of a new ACL policy.
set acl name <index>             Sets the MU ACL policy name.
    mode <acl mode>              Sets the ACL mode for the defined index (1-16). Allowed MUs can access the access point managed LAN. Options are deny and allow.
add addr <mac1> or <mac1> <mac2>  Adds specified MAC address to list of ACL MAC addresses.
delete <index> <all>             Removes either a specified ACL index or all ACL entries.
add policy                       Completes the policy creation and exits the CLI.
                                 Cancels the creation of the ACL and exits the CLI.

Example:

admin network wireless acl create>show

Policy Name : Front Lobby
Policy Mode : allow

start mac      end mac
00A0F8334455   00A0F8334455
00A0F8400000   00A0F8402001

admin network wireless acl create>set acl name engineering
admin network wireless acl create>set mode deny
admin network wireless acl create>add addr 00A0F843AABB
admin network wireless acl create>add policy

For information on configuring the ACL options available to the access point using the applet (GUI), see Configuring a WLAN Access Control List (ACL) on page 5-37.

AP51xx>admin network wireless acl edit>

Description: Edits the properties of an existing MU ACL policy.

Syntax:
show      Displays MU ACL policy and its parameters.
set       Modifies the properties of an existing MU ACL policy.
add addr  Adds an MU ACL table entry
102.  <ipadr>    Removes a specified Radius client (by IP address) from those available to the Radius server.

Example:

admin system radius client>delete 157.235.132.11

admin system radius client>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

AP51xx>admin system radius client> show

Description: Displays a list of configured Radius clients.

Syntax:
show    Removes a specified Radius client from those available to the Radius server.

Example:

admin system radius client>show

1  157.235.132.11  255.255.255.225  REAR

admin system radius client>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

8.4.7 System Network Time Protocol (NTP) Commands

AP51xx>admin system> ntp

Description: Displays the NTP menu. The correct network time is required for numerous functions to be configured accurately on the access point.

Syntax:
show       Shows NTP parameters settings.
date zone  Show date, time and time zone.
zone list  Displays list of time zones.
set        Sets NTP parameters.
           Goes to the parent menu.
           Goes to the root menu.
save       Saves the configuration to system flash.
quit       Quits the CLI.

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP
103.  mapping>lan map wlan1 lan1

For information on mapping VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5.

AP51xx>admin network lan wlan mapping> vlan map

Description: Maps an access point VLAN to a WLAN.

Syntax:
vlan map <wlan name>  Maps an existing WLAN to an enabled LAN. All names and IDs are case sensitive.
         <vlan name>  Defines the existing VLAN name. All names and IDs are case sensitive.

admin network lan wlan mapping>vlan map wlan1 vlan1

For information on mapping VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5.

8.3.1.3 Network LAN, DHCP Commands

AP51xx>admin network lan dhcp>

Description: Displays the access point DHCP submenu. The items available are displayed below.

show    Displays DHCP parameters.
set     Sets DHCP parameters.
add     Adds static DHCP address assignments.
delete  Deletes static DHCP address assignments.
list    Lists static DHCP address assignments.
        Goes to the parent menu.
        Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI and exits the session.

AP51xx>admin network lan dhcp> show

Description: Shows DHCP parameter settings.

Syntax:
show    Displays DHCP parameter settings for the access point. These parameters are defined with the set command.

Example:

admin n
104.  maximum number of headers allowed (at least 12 headers).

without clicking the Apply button results in all changes to the screens being lost.

6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Firewall screen to the last saved configuration.

7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.10.1 Configuring LAN to WAN Access

The access point LAN can be configured to communicate with the WAN side of the access point. Use the Subnet Access screen to control access from the LAN1 (or LAN2) interfaces to the WAN interface. This access level will function as an ACL in a router to allow/deny certain IP addresses or subnets to access certain interfaces (or subnets belonging to those interfaces) by creating access policies. It also functions as a filter to allow/deny access for certain protocols such as HTTP, Telnet, FTP etc.

To configure access point subnet access:

1. Select Network Configuration > Firewall > Subnet Access from the access point menu tree.

2. Refer to the Overview field to view rectangles representing subnet associations. The three possible colors indicate the current access level, as defined, for each subnet association.

Color  Access Type  Description
Green  Full Access  No protocol exceptions (rules) are specified. All traffic may pass b
105.  mode <bw mode>  Defines bandwidth share mode of First In First Out <fifo>, Round Robin <rr> or Weighted Round Robin <wrr>.
weight <num>    Assigns a bandwidth share allocation for the WLAN <index 1-16> when Weighted Round Robin <wrr> is selected. The weighting is from 1-10.

For information on configuring the Bandwidth Management options available to the access point using the applet (GUI), see Configuring Bandwidth Management Settings on page 5-65.

8.3.3.7 Network Rogue AP Commands

AP51xx>admin network wireless rogue ap>

Description: Displays the Rogue AP submenu. The items available under this command include:

show          Displays the current access point Rogue AP detection configuration.
set           Defines the Rogue AP detection method.
mu scan       Goes to the Rogue AP mu scan submenu.
allowed list  Goes to the Rogue AP Allowed List submenu.
active list   Goes to the Rogue AP Active List submenu.
rogue list    Goes to the Rogue AP List submenu.
              Goes to the parent menu.
              Goes to the root menu.
save          Saves the configuration to system flash.
quit          Quits the CLI.

AP51xx>admin network wireless rogue ap> show

Description: Displays the current access point Rogue AP detection configuration.

Syntax:
show    Displays the current access point Rogue AP detection configuration.

Example:

admin network wireless rogue ap>show

MU Scan   d
106.  Importing a CA Certificate on page 4-16.

AP51xx>admin system cmgr> showreq

Description: Displays a certificate request in PEM format.

Syntax:
showreq <IDname>    Displays a certificate request named <IDname> generated from the genreq command (7 characters maximum).

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.

AP51xx>admin system cmgr> delprivkey

Description: Deletes a private key.

Syntax:
delprivkey <IDname>    Deletes private key named <IDname>.

For information on configuring certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-18.

AP51xx>admin system cmgr> listprivkey

Description: Lists the names of private keys.

Syntax:
listprivkey    Lists all private keys and their associated certificates.

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.

AP51xx>admin system cmgr> expcert

Description: Exports the certificate file to a user defined location.

Syntax:
expcert    Exports the access point's CA or Self certificate file.

To export certificate information from an AP 5131 or AP 5181 model access point:

admin system cmgr>expcert <type> <file name>
107.  network administrator needs to confirm the appropriate primary and secondary port numbers for authentication. This setting is not available if Internal has been selected from the Radius Server drop down menu.

RADIUS Shared Secret
Specify a shared secret for authentication on the Internal or Primary Radius server (External Radius Server only). The shared secret is required to match the shared secret on the Radius server. Optionally, specify a shared secret for a secondary (failover) server. Use shared secrets to verify Radius messages (with the exception of the Access Request message) sent by a Radius enabled device configured with the same shared secret. Apply the qualifications of a well chosen password to the generation of a shared secret. Generate a random, case sensitive string using letters and numbers. Verify the shared secret is at least 22 characters to protect the Radius server from brute force attacks. An example of a strong and secure shared secret is: 8d >9fq4bV H7 a3 2E13sW

7. Select the Accounting tab as required to define a timeout period and retry interval Syslog for MUs interoperating with the access point and EAP authentication server. The items within this tab could be enabled or disabled depending on whether Internal or External has been selected from the Radius Server drop down menu.

External Radius Server Addre
Specify the IP address of the external Radius server used to provide
108.  network wireless

Description: Displays the access point wireless submenu. The items available under this command include:

wlan            Displays the WLAN submenu used to create and configure up to 16 WLANs per access point.
security        Displays the security submenu used to create encryption and authentication based security policies for use with access point WLANs.
acl             Displays the Access Control List (ACL) submenu to restrict or allow MU access to access point WLANs.
radio           Displays the radio configuration submenu used to specify how the 802.11a or 802.11b/g radio is used with specific WLANs.
qos             Displays the Quality of Service (QoS) submenu to prioritize specific kinds of data traffic within a WLAN.
bandwidth       Displays the Bandwidth Management submenu used to configure the order data is processed by an access point radio.
rogue ap        Displays the Rogue AP submenu to configure devices located by the access point as friendly or threatening for interoperability.
wips            Goes to the WLAN Intrusion Prevention submenu.
mu locationing  Displays the MU locationing submenu.
                Goes to the parent menu.
                Goes to the root menu.
save            Saves the configuration to system flash.
quit            Quits the CLI.

8.3.3.1 Network WLAN Commands

AP51xx>admin network wireless wlan>

Description: Displays the access point wireless LAN (WLAN) submenu. The items available under this command include:

show    Displays the access point's current WLAN configur
109.  CAUTION If using a Linux server configured to support the BootP "bf" option, an
not be triggered unless both the Enable Automatic Firmware Update and Enable Automatic Configuration Update options are selected. If the Configuration Update option is disabled, the access point will not download the configuration file. Without the configuration file, the access point cannot parse for the firmware file name required to trigger the firmware update.

If updating the access point manually, configure the Update Firmware fields as required to set a filename and target firmware file upload location for firmware updates.

4. Specify the name of the target firmware file within the Filename field.

5. If the target firmware file resides within a directory, specify a complete path for the file within the Filepath (optional) field.

6. Enter an IP address for the FTP or TFTP server used for the update. Only numerical IP address names are supported, no DNS can be used.

7. Select FTP or TFTP to define whether the firmware file resides on a FTP or TFTP server.

8. Set the following FTP or TFTP parameters:

• Username - Specify a username for the FTP server login.
• Password - Specify a password for FTP server login. Default is motorola. A blank password is not supported.

NOTE Click Apply to save the settings before performing the firmware update. The user is not able to navigate the access point user interface while t
110.  of MUs currently associated with each access point radio.

T-put    Displays the total throughput in Megabits per second (Mbps) for each access point radio listed. To adjust the data rate for a specific radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.
ABS      Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each access point radio.
RF Util  Displays the approximate RF Utilization for each access point radio.
% NU     Displays the percentage of the total packets that are non-unicast. Non-unicast packets include broadcast and multicast packets.
Retries  Displays the average number of retries per packet on each radio. A high number could indicate network or hardware problems.

3. Click the Clear All Radio Stats button to reset each of the data collection counters to zero in order to begin new data collections.

Do not clear the radio stats if currently in an important data gathering activity or risk losing all data calculations to that point.

For information on viewing radio statistics particular to the access point radio type displayed within the AP Stats Summary screen, see Viewing Radio Statistics on page 7-22.

4. Click the Logout button to securely exit the Access Point applet.

7.4.1 Viewing Radio Statistics

Refer to the Radio Stats screen to view detailed information for the access point radio (either 802.11a or 802.11b/g) displayed within the Radio Su
111. on installing the AP-5181 to a pole, see AP-5181 Pole Mounted Installations on page 2-24.
   • For instructions on installing the AP-5181 to a wall, see AP-5181 Wall Mounted Installations on page 2-27.

For information on the 802.11a and 802.11b/g radio antenna suite available to the access point, see Antenna Options on page 2-6. For more information on using a Power Injector to combine Ethernet and power in one cable to an AP-5131 model access point, see Power Injector and Power Tap Systems on page 2-10. To verify AP-5131 LED behavior once installed, see AP-5131 LED Indicators on page 2-23. To verify the behavior of the AP-5181 LEDs once installed, see AP-5181 LED Indicators on page 2-29.

3.2 Configuration Options

Once installed and powered, an AP-5131 or AP-5181 can be configured using one of several connection techniques. Managing the access point includes viewing network statistics and setting configuration options. The access point requires one of the following connection methods to manage the network:

   • Secure Java-Based Web UI (use Sun Microsystems' JRE 1.5 or higher, available from Sun's Web site. Disable Microsoft's Java Virtual Machine if installed). For information on using the Web UI to set access point default configuration, see Basic Device Configuration on page 3-5 or chapters 4 through 7 of this guide.
   • Command Line Interface (CLI) via Serial, Telnet and SSH. The access point CLI is accessed through the RS232 port, via Telnet or SSH
112. on the finished side of the tile where the light pipe is to be located. Create a light pipe path hole in the target position on the ceiling tile. Use a drill to make a hole in the tile the approximate size of the AP-5131 LED light pipe.

CAUTION: Motorola recommends care be taken not to damage the finished surface of the ceiling tile when creating the light pipe hole and installing the light pipe.

   7. Remove the light pipe's rubber stopper before installing the light pipe.
   8. Connect the light pipe to the bottom of the AP-5131. Align the tabs and rotate approximately 90 degrees. Do not over tighten.

      [Figure: Light Pipe, Decal, Badge]

   9. Snap the clips of the light pipe into the bottom of the AP-5131.
   10. Fit the light pipe into hole in the tile from its unfinished side.
   11. Place the decal on the back of the badge and slide the badge onto the light pipe from the finished side of the tile.
   12. Attach the radio antennae to their correct connectors.

      [Figure: Ceiling Tile]

antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the se
113. page 1-30.

The Radio Type parameter simply displays the radio type as 802.11a or 802.11b/g. This field is read only and always displays the radio type selected from the access point menu tree under the Radio Configuration item.

Extended Rate PHY (ERP) allows 802.11g MUs to interoperate with 802.11b only MUs. ERP Protection is managed automatically by the access point and informs users when 802.11b MUs are present within the access point's coverage area. The presence of 802.11b MUs within the 802.11g coverage area negatively impacts network performance, so this feature should be looked to as an indicator of why network performance has been degraded.

transmit power level and data rate.

Channel Setting
Antenna Diversity
Power Level

The following channel setting options exist:

User Selection - If selected, use the drop-down menu to specify the legal channel for the intended country of operation. The drop-down menu is not available if this option is not selected.

Automatic Selection - When the access point is booted, the access point scans non-overlapping channels listening for beacons from other access points. For 802.11b, it scans channels 1, 6, and 11. For 802.11a, all channels are non-overlapping. After the channels are scanned, it will select the channel with the fewest access points. In the case of multiple access points on the same channel, it will select the channel with the lowest average power level.

S
114. point radio to accept client bridge connections from other access points in client bridge mode. The base bridge is the acceptor of mesh network data from those client bridges within the mesh network and never the initiator.

   4. If the Base Bridge checkbox has been selected, use the Max# Client Bridges parameter to define the client bridge load on a particular base bridge.

      The maximum number of client bridge connections per radio is 12, with 24 representing the maximum for dual-radio models.

      CAUTION: An access point in Base Bridge mode logs out whenever a Client Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the access point's WAN connection. If this situation is experienced, log in to the access point again.

      Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of client bridge connections for this specific radio displays within the CBs Connected field. If this is an existing radio within a mesh network, this value updates in real time.

      CAUTION: A problem could arise if a Base Bridge's Indoor channel is not available on an Outdoor Client Bridge's list of available channels. As long as an Outdoor Client Bridge has the Indoor Base Bridge channel in its available list of channels, it can associate to the Base Bridge.

   5. Select the Client Bridge check
115. public hotspot and wants to browse a Web page, they boot their laptop and associate with a local Wi-Fi network by entering a valid SSID. They start a browser, and the hotspot's access controller forces the un-authenticated user to a Welcome page (from the hotspot operator) that allows the user to login with a username and password. In order to send a redirected page (a login page), a TCP termination exists locally on the access point. Once the login page displays, the user enters their credentials. The access point connects to the Radius server and determines the identity of the connected wireless user, thus allowing the user to access the Internet once successfully authenticated.

For detailed information on configuring the access point for Hotspot support, see Configuring WLAN Hotspot Support on page 5-46.

1.2.28 Routing Information Protocol (RIP)

RIP is an interior gateway protocol that specifies how routers exchange routing-table information. The parent Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used.

For detailed information on configuring RIP functionality as part of the access point's Router functionality, see Setting the RIP Configuration on page 5-72.

1.2.29 Manual Date and Time Settings

As an alternative to defining a NTP server to provide access point system time, the access point can now have its date and time set manually. A new Manual Date/Time Setting scre
116. radio's extended range (from 0-50 miles).
Defines the cwmin, cwmax, aifsn and txops levels for the QoS policy used for the radio.
Sets the QBSS Channel Util Beacon Interval in kilo-usec (10 - 200).
Enables/disables the QBSS load element.

Example:

admin(network.wireless.radio.802-11a)>
admin(network.wireless.radio.802-11a)>set placement indoor
admin(network.wireless.radio.802-11a)>set ch mode user
admin(network.wireless.radio.802-11a)>set channel 1
admin(network.wireless.radio.802-11a)>set acs exception list 44 153 161
admin(network.wireless.radio.802-11a)>set antenna full
admin(network.wireless.radio.802-11a)>set power 4
admin(network.wireless.radio.802-11a)>set rates
admin(network.wireless.radio.802-11a)>set beacon 100
admin(network.wireless.radio.802-11a)>set dtim 1 10
admin(network.wireless.radio.802-11a)>set rts 2341
admin(network.wireless.radio.802-11a)>set qos cwmin 125
admin(network.wireless.radio.802-11a)>set qos cwmax 255
admin(network.wireless.radio.802-11a)>set qos aifsn 7
admin(network.wireless.radio.802-11a)>set qos txops 0
admin(network.wireless.radio.802-11a)>set qbss beacon 110
admin(network.wireless.radio.802-11a)>set qbss mode enable

For information on configuring the Radio 2 Configur
117. retain the settings made on the IKE Settings screen.

   5. Click Cancel to return to the VPN screen without retaining the changes made to the IKE Settings screen.

6.11.4 Viewing VPN Status

Use the VPN Status screen to display the status of the tunnels configured on the access point as well as their lifetime, transmit and receive statistics. The VPN Status screen is read-only with no configurable parameters. To configure a VPN tunnel, use the VPN configuration screen in the WAN section of the access point menu tree.

To view VPN status:

   1. Select Network Configuration -> WAN -> VPN -> VPN Status from the access point menu tree.

      [Figure: VPN Status screen]

   2. Reference the Security Associations field to view the following (Tunnel Name, Status, Outb SPI, Inb SPI):

      Tunnel Name: The Tunnel Name column lists the names of all the tunnels configured on the access point. For information on configuring a tunnel, see Configuring VPN Tunnels on page 6-36.

      Status: The Status column lists the status of each configured tunnel. When the tunnel is not in use, the status reads NOT_ACTIVE. When the tunnel is connected, the status reads ACTIVE.

      Outb SPI: The Outb SPI column displays the outbound Security Parameter Index (SPI) for each tunnel. The SPI is used loc
118. saving your changes.

Configuring Access Point Security

Security measures for the access point and its WLANs are critical. Use the available access point security options to protect the access point LAN from wireless vulnerabilities, and safeguard the transmission of RF packets between the access point and its associated MUs.

WLAN security can be configured on an ESS by ESS basis on the access point. Sixteen separate ESSIDs (WLANs) can be supported on an access point, and must be managed (if necessary) between the 802.11a and 802.11b/g radio. The user has the capability of configuring separate security policies for each WLAN. Each security policy can be configured based on the authentication (Kerberos, 802.1x EAP) or encryption (WEP, KeyGuard, WPA-TKIP or WPA2-CCMP) scheme best suited to the coverage area that security policy supports.

The access point can also create VPN tunnels to securely route traffic through an IPSEC tunnel and block transmissions with devices interpreted as Rogue APs.

NOTE: Security for the access point can be configured in various locations throughout the access point menu structure. This chapter outlines the security options available to the access point, and the menu locations and steps required to configure specific security measures.

6.1 Configuring Security Options

To configure the data protection
119. screen. The Apply button does not execute the firmware, only saves the update settings entered.

Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Firmware Update screen to the last saved configuration.

Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.9.1 Upgrade/Downgrade Considerations

When upgrading or downgrading access point configurations between the 1 0 0 0 xx (or 1 0 1 0 xx) and 1 1 0 0 xx baselines, the following should be taken into consideration as certain functionalities may not be available to the user after an upgrade/downgrade.

CAUTION: Prior to upgrading/downgrading the access point's configuration, ensure the access point's current configuration has been exported to a secure location. Having the configuration available is recommended in case errors occur in the upgrade/downgrade process.

When downgrading from 1 1 1 1 1 to 1 0, the access point is configured to default values. After a downgrade from 1 1 1 1 0 to 1 0 x x, WLANs mapped to LAN2 would still be usable, but now only available on LAN1. Once upgraded back, those WLANs previously available on LAN2 would still be mapped to LAN2.

If downgraded to the 1 0 0 0 xx baseline, and a restore factory defaults function is performed, only 1 0 0 0 xx default values are restored to their factory default values. The featur
120. show <idx> <cr>   Displays access point NAT parameters for the specified NAT index.

Example:

admin(network.wan.nat)>show 2

WAN IP Mode   enable
WAN IP Address >   157.235.91.2
NAT Type   1-to-many
Inbound Mappings   Port Forwarding
unspecified port forwarding mode   enable
unspecified port fwd ip address   111.223.222.1

one to many nat mapping    157.235.91.2  157.235.91.2

admin(network.wan.nat)>

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

AP51xx>admin(network.wan.nat)> set

Description:

Sets NAT inbound and outbound parameters.

Syntax:

set type <index> <type>
    ip <index> <ip>
    inb <index> <ip> <mode>
    outb <index> <ip> <from> <to>

Sets the type of NAT translation for WAN address index <idx> (1-8) to <type> (none, 1-to-1, or 1-to-many).
Sets NAT IP mapping associated with WAN address <idx> to the specified IP address <ip>.
Sets inbound IP address for specified index <index> <ip address>.
Sets inbound mode for specified index <index> <enable/disable>.
Sets outbound IP address for specified index <index> <ip address>.
Sets outbound NAT destination <LAN1 or LAN2> <WAN ip 1-8 or None>.

Example:

admin(network.wan.nat)>set type 2 1-to-many

admin  network wan nat  g
121. the CA Certificates screen by clicking the Paste from Clipboard button.

The certificate is now ready to be loaded into the access point's flash memory.

   17. Click the Import root CA Certificate button from within the CA Certificates screen.
   18. Verify the contents of the certificate file display correctly within the CA Certificates screen.
   19. Open the certificate file and copy its contents into the Self Certificates screen by clicking the Paste from Clipboard button.
   20. Click the Load Certificate button.
   21. Verify the contents of the certificate file display correctly within the Self Certificates screen.

The certificate for the onboard Radius authentication of MUs has now been generated and loaded into the access point's flash memory.

4.4.4 Apache Certificate Management

Apache certificate management allows the update and management of security certificates for an Apache HTTP server. This allows users to upload a trusted certificate to their AP. When a client attaches to it with a browser, a warning message pertaining to the certificate no longer displays.

Apache certificate management utilizes the access point's existing Certificate Manager for the creation of certificates and keys. The certificate can then be loaded into the Apache file system.

To import or export an Apache certificate:

   1. Select System Configuration -> Certificate Mgmt -> Apache Certificates from the access point menu tree.

The Apache Certificate Import Expo
122. the Security Level area to specify a security level of noAuth (no authorization), AuthNoPriv (authorization without privacy), or AuthPriv (authorization with privacy).

The NoAuth setting specifies no login authorization or encryption for the user.
The AuthNoPriv setting requires login authorization, but no encryption.
The AuthPriv setting requires login authorization and uses the Data Encryption Standard (DES) protocol.

OID: Use the OID (Object Identifier) area to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.

Passwords: Select Passwords to display the Password Settings screen for specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 characters. Use the Authentication Algorithm drop-down menu to specify MD5 or SHA1 as the authentication algorithm. Use the Privacy Algorithm drop-down menu to define an algorithm of DES or AES-128bit. When entering the same username on the SNMP Traps and SNMP Access screens, the password entered on the SNMP Traps page overwrites the password entered on the SNMP Access page. To avoid this problem, enter the same password on both pages.

Access: Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for a user. Read-only access permits a user to retrieve access po
123. the associated WAN IP address.

   5. Click OK to return to the NAT screen. Within the NAT screen, click Apply to save any changes made on the Port Forwarding screen.
   6. Click Cancel to undo any changes made on Port Forwarding screen. This reverts all settings for the Port Forwarding screen to the last saved configuration.

5.2.2 Configuring Dynamic DNS

The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses via the WAN port. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address.

NOTE: DynDNS supports only the primary WAN IP address.

To configure dynamic DNS for the access point:

   1. Select Network Configuration -> WAN -> DynDNS from the access point menu tree.

      [Figure: DynDNS screen]

   2. Select the Enable checkbox to allow domain name information to be updated when the IP address associated with that domain changes.

      A username, password and hostname must be specified for domain name information to be updated.

      NOTE: The username, password and hostname are required to be registered at http://www.dyndns.com.

En
124. the current WLAN Intrusion Prevention configuration.
set    Sets WLAN Intrusion Prevention parameters.
..     Goes to the parent menu.
/      Goes to the root menu.
save   Saves the configuration to system flash.
quit   Quits the CLI.

AP51xx>admin(network.wireless.wips)> show

Description:

Shows the WLAN Intrusion Prevention configuration.

Syntax:

show   Displays the WLAN Intrusion Prevention configuration.

Example:

admin(network.wireless.wips)>show

WIPS Server 1 IP Address   192.168.0.21
WIPS Server 2 IP Address   10.10.1.1

admin(network.wireless.wips)>

AP51xx>admin(network.wireless.wips)> set

Description:

Sets the WLAN Intrusion Prevention configuration.

Syntax:

set <idx 1 and 2> <ip>   Defines the WLAN Intrusion Prevention Server IP Address for server IPs 1 and 2.

Example:

admin(network.wireless.wips)>set server 1 192.168.0.21

admin(network.wireless.wips)>

8.3.3.9 Network MU Locationing Commands

AP51xx>admin(network.wireless.mu-locationing)>

Description:

Displays the MU Locationing submenu. The items available under this command include:

show   Displays the current MU Locationing configuration.
set    Defines MU Locationing parameters.
..     Goes to the parent menu.
/      Goes to the root menu.
save   Saves the configuration to system flash.
quit   Quits the CLI.
125. the following for the antenna options available to an AP-5181 model access point.

The AP-5181 2.4 GHz antenna suite includes the following models:

Part Number | Antenna Type | Nominal Net Gain (dBi) | Description
ML-2499-FHPA5-01R | Omni-Directional Antenna | 5.0 | 2.4 GHz, Type N connector, no pigtail
ML-2499-FHPA9-01R | Omni-Directional Antenna | 9.0 | 2.4 GHz, Type N connector, no pigtail
ML-2452-PNA7-01R | Panel Antenna (Dual-Band) | 8.0 | 2.4 - 2.5 / 4.9 - 5.99 GHz, 66 deg/60 deg, Type N connector, with pigtail
ML-2452-PNA5-01R | Sector Antenna (Dual-Band) | 6.0 | 2.3 - 2.4 / 4.9 - 5.9 GHz, 120 deg Sector, Type N connector, with pigtail

The AP-5181 5 GHz antenna suite includes the following models:

Part Number | Antenna Type | Nominal Net Gain (dBi) | Description
ML-5299-FHPA6-01R | Omni-Directional Antenna | 7.0 | 4.900 - 5.850 GHz, Type N connector, no pigtail
ML-5299-FHPA10-01R | Omni-Directional Antenna | 10.0 | 5.8 GHz, Type N connector, no pigtail

2.5 Power Options

2.5.1 AP-5131 Power Options

The power options for the AP-5131 include:

   • Power Injector (Part No. AP-PSBIAS-1P2-AFR)
   • 48-Volt Power Supply (Part No. 50-14000-243R)
   • Any 802.3af midspan device.

2.5.2 AP-5181 Power Options

The power options for the AP-5181 inc
126. the system log file via FTP to a location specified with the set command. Refer to the command set under the (system.fwupdate) command for information on setting up an FTP server and login information.

Example:

admin(system.logs)>send

File transfer     In progress
File transfer     Done

admin(system.logs)>

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-47.

8.4.9 System Configuration-Update Commands

AP51xx>admin(system.config)>

Description:

Displays the access point configuration update submenu.

Syntax:

default   Restores the default access point configuration.
partial   Restores a partial default access point configuration.
show      Shows import/export parameters.
set       Sets import/export access point configuration parameters.
export    Exports access point configuration to a designated system.
import    Imports configuration to the access point.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to access point system flash.
quit      Quits the CLI.

AP51xx>admin(system.config)> default

Description:

Restores the full access point factory default configuration.

Syntax:

default   Restores the access point to the original (factory) configuration.

Example:

admin(system.config)>default

Are you sure you want to default the configuration   <yes/no>
127. time should be greater than the start time.

system>radius>policy>access time

set access days <group> <day selector keyword>
    group: Valid group name.
    day selector keyword: The allowed values are Mo, Tu, We, Th, Fr, Sa, Su, Weekdays, Weekends, all.

AP51xx>admin(system.radius.policy)> show

Description:

Displays a group's access policy.

Syntax:

show   Displays a group's access policy.

Example:

admin(system.radius.policy)>show

List of Access Policies

engineering   16
marketing   10
demo room 73
test demo   No Wlans

admin(system.radius.policy)>

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64.

8.4.6.3 AP51xx>admin(system.radius)> ldap

Description:

Goes to the LDAP submenu.

Syntax:

set    Defines the LDAP parameters.
show   Displays existing LDAP parameters (command must be supplied as "show all").
save   Saves the configuration to system flash.
quit   Quits the CLI.
..     Goes to the parent menu.
/      Goes to the root menu.

For information on configuring a Radius LDAP server using the applet (GUI), see Configuring LDAP Authentication on page 6-67.

AP51xx>admin(system.radius.ldap)> set

Description:

Defines the LDAP parameters.

Syntax    set Defi
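The day selector keywords and the start/end time rule from the Radius access policy commands above, worked through as an added example (not code from the guide or the access point firmware). It assumes times are given as HHMM strings and that the start minute is inclusive and the end minute exclusive; the class and function names are hypothetical.

```python
from datetime import datetime

# Day selector keywords as listed for the access policy command. Mapping them
# to Python weekday numbers (Monday=0) is this example's own choice.
DAY_SELECTORS = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Weekdays": {0, 1, 2, 3, 4},
    "Weekends": {5, 6},
    "all": {0, 1, 2, 3, 4, 5, 6},
}


def parse_hhmm(value):
    """Return minutes since midnight for an HHMM string such as '0830'."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"time must be four digits (HHMM): {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"time out of range: {value!r}")
    return hours * 60 + minutes


class AccessPolicy:
    """One time-based access policy for a group (hypothetical model)."""

    def __init__(self, days, start, end):
        if days not in DAY_SELECTORS:
            raise ValueError(f"unknown day selector: {days!r}")
        self.days = days
        self.start = parse_hhmm(start)
        self.end = parse_hhmm(end)
        # The end time has to be greater than the start time, so a single
        # policy cannot describe an interval that wraps past midnight.
        if self.end <= self.start:
            raise ValueError("end time must be greater than start time")

    def permits(self, when):
        """True if `when` falls on a selected day inside [start, end)."""
        minute = when.hour * 60 + when.minute
        return (when.weekday() in DAY_SELECTORS[self.days]
                and self.start <= minute < self.end)

    def overlaps(self, other):
        """True if both policies cover a common day and a common minute."""
        shared = DAY_SELECTORS[self.days] & DAY_SELECTORS[other.days]
        return bool(shared) and self.start < other.end and other.start < self.end


def find_overlaps(policies):
    """Return index pairs of policies in one group whose intervals collide."""
    return [(i, j)
            for i in range(len(policies))
            for j in range(i + 1, len(policies))
            if policies[i].overlaps(policies[j])]


def authorize(policies, credentials_ok, when):
    """Decide an authentication request for a group.

    The time window is checked first: a request outside every policy is
    denied even when the credentials are valid.
    """
    if not any(policy.permits(when) for policy in policies):
        return "deny: outside access window"
    return "accept" if credentials_ok else "deny: bad credentials"


if __name__ == "__main__":
    # Constructed sample policies for one group.
    group = [AccessPolicy("Weekdays", "0800", "1700"),
             AccessPolicy("Sa", "1000", "1400")]
    for ts in (datetime(2024, 1, 8, 9, 30), datetime(2024, 1, 14, 11, 0)):
        print(ts, authorize(group, True, ts))
```

Running `find_overlaps` over a group's policies before entering them catches intervals that collide on a shared day, which is easy to miss when one policy uses Weekdays and another names a single day.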
128. tkip  preauth  mu retry <count>  <time>  svr timeout  svr retry <count>  <type>  <passkey>  <key index>  <kidx> <key string>  <kidx>  <key string>  <mode>  <mode>  <time>  <mode>  <mode>

Sets the EAP maximum number of MU retries to <count> (1-10).

Sets the server timeout <time> in seconds (1 - 255).

Sets the maximum number of server retries to <count> (1-255).

Note: The WEP authentication mechanism saves up to four different keys (one for each WLAN). It is not a requirement to set all keys, but you must associate a WLAN with the same keys.

Sets the encryption type to <type> (one of none, wep40, wep104, keyguard, tkip, or ccmp) for WLAN <idx>.

The passkey used as a text abbreviation for the entire key length (4-32).

Selects the WEP/KeyGuard key (from one of the four potential values of <key index> (1-4)).

Sets the WEP/KeyGuard key for key index <kidx> (1-4) for WLAN <kidx> to <key string>.

Sets the WEP/KeyGuard key for key index <kidx> (1-4) for WLAN <kidx> to <key string>.

Enables or disables interoperation with WEP128 clients.

Note: TKIP parameters are only affected if "tkip" is selected as the encryption type.

Enables or disables the broadcast key.

Sets the broadcast key rotation interval to <time> in seconds (300-604800).

Enables o
129. to be enabled, see Enabling Authentication and Encryption Schemes on page 6-5.

Encryption Type: Displays the encryption method defined for the WLAN. If the encryption type does not match the desired scheme for the WLAN or needs to be enabled, see Enabling Authentication and Encryption Schemes on page 6-5.

Num. Associated MUs: Displays the total number of MUs currently associated with the WLAN. If this number seems excessive, consider segregating MUs to other WLANs if appropriate.

   3. Refer to the Traffic field to view performance and throughput information for the WLAN selected from the access point menu tree.

Pkts per second: The Total column displays the average total packets per second crossing the selected WLAN. The Rx column displays the average total packets per second received on the selected WLAN. The Tx column displays the average total packets per second sent on the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

Throughput: The Total column displays average throughput in Mbps for a given time period on the selected WLAN. The Rx column displays average throughput in Mbps for packets received on the selected WLAN. The Tx column displays average throughput for packets sent on the selected WLAN. The number in black represents statistics for the last 30 seconds and the number in blue represents statistics for the last hour. Use this inf
130. to import the security certificate from the server with the assigned filename and login information.

Export Certificate and Key: Click the Export Certificate and Key button to export the security certificate from the server with the assigned filename and login information.

   3. Refer to the Status field to review the progress of an import or export operation.

      When an import operation is in progress, an "importing certificate and key" message displays. Once completed, an indication of the import or export operation's success or failure displays.

   4. Click Apply to save any changes to the Apache certificate import/export configuration. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
   5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings within the screen to the last saved configuration.
   6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.5 Configuring SNMP Settings

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in potentially remote locations. MIB information accessed via SNMP is defined by a set of managed objects called object identifiers (OIDs). An object identifier (OID) is used to un
131. to verify Radius messages (with the exception of the Access-Request message) sent by a Radius-enabled device configured with the same shared secret. Apply the qualifications of a well-chosen password to the generation of a shared secret. Generate a random, case-sensitive string using letters and numbers. The default is motorola.

   8. Update the Administrator Access field to change the administrative password used to access the configuration settings.

      Change Admin Password: Click the Change Admin Password button to display a screen for updating the AP administrator password. Enter and confirm a new administrator password as required.

   9. Refer to the Login Message field to optionally define a message displayed to the customer as they login into the access point.

      Message Settings: Click the Message Settings button to display a screen used to create a text message. Once displayed, select the Enable Login Message checkbox to allow your customized message to be displayed when the user is logging into the access point. If the checkbox is not selected (as is the case by default), the user will encounter the login screen with no additional message. When the login message function is enabled, the user can enter a (511 character maximum) message describing any usage caveat required (such as the authorization disclaimer displayed on the following page). Thus, the login message can serve an important function by discouraging
132. to version to benefit from the new features described in this section. For information on upgrading the access point's firmware image, see Updating Device Firmware on page 4-54.

1.1.1 IP Filtering

IP filtering determines which IP packets are processed normally and which are discarded. If discarded, the packet is deleted and completely ignored (as if never received). Optionally apply different criteria to better refine which packets to filter.

IP filtering supports the creation of up to 18 filter rules enforced at layer 3. Once defined (using the access point's SNMP, GUI or CLI), filtering rules can be enforced on the access point's LAN1, LAN2 and WLAN interfaces. An additional default action is also available denying traffic when the filter rules fail. Lastly, imported and exported configurations retain their defined IP filtering configurations.

For information on configuring the access point's IP filtering functionality, see Configuring IP Filtering on page 5-75.

1.1.2 DHCP Lease Information

This release of the access point firmware provides an enhancement to the access point's existing DHCP server functionality, allowing a network administrator to monitor IP address usage. When either (or both) of the access point's LAN interfaces are configured as a DHCP server, a client's IP address lease assignment can now be monitored in respect to its lease period and expiration time. The access point's GUI and CLI interfaces su
133.  traffic from applications such as Web browsers, file transfers or email, but is inadequate for multimedia applications.
Voice over Internet Protocol (VoIP), video streaming and interactive gaming are highly sensitive to latency increases and throughput reductions. These forms of higher priority data traffic can significantly benefit from the QoS implementation. The WiFi Multimedia QOS Extensions (WMM) implementation used by the access point shortens the time between transmitting higher priority data traffic and is thus desirable for multimedia applications. In addition, U-APSD (WMM Power Save) is also supported.
WMM defines four access categories (voice, video, best effort and background) to prioritize traffic for enhanced multimedia support.
For detailed information on configuring QoS support, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.
1.2.8 Industry Leading Data Security
The access point supports numerous encryption and authentication techniques to protect the data transmitting on the WLAN.
The following authentication techniques are supported:
- Kerberos Authentication
- EAP Authentication
The following encryption techniques are supported:
- WEP Encryption
- KeyGuard Encryption
- Wi-Fi Protected Access (WPA) Using TKIP Encryption
- WPA2-CCMP (802.11i) Encryption
In addition, the access point supports the following additional security features:
- Firewall Security
- VPN Tunne
134.  unauthorized users from illegally managing the access point. As your message is entered, the character usage counter is updated to allow you to visualize how close you are coming to the maximum allowed number of characters. Click the Clear button at any time to remove the contents of the message and begin a new one. Once you have finished creating your message, click the OK button to return to the AP-51XX access screen.
AUTHORIZATION DISCLAIMER
10. Click Apply to save any changes to the access point Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
11. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the access point Access screen to the last saved configuration.
12. Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.
4.3.1 Defining Trusted Hosts
AP-51xx access can be restricted to up to 8 specific IP addresses. Trusted Host management restricts LAN1, LAN2 and WAN access (via SNMP, HTTP, HTTPS, Telnet and SSH). Only hosts with IP addresses matching those defined within the Trusted Host Access field are able to access the access point. Enabling the feature denies access from any subnet (IP address) not defined as trusted.
To restrict AP access to a set of user defined IP 
135.  use for the selected security protocol. If you specify an ESP protocol in a transform set, specify just an ESP encryption transform or both an ESP encryption transform and an ESP authentication transform.
When the particular transform set is used during negotiations for IPSec SAs, the entire transform set (the combination of protocols, algorithms, and other settings) must match a transform set at the remote end of the gateway.
Use the Manual Key Settings screen to specify the transform sets used for VPN access.
To configure manual key settings for the access point:
1. Select Network Configuration -> WAN -> VPN from the access point menu tree.
2. Refer to the VPN Tunnel Config field, select the Manual Key Exchange radio button and click the Manual Key Settings button.
[Screenshot: Manual Key Settings screen, with fields for AH Authentication, Inbound and Outbound AH Authentication Key, Inbound and Outbound SPI (Hex), ESP Type, ESP Encryption Algorithm, and Inbound and Outbound ESP Encryption Key]
3. Configure the Manual Key Settings screen to modify the following:
NOTE When entering 
136.  way to directly connect, and then send and receive datagrams over an IP network.
- ICMP: Internet Control Message Protocol is tightly integrated with IP. ICMP messages are used for out-of-band messages related to network operation. ICMP packet delivery is unreliable. Hosts cannot count on receiving ICMP packets for a network problem.
- AH: Authentication Header is one of the two key components of IP Security Protocol (IPsec). The other key component is Encapsulating Security Protocol (ESP). AH provides authentication, proving the packet sender really is the sender, and the data really is the data sent. AH can be used in transport mode, providing security between two end points. Also, AH can be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).
- ESP: Encapsulating Security Protocol is one of two key components of IP Security Protocol (IPsec). The other key component is Authentication Header (AH). ESP encrypts the packets and provides authentication services. ESP can be used in transport mode, providing security between two end points. ESP can also be used in tunnel mode, providing security like that of a Virtual Private Network (VPN).
- GRE: General Routing Encapsulation supports VPNs across the Internet. GRE is a mechanism for encapsulating network layer protocols over any other network layer protocol. Such encapsulation allows routing of IP packets between private IP netwo
137. System User Database Commands 8-183
System Radius Commands 8-196
System Network Time Protocol (NTP) Commands 8-219
System Log Commands 8-224
System Configuration Update Commands 8-230
Firmware Update Commands 8-237
Statistics Commands 8-241
Chapter 9. Configuring Mesh Networking
Mesh Networking Overview 9-1
The AP-51xx Client Bridge Association Process 9-3
Client Bridge Configuration Process Example 9-4
Spanning Tree Protocol (STP) 9-4
Defining the Mesh Topology 9-5
Mesh Networking and the AP-51xx's Two Subnets 9-5
Normal Operation 9-6
Impact of Importing/Exporting Configurations to a Mesh Network 9-6
Configuring Mesh Networking Support 9-6
Setting the LAN Configuration for Mesh Networking Support 9-6
Configuring a WLAN for Mesh Networking Support 9-9
Configuring the Access Point Radio for Mesh Support 9-13
Mesh Network Deployment - Quick Setup
138. 5. Configure the Key Rotation Settings field as required to set Broadcast Key Rotation and the update interval.
   Broadcast Key Rotation: Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation. When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively rotated on every interval specified in the Broadcast Key Rotation Interval. Enabling broadcast key rotation enhances the broadcast traffic security on the WLAN. This value is disabled by default.
   Update broadcast keys every (300-604800 seconds): Specify a time period in seconds to rotate the key index used for the broadcast key. Set the interval to a shorter duration like 3600 seconds for tighter broadcast traffic security on the wireless LAN. Set the interval to a longer duration like 86400 seconds for less broadcast traffic security requirements. Default value is 86400 secs.
6. Configure the Key Settings area as needed to set an ASCII Passphrase and 128-bit key.
   256-bit Key
   ASCII Passphrase: To use an ASCII passphrase (and not a hexadecimal value), select the checkbox and enter an alphanumeric string of 8 to 63 characters. The string allows character spaces. The access point converts the string to a numeric value. This passphrase saves the administra
139. 1 dot11i phrase 0 Symbol123
wlan 2 enable
wlan 2 ssid qs5 tkip
wlan 2 vlan 210
wlan 2 encryption type tkip
wlan 2 dot11i phrase 0 Symbol123
wlan 3 enable
wlan 3 ssid qs5 wep128
wlan 3 vlan 220
wlan 3 encryption type wep128
wlan 4 enable
wlan 4 ssid qs5 open
wlan 4 vlan 230
wlan 5 enable
wlan 5 ssid Mesh
wlan 5 vlan 111
wlan 5 encryption type ccmp
wlan 5 dot11i phrase 0 Symbol123
To configure a WLAN as an independent WLAN
wlan 5 independent
wlan 5 client bridge backhaul enable
wlan 6 enable
wlan 6 ssid test mesh
wlan 6 vlan 250
radio add 1 00 15 70 00 79 30 11bg aap5131
radio 1 bss 13
radio 1 bss 2 4
radio 1 bss 3 2
radio 1 channel power indoor 11 8
radio 1 rss enable
radio add 2 00 15 70 00 79 30 11a aap5131
radio 2 bss 15
radio 2 bss 2 1
radio 2 bss 3 2
radio 2 channel power indoor 48 8
radio 2 rss enable
radio 2 base bridge max clients 12
radio 2 base bridge enable
radio add 3 00 15 70 00 79 12 11bg aap5131
radio 3 bss 13
radio 3 bss 2 4
radio 3 bss 3 2
radio 3 channel power indoor 6 8
radio 3 rss enable
radio add 4 00 15 70 00 79 12 11a aap5131
radio 4 bss 15
radio 4 bss 2 6
radio 4 channel power indoor 48 4
radio 4 rss enable
radio 4 client bridge bridge select mode auto
radio 4 client bridge ssid Mesh
radio 4 client bridge mesh timeout 0
radio 4 client bridge enable
radio default 11a rss enable
radio d
140. 11a or 802.11b/g radio depending on which radio has been enabled.
2. Configure the Properties field to assign a name and placement designation for the radio.
   Placement: Use the Placement drop-down menu to specify whether the radio is located outdoors or indoors. Default placement depends on the country of operation selected for the access point.
   MAC Address: The access point, like other Ethernet devices, has a unique, hardware encoded Media Access Control (MAC) or IEEE address. MAC addresses determine the device sending or receiving data. A MAC address is a 48-bit number written as six hexadecimal bytes separated by colons. For example: 00:A0:F8:24:9A:C8. For additional information on access point MAC address assignments, see AP-51xx MAC Address Assignment on
   Radio Type
   ERP Protection
3. Configure the Radio Settings field to assign a channel, antenna diversity setting, radio
141. 11b/g radios (if using a dual radio sku access point). A rogue detection interval is the user defined interval the access point waits to search for rogue APs. Additionally, the access point does not detect rogue APs on illegal channels (channels not allowed by the regulatory requirements of the country the access point is operating in).
The rogue detection interval is used in conjunction with Motorola MUs that identify themselves as rogue detection capable to the access point. The detection interval defines how often the access point requests these MUs to scan for a rogue AP. A shorter interval can affect the performance of the MU, but it will also decrease the time it takes for the access point to scan for a rogue AP. A longer interval will have less of an impact to the MUs, but it will increase the amount of time used to detect rogue APs. Therefore, the interval should be set according to the perceived risk of rogue devices and the criticality of MU performance.
CAUTION Using an antenna other than the Dual Band Antenna (Part No. ML-2452-APA2-01) could render the access point's Rogue AP Detector Mode feature inoperable. Contact your Motorola sales associate for specific information.
To configure Rogue AP detection for the access point:
1. Select Network Configuration -> Wireless -> Rogue AP Detection from the access point menu tree.
142. 1b/g radio.
Use the QoS page to enable voice prioritization for devices to receive the transmission priority they may not normally receive over other data traffic. Voice prioritization allows the access point to assign priority to voice traffic over data traffic, and (if necessary) assign legacy voice supported devices (non-WMM supported voice devices) additional priority.
For detailed information on configuring voice prioritization over other voice enabled devices, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.
1.2.16 Support for CAM and PSP MUs
The access point supports both CAM and PSP powered MUs. CAM (Continuously Aware Mode) MUs leave their radios on continuously to hear every beacon and message transmitted. These systems operate without any adjustments by the access point.
A beacon is a uniframe system packet broadcast by the AP to keep the network synchronized. A beacon includes the ESSID, MAC address, Broadcast destination addresses, a time stamp, a DTIM (Delivery Traffic Indication Message) and the TIM (Traffic Indication Map).
PSP (Power Save Polling) MUs power off their radios for short periods. When a MU in PSP mode associates with an access point, it notifies the access point of its activity status. The access point responds by buffering packets received for the MU. PSP mode is used to extend an MU's battery life by enabling the MU to "sleep" during periods 
143. 2. Enable the radio(s) using the Enable checkbox(es).
Review the Radio Function to determine if this radio is currently functioning as a WLAN radio (typical access point functionality) or has been dedicated as a WIPS sensor.
Refer to RF Band of Operation parameter to ensure you are enabling the correct 802.11a or 802.11b/g radio. After the settings are applied within this Radio Configuration screen, the Radio Status and MUs connected values update. If this is an existing radio within a mesh network, these values update in real time.
CAUTION If a radio is disabled, be careful not to accidentally configure a new WLAN, expecting the radio to be operating when you have forgotten it was disabled.
3. Select the Base Bridge checkbox to allow the access
144. 31 or AP-5181 model access point.
admin(system.cmgr)>impcert <type> <file name> https <cr>
   type: ftp/tftp
   file name: Certificate file name
   https: If set to import apache certificate and key. Server options for this file are the same as that for the configuration file
admin(system.cmgr)>impcert tftp AP-51x1certs.txt
To configure AP-5131 or AP-5181 certificate management settings while conducting a firmware update or restoring a factory default configuration:
admin(system.cmgr)>
   genreq: generate a certificate request
   delself: deletes a signed certificate
   loadself: loads a signed certificate signed by the CA
   listself: lists the loaded signed self certificate
   loadca: loads the root CA certificate
   delca: deletes the root CA certificate
   listca: lists the loaded root CA certificate
   showreq: displays certificate request in PEM format
   delprivkey: deletes the private key
   listprivkey: lists the names of the private keys
   expcert: exports the target certificate file
   impcert: imports the target certificate file
   <: goes to the parent menu
   goes to the root menu
   save: saves the configuration to system flash
   quit: quits the CLI session
For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.
8.4.4 System SNMP Commands
AP51xx>admin(system)> snmp
Description: Displays the SNMP submenu. The items available under this command are shown b
145. 31 system configurations, see System Configuration on page 4-1.
NOTE If installing the AP-5181 in an outdoor area prone to high winds and rain, Motorola recommends using the AP-5181 Heavy Weather Kit (Part No. KT-5181-HW-01R). This kit shields an AP-5181 from high winds and water damage as a result of driving rain.
2.10 AP-5181 LED Indicators
The AP-5181 utilizes four LED indicators. Five LEDs display within four LED slots on the back of the access point. The five LEDs have the following display and functionality:
[Figure: AP-5181 LED indicators: Power and error conditions (split LED); Data over Ethernet; 802.11a radio activity; 802.11b/g radio activity]
146. 32f397a507d
username admin privilege superuser
username operator password 1 fe96dd39756ac41b 74283a9292652d366d73931f
To configure the ACL to be used in the CRYPTO MAP
ip access list extended AAP ACL permit ip host 10.10.10.250 any rule precedence 20
spanning tree mst cisco interoperability enable
spanning tree mst config
name My Name
country code us
logging buffered 4
logging console 7
logging host 157.235.92.97
logging syslog 7
snmp server sysname RFS7000 1
snmp server manager v2
snmp server manager v3
snmp server user snmptrap v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b
snmp server user snmpmanager v3 encrypted auth md5 0x7be2cb56f6060226f15974c936e2739b
snmp server user snmpoperator v3 encrypted auth md5 0x49c451c7c6893ffcede0491bbd0a12c4
To configure the passkey for a Remote VPN Peer: 255.255.255.255 denotes all AAPs. 12345678 is the default passkey. If you change on the AAP, change here as well.
crypto isakmp key 0 12345678 address 255.255.255.255
ip http server
ip http secure trustpoint default trustpoint
ip http secure server
ip ssh
no service pm sys restart
timezone America/Los_Angeles
license AP XYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXVXYXYXYXYXYXYXYXVXYXYXYXYXYXYXYXYXYXYXYXYXYXYXYXXYXYXYX
wireless
no adopt unconf radio enable
manual wlan mapping enable
wlan 1 enable
wlan 1 ssid qs5 ccmp
wlan 1 vlan 200
wlan 1 encryption type ccmp
wlan 
147. 415161718191A1B1C
Key 2: 202122232425262728292A2B2C
Key 3: 303132333435363738393A3B3C
Key 4: 404142434445464748494A4B4C
6. Click the Apply button to save any changes made within the WEP 64 Setting or WEP 128 Setting field of the New Security Policy screen.
7. Click the Cancel button to undo any changes made within the WEP 64 Setting or WEP 128 Setting field and return to the WLAN screen. This reverts all settings to the last saved configuration.
6.7 Configuring KeyGuard Encryption
KeyGuard is a proprietary encryption method developed by Motorola. KeyGuard is Motorola's enhancement to WEP encryption, and was developed before the finalization of WPA-TKIP. This encryption implementation is based on the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i.
WPA2-CCMP (not KeyGuard) offers the highest level of security among the encryption methods available with the access point.
1. Select Network Configuration -> Wireless -> Security from the access point menu tree.
   If security policies supporting KeyGuard exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting KeyGuard, continue to step 2.
2. Click the Create button to configure a new policy supporting KeyGuard.
   The New Security Policy screen displays with no authentication or encryption option
148. 48Vdc 170mA Nom 48Vdc
A.3 Radio Characteristics
The AP-5131 and AP-5181 access points have the following radio characteristics:
Operating Channels:
   802.11a radio - Channels 34-161 (5170-5825 MHz)
   802.11b/g radio - Channels 1-13 (2412-2472 MHz)
   802.11b/g radio - Channel 14 (2484 MHz Japan only)
   Actual operating frequencies depend on regulatory rules and certification agencies.
Receiver Sensitivity (all values in dBm):
   802.11a Radio        802.11b/g Radio
   6 Mbps    -88        11 Mbps   -84
   9 Mbps    -87        5.5 Mbps  -88
   12 Mbps   -85        2 Mbps    -90
   18 Mbps   -81        1 Mbps    -94
   24 Mbps   -79
   36 Mbps   -75
   48 Mbps   -70
   54 Mbps   -68
Radio Data Rates:
   802.11a radio: 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/Sec
   802.11g radio: 6, 9, 12, 18, 24, 36, 48, and 54 Mbit/Sec
   802.11b radio: 1, 2, 5.5, 11 Mbps
Wireless Medium: Direct Sequence Spread Spectrum (DSSS), Orthogonal Frequency Division Multiplexing (OFDM)
A.4 Antenna Specifications
The antenna suite differs between the AP-5131 and AP-5181 model access points. Ensure you have selected the correct model antenna before deploying the access point. For more information, see:
- AP-5131 Antenna Specifications
- AP-5181 Antenna Specifications
A.4.1 AP-5131 Antenna Specifications
CAUTION The antenna models described below are rated just for the AP-5131 model access point and its intended indoor deployment. They are not intended for outdoor use with an AP-5181 model access point.
149. 2. Click the Create button to configure a new ACL policy, or select a policy and click the Edit button to modify an existing ACL policy. The access point supports a maximum of 16 MU ACL policies.
[Screenshot: New MU ACL Policy screen, with a Name field, the Mobile Unit Access Control List allow/deny selection, and Start MAC and End MAC columns]
Either the New MU ACL Policy or Edit MU ACL Policy screens display.
Assign a name to the new or edited ACL policy that represents an inclusion or exclusion policy specific to a particular type of MU traffic you may want to use with a single or group of WLANs. More than one WLAN can use the same ACL policy.
Configure the parameters within the Mobile Unit Access Control List field to allow or deny MU access to the access point.
The MU adoption list identifies MUs by their MAC address. The MAC address is the MU's unique Media Access Control number printed on the device (for example, 00:09:5B:45:9B:07) by the manufacturer. A maximum of 200 MU MAC addresses can be added to the New/Edit MU ACL Policy screen.
   Access for the listed Mobile Units: Use the drop-down list to select Allow or Deny. This rule applies to the MUs listed in the table. For example, if the adoption rule is to Allow, access is granted for all MUs except those listed in the table.
   Add Clic
150. NOTE Though the Rogue AP and Firewall features appear after the Bandwidth Management features within the access point menu tree, they are described in Chapter 6, Configuring Access Point Security on page 6-1, as both items are data protection functions. More specifically, see Configuring Firewall Settings on page 6-27 and Configuring Rogue AP Detection on page 6-55.
5.4 Configuring WIPS Server Settings
An access point radio can function as a Wireless Intrusion Protection System (WIPS) sensor and upload sensor mode operation information to its parent WIPS Server. Either or both of the access point's radios can be set as a WIPS sensor. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all available channels.
NOTE WIPS support requires a Motorola AirDefense WIPS Server on the network. WIPS functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server.
Additionally, use the WIPS screen to define a primary and alternate WIPS server to submit event information for use within the WIPS console for device management and potential threat notification.
[Figure: AP Sensor, Motorola AirDefense WIPS, Rogue AP]
To define the attributes of the WIPS Server:
1. Select Network Configuration -> Wireless -> WIPS from the access point menu tree.
151. the following to discern the leased IP information supported by the selected access point LAN:
   IP Address: Displays the IP address provided by the access point's DHCP server to the requesting client. This IP address remains valid for the duration of the lease time.
   Range: Lists the range of numerical (non DNS name) IP addresses reserved for mapping client MAC addresses to IP addresses. This range was defined when setting the AP to function as a DHCP server within the LAN1 or LAN2 screen. For more information, see Configuring LAN and LAN2 Settings on page 5-9. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.
   MAC: Lists the factory provided MAC address of the requesting client.
   Life Left (sec): Displays the time remaining for IP address lease. This value is displayed in seconds.
3. Periodically select the Refresh button to update the IP address lease information, including the time remaining on each listed lease.
7.3 Viewing Wireless Statistics
Use the WLAN Statistics Sum
152. 9 for the two character country codes.
NOTE The System Name and Country are also configurable within the System Settings screen. Refer to Configuring System Settings on page 4-2, if necessary, to set a system location and admin email address for the access point or to view other default settings.
4. Optionally enter the IP address of the server used to provide system time to the access point within the Time Server field.
NOTE DNS names are not supported as a valid IP address. The user is required to enter a numerical IP address.
Once the IP address is entered, the access point's Network Time Protocol (NTP) functionality is engaged automatically. Refer to the access point Product Reference Guide for information on defining alternate time servers and setting a synchronization interval for the access point to adjust its displayed time. Refer to Configuring Network Time Protocol (NTP) on page 4-43, if necessary, for information on setting alternate time servers and setting a synchronization interval for the access point to adjust its displayed time.
5. Click the WAN tab to set a minimum set of parameters for using the WAN interface.
   a. Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the access point's WAN connection. No connections to a larger network o
153. 99 secs: Set the EAP reauthentication period to a shorter interval for tighter security on the WLAN's connections. Set the EAP reauthentication period to a longer time interval (at most, 9999 seconds) to relax security on wireless connections. The default interval of 3600 seconds is recommended.
   Max. Retries (1-99) retries: Define the maximum number of MU retries to reauthenticate after failing to complete the EAP process. Failure to reauthenticate in the specified number of retries results in a terminated connection. The default is 2 retries.
NOTE The default values described are the recommended values. Do not change these values unless consulted otherwise by an administrator.
9. Select the Advanced Settings tab as required to specify a MU quiet period, timeout interval, transmit period, and retry period for MUs and the authentication server. The items within this tab are identical regardless of whether Internal or External is selected from the Radius Server drop-down menu.
   - MU Quiet Period (1-65535) secs
   - MU Timeout (1-255) secs
   - MU Tx Period (1-65635) secs
   - MU Max Retries (1-10) retries
   - Server Timeout (1-255) secs
   - Server Max Retries (1-255 retries)
   MU Quiet Period: Specify an idle time (in seconds) between MU authentication attempts, as required by the authentication server. The default is 10 seconds.
   MU Timeout: Define the time (in seconds) for the access point's retransmission 
154. A or DES certificates. For additional information on configuring VPN tunnels, see Configuring VPN Tunnels on page 6-36.
4.4.3 Creating a Certificate for Onboard Radius Authentication
The access point can use its on-board Radius Server to generate certificates to authenticate MUs for use with the access point. In addition, a Windows 2000 or 2003 Server is used to sign the certificate before downloading it back to the access point's on-board Radius server and loading the certificate for use with the access point.
Both a CA and Self certificate are required for Onboard Radius Authentication. For information on CA Certificates, see Importing a CA Certificate on page 4-16. Ensure the certificate is in a Base 64 Encoded format or risk loading an invalid certificate.
CAUTION If using the Radius time-based authentication feature to authenticate access point user permissions, ensure the access point's time is synchronized with the CA server used to generate certificate requests.
CAUTION Self certificates can only be generated using the access point GUI and CLI interfaces. No functionality exists for creating a self certificate using the access point's SNMP configuration option.
To create a self certificate for on-board Radius authentication:
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the access point menu tree.
2. Click on the Add button to create the certificate request.
   The Cer
155. AC; MAC Address; Any ESSID; ESSID. Click Add to display a single set of editable MAC address and ESS address values. Click the Delete button to remove the highlighted line from the Rule Management field. The MAC and ESS address information previously defined is no longer applicable unless the previous configuration is restored. Click the Delete All button to remove all entries from the Rule Management field. All MAC and ESS address information previously defined is no longer applicable unless the previous configuration is restored. Select the Any MAC checkbox to prevent a device's MAC address (whether it is a known device MAC address or not) from being considered a rogue device. Click Add, and enter the device MAC address to be excluded from classification as a rogue device. Select the Any ESSid checkbox to prevent a device's ESSID (whether it is a known device ESSID or not) from being considered a rogue device. Click Add, and enter the name of a device ESSid to be excluded from classification as a rogue device. Click Apply to save any changes to the Rogue AP Detection screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Rogue AP Detection screen to the last saved configuration. Click Logout to securely exit the Access P
156. AN7Z is used to establish a client bridge connection, then the mesh network connection resides on LAN1. Therefore (depending upon the WLAN-to-LAN mapping), the access point could have multiple mesh connections on either LAN1 or LAN2. 9.1.5 Normal Operation. Once the mesh network is defined, all normal access point operations are still allowed. MUs are still allowed to associate with the access point as usual. The user can create WLANs, security policies and VLANs as with any other access point. DHCP services function normally and all layer 3 communications are allowed. WNMP is used to send information about each mesh network so information can be displayed to the user from any access point on the system. WNMP messages are AP-AP info messages used to send system status. 9.1.6 Impact of Importing/Exporting Configurations to a Mesh Network. When using the access point's Configuration Import/Export screen to migrate an access point's configuration to other access points, mesh network configuration parameters will get sent or saved to other access points. However, if using the Known AP Statistics screen's Send Cfg to APs functionality, "auto select" and "preferred list" settings do not get imported. configuration, do not import a base bridge configuration into an existing client bridge, as this could cause the mesh configuration to break. CAUTION: When using the Import/Export screen t
157. AP-5131 or AP-5181. Appendix C: Customer Support. Index. About This Guide. Introduction: This guide provides configuration and setup information for the AP-5131 and AP-5181 model access points. For the purposes of this guide, the devices will be called AP-51xx or the generic term "access point" when identical configuration activities are applied to both models. Document Conventions: The following document conventions are used in this document. NOTE: Indicates tips or special requirements. CAUTION: Indicates conditions that can cause equipment damage or data loss. WARNING: Indicates a condition or procedure that could result in personal injury or equipment damage. Notational Conventions: The following notational conventions are used in this document. Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents. Bullets indicate action items, lists of alternatives, and lists of required steps that are not necessarily sequential. Sequential lists (those describing step-by-step procedures) appear as numbered lists. Service Information: If a problem is encountered with the access point, contact Customer Support. Refer to Appendix C for contact information. Before calling, have th
158. Alive is enabled. Authentication Type: Use the Authentication Type menu to specify the authentication protocol(s) for the WAN connection. Choices include None, PAP or CHAP, PAP, or CHAP. Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP) are competing identity verification methods. PAP sends a username and password over a network to a server that compares the username and password to a table of authorized users. If the username and password are matched in the table, server access is authorized. WatchGuard products do not support the PAP protocol because the username and password are sent as clear text that a hacker can read. CHAP uses secret information and mathematical algorithms to send a derived numeric value for login. The login server knows the secret information and performs the same mathematical operations to derive a numeric value. If the results match, server access is authorized. After login, one of the numbers in the mathematical operation is changed to secure the connection. This prevents any intruder from trying to copy a valid authentication session and replaying it later to log in. 5. Click Apply to save any changes to the WAN screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost. 6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the WAN screen to the last saved co
159. Content filtering allows the blocking of up to 10 files or URL extensions and allows blocking of specific outbound HTTP, SMTP, and FTP requests. For detailed information on configuring content filtering support, see Configuring Content Filtering Settings on page 6-52. 1.2.9 VLAN Support. A Virtual Local Area Network (VLAN) can electronically separate data on the same AP from a single broadcast domain into separate broadcast domains. By using a VLAN, you can group by logical function instead of physical location. There are 16 VLANs supported on the access point. An administrator can map up to 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. In addition to these 16 VLANs, the access point supports dynamic, user-based VLANs when using EAP authentication. VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable administrators to group clients even when they are not members of the same network segment. For detailed information on configuring VLAN support, see Configuring VLAN Support on page 5-5. 1.2.10 Multiple Management Accessibility Options. The access point can be accessed and configured using one of the following methods: Java-Based Web UI; Human-readable config file (imported v
160. Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.
8.4.6 System Radius Commands
AP51xx>admin(system)> radius
Description: Goes to the Radius system submenu.
Syntax:
  eap     Goes to the EAP submenu.
  policy  Goes to the access policy submenu.
  ldap    Goes to the LDAP submenu.
  proxy   Goes to the proxy submenu.
  client  Goes to the client submenu.
  set     Sets Radius parameters.
  show    Displays Radius parameters.
  save    Saves the configuration to system flash.
  quit    Quits the CLI.
  ..      Goes to the parent menu.
  /       Goes to the root menu.
For information on configuring Radius using the applet (GUI), see Configuring User Authentication on page 6-64.
AP51xx>admin(system.radius)> set/show
Description: Sets or displays the Radius user database.
Syntax:
  set       Sets the Radius user database.
  show all  Displays the Radius user database.
Example:
  admin(system.radius)>set database local
  admin(system.radius)>show all
  Database : local
  admin(system.radius)>
For information on configuring Radius using the applet (GUI), see Configuring User Authentication on page 6-64.
8.4.6.1 AP51xx>admin(system.radius)> eap
Description: Goes to the EAP submenu.
Syntax:
  peap    Goes to the Peap submenu.
  ttls    Goes to the TTLS submenu.
  import  Imports the requeste
161. [Screenshot: WLAN configuration screen showing the Enable Client Bridge Backhaul and Enable Hotspot checkboxes, the Security Policy menu, the Kerberos User Name and Kerberos Password fields, the Disallow MU To MU Communication, Use Secure Beacon and Accept Broadcast ESSID checkboxes, and the Quality Of Service Policy menu.] 3. Assign an ESSID and Name to the WLAN that each access point will share when using this WLAN within their mesh network. Motorola recommends assigning a unique name to a WLAN supporting a mesh network to differentiate it from WLANs defined for non-mesh support. The name assigned to the WLAN is what is selected from the Radio Configuration screen for use within the mesh network. NOTE: It is possible to have different ESSID and WLAN assignments within a single mesh network (one set between the Base Bridge and repeater and another between the repeater and Client Bridge). However, for ease of management and to not waste network bandwidth, Motorola recommends using the same ESSID across the entire mesh network. 4. Use the Available On checkboxes to specify the access point radio(s) used with the target WLAN within the mesh network. The Available On checkboxes are for making this WLAN available for base bridges or repeaters to connect to. The Available On checkbox should only be selected for a mesh WLAN if this target access point is to be configured as a base bridge or repeater on
162. Encryption is a bad idea in a mesh network, since mesh networks are typically not guest networks, wherein public access is more important than data protection. Motorola also discourages user-based authentication schemes such as Kerberos and 802.1x EAP, as these authentication schemes are not supported within a mesh network. If none of the existing policies are suitable, select the Create button to the right of the Security Policy drop-down menu and configure a policy suitable for the mesh network. For information on configuring security using the authentication and encryption techniques available to the access point, see Enabling Authentication and Encryption Schemes on page 6-5. ACL policies should be configured to allow or deny a range of MAC addresses from interoperating with the WLAN used with the mesh network. ACLs should be defined based on the client bridge and repeater (an access point defined as both a base and client bridge) association requirements within the mesh network. For information on defining an ACL for use with the WLAN assigned to the mesh network, see Configuring a WLAN Access Control List (ACL) on page 5-37. NOTE: The Kerberos User Name and Kerberos Password fields can be ignored, as Kerberos is not supported as a viable authentication scheme within a mesh network. Select the Disallow MU to MU Communication checkbox to restrict MUs from interacting with eac
163.
  admin(system.config)>set server 192.168.22.12
  admin(system.config)>set user myadmin
  admin(system.config)>set file config.txt
  admin(system.config)>set passwd
  admin(system.config)>export ftp
  Export operation            : [ Started ]
  Building configuration file : [ Done ]
  File transfer               : [ In progress ]
  File transfer               : [ Done ]
  Export Operation            : [ Done ]
Export TFTP Example:
  admin(system.config)>set server 192.168.0.101
  admin(system.config)>set file config.txt
  admin(system.config)>export tftp
  Export operation            : [ Started ]
  Building configuration file : [ Done ]
  File transfer               : [ In progress ]
  File transfer               : [ Done ]
  Export Operation            : [ Done ]
CAUTION: Make sure a copy of the access point's current configuration is exported (to a secure location) before exporting the access point's configuration, as you will want a valid version available in case errors are encountered with the configuration export.
For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.
AP51xx>admin(system.config)> import
Description: Imports the access point configuration to the access point. Errors could display as a result of invalid configuration parameters. Correct the specified lines and import the file again until the import operation is error free.
Syntax:
  import ftp  Imports the access point configuration file from the FTP server. Use the set command to set the ser
164. [Screenshot: security policy screen with WEP 128 (104 bit key) selected, showing the Key #1-4 fields, the KeyGuard, WPA/WPA2 TKIP and WPA2/CCMP (802.11i) options, and the Apply, Cancel and Help buttons.] 4. Configure the WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys. Pass Key: Specify a 4 to 32 character pass key and click the Generate button. The access point, other proprietary routers and MUs use the same algorithm to convert an ASCII string to the same hexadecimal number. Non-Motorola clients and devices need to enter WEP keys manually as hexadecimal numbers. The access point and its target client(s) must use the same pass key to interoperate. Keys #1-4: Use the Key #1-4 fields to specify key numbers. The key can be either hexadecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button. The access point and its target client(s) must use the same key to interoperate. 5. Click the Apply button to save the security policy and return to the access point Quick Setup screen. At this point, you can test the access point
165. FSN (Arbitrary Inter-Frame Space Number) and TXOPs Time (opportunity to transmit) for each Access Category. Their values are explained as follows. CW Min: The contention window minimum value is the least amount of time the MU waits before transmitting when there is no other data traffic on the network. The longer the interval, the lesser likelihood of collision. This value should be set to a smaller increment for higher priority traffic. Reduce the value when traffic on the WLAN is anticipated as being smaller. CW Max: The contention window maximum value is the maximum amount of time the MU waits before transmitting when there is no other data traffic on the network. The longer the interval, the lesser likelihood of collision, but the greater propensity for longer transmit periods. AIFSN: The AIFSN is the minimum interframe space between data packets transmitted for the selected Access Category. This value should be set to a smaller increment for higher priority traffic to reduce packet delay time. TXOPs Time 32usec: The TXOPs Time is the interval the transmitting MU is assigned for transmitting. The default for Background traffic is 0. The same TXOPs values should be used for either the 802.11a or 802.11b/g radio; there is no difference. TXOPs Time ms: TXOP times range from 0.2 ms (background priority) to 3 ms (video priority) in an 802.11a network, and from 1.2 ms to 6 ms in an 802.11b/g network. The TXOP bursting capabi
166.
AP51xx>admin(network.wireless.mu-locationing)> show
Description: Displays the MU probe table configuration.
Syntax:
  show  Displays the MU probe table configuration.
Example:
  admin(network.wireless.mu-locationing)>show
  MU Probe Table Mode : disable
  MU Probe Table Size : 200
  admin(network.wireless.mu-locationing)>
AP51xx>admin(network.wireless.mu-locationing)> set
Description: Defines the MU probe table configuration used for locating MUs.
Syntax:
  set   Defines the MU probe table configuration.
  mode  Enables/disables a MU probe scan for the purposes of MU locationing.
  size  Defines the number of MUs in the table (the maximum allowed is 200).
Example:
  admin(network.wireless.mu-locationing)>set
  admin(network.wireless.mu-locationing)>set mode enable
  admin(network.wireless.mu-locationing)>set size 200
  admin(network.wireless.mu-locationing)>
8.3.4 Network Firewall Commands
AP51xx>admin(network.firewall)>
Description: Displays the access point firewall submenu. The items available under this command include:
  show      Displays the access point's current firewall configuration.
  set       Defines the access point's firewall parameters.
  access    Enables/disables firewall permissions through the LAN and WAN ports.
  advanced  Displays interoperability rules between the LAN and WAN ports.
  ..        Goes to the parent menu.
167. HCP and BOOTP servers must be on the same Management VLAN as well. Define a Native VLAN Tag for LAN1 and LAN2. A trunk port configured with 802.1Q tagging can receive both tagged and untagged traffic. By default, the access point forwards untagged traffic with the native VLAN configured for the port. The Native VLAN is VLAN 1 by default. Motorola suggests leaving the Native VLAN set to 1 as other layer 2 devices also have their Native VLAN set to 1. Use the LAN drop-down menu to map one of the two LANs to the WLAN listed to the left. With this assignment, the WLAN uses this assigned LAN interface. Select the Dynamic checkboxes (under the Mode column) to configure the VLAN mapping as a dynamic VLAN. Using Dynamic VLAN assignments, a VMPS (VLAN Management Policy Server) dynamically assigns VLAN ports. The access point uses a separate server as a VMPS server. When a frame arrives on the access point, it queries the VMPS for the VLAN assignment based on the source MAC address of the arriving frame. If statically mapping VLANs, leave the Dynamic checkbox specific to the target WLAN and its intended VLAN unselected. The administrator is then required to configure VLAN memberships manually. The Dynamic checkbox is enabled only when a WLAN has EAP configured. Otherwise, the checkbox is disabled. 12. Use the VLAN drop-down menu to select the name of the target VLAN to map to the WLAN listed on the left hand
168. I), see Updating Device Firmware on page 4-54.
AP51xx>admin(system.fw-update)>set
Description: Defines access point firmware update settings and user permissions.
Syntax:
  set fw-auto <mode>     When enabled, updates device firmware each time the firmware versions are found to be different between the access point and the specified firmware on the remote system.
      cfg-auto <mode>    When enabled, updates device configuration file each time the config file versions are found to be different between the access point and the specified LAN or WAN interface.
      file <name>        Defines the firmware file name (1 to 39 characters).
      path <path>        Specifies a path for the file (1 to 39 characters).
      server <ip>        The IP address for the FTP/TFTP server used for the firmware and/or config file update.
      user <name>        Specifies a username for FTP server login (1 to 39 characters).
      passwd <password>  Specifies a password for FTP server login (1 to 39 characters). Default is motorola.
Example:
  admin(system.fw-update)>set fw-auto enable
  admin(system.fw-update)>set cfg-auto enable
  admin(system.fw-update)>set file 2 0 0 0 29D
  admin(system.fw-update)>set path c  fw
  admin(system.fw-update)>set server 157.235.111.22
  admin(system.fw-update)>set user mudskipper
  admin(system.fw-update)>set passwd muddy
For information on updating access point device firmware
169. If this is your first time logging into the access point, you are unable to access any of the access point's commands until the country code is set. A new password will also need to be created.
8.1.2 Accessing the CLI via Telnet
To connect to the access point CLI through a Telnet connection:
1. If this is your first time connecting to your access point, keep in mind the access point uses a static IP WAN address (10.1.1.1). Additionally, the access point's LAN port is set as a DHCP client.
2. Enter the default username of admin and the default password of motorola. If this is your first time logging into the access point, you are unable to access any of the access point's commands until the country code is set. A new password will also need to be created.
8.2 Admin and Common Commands
AP51xx>admin>
Description: Displays admin configuration options. The items available under this command are shown below.
Syntax:
  help     Displays general user interface help.
  passwd   Changes the admin password.
  summary  Shows a system summary.
  network  Goes to the network submenu.
  system   Goes to the system submenu.
  stats    Goes to the stats submenu.
  ..       Goes to the parent menu.
  /        Goes to the root menu.
  save     Saves the configuration to system flash.
  quit     Quits the CLI.
AP51xx>admin>help
Description: Displays general CLI user interface help.
Syntax:
  help  Displays command line
170. Inbound or Outbound encryption or authentication keys, an error message could display stating the keys provided are "weak". Some WEP attack tools invoke a dictionary to hack WEP keys based on commonly used words. To avoid entering a weak key, try not to produce a WEP key using commonly used terms and attempt to mix alphabetic and numerical key attributes when possible. AH Authentication: AH provides data authentication and anti-replay services for the VPN tunnel. Select the required authentication method from the drop-down menu. None: Disables AH authentication. The rest of the fields are not active. MD5: Enables the Message Digest 5 algorithm requiring 128-bit (32-character hexadecimal) keys. SHA1: Enables Secure Hash Algorithm 1, requiring 160-bit (40-character hexadecimal) keys. Inbound AH Authentication Key: Configure a key for computing the integrity check on inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding outbound key on the remote security gateway. Outbound AH Authentication Key: Configure a key for computing the integrity check on outbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key value must match the corresponding inbound key on the rem
171. Injector. For an overview on the optional antennae for the AP-5131, see Antenna Options on page 2-6. For detailed specifications on the 2.4 GHz and 5 GHz antenna suite, see 2.4 GHz Antenna Matrix on page A-5 and 5 GHz Antenna Matrix on page A-6. CAUTION: Using an antenna other than the Dual-Band Antenna (Part No. ML-2452-APA2-01) could render the AP-5131's Rogue AP Detector Mode feature inoperable. Contact your sales associate for specific information. 2.2.2 AP-5181 Configurations. Unlike the AP-5131, an AP-5181 is only available in a dual-radio configuration. There is one mechanical version of the AP-5181 providing one SKU option (with both 802.11a and 802.11g radios in the access point). The following is the AP-5181 orderable SKU. Part No. AP-5181-13040-WWR: 1 AP-5181 802.11a/g Dual Radio Access Point; 1 AP-5181 Install Guide; 1 WEEE Regulatory Addendum; 1 set of cable connectors; 3 antenna dust cover; 2 connector cover AP67 jack, plus chain_LTW M9 14 SB. NOTE: To mount the AP-5181 access point to a pole (1.5 - 18 inches in diameter), an AP-5181 Mounting Kit (Part No. KT-5181-WP-01R) can be separately ordered. This kit contains the brackets and accessories required to mount the AP-5181 to a pole or wall. NOTE: If installing the AP-5181 in an outdoor area prone to high winds and rain, Motorola recommends using the AP-5181 Heavy Weather Kit (Part No. KT-5181-HW-01R). This kit shields an
172.
  L-2499-HPA3-01R     Omni-Directional Antenna             3.3
  ML-2499-BYGA2-01R   Yagi Antenna                         13.9
  ML-2452-APA2-01     Dual-Band                            3.0
NOTE: An additional adapter is required to use ML-2499-11PNA2-01 and ML-2499-BYGA2-01 model antennae. Please contact Motorola for more information.
[Figure: Radio 1]
The AP-5131 5 GHz antenna suite includes the following models:
  Part No.            Antenna Type                         Nominal Net Gain (dBi)
  ML-5299-WPNA1-01R   Panel Antenna                        13.0
  ML-5299-HPA1-01R    Wide-Band Omni-Directional Antenna   5.0
  ML-2452-APA2-01     Dual-Band                            4.0
[Figure: Radio 2]
For detailed specifications on the 2.4 GHz and 5 GHz antennae mentioned in this section, see section 2.4 GHz Antenna Matrix on page A-5 and section 5 GHz Antenna Matrix on page A-6.
2.4.2.2 AP-5181 Antenna Options
Both Radio 1 and Radio 2 require one antenna and can optimally use two antennae per radio (4 antennae total). Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. Two antennae per radio provides diversity that can improve performance and signal reception. Motorola supports two antenna suites for the AP-5181: one antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5181. Refer to
173. [Screenshot: hotspot configuration screen showing the Use External URL and External URL fields, the Select mode menu, WhiteList Configuration and White List Entries, the primary and secondary Radius server IP, port and secret fields, and the Hotspot User Timeout settings (Enable Hotspot User Timeout, Timeout 15-180 min; applicable only if the internal RADIUS Server is used for Hotspot Authentication).] 3. Refer to the HTTP Redirection field to specify how the Login, Welcome, and Fail pages are maintained for this specific WLAN. The pages can be hosted locally or remotely. Use Default Files: Select the Use Default Files checkbox if the login, welcome and fail pages reside on the access point. Use External URL: Select the Use External URL checkbox to define a set of external URLs for hotspot users to access the login, welcome and fail pages. To create a redirected page, you need to have a TCP termination locally. On receiving the user credentials from the login page, the access point connects to a Radius server, determines the identity of the connected wireless user and allows the user to access the Internet based on successful authentication. 4. Use the External URL field to specify the location of the login page, welcome page and fail page used for hotspot access. Defining these settings is requir
174. LAN stops beaconing; WLAN stops beaconing. NOTE: For a dependent AAP, independent WLANs continue to beacon for three days in the absence of a switch. 10.1.12 Adaptive Mesh Support. An AAP can extend an AP51x1's existing mesh functionality to a switch managed network. All mesh APs are configured and managed through the wireless switch. APs without a wired connection form a mesh backhaul to a repeater or a wired mesh node and then get adopted to the switch. Mesh nodes with existing wired access get adopted to the switch like a wired AAP. Mesh AAPs apply configuration changes 300 seconds after the last received switch configuration message. When the configuration is applied on the Mesh AAP, the radios shut down and re-initialize (this process takes less than 2 seconds), forcing associated MUs to be deauthenticated, and the Mesh link will go down. MUs are able to quickly associate, but the Mesh link will need to be re-established before MUs can pass traffic. This typically takes about 90 to 180 seconds depending on the size of the mesh topology. NOTE: When mesh is used with AAPs, the "ap-timeout" value needs to be set to a higher value (for example, 180 seconds) so Mesh AAPs remain adopted to the switch during the period when the configuration is applied and mesh links are re-established. For an overview o
175. NMP Access screen to the last saved configuration. 8. Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed. For additional SNMP configuration information, see: Configuring SNMP Access Control; Enabling SNMP Traps; Configuring Specific SNMP Traps; Configuring SNMP RF Trap Thresholds. 4.5.1 Configuring SNMP Access Control. Use the SNMP Access Control screen (as launched from the SNMP Access screen) to specify which users can read SNMP-generated information and, if capable, modify related settings from an SNMP-capable client. Use the SNMP Access Control screen's Access Control List (ACL) to limit, by Internet Protocol (IP) address, who can access the access point SNMP interface. NOTE: The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions on the access point SNMP Access screen. To configure SNMP user access control for the access point: 1. Select System Configuration -> SNMP Access from the access point menu tree. Click on the SNMP Access Control button from within the SNMP Access screen. 2. Configure the SNMP Access Control screen to add the IP addresses of those users receiving SNMP access. Access Control List; Add; Edit; Delete. SNMP Access Control: Enter IP Address Ranges to allow. Leave the table blank to allow any IP. End IP
176. P. Connect the access point's LAN port to a DHCP server. The access point will receive its IP address automatically. 2. To view the IP address, connect one end of a null modem serial cable to the access point and the other end to the serial port of a computer running HyperTerminal or similar emulation program. NOTE: If using an AP-5131 model access point, a null modem cable is required. If using an AP-5181 model access point, an RJ-45 to Serial cable is required to make the connection. 3. Configure the following settings: Baud Rate - 19200; Data Bits - 8; Stop Bits - 1; No Parity; No Flow Control. Press <ESC> or <Enter> to access the access point CLI. Enter the default username of "admin" and the default password of "motorola". As this is the first time you are logging into the access point, you are prompted to enter a new password and set the country code. Refer to Country Codes on page A-9 for a list of each available country's two-digit country code. At the CLI prompt (admin>), type "summary". The access point's LAN IP address will display. Using a Web browser, use the access point's IP address to access the access point. Refer to Basic Device Configuration on page 3-5 for instructions on the initial (basic) configuration of the access point. 3.5 Basic Device Configuration. For the basic setup described in this section, the Java-based Web UI will be used to configure t
177. PA2 01), Accessories Bag
AP-5131-40020-WW: AP-5131 802.11a/g Single Radio Access Point, AP-5131 Install Guide, Software and Documentation CD-ROM, Accessories Bag
AP-5131-40021-WWR: AP-5131 802.11a/g Single Radio Access Point, AP-5131 Install Guide, Software and Documentation CD-ROM, Power Injector (Part No. AP-PSBIAS-1P2-AFR), Accessories Bag
AP-5131-40022-WW: AP-5131 802.11a/g Single Radio Access Point, AP-5131 Install Guide, Software and Documentation CD-ROM, (2) Dual-Band Antennae (Part No. ML-2452-APA2-01), Accessories Bag
AP-5131-40023-WWR: AP-5131 802.11a/g Single Radio Access Point, AP-5131 Install Guide, Software and Documentation CD-ROM, Power Injector (Part No. AP-PSBIAS-1P2-AFR), (2) Dual-Band Antennae (Part No. ML-2452-APA2-01), Accessories Bag
AP-5131-13040-D-WR: Dependent AP-5131 Dual Radio (Switch Required)
AP-5131-40020-D-WR: Dependent AP-5131 Single Radio (Switch Required)
Verify the model indicated on the bottom of the AP-5131 is correct. Contact the Support Center to report missing or improperly functioning items.
The Power Injector (Part No. AP-PSBIAS-1P2-AFR) is included in certain orderable configurations, but can be added to any configuration. For more information on the Power Injector, see Power Injector and Power Tap Systems on page 2-10.
NOTE: A standard 48 Volt Power Adapter (Part No. 50-14000-243R) is recommended with AP-5131 product SKUs that do not include the Power  
178. PEAP and/or TTLS Authentication Type for EAP to use  Authentication Type from the drop-down menu to the right of each checkbox item.
PEAP options include:
• GTC: EAP Generic Token Card (GTC) is a challenge-handshake authentication protocol using a hardware token card to provide the response string.
• MSCHAP-V2: Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's challenge-response authentication protocol.
TTLS options include:
• PAP: Password Authentication Protocol sends a username and password over a network to a server that compares the username and password to a table of authorized users. If the username and password are matched in the table, server access is authorized. WatchGuard products do not support the PAP protocol because the username and password are sent as clear text that a hacker can read.
• MD5: This option enables the MD5 algorithm for data verification. MD5 takes as input a message of arbitrary length and produces a 128-bit fingerprint. The MD5 algorithm is intended for digital signature applications in which a large file must be compressed in a secure manner before being encrypted with a private (secret) key under a public key cryptographic system.
• MSCHAP-V2: Microsoft CHAP (MSCHAP-V2) is an encrypted authentication method based on Microsoft's challenge-response authentication protocol.
Server Certificate: If you have a server certificate from a CA and wish to use it on the Radius 
179. Priority of 50000. In this example, different values are used to force AP 1 to be the forwarding link since it's a small mesh network (of only three APs) with APs within close proximity of one another.
NOTE: In a typical deployment, each base bridge can be configured for a Mesh
NOTE: Ensure AP 1 and AP 2 use the same channel for each 802.11a radio, or the APs will not be able to "hear" each other over different channels.
9.3.1.3 Configuring AP 3
To define the configuration for AP 3 (a client bridge connecting to both AP 1 and AP 2 simultaneously):
1. Provide a known IP address for the LAN1 interface.
[Screenshot: LAN1 interface settings]
2. Assign the maximum value (65535) for the Mesh STP Priority.
[Screenshot: Mesh STP Configuration]
3. Create a mesh supported WLAN with the Enable Client Bridge Backhaul option selected.
NOTE: This WLAN should not be mapped to any radio. Therefore 
180. Product Reference Guide
AP-51xx Access Point
MOTOROLA and the Stylized M Logo are registered in the US Patent & Trademark Office. Symbol is a registered trademark of Symbol Technologies, Inc. All other product or service names are the property of their respective owners.
© 2009 Motorola, Inc. All rights reserved.
AP-51xx Access Point Product Reference Guide
72E-124688-01
May 2009
Contents
About This Guide
  Introduction
  Document Conventions
  Notational Conventions
  Service Information
Chapter 1. Introduction
  New Features
    IP Filtering
    DHCP Lease Information
    Configurable MU Idle Timeout
    Auto Channel Select (ACS) Smart Scan
    Enhanced Statistics Support
    WIPS Support
    Trusted Host Management
    Apache Certificate Management
    Rogue AP Enhancements
    Bandwidth Mana
181. RESET   allow
VRFY   allow
EXPN   allow

admin(network.wan.content)>list ftp

FTP Commands
Storing Files   deny
Retreiving Files   allow
Directory Files   allow
Create Directory   allow
Change Directory   allow
Passive Operation   allow

8.3.2.4 Network WAN, Dynamic DNS Commands
AP51xx>admin(network.wan.dyndns)>
Description:
Displays the Dynamic DNS submenu. The items available under this command include:
set     Sets Dynamic DNS parameters.
update  Sets key exchange parameters.
show    Shows the Dynamic DNS configuration.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.
For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

AP51xx>admin(network.wan.dyndns)> set
Description:
Sets the access point's Dynamic DNS configuration.
Syntax:
set mode enable/disable
    username <name>
    password <password>
    hostname <host>
Example:
admin  network wan
admin  network wan
admin  network wan
admin  network wan
Enables or disables the Dynamic DNS service for the access point.
Enter a 1 - 32 character username for the account used for the access point.
Enter a 1 - 32 character password for the account used for the access point.
Enter a 1 - 32 character hostname for the account used for the acce
182. Root Port Number: Identifies the root bridge by listing its 2-byte priority followed by its 6-byte ID.
Root Path Cost: Bridge message traffic contains information identifying the root bridge and the sending bridge. The root path cost represents the distance (cost) from the sending bridge to the root bridge.
Bridge Max Msg. Age: The Max Msg Age measures the age of received protocol information recorded for a port, and ensures the information is discarded when it exceeds the value set for the Maximum Message age timer. For information on setting the Bridge Max Msg. Age, see Setting the LAN Configuration for Mesh Networking Support on page 9-6.
Bridge Hello Time: The Bridge Hello Time is the time between each bridge protocol data unit sent. This time is equal to 2 seconds (sec) by default, but can be tuned between 1 and 10 sec. For information on setting the Bridge Hello Time, see Setting the LAN Configuration for Mesh Networking Support on page 9-6. The 802.1d specification recommends the Hello Time be set to a value less than half of the Max Message age value.
Bridge Forward Delay: The Bridge Forward Delay value is the time spent in a listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec. For information on setting the Bridge Forward Delay, see Setting the LAN Configuration for Mesh Networking Support o
183. [Screenshot]
2. Select either the Radio 1 (802.11b/g) or Radio 2 (802.11a) tab to display the WLANs enabled for the selected radio and their existing configurations.
The WLANs displaying for the selected radio were assigned when the WLAN was created or modified. A single WLAN can be assigned to either radio, and if necessary have different bandwidth management configurations. To modify a WLAN to radio assignment, see Creating/Editing Individual WLANs on page 5-30.
3. Use the Bandwidth Share Mode drop-down menu to define the order enabled WLANs receive access point services. Select one of the following three options:
First In First Out: WLANs receive services from the access point on a first-come, first-served basis. This is the default setting.
Round Robin: Each WLAN receives access point services in turn as long as the access point has data traffic to forward.
Weighted Round-Robin: If selected, a weighting (prioritization) scheme (configured within the QoS Configuration screen) is used to define which WLANs receive access point resources first.
Configure the Bandwidth Share for Each WLAN field to set a raw weight (for WLANs using the Weighted Round-Robin option) for each WLAN. The weight (%) changes as the weight is enter
184. SSID probes from other mobile units.
12. If there are certain requirements for the types of data proliferating the mesh network, select an existing policy or configure a new QoS policy best suiting the requirements of the mesh network. To define a new QoS policy, select the Create button to the right of the Quality Of Service Policy drop-down menu.
For detailed information on configuring a QoS policy, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.
13. Click Apply to save the changes made to the mesh network configured WLAN.
An access point radio is now ready to be configured for use with this newly created mesh WLAN.
9.2.3 Configuring the Access Point Radio for Mesh Support
An access point radio intended for use within a mesh network requires configuration attributes unique from a radio intended for non-mesh support. This section describes how to configure an access point radio for mesh network support.
To configure the access point radio for mesh networking support:
NOTE: The dual-radio model access point affords users better optimization of the mesh network feature by allowing the access point to transmit to other access points (in base or client bridge mode) using one independent radio and transmit with its associated devices using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network 
185. STP Configuration and return to the LAN1 or LAN2 screen. Once the Mesh STP Configuration is defined, the access point's radio can be configured for base and/or client bridge support.
9.2.2 Configuring a WLAN for Mesh Networking Support
Each access point comprising a particular mesh network is required to be a member of the same WLAN. Therefore, each base bridge, client bridge or repeater within the mesh network must use the same WLAN in order to share the same ESSID, radio designation, security policy, MU ACL and Quality of Service policy. If intending to use the access point for mesh networking support, Motorola recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support.
To define the attributes of the WLAN shared by the members of the mesh network:
1. Select Network Configuration -> Wireless from the AP-5131 menu tree.
The Wireless Configuration screen displays with those existing WLANs displayed within the table.
2. Select the Create button to configure a new WLAN specifically to support mesh networking.
An existing WLAN can be modified (or used as is) for mesh networking support by selecting it from the list of available WLANs and clicking the Edit button.
[Screenshot: New WLAN screen]
186. Security Policy screen (if any).
Configure encryption or authentication supported security policies by referring to the following:
access point authentication:
• To create a security policy supporting Kerberos, see Configuring Kerberos Authentication on page 6-8.
• To define a security policy supporting 802.1x EAP, see Configuring 802.1x EAP Authentication on page 6-11.
access point encryption:
• To create a security policy supporting WEP, see Configuring WEP Encryption on page 6-16.
• To define a security policy supporting KeyGuard, see Configuring KeyGuard Encryption on page 6-18.
• To configure a security policy supporting WPA-TKIP, see Configuring WPA/WPA2 Using TKIP on page 6-21.
• To create a security policy supporting WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.
7. Click Cancel to return to the target WLAN screen without keeping any of the changes made within the New Security Policy screen.
6.4 Configuring Kerberos Authentication
Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection.
Once a client and server use Kerberos to prove their identity, they can encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access poin
187. Select System Configuration -> Adaptive AP Setup from the menu tree.
[Screenshot: Adaptive AP Setup screen]
2. Define the following to prioritize a switch connection scheme and AP interface used to adopt to the switch:
Control Port: Define the port used by the switch FQDN to transmit and receive with the AAP. The default control port is 24576.
Switch FQDN: Add a complete switch fully qualified domain name (FQDN) to add a switch to the 12 available switch IP addresses available for connection. The access point resolves the name to one or more IP addresses if a DNS IP address is present. This method is used when the access point fails to obtain an IP address using DHCP.
PSK: Before the access point sends a packet requesting its mode and configuration, the switch and the access point require a secure link using a pre-shared key.
Auto Discovery Enable: When the Auto Discovery Enable checkbox is selected, the access point begins the switch discovery (adoption) process using DHCP first, then a user provided domain name, lastly using static IP addresses. This setting is disabled b
188. Statistics
The access point has the capability of detecting and displaying the properties of other Motorola access points located within its coverage area. Detected access points transmit a WNMP message indicating their channel, IP address, firmware version, etc. This information is used to create a known AP list. The list has fields indicating the properties of the access point discovered.
NOTE: The Known AP Statistics screen only displays statistics for access points located on the same subnet.
To view detected access point statistics:
1. Select Status and Statistics -> Known AP Stats from the access point menu tree.
[Screenshot: Known AP Statistics screen]
The Known AP Statistics screen displays the following information:
IP Address: The network-assigned Internet Protocol address of the located AP.
MAC Address: The unique 48-bit, hard-coded Media Access Control address, known as the devices station identifier. Th
189. TCP/IP port number for the server acting as the secondary Radius server. The default port is 1812.
Enter the shared secret password used with the secondary Radius Server.
9. Click OK to save any changes to the Hotspot Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
10. Click Cancel (if necessary) to undo any changes made. Cancel reverts the settings displayed on the Hotspot Configuration screen to the last saved configuration.
Defining the Hotspot White List
To host a Login, Welcome or Fail page on the external Web server, the IP address of that Web server should be in the access point's White List.
NOTE: If using an external Web Server over the WAN port, and the hotspot's HTTP pages (login or welcome) redirect to the access point's WAN IP address for CGI scripts, the IP address of the external Web server and the access point's WAN IP address should be entered in the White List.
[Screenshot: White List Entries]
When a client requests a URL from a Web server, the login handler returns an HTTP redirection status code (for example, 301 Moved Permanently), which indicates to the browser it should look for the page at another URL. This other URL can be a local or remote login page (based on the hotspot configuration). The login page URL is specified
190. The preamble length for 802.11a and 802.11g transmissions is the same, with no long or short preamble lengths.
RTS Threshold: RTS allows the access point to use RTS (Request To Send) on frames longer than the specified length. The default is 2341 bytes.
Set RF QoS: Click the Set RF QoS button to display the Set RF QoS screen to set QoS parameters for the radio. Do not confuse with the QoS configuration screen used for a WLAN. The Set RF QoS screen initially appears with default values displayed.
Select manual from the Select Parameter set drop-down menu to edit the CW min and CW max (contention window), AIFSN (Arbitrary Inter-Frame Space Number) and TXOPs Time for each Access Category. These are the QoS policies for the 802.11a or 802.11b/g radio, not the QoS policies configured for the WLAN (as created or edited from the Quality of Service Configuration screen).
Motorola recommends only advanced users manually set these values. If the type of data traffic is known, use the drop-down menu to select a 11g-wifi, 11b-wifi, 11g-default, 11b-default, 11g-voice or 11b-voice option. Wifi represents multimedia traffic, default is typical data traffic and voice is for "Voice-Over-IP" supported wireless devices.
Click OK to implement the selected QoS values and return to the 802.11a or 802.11b/g radio configuration screen. Clicking Cancel reverts the screen to the last saved configuration.
Select Parameter set  manua
191. WAN connection. If this situation is experienced, log in to the access point again.
CAUTION: An access point in Base Bridge mode logs out whenever a Client
The access point in client bridge mode attempts to establish up to 3 simultaneous wireless connections. The second and third connections are established in the background while the system is running. The first connection needs to be established before the system starts bridging traffic.
The dual-radio model access point affords users better optimization of the mesh networking feature by allowing the access point to transmit to other access points (in base or client bridge mode) using one independent radio and transmit with its associated MUs using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network, as the access point's single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.
9.1.1.1 Client Bridge Configuration Process Example
In this example, two access points are described with the following configurations:
• AP 1: base bridge
• AP 2: repeater (both a base and client bridge)
In the case of a mesh enabled radio, the client bridge configuration always takes precedence over the base bridge configuration. Therefore, when a radio is configured as a repeater (AP 2), the base bridge configuration takes 
192. WLAN), the WLAN will need to be tied to a VLAN.
The access point assignment of VLANs can be implemented using Static or Dynamic assignments (often referred to as memberships) for individual WLANs. Both methods have their advantages and disadvantages. Static VLAN membership is perhaps the most widely used method because of the relatively small administration overhead and security it provides. With Static VLANs, you manually assign individual WLANs to individual VLANs.
Although static VLANs are the most common form of VLAN assignments, dynamic VLAN assignment is possible per WLAN. Configuring dynamic VLANs entails the access point sending a DHCP request for device information (such as an IP address). Additional information (such as device MAC address information) is sent to the access point. The access point sends this MAC address to a host housing a copy of the Dynamic VLAN database. This database houses the records of MAC addresses and VLAN assignments. The VLAN database looks up the MAC to determine what VLAN is assigned to it. If it is not in the database, it simply uses a default VLAN assignment. The VLAN assignment is sent to the access point. The access point then maps the target WLAN for the assigned VLAN and traffic passes normally, allowing for the completion of the DHCP request and further traffic.
To create new VLANs or edit the properties of an existing VLAN:
1. Select Network Conf
193. a Mesh STP Priority of 40000 to LAN1 Interface.
[Screenshot: LAN1 interface settings]
3. Define a mesh supported WLAN.
[Screenshot: mesh WLAN settings]
4. Enable base bridge functionality on the 802.11a radio (Radio 2).
[Screenshot: Radio 2 Configuration]
5. Define a channel of operation for the 802.11a radio.
[Screenshot: radio performance settings]
6. If needed, create another WLAN mapped to the 802.11bg radio if 802.11bg supp
194. a screen wherein the parameters of the hotspot can be defined. For information on configuring a target WLAN for hotspot support, see Configuring WLAN Hotspot Support on page 5-46. For an overview of what a hotspot is and what it can provide your wireless network, see Hotspot Support on page 1-22.
CAUTION: A WLAN cannot be enabled for both mesh and hotspot support at the same time. Only one of these two options can be enabled at one time, as the GUI and CLI will prevent both from being enabled.
NOTE: If 802.11a is selected as the radio used for the WLAN, the WLAN cannot use a Kerberos supported security policy.
4. Configure the Security field as required to set the data protection requirements for the WLAN.
NOTE: A WLAN configured to support Mesh should not have a Kerberos or 802.1x EAP security policy defined for it, as these two authentication schemes are not supported within a Mesh network.
Security Policy: Use the scroll down Security Policies menu to select the security scheme best suited for the new or revised WLAN. Click the Create button to jump to the New Security Policy screen where a new policy can be created to suit the needs of the WLAN. For more information, see Configuring WLAN Security Policies on page 5-35.
MU Access Control: Select an ACL policy suiting the WLAN's MU interoperability requirements from the drop-down menu. If the existing ACL policies do not satisfy the requirements of th
195. aap-setup, access, cmgr, snmp, userdb, radius, ntp, logs, config, fw-update, .., /, save, quit
Restarts the access point.
Shows access point system parameter settings.
Defines access point system parameter settings.
Displays last debug password.
Goes to a Linux command menu.
Displays the access point's arp table.
Goes to the Adaptive AP Settings submenu.
Goes to the access point access submenu where access point access methods can be enabled.
Goes to the Certificate Manager submenu.
Goes to the SNMP submenu.
Goes to the user database submenu.
Goes to the Radius submenu.
Goes to the Network Time Protocol submenu.
Displays the log file submenu.
Goes to the configuration file update submenu.
Goes to the firmware update submenu.
Goes to the parent menu.
Goes to the root menu.
Saves the configuration to system flash.
Quits the CLI.

AP51xx>admin(system)>restart
Description:
Restarts the access point.
Syntax:
restart    Restarts the access point.
Example:
admin(system)>restart

********************************WARNING***********************************
** Unsaved configuration changes will be lost when the access point is reset.
** Please be sure to save changes before resetting.
**************************************************************************
Are you sure you want to 
196. able packets for the last 30 seconds and the number in blue represents the percentage of undecryptable packets for the last hour.
8. Click OK to exit the screen.
7.5.2 Pinging Individual MUs
The access point can verify its link with an MU by sending WNMP ping packets to the associated MU. Use the Echo Test screen to specify a target MU and configure the parameters of the ping test.
NOTE: An echo test initiated from the access point MU Stats Summary screen uses WNMP pings. Therefore, target clients that are not Motorola MUs are unable to respond to the echo test.
To ping a specific MU to assess its connection with an access point:
1. Select Status and Statistics -> MU Stats from the access point menu tree.
2. Select the Echo Test button from within the MU Stats Summary screen.
3. Specify the following ping test parameters:
Station Address: The IP address of the target MU. Refer to the MU Stats Summary screen for associated MU IP address information.
Number of ping: Specify the number of ping packets to transmit to the target MU. The default is 100.
Packet Length: Specify the length of each data packet transmitted to the target MU during the ping test. The default is 100 bytes.
Packet Data: Defines the data to be transmitted as part of the test.
4. Click the Ping button to begin transmitting ping packets to the station address specified.
Refer to the Number of Responses parameter to assess the n
197. addresses
1. Select System Configuration -> AP-51xx Access from the menu tree.
[Screenshot: AP-51XX Access screen, Trusted Host Access field]
Select the Trusted Hosts checkbox.
The Trusted Host Access field displays. The remaining portion of the Access screen (not related to Trusted Host support) can be accessed using the scroll bar on the right-hand side of the AP-51XX Access screen.
Click the Add button and define an IP address in the subsequent pop-up screen.
Individually define up to 8 addresses using the Add function. Each address defined will be granted permission to access point resources.
Select an existing IP address and click the Edit button to modify the address if no longer relevant.
If you are near the capacity of 8 allowed IP addresses or an address becomes obsolete, consider selecting an existing address and click the Delete button to remove an address.
Click Apply to save any changes to the Access screen's Trusted Host configuration. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.
7. Click Undo Changes (if necessar
198. adio model AP-5131's use RSMA type antenna connectors. On the Dual Radio AP-5131, a single dot on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.
3. Remove the backings from the four (4) rubber feet and attach them to the four rubber feet recess areas on the AP-5131.
4. Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.
CAUTION: Do not supply power to the AP-5131 until the cabling of the unit is complete.
For Power Injector installations:
a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.
Ensure the cable length from the Ethernet source (host) to the Power Injector and AP-5131 does not exceed 100 meters (333 ft). The Power Injector has no On/Off power switch. The Power Injector receives power as soon as AC power is applied. For more information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.
For standard 48 Vol
199. ady to demonstrate. Associate an MU on the WLANs configured on the 802.11bg radio for each AP and pass traffic among the members of the mesh network. 9.4 Mesh Networking Frequently Asked Questions. The following scenarios represent issues that could be encountered and resolved when defining an AP-5131 or AP-5181 mesh configuration. Mesh Deployment Issue 1 - Client Bridge can only connect to one of two Base Bridges: You have two access points configured as base bridges (AP1, AP2) and one access point defined as a client bridge (AP3). However, the client bridge is able to connect to only one of the base bridges. Resolution: Check the mesh backhaul radio channel configuration on both base bridges (AP1, AP2). They need to use the same channel so the client bridge can connect to both simultaneously. Mesh Deployment Issue 2 - Faulty Client Bridge Connectivity: You have configured three access points in mesh mode: one base bridge (AP1), one client bridge/base bridge (AP2) and one client bridge (AP3). However, the client bridge (AP3) is connecting to both AP1 and AP2 and using its link to base bridge (AP1) to forward traffic. Resolution: This is valid behavior. You see this when your mesh APs are close enough (in proximity) so the client bridge can see both the base bridges (AP1, AP2), in which case it forms two links, one each to AP1 and AP2. Since the link to AP1 is the shortest path in terms of number of
200. ain Name for the Wireless Switch>; 191 String <Hashed IPSec Passkey - configure on 1 AP and export to get hashed key>; 192 String <Value of "1" denotes Non-IPSec Mode and "2" denotes IPSec Mode>. NOTE: Options 189 and 192 are mandatory to trigger adoption using DHCP options. Unlike an AP300, option 189 alone won't work. These options can be embedded in Vendor Specific Option 43 and sent in the DHCP Offer. 10.4.2 Switch Configuration. Both a WS5100 (running firmware version 3.1 or later) or a RFS6000/RFS7000 (running firmware version 1.1 or later) require an explicit adaptive configuration to adopt an access point (if IPSec is not used for adoption). The same licenses currently used for AP300 adoption can be used for an AAP. Disable the switch's Adopt unconfigured radios automatically option and manually add AAPs requiring adoption, or leave as default. In default mode, any AAP adoption request is honored until the current switch license limit is reached. To disable automatic adoption on the switch: 1. Select Network -> Access Port Radios from the switch main menu tree. 2. Select the Configuration tab (should be displayed by default) and click the Global Settings button. 3. Ensure the Adopt unconfigu
201. al ID Type, Local ID Data, Remote ID Type, Remote ID Data. The Phase I protocols of IKE are based on the ISAKMP identity-protection and aggressive exchanges. IKE main mode refers to the identity-protection exchange, and IKE aggressive mode refers to the aggressive exchange. Main - Standard IKE mode for communication and key exchange. Aggressive - Aggressive mode is faster, but less secure than Main mode. Identities are not encrypted unless public key encryption is used. The authentication method cannot be negotiated if the initiator chooses public key encryption. Select the type of ID to be used for the access point end of the SA. IP - Select IP if the local ID type is the IP address specified as part of the tunnel. FQDN - Use FQDN if the local ID is a fully qualified domain name (such as sj.motorola.com). UFQDN - Select UFQDN if the local ID is a user fully qualified email (such as johndoe@motorola.com). Specify the FQDN or UFQDN based on the Local ID type assigned. Select the type of ID to be used for the access point end of the tunnel from the Remote ID Type drop-down menu. IP - Select the IP option if the remote ID type is the IP address specified as part of the tunnel. FQDN - Select FQDN if the remote ID type is a fully qualified domain name (such as sj.motorola.com). The setting for this field does not have to be fully qualified, however it must match the setting for the Certif
202. al location already exists, the AAP does not require IPSec be configured for adoption. For sites with no secure link to the central location, an AAP can be configured to use an IPSec tunnel (with AES 256 encryption) for adoption. The tunnel configuration is automatic on the AAP side and requires no manual VPN policy be configured. On the switch side, configuration updates are required to adopt the AAP using an IPSec tunnel. To review a sample AAP configuration, see Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20. 10.1.10 Adaptive AP Switch Failure. In the event of a switch failure, an AAP's independent WLAN continues to operate without disruption. The AAP attempts to connect to other switches (if available) in background. Extended WLANs are disabled once switch adoption is lost. When a new switch is discovered and a connection is secured, an extended WLAN can be enabled. If a new switch is located, the AAP synchronizes its configuration with the located switch once adopted. If Remote Site Survivability (RSS) is disabled, the independent WLAN is also disabled in the event of a switch failure. 10.1.11 Remote Site Survivability (RSS). RSS can be used to turn off RF activity on an AAP if it loses adoption (connection) to the switch. RSS State | Independent WLANs | Extended WLANs: RSS Enabled | WLAN continues beaconing | WLAN continues beaconing but AP does allow clients to associate on that WLAN; RSS Disabled | W
203. ally by the access point to identify a security association. There are unique outbound and inbound SPIs. The Inb SPI column displays the inbound Security Parameter Index (SPI) for each of the tunnels. The SPI is used locally by the access point to identify a security association. There are unique outbound and inbound SPIs. Life Time: Use the Life Time column to view the lifetime associated with a particular Security Association (SA). Each SA has a finite lifetime defined. When the lifetime expires, the SA can no longer be used to protect data traffic. The maximum SA lifetime is 65535 seconds. Tx Bytes: The Tx Bytes column lists the amount of data (in bytes) transmitted through each configured tunnel. Rx Bytes: The Rx Bytes column lists the amount of data (in bytes) received through each configured tunnel. 3. Click the Reset VPNs button to reset active VPNs. Selecting Reset VPNs forces renegotiation of all the Security Associations and keys. Users could notice a slight pause in network performance. 4. Reference the IKE Summary field to view the following. Tunnel Name: Displays the name of each of the tunnels configured to use IKE for automatic key exchange. IKE State: Lists the state for each of the tunnels configured to use IKE for automatic key exchange. When the tunnel is not active, the IKE State field displays NOT_CONNECTED. When the tunnel is active, the IKE State field displays CONNECTED.
204. ame security policy. It is generally a bad idea to have WLANs with different security policies on the same BSSID, as this will result in warning or error messages. NOTE: If using a single-radio access point, there are 4 BSSIDs available. If using a dual-radio access point, 4 BSSIDs for the 802.11b/g radio and 4 BSSIDs for the 802.11a radio are available. WLAN: Lists the WLAN names available to the 802.11a or 802.11b/g radio that can be assigned to a BSSID. BSSID: Assign a BSSID value of 1 through 4 to a WLAN in order to map the WLAN to a specific BSSID. BC/MC Cipher: A read-only field displaying the downgraded BC/MC (Broadcast/Multicast) cipher for a WLAN based on the BSSID and VLAN ID to which it has been mapped. Status: Displays the following color-coded status: Red - Error (Invalid Configuration); Yellow - Warning (Broadcast Downgrade); Green - Good (Configuration is OK). Message: Displays the verbal status of the WLAN and BSSID assignments. If the Status column displays green, the Message will typically be Configuration is OK. If yellow, a description of invalid configuration displays. 8. Use the Primary WLAN drop-down menu to select a WLAN from those WLANs sharing the same BSSID. The selected WLAN is the primary WLAN for the specified BSSID. 9. Click Apply to save any changes to the Radio Settings and Advanced Settings screens. Navigating away from the screen without clicking Apply results in cha
205. an optimally use two antennae per radio (4 antennae total for dual-radio models). Two antennae per radio provides diversity that can improve performance and signal reception. Motorola supports two antenna suites for the AP-5131: one antenna suite supporting the 2.4 GHz band and another antenna suite supporting the 5 GHz band. Select an antenna model best suited to the intended operational environment of your AP-5131. NOTE: On a single-radio AP-5131, Radio 1 can be configured to be either a 2.4 GHz or 5 GHz radio. On a dual-radio model, Radio 1 refers to the AP-5131's 2.4 GHz radio and Radio 2 refers to the AP-5131 5 GHz radio. However, there could be some cases where a dual-radio AP-5131 is performing a Rogue AP detector function. In this scenario, the AP-5131 is receiving in either 2.4 GHz or 5 GHz over the Radio 1 or Radio 2 antennae depending on which radio is selected for the scan. Antenna connectors for Radio 1 are located in a different location from the Radio 2 antenna connectors. On single-radio versions, the R-SMA connectors can support both bands and should be connected to a R-SMA dual-band antenna or an appropriate single-band antenna. If necessary, a R-SMA to R-BNC adapter (Part No. 25-72178-01) can be purchased separately. The AP-5131 2.4 GHz antenna suite includes the following models. Part No. | Antenna Type | Nominal Net Gain (dBi): ML-2499-11PNA2-01R | Wide Angle Directional | 8.5; M
206. an overview of the access point's mesh networking options using the applet (GUI), see Configuring Mesh Networking on page 9-1. 8.3.1.2 Network LAN, WLAN Mapping Commands. AP51xx>admin(network.lan.wlan-mapping)> Description: Displays the WLAN/Lan/Vlan Mapping submenu. show - Displays the VLAN list currently defined for the access point; set - Sets the access point VLAN configuration; create - Creates a new access point VLAN; edit - Edits the properties of an existing access point VLAN; delete - Deletes a VLAN; lan-map - Maps access point existing WLANs to an enabled LAN; vlan-map - Maps access point existing WLANs to VLANs; .. - Moves to the parent menu; / - Goes to the root menu; save - Saves the configuration to system flash; quit - Quits the CLI and exits the session. For an overview of the access point's VLAN configuration options using the applet (GUI), see Configuring VLAN Support on page 5-5. AP51xx>admin(network.lan.wlan-mapping)> show. Description: Displays the VLAN list currently defined for the access point. These parameters are defined with the set command. Syntax: show name - Displays the existing list of VLAN names; vlan-cfg - Shows WLAN-VLAN mapping and VLAN configuration; lan-wlan - Displays a WLAN-LAN mapping summary; wlan - Displays the WLAN summary list. Example: admin(network.lan.wlan-mapping)>show name  Index | VLAN ID | VLAN Name: 1 | 1 | VLAN_1; 2 | 2 | VLAN_2; 3 | 3
207. and SNMP. All APs, whether they are supporting mesh or not, periodically exchange ID messages notifying their presence to one another. Review the Known AP Table on any mesh-supported AP to determine if you have all required APs connected to the mesh topology. Mesh Deployment Issue 7 - Can MUs roam within a mesh topology? Can MUs connected to a mesh AP roam seamlessly among other MUs and wired access points? Resolution: Yes, MUs on a mesh AP can roam seamlessly throughout the mesh network as well as with non-mesh access points on the wired network. Mesh Deployment Issue 8 - Can I mesh between an AP-5131 and an AP-5181? Can you mesh between an AP-5131 and an AP-5181? Resolution: Yes, both the AP-5131 and AP-5181 model access points are identical from a software deployment standpoint, so it is a supported configuration for AP-5131s and AP-5181s to exist in a single topology. Mesh Deployment Issue 9 - Can I mesh between an access point and an AP300? Can you mesh between an AP-5131, AP-5181 and an AP300 model access port? Resolution: No, an AP300 does not support mesh networking, so you won't be able to mesh between two AP300s or between an AP300 and an AP-5131 or AP-5181. Mesh Deployment Issue 10 - Can I mesh between an AP-5131/AP-5181 and an AP-4131? Can I mesh between a newer AP-5131, AP-5181 and a legacy AP-4131 model access point? Resolution: No, an AP-4131 only supports wireless bridging like Cisc
208. and can coexist or interoperate with BOOTP. Configure the access point to send out a DHCP request searching for a DHCP/BOOTP server to acquire HTML, firmware or network configuration files when the access point boots. Because BOOTP and DHCP interoperate, whichever responds first becomes the server that allocates information. The access point can be set to only accept replies from DHCP or BOOTP servers or both (this is the default setting). Disabling DHCP disables BOOTP and DHCP and requires network settings to be set manually. If running both DHCP and BOOTP, do not select BOOTP Only. BOOTP should only be used when the server is running BOOTP exclusively. The DHCP client automatically sends a DHCP request at an interval specified by the DHCP server to renew the IP address lease as long as the access point is running (this parameter is programmed at the DHCP server). For example, Windows 2000 servers typically are set for 3 days. 1.2.23 Multi-Function LEDs. An AP-5131 model access point has seven LED indicators. Four LEDs exist on the top of the access point and are visible from wall, ceiling and table-top orientations. Three of these four LEDs are single-color activity LEDs, and one is a multi-function red and white status LED. Two LEDs exist on the rear of the access point and are viewable using a single (customer installed) extended light pipe, adjusted as required to suit above-the-ceiling installations
209. aptive AP menu   set auto discovery disable  set interface lanl   set name  0   set port 24576    delete all E ted P h to b d in DHCP Opti  set enc passphrase b  0819993a702  39 eRe ee ee es  set ac keepalive 5    set tunnel to svitch enable         System Access menu  system   access   set applet lan 1 enable   set applet slan 1 enable  set cli lan 1 enable   set ssh lan 1 enable   set snmp lan 1 enable. 10.1.5.2 Manual Adoption Configuration. A manual switch adoption of an AAP can be conducted using: Static FQDN - A switch fully qualified domain name can be specified to perform a DNS lookup and switch discovery. Static IP addresses - Up to 12 switch IP addresses can be manually specified in an ordered list the AP can choose from. When providing a list, the AAP tries to adopt based on the order in which they are listed (from 1-12). NOTE: An AAP can use its LAN or WAN Ethernet interface to adopt. The LAN is PoE and DHCP enabled by default. The WAN has no PoE support and has a default static AP address of 10.1.1.1/8. 10.1.6 Securing a Configuration Channel Between Switch and AP. Once an access point obtains a list of available switches, it begins connecting to each. The switch can be either on the LAN or WAN side of the access point to provide flexibility in the deployment of the network. If the switch is on the access point's LAN, ensure the LAN subnet is on a secure channel. Th
210. art the AP. To configure System Settings for the access point: 1. Select System Configuration -> System Settings from the access point menu tree. 2. Configure the access point System Settings field to assign a system name and location, set the country of operation and view device version information. System Name: Specify a device name for the access point. Motorola recommends selecting a name serving as a reminder of the user base the access point supports (engineering, retail, etc.). System Location: Enter the location of the access point. The System Location parameter acts as a reminder of where the AP can be found. Use the System Name field as a specific identifier of device location. Use the System Name and System Location fields together to optionally define the AP name by the radio coverage it supports and specific physical location. For example, "second floor engineering". Admin Email Address: Specify the AP administrator's email address. Country, AP-51xx Version, Sy
211. as been defined. The WLAN names can be modified within individual WLAN configuration screens. See Creating/Editing Individual WLANs on page 5-30 to change the name of a WLAN. ESSID: Displays the Extended Services Set Identification (ESSID) associated with each WLAN. The ESSID can be modified within individual WLAN configuration screens. See Creating/Editing Individual WLANs on page 5-30 to change the ESSID of a specific WLAN. Radio: The Radio field displays the name of the access point radio the WLAN is mapped to (either the 802.11a radio or the 802.11b/g radio). To change the radio designation for a specific WLAN, see Creating/Editing Individual WLANs on page 5-30. VLAN: The VLAN field displays the specific VLAN the target WLAN is mapped to. For information on VLAN configuration for the WLAN, see Configuring VLAN Support on page 5-5. Security Policy: The Security Policy field displays the security profile configured for the target WLAN. For information on configuring security for a WLAN, see Enabling Authentication and Encryption Schemes on page 6-5. QoS Policy: The QoS Policy field displays the quality of service currently defined for the WLAN. This policy outlines which data types receive priority for the user base comprising the WLAN. For information on QoS configuration for the WLAN, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40. Click the Create button (if necessary) to launch the New WLAN scr
212. ata In connector. b. Connect a RJ-45 Ethernet cable between the Power Tap's DATA PWR OUT connector or the Power Injector's Data & Power Out connector and the AP-5181 LAN port. c. For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit's LINE AC connector, secure the power cable to the unit's three-screw termination block and tighten the unit's LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit. d. For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code. e. Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and AP-5181 does not exceed 100 meters (333 ft). Neither the Power Tap nor Power Injector has an On/Off power switch. Each receives power as soon as AC power is applied. For more information on using the see Power Injector and Power Tap Systems on page 2-10. 8. Use the supplied cable connector to cover the AP-5181's Console, LAN PoE and WAN connectors. 9. Once power has been applied, verify the behavior of the AP-5181 LEDs. For more information, see AP-5181 LED Indicators on page 2-29. The AP-5181 is ready to configure. For information on an AP-5181 default configuration, see Getting Started on page 3-1. For specific details on AP 51
213. ate. Description: Creates a VLAN for the access point. Syntax: create vlan-id <id> - Defines the VLAN ID (1-4095); vlan-name <name> - Specifies the name of the VLAN (1-31 characters in length). Example: admin(network.lan.wlan-mapping)>  admin(network.lan.wlan-mapping)>create 5 vlan-5. For information on creating VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5. AP51xx>admin(network.lan.wlan-mapping)> edit. Description: Modifies a VLAN's name and ID. Syntax: edit name <name> - Modifies an existing VLAN name (1-31 characters in length); id <id> - Modifies an existing VLAN ID (1-4095) characters in length. For information on editing VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5. AP51xx>admin(network.lan.wlan-mapping)> delete. Description: Deletes a specific VLAN or all VLANs. Syntax: delete <VLAN id> - Deletes a specific VLAN ID (1-16); all - Deletes all defined VLANs. For information on deleting VLANs using the applet (GUI), see Configuring VLAN Support on page 5-5. AP51xx>admin(network.lan.wlan-mapping)> lan-map. Description: Maps an access point VLAN to a WLAN. Syntax: lan-map <wlan name> - Maps an existing WLAN to an enabled LAN. All names and IDs are case-sensitive; <lan name> - Defines enabled LAN name. All names and IDs are case-sensitive. admin(network.lan.wlan
214. ates its association statistics. The user can configure the ESSID to correspond to up to 16 WLANs on each 802.11a or 802.11b/g radio. A Wireless Local Area Network (WLAN) is a data communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and is thus desirable. Within the WLAN, roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity. 1.3.2 MAC Layer Bridging. The access point provides MAC layer bridging between its interfaces. The access point monitors traffic from its interfaces and, based on frame address, forwards the frames to the proper destination. The access point tracks source and destination addresses to provide intelligent bridging as MUs roam or network topologies change. The access point also handles broadcast and multicast messages and responds to MU association requests. The access point listens to all packets on its LAN and WAN interfaces and builds an address database using MAC addresses. An address in the database includes the interface media that the device uses to associate with the access point. The access point uses the database to forward packets from one interface to another. The bridge forwards packets addressed to unknown systems to the Default Interface (Ethernet). T
215. ati 2. Refer to the Information field to view the following access point device address information: Status, IP Address, Network Mask, Ethernet Address, Link, Speed, Duplex, WLANs Mapped. Refer to the Received field to view data received over the access point LAN port: RX Packets, RX Bytes. Displays whether this particular LAN has been enabled as viable subnet from within the LAN Configuration screen. The Internet Protocol (IP) addresses for the access point LAN port. The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission. The Media Access Control (MAC) address of the access point. The MAC address is hard-coded at the factory and cannot be changed. For more information on how access point MAC addresses are assigned, see AP-51xx MAC Address Assignment on page 1-30. The Link parameter displays Up if the LAN connection is active between the access point and network, and Down if the LAN connection is interrupted or lost. Use this i
216. ation; create - Defines the parameters of a new WLAN; edit - Modifies the properties of an existing WLAN; delete - Deletes an existing WLAN; hotspot - Displays the WLAN hotspot menu; ipfpolicy - Goes to the WLAN IP Filter Policy menu; .. - Goes to the parent menu; / - Goes to the root menu; save - Saves the configuration to system flash; quit - Quits the CLI. For an overview of the Wireless configuration options available to the access point using the applet (GUI), see Enabling Wireless LANs (WLANs) on page 5-27. AP51xx>admin(network.wireless.wlan)> show. Description: Displays the access point's current WLAN configuration. Syntax: show summary - Displays the current configuration for existing WLANs; show wlan <number> - Displays the configuration for the requested WLAN (WLAN 1 through 16). Example: admin(network.wireless.wlan)>show summary  WLAN1: WLAN Name, ESSID, Radio, VLAN, Security Policy, QoS Policy: Lobby, 101, 11a, 11b/g, Default, Default. admin(network.wireless.wlan)>show wlan 1  ESS Identifier, WLAN Name, 802.11a Radio, 802.11b/g Radio, Client Bridge Mesh Backhaul, Hotspot, Maximum MUs, MU Idle Timeout, Security Policy, MU Access Control, Kerberos User Name, Kerberos Password, Disallow MU to MU Communication, Use Secure Beacon, Accept Broadcast ESSID, QoS Policy: 101, Lobby, available, not available, available, not available, 127, 30, Default, Default, 101
217. ation, see Managing the Local User Database on page 6-72. LDAP: If LDAP is selected, the switch will use the data in an LDAP server. Configure the LDAP server settings on the LDAP screen under Radius Server on the menu tree. For more information, see Configuring LDAP Authentication on page 6-67. NOTE: When using LDAP, only PEAP GTC and TTLS PAP are supported. 3. Use the TTLS/PEAP Configuration field to specify the Radius Server default EAP type, EAP authentication type and a Server or CA certificate (if used). EAP Type: Use the EAP Type checkboxes to enable the default EAP type(s) for the Radius server. Options include: PEAP - Select the PEAP checkbox to enable both PEAP types (GTC and MSCHAP V2) available to the access point. PEAP uses a TLS layer on top of EAP as a carrier for other EAP modules. PEAP is an ideal choice for networks using legacy EAP authentication methods. TTLS - Select the TTLS checkbox to enable all three TTLS types (MD5, PAP and MSCHAP V2) available to the access point. TTLS is similar to EAP-TLS, but the client authentication portion of the protocol is not performed until after a secure transport tunnel is established. This allows EAP-TTLS to protect legacy authentication methods used by some RADIUS servers. TLS - The TLS checkbox is selected but disabled by default and resides in the background as it does not contain user-configurable parameters. Default Specify a
218. ation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis. Selecting Auto Negotiate disables the Mbps and duplex checkbox options. Select this option to establish a 100 Mbps data transfer rate for the selected half-duplex or full-duplex transmission over the access point's WAN port. This option is not available if Auto Negotiation is selected. Select this option to establish a 10 Mbps data transfer rate for the selected half-duplex or full-duplex transmission over the access point's WAN port. This option is not available if Auto Negotiation is selected. half duplex: Select this option to transmit data to and from the access point, but not at the same time. Using a half-duplex transmission, the access point can send data over its WAN port then immediately receive data from the same direction in which the data was transmitted. Like a full-duplex transmission, a half-duplex transmission can carry data in both directions, just not at the same time. full duplex: Select this option to transmit data to and from the access point at the same time. Using full duplex, the access point can send data over its WAN port while receiving data as well. 4. Configure the PPP over Ethernet field to enable high-speed dial-up connections to the access point WAN port: Enable, Username, Password, PPPoE State, Keep Alive
219. ation on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55. AP51xx>admin(network.wireless.rogue-ap.mu-scan)> show. Description: Displays the results of an MU scan. Syntax: show - Displays all APs located by the MU scan. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55. AP51xx>admin(network.wireless.rogue-ap.allowed-list)> Description: Displays the Rogue AP allowed list submenu. show - Displays the rogue AP allowed list; add - Adds an AP MAC address and ESSID to the allowed list; delete - Deletes an entry or all entries from the allowed list; .. - Goes to the parent menu; / - Goes to the root menu; save - Saves the configuration to system flash; quit - Quits the CLI. AP51xx>admin(network.wireless.rogue-ap.allowed-list)> show. Description: Displays the Rogue AP allowed List. Syntax: show - Displays the rogue AP allowed list. Example: admin(network.wireless.rogue-ap.allowed-list)>show  Allowed AP List: 00:A0:F8:71:59:20, 00:A0:F8:33:44:55, 00:A0:F8:40:20:01. For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55. 101, Marketing
220. ation options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56. AP51xx>admin(network.wireless.radio.802-11a.advanced)> Description: Displays the advanced submenu for the 802.11a radio. The items available under this command include: show - Displays advanced radio settings for the 802.11a radio; set - Defines advanced parameters for the 802.11a radio; .. - Goes to the parent menu; / - Goes to the root menu; save - Saves the configuration to system flash; quit - Quits the CLI. AP51xx>admin(network.wireless.radio.802-11a.advanced)> show. Description: Displays the BSSID to WLAN mapping for the 802.11a radio. Syntax: show advanced - Displays advanced settings for the 802.11a radio; wlan - Displays WLAN summary list for 802.11a radio. Example: admin(network.wireless.radio.802-11a.advanced)>show advanced  WLAN | BSS ID | BC/MC Cipher | Status | Message: Lobby | 1 | Open | good | configuration is ok; HR | 2 | Open | good | configuration is ok; Office | 3 | Open | good | configuration is ok. BSSID | Primary WLAN: 1 | Lobby; 2 | HR; 3 | Office. admin(network.wireless.radio.802-11bg.advanced)>show wlan  WLAN 1: WLAN name: WLAN1; ESS ID: 101; Radio: 11a, 11b/g; VLAN: <none>; Security Policy: Default; QoS Policy: Default. For information on configuring the Radio 2 Configuration options available to the access point using the apple
221. authenticated when changes are made to the characteristics of a hotspot enabled WLAN, as MUs within the WLAN will be dropped from device association.

Use the New WLAN and Edit WLAN screens as required to create/modify a WLAN. To create a new WLAN or edit the properties of an existing WLAN:

1. Select Network Configuration -> Wireless from the access point menu tree.

The Wireless Configuration screen displays.

2. Click the Create button to configure a new WLAN, or highlight a WLAN and click the Edit button to modify an existing WLAN. Either the New WLAN or Edit WLAN screen displays.

[Screenshot: New WLAN and Edit WLAN screens]
222. ber in blue represents packets for the last hour.

Refer to the RF Status field to view MU signal and signal disturbance information.

Avg MU Signal: Displays RF signal strength in dBm for the target MU. The number in black represents signal information for the last 30 seconds and the number in blue represents signal information for the last hour.

Avg MU Noise: Displays RF noise for the target MU. The number in black represents noise for the last 30 seconds; the number in blue represents noise for the last hour.

Avg MU SNR: Displays the Signal to Noise Ratio (SNR) for the target MU. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network.

Refer to the Errors field to view MU retry information and statistics on packets not transmitted.

Avg Num of Retries: Displays the average number of retries for the MU. The number in black represents average retries for the last 30 seconds and the number in blue represents average retries for the last hour.

Dropped Packets: Displays the percentage of packets the AP gave up on as not received for the selected MU. The number in black represents the percentage of packets for the last 30 seconds and the number in blue represents the percentage of packets for the last hour.

% of Undecryptable Pkts: Displays the percentage of undecryptable packets for the MU. The number in black represents the percentage of undecrypt
223. ble to the access point using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.

8.3.3.6 Network Bandwidth Management Commands

AP51xx>admin(network.wireless.bandwidth)>

Description: Displays the access point Bandwidth Management submenu. The items available under this command include:

show      Displays Bandwidth Management information for how data is processed by the access point.
set       Defines Bandwidth Management parameters for the access point.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.

AP51xx>admin(network.wireless.bandwidth)> show

Description: Displays the access point's current Bandwidth Management configuration.

Syntax:
show  <summary>    Displays the current Bandwidth Management configuration summary or for defined WLANs
      <wlan>       as well as how they are weighted.

Example:

admin(network.wireless.bandwidth)>show summary

Bandwidth Share Mode 1 : First In First Out
Bandwidth Share Mode 2 : First In First Out

For information on configuring the Bandwidth Management options available to the access point using the applet (GUI), see Configuring Bandwidth Management Settings on page 5-65.

AP51xx>admin(network.wireless.bandwidth)> set

Description: Defines the access point Bandwidth Management configuration.

Syntax:   set
224. box to enable the access point radio to initiate client bridge connections with other mesh network supported access points using the same WLAN.

If the Client Bridge checkbox has been selected, use the Mesh Network Name drop down menu to select the WLAN (ESS) the client bridge uses to establish a wireless link. The default setting is (WLAN1). Motorola recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non Mesh supported WLANs.

CAUTION: An access point in client bridge mode cannot use a WLAN configured with a Kerberos or EAP 802.1x based security scheme, as these authentication types secure user credentials, not the mesh network itself.

NOTE: Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen.

Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of base bridges visible to the radio displays within the BBs Visible field, and the number of base bridges currently connected to the radio displays within the BBs Connected field. If this is an existing radio within a mesh network, these values update in real time.

6. Click the Advanced button to define a prioritized list of access points to define Mesh Connection links. For a detailed overview on mesh networki
225. [Screenshot: Advanced DHCP Server screen]

Specify a lease period in seconds for available IP addresses using the DHCP Lease Time (Seconds) parameter. An IP address is reserved for re-connection for the length of time you specify. The default interval is 86400 seconds.

Click the Add button to create a new table entry within the Reserved Clients field.

If a statically mapped IP address is within the IP address range in use by the DHCP server, that IP address may still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.

If multiple entries exist within the Reserved Clients field, use the scroll bar to the right of the window to navigate.

Click the Del (delete) button to remove a selected table entry.

Click OK to return to the LAN1 or LAN2 page, where the updated settings within the Advanced DHCP Server screen can be saved by clicking the Apply button.

Click Cancel to undo any changes made. Undo Changes reverts the settings displayed to the last saved configuration.

5.1.2.2 Setting the Type Filter Configuration

Each access point LAN (either LAN1 or LAN2) can keep a list of frame types that it forwards or discards. The Type Filtering feature prevents specif
226. ccess point and the Cisco PIX.

NOTE: The Cisco PIX device configuration should match the access point VPN configuration in terms of Local WAN IP (PIX WAN), Remote WAN Gateway (access point WAN IP), Remote Subnet (access point LAN Subnet), and the Remote Subnet Mask. The Auto Key Settings and the IKE Settings on the Cisco PIX should match the access point Key and IKE settings.

Below is how the access point VPN Status screen should look if the entire configuration is set up correctly once the VPN tunnel is active. The status field should display "ACTIVE".

[Screenshot: VPN Status screen]

B.2.3 Frequently Asked VPN Questions

The following are common questions that arise when configuring a VPN tunnel.

Question 1: Does the access point IPSec tunnel support multiple subnets on the other end of a VPN concentrator?

Yes. The access point can access multiple subnets on the other end of the VPN Concentrator from the access point's Local LAN Subnet by:

• Creating multiple VPN Tunnels. The AP supports a maximum of 25 tunnels.
• When using the Remote Subnet IP Address with an appropriate subnet mask, the AP can access multiple subnets on the remote end.

For example: If creating a tunnel using 192.168.0.0/16 for the Remote Subnet IP address, the following subnets could be accessed:

192.168.1.x
192.168.2.x
192.168.3.x, etc.

Question 2: Even if a wildcard entry of 0.0
227. ccess point's menu tree to configure Radius server authentication and configure the local user database and access policies. A new Radius Server screen allows an administrator to define the data source, authentication type and associate digital certificates with the authentication scheme. The LDAP screen allows the administrator to configure an external LDAP Server for use with the access point. A new Access Policy screen enables the administrator to set WLAN access based on user groups defined within the User Database screen. Each user is authorized based on the access policies applicable to that user. Access policies allow an administrator to control access for user groups based on the WLAN configurations.

For detailed information on configuring the access point for AAA Radius Server support, see Configuring User Authentication on page 6-64.

1.2.27 Hotspot Support

The access point allows hotspot operators to provide user authentication and accounting without a special client application. The access point uses a traditional Internet browser as a secure authentication device. Rather than rely on built-in 802.11 security features to control access point association privileges, you can configure a WLAN with no WEP (an open network). The access point issues an IP address to the user using a DHCP server, authenticates the user and grants the user access to the Internet.

If a tourist visits a
228. ccess policy. WLAN name delimited by a space. <wlan(s)>

Example:

admin(system.radius.policy)>set engineering 16
admin(system.radius.policy)>

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin(system.radius.policy)> access-time

Description: Goes to the time based login submenu.

Syntax:
set <group> <access-time>    Defines a target group's access time permissions. Access time is in DayDDDD-DDDD format.
show                         Displays the group's access time rule.
save                         Saves the configuration to system flash.
quit                         Quits the CLI.
..                           Goes to the parent menu.
/                            Goes to the root menu.

Example:

admin(system.radius.policy.access-time)>show

List of Access Policies

10  12
Tue0830-2200  We2000-2300  Th1100-1930
Any0000-2359
Any0000-2359
Any0000-2359

For information on configuring Radius WLAN policy values using the applet (GUI), see Configuring User Authentication on page 6-64.

Context:     system>radius>policy>access-time
Command:     set start time <group> <value>
Description: group - Valid group name. value - 4 digit value, representing HHMM (0000-2359 allowed).

Context:     system>radius>policy>access-time
Command:     set end time <group> <value>
Description: group - Valid group name. value - 4 digit value, representing HHMM (0000-2359 allowed). The end
229. ce the likelihood of hacking into the WLAN.

Accept Broadcast ESSID: Select the Accept Broadcast ESSID checkbox to associate an MU that has a blank ESSID (regardless of which ESSID the access point is currently using). Sites with heightened security requirements may want to leave the checkbox unselected and configure each MU with an ESSID. The default is unselected, thus not allowing the acceptance of broadcast ESSIDs.

Quality of Service Policy: If QoS policies are undefined (none), select the Create button to launch the New QoS Policy screen. Use this screen to create a QoS policy, wherein data traffic for the new or revised WLAN can be prioritized to best suit the MU transmissions within that WLAN. For more information, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.

6. Refer to the IP Filtering field to optionally enable the IP filtering feature, and (if enabled) apply existing IP filters (and their rules and permissions) to a WLAN.

Enable IP Filtering: Selecting this checkbox allows the WLAN to employ filter policies and rules to determine which IP packets are processed normally within the WLAN and which are discarded. If discarded, a packet is deleted and ignored (as if never received).

IP Filtering: Select the IP Filtering button to display a screen where existing IP filter policies can be applied to this specific WLAN and allow or deny IP packets in either an incoming or outgoing direction base
230. cenario 2, the mesh WLAN is mapped to BSS1 on the 802.11a radio of each AP. The Radio MAC Address (the BSSID 1 MAC Address) is used for the AP 2 Preferred Base Bridge List. Ensure both the AP 1 and AP 2 Radio MAC Addresses are in the Available Base Bridge List. Add the AP 2 MAC Address into the Preferred Base Bridge List.

[Screenshot: AP-5131 Radio Configuration screen]

3. Determine the Radio MAC Address and BSSID MAC Addresses.

[Screenshot: AP-5131 Radio Configuration screen listing the Base Radio MAC Address and the BSSID 1 through BSSID 4 MAC addresses]

9.3.2.4 Verifying Mesh Network Functionality for Scenario 2

You now have a three AP demo multi-hop mesh network re
231. AP51xx>admin(network.wan.content)> delcmd

Description: Deletes control commands to block outbound traffic.

Syntax:
delcmd  web     Deletes WEB commands to block outbound traffic.
                proxy      Deletes a Web proxy command.
                activex    Deletes activex files.
                file       Deletes Web URL extensions (10 files maximum).
        smtp    Deletes SMTP commands to block outbound traffic.
                helo       helo command
                mail       mail command
                rcpt       rcpt command
                data       data command
                quit       quit command
                send       send command
                saml       saml command
                reset      reset command
                vrfy       vrfy command
                expn       expn command
        ftp     Deletes FTP commands to block outbound traffic.
                put        store command
                get        retrieve command
                ls         directory list command
                mkdir      create directory command
                cd         change directory command
                pasv       passive mode command

Example:

admin(network.wan.content)>delcmd web proxy
admin(network.wan.content)>delcmd smtp data
admin(network.wan.content)>delcmd ftp put

AP51xx>admin(network.wan.content)> list

Description: Lists application control commands.

Syntax:
list  web     Lists WEB application control record.
      smtp    Lists SMTP application control record.
      ftp     Lists FTP application control record.

Example:

admin(network.wan.content)>list web

HTTP Files/Commands

Web Proxy : deny
ActiveX   : allow
filename  :

admin(network.wan.content)>list smtp

SMTP Commands

HELO : deny
MAIL : allow
RCPT : allow
DATA : deny
QUIT : allow
SEND : allow
SAML : allow
232. checkbox, and click the Auto Key Settings button to open a screen where AH authentication and ESP encryption/authentication can be configured. For more information, see Configuring Auto Key Settings on page 6-44.

IKE Settings: After selecting Auto (IKE) Key Exchange, click the IKE Settings button to open a screen where IKE specific settings can be configured. For more information, see Configuring IKE Key Settings on page 6-47.

4. Click Apply to save any changes to the VPN screen as well as changes made to the Auto Key Settings, IKE Settings and Manual Key Settings screens. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the VPN, Auto Key Settings, IKE Settings and Manual Key Settings screens to the last saved configuration.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.11.1 Configuring Manual Key Settings

A transform set is a combination of security protocols and algorithms applied to IPSec protected traffic. During security association (SA) negotiation, both gateways agree to use a particular transform set to protect data flow.

A transform set specifies one or two IPSec security protocols (either AH, ESP, or both) and specifies the algorithms to
233. cies have been defined, they can then be applied to traffic on either of the two access point LAN ports or any of the 16 access point WLANs. The procedure for applying a filtering policy is the same, as both the LAN1/LAN2 and WLAN screens display the same IP Filtering sub-screen for this operation. For more information, see Applying a Filter to LAN1, LAN2 or a WLAN (1-16) on page 5-78.

3. If necessary, select an existing policy and select the Del button to permanently remove the filtering policy from those available.

4. Click Apply to save any changes to the IP Filtering screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

5. Click Undo Changes to securely exit the IP Filtering screen without saving your changes.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.6.1 Applying a Filter to LAN1, LAN2 or a WLAN (1-16)

Once filter policies are defined, they must be applied to a LAN or WLAN within the LAN1 or LAN2 screens, or within the WLAN's New/Edit screens, not from within the main IP Filtering menu.

To apply an existing IP filter policy to LAN1, LAN2 or a WLAN:

1. Display the IP Filtering menu.

From the LAN1 or LAN2 screen:

a. Select Network Configuration -> LAN -> LAN1 (or LAN2) from the access point menu tree.

b. Select the Enable IP Filtering button in the lower, right-hand side of the scr
234. ckup KDCs are referred to as slave servers. The slave server periodically synchronizes its database with the primary (or master) KDC.

Remote KDC: Optionally, specify a numerical (non-DNS) IP address and port for a remote KDC. Kerberos implementations can use an administration server allowing remote manipulation of the Kerberos database. This administration server usually runs on the KDC.

Port: Specify the ports on which the Primary, Backup and Remote KDCs reside. The default port number for Kerberos Key Distribution Centers is Port 88.

6. Click the Apply button to return to the WLAN screen to save any changes made within the Kerberos Configuration field of the New Security Policy screen.

7. Click the Cancel button to undo any changes made within the Kerberos Configuration field and return to the WLAN screen. This reverts all settings for the Kerberos Configuration field to the last saved configuration.

6.5 Configuring 802.1x EAP Authentication

The IEEE 802.1x standard ties the 802.1x EAP authentication protocol to both wired and wireless LAN applications.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). The access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server (typically, a Radius server) verifies the MU's identi
235. col uses TCP port 80.

• TELNET: TELNET is the terminal emulation protocol of TCP/IP. TELNET uses TCP to achieve a virtual connection between server and client, then negotiates options on both sides of the connection. TELNET uses TCP port 23.
• FTP: File Transfer Protocol (FTP) is an application protocol using the Internet's TCP/IP protocols. FTP provides an efficient way to exchange files between computers on the Internet. FTP uses TCP port 21.
• SMTP: Simple Mail Transfer Protocol is a TCP/IP protocol for sending and receiving email. Due to its limited ability to queue messages at the receiving end, SMTP is often used with POP3 or IMAP. SMTP sends the email, and POP3 or IMAP receives the email. SMTP uses TCP port 25.
• POP: Post Office Protocol is a TCP/IP protocol intended to permit a workstation to dynamically access a maildrop on a server host. A workstation uses POP3 to retrieve email that the server is holding for it.
• DNS: Domain Name Service protocol searches for resources using a database distributed among different name servers.

Click Add to create a new table entry.

Click Del (Delete) to remove a selected list entry.

Specify a name for a newly configured protocol.

Select a protocol from the drop down menu. For a detailed description of the protocols available, see Available Protocols on page 6-33.

Enter the starting port number for a range of ports. If the protocol uses a single port, enter that port in this field.
236. condary antenna for Radio 1.

CAUTION: Both the Dual and Single Radio model AP-5131s use RSMA type

14   15

Attach safety wire (if used) to the AP-5131 safety wire tie point or security cable (if used) to the AP-5131's lock port.

Align the ceiling tile into its former ceiling space.

Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

CAUTION: Do not supply power to the AP-5131 until the cabling of the unit is complete.

For Power Injector installations:

a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.

b. Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.

c. Ensure the cable length from the Ethernet source (host) to the Power Injector and AP-5131 does not exceed 100 meters (333 ft). The Power Injector has no On/Off power switch. The Power Injector receives power as soon as AC power is applied. For more information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.

For standard 48 Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:

a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.

b. Verify the power adapter is correctly rated according to the country of operation.

c. Connect the power supply
237. connection between the access point and one or more specified NTP servers. A preferred, first alternate and second alternate NTP server cannot be defined unless this checkbox is selected. Disable this option (uncheck the checkbox) if Kerberos is not in use and time synchronization is not necessary.

Preferred Time Server: Specify the numerical (non DNS name) IP address and port of the primary NTP server. The default port is 123.

First Alternate Time Server: Optionally, specify the numerical (non DNS name) IP address and port of an alternative NTP server to use for time synchronization if the primary NTP server goes down.

Second Alternate Time Server: Optionally, specify the numerical (non DNS name) and port of yet another NTP server for the greatest assurance of uninterrupted time synchronization.

Synchronization Interval: Define an interval in minutes the access point uses to synchronize its system time with the NTP server. A synchronization interval value from 15 minutes to 65535 minutes can be specified. For implementations using Kerberos, a synchronization interval of 15 minutes (default interval) or sooner is recommended.

Click Apply to save any changes to the Date and Time Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Date and Time Settings screen t
238. creen by selecting an existing policy and clicking the Edit button. Use the Edit Security Policy screen to edit the policy. For more information on editing an existing security policy, refer to security configuration sections described in steps 4 and 5.

3. Use the Name field to define a logical security policy name.

Remember, multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to a single policy. Motorola recommends naming the policy after the attributes of the authentication or encryption type selected (for example, WPA2 Allow TKIP).

4. Enable and configure an Authentication option if necessary for the target security policy.

Manually Pre-Shared Key / No Authentication: Select this button to disable authentication. This is the default value for the Authentication field.

Kerberos: Select the Kerberos button to display the Kerberos Configuration field within the New Security Policy screen. For specific information on configuring Kerberos, see Configuring Kerberos Authentication on page 6-8.

802.1x EAP: Select the 802.1x EAP button to display the 802.1x EAP Settings field within the New Security Policy screen. For specific information on configuring EAP, see Configuring 802.1x EAP Authentication on page 6-11.

5. Enable and configure an Encryption option if necessary for the target security policy.

No Encryption    WEP 64 (40 bit key)    If No E
240. cters. Use the Authentication Algorithm drop down menu to specify MD5 or SHA as the authentication algorithm. Use the Privacy Algorithm drop down menu to define an algorithm of DES or AES 128bit.

If entering the same username on the SNMP Traps and SNMP Access screens, the password entered on the SNMP Traps page overwrites the password entered on the SNMP Access page. To avoid this problem, enter the same password on both pages.

4. Click Apply to save any changes to the SNMP Trap Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes being lost.

5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Trap Configuration screen to the last saved configuration.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.5.3 Configuring Specific SNMP Traps

Use the SNMP Traps screen to enable specific traps on the access point. Motorola recommends defining traps to capture unauthorized devices operating within the access point coverage area. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, traps can be sent using configurations for both SNMP v1/v2c and v3. To configure specif
241. cting to the access point. The Power Injector's single DC and Ethernet data cable creates a modified Ethernet cabling environment on the access point's LAN port, eliminating the need for separate Ethernet and power cables. For detailed information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.

The AP-5181 Power Tap is also a single-port, 802.3af compliant Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable connecting to the access point. However, the Power Tap is designed and ruggedized for use with an AP-5181's outdoor deployment. For detailed information on using the Power Tap, see Power Injector and Power Tap Systems on page 2-10.

1.2.14 MU-MU Transmission Disallow

The access point's MU-MU Disallow feature prohibits MUs from communicating with each other even if on the same WLAN, assuming one WLAN is configured to disallow MU-MU communication. Therefore, if an MU's WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this access point.

For detailed information on configuring a WLAN to disallow MU to MU communications, see Creating/Editing Individual WLANs on page 5-30.

1.2.15 Voice Prioritization

Each access point WLAN has the capability of having its QoS policy configured to prioritize the network traffic requirements for associated MUs. A WLAN QoS page is available for each enabled WLAN on both the 802.11a and 802.1
242. [Screenshot: Firewall screen with the Configurable Firewall Filters checkboxes]

Refer to the Global Firewall Disable field to enable or disable the access point firewall.

Disable Firewall: Select the Disable Firewall checkbox to disable all firewall functions on the access point. This includes firewall filters, NAT, VPN, content filtering, and subnet access. Disabling the access point firewall makes the access point vulnerable to data attacks and is not recommended during normal operation if using the WAN port.

Refer to the Timeout Configuration field to define a timeout interval to terminate IP address translations.

NAT Timeout: Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in a different network. Set a NAT Timeout interval (in minutes) the access point uses to terminate the IP address translation process if no translation activity is detected after the specified interval.

4. Refer to the Configurable Firewall Filters field to set the following firewall filters:

SYN Flood Attack Check    Source Routing Check    Winnuke Attack C
243. d on the rules defined for the policy.

NOTE: For an overview of IP Filtering and how to create a filter, see Configuring IP Filtering on page 5-75. For information on applying an existing filter to the IP packet flow of a WLAN, see Applying a Filter to LAN1, LAN2 or a WLAN (1-16) on page 5-78.

7. Click Apply to save any changes to the WLAN screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
8. Click Cancel to securely exit the New WLAN or Edit WLAN screen and return to the Wireless Configuration screen.

5.3.1.1 Configuring WLAN Security Policies

As WLANs are being defined for an access point, a security policy can be created or an existing policy edited (using the Create or Edit buttons within the Security Configuration screen) to best serve the security requirements of the WLAN. Once new policies are defined, they are available within the New WLAN or Edit WLAN screens and can be mapped to any WLAN. A single security policy can be used by more than one WLAN if it is logical to do so. For example, there may be two or more WLANs within close proximity of each other requiring the same data protection scheme.

To create a new security policy or modify an existing policy:

1. Select Network Configuration > Wireless > Security from the access point menu tree.

The Security Configuration screen appears with existing policies and their attributes displayed.
244. d 129 for the configuration file, the AP uses the file name configured for option 188.

B.2 Configuring an IPSEC Tunnel and VPN FAQs

The access point has the capability to create a tunnel between an access point and a VPN endpoint. The access point can also create a tunnel from one access point to another access point.

The following instruction assumes the reader is familiar with basic IPSEC and VPN terminology and technology.

• Configuring a VPN Tunnel Between Two Access Points
• Configuring a Cisco VPN Device
• Frequently Asked VPN Questions

B.2.1 Configuring a VPN Tunnel Between Two Access Points

The access point can connect to a non-AP device supporting IPSec, such as a Cisco VPN device (labeled as "Device #2").

For this usage scenario, the following components are required:

• 2 access points (either an AP-5131 or AP-5181 model)
• 1 PC on each side of the access point's LAN

To configure a VPN tunnel between two access points:

1. Ensure the WAN ports are connected via the internet.
2. On access point #1, select WAN > VPN from the main menu tree.
3. Click Add to add the tunnel to the list.
4. Enter a tunnel name (tunnel names do not need to match).
245. d EAP certificates.
set Defines EAP parameters.
show Displays the EAP configuration.
save Saves the configuration to system flash.
quit Quits the CLI.
Goes to the parent menu.
Goes to the root menu.

For information on configuring EAP Radius using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin system radius eap> peap

Description:
Goes to the Peap submenu.

Syntax:
set Defines Peap parameters.
show Displays the Peap configuration.
save Saves the configuration to system flash.
quit Quits the CLI.
Goes to the parent menu.
Goes to the root menu.

For information on configuring PEAP Radius using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin system radius eap peap> set show

Description:
Defines and displays Peap parameters.

Syntax:
set Sets the Peap authentication <type>.
show Displays the Peap authentication type.

Example:
admin system radius eap peap>set auth gtc
admin system radius eap peap>show
PEAP Auth Type : gtc

For information on configuring EAP PEAP Radius values using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin system radius eap> ttls

Description:
Goes to the TTLS submenu.

Syntax:
set Defines TTLS parameters.
show Displays the TTLS configuration.
save Saves the configuration t
246. d an area lit from far away to be not bright enough. An area lit sharply might minimize coverage and create dark areas. Uniform antenna placement in an area (like even placement of a light bulb) provides even, efficient coverage.

Place the access point using the following guidelines:

• Install the access point at an ideal height of 10 feet from the ground.
• Orient the access point antennae vertically for best reception.
• Point the access point antenna(s) downward if attaching to the ceiling.

To maximize the access point's radio coverage area, Motorola recommends conducting a site survey to define and document radio interference obstacles before installing the access point.

2.4.1 Site Surveys

A site survey analyzes the installation environment and provides users with recommendations for equipment and placement. The optimum placement of 802.11a access points differs from 802.11b/g access points, because the locations and number of access points required are different to support the radio coverage area.

Motorola recommends conducting a new site survey and developing a new coverage area floor plan when switching from 2 or 11Mbps access points (AP-3021 or AP-4131 models) to 54Mbps access points (AP-5131 and AP-5181 models), as the device placement requirements are significantly different.

2.4.2 Antenna Options

2.4.2.1 AP-5131 Antenna Options

Both Radio 1 and Radio 2 require one antenna and c
247. d extra routing information. Clients on the local LAN side should either use the access point as their gateway or have a route entry tell them to use the access point as the gateway to reach the remote subnet.

B.3 Replacing an AP-4131 with an AP-5131 or AP-5181

The access point's modified default configuration enables an AP-5131 or AP-5181 to not only operate in a single-cell environment, but also function as a replacement for legacy AP-4131 model access points. You cannot port an AP-4131's configuration file to an AP-5131 or AP-5181, but you can configure an AP-5131 or AP-5181 similarly and provide an improved data rate and feature set.

An AP-4131 has only one LAN port and it is defaulted to DHCP/BOOTP enabled. The AP-5131 and AP-5181 are optimized for single-cell deployment, so the customer can use either as a "drop-in" replacement for an existing AP-4131 deployment. However, to optimally serve as a replacement for existing AP-4131 deployments, an AP-5131 and AP-5181's "out of box" defaults are now set as follows:

• The LAN1 port must default to DHCP client mode.
• The LAN2 port must default to DHCP server mode.
• The WAN port must default to Static mode.
• The default gateway now defaults to LAN1.
• The interface parameter has been removed from the Auto Update configuration feature.
• The WAN interface now has http/telnet/https/ssh connectivity enabled by default.

Customer Suppo
248. d mW

802.11 b/g mode: Specify b only, g only or b and g to define whether the 802.11b/g radio transmits in the 2.4 GHz band exclusively for 802.11b (legacy) clients or transmits in the 2.4 GHz band for 802.11g clients. Selecting b and g enables the access point to transmit to both b and g clients if legacy clients (802.11b) partially comprise the network. Select accordingly based on the MU requirements of the network. This parameter does not apply to access point 802.11a radios.

Set Rates: Click the Set Rates button to display a window for selecting minimum and maximum data transmit rates for the radio. At least one Basic Rate must be selected as a minimum transmit rate value. Supported Rates define the data rate the radio defaults to if a higher selected data rate cannot be maintained. Click OK to implement the selected rates and return to the 802.11a or 802.11b/g radio configuration screen. Clicking Cancel reverts the Set Rates screen to the last saved configuration. Motorola recommends using the default rates unless qualified to understand the performance risks of changing them. The appearance of the Set Rates screen varies depending on the 802.11a or 802.11b/g used, as the data rates available to the two radios are different.
249. d upwards to ensure proper operation.

CAUTION: Do not supply power to the AP-5181 Power Tap or Power Injector until the cabling of the access point is complete.

CAUTION: For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit's three screw termination block and tighten the unit's Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.

Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Tap's DATA IN connector or the Power Injector's Data In connector.

Connect a RJ-45 Ethernet cable between the Power Tap's DATA/PWR OUT connector or the Power Injector's Data & Power Out connector and the AP-5181 LAN port.

For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit's LINE AC connector, secure the power cable to the unit's three screw termination block and tighten the unit's LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit.

For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.

Ensure the cable length from the Etherne
251. ddress is on the Preferred Base Bridge List and constitutes a threat as a potential member of the mesh network (poor RSSI etc.), select it and click the Remove button to exclude it from the preferred list.

If all of the members of the Preferred Base Bridge List constitute a risk as a member of the mesh network, click the Remove All button. This is not recommended unless the preferred list can be re-populated with more desirable device MAC addresses from the Available Base Bridge List.

Click Ok to return to the Radio Configuration screen. Within the Radio Configuration screen, click Apply to save any changes made within the Advanced Client Bridge Settings screen.

Click Cancel to undo any changes made within the Advanced Client Bridge Settings screen. This reverts all settings for the screen to the last saved configuration.

If using a dual-radio model access point, refer to the Mesh Timeout drop-down menu (from within the Radio Configuration screen) to define whether one of the access point's radios beacons on an existing WLAN or if a client bridge radio uses an uplink connection. The Mesh Timeout value is not available on a single-radio access point, since the radio would have to stop beaconing and go into scan mode to determine if a base bridge uplink is lost. The following drop-down menu options are available:

Disabled: When disabled, both radios are up at boot time and beaconing. If one radio (radio 1) does not have a mesh connectio
252. 5. Configure the WEP 64 Settings or WEP 128 Settings field as required to define the Pass Key used to generate the WEP keys. These keys must be the same between the access point and its MU to encrypt packets between the two devices.

Pass Key: Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string. The access point, other proprietary routers and Motorola MUs use the algorithm to convert an ASCII string to the same hexadecimal number. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.

Keys #1-4: Use the Key #1-4 areas to specify key numbers. The key can be either a hexadecimal or ASCII depending on which option is selected from the drop-down menu. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length or 5 ASCII characters. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button.

Default (hexadecimal) keys for WEP 64 include:

Key 1 1011121314
Key 2 2021222324
Key 3 3031323334
Key 4 4041424344

Default (hexadecimal) keys for WEP 128 include:

Key 1 101112131
253. der
• QUIT: Tells the receiver to respond with an OK reply and terminate communication with the sender.
• SEND: Initiates a mail transaction where mail is sent to one or more remote terminals.
• SAML (Send and Mail): Initiates a transaction where mail data is sent to one or more local mailboxes and remote terminals.
• RESET: Cancels mail transaction and informs the recipient to discard data sent during transaction.
• VRFY: Asks receiver to confirm the specified argument identifies a user. If argument does identify a user, the full name and qualified mailbox is returned.
• EXPN (Expand): Asks receiver to confirm a specified argument identifies a mailing list. If the argument identifies a list, the membership list of the mailing list is returned.

4. Configure the FTP field to block or restrict various FTP traffic on the network.

Block Outbound FTP Actions: File Transfer Protocol (FTP) is the Internet standard for host to host mail transport. FTP generally operates over TCP port 20 and 21. FTP filtering allows the blocking of any or all outgoing FTP functions. Check the box next to the command to disable the command when using FTP across the access point's WAN port.
• Storing Files: Blocks the request to transfer files sent from the client across the AP's WAN port to the FTP server.
• Retrieving Files: Blocks the request to retrieve files sent from the FTP server across the AP's WAN po
254. dge (radio 1) to roam without dropping the MUs associated to radio 2. The disadvantage is that radio 2 may beacon for the timeout period and have to drop associated MUs because radio 1 could not establish its uplink. The default timeout period is 45 seconds.

NOTE: The Mesh Time Out variable overrides the Ethernet Port Time Out (EPTO) setting on the LAN page when the access point is in bridge mode. As long as the mesh is down, the access point acts in accordance to the Mesh Time Out setting regardless of the state of the Ethernet. However, if the Ethernet goes down and the mesh link is still up, the EPTO takes effect.

For a detailed overview on mesh networking and how to configure the radio for mesh networking support, see Configuring Mesh Networking Support on page 9-6.

8. Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

CAUTION: When defining a Mesh configuration and changes are saved, the mesh network temporarily goes down. The Mesh network is unavailable because the access point radio is reconfigured when applying changes. This can be problematic for users making changes within a deployed mesh network. If updating the mesh network using a LAN connection, the access point applet loses connection and the connection must be re-instated. If updating the m
255. dify the following:

Add: Click Add to create a local map that includes the name, transport protocol, start port, end port, IP address and Translation Port for incoming packets.

Delete: Click Delete to remove a selected local map entry.

Name: Enter a name for the service being forwarded. The name can be any alphanumeric string and is used for identification of the service.

Transport: Use the Transport pull-down menu to specify the transport protocol used in this service. The choices are ALL, TCP, UDP, ICMP, AH, ESP and GRE.

Start Port and End Port: Enter the port or ports used by the port forwarding service. To specify a single port, enter the port number in the Start Port area. To specify a range of ports, use both the Start Port and End Port options to enter the port numbers. For example, enter 110 in the Start Port field and 115 in the End Port field.

IP Address: Enter the numerical (non-DNS name) IP address to which the specified service is forwarded. This address must be within the specified NAT range for the associated WAN IP address.

Translation Port: Specify the port number used to translate data for the service being forwarded.

Forward all unspecified ports to: Use the Forward all unspecified ports to checkbox to enable port forwarding for incoming packets with unspecified ports. In the adjacent area, enter a target forwarding IP address for incoming packets. This number must be within the specified NAT range for
256. dio
802 11bg>set placement indoor
802 11bg>set ch mode user
802 11bg>set channel 1
802 11bg>set acs exception list 10
802 11bg>set antenna full
802 11bg>set power 4
802 11bg>set bg mode enable
802 11bg>set rates
802 11bg>set beacon 100
802 11bg>set dtim 1 40
802 11bg>set preamble disable
802 11bg>set rts 2341
802 11bg>set qos cwmin 125
802 11bg>set qos cwmax 255
802 11bg>set qos aifsn 7
802 11bg>set qos txops 0
802 11bg>set qbss beacon 110
802 11bg>set qbss mode enable

For information on configuring the Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

CAUTION: If you do NOT include the index number (for example, "set dtim 50"), the DTIMs for all four BSSIDs will be changed to 50. To change individual DTIMs for BSSIDs, specify the BSS Index number (for example, "set dtim 2 50"). This will change the DTIM for BSSID 2 to 50.

AP51xx>admin network wireless radio 802 11bg advanced>

Description:
Displays the advanced submenu for the 802.11b/g radio. The items available under this command include:

Syntax:
show Displays advanced radio settings for the 802.11b/g radio.
set Defines advanced parameters for the 802.11b/g radio.
Goes to the parent menu.
Goes to the root
257. dio, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

3. Refer to the Received field to reference data received over the access point WAN port.

RX Packets: RX packets are data packets received over the WAN port. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted.

RX Bytes: RX bytes are bytes of information received over the WAN port. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted. To restart the access point to begin a new data collection, see Configuring System Settings on page 4-2.

RX Errors: RX errors include dropped data packets, buffer overruns, and frame errors on inbound traffic. The number of RX errors is a total of RX Dropped, RX Overruns and RX Carrier errors. Use this information to determine performance quality of the current WAN connection.

RX Dropped: The RX Dropped field displays the number of data packets that fail to reach the WAN interface. If this number appears excessive, consider a new connection to the device.

RX Overruns: RX overruns are buffer overruns on the WAN connection. RX overruns occur when packets are received faster than the WAN port can handle them. If RX overruns are excessive, consider reducing the data rate (for more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56).

RX Frame: The RX F
258. dvanced>set wlan demoroom 1
admin network wireless radio 802 11bg advanced>set bss 1 demoroom

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

AP51xx>admin network wireless radio radio2>

Description:
Displays a specific 802.11a radio submenu. The items available under this command include:

Syntax:
show Displays 802.11a radio settings.
set Defines specific 802.11a radio parameters.
delete Deletes the ACS exception channels.
advanced Displays the Advanced radio settings submenu.
mesh Goes to the Wireless AP Connections submenu.
Goes to the parent menu.
Goes to the root menu.
save Saves the configuration to system flash.
quit Quits the CLI.

AP51xx>admin network wireless radio 802 11a> show

Description:
Displays specific 802.11a radio settings.

Syntax:
show radio Displays specific 802.11a radio settings.
show qos Displays specific 802.11a radio WMM QoS settings.

Example:
admin network wireless radio 802 11a>show radio

Radio Setting Information
Placement
MAC Address
Radio Type
Channel Setting
ACS Exception Channel List
Antenna Diversity
Power Level
Basic Rates
Supported Rates
Beacon Interval
DTIM Interval per BSSID 1 2 3 4
RTS Threshold
Extended Range
QBSS Channel Util Beacon Intervl
259. 2. Configure the DHCP Configuration field to define the DHCP settings used for the LAN.

NOTE: Motorola recommends the WAN and LAN ports should not both be configured as DHCP clients.

This interface is a DHCP Client: Select this button to enable DHCP to set network address information via this LAN1 or LAN2 connection. This is recommended if the access point resides within a large corporate network or the Internet Service Provider (ISP) uses DHCP. This setting is enabled for LAN1 by default. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. If DHCP Client is selected, the first DHCP or BOOTP server to respond sets the IP address and network address values since DHCP and BOOTP are interoperable.

This interface is a BOOTP Client

This interface uses static IP Address

This interface is a DHCP Server

Address Assignment Range

Advanced DHCP Ser
260. e

8.3.1 Network LAN Commands

AP51xx>admin network lan>

Description:
Displays the LAN submenu. The items available under this command are shown below.

show Shows current access point LAN parameters.
set Sets LAN parameters.
bridge Goes to the mesh configuration submenu.
wlan mapping Goes to the WLAN/Lan/Vlan Mapping submenu.
dhcp Goes to the LAN DHCP submenu.
type filter Goes to the Ethernet Type Filter submenu.
ipfpolicy Goes to the LAN IP Filtering Policy submenu.
Goes to the parent menu.
Goes to the root menu.
save Saves the configuration to system flash.
quit Quits the CLI.

For an overview of the LAN configuration options using the applet (GUI), see Configuring the LAN Interface on page 5-1.

AP51xx>admin network lan> show

Description:
Displays the access point LAN settings.

Syntax:
show Shows the settings for the access point LAN1 and LAN2 interfaces.

Example:
admin network lan>show

LAN On Ethernet Port : LAN1
LAN Ethernet Timeout : disable

802.1x Port Authentication:
Username : admin
Password : ********
Auto negoitation : disable
Speed : 100M
Duplex : full

LAN1 Information
LAN Name : LAN1
LAN Interface : enable
802.11q Trunking : disable
LAN IP mode : DHCP client
IP Address : 192.168.0.1
Network Mask : 255.255.255.255
Default Gateway : 192.168.0.1
Domain Name :
Primary DNS Server : 192.168.0.1
Secondary DNS Server : 192.168.0.2
WINS Server : 192.168.0
261. e 802.11a or 802.11g radio.

11b voice: Use this setting for "Voice Over IP" traffic over the 802.11b radio.

CAUTION: Motorola recommends using the drop-down menu to define the intended radio traffic within the WLAN. Once an option is selected, you do not need to adjust the values for the Access Categories, unless qualified to do so. Changing the Access Category default values could negatively impact the performance of the access point.

7. Select the Enable Wi-Fi Multimedia (WMM) QoS Extensions checkbox to configure the access point's QoS Access Categories. The Access Categories are not configurable unless the checkbox is selected. Access Categories include:

Background: Background traffic is typically of a low priority (file transfers, print jobs etc.). Background traffic typically does not have strict latency (arrival) and throughput requirements.

Best Effort: Best Effort traffic includes traffic from legacy devices or applications lacking QoS capabilities. Best Effort traffic is negatively impacted by data transfers with long delays as well as multimedia traffic.

Video: Video traffic includes music streaming and application traffic requiring priority over all other types of network traffic.

Voice: Voice traffic includes VoIP traffic and typically receives priority over Background and Best Effort traffic.

8. Configure the CW min and CW max (contention windows), AI
262. e 4-14.

To configure access for the access point:

1. Select System Configuration > AP-51xx Access from the menu tree.

The Trusted Hosts field appears at the top of the screen, but the remainder of the screen can be viewed by using the scroll bar on the right-hand side of the screen.

2. Select the Trusted Hosts checkbox to display a field where up to 8 IP addresses can be defined for exclusive access to the AP. For more information, see Defining Trusted Hosts on page 4-14.

3. Use the access point Access field checkboxes to enable/disable the following on the access point's LAN1, LAN2 or WAN interfaces:

Applet HTTP (port 80): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration applet using a Web browser.

Applet HTTPS (port 443): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration appl
263. e AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) is ordered separately and is intended for AP-5181 outdoor deployments.

NOTE: Though an AP-5181 can use the Power Injector solution (Part No. AP-PSBIAS-1P2-AFR), Motorola recommends using the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) designed especially for outdoor deployments.

CAUTION: The access point supports a 802.3af compliant power source (including non-Motorola power sources). However, using the wrong solution (including a POE system used on a legacy Motorola access point) could severely damage the access point and void the product warranty.

A separate Power Injector or Power Tap is required for each access point comprising the network.

2.6.1 Installing the Power Injector or Power Tap

Refer to the following sections for information on planning, installing, and validating the installation:

• Preparing for Site Installation
• Cabling the Power Injector and Power Tap
• Power Injector LED Indicators

2.6.1.1 Preparing for Site Installation

The Power Injector or Power Tap can be installed free standing, on an even horizontal surface or wall mounted using the unit's wall mounting key holes. The following guidelines should be adhered to before cabling the Power Injector or Power Tap to an Ethernet source and an access point:

• Do not block or cover airflow to the Power Injector or Power Tap.
• Keep the unit away from excessive heat
264. e AP will connect to the switch and request a configuration.

10.1.7 Adaptive AP WLAN Topology

An AAP can be deployed in the following WLAN topologies:

• Extended WLANs: Extended WLANs are the centralized WLANs created on the switch.
• Independent WLANs: Independent WLANs are local to an AAP and can be configured from the switch. You must specify a WLAN as independent to stop traffic from being forwarded to the switch. Independent WLANs behave like WLANs on a standalone access point.
• Both: Extended and independent WLANs are configured from the switch and operate simultaneously.

NOTE: For a review of some important considerations impacting the use of extended and independent WLANs within an AAP deployment, see Adaptive AP Deployment Considerations on page 10-19.

10.1.8 Configuration Updates

An AAP receives its configuration from the switch initially as part of its adoption sequence. Subsequent configuration changes on the switch are reflected on an AAP when applicable.

An AAP applies the configuration changes it receives from the switch after 30 seconds from the last received switch configuration message. When the configuration is applied on the AAP, the radios shut down and re-initialize (this process takes less than 2 seconds), forcing associated MUs to be deauthenticated. MUs are quickly able to associate.

10.1.9 Securing Data Tunnels between the Switch and AAP

If a secure link (site-to-site VPN) from a remote site to the centr
265. e Authorize Any AP with a Motorola MAC address option. Sets the approved AP age out time. Sets the rogue AP age out time.

Example:

    rogue-ap>set mu-scan enable
    rogue-ap>set interval 10
    rogue-ap>set on-channel disable
    rogue-ap>set detector-scan disable
    rogue-ap>set ABG-scan disable
    rogue-ap>set motorola-ap enable
    rogue-ap>set applst-ageout 10
    rogue-ap>set roglst-ageout 10
    rogue-ap>show

    enable
    10 minutes
    disable
    disable
    Auto Authorize Motorola APs : enable
    Approved AP age out         : 10 minutes
    Rogue AP age out            : 10 minutes

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

AP51xx>admin(network.wireless.rogue-ap.mu-scan)>

Description: Displays the Rogue AP mu-scan submenu.

Syntax:

    add     Add all or just one scan result to Allowed AP list.
    show    Displays all APs located by the MU scan.
    start   Initiates scan immediately by the MU.
    ..      Goes to the parent menu.
    /       Goes to the root menu.
    save    Saves the configuration to system flash.
    quit    Quits the CLI.

AP51xx>admin(network.wireless.rogue-ap.mu-scan)> start

Description: Initiates an MU scan for a user-provided MAC address.

Syntax:

    start <mu-mac>   Initiates MU scan from user-provided MAC address.

For inform
266. e CLI.

For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see Configuring Security Options on page 6-2.

AP51xx>admin(network.wireless.security.edit)>

Description: Edits the properties of a specific security policy.

Syntax:

    show          Displays the new or modified security policy parameters.
    set <index>   Edits security policy parameters.
    change        Completes policy changes and exits the session.
                  Cancels the changes made and exits the session.

Example:

    admin(network.wireless.security)>edit 1
    admin(network.wireless.security.edit)>show

    Policy Name     : Default
    Authentication  : Manual Pre-shared key / No Authentication
    Encryption type : no encryption

For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see Configuring Security Options on page 6-2.

AP51xx>admin(network.wireless.security)> delete

Description: Deletes a specific security policy.

Syntax:

    delete <sec-name>   Removes the specified security policy from the list of supported policies.
           <all>        Removes all security policies except the default policy.

For information on configuring the encryption and authentication options available to the access point using the applet (GUI), see Configuring Security Options on page 6-2.
267. e Kerberos Configuration field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

[Screenshot: New Security Policy screen, Kerberos Configuration field]

5. Set the Kerberos Configuration field as required to define the parameters of the Kerberos authentication server and access point.

Realm Name: Specify a realm name that is case sensitive, for example, MOTOROLA.COM. The realm name is the name domain/realm name of the KDC Server. A realm name functions similarly to a DNS domain name. In theory, the realm name is arbitrary. However, in practice a Kerberos realm is named by uppercasing the DNS domain name that is associated with hosts in the realm.

Primary KDC: Specify a numerical (non-DNS) IP address and port for the primary Key Distribution Center (KDC). The KDC implements an Authentication Service and a Ticket Granting Service, whereby an authorized user is granted a ticket encrypted with the user's password. The KDC has a copy of every user password.

Backup KDC: Optionally, specify a numerical (non-DNS) IP address and port for a backup KDC. Ba
268. e List

7. Select the Automatic Link Selection checkbox to allow the access point to select the links used by the client bridge to populate the mesh network. Selecting this checkbox prohibits the user from selecting the order base bridges are added to the mesh network when one of the three associated base bridges becomes unavailable.

NOTE: Auto link selection is based on the RSSI and load. The client bridge will select the best available link when the Automatic Link Selection checkbox is selected. Motorola recommends you do not disable this option, as (when enabled) the access point will select the best base bridge for connection.

8. Refer to the Available Base Bridge List to view devices located by the access point using the WLAN selected from the Radio Configuration screen. Refer to the following for information on located base bridges:

MAC: The MAC field displays the factory-set hard-coded MAC address that serves as a device identifier.

RSSI: The Relative Signal Strength Indicator (RSSI) displays the located device's signal strength with the associated access point in client bridge mode. Use this information as criteria on whether to move a particular device from the available list to the preferred list.

CHANN: The CHANN displays the name of the channel that both the access point and base bridge use. A client bridge can only connect to access points (Base Bridges) on the same
269. e RF utilization of the access point radio. This value is calculated as throughput divided by average bit speed. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

Displays the percentage of total radio packets that are non-unicast. Non-unicast packets include broadcast and multicast packets. The number in black represents packets for the last 30 seconds and the number in blue represents packets for the last hour.

4. Refer to the RF Status field to view the following MU signal, noise and performance information for the target access point 802.11a or 802.11b/g radio.

Avg MU Signal: Displays the average RF signal strength in dBm for all MUs associated with the radio. The number in black represents the average signal for the last 30 seconds and the number in blue represents the average signal for the last hour. If the signal is low, consider mapping the MU to a different WLAN, if a better functional grouping of MUs can be determined.

Avg MU Noise: Displays the average RF noise for all MUs associated with the access point radio. The number in black represents MU noise for the last 30 seconds and the number in blue represents MU noise for the last hour. If MU noise is excessive, consider moving the MU closer to the access point, or in an area with less conflicting network traffic.

Avg MU SNR: Displays the average Signal to Noise Ratio (SNR)
270. e RX Dropped field displays the number of data packets failing to reach the LAN port. If this number appears excessive, consider a new connection to the device.

RX Overruns: RX overruns are buffer overruns on the access point LAN port. RX overruns occur when packets are received faster than the LAN connection can handle them. If RX overruns are excessive, consider reducing the data rate; for more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

RX Frame: The RX Frame field displays the number of TCP/IP data frame errors received.

4. Refer to the Transmitted field to view statistics transmitted over the access point LAN port.

TX Packets: TX packets are data packets sent over the access point LAN port. The displayed number is a cumulative total since the LAN connection was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

TX Bytes: TX bytes are bytes of information sent over the LAN port. The displayed number is a cumulative total since the LAN Connection was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

TX Errors: TX errors include dropped data packets, buffer overruns, and carrier errors on outbound traffic. The displayed number of TX errors is a total of TX Dropped, TX Overruns and TX Carrier errors. Use this information to re-assess AP location and transmit s
271. e WLAN, a new ACL policy can be created by pressing the Create button. For more information, see Configuring a WLAN Access Control List (ACL) on page 5-37.

Kerberos User Name: Displays the read-only Kerberos User Name used to associate the wireless client. This value is the ESSID of the access point.

Kerberos Password: Enter a Kerberos password if Kerberos has been selected as the security scheme from within the Security Policies field. The field is grayed out if Kerberos has not been selected for the WLAN. For information on configuring Kerberos, see Configuring Kerberos Authentication on page 6-8.

5. Configure the Advanced field as required to set MU interoperability permissions, secure beacon transmissions, broadcast ESSID acceptance and Quality of Service (QoS) policies.

Disallow MU to MU Communication: The MU-MU Disallow feature prohibits MUs from communicating with each other even if they are on different WLANs, assuming one of the WLANs is configured to disallow MU-MU communication. Therefore, if an MU's WLAN is configured for MU-MU disallow, it will not be able to communicate with any other MUs connected to this access point.

Use Secure Beacon: Select the Use Secure Beacon checkbox to not transmit the access point's ESSID. If a hacker tries to find an ESSID via an MU, the ESSID does not display since the ESSID is not in the beacon. Motorola recommends keeping the option enabled to redu
273. e access point LAN port.

    <mode>       Enables or disables auto-negotiation for the access point LAN port.
    <mbps>       Defines the access point LAN port speed as either 10 Mbps or 100 Mbps.
    <mode>       Defines the access port LAN port duplex as either half or full.
    <name>       Specifies the user name for 802.1x port authentication over the LAN interface.
    <password>   The 0-32 character password for the username for the 802.1x port.
    <ip>         Defines the access point LAN port IP mode.
    <ip>         Sets the IP address used by the LAN port.
    <ip>         Defines the IP address used for access point LAN port network mask.
    <ip>         Sets the Gateway IP address used by the LAN port.
    <name>       Specifies the domain name used by the access point LAN port.
    <ip>         Defines the IP address of the primary and secondary DNS servers used by the LAN port.
    <ip>         Defines the IP address of the WINS server used by the LAN port.

Example:

    lan>set lan 1 enable
    lan>set name 1 engineering
    lan>set ethernet-port-lan 1
    lan>set timeout 45
    lan>set trunking 1 disable
    lan>set auto-negotiation disable
    lan>set speed 100M
    lan>set duplex full
    lan>set dns 1 192.168.0.1
    lan>set dns 2 192.168.0.2
    lan>set wins 1 192.168.0.254
    lan>set trunking disable
    lan>set username phil
    lan>set passwd ea0258c1

Related Commands:

    show   Shows the current s
274. e applet (GUI), see Setting the WLAN's Radio Configuration on page 5-52.

AP51xx>admin(network.wireless.radio.radio1)>

Description: Displays a specific 802.11b/g radio submenu. The items available under this command include:

Syntax:

    show       Displays 802.11b/g radio settings.
    set        Defines specific 802.11b/g radio parameters.
    delete     Deletes the channels defined within the ACS exception list.
    advanced   Displays the Advanced radio settings submenu.
    mesh       Goes to the Wireless AP Connections submenu.
    ..         Goes to the parent menu.
    /          Goes to the root menu.
    save       Saves the configuration to system flash.
    quit       Quits the CLI.

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Setting the WLAN's Radio Configuration on page 5-52.

AP51xx>admin(network.wireless.radio.radio1)> show

Description: Displays specific 802.11b/g radio settings.

Syntax:

    show radio   Displays specific 802.11b/g radio settings.
         qos     Displays specific 802.11b/g radio WMM QoS settings.

Example:

    admin(network.wireless.radio.radio1)>show radio

    Radio Setting Information
    Placement
    MAC Address
    Radio Type
    ERP Protection
    Channel Setting
    ACS Exception Channel List
    Antenna Diversity
    Power Level
    802.11b/g mode
    Basic Rates
    Supported Rates
    Beacon Interval
    DTIM Interval per BSSID
    1
    2
    3
    4
    short preamble
    RTS Threshold
    Extended
275. e model number and serial number at hand.

If the problem cannot be solved over the phone, you may need to return your equipment for servicing. If that is necessary, you will be given specific instructions.

Motorola is not responsible for any damages incurred during shipment if the approved shipping container is not used. Shipping the units improperly can possibly void the warranty. If the original shipping container was not kept, contact Motorola to have another sent to you.

Introduction

This AP-51xx Product Reference Guide contains setup and advanced configuration instructions for both the AP-5131 and AP-5181 model access points. Both the AP-5131 and AP-5181 model access points share the same Web UI, CLI and MIB interfaces. There are no differences in how the devices are configured using the instructions within this guide, even though the Web UI displays AP-5131 or AP-5181 specifically.

However, there are several differences between the two models you should be aware of. The AP-5181 is constructed to support outdoor installations, while the AP-5131 model is constructed primarily for indoor deployments. The AP-5131 is available in numerous single and dual-radio SKUs, while an AP-5181 is available in only a dual-radio SKU. An AP-5181 cannot use the AP-5131's 48-volt power supply (Part No. 50-14000-243R) and, therefore, is recommended to use the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) designed specifically for outdoor deployments. An AP-5181
276. e set unique to 1.1/1.1.1 can only be restored to factory default when the access point is running 1.1.0.0-xx firmware.

An AP-5181 model access point does not support firmware prior to 1.1.1.0.

• Export either a CA or Self Certificate to a safe and secure location before upgrading or downgrading your access point firmware. If the certificate is not saved, it will be discarded and not available to the user after the upgrade or downgrade. If discarded, a new certificate request would be required.

NOTE: For a discussion on the implications of replacing an existing AP-4131 deployment with an AP-5131 or AP-5181, see Replacing an AP-4131 with an AP-5131 or AP-5181 on page B-20.

• Upgrading from v1.0.x.x to 1.1.x.x/1.1.1 is a two-step process requiring the same upgrade procedure to be repeated twice. The first upgrade will result in a bootloader change, and the second upgrade will result in a firmware change. For subsequent upgrades, a single download will suffice. Using Auto Update, the access point will automatically update itself twice when upgrading. Upgrading from v1.0 to v1.1/v1.1.1 retains existing settings. Motorola recommends that users export their 1.0 configuration for backup purposes prior to upgrading. When downloading from v1.1.1/v1.1 to v1.0, all configuration settings are lost and the access point returns to factory default settings.

Network Mana
277. eate a new SNMP v1/v2c Trap Configuration entry.

Use the SNMP Version drop-down menu to specify v1 or v2. Some SNMP clients support only SNMP v1 traps, while others support SNMP v2 traps and possibly both; verify the correct traps are in use with clients that support them.

3. Configure the SNMP v3 Trap Configuration field (if SNMP v3 Traps are used) to modify the following:

Add: Click Add to create a new SNMP v3 Trap Configuration entry.

Delete: Select Delete to remove an entry for an SNMP v3 user.

Destination IP: Specify a numerical (non-DNS name) destination IP address for receiving the traps sent by the access point SNMP agent.

Port: Specify a destination User Datagram Protocol (UDP) port for receiving traps.

Username: Enter a username specific to the SNMP-capable client receiving the traps.

Security Level: Use the Security Level drop-down menu to specify a security level of noAuth (no authorization), AuthNoPriv (authorization without privacy), or AuthPriv (authorization with privacy). The "NoAuth" setting specifies no login authorization or encryption for the user. The "AuthNoPriv" setting requires login authorization, but no encryption. The "AuthPriv" setting requires login authorization and uses the Data Encryption Standard (DES).

Passwords: Select Passwords to display the Password Settings screen for specifying authentication and password settings for an SNMP v3 user. The maximum password length is 11 chara
278. ec box (default is 30 seconds). Selecting Disabled allows the LAN to use the Ethernet port for an indefinite timeout period. Select the Hardware Detect option to use the physical LAN port to detect activity. If the LAN port does not detect a physical connection, the radio is unavailable to the access point.

4. Refer to the 802.1x Port Authentication field if using port authentication over the access point's LAN port.

The access point only supports 802.1x authentication over its LAN port. The access point behaves as an 802.1x supplicant to authenticate to a server on the network. If using 802.1x authentication, enter the authentication server user name and password. The default password is "motorola". For information on enabling and configuring authentication schemes on the access point, see Enabling Authentication and Encryption Schemes on page 6-5.

5. Use the Port Settings field to define how the access point manages throughput over the LAN port.

Auto Negotiation: Select the Auto Negotiation checkbox to enable the access point to automatically exchange information (over its LAN port) about data transmission speed and duplex capabilities. Auto negotiation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis. Selecting Auto Negotiate disables the Mbps and duplex checkbox options.

100 Mbps: Select this option to e
279. ecifiec index (1-16) for specified page (login, welcome, fail) and target URL.

    show   Shows hotspot http-redirection details.
    save   Saves the updated hotspot configuration to flash memory.
    quit   Quits the CLI session.
    ..     Goes to the parent menu.
    /      Goes to the root menu.

Example:

    admin(network.wireless.wlan.hotspot)>set page-loc 1 www.sjsharkey.com
    admin(network.wireless.wlan.hotspot)>set exturl 1 fail www.sjsharkey.com

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-46.

AP51xx>admin(network.wireless.wlan.hotspot)> radius

Description: Goes to the hotspot Radius menu.

Syntax:

    set    Sets the Radius hotspot configuration.
    show   Shows Radius hotspot server details.
    save   Saves the configuration to system flash.
    quit   Quits the CLI.
    ..     Goes to the parent menu.
    /      Goes to the root menu.

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-46.

AP51xx>admin(network.wireless.wlan.hotspot.radius)> set

Description: Sets the Radius hotspot configuration.

Syntax:

    set server      <idx> <srvr_type> <ipadr>
        port        <idx> <srvr_type> <port>
        secret      <idx> <srvr_type> <secret>
        acct-mode   <idx> <mode>
        acct-ser
280. ed.

If a WLAN has not been enabled from the Wireless screen, it is not configurable using the Bandwidth Management screen. To enable a specific WLAN, see Enabling Wireless LANs (WLANs) on page 5-27.

WLAN Name: Displays the name of the WLAN. This field is read-only. To change the name of the WLAN, see Creating/Editing Individual WLANs on page 5-30.

Weight: This column is not available unless Weighted Round-Robin is selected. Assign a weight to each WLAN. This percentage equals the access point bandwidth share for that WLAN when network traffic is detected.

Weight: This column is automatically updated with the appropriate WLAN bandwidth share when the Weight is modified.

QoS Policy: Displays the name of the QoS policy defined for each WLAN within the Quality of Service for WLAN screen. If no policy has been set, the WLAN uses the default policy. For information on assigning QoS policies for specific WLANs, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.

Click Apply to save any changes to the Bandwidth Management screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Bandwidth Management screen to the last saved configuration.

Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
281. ed
• SHA1 - Enables Secure Hash Algorithm 1. No keys are required to be manually provided.

ESP Type: ESP provides packet encryption, optional data authentication and anti-replay services for the VPN tunnel. Use the drop-down menu to select the ESP type.
• None - Disables ESP. The rest of the fields are not active.
• ESP - Enables ESP for this tunnel.
• ESP with Authentication - Enables ESP with authentication.

ESP Encryption Algorithm: Use this menu to select the encryption and authentication algorithms for this VPN tunnel.
• DES - Selects the DES algorithm. No keys are required to be manually provided.
• 3DES - Selects the 3DES algorithm. No keys are required to be manually provided.
• AES 128-bit - Selects the Advanced Encryption Standard algorithm with 128 bit. No keys are required to be manually provided.
• AES 192-bit - Selects the Advanced Encryption Standard algorithm with 192 bit. No keys are required to be manually provided.
• AES 256-bit - Selects the Advanced Encryption Standard algorithm with 256 bit. No keys are required to be manually provided.

ESP Authentication Algorithm: Use this menu to select the authentication algorithm to be used with ESP. This menu is only active when ESP with Authentication was selected for the ESP type.
• MD5 - Enables the Message Digest 5 algorithm requiring 128 bit. No keys are required to be manually provided.
• SHA1 - Enables Secure Hash Algo
282. ed by the imported file. Therefore, the imported configuration is not a merge with the configuration of the target access point. The exported file can be edited with any document editor if necessary.

NOTE: Use the System Settings screen as necessary to restore an access point's default configuration. For more information on restoring configurations, see Configuring System Settings on page 4-2.

The export function will always export the encrypted Admin User password. The import function will import the Admin Password only if the access point is set to factory default. If the access point is not configured to factory default settings, the Admin User password WILL NOT get imported.

NOTE: When modifying the text file manually and spaces are used for wireless, security, MU policy names etc., ensure you use "%20" between the spaces. For example, "Second%20Floor%20Lab". When imported, the name would display as "Second Floor Lab".

CAUTION: A single-radio model access point cannot import/export its configuration to a dual-radio model access point. In turn, a dual-radio model access point cannot import/export its configuration to a single-radio access point.

Use the Config Import/Export screen to configure an import or export operation for access point configuration settings.

802.1x EAP Radius shared secret password will remain symbol instead of
283. ed mesh network. If utilizing a mesh network, Motorola recommends considering a dual-radio model to optimize channel utilization and throughput.

CAUTION: Only Motorola AP-5131 or AP-5181 model access points can be used

9.1.1 The AP-51xx Client Bridge Association Process

An access point in client bridge mode performs an active scan to quickly create a table of the access points nearby. The table contains the access points matching the ESS of the client bridge AP's WLAN. The table is used to determine the best access point to connect to (based on signal strength, load and the user's configured preferred connection list).

The association and authentication process is identical to the MU association process. The client access point sends 802.11 authentication and association frames to the base access point. The base access point responds as if the client is an actual mobile unit. Depending on the security policy, the two access points engage in the normal handshake mechanism to establish keys.

After device association, the two access points are connected and the system can establish the bridge and run the spanning tree algorithm. In the meantime, the access point in client bridge mode continues to scan in the background and attempts to establish an association with other access points using the same ESS on the same channel.

Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the access point's
284. ed of an apache certificate and keys.

For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-18.

AP51xx>admin(system.cmgr)> listself

Description: Lists the loaded self certificates.

Syntax:

    listself   Lists all self certificates that are loaded.

For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-18.

AP51xx>admin(system.cmgr)> loadca

Description: Loads a trusted certificate from the Certificate Authority.

Syntax:

    loadca   Loads the trusted certificate (in PEM format) that is pasted into the command line.

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.

AP51xx>admin(system.cmgr)> delca

Description: Deletes a trusted certificate.

Syntax:

    delca <IDname>   Deletes the trusted certificate.

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.

AP51xx>admin(system.cmgr)> listca

Description: Lists the loaded trusted certificate.

Syntax:

    listca   Lists the loaded trusted certificates.

For information on configuring certificate settings using the applet (GUI), see
285. ed routes.

Syntax:

    delete <idx>   Deletes the user-defined route <idx> (1-20) from list.
           all     Deletes all user-defined routes.

Example:

    admin(network.router)>list

    index  destination  netmask        gateway      interface  metric
    1      192.168.2.0  255.255.255.0  192.168.0.1  lan1       1
    2      192.168.1.0  255.255.255.0  0.0.0.0      lan2       0
    3      192.168.0.0  255.255.255.0  0.0.0.0      lan2       0

    admin(network.router)>delete 2
    admin(network.router)>list

    1      192.168.2.0  255.255.255.0  0 0
    2      192.168.0.0  255.255.255.0  0 0

    admin(network.router)>

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-71.

AP51xx>admin(network.router)> list

Description: Lists user-defined routes.

Syntax:

    list   Displays a list of user-defined routes.

Example:

    admin(network.router)>list

    index  destination  netmask        gateway      interface  metric
    1      192.168.2.0  255.255.255.0  192.168.0.1  lan1       1
    2      192.168.1.0  255.255.255.0  0.0.0.0      lan2       0
    3      192.168.0.0  255.255.255.0  0.0.0.0      lan1       0

For information on configuring the Router options available to the access point using the applet (GUI), see Configuring Router Settings on page 5-71.

8.4 System Commands

AP51xx>admin(system)>

Description: Displays the System submenu. The items available under this command are shown below.

    restart
    show
    set
    lastpw
    exec
    arp
286. ed when the Use External URL checkbox has been selected within the HTTP Redirection field.

NOTE: If an external URL is used, the external Web pages are required to forward user credentials to the access point, which in turn forwards them to the authentication Server (either onboard or external server) in order to grant users Web access.

Login Page URL: Define the complete URL for the location of the Login page. The Login screen will prompt the hotspot user for a username and password to access the Welcome page.

Welcome Page URL: Define the complete URL for the location of the Welcome page. The Welcome page asserts the hotspot user has logged in successfully and can access the Internet.

Fail Page URL: Define the complete URL for the location of the Fail page. The Fail screen asserts the hotspot authentication attempt failed, you are not allowed to access the Internet and you need to provide correct login information to access the Internet.

5. Select the Enable Hotspot User Timeout checkbox to define a timeout interval forcing users (when exceeded) to re-establish their login credentials to continue using the access point supported hotspot.

Leaving the checkbox unselected is not recommended unless you plan to provide unlimited hotspot support to users.

If this option is selected, enter an interval (between 15 and 180 minutes). When the provided interval is exceeded, the user is logged out of their hotspot session and forced to
287. ee AP-51xx MAC Address Assignment on page 1-30.

1.2.3 Multiple Mounting Options

The access point rests on a flat surface, attaches to a wall, mounts under a ceiling or above a ceiling (attic). Choose a mounting option based on the physical environment of the coverage area. Do not mount the access point in a location that has not been approved in either an AP-5131 or outdoor AP-5181 radio coverage site survey.

For detailed information on the mounting options available, see Mounting an AP-5131 on page 2-13 or Mounting an AP-5181 on page 2-24.

1.2.4 Antenna Support for 2.4 GHz and 5 GHz Radios

The access point supports several 802.11a and 802.11b/g radio antennas. Select the antenna best suited to the radio transmission requirements of your coverage area.

For an overview of the Radio 1 (2.4 GHz) and Radio 2 (5 GHz) antennas supported on the access point's connectors, see Antenna Specifications on page A-5. The AP-5181 model access point uses an antenna suite primarily suited for outdoor use.

1.2.5 Sixteen Configurable WLANs

A Wireless Local Area Network (WLAN) is a data communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line-of-sight transmission, and is thus desirable for wireless networking. Roaming users can be handed off from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific gr
288. een.

c. Select the IP Filtering button.

From the Wireless screen:

a. Select Network Configuration -> Wireless from the access point menu tree.

b. Click the Create button to apply the filter to a new WLAN, or highlight an existing WLAN and click the Edit button. Either the New WLAN or Edit WLAN screen displays.

c. Select the Enable IP Filtering button in the lower portion of the screen.

d. Select the IP Filtering button.

The screen displays with both the Default Incoming Deny and Default Outgoing Deny checkboxes selected by default. Consequently, if you enable IP filtering but do not apply any filters that allow IP traffic, then no IP traffic will be forwarded, as the default deny settings have precedence.

Use the Filter name drop-down menu to select an existing filter.

Set the Direction as Incoming or Outgoing as required.

Apply an Action of Allow or Deny to permit or restrict the rules of this filter in the direction selected.

Select Add to apply the filter(s), and their rules and permissions, to the LAN or WLAN.

Click OK to add the IP filter to the LAN or WLAN. Navigating away from the screen without clicking OK results in all changes to the screens being lost.

Click Cancel to securely exit the IP Filtering screen without
289. een. Use the New WLAN screen to define the properties of a new WLAN that would display and be selectable within the Wireless Configuration screen. For additional information, see Creating/Editing Individual WLANs on page 5-30.

Click the Edit button (if necessary) to launch the Edit WLAN screen. Use the Edit WLAN screen to revise the properties of an existing WLAN that would continue to display and be selectable within the Wireless Configuration screen. For additional information, see Creating/Editing Individual WLANs on page 5-30.

Consider using the Delete button to remove an existing WLAN if it has become outdated and is no longer required, or if you are coming close to the maximum 16 WLANs available per access point.

Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.3.1 Creating/Editing Individual WLANs

If the WLANs displayed within the Wireless Configuration screen do not satisfy your network requirements, you can either create a new WLAN or edit the properties of an existing WLAN.

NOTE: Before editing the properties of an existing WLAN, ensure it is not being used by an access point radio, or is a WLAN that is needed in its current configuration. Once updated, the previous configuration is not available unless saved.

CAUTION: When using the access point's hotspot functionality, ensure MUs are re
290. efault.

Use the LAN Name field to modify the existing LAN name. LAN1 and LAN2 are the default names assigned to the LANs until modified by the user.

The Ethernet Port radio buttons allow you to select one of the two available LANs as the LAN actively transmitting over the access point's LAN port. Both LANs can be active at any given time, but only one can transmit over the access point's physical LAN connection, thus the selected LAN has priority.

Select the Enable 802.1q Trunking checkbox to enable the LAN to conduct VLAN tagging. If selected, click the WLAN Mapping button to configure mappings between WLANs and LANs. If enabled, the access point requires connection to a trunked port.

Click the VLAN Name button to launch the VLAN Name screen to create VLANs and assign them VLAN IDs. For more information, see Configuring VLAN Support on page 5-5.

Click the WLAN Mapping button to launch the VLAN Configuration screen to map existing WLANs to one of the two LANs and define the WLAN's VLAN membership (up to 16 mappings are possible per access point). For more information, see Configuring VLAN Support on page 5-5.

Refer to the LAN Ethernet Timeout field to define how LAN Ethernet inactivity is processed by the access point.

Use the Ethernet Port Timeout drop-down menu to define how the access point interprets inactivity for the LAN assigned to the Ethernet port. When Enabled is selected, the access point uses the value defined in the S
291. efault 11bg rss enable
radio default 11b rss enable
no ap ip default ap switch ip

radius server local

To create an IPSEC Transform Set:

crypto ipsec transform set AAP TFSET esp aes 256 esp sha hmac
mode tunnel

To create a Crypto Map, add a remote peer, set the mode, add an ACL rule to match and transform and set to the Crypto Map:

crypto map AAP CRYPTOMAP 10 ipsec isakmp
set peer 255.255.255.255
set mode aggressive
match address AAP ACL
set transform set AAP TFSET

interface ge1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan none
switchport trunk allowed vlan add 1 9 100 110 120 130 140 150 160 170
switchport trunk allowed vlan add 180 190 200 210 220 230 240 250
static channel group 1

interface ge2
switchport access vlan 1

interface ge3
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan none
switchport trunk allowed vlan add 1 9 100 110 120 130 140 150 160 170
switchport trunk allowed vlan add 180 190 200 210 220 230 240 250
static channel group 1

interface ge4
switchport access vlan 1

interface me1
ip address dhcp

interface sa1
switchport mode trunk
switchport trunk native vlan 1
switchport trunk allowed vlan none
switchport trunk allowed vlan add 1 9 100 110 120 130 140 150 160 170
switchport trunk allowed vlan add 180 190 200 210 220 230
292. effect only after the client bridge connection to AP 1 is established. Thus, AP 2 keeps scanning to find the base bridge, form the uplink and start beaconing as a base bridge for downstream client bridge connection. This is by design, as there is no reason to use a partially broken connection with no uplink to a base bridge.

9.1.2 Spanning Tree Protocol (STP)

The access point performs mesh networking using STP as defined in the 802.1d standard.

NOTE: The Motorola AP-4131 access point uses a non-standard form of 802.1d STP, and is therefore not compatible as a base bridge or client bridge within an access point managed network.

Once device association is complete, the client and base bridge exchange Configuration Bridge Protocol Data Units (BPDUs) to determine the path to the root. STP also determines whether a given port is a redundant connection or not.

9.1.3 Defining the Mesh Topology

When a user wants to control how the spanning tree determines client bridge connections, they need to control the mesh configuration. The user must be able to define one node as the root. Assigning a base bridge the lowest bridge priority defines it as the root.

NOTE: Motorola recommends using the Mesh STP Configuration screen to define a base bridge as a root. Only advanced users should use the Advanced Client Bridge Settings screen's Preferred List to define the mesh topology, as omitting a bridge from the pref
293. egment.

2. Configure the Windows-based DHCP Server as follows:

a. Highlight the Server Domain Name (for example, apfw.motorola.com). From the Action menu, select Set Predefined Options.

b. Add the following 3 new options under DHCP Standard Options class:

Extended Options                                Code   Data type
Access point TFTP Server IP Address             181    IP address
  (Note: Use any one option)                    186    String
Access point Firmware File Name                 187    String
Access point Config File Name                   129    String
  (Note: Use any one option)                    188    String

Standard Options                                Code   Data type
Access point TFTP Server IP Address             66     String
Access point Firmware File Name                 67     String

NOTE: If using Standard Options and the configuration of the access point needs to be changed, use option 129 or 188 as specified in the Extended Options table. Standard options 66 and 67 are already present in the DHCP Standard Options Class by default.

c. Highlight Scope Options and select Configure Options.

d. Under the General tab, check all 3 options mentioned within the Extended Options table and enter a value for each option.

3. Copy both the firmware and configuration files to the appropriate directory on the TFTP Server.

By default, auto update is enabled on the access point (since the LAN Port is a DHCP Client, out-of-the-box auto update support is on the LAN Port).

4. Restart the access point.

5. While the access point boots up, verify the acce
294. elect the Exclude Channels button to display a screen used to prohibit 802.11a or 802.11b/g channels from operating with this radio. When channel exceptions are defined, the access point skips the channels specified. When the Automatic Selection feature is enabled, up to 3 separate channels can be excluded. Imported and exported configurations retain their defined exception list configurations. The channels selected for exclusion display beneath the Uniform Spreading button. This option is disabled by default. It's important to note that excluded channels do not apply to sensor scans or rogue detection configurations. Additionally, country of operation blocks are not impacted by the channels selected for exclusion. A reboot is required when enabling or disabling this feature.

The Uniform Spreading option is available (and is the default setting) for the 802.11a radio. To comply with Dynamic Frequency Selection (DFS) requirements in the European Union, the 802.11a radio uses a randomly selected channel each time the access point is powered on.

Specifies the antenna selection for the 802.11a radio. Options include Primary Only, Secondary Only and Full Diversity. The default setting is Primary. However, Diversity can improve performance and signal reception in areas where interference is significant and is recommended when two antennas are supported.

Defines the transmit power of the 802.11a or 802.11b/g antenna(s). The values are expressed in dBm an
295. eletes LAN to WAN access exception rules.

list   Displays LAN to WAN access exception rules.
..     Goes to parent menu.
/      Goes to root menu.
save   Saves configuration to system flash.
quit   Quits and exits the CLI session.

Example:

admin network firewall lan wan access>list

index  from
1 lan  2 lan  3 lan  4 lan  5 lan
wan  wan  wan  wan  wan
HTTP  abc  123456  654321  abc
80  0  1440  2048  100
2048  2048  1000

For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.

AP51xx>admin network firewall> advanced

Description:

Displays whether an access point firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface.

Syntax:

show      Shows advanced subnet access parameters.
set       Sets advanced subnet access parameters.
import    Imports rules from subnet access.
inbound   Goes to the Inbound Firewall Rules submenu.
outbound  Goes to the Outbound Firewall Rules submenu.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to flash memory.
quit      Quits and exits the CLI session.

Example:

admin network firewall adv lan access>inbound

admin network firewall adv lan access inb>list

Idx SCR IP Netmask Dst IP Netmask TP SPorts DPorts Rev NAT Action

1 1 2 3 4 2 2 2 2 al
296. elow.

access  Goes to the SNMP access submenu.
traps   Goes to the SNMP traps submenu.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.

8.4.4.1 System SNMP Access Commands

AP51xx>admin system snmp access

Description:

Displays the SNMP Access menu. The items available under this command are shown below.

show    Shows SNMP v3 engine ID.
add     Adds SNMP access entries.
delete  Deletes SNMP access entries.
list    Lists SNMP access entries.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.

AP51xx>admin system snmp access> show

Description:

Shows the SNMP v3 engine ID.

Syntax:

show eid   Shows the SNMP v3 Engine ID.

Example:

admin system snmp access>show eid
access point snmp v3 engine id : 000001846B8B4567F871AC68

admin system snmp access>

For information on configuring SNMP access settings using the applet (GUI), see Configuring SNMP Access Control on page 4-33.

AP51xx>admin system snmp access> add

Description:

Adds SNMP access entries for specific v1v2 and v3 user definitions.

Syntax:

add acl <ip1>  v1v2c <comm>  v3 <user> <auth>  <ip2>  <access>  <access> <pass1>
297. els

Part Number         Antenna Type              Nominal Net Gain (dBi)   Description
ML-5299-FHPA6-01R   Omni-Directional Antenna  7.0                      4.900-5.850 GHz, Type N connector, no pigtail
ML-5299-FHPA10-01R  Omni-Directional Antenna  10.0                     5.8 GHz, Type N connector, no pigtail

A.5 Country Codes

The following list of countries and their country codes is useful when using the access point configuration file, CLI or the MIB to configure the access point.

Country              Code   Country               Code
Argentina            AR     Mexico                MX
Australia            AU     Montenegro            ME
Austria              AT     Morocco               MA
Bahamas              BS     Netherlands           NL
Bahrain              BH     Netherlands Antilles  AN
Barbados             BB     New Zealand           NZ
Belarus              BY     Nicaragua             NI
Bermuda              BM     Norfolk Island        NF
Belgium              BE     Norway                NO
Bolivia              BO     Oman                  OM
Botswana             BW     Panama                PA
Bosnia Herzegovina   BA     Pakistan              PK
Brazil               BR     Paraguay              PY
Bulgaria             BG     Peru                  PE
Canada               CA     Philippines           PH
Cayman Islands       KY     Poland                PL
Chile                CL     Portugal              PT
China                CN     Puerto Rico           PR
Christmas Islands    CX     Qatar                 QA
Colombia             CO     Romania               RO
Costa Rica           CR     Russian Federation    RU
Croatia              HR     Saudi Arabia          SA

Cyprus, Czech Rep., Denmark, Dominican Republic, Ecuador, El Salvador, Estonia, Egypt, Falkland Islands, Finland, France, Germany, Greece, Guam, Guatemala, Guinea, Haiti, Honduras, Hong Kong, Hungary, Iceland, India, Indonesia, Ireland, Israel, Italy, Jamaica

Serbia, Singapore, Slovak Republic, Sloven
298. emote security gateway.

Inbound SPI (Hex): Define an (up to) six-character (maximum) hexadecimal value to identify the inbound security association created by the encryption algorithm. The value must match the corresponding outbound SPI value configured on the remote security gateway.

Outbound SPI (Hex): Enter an (up to) six-character (maximum) hexadecimal value to identify the outbound security association created by the encryption algorithm. The value must match the corresponding inbound SPI value configured on the remote security gateway.

The Inbound and Outbound SPI settings are required to be interpolated to function correctly. For example:

• AP1 Inbound SPI = 800
• AP1 Outbound SPI = 801
• AP2 Inbound SPI = 801
• AP2 Outbound SPI = 800

4. Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Manual Key Settings screen.

5. Click Cancel to return to the VPN screen without retaining the changes made to the Manual Key Settings screen.

6.11.2 Configuring Auto Key Settings

The access point's Network Management System can automatically set encryption and authentication keys for VPN access. Use the Auto Key Settings screen to specify the type of encryption and authentication, without specifying the keys. To manually specify keys, cancel out of the Auto Key Settings screen, select the Manual Key Exchange radio button, and set the keys within the Manual Key Setting scre
299. en.

To configure auto key settings for the access point:

1. Select Network Configuration -> WAN -> VPN from the access point menu tree.

2. Refer to the VPN Tunnel Config field, select the Auto (IKE) Key Exchange radio button and click the Auto Key Settings button.

3. Configure the Auto Key Settings screen to modify the following:

Use Perfect Forward Secrecy: Forward secrecy is a key-establishment protocol guaranteeing the discovery of a session key or long-term private key does not compromise the keys of other sessions. Select Yes to enable Perfect Forward Secrecy. Select No to disable Perfect Forward Secrecy.

Security Association Life Time: The Security Association Life Time is the configurable interval used to timeout association requests that exceed the defined interval. The available range is from 300 to 65535 seconds. The default is 300 seconds.

AH Authentication: AH provides data authentication and anti-replay services for the VPN tunnel. Select the desired authentication method from the drop-down menu.

• None: Disables AH authentication. No keys are required to be manually provided.
• MD5: Enables the Message Digest 5 algorithm. No keys are required to be manually provid
300. en can be used to set the time using a Year-Month-Day HH:MM:SS format.

For detailed information on manually setting the access point's system time, see Configuring Network Time Protocol (NTP) on page 4-43.

1.2.30 Dynamic DNS

The access point supports the Dynamic DNS service. Dynamic DNS (or DynDNS) is a feature offered by www.dyndns.com which allows the mapping of domain names to dynamically assigned IP addresses. When the dynamically assigned IP address of a client changes, the new IP address is sent to the DynDNS service and traffic for the specified domain(s) is routed to the new IP address. For information on configuring the Dynamic DNS feature, see Configuring Dynamic DNS on page 5-25.

1.2.31 Auto Negotiation

Auto negotiation enables the access point to automatically exchange information (over either its LAN or WAN port) about data transmission speed and duplex capabilities. Auto negotiation is helpful when using the access point in an environment where different devices are connected and disconnected on a regular basis. For information on configuring the auto negotiation feature, see Configuring the LAN Interface on page 5-1 or Configuring WAN Settings on page 5-16.

1.3 Theory of Operations

To understand access point management and performance alternatives, users need familiarity with functionality and configuration options. The access point includes features for different interface connections and network management.

The access point
301. encryption and user authentication.

WPA addresses the weaknesses of WEP by including:

• a per-packet key mixing function
• a message integrity check
• an extended initialization vector with sequencing rules
• a re-keying mechanism

WPA uses an encryption method called Temporal Key Integrity Protocol (TKIP). WPA employs 802.1X and Extensible Authentication Protocol (EAP).

For detailed information on WPA using TKIP configurations, see Configuring WPA/WPA2 Using TKIP on page 6-21.

1.2.8.6 WPA2-CCMP (802.11i) Encryption

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. Counter-mode/CBC-MAC Protocol (CCMP) is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Message Authentication Code (CBC-MAC) technique. Changing just one bit in a message produces a totally different result.

WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the access point provides.

For detailed information on
302. MOTOROLA INC. 1303 E. ALGONQUIN ROAD, SCHAUMBURG, IL 60196 http://www.motorola.com 72E-124688-01 Revision A, May 2009
303. er. MUs without Motorola adapters need to use WEP keys manually configured as hexadecimal numbers.

Keys 1-4: Use the Key 1-4 areas to specify key numbers. The key can be either hexadecimal or ASCII depending on which option is selected from the drop-down menu. The keys are 26 hexadecimal characters in length or 13 ASCII characters. Select one of these keys for activation by clicking its radio button.

Default (hexadecimal) keys for KeyGuard include:

Key 1  101112131415161718191A1B1C
Key 2  202122232425262728292A2B2C
Key 3  303132333435363738393A3B3C
Key 4  404142434445464748494A4B4C

6. Select the Allow WEP128 Clients checkbox (from within the KeyGuard Mixed Mode field) to enable WEP128 clients to associate with an access point's KeyGuard-supported WLAN. The WEP128 clients must use the same keys as the KeyGuard clients to interoperate within the access point's KeyGuard-supported WLAN.

7. Click the Apply button to save any changes made within the KeyGuard Setting field of the New Security Policy screen.

8. Click the Cancel button to undo any changes made within the KeyGuard Setting field and return to the WLAN screen. This reverts all settings to the last saved configuration.

6.8 Configuring WPA/WPA2 Using TKIP

Wi-Fi Protected Access (WPA) is a robust encryption scheme specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11i. WPA provides more sophisticated data encryption than
304. CAUTION: Loaded and signed CA certificates will be lost when changing the [...]er the GUI or CLI. After a certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.

If restoring the access point's factory default firmware, you must export the certificate file BEFORE restoring the access point's factory default configuration. Import the file back after the updated firmware is installed. For information on using the access point CLI to import and export the access point's configuration, see AP51xx>admin system cmgr> impcert on page 8-170 and AP51xx>admin system cmgr> expcert on page 8-169.

If a firmware update is required, use the Firmware Update screen to specify a filename and define a file location for updating the firmware.

NOTE: The firmware file must be available from an FTP or TFTP site to perform the update.

CAUTION: Make sure a copy of the access point's configuration is exported before updating the firmware.

To conduct a firmware update on the access point:

1. Export the access point's current configuration settings before updating the firmware to have the most recent settings available after the firmware is updated.

Refer to Importing/Exporting Configurations on page 4-49 for instructions on exporting the access point's current configuration to have it available after the firmware is updated.

2. Select System Configu
305. erial link supports a direct serial connection (assuming a DB9 connector is used). The access point is a Data Terminal Equipment (DTE) device with male pin connectors for the RS-232 port. Connecting the access point to a PC requires a null modem serial cable.

1.3.4 Direct Sequence Spread Spectrum

Spread spectrum (broadband) uses a narrowband signal to spread the transmission over a segment of the radio frequency band or spectrum. Direct sequence is a spread spectrum technique where the transmitted signal is spread over a particular frequency range. The access point uses Direct-Sequence Spread Spectrum (DSSS) for radio communication.

Direct sequence systems communicate by continuously transmitting a redundant pattern of bits called a chipping sequence. Each bit of transmitted data is mapped into chips by the access point and rearranged into a pseudorandom spreading code to form the chipping sequence. The chipping sequence is combined with a transmitted data stream to produce the output signal.

MUs receiving a direct sequence transmission use the spreading code to map the chips within the chipping sequence back into bits to recreate the original data transmitted by the access point. Intercepting and decoding a direct sequence transmission requires a predefined algorithm to associate the spreading code used by the transmitting access point to the receiving MU. This algorithm is established by IEEE 802.11 specifications. The bit redundancy within the ch
306. erred list could break connections within the mesh network.

The access point can manipulate the path cost assigned to a bridge connection based on that connection's RSSI. This results in the spanning tree selecting the optimal path for forwarding data when redundant paths exist. However, this can be overridden using the preferred list. When using the preferred list, the user enters a priority for each bridge, resulting in the selection of the forwarding link.

Limit the wireless client's connections to reduce the number of hops required to get to the wired network. Use each radio's "preferred" base bridge list to define which access points the client bridge connects to. For more information, see Configuring Mesh Networking Support on page 9-6.

9.1.4 Mesh Networking and the AP-51xx's Two Subnets

The access point now has a second subnet on the LAN side of the system. This means wireless clients communicating through the same radio can reside on different subnets. The addition of this feature adds another layer of complexity to the access point's mesh networking functionality.

With a second LAN introduced, the LAN's Ethernet port (and any of the 16 WLANs) could be assigned to one of two different subnets. From a layer 2 perspective, the system has two different bridge functionalities, each with its own STP. The WLAN assignment controls the subnet (LAN1 or 2) upon which a given connection resides. If WLAN2 is assigned to LAN1, and WL
307. ers, and the authentication type set to one of none, auth, or auth/priv.

The following parameters must be specified if <sec> is not none:
Authentication type <auth> set to md5 or sha1
Authentication password <pass1> (8 to 31 chars)

The following parameters must be specified if <sec> is set to auth/priv:
Privacy algorithm set to des or aes
Privacy password <pass2> (8 to 31 chars)

Example:

admin system snmp traps>add v1v2 203.223.24.2 333 mycomm v1
admin system snmp traps>list v1v2c

index  dest ip  dest port  community  version

admin system snmp traps>add v3 201.232.24.33 555 BigBoss none md5
admin system snmp traps>list v3 all

index              : 1
destination ip     : 201.232.24.33
destination port   : 555
username           : BigBoss
security level     : none
auth algorithm     : md5
auth password      : ********
privacy algorithm  : des
privacy password   : ********

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP RF Trap Thresholds on page 4-41.

AP51xx>admin system snmp traps> delete

Description:

Deletes SNMP trap entries.

Syntax:

delete v1v2c <idx>   Deletes entry <idx> from the v1v2c access control list.
             all     Deletes all entries from the v1v2c access control list.
       v3    <idx>   Deletes entry <idx> from the v3 access control list.
             all     Deletes all entries from the v3 access control list.

Example:

admin system snmp traps>delete vi
308. es

Syntax:

create   Defines the parameters of a security policy.
show     Displays new or existing security policy parameters.
set sec name <name>              Sets the name of the security policy.
    auth <authtype>              Sets the authentication type for WLAN <idx> to <type> (none, eap, or kerberos).

    Note: Kerberos parameters are only in effect if "kerberos" is specified for the authentication method (set auth <type>).

    kerb realm <name>            Sets the Kerberos realm.
         server <sidx> <ip>      Sets the Kerberos server <sidx> (1-primary, 2-backup, or 3-remote) to KDC IP address.
         port <sidx> <port>      Sets the Kerberos port to <port> (KDC port) for server <ksidx> (1-primary, 2-backup, or 3-remote).

    Note: EAP parameters are only in effect if "eap" is specified for the authentication method (set auth <type>).

    eap server <sidx> <ip>       Sets the radius server (1-primary or 2-secondary) IP address <ip>.
        port <sidx> <port>       Sets the radius server <sidx> (1-primary or 2-secondary) <port> (1-65535).

secret  reauth  accounting  adv  <sidx>  mode  period  retry  mode  server  port  secret  timeout  retry  syslog  ip  mu quiet  mu timeout  mu tx

<secret>  <mode>  <time>  <number>  <mode>  <ip>  <port>  <secret>  <period>  <number
309. es made. Undo Changes reverts the settings displayed on the System Settings screen to the last saved configuration. 7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. 4.2 Adaptive AP Setup. An access point needs settings defined to discover (and adopt) an available switch and establish a connection and data tunnel. It is through this switch adoption that the access point receives its adaptive AP (AAP) configuration. A new screen has been added to define the mechanisms used to adopt a switch and route AAP configuration information. NOTE: For an AAP overview and a theoretical discussion of how an access point discovers a switch to create a secure data tunnel for adaptive AP operation, see Adaptive AP on page 10-1. NOTE: AAP functionality is only supported on a Motorola WS5100 model switch (running firmware version 3.1 or higher) and a Motorola RFS6000/RFS7000 model switch (running firmware version 1.1 or higher). NOTE: The Adaptive AP Setup screen does not display the AAP's adoption status or adopted switch. This information is available using the access point's CLI. To review AAP adoption status and adopted switch information, see AP51xx>admin(system.aap-setup)>show on page 8-152. To configure the access point's switch discovery method and connection medium: 1.
310. es the data type used with the qos policy and mesh network. When set to a value other than manual, editing the access category values is not necessary. Options include 11g default, 11b default, 11g wifi, 11b wifi, 11g voice, 11b voice or manual for advanced users. cwmin <access category> <index>: Defines Minimum Contention Window (CW Min) for specified access category and index. cwmax <access category> <index>: Defines Maximum Contention Window (CW Max) for specified access category and index. aifsn <access category> <index>: Sets Arbitrary Inter Frame Space Number (AIFSN) for specified access category and index. txops <access category> <index>: Configures Opportunity to Transmit Time (TXOPs Time) for specified access category and index. default <index>: Defines CWMIN, CWMAX, AIFSN and TXOPs default values. change: Completes the policy edit and exits the session. Cancels the changes and exits. For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.
AP51xx>admin(network.wireless.qos)> delete
Description: Removes a QoS policy.
Syntax: delete <qos name>, <all>: Deletes the specified QoS policy index, or all of the policies (except default policy).
For information on configuring the WLAN QoS options availa
311. es you to configure one radio for 802.11a support, and the other for 802.11b/g support. For detailed information, see Setting the WLAN's Radio Configuration on page 5-52. 1.2.2 Separate LAN and WAN Ports. The access point has one LAN port and one WAN port, each with their own MAC address. The access point must manage all data traffic over the LAN connection carefully as either a DHCP client, BOOTP client, DHCP server or using a static IP address. The access point can only use a Power over Ethernet device when connected to the LAN port. For detailed information on configuring the LAN port, see Configuring the LAN Interface on page 5-1. A Wide Area Network (WAN) is a widely dispersed telecommunications network. In a corporate environment, the WAN port might connect to a larger corporate network. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet. Regardless, network address information must be configured for the access point's intended mode of operation. For detailed information on configuring the access point's WAN port, see Configuring WAN Settings on page 5-16. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens. For detailed information on locating the access point's MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6. For information on access point MAC address assignments, s
312. esh network using a WAN connection, the access point applet does not lose connection, but the mesh network is unavailable until the changes have been applied. 9. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radio Configuration screen to the last saved configuration. 10. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. Once the target radio has been enabled from the Radio Configuration screen, configure the radio's properties by selecting it from the access point menu tree. For more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56. 5.3.2.1 Configuring the 802.11a or 802.11b/g Radio. Configure an 802.11a or 802.11b/g radio by selecting the radio's name (as defined using the 802.11a or 802.11b/g radio configuration screen described below) as a sub menu item under the Radio Configuration menu item. Use the radio configuration screen to set the radio's placement properties, define the radio's threshold and QoS settings, set the radio's channel and antenna settings and define beacon and DTIM intervals. To configure the access point's 802.11a or 802.11b/g radio: 1. Select Network Configuration > Wireless > Radio Configuration > Radio (default name) from the access point menu tree. On a single radio model, Radio could either be an 802
313. ess Mapping: Symbol CC WS2000 MIB 2.0. Features covered by the Symbol AP-5131 MIB: MU ACL Configuration; QOS Configuration; Radio Configuration; Bandwidth Management; SNMP Trap Selection; SNMP RF Trap Thresholds; Config Import/Export; MU Authentication Stats; WNMP Ping Configuration; Known AP Stats; Flash LEDs; Automatic Update. Features covered by the Symbol CC WS2000 MIB 2.0: VPN Tunnel Configuration; VPN Tunnel status; Content Filtering; Rogue AP Detection; Firewall Configuration; LAN to WAN Access; Advanced LAN Access; Router Configuration; System Settings; AP-5131 Access; Certificate Mgt; SNMP Access Configuration; SNMP Trap Configuration; NTP Server Configuration; Logging Configuration; Firmware Update; Wireless Stats; Radio Stats; MU Stats; Automatic Update. SNMP allows a network ad
314. [Screenshot: AP-5131 Access Point applet, Security Configuration screen] NOTE: When the access point is first launched, a single security policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional security policies will be created as the list of WLANs grows. Configuring a WLAN security scheme with a discussion of all the authentication and encryption options available is beyond the scope of this chapter. See Chapter 6, Configuring Access Point Security on page 6-1 for more details on configuring access point security. For detailed information on the authentication and encryption options available to the access point and how to configure them, see Configuring Security Options on page 6-2 and locate the section that describes your intended security scheme. 2. Click Logout to exit the Security Configuration screen. 5.3.1.2 Configuring a WLAN Access Control List (ACL). An Access Control List (ACL) affords a system administrator the ability to grant or restrict MU access b
315. ess Point applet. A prompt displays confirming the logout before the applet is closed. 5.1.1 Configuring VLAN Support. A Virtual Local Area Network (VLAN) is a means to electronically separate data on the same access point from a single broadcast domain into separate broadcast domains. The access point can group devices on one or more WLANs so that they can communicate as if they were attached to the same wire, when in fact they are located on a different LAN segment. Because VLANs are based on logical instead of physical connections, they are extremely flexible. By using a VLAN, you can group by logical function instead of physical location. A maximum of 16 VLANs can be supported on the access point (regardless of the access point being single or dual radio model). An administrator can map 16 WLANs to 16 VLANs and enable or disable dynamic VLAN assignment. VLANs enable organizations to share network resources in various network segments within large areas (airports, shopping malls, etc.). A VLAN is a group of clients with a common set of requirements independent of their physical location. VLANs have the same attributes as physical LANs, but they enable system administrators to group MUs even when they are not members of the same network segment. NOTE: A WLAN supporting a mesh network does not need to be assigned to a particular VLAN, as all the traffic proliferating the mesh network is already trunked. However, if MUs are to be connected to the Mesh
316. et (GUI), see Configuring IKE Key Settings on page 6-47.
8.3.2.3 AP51xx>admin(network.wan.content)>
Description: Displays the Outbound Content Filtering menu. The items available under this command include: addcmd: Adds control commands to block outbound traffic. delcmd: Deletes control commands to block outbound traffic. list: Lists application control commands. ..: Goes to the parent menu. /: Goes to the root menu. save: Saves the configuration to system flash. quit: Quits the CLI.
AP51xx>admin(network.wan.content)> addcmd
Description: Adds control commands to block outbound traffic.
Syntax: addcmd web: Adds WEB commands to block outbound traffic (proxy: Adds a Web proxy command; activex: Adds activex files; file: Adds Web URL extensions, 10 files maximum). smtp: Adds SMTP commands to block outbound traffic (helo: helo command; mail: mail command; rcpt: rcpt command; data: data command; quit: quit command; send: send command; saml: saml command; reset: reset command; vrfy: vrfy command; expn: expn command). ftp: Adds FTP commands to block outbound traffic (put: store command; get: retrieve command; ls: directory list command; mkdir: create directory command; cd: change directory command; pasv: passive mode command).
Example:
admin(network.wan.content)>addcmd web proxy
admin(network.wan.content)>addcmd smtp data
admin(network.wan.content)>addcmd ftp put
317. et access rules, port forwarding, and 1 to many mappings from the system. Only enable advanced subnet access rules if your configuration requires rules that cannot be configured within the Subnet Access screen. Import rules from Subnet Access: Select this checkbox to import existing access rules (NAT, packet forwarding, VPN rules etc.) into the Firewall Rules field. This rule import overrides any existing rules configured in the Advanced Subnet Access screen. A warning box displays stating the operation cannot be undone. Configure the Firewall Rules field as required to add, insert or delete firewall rules into the list of advanced rules. Inbound or Outbound: Select Inbound or Outbound from the drop down menu to specify if a firewall rule is intended for inbound traffic to an interface or outbound traffic from that interface. Add: Click the Add button to insert a new rule at the bottom of the table. Click on a row to display a new window with configuration options for that field. Insert: Click the Insert button to insert a new rule directly above a selected rule in the table. Clicking on a field in the row displays a new window with configuration options. Del (Delete): Click Del to remove the selected rule from the table. The index numbers for all the rows below the deleted row decrease by 1. Move Up: Clicking the Move Up button moves the selected rule up by one row in the table. The index numbers for the affected rows adjust to reflect the new o
318. et using a Secure Sockets Layer (SSL) for encrypted HTTP sessions. CLI TELNET (port 23): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point CLI via the TELNET terminal emulation TCP/IP protocol. CLI SSH (port 22): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point CLI using the SSH (Secure Shell) protocol. SNMP (port 161): Select the LAN1, LAN2 and/or WAN checkboxes to enable access to the access point configuration settings from an SNMP capable client. Refer to the Applet Timeout field to set an HTTPS timeout interval. HTTP/S Timeout: Disables access to the access point if no data activity is detected over Applet HTTPS (port 443) after the user defined interval. Default is 0 Mins. Use the Admin Authentication buttons to specify the authentication server connection method. Local: The access point verifies the authentication connection. Radius: Designates that a Radius server is used in the authentication credential verification. If using this option, the connected PC is required to have its Radius credentials verified with an external Radius server. Additionally, the Radius Server's Active Directory should have a valid user configured and have a PAP based Remote Access Policy configured for Radius Admin Authentication to work. Configure the Secure Shell field to set timeout values to reduce network inactivity. Authentication Time
319. ettings for the access point LAN port. For information on configuring the LAN using the applet (GUI), see Configuring the LAN Interface on page 5-1.
8.3.1.1 Network LAN, Bridge Commands
AP51xx>admin(network.lan.bridge)>
Description: Displays the access point Bridge submenu. show: Displays the mesh configuration parameters for the access point's LANs. set: Sets the mesh configuration parameters for the access point's LANs. ..: Moves to the parent menu. /: Goes to the root menu. save: Saves the configuration to system flash. quit: Quits the CLI and exits the session.
For an overview of the access point's mesh networking options using the applet (GUI), see Configuring Mesh Networking on page 9-1.
AP51xx>admin(network.lan.bridge)> show
Description: Displays the mesh bridge configuration parameters for the access point's LANs.
Syntax: show: Displays the mesh bridge configuration parameters for the access point's LANs.
Example:
admin(network.lan.bridge)>show
LAN1 Bridge Configuration
Bridge Priority : 32768
Hello Time (seconds) : 2
Message Age Time (seconds) : 20
Forward Delay Time (seconds) : 15
Entry Ageout Time (seconds) : 300
LAN2 Bridge Configuration
Bridge Priority : 32768
Hello Time (seconds) : 2
Message Age Time (seconds) : 20
Forward Delay Time (seconds) : 15
Entry Ageout Time (seconds) : 300
For an overview of the access poin
320. etween these two areas. Yellow (Limited Access): One or more protocol rules are specified. Specific protocols are either enabled or disabled between these two areas. Click the table cell of interest and look at the exceptions area in the lower half of the screen to determine the protocols that are either allowed or denied. Red (No Access): All protocols are denied, without exception. No traffic will pass between these two areas. 3. Configure the Rules field as required to allow or deny access to selected (enabled) protocols. Allow or Deny all protocols, except: Use the drop down menu to select either Allow or Deny. The selected setting applies to all protocols except those with enabled checkboxes and any traffic that is added to the table. For example, if the adoption rule is to Deny access to all protocols except those listed, access is allowed only to those selected protocols. Pre-configured Rules / Add / Del (Delete) / Name / Transport / Start Port. The following protocols are preconfigured with the access point. To enable a protocol, check the box next to the protocol name. HTTP: Hypertext Transfer Protocol is the protocol for transferring files on the Web. HTTP is an application protocol running on top of the TCP/IP suite of protocols, the foundation protocols for the Internet. The HTTP proto
321. etwork.lan.dhcp)>show
LAN1 DHCP Information
DHCP Address Assignment Range:
Starting IP Address : 192.168.0.100
Ending IP Address : 192.168.0.254
Lease Time : 86400
LAN2 DHCP Information
DHCP Address Assignment Range:
Starting IP Address : 192.168.0.100
Ending IP Address : 192.168.0.254
Lease Time : 86400
For information on configuring DHCP using the applet (GUI), see Configuring the LAN Interface on page 5-1.
AP51xx>admin(network.lan.dhcp)> set
Description: Sets DHCP parameters for the LAN port.
Syntax: set range <LAN idx> <ip1> <ip2>: Sets the DHCP assignment range from IP address <ip1> to IP address <ip2> for the specified LAN. lease <LAN idx> <lease>: Sets the DHCP lease time <lease> in seconds (1-999999) for the specified LAN.
Example:
admin(network.lan.dhcp)>set range 1 192.168.0.100 192.168.0.254
admin(network.lan.dhcp)>set lease 1 86400
admin(network.lan.dhcp)>show
LAN1 DHCP Information
DHCP Address Assignment Range:
Starting IP Address : 192.168.0.100
Ending IP Address : 192.168.0.254
Lease Time : 86400
For information on configuring DHCP using the applet (GUI), see Configuring the LAN Interface on page 5-1.
AP51xx>admin(network.lan.dhcp)> add
Description: Adds static DHCP address assignments.
Syntax: add <LAN idx> <mac> <ip>: Adds a reserved static IP add
322. example, www.motorola.com) into an IP address that networks can use. Secondary DNS Server: Specify the address of a secondary DNS server if one is used. A secondary address is recommended if the primary DNS server goes down. More IP Addresses: Click the More IP Addresses button to specify additional static IP addresses for the access point. Additional IP addresses are required when users within the WAN need dedicated IP addresses, or when servers need to be accessed (addressed) by the outside world. The More IP Addresses screen allows the administrator to enter up to seven additional WAN IP addresses for the access point WAN. Only numeric, non-DNS names can be used. If PPP over Ethernet is enabled from within the WAN screen, the VPN WAN IP Configuration portion of the More IP Addresses screen is enabled. Enter the IP address and subnet mask used to provide the PPPoE connection over the access point's WAN port. Ensure the IP address is a numerical (non-DNS) name. Refresh: Click the Refresh button to update the network address information displayed within the WAN IP Configuration field. Use the Port Settings field to define how the access point manages throughput over the WAN port. Auto Negotiation / 100 Mbps / 10 Mbps. Select the Auto Negotiation checkbox to enable the access point to automatically exchange information (over its WAN port) about data transmission speed and duplex capabilities. Auto negoti
323. ey exchange type for passing keys between both ends of a VPN tunnel. If Manual Key Exchange is selected, this column displays Manual. If Auto (IKE) Key Exchange is selected, the field displays Automatic. NOTE: When creating a tunnel, the remote subnet and remote subnet mask must be that of the target device's LAN settings. The remote gateway must be that of the target device's WAN IP address. If access point #1 has the following values: WAN IP address: 20.1.1.2; LAN IP address: 10.1.1.1; Subnet Mask: 255.0.0.0. Then, the VPN values for access point #2 should be: Remote subnet: 10.1.1.0 or 10.0.0.0; Remote subnet mask: 255.0.0.0; Remote gateway: 20.1.1.2. 3. If a VPN tunnel has been added to the list of available access point tunnels, use the VPN Tunnel Config field to optionally modify the tunnel's properties. Tunnel Name: Enter a name to define the VPN tunnel. The tunnel name is used to uniquely identify each tunnel. Select a name best suited to that tunnel's function so it can be selected again in the future if required in a similar application. Interface name / Local WAN IP / Remote Subnet / Remote Subnet Mask / Remote Gateway / Default Gateway / Manual Key Exchange / Manual Key Settings / Auto (IKE) Key Exchange / Auto Key Settings. Use the drop down menu to specify the LAN1, LAN2 or WAN connection used for routing VPN traffic. Remember, only one LAN connec
324. f mesh networking and how to configure an AP-5131 or AP-5181 to support mesh, see Configuring Mesh Networking on page 9-1. 10.2 Supported Adaptive AP Topologies. For this version 2.0 release of the access point firmware, the following AAP topologies are supported: Extended WLANs Only; Independent WLANs Only; Extended WLANs with Independent WLANs; Extended WLAN with Mesh Networking. 10.2.1 Topology Deployment Considerations. When reviewing the AAP topologies described in the section, be cognizant of the following considerations to optimize the effectiveness of the deployment. An AAP firmware upgrade will not be performed at the time of adoption from the wireless switch. Instead, the firmware is upgraded using the AP-51x1's firmware update procedure (manually or using the DHCP Auto Update feature). An AAP can use its LAN1 interface or WAN interface for adoption. The default gateway interface is set to LAN1. If the WAN Interface is used, explicitly configure WAN as the default gateway interface. Motorola recommends using the LAN1 interface for adoption in multi-cell deployments. If you have multiple independent WLANs mapped to different VLANs, the AAP's LAN1 interface requires trunking be enabled with the correct management and native VLAN IDs configured. Additionally, the AAP needs to be connected to an 802.1q trunk port on the wired switch. Be aware IPSec Mode supports NAT Traversal (NAT-T).
325. fault value indicates an AP can remain on the rogue AP list permanently. 4. Highlight an AP from within the Rogue APs table and click the Add to Allowed APs List button to move the device into the list of Allowed APs. 5. Click the Add All to Allowed APs List button to move each of the APs displayed within the Rogue APs table to the list of allowed APs. 6. Highlight a rogue AP and click the Details button to display a screen with device and detection information specific to that rogue device. This information is helpful in determining if a rogue AP should be moved to the Allowed APs table. For more information on displaying information on detected rogue APs, see Displaying Rogue AP Details on page 6-60. 7. To remove the Rogue AP entries displayed within the Rogue APs field, click the Clear Rogue AP List button. Motorola only recommends clearing the list of Rogue APs when the devices displaying within the list do not represent a threat to the access point managed network. 8. Click Apply to save any changes to the Active APs screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost. 9. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Active APs screen to the last saved configuration. 10. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed. 6.13.1.1 D
326. figure a new  was disabled. 3. Select the Base Bridge checkbox to allow the access point radio to accept client bridge connections from other access points in client bridge mode. The base bridge is the acceptor of mesh network data from those client bridges within the mesh network and never the initiator. CAUTION: A problem could arise if a Base Bridge's Indoor channel is not available on an Outdoor Client Bridge's list of available channels. As long as an Outdoor Client Bridge has the Indoor Base Bridge channel in its available list of channels, it can associate to the Base Bridge. 4. If the Base Bridge checkbox has been selected, use the Max# Client Bridges parameter to define the client bridge load on a particular base bridge. The maximum number of client bridge connections per access point radio is 12, with 24 representing the maximum for dual radio models. CAUTION: An access point in Base Bridge mode logs out whenever a Client Bridge associates to the Base Bridge over the LAN connection. This problem is not experienced over the access point's WAN connection. If this situation is experienced, log in to the access point again. Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of client bridge connections for this specific radio displays within the CBs Connected field. If this is an existing radio within a mesh network, this value updates in rea
327. for all MUs associated with the access point radio. The Signal to Noise Ratio is an indication of overall RF performance on your wireless network. 5. Refer to the Errors field to reference retry information as well as data transmissions the target access point 802.11a or 802.11b/g radio either gave up on or could not decrypt. Avg Num. of Retries: Displays the average number of retries for all MUs associated with the access point 802.11a or 802.11b/g radio. The number in black represents retries for the last 30 seconds and the number in blue represents retries for the last hour. Dropped Packets: Displays the percentage of packets the AP gave up on for all MUs associated with the access point 802.11a or 802.11b/g radio. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour. % of Undecryptable Pkts: Displays the percentage of undecryptable packets for all MUs associated with the 802.11a or 802.11b/g radio. The number in black represents packets for the last 30 seconds and the number in blue represents packets for the last hour. 6. Click the Clear Radio Stats button to reset each of the data collection counters to zero in order to begin new data collections. 7. Click the Logout button to securely exit the Access Point applet. 7.4.1.1 Retry Histogram. Refer to the Retry Histogram screen for an overview of the retr
328. formation of the client until it roams to the other access point. This enables the roaming client to start sending and receiving data sooner by not having to do 802.1x authentication after it roams. This feature is only supported when 802.1x EAP authentication and WPA2-TKIP is enabled. NOTE: PMK key caching is enabled internally by default for WPA2-TKIP when 802.1x EAP authentication is enabled. 9. Click the Apply button to save any changes made within this New Security Policy screen. 10. Click the Cancel button to undo any changes made within the WPA-TKIP Settings field and return to the WLAN screen. This reverts all settings to the last saved configuration. 6.9 Configuring WPA2-CCMP (802.11i). WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally different result. WPA2-CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128 bi
329. formation on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.
8.4.10 Firmware Update Commands
AP51xx>admin(system)>fw-update
Description: Displays the firmware update submenu. The items available under this command are shown below. NOTE: The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces. show: Displays the current access point firmware update settings. set: Defines the access point firmware update parameters. update: Executes the firmware update. ..: Goes to the parent menu. /: Goes to the root menu. save: Saves the current configuration to the access point system flash. quit: Quits the CLI and exits the current session.
AP51xx>admin(system.fw-update)>show
Description: Displays the current access point firmware update settings.
Syntax: show: Shows the current system firmware update settings for the access point.
Example:
admin(system.fw-update)>show
automatic firmware upgrade : enable
automatic config upgrade : enable
firmware filename : APFW.bin
firmware path : /tftpboot/
ftp/tftp server ip address : 168.197.2.2
ftp user name : jsmith
ftp password : *******
For information on updating access point device firmware using the applet (GU
330. from extended WLANs go back to the switch and traffic from independent WLANs is bridged locally by the AP. All local WLANs are mapped to LAN1, and all extended WLANs are mapped to LAN2. 10.2.5 Extended WLAN with Mesh Networking. Mesh networking is an extension of the existing wired network. There is no special configuration required, with the exceptions of setting the mesh and using it within one of the two extended VLAN configurations and defining an access point radio as a preferred base bridge. NOTE: The mesh backhaul WLAN must be an independent WLAN mapped to LAN1. The switch enforces the WLAN be defined as an independent WLAN by automatically setting the WLAN to independent when backhaul is selected. The AP ensures the backhaul WLAN be put on LAN1. 10.3 How the AP Receives its Adaptive Configuration. An AAP does not require a separate "local" or "running" configuration. Once enabled as an AAP, the AP obtains its configuration from the switch. If the AP's WAN link fails, it continues to operate using the last valid configuration until its link is re-established and a new configuration is pushed down from the switch. There is no separate file-based configuration stored on the switch. Only WLAN, VLAN extension and radio configuration items are defined for the AAP by its connected switch. None of the other access point configuration items (RADIUS, DHCP, NAT, Firewall etc.) are configurable from the connected switc
331. from one access point to another like a cellular phone system. WLANs can therefore be configured around the needs of specific groups of users, even when they are not in physical proximity.

Use the access point's Wireless Configuration screen to create new WLANs, edit the properties of existing WLANs or delete a WLAN to create space for a new WLAN. Sixteen WLANs are available on the access point (regardless of single or dual radio model).

To configure WLANs on the access point:

1. Select Network Configuration -> Wireless from the access point menu tree.

[Screenshot: Wireless Configuration screen]

If a WLAN is defined, that WLAN displays within the Wireless Configuration screen. When the access point is first booted, WLAN1 exists as a default WLAN available immediately for connection.

2. Refer to the information within the Wireless Configuration screen to view the name, ESSID, access point radio designation, VLAN ID and security policy of existing WLANs.

WLAN Name    The Name field displays the name of each WLAN that h
332. g    Output voltage source is out of range. The Power Injector is overloaded or has a short circuit.

For more information and device specifications for the Power Injector, refer to the Power Injector Quick Install Guide (Part No. 72-70762-01) available from the Motorola Web site.

2.7 Mounting an AP-5131

The AP-5131 can rest on a flat surface, attach to a wall, mount under a suspended T-Bar or above a ceiling (plenum or attic). Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5131 in a location that has not been approved in a site survey.

Refer to the following, depending on how you intend to mount the AP-5131:

• Desk Mounted Installations
• Wall Mounted Installations
• Suspended Ceiling T-Bar Installations
• Above the Ceiling (Plenum) Installations

2.7.1 Desk Mounted Installations

The desk mount option uses rubber feet allowing the unit to sit on most flat surfaces. The four (4) round rubber feet can be found in the AP-5131 (main) box in a separate plastic bag.

To install the AP-5131 in a desk mount orientation:

1. Turn the AP-5131 upside down.

2. Attach the radio antennae to their correct connectors.

The antenna protection plate cannot be used in a desk mount configuration, as the plate only allows antennas to be positioned in a downward orientation.

CAUTION: Both the Dual and Single R
333. 6.2 Setting Passwords

Before setting the access point security parameters, verify that an administrative password for the access point has been created to restrict access to the device before advanced device security is configured.

To password protect and restrict access point device access:

1. Connect a wired computer to the access point LAN port using a standard CAT-5 cable.

2. Set up the computer for TCP/IP DHCP network addressing and make sure the DNS settings are not hardcoded.

3. Start Internet Explorer (with Sun Microsystems' Java Runtime Environment (JRE) 1.5 or higher installed) and type in the default IP address in the address field.

To connect to the access point, the IP address is required. If connected to the access point using the WAN port, the default static IP address is 10.1.1.1. The default password is "motorola". If connected to the access point using the LAN port, the default setting is DHCP client. The user is required to know the IP address to connect to the access point using a Web browser.

The access point Login screen displays.

NOTE: For optimum compatibility use Sun Microsystems' JRE 1.5 or higher (available from Sun's Web site), and be sure to disable Microsoft's Java Virtual Machine if it is installed.

NOTE: DNS names are not supported as a valid IP address for the access point. The user is required to enter a numerical IP address.

4. Login using t
334. gateway>

Example:

admin(network.wan.vpn)>add 2 SJSharkey 209.235.44.31 206.107.22.46 255.255.255.224 206.107.22.1

If tunnel type is Manual, proper SPI values and Keys must be configured after adding the tunnel

admin(network.wan.vpn)>

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

AP51xx>admin(network.wan.vpn)> set

Description:
Sets VPN entry parameters.

Syntax:
set type <name> <tunnel type>
    authalgo <name> <authalgo>
    authkey <name> <dir> <authkey>
    esp-type <name> <esptype>
    esp-encalgo <name> <escalgo>
    esp-enckey <name> <dir> <enckey>
    esp-authalgo <name> <authalgo>
    esp-authkey <name> <dir> <authkey>
    spi <name> <algo> <dir> <value>
    usepfs <name> <mode>

Sets the tunnel type <name> to Auto or Manual for the specified tunnel name.

Sets the authentication algorithm for <name> to (None, MD5, or SHA1).

Sets the AH authentication key (if type is Manual) for tunnel <name> with the direction set to IN or OUT, and the manual authentication key set to <authkey>. (The key size is 32 hex characters for MD5, and 40 hex characters for SHA1).

Sets the Encapsulating Security Payload (ESP) type. Options include None, ESP, or ESP-AUTH.

Sets the ESP encryption algorithm. Options incl
335. ge 6-76.

8.4.5.1 Adding and Removing Users from the User Database

AP51xx>admin(system.userdb)> user

Description:
Adds and removes users from the user database and defines user passwords.

Syntax:
add         Adds a new user.
delete      Deletes an existing user ID.
clearall    Removes all existing user IDs from the system.
set         Sets a password for a user.
show        Displays the current user database configuration.
save        Saves the configuration to system flash.
..          Goes to the parent menu.
/           Goes to the root menu.

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.user)> add

Description:
Adds a new user to the user database.

Syntax:
add <name> <password>    Adds a new user and password to the user database.

Example:
admin(system.userdb.user)>add george password

admin(system.userdb.user)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.user)> delete

Description:
Removes a user from the user database.

Syntax:
delete    Removes a user ID string from the user database.

Example:
admin(system.userdb.user)>delete george

admin(system.userdb.user)>
336. ge 7-32.

AP51xx>admin(stats)> ping

Description:
Defines the ping test values used to conduct a ping test to an AP with the same ESSID.

Syntax:
show     Shows Known AP Summary details.
list     Defines ping test packet length.
set      Determines ping test packet data.
start    Begins pinging the defined station.
..       Goes to parent menu.
/        Goes to root menu.
quit     Quits CLI session.

For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-32.

AP51xx>admin(stats.ping)> show

Description:
Shows Known AP Summary Details.

Syntax:
show     Shows Known AP Summary Details.

Example:
admin(stats.ping)>show

1 192 168 2 0 00 A0F8 72 57 83 3 0 access point

AP51xx>admin(stats.ping)> list

Description:
Lists ping test parameters and results.

Syntax:
list     Lists ping test parameters and results.

Example:
admin(stats.ping)>list

Station Address : 00A0F8213434
Number of Pings : 10
Packet Length : 10
Packet Data (in HEX) : 55

admin(stats.ping)>

For information on Known AP tests using the applet (GUI), see Pinging Individual MUs on page 7-32.

AP51xx>admin(stats.ping)> set

Description:
Defines the parameters of the ping test.

Syntax:
set station    Defines the AP target MAC address.
    request    Sets number of ping packets to transmit  1 539
337. gement

Refer to the following for network management configuration activities supported by the access point user interface:

• Configuring the LAN Interface
• Configuring WAN Settings
• Enabling Wireless LANs (WLANs)
• Configuring WIPS Server Settings
• Configuring Router Settings
• Configuring IP Filtering

5.1 Configuring the LAN Interface

The access point has one physical LAN port supporting two unique LAN interfaces. The access point LAN port has its own MAC address. The LAN port MAC address is always the value of the access point WAN port MAC address plus 1. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens.

For information on locating the access point's MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6.

Use the LAN Configuration screen to enable one (or both) of the access point's LAN interfaces, assign them names, define which LAN is currently active on the access point Ethernet port and assign a timeout value to disable the LAN connection if no data traffic is detected within a defined interval.

To configure the access point LAN interface:

1. Select Network Configuration -> LAN from the access point menu tree.

[Screenshot: LAN Configuration screen]
338. gement Enhancements
Radius Time Based Authentication
Feature Overview
  Single or Dual Mode Radio Options
  Separate LAN and WAN Ports
  Multiple Mounting Options
  Antenna Support for 2.4 GHz and 5 GHz Radios
  Sixteen Configurable WLANs
  Support for 4 BSSIDs per Radio
  Quality of Service (QoS) Support
  Industry Leading Data Security
    Kerberos Authentication
    EAP Authentication
    WEP Encryption
    KeyGuard Encryption
    Wi-Fi Protected Access (WPA) Using TKIP Encryption
    WPA2-CCMP (802.11i) Encryption
    VPN Tunnels
    Content Filtering
  VLAN Support
  Multiple Management Accessibility Options
  Updatable Firmware
339. ght of the Security Policy item.

The New Security Policy screen displays with the Manually Pre-shared key/No authentication and No Encryption options selected. Naming and saving such a policy (as is) would provide no security and might only make sense in a guest network wherein no sensitive data is either transmitted or received. Consequently, at a minimum, a basic security scheme (in this case WEP 128) is recommended in a network environment wherein sensitive data is transmitted.

NOTE: For information on configuring the other encryption and authentication options available to the access point, see Configuring Security Options on page 6-2.

2. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

Multiple WLANs can share the same security policy, so be careful not to name security policies after specific WLANs or risk defining a WLAN to single policy. Motorola recommends naming the policy after the attributes of the authentication or encryption type selected.

3. Select the WEP 128 (104 bit key) checkbox.

The WEP 128 Settings field displays within the New Security Policy screen.

[Screenshot: New Security Policy screen]
340. go through the association and authentication process to establish wireless connections with the located devices. This association process is identical to the access point's current MU association process. Once the association and authentication process is complete, the wireless client adds the connection as a port on its bridge module. This causes the client bridge to begin forwarding packets to the base bridge node. The base bridge realizes it is talking to a wireless client bridge. It then adds that connection as a port on its own bridge module. The two bridges at that point are communicating using the Spanning Tree Protocol (STP).

Access points configured as both a base and a client bridge function as repeaters to transmit data with associated MUs in their coverage area (client bridge mode) as well as forward traffic to other access points in the mesh network (base bridge mode). The number of access points and their intended function within the mesh network dictate whether they should be configured as base bridges, client bridges or both (repeaters).

The spanning tree determines the path to the root and detects if the current connection is part of a network loop with another connection in the system. Each bridge is configurable, so the administrator can control the spanning tree to define the root bridge and what the forwarding paths are. Once the spanning tree converges, both access points begin
341. grade will result in a bootloader change, and the second upgrade will result in the actual firmware update. For subsequent upgrades, a single download will suffice. Using Auto Update, the access point will automatically update itself twice when upgrading.

Upgrading to a new access point firmware baseline does not retain the configuration of the previous (lower version) firmware. Motorola recommends users export their 1.0 configuration for backup purposes prior to upgrading.

When downloading to a lower firmware version, all configuration settings are lost and the access point returns to factory default settings of the lower version.

CAUTION: If downgrading firmware to a lower version, the access point automatically reverts to default settings of the lower version, regardless of whether you are downloading the firmware manually or using the automatic download feature. The automatic feature allows the user to download the configuration file at the same time, but since the firmware reverts to the default settings of the lower version, the configuration file is ignored.

NOTE: An AP-5181 does not support any firmware versions prior to 1.1.1.0.

For detailed update scenarios involving both a Windows DHCP and a Linux BootP server configuration, see Configuring Automatic Updates using a DHCP or Linux BootP Server on page B-1.

access point's firmware version using eith
342. gs. Only an installation professional should reset the access point's password and promptly define a new restrictive password.

To contact Motorola Support in the event of a password reset requirement, go to http://www.symbol.com/contactsupport.

CAUTION: Only a qualified installation professional should set or restore the access point's radio and power management configuration in the event of a password reset.

6.3 Enabling Authentication and Encryption Schemes

To complement the built-in firewall filters on the WAN side of the access point, the WLAN side of the access point supports authentication and encryption schemes. Authentication is a challenge-response procedure for validating user credentials such as username, password, and sometimes secret-key information. The access point provides two schemes for authenticating users: 802.1x EAP and Kerberos.

Encryption applies a specific algorithm to data to alter its appearance and prevent unauthorized reading. Decryption applies the algorithm in reverse to restore the data to its original form. Sender and receiver must employ the same encryption/decryption method to interoperate.

Wired Equivalent Privacy (WEP) is available in two encryption modes: 40 bit (also called WEP 64) and 104 bit (also called WEP 128). The 104-bit encryption mode provides a longer algorithm (better security) that takes longer to decode (hack) than the 40-bit encryption mode
343. guring WLAN Hotspot Support on page 5-46.

AP51xx>admin(network.wireless.wlan.hotspot)> show

Description:
Displays the current access point Rogue AP detection configuration.

Syntax:
show hotspot <idx>    Shows hotspot parameters per wlan index (1-16).

Example:
admin(network.wireless.wlan.hotspot)>show hotspot 1

WLAN1
Hotspot Mode
Hotspot Page Location
External Login URL
External Welcome URL
External Fail URL
Primary Server Ip adr
    : enable
    : default
    : www.sjsharkey.com
    : 157.235.21.21
Primary Server Port : 1812
Primary Server Secret : ********
Secondary Server Ip adr : 157.235.32.12
Secondary Server Port : 1812
Secondary Server Secret : ********
Accounting Mode : disable
Accounting Server Ip adr : 0.0.0.0
Accounting Server Port : 1813
Accounting Server Secret : ********
Accoutning Timeout : 10
Accoutning Retry count : 3
Session Timeout Mode : enable
Session Timeout : 15

Whitelist Rules
Idx    IP Address
1      157.235.121.12

For information on configuring the Hotspot options available to the access point using the applet (GUI), see Configuring WLAN Hotspot Support on page 5-46.

AP51xx>admin(network.wireless.wlan.hotspot)> redirection

Description:
Goes to the hotspot redirection menu.

Syntax:
redirection set <page loc>    Sets the hotspot http-re-direction by index (1-16) for the specified URL.
            <exturl>          Shows hotspot http-redirection details for sp
344. h.

After the AP downloads a configuration file from the switch, it obtains the version number of the image it should be running. The switch does not have the capacity to hold the access point's firmware image and configuration. The access point image must be downloaded using a means outside the switch. If there is still an image version mismatch between what the switch expects and what the AAP is running, the switch will deny adoption.

Adaptive AP Pre-requisites

Converting an AP-5131 or AP-5181 model access point into an AAP requires:

• A version 2.0 or higher firmware running on the access point.
• A Motorola WS5100 (running firmware version 3.1 or later) or a RFS6000/RFS7000 (running firmware version 1.1 or later) switch.
• The appropriate switch licenses providing AAP functionality on the switch.
• The correct password to authenticate and connect the adaptive to the switch.

Configuring the Adaptive AP for Adoption by the Switch

1. An AAP needs to find and connect to the switch. To ensure this connection:

• Configure the switch's IP address on the AAP.
• Provide the switch IP address using DHCP option 189 on a DHCP server. The IP address is a comma-delimited string of IP addresses. For example, "157.235.94.91, 10.10.10.19". There can be a maximum of 12 IP addresses.
• Configure the switch's FQDN on the AAP. The AAP can use this to resolve the IP address of the switch.

2. Use the sw
345. h its mesh connection after saving the configuration.

Mesh Deployment Issue 14 - Will an existing client bridge see a new base bridge or repeater?

If I add a new base bridge or repeater to an existing mesh topology, will my current client bridges see it and connect to it?

Resolution

Yes, all client bridges perform periodic background scanning, both passively (by sniffing the air for beacons) and actively (by sending Probe Requests). Therefore, a client bridge automatically detects the presence of a new base bridge or repeater added to the mesh network topology and forms a seamless connection without affecting current operation.

Mesh Deployment Issue 15 - Can a mesh supported AP react to changing RF conditions?

If RF conditions change, will a mesh supported AP automatically detect and re-route traffic on its backup link or look for new links if all current links are exhausted?

Resolution

Yes, all mesh nodes have built-in dynamic link switching and auto-recovery mechanisms that ensure they adapt to changing RF conditions.

Adaptive AP

10.1 Adaptive AP Overview

An adaptive AP (AAP) is an AP-51xx access point that can adopt like an AP300 (L3). The management of an AAP is conducted by the switch, once the access point connects to a Motorola WS5100, RFS6000 or RFS7000 model switch and receives its AAP configuration.

An AAP provides:

• local 802.11 traffic termination
• local encryption/decryption
• local traffic bridging
• t
346. h other both within this WLAN, as well as other WLANs.

Selecting this option could be a good idea, if restricting device "chatter" improves mesh network performance. If base bridges and client bridges are added at any given time to extend the coverage area of a mesh network, the data going back and forth amongst just those radios could be compromised by network interference. Adding mesh device traffic could jeopardize network throughput. If, however, MU to MU communication is central to the organization (for example, scanners sharing data entry information), then this checkbox should remain unselected.

10. Select the Use Secure Beacon checkbox to not transmit the ESSID amongst the access points and devices within the mesh network. If a hacker tries to find an ESSID via an MU, the access point's ESSID does not display since the ESSID is not in the beacon. Motorola recommends keeping the option enabled to reduce the likelihood of hacking into the WLAN.

11. Select the Accept Broadcast ESSID checkbox to associate an MU that has a blank ESSID (regardless of which ESSID the access point is currently using). Traffic within a mesh network probably consists of known devices, so you may want to leave the checkbox unselected and configure each MU with an ESSID. The default is selected. However, for WLANs used within a mesh network, Motorola recommends unselecting this option as it would prevent the AP from answering to blank E
347. hapter 5  Network Management

Configuring the LAN Interface
  Configuring VLAN Support
  Configuring LAN1 and LAN2 Settings
    Configuring Advanced DHCP Server Settings
    Setting the Type Filter Configuration
Configuring WAN Settings
  Configuring Network Address Translation (NAT) Settings
    Configuring Port Forwarding
  Configuring Dynamic DNS
Enabling Wireless LANs (WLANs)
  Creating/Editing Individual WLANs
    Configuring WLAN Security Policies
    Configuring a WLAN Access Control List (ACL)
    Setting the WLAN Quality of Service (QoS) Policy
    Configuring WLAN Hotspot Support
  Setting the WLAN's Radio Configuration
    Configuring the 802.11a or 802.11b/g Radio
  Configuring Bandwidth Management Settings
Configuring WIPS Server Settings
Configuring Router Settings
  Setting the RIP Configurati
348. haracteristics
Electrical Characteristics
Radio Characteristics
Antenna Specifications
  AP-5131 Antenna Specifications
    2.4 GHz Antenna Matrix
    5 GHz Antenna Matrix
    AP-5131 Additional Antenna Components
    AP-5131 Antenna Accessory Connectors, Cable Type and Length
  AP-5181 Antenna Specifications

Appendix B  Usage Scenarios

Configuring Automatic Updates using a DHCP or Linux BootP Server
  Windows - DHCP Server Configuration
    Embedded Options - Using Option 43
    Global Options - Using Extended/Standard Options
  Linux - BootP Server Configuration
Configuring an IPSEC Tunnel and VPN FAQs
  Configuring a VPN Tunnel Between Two Access Points
  Configuring a Cisco VPN Device
  Frequently Asked VPN Questions
Replacing an AP-4131 with an
349. he "admin" as the default Username and "motorola" as the default Password.

If the default login is successful, the Change Admin Password window displays. Change the default login and password to significantly decrease the likelihood of hacking.

[Screenshot: Change Admin Password window]

CAUTION: Restoring the access point's configuration back to default settings changes the administrative password back to "motorola". If restoring the configuration back to default settings, be sure you change the administrative password accordingly.

5. Enter the previous password and the new admin password in the two fields provided. Click the Apply button.

Once the admin password has been created/updated, the System Settings screen displays. If the access point has not had its System Settings (device name, location etc.) configured, see Configuring System Settings on page 4-2.

Once the password has been set, refer back to Configuring Security Options on page 6-2 to determine which access point security feature to configure next.

6.2.1 Resetting the Access Point Password

The access point has a means of restoring its password to its default value. Doing so also reverts the access point's security, radio and power management configuration to their default settin
350. he access point. Use the access point's LAN interface for establishing a link with the access point. Configure the access point as a DHCP client. For optimal screen resolution, set your screen resolution to 1024 x 768 pixels or greater.

1. Log in using admin as the default Username and motorola as the default Password. Use your new password if it has been updated from default.

There is no difference in the login method between the AP-5131 and AP-5181 model access points. However, each model displays a login screen unique in appearance (with a different model name). Additionally, each model access point displays a banner on top of each menu screen unique to the AP-5131 or AP-5181 model supported.

NOTE: For optimum compatibility, use Sun Microsystems' JRE 1.5 or higher (available from Sun's Website), and be sure to disable Microsoft's Java Virtual Machine if installed.

[Screenshot: AP-5181 Access Point login screen]

2. If the default login is successful, the Change Admin Password window displays. Change the password.

[Screenshot: Change Admin Password window]

Enter the current password and a new admin password in fields provided. Click Apply. Once the admin password has been updated, a warning message displays stating the access point must be set to a country.
351. he firmware update is in process.

9. Click the Perform Update button to initiate the update. Upon confirming the firmware update, the AP reboots and completes the update.

NOTE: The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.

10. After the AP reboots, return to the Firmware Update screen. Check the Status field to verify whether the firmware update was successful. If an error occurs, one of the following error messages will display:

FAIL: exceed memory limit
FAIL: connection time out
FAIL: auto fw update check
FAIL: network activity time out
FAIL: firmware check
FAIL: authentication
FAIL: control channel error
FAIL: data channel error
FAIL: channel closed unexpected
FAIL: establish data channel
FAIL: accept data channel
FAIL: user interrupted
FAIL: no valid interface found
FAIL: conflict ip address
FAIL: command exchange time out
FAIL: invalid subnet number

11. Confirm the access point configuration is the same as it was before the firmware update. If it is not, restore the settings. Refer to Importing/Exporting Configurations on page 4-49 for instructions on exporting the configuration back to the access point.

12. Click Apply to save the filename and filepath information entered into the Firmware Update
352. he WAN IP addresses on the NAT screen are dynamically generated from address settings applied on the WAN screen.

NAT Type
Specify the NAT Type as 1 to 1 to map a WAN IP address to a single host (local) IP address. 1 to 1 mapping is useful when users need dedicated addresses, and for public-facing servers connected to the access point.
Set the NAT Type as 1 to Many to map a WAN IP address to multiple local IP addresses. This displays the mappings button in the adjacent Outbound Mappings field. This button displays a screen for mapping the LAN IP addresses that are associated with each subnet.
Define the NAT Type as none when routable IP addresses are used on the internal network.

Outbound Mappings
When 1 to 1 NAT is selected, a single IP address can be entered in the Outbound Mappings area. This address provides a 1 to 1 mapping of the WAN IP address to the specified IP address.
When 1 to Many is selected as the NAT Type, the Outbound Mappings area displays a mappings button. Click the button to select the LAN1 or LAN2 IP address used to set the outbound IP address or select none to exclude the IP address.
If none is selected as the NAT Type, the Outbound Mappings area is blank.

Inbound Mappings
When 1 to 1 or 1 to Many is selected, the Inbound Mappings option displays a Port Forwarding button.

Port Forwarding
Click the Port Forwarding button to display a screen of port forwarding parameters for inbound traffic fro
353. he access point internal stack interface handles all messages directed to the access point. Each stores information on destinations and their interfaces to facilitate forwarding. When a user sends an ARP (Address Resolution Protocol) request packet, the access point forwards it over all enabled interfaces except over the interface the ARP request packet was received.

On receiving the ARP response packet, the access point database keeps a record of the destination address along with the receiving interface. With this information, the access point forwards any directed packet to the correct destination. Transmitted ARP request packets echo back to other MUs. The access point removes from its database the destination or interface information that is not used for a specified time. The AP refreshes its database when it transmits or receives data from these destinations and interfaces.

1.3.3 Media Types

The access point radio interface conforms to IEEE 802.11a/b/g specifications. The interface operates at a maximum 54Mbps (802.11a radio) using direct-sequence radio technology. The access point supports multiple-cell operations with fast roaming between cells. Within a direct-sequence system, each cell can operate independently. Adding cells to the network provides an increased coverage area and total system capacity.

The RS-232 serial port provides a Command Line Interface (CLI) connection. The s
354. he certificate file

impcert    Imports the certificate file.
           Goes to the parent menu.
           Goes to the root menu.
save       Saves the configuration to system flash.
quit       Quits the CLI.

AP51xx>admin(system.cmgr)> genreq

Description:

Generates a certificate request.

Syntax:

genreq <IDname> <Subject> [-ou <OrgUnit>] [-on <OrgName>] [-cn <City>] [-st <State>] [-p <PostCode>] [-cc <CCode>] [-e <Email>] [-d <Domain>] [-i <IP>] [-sa <SAlgo>]

Generates a self certificate request for a Certification Authority (CA), where:

<IDname>            The private key ID Name (up to 7 chars)
<Subject>           Subject Name (up to 49 chars)
-ou <Department>    Organization Unit (up to 49 chars)
-on <OrgName>       Organization Name (up to 49 chars)
-cn <City>          City Name of Organization (up to 49 chars)
-st <State>         State Name (up to 49 chars)
-p <PostCode>       Postal code (9 digits)
-cc <CCode>         Country code (2 chars)
-e <Email>          E-mail Address (up to 49 chars)
-d <Domain>         Domain Name (up to 49 chars)
-i <IP>             IP Address (a.b.c.d)
-sa <SAlgo>         Signature Algorithm (one of MD5-RSA or SHA1-RSA)
-k <KSize>          Key size in bits (one of 512, 1024, or 2048)

Note: The parameters in [square brackets] are optional. Check with the CA to determine what fields are necessary. For example, most CAs require an email address and an IP add
355. he power supply line cord to the power adapter.

Attach the power adapter cable into the power connector on the AP-5131.

Plug the power adapter into an outlet.

Verify the behavior of the AP-5131 LEDs. For more information, see AP-5131 LED Indicators on page 2-23.

Align the bottom of the ceiling T-bar with the back of the AP-5131.

7. Orient the AP-5131 chassis by its length and the length of the ceiling T-bar.
8. Rotate the AP-5131 chassis 45 degrees clockwise, or about 10 o'clock.
9. Push the back of the AP-5131 chassis on to the bottom of the ceiling T-bar.

CAUTION: Ensure the safety wire and cabling used in the T-Bar AP-5131 installation is securely fastened to the building structure in order to provide a safe operating environment.

10. Rotate the AP-5131 chassis 45 degrees counter-clockwise. The clips click as they fasten to the T-bar.

11. The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

NOTE: If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation. Contact Motorola for more information.

2.7.4 Above the Ceiling (Plenum) Installations

An AP-5131 above the ceiling installation requires p
356. he tunneling of centralized traffic to the wireless switch.

An AAP's switch connection can be secured using IP/UDP or IPSec, depending on whether a secure WAN link from a remote site to the central site already exists.

The switch can be discovered using one of the following mechanisms:

- DHCP
- Switch fully qualified domain name (FQDN)
- Static IP addresses

The benefits of an AAP deployment include:

- Centralized Configuration Management & Compliance: Wireless configurations across distributed sites can be centrally managed by the wireless switch or cluster.
- WAN Survivability: Local WLAN services at remote sites are unaffected in the case of a WAN outage.
- Securely extend corporate WLANs to stores for corporate visitors: Small home or office deployments can utilize the feature set of a corporate WLAN from their remote location.
- Maintain local WLANs for in-store applications: WLANs created and supported locally can be concurrently supported with your existing infrastructure.

10.1.1 Where to Go From Here

Refer to the following for a further understanding of AAP operation:

- Adaptive AP Management
- Types of Adaptive APs
- Licensing
- Switch Discovery
- Securing a Configuration Channel Between Switch and AP
- Adaptive AP WLAN Topology
- Configuration Updates
- Securing Data Tunnels between the Switch and AAP
- Adaptive AP Switch Failure
- Remote Site Survivability (RSS)
- Adaptive Mesh S
357. heck

A SYN flood attack requests a connection and then fails to promptly acknowledge a destination host's response, leaving the destination host vulnerable to a flood of connection requests.

A source routing attack specifies an exact route for a packet's travel through a network, while exploiting the use of an intermediate host to gain access to a private host.

A "Win-nuking" attack uses the IP address of a destination host to send junk packets to its receiving port.

FTP Bounce Attack Check: An FTP bounce attack uses the PORT command in FTP mode to gain access to arbitrary ports on machines other than the originating client.

IP Unaligned Timestamp Check: An IP unaligned timestamp attack uses a frame with the IP timestamp option, where the timestamp is not aligned on a 32-bit boundary.

Sequence Number Prediction Check: A sequence number prediction attack establishes a three-way TCP connection with a forged source address. The attacker guesses the sequence number of the destination host response.

Mime Flood Attack Check: A MIME flood attack uses an improperly formatted MIME header in "sendmail" to cause a buffer overflow on the destination host.

Max Header Length (> 256): Use the Max Header Length field to set the maximum allowable header length (at least 256 bytes).

Max Headers (> 12): Use the Max Headers field to set the

5. Click Apply to save any changes to the Firewall screen. Navigating away from the screen
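The FTP bounce check described above comes down to comparing the data endpoint a client announces with the address the control connection actually came from. The sketch below is an added example, not the access point's firewall code: the function names, the 1024 port floor (a common server-side precaution) and the constructed sample session are assumptions, and EPRT handling goes slightly beyond the PORT command the guide mentions.

```python
import ipaddress


def _number(text, upper):
    """Parse an unsigned decimal field no larger than `upper`."""
    if not (text.isascii() and text.isdigit()) or int(text) > upper:
        raise ValueError(f"bad numeric field: {text!r}")
    return int(text)


def parse_data_endpoint(line):
    """Return (ip, port) announced by a PORT or EPRT command.

    Returns None for any other command; raises ValueError when the
    PORT/EPRT argument is malformed.
    """
    verb, _, arg = line.strip().partition(" ")
    verb, arg = verb.upper(), arg.strip()
    if verb == "PORT":
        # PORT h1,h2,h3,h4,p1,p2 : six decimal byte values
        parts = arg.split(",")
        if len(parts) != 6:
            raise ValueError("PORT needs six comma-separated values")
        nums = [_number(p, 255) for p in parts]
        ip = ipaddress.ip_address(".".join(str(n) for n in nums[:4]))
        return ip, nums[4] * 256 + nums[5]
    if verb == "EPRT":
        # EPRT <d>proto<d>address<d>port<d>, <d> is usually "|"
        if len(arg) < 2:
            raise ValueError("empty EPRT argument")
        fields = arg.split(arg[0])
        if len(fields) != 5 or fields[4] != "":
            raise ValueError("EPRT needs three delimited fields")
        proto, addr, port = fields[1:4]
        ip = ipaddress.ip_address(addr)
        if {"1": 4, "2": 6}.get(proto) != ip.version:
            raise ValueError("EPRT protocol does not match address")
        port_no = _number(port, 65535)
        if port_no == 0:
            raise ValueError("port 0 is not usable")
        return ip, port_no
    return None


def check_command(client_ip, line, min_port=1024):
    """Decide whether one control-channel line may pass: (allowed, reason)."""
    try:
        endpoint = parse_data_endpoint(line)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if endpoint is None:
        return True, "not a data-port command"
    ip, port = endpoint
    if ip != ipaddress.ip_address(client_ip):
        # The data connection would go to a host other than the client.
        return False, "third-party address"
    if port < min_port:
        return False, "privileged port"
    return True, "ok"


def audit_session(client_ip, lines):
    """Return [(line, reason)] for every line that would be blocked."""
    blocked = []
    for line in lines:
        allowed, reason = check_command(client_ip, line)
        if not allowed:
            blocked.append((line, reason))
    return blocked


# Constructed sample session (documentation address ranges only).
CLIENT = "192.0.2.10"
SESSION = [
    "USER anonymous",
    "PORT 192,0,2,10,19,137",     # client's own address, port 5001
    "PORT 198,51,100,7,0,25",     # another host, port 25
    "PORT 192,0,2,10,0,22",       # own address, privileged port
    "EPRT |1|192.0.2.10|6275|",   # own address, extended form
    "EPRT |2|2001:db8::1|6275|",  # different (IPv6) host
    "PORT 1,2,3",                 # malformed
]

if __name__ == "__main__":
    for line, reason in audit_session(CLIENT, SESSION):
        print(f"BLOCK {line!r}: {reason}")
```
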
358. heckbox enables DHCP for the access point WAN connection. This is useful if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. If DHCP client mode is enabled, the other WAN IP configuration parameters are grayed out.

Specify a numerical (non-DNS name) IP address for the access point's WAN connection. This address defines the AP's presence on a larger network or on the Internet. Obtain a static (dedicated) IP address from the ISP or network administrator. An IP address uses a series of four numbers expressed in dot notation, for example, 190.188.12.1.

Specify a subnet mask for the access point's WAN connection. This number is available from the ISP for a DSL or cable modem connection, or from an administrator if the access point connects to a larger network. A subnet mask uses a series of four numbers expressed in dot notation (similar to an IP address). For example, 255.255.255.0 is a valid subnet mask.

Specify the gateway address for the access point's WAN connection. The ISP or a network administrator provides this address.

Specify the address of a primary Domain Name System (DNS) server. The ISP or a network administrator provides this address. A DNS server translates a domain name (for
359. help using combinations of function keys for navigation.

Example:

admin>help

?            : display command help - Eg. ?, show ?, s?
Restriction of "?": "?" after a function argument is treated as an argument.
               Eg. admin<network.lan> set lan enable?
               (Here "?" is an invalid extra argument, because it is after the argument "enable")
<ctrl-q>     : go backwards in command history
<ctrl-p>     : go forwards in command history
Note         : 1) commands can be incomplete - Eg. sh = sho = show
               2) introduces a comment and gets no response from CLI.

admin>

AP51xx>admin>passwd

Description:

Changes the password for the admin login.

Syntax:

passwd    Changes the admin password for access point access. This requires typing the old admin password, entering a new password and confirming it. Passwords can be up to 11 characters. The access point CLI treats the following as invalid characters: > space < > 6 &. In order to avoid problems when using the access point CLI, these characters should be avoided.

Example:

admin>passwd
Old Admin Password:
New Admin Password (0 - 11 characters):
Verify Admin Password (0 - 11 characters):
Password successfully updated

For information on configuring passwords using the applet (GUI), see Setting Passwords on page 6-3.

AP51xx>admin>summary

Descr
360. her access point using the applet (GUI), see Viewing Known Access Point Statistics on page 7-35.

AP51xx>admin(stats)> send-cfg-all

Description:

Copies the access point's configuration to all of the access points within the known AP table.

Syntax:

send-cfg-all    Copies the access point's configuration to all of the access points within the known AP table.

Example:

admin(stats)>send-cfg-all
admin(stats)>

NOTE: The send-cfg-all command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.

For information on copying the access point config to another access point using the applet (GUI), see Viewing Known Access Point Statistics on page 7-35.

AP51xx>admin(stats)> clear

Description:

Clears the specified statistics counters to zero to begin new data calculations.

Syntax:

clear    wan          Clears WAN statistics counters.
         lan          Clears LAN statistics counters for specified LAN index (either clear lan 1 or clear lan 2).
         all-rf       Clears all RF data.
         all-wlan     Clears all WLAN summary information.
         wlan         Clears individual WLAN statistic counters.
         all-radio    Clears access point radio summary information.
         radio1       Clears statistics counters specific to radio1.
         radio2       Clears statistics counters specific to radio2.
         all-mu       Clears all MU statistic counters.
         known-ap
         mu           Clears MU statis
361. his gives the user the freedom to configure their topology in a variety of ways without limitations. This is important when configuring multiple access points for base bridge support in areas like a shipping yard, where a large radio coverage area is required. For more information on configuring the access point in respect to specific usage scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

NOTE: Since each access point can establish up to 3 simultaneous wireless connections, some of these connections could be redundant. If this is the case, the STP algorithm defines which links are the redundant links and disables those links from forwarding.

If an access point is configured as a base bridge (but not as a client bridge), it operates normally at boot time. The base bridge supports connections made by other client bridges.

The dual-radio model access point affords users better optimization of the mesh networking feature by enabling the access point to transmit to other mesh network members using one independent radio and transmit with associated MUs using the second independent radio. A single-radio access point has its channel utilization and throughput degraded in a mesh network, as the AP's single radio must process both mesh network traffic with other access points and MU traffic with its associated devices.

as base bridges, client bridges or repeaters within an access point support
362. hops, AP3 uses that link to forward traffic.

Mesh Deployment Issue 3 - Cannot select a WLAN name for a Client Bridge

You created a WLAN for mesh backhaul on an AP needed as a client bridge, but you don't get to select the WLAN name in the Mesh Network Name drop-down menu. Why?

Resolution

Check the WLAN configuration to ensure you have enabled the Enable Client Bridge Backhaul option.

Mesh Deployment Issue 4 - Do I need to map a WLAN to a radio when configuring mesh backhaul on a Client Bridge?

When creating a mesh backhaul WLAN on a client-bridge-only AP, do you need to map the WLAN on a radio?

Resolution

No, a client-bridge-only AP behaves just like an MU. It scans for base bridges and forms connections to them. It doesn't need to beacon on that WLAN. Therefore, while creating a mesh backhaul WLAN on a client-bridge-only AP, just enable the Enable Client Bridge Backhaul option.

Mesh Deployment Issue 5 - Do I need to use secure beacons on a mesh backhaul supported WLAN?

Can I use secure beacons on the mesh backhaul supported WLAN?

Resolution

Yes, you can enable a secure beacon on a mesh backhaul supported WLAN. In fact, it is a Motorola recommended practice.

Mesh Deployment Issue 6 - Is my mesh topology complete?

How can I determine if all my mesh APs are connected and the mesh topology is complete?

Resolution

Each mesh AP has a Known AP Table, available in the applet, CLI
363. https <cr> type ftp/tftp
file name    Certificate file name
https        If set to export apache certificate and key

Server options for this file are the same as that for the configuration file.

admin(system.cmgr)>expcert tftp AP 5lxlicerts txt

To configure AP-5131 or AP-5181 certificate management settings while conducting a firmware update or restoring a factory default configuration:

admin(system.cmgr)>

genreq         generate a certificate request
delself        deletes a signed certificate
loadself       loads a signed certificate signed by the CA
listself       lists the loaded signed self certificate
loadca         loads the root CA certificate
delca          deletes the root CA certificate
listca         lists the loaded root CA certificate
showreq        displays certificate request in PEM format
delprivkey     deletes the private key
listprivkey    lists the names of the private keys
expcert        exports the target certificate file
impcert        imports the target certificate file
               goes to the parent menu
               goes to the root menu
save           saves the configuration to system flash
quit           quits the CLI session

For information on configuring certificate settings using the applet (GUI), see Importing a CA Certificate on page 4-16.

AP51xx>admin(system.cmgr)> impcert

Description:

Imports the target certificate file.

Syntax:

impcert    Imports the target certificate file.

To import certificate information from an AP 51
364. humidity, vibration and dust.

- The Power Injector and Power Tap are not repeaters, and do not amplify the Ethernet data signal. For optimal performance, ensure the unit is placed as close as possible to the network data port.

2.6.1.2 Cabling the Power Injector and Power Tap

To install a Power Injector or Power Tap to an Ethernet data source and access point:

CAUTION: For Power Tap installations, an electrician is required to open the Power Tap unit, feed the power cable through the Line AC connector, secure the power cable to the unit's three-screw termination block and tighten the unit's Line AC clamp (by hand) to ensure the power cable cannot be pulled from the Power Tap enclosure. Only a certified electrician should conduct the installation.

CAUTION: Ensure AC power is supplied to the Power Injector or Power Tap (for AP-5181 installations) using an AC cable with an appropriate ground connection approved for the country of operation.

1. Connect an RJ-45 Ethernet cable between the network data supply (host) and the Power Injector's Data In or the Power Tap's DATA IN connector.
2. Connect an RJ-45 Ethernet cable between the Power Injector's Data & Power Out connector or the Power Tap's DATA/PWR OUT connector and the access point's LAN port.

access point non-operational. Only use a Power Injector or Power Tap

CAUTION: Cabling the Power Injector t
365. ia, South Africa, South Korea, Spain, Sri Lanka, Sweden, Switzerland, Taiwan, Thailand, Trinidad and Tobago, Turkey, Ukraine, UAE, United Kingdom, USA, Uruguay, Virgin Islands (British), Virgin Islands (US), Vietnam, Venezuela

Japan          JP
Jordan         JO
Kazakhstan     KZ
Kuwait         KW
Latvia         LV
Lebanon        LB
Liechtenstein  LI
Lithuania      LT
Luxembourg     LU
Macedonia      MK
Malaysia       MY
Malta          MT
Martinique     MQ

Usage Scenarios

This appendix provides practical usage scenarios for many of the access point's key features. This information should be referenced as a supplement to the information contained within this Product Reference Guide.

The following scenarios are described:

B.1 Configuring Automatic Updates using a DHCP or Linux BootP Server

This section provides specific details for configuring either a DHCP or Linux BootP Server to send firmware or configuration file updates to an access point.

The AutoUpdate feature updates the access point firmware and/or configuration automatically when the access point is reset or does a DHCP request. The update process is conducted over the LAN or WAN port, depending on which server responds first to the access point's request for an automatic update.

The firmware is automatically updated each time firmware versions are fo
366. ia FTP or TFTP
- MIB (Management Information Base)
- Command Line Interface (CLI) accessed via RS-232 or Telnet. Use the AP-5131's DB-9 serial port for direct access to the command line interface from a PC.

1.2.11 Updatable Firmware

Motorola periodically releases updated versions of device firmware to the Motorola Web site. If the firmware version displayed on the System Settings page (see Configuring System Settings on page 4-2) is older than the version on the Web site, Motorola recommends updating the access point to the latest firmware version for full feature functionality. An AP-5181 model access point does not support firmware earlier than 1.1.1.0.

For detailed information on updating the firmware using FTP or TFTP, see Updating Device Firmware on page 4-54.

1.2.12 Programmable SNMP v1/v2/v3 Trap Support

Simple Network Management Protocol (SNMP) facilitates the exchange of management information between network devices. SNMP uses Management Information Bases (MIBs) to manage the device configuration and monitor Internet devices in remote locations. MIB information accessed via SNMP is defined by a set of managed objects called Object Identifiers (OIDs). An object identifier (OID) is used to uniquely identify each object variable of a MIB.

SNMP allows a network administrator to configure the access point, manage network performance, find and solve network problems, and plan for
367. ial of service (DOS) attempts: Generates a trap whenever a Denial of Service (DOS) attack is detected by the access point firewall. A new trap is sent at the specified interval until the attack has stopped.

Send trap every: Defines the interval in seconds the access point uses to generate a trap until the Denial of Service attack is stopped. Default is 10 seconds.

Generates a trap whenever the status changes on the access point. The physical port status changes when a link is lost between the access point and a connected device.

Generates a trap whenever domain name information is updated as a result of the IP address associated with that domain being modified.

5. Configure the System Traps field to generate traps when the access point re-initializes during transmission or saves its configuration file. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.

System Cold Start: Generates a trap when the access point re-initializes while transmitting, possibly altering the SNMP agent's configuration or protocol entity implementation.

Configuration Changes: Generates a trap whenever changes to the access point's configuration file are saved.

Rogue AP Detection: Generates a trap if a Rogue AP is detected by the access point.

AP Radar Detection: Generates a trap if an AP is detected using a form of radar detection.

MU Hotspot Status

VLAN

LAN Monitor

WPA Counter Measure: Generates a tra
368. ic (a potentially unnecessary) frames from being processed by the access point in order to improve throughput. These include certain broadcast frames from devices that consume bandwidth, but are unnecessary to access point operations.

Use the Ethernet Type Filter Configuration screen to build a list of filter types and configure them as either allowed or denied for use with this particular LAN.

To configure type filtering on the access point:

1. Select Network Configuration -> LAN -> LAN1 (or LAN2) -> Type Filter from the access point menu tree.

The Ethernet Type Filter Configuration screen displays for the LAN. No Ethernet types are displayed (by default) when the screen is first launched.

[Screenshot: LAN1 Ethernet Type Filter Configuration screen]

2. Use the all ethernet types, except drop-down menu to designate whether the Ethernet Types defined for the LAN are allowed or denied for use by the access point.
3. To add an Ethernet type, click the
369. ic SNMP traps on the access point:

1. Select System Configuration -> SNMP Access -> SNMP Traps from the menu tree.

[Screenshot: SNMP Traps screen with MU Traps, SNMP Traps, Network Traps and System Traps fields]

Configure the MU Traps field to generate traps for MU associations, MU association denials and MU authentication denials. When a trap is enabled, a trap is sent every 10 seconds until the condition no longer exists.

MU associated: Generates a trap when an MU becomes associated with one of the access point's WLANs.

MU unassociated: Generates a trap when an MU becomes unassociated with (or gets dropped from)
370. ic leaving the access point's LAN1, LAN2 or WLAN (1-16) in route to a client is classified as Outgoing traffic.

To filter packets to better segregate desired versus undesired data traffic:

1. Select Network Configuration -> IP Filtering from the access point menu tree.

[Screenshot: IP Filtering screen with IP Filter table]

When the IP Filtering screen is initially displayed, there are no default filtering policies, and they must be created.

NOTE: With IP Filtering, users can only define a destination port, not a source port.

2. Click the Add button to define the attributes of a new IP Filtering policy. The following policy (or filtering rule) attributes require definition:

Filter name: Create a name for the filter policy unique to its function in order to differentiate it from others that may have somewhat similar configurations.

Protocol: Specify the protocol used for the filter policy. The options are ALL, TCP, UDP, ICMP, PIM, GRE, RSVP, IDP, PUP, EGP, IPIP, ESP, AH, IGMP, IPV6, COMPR_H and RAW_IP. The protocol number can also be used as the protocol name. This allows the use of protocols that are not within the drop dow
371. icate Authority.

- UFQDN: Select this item if the remote ID type is a user unqualified email address (such as johndoe@motorola.com). The setting for this field does not have to be unqualified, it just must match the setting of the field of the Certificate Authority.

If FQDN or UFQDN is selected, specify the data (either the qualified domain name or the user name) in the Remote ID Data field.

IKE Authentication Mode: Select the appropriate IKE authentication mode.
- Pre-Shared Key (PSK): Specify an authenticating algorithm and passcode used during authentication.
- RSA Certificates: Select this option to use RSA certificates for authentication purposes. See the CA Certificates and Self certificates screens to create and import certificates into the system.

IKE Authentication Algorithm: IKE provides data authentication and anti-replay services for the VPN tunnel. Select an authentication method from the drop-down menu.
- MD5: Enables the Message Digest 5 algorithm. No keys are required to be manually provided.
- SHA1: Enables Secure Hash Algorithm. No keys are required to be manually provided.

IKE Authentication Passphrase: If you selected Pre-Shared Key as the authentication mode, you must provide a passphrase.

Key Lifetime

IKE Encryption Algorithm: Select the encryption and authentication algorithms for the VPN tunnel from the drop-down menu.
- DES: Uses the DES enc
372. ics -> LAN Stats -> LAN1 Stats (or LAN2 Stats) -> STP Stats from the access point menu tree.

[Screenshot: LAN1 STP Statistics screen with Spanning Tree Info field and Port Interface Table]

2. Refer to the Spanning Tree Info field for details on spanning tree state and root access point designation.

Spanning Tree State: Displays whether the spanning tree state is currently enabled or disabled. The spanning tree state must be enabled for a unique spanning-tree calculation to occur when the bridge is powered up or when a topology change is detected.

Designated Root: Displays the access point MAC address of the bridge defined as the root bridge in the Bridge STP Configuration screen. For information on defining an access point as a root bridge, see Setting the LAN Configuration for Mesh Networking Support on page 9-6.

Bridge ID: The Bridge ID identifies the priority and ID of the bridge sending the message
374. ients are WMM capable and have WMM enabled. WMM-enabled devices can take advantage of their QoS functionality only if using applications that support WMM, and can assign an appropriate priority level to the traffic streams they generate.

5. Use the two Multicast Address fields to specify one or two MAC addresses to be used for multicast applications. Some VoIP devices make use of multicast addresses. Using this mechanism ensures that the multicast packets for these devices are not delayed by the packet queue.

6. Use the drop-down menu to select the radio traffic best representing the network requirements of this WLAN. Options include:

manual: Select the manual option if intending to manually set the Access Categories for the radio traffic within this WLAN. Only advanced users should manually configure the Access Categories, as setting them inappropriately could negatively impact the access point's performance.

11ag - wifi: Use this setting for high-end multimedia devices using the high-rate 802.11a or 802.11g radio.

11b - wifi: Use this setting for high-end multimedia devices that use the 802.11b radio.

11ag - default: Use this setting for typical "data-centric" MU traffic over the high-rate 802.11a or 802.11g radio.

11b - default: Use this setting for typical "data-centric" MU traffic over the 802.11b radio.

11ag voice: Use this setting for "Voice Over IP" traffic over the high rat
375. ies

Displays the IP address of each of the associated MUs.

Displays the MAC address of each of the associated MUs.

Displays the WLAN name each MU is interoperating with.

Displays the name of the 802.11a or 802.11b/g radio each MU is associated with.

Displays the total throughput in Megabits per second (Mbps) for each associated MU.

Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each associated MU.

Displays the average number of retries per packet. A high number of retries could indicate possible network or hardware problems.

Monitoring Statistics 7-29

Hotspot: Displays whether this radio is currently supporting a hotspot.

3. Click the Refresh button to update the data collections displayed without resetting the data collections to zero.

4. Click the Echo Test button to display a screen for verifying the link with an associated MU. For detailed information on conducting a ping test for an MU, see Pinging Individual MUs on page 7-32.

NOTE: An echo test initiated from the access point MU Stats Summary screen uses WNMP pings. Therefore, target clients that are not Motorola MUs are unable to respond to the echo test.

5. Click the MU Authentication Statistics button to display a screen with detailed authentication statistics for an MU. For information on individual MU authentication statistics, see MU Authentication Statistics on page 7-33.

6. Click the MU Details button to display a screen with detai
376. ies transmitted by an access point radio and whether those retries contained any data packets. Use this information in combination with the error fields within a Radio Stats screen to assess overall radio performance.

To display a Retry Histogram screen for an access point radio:

1. Select Status and Statistics > Radio Stats > Radio1[802.11b/g] Stats > Retry Histogram from the access point menu tree.

A Radio Histogram screen is available for each access point radio (regardless of single or dual-radio model).

[Figure: Radio1 [802.11b/g] Retry Histogram screen]

The table's first column shows 0 under Retries. The value under the Packets column directly to the right shows the number of packets transmitted by this access point radio that required 0 retries (delivered on the first attempt). As you go down the table you can see the number of packets requiring 1 retry, 2 retries etc. Use this information to assess whether an abundance of retries warrants reconfiguring the access point radio to achieve better performa
377. ificate Request

[Figure: Certificate Request screen]

The Certificate Request screen displays.

3. Complete the request form with the pertinent information. Only 4 values are required; the others are optional.

Key ID: Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.

Subject: The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.

Signature Algorithm: Use the drop-down menu to select the signature algorithm used for the certificate. Options include:

• MD5-RSA: Message Digest 5 algorithm in combination with RSA encryption.
• SHA1-RSA: Secure Hash Algorithm 1 in combination with RSA encryption.

Key Length: Defines the length of the key. Possible values are 512, 1024, and 2048.

4. When the form is completed, click the Generate button.

The Certificate Request screen disappears and the ID of the generated certificate request displays in the drop dow
378. iguration > LAN from the access point menu tree.

2. Ensure the Enable 802.1q Trunking button is selected from within the LAN Setting field.

Trunk links are required to pass VLAN information between destinations. A trunk port is by default a member of all the VLANs existing on the access point and carries traffic for all those VLANs. Trunking is a function that must be enabled on both sides of a link.

3. Select the VLAN Name button.

[Figure: VLAN Name screen]

The VLAN name screen displays. The first time the screen is launched, a default VLAN name of 1 and a default VLAN ID of 1 display. The VLAN name is auto-generated once the user assigns a VLAN ID. However, the user has the option of re-assigning a name to the VLAN using the New VLAN and Edit VLAN screens.

To create a new VLAN, click the Add button; to edit the properties of an existing VLAN, click the Edit button.

[Figure: New VLAN and Edit VLAN screens]

Assign a unique VLAN ID (from 1 to 4095) to each VLAN added or modified.

The VLAN ID associates a frame with a specific VLAN and provides the information the access point needs to process the frame across the network. Therefore, it may be practical to assign a name to a VLAN representative of the area or type of net
379. iguration 4-31

Configure the SNMP v1/v2 Configuration field (if SNMP v1/v2 is used) to add or delete community definitions, name the community, specify the OID and define community access.

Add: Click Add to create a new SNMP v1/v2c community definition.

Delete: Select Delete to remove a SNMP v1/v2c community definition.

Community: Use the Community field to specify a site-appropriate name for the community. The name is required to match the name used within the remote network management software.

OID: Use the OID (Object Identifier) pull-down list to specify a setting of All or enter a Custom OID. Select All to assign the user access to all OIDs in the MIB. The OID field uses numbers expressed in dot notation.

Access: Use the Access pull-down list to specify read-only (R) access or read/write (RW) access for the community. Read-only access allows a remote device to retrieve access point information, while read/write access allows a remote device to modify access point settings.

Configure the SNMP v3 User Definitions field (if SNMP v3 is used) to add and configure SNMP v3 user definitions.

SNMP v3 user definitions allow read-only or read/write access to management information as appropriate.

Add: Click Add to create a new entry for an SNMP v3 user.

Delete: Select Delete to remove an entry for an SNMP v3 user.

Username: Specify a username by typing an alphanumeric string of up to 31 characters.

Security Level: Use
380. iguration screen enables you to configure the single radio for either 802.11a or 802.11b/g use. The Radio Configuration screen contains two radio buttons whose selection is mutually exclusive.

If the access point is a dual-radio model, the Radio Configuration screen enables you to configure one radio for 802.11a use and the other for 802.11b/g (no other alternatives exist for the dual-radio model). Using a dual-radio access point, individual 802.11a and 802.11b/g radios can be enabled or disabled using the Radio Configuration screen checkboxes.

NOTE: This section describes mesh networking (setting the radio's base and client bridge configuration) at a high level. For a detailed overview on the theory of mesh networking, see Mesh Networking Overview on page 9-1. For detailed information on the implications of setting the mesh network configuration, see Configuring Mesh Networking Support on page 9-6. To review mesh network deployment scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

The Radio Configuration screen displays with two tabs, one tab for each of the access point's radios. Verify both tabs are selected and configured separately to enable the radio(s) and set their mesh networking definitions.

To set the access point radio configuration (this example is for a dual-radio access point):

1. Select Network Configuration > Wireless > Radio Configuration from the access point menu tree.

Network Management 5 5
381. ile.

Syntax:

view    Displays the entire access point system log file.

Example:

admin(system.logs)>view
Jan 7 16 14 00  none  syslogd 1 4 1  restart  remote reception
Jan 7 16 14 10  none  klogd   ps log fc  queue maintenance
Jan 7 16 14 41  none  klogd   ps log fc  queue maintenance
Jan 7 16 15 43  none  last message repeated 2 times
Jan 7 16 16 01  none  CC  4 16pm up 6 days  16 16  load average  0 00  0 01   0 00
Jan 7 16 16 01  none  CC  Mem  62384 32520 29864  0 0
Jan 7 16 16 01  none  CC  0000077e 0012e95b 0000d843 00000000 00000003 0000121  e 00000000 00000000 0037ebf7 000034dc 00000000 00000000 00000000
Jan 7 16 16 13  none  klogd   ps log fc  queue maintenance
Jan 7 16 16 44  none  klogd   ps log fc  queue maintenance
Jan 7 16 17 15  none  klogd   ps log fc  queue maintenance
Jan 7 16 17 15  none  klogd   ps log fc  queue maintenance

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-47.

AP51xx>admin(system.logs)> delete

Description:

Deletes the log files.

Syntax:

delete    Deletes the access point system log file.

Example:

admin(system.logs)>delete

For information on configuring logging settings using the applet (GUI), see Logging Configuration on page 4-47.

AP51xx>admin(system.logs)> send

Description:

Sends log and core file to an FTP Server.

Syntax:

send    Sends
382. imum threshold for the total throughput in Mbps (Megabits per second).

Average Bit Speed: Enter a minimum threshold for the average bit speed in Mbps (Megabits per second).

Average Signal: Enter a minimum threshold for the average signal strength in dBm for each device.

System Configuration 4-43

Average Retries: Set a maximum threshold for the average number of retries for each device.

% Dropped: Enter a maximum threshold for the total percentage of packets dropped for each device. Dropped packets can be caused by poor RF signal or interference on the channel.

% Undecryptable: Define a maximum threshold for the total percentage of packets undecryptable for each device. Undecryptable packets can be the result of corrupt packets, bad CRC checks or incomplete packets.

Associated MUs: Set a maximum threshold for the total number of MUs associated with each device.

3. Configure the Minimum Packets field to define a minimum packet throughput value for trap generation.

Minimum number of packets required for a trap to fire: Enter the minimum number of packets that must pass through the device before an SNMP rate trap is sent. Motorola recommends using the default setting of 1000 as a minimum setting for the field.

4. Click Apply to save any changes to the SNMP RF Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

5. Click Undo Changes (if necessary) to undo any change
383. ing Apply results in all changes to the screens being lost.

CAUTION: When defining a Mesh configuration and changes are saved, the mesh network temporarily goes down. The mesh network is unavailable because the access point radio goes down when applying the changes. This can be problematic for users making changes within a deployed mesh network. If updating the mesh network using a LAN connection, the access point applet loses connection and the connection must be re-instated. If updating the mesh network using a WAN connection, the applet does not lose connection, but the mesh network is unavailable until the changes have been applied.

18. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radio Configuration screen to the last saved configuration.

19. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

Once the target radio has been enabled from the Radio Configuration screen, configure the radio's properties by selecting it from the AP-5131 menu tree.

For additional information on configuring the access point's radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-56. For two fictional deployment scenarios, see Mesh Network Deployment - Quick Setup on page 9-20.

9.3 Mesh Network Deployment - Quick Setup

This section provides ins
384. ing Network Time Protocol (NTP) on page 4-43.

AP51xx>admin(system.ntp)> set

Description:

Sets NTP parameters for access point clock synchronization.

Syntax:

set mode <ntp-mode>      Enables or disables NTP.
    server <idx> <ip>    Sets the NTP server IP address.
    port <idx> <port>    Defines the port number.
    intrvl <period>      Defines the clock synchronization interval used between the access point and the NTP server in minutes (15 - 65535).
    time <time>          Sets the current system time: yyyy - year, mm - month, dd - day of the month, hh - hour of the day, mm - minute, ss - second, zone idx - index of the zone.
    zone <zone>          Defines the time zone (by index) for the target country.

Example:

admin(system.ntp)>set mode enable
admin(system.ntp)>set server 1 203.21.37.18
admin(system.ntp)>set port 1 123
admin(system.ntp)>set intrvl 15
admin(system.ntp)>set zone 1

For information on configuring NTP using the applet (GUI), see Configuring Network Time Protocol (NTP) on page 4-43.

8.4.8 System Log Commands

AP51xx>admin(system)> logs

Description:

Displays the access point log submenu. Logging options include:

Syntax:

show      Shows logging options.
set       Sets log options and parameters.
view      Views system log.
delete    Deletes the system log.
send      Sends log to the designated FTP Server.
..        Goes to the parent menu
385. ing as well as details on configuring the access point's mesh networking functionality, see Configuring Mesh Networking on page 9-1.

1.2.25 Additional LAN Subnet

In a typical retail or small office environment (wherein a wireless network is available along with a production WLAN), it is frequently necessary to segment a LAN into two subnets. Consequently, a second LAN is necessary to "segregate" wireless traffic.

The access point has a second LAN subnet enabling administrators to segment the access point's LAN connection into two separate networks. The main access point LAN screen allows the user to select either LAN1 or LAN2 as the active LAN over the access point's Ethernet port. Both LANs can still be active at any given time, but only one can transmit over the access point's physical LAN connection. Each LAN has a separate configuration screen (called LAN 1 and LAN 2 by default) accessible under the main LAN screen. The user can rename each LAN as necessary. Additionally, each LAN can have its own Ethernet Type Filter configuration and subnet access (HTTP, SSH, SNMP and telnet) configuration.

For detailed information on configuring the access point for additional LAN subnet support, see Configuring the LAN Interface on page 5-1.

1.2.26 On-board Radius Server Authentication

The access point has the ability to work as a Radius Server to provide user database information and user authentication. Several new screens have been added to the a
386. ings page (see Configuring System Settings on page 4-2) is older than the version on the Web site, Motorola recommends updating the access point to the latest firmware version for full feature functionality.

The access point's automatic update feature updates the access point's firmware and configuration file automatically when the access point is reset or when the access point initiates a DHCP request.

The firmware is automatically updated each time firmware versions are found to be different between what is running on the access point and the firmware file located on the server. The configuration file is automatically updated when the configuration file name on the server is different than the name of the file previously loaded on the access point, or when the file version (on the server) is different than the version currently in use on the access point.

Additionally, the configuration version can be manually changed in the text file to cause the configuration to be applied when required. The parameter name within the configuration file is "cfg-version-1.1-01". The access point only checks the two characters after the third hyphen (01) when making a comparison. Change the last two characters to update the access point's configuration. The two characters can be alpha-numeric.

Upgrading from a legacy to a new firmware version is a two-step process requiring the same upgrade procedure to be repeated twice. The first up
387. int information, while read/write access allows a user to modify access point settings.

4. Specify the users who can read and optionally modify the SNMP capable client.

SNMP Access Control: Click the SNMP Access Control button to display the SNMP Access Control screen for specifying which users can read SNMP-generated information and potentially modify related settings from an SNMP-capable client. The SNMP Access Control screen's Access Control List (ACL) uses Internet Protocol (IP) addresses to restrict access to the AP's SNMP interface. The ACL applies to both SNMP v3 user definitions and SNMP v1/v2c community definitions. For detailed instructions on configuring SNMP user access and modification privileges, see Configuring SNMP Access Control on page 4-33.

5. If configuring SNMP v3 user definitions, set the SNMP v3 engine ID.

AP-51xx SNMP v3 Engine ID: The access point SNMP v3 Engine ID field lists the unique SNMP v3 Engine ID for the access point. This ID is used in SNMP v3 as the source for a trap, response or report. It is also used as the destination ID when sending get, getnext, getbulk, set or inform commands.

6. Click Apply to save any changes to the SNMP Access screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

7. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the S
388. interoperate within the new or revised WLAN. The maximum (and default) is 127. However, each access point can only support a maximum 127 MUs spanned across its 16 available WLANs. If you intend to define numerous WLANs, ensure each is using a portion of the 127 available MUs and the sum of the supported MUs across all WLANs does not exceed 127.

Define an MU idle interval (in minutes) for this individual WLAN. If the idle timeout is exceeded (and the selected radio(s) does "hear" the MU), the MU must re-establish its login credentials to continue using the WLAN's resources. Any MU traffic resets the clock, including broadcast and multicast MU traffic. Imported and exported configurations retain their defined MU idle timeout configurations. The default MU idle timeout is 30 minutes for each WLAN.

Select the Enable Client Bridge Backhaul checkbox to make the WLAN available in the WLAN drop-down menu within the Radio Configuration screen. This checkbox can be ignored for WLANs not supporting mesh networking, to purposely exclude them from the list of WLANs available in the Radio Configuration page selected specifically for mesh networking support. Only WLANs defined for mesh networking support should have this checkbox selected.

Enable Hotspot: Select the Enable Hotspot checkbox to allow this WLAN (whether it be a new or existing WLAN) to be configured for hotspot support. Clicking the Configure Hotspot button launches
389. ipping sequence enables the receiving MU to recreate the original data pattern, even if bits in the chipping sequence are corrupted by interference.

The ratio of chips per bit is called the spreading ratio. A high spreading ratio increases the resistance of the signal to interference. A low spreading ratio increases the bandwidth available to the user. The access point uses different modulation schemes to encode more bits per chip at higher data rates. The access point is capable of a maximum 54Mbps data transmission rate (802.11a radio), but the coverage area is less than that of an access point operating at lower data rates, since coverage area decreases as bandwidth increases.

Introduction

1.3.5 MU Association Process

An access point recognizes MUs as they begin the association process. An access point keeps a list of the MUs it services. MUs associate with an access point based on the following conditions:

• Signal strength between the access point and MU
• Number of MUs currently associated with the access point
• MUs encryption and authentication capabilities
• MUs supported data rate

MUs perform pre-emptive roaming by intermittently scanning for access points and associating with the best available access point. Before roaming and associating, MUs perform full or partial scans to collect statistics and determine the direct sequence channel used by the access point.

Scanning is a periodic process where the MU sends out probe messages
390. iption:

Displays the access point's system summary.

Syntax:

summary    Displays a summary of high-level characteristics and settings for the WAN, LAN and WLAN.

Example:

admin>summary
AP-51xx firmware version    2.2.0.0-xxx
country code                us
ap-mode                     independent
serial number               00A0F8716A74
WLAN 1
WLAN Name                   WLAN1
ESS ID                      101
Radio                       11a, 11b/g
VLAN                        VLAN1
Security Policy             Default
QoS Policy                  Default
LAN1 Name                   LAN1
LAN1 Mode                   enable
LAN1 IP                     0.0.0.0
LAN1 Mask                   0.0.0.0
LAN1 DHCP Mode              server
LAN2 Name                   LAN2
LAN2 Mode                   enable
LAN2 IP                     192.235.1.1
LAN2 Mask                   255.255.255.0
LAN2 DHCP Mode              server
WAN Interface   IP Address      Network Mask       Default Gateway   DHCP Client
enable          172.20.23.10    255.255.255.192    172.20.23.20      enable

For information on displaying a system summary using the applet (GUI), see Basic Device Configuration on page 3-5.

AP51xx>admin> ..

Description:

Displays the parent menu of the current menu.

This command appears in all of the submenus under admin. In each case, it has the same function: to move up one level in the directory structure.

Example:

admin(network.lan)>..
admin(network)>

AP51xx>admin> /

Description:

Displays the root menu, that is, the top-level CLI menu.

This command appears in all of the submenus under admin. In each case, it has the same function: to move up to the top level in the directory structure.

Example:

admin
391. iquely identify each object variable of a MIB. The AP-5131 MIB can be used with an AP-5181 model access point (there is no separate MIB for an AP-5181 model access point). The access point Web download package contains the following 2 MIB files:

• Symbol-CC-WS2000-MIB-2.0 (common MIB file)
• Symbol-AP-5131-MIB (AP-5131 specific MIB file)

NOTE: The Symbol-AP-5131-MIB contains the majority of the information contained within the Symbol-CC-WS2000-MIB-2.0 file. This feature-rich information has been validated with the Motorola WS2000 and proven reliable. The remaining portion of the Symbol-AP-5131-MIB contains supplemental information unique to the access point feature set.

If using the Symbol-CC-WS2000-MIB-2.0 and/or Symbol-AP-5131-MIB to configure the AP-5131, use the table below to locate the MIB where the feature can be configured.

Feature: MIB
LAN Configuration: Symbol-AP-5131-MIB
VLAN Configuration: Symbol-AP-5131-MIB
802.1x Port Authentication: Symbol-AP-5131-MIB
Ethernet Type Filter Configuration: Symbol-AP-5131-MIB
Wireless Configuration: Symbol-AP-5131-MIB
Subnet Configuration: Symbol-CC-WS2000-MIB-2.0
DHCP Server Configuration: Symbol-CC-WS2000-MIB-2.0
Advanced DHCP Server configuration: Symbol-CC-WS2000-MIB-2.0
WAN IP Configuration: Symbol-CC-WS2000-MIB-2.0
PPP Over Ethernet: Symbol-CC-WS2000-MIB-2.0
Security Configuration: Symbol-AP-5131-MIB
NAT Addr
392. is used to measure the age of the received protocol information recorded for a port, and to ensure the information is discarded when it exceeds the value set for the Maximum Message age timer.

The Hello Time is the time between each bridge protocol data unit sent. This time is equal to 2 seconds (sec) by default, but you can tune the time to be between 1 and 10 sec. If you drop the hello time from 2 sec to 1 sec, you double the number of bridge protocol data units sent/received by each bridge. The 802.1d specification recommends the Hello Time be set to a value less than half of the Max Message age value.

The Forward Delay is the time spent in the listening and learning state. This time is equal to 15 sec by default, but you can tune the time to be between 4 and 30 sec. The 802.1d specification recommends the Forward Delay be set to a value greater than half the Max Message age timeout value.

The Forwarding Table Parameter value defines the length of time an entry will remain in a bridge's forwarding table before being deleted due to lack of activity. If the entry is replenished by a destination generating continuous traffic, this timeout value will never be invoked. However, if the destination becomes idle, the timeout value represents the length of time that must be exceeded before an entry is deleted from the forwarding table.

Configuration can be saved by clicking the Apply button.

7. Click Cancel to discard the changes made to the Mesh
393. is value is hard coded at the factory by the manufacturer and cannot be changed.

MUs: The number of MUs associated with the located access point.

Unit Name: Displays the name assigned to the access point using the System Settings screen. For information on changing the unit name, see Configuring System Settings on page 4-2.

2. Click the Clear Known AP Stats button to reset each of the data collection counters to zero in order to begin new data collections.

3. Click the Details button to display access point address and radio information.

[Figure: Known AP Details screen]

The Known AP Details screen displays the target AP's MAC address, IP address, radio channel, number of associated MUs, packet throughput per second, radio type(s), model, firmware version, ESS and client bridges currently connected to the AP radio. Use this information to determine whether this AP provides better MU association support than the locating access point or warrants consideration as a member of a different mesh network.

Click the Ping button to display a screen for verifying the link with a highlighted access point.

NOTE: A ping test initiated from the access
394. isable
MU Scan Interval               60 minutes
On Channel                     disable
Detector Radio Scan            enable
Auto Authorize Motorola APs    disable
Approved APs age out           0 minutes
Rogue APs age out              0 minutes

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

AP51xx>admin(network.wireless.rogueap)> set

Description:

Defines the access point ACL rogue AP method.

Syntax:

set mu-scan <mode>
    interval <minutes>
    on-channel <mode>
    detector-scan <mode>
    ABG-scan <mode>
    motorola-ap <mode>
    applst-ageout <minutes>
    roglst-ageout <minutes>

Example:

admin  network     admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network     admin  network     MU Scan    wireless     wireless   wireless   wireless   wireless   wireless   wireless   wireless     wireless     wireless     MU Scan Interval    On Channel    Detector Radio Scan

Enables or disables to permit MUs to scan for rogue APs.
Define an interval for associated MUs to beacon in attempting to locate rogue APs. Value not available unless mu-scan is enabled.
Enables or disables on-channel detection.
Enables or disables AP detector scan (dual-radio model only).
Enables or disables A/BG Detector Scan Mode.
Enables or disables th
395. isplaying Rogue AP Details

Before moving a rogue AP into the list of allowed APs within the Active APs screen, the device address and rogue detection information for that AP should be evaluated.

To evaluate the properties of a rogue AP:

1. Select Network Configuration > Wireless > Rogue AP Detection > Active APs from the access point menu tree.

2. Highlight a target rogue AP from within the Rogue APs table and click the Details button.

The Detail screen displays for the rogue AP.

[Figure: Rogue AP Detail screen]

3. Refer to the Rogue AP Detail field for the following information:

BSSID/MAC: Displays the MAC address of the rogue AP. This information could be useful if the MAC address is determined to be a Motorola MAC address and the device is interpreted as non-hostile and the device should be defined as an allowed AP.

ESSID: Displays the ESSID of the rogue AP. This information could be useful if the ESSID is determined to be non-hostile and the device should be defined as an allowed AP.

RSSI: Shows the Relative Signal Strength (RSSI) of the rogue AP. Use this information to assess how close the rogue AP is. The higher the RSSI,
396. itch's secret password on the AAP for the switch to authenticate it.

For additional information on defining the connection medium used by the access point to receive an AAP configuration, see Adaptive AP Setup on page 4-6.

To avoid a lengthy broken connection with the switch, Motorola recommends generating an SNMP trap when the AAP loses adoption with the switch.

NOTE: For additional information (in greater detail) on the AP configuration activities described above, see Adaptive AP Configuration on page 10-13.

Configuring the Switch for Adaptive AP Adoption

The tasks described below are configured on a Motorola WS5100 or a RFS6000/RFS7000 model switch. For information on configuring the switch for AAP support, see http://support.symbol.com/support/product/manuals.do.

To adopt an AAP on a switch:

1. Ensure enough licenses are available on the switch to adopt the required number of AAPs.

2. As soon as the AAP displays in the adopted list, adjust each AAP's radio configuration as required. This includes WLAN-radio mappings and radio parameters. WLAN-VLAN mappings and WLAN parameters are global and cannot be defined on a per-radio basis. WLANs can be assigned to a radio as done today for an AP300 model access port. Optionally, configure WLANs as independent and assign to AAPs as needed.

Configure each VPN tunnel with the VLANs to be extended to it.

If you do not attach the target VLAN, no data will be forwarded to
397. [Screenshot residue: radio statistics screen with RF Status fields (Avg MU Signal, Avg MU Noise, Avg MU SNR), Errors fields (Avg Num of Retries, Dropped Packets, Undecryptable Pkts) and a Clear Radio Stats button.]
2. Refer to the Information field to view the access point 802.11a or 802.11b/g radio's MAC address, placement and transmission information.
HW Address: The Media Access Control (MAC) address of the access point housing the 802.11a radio. The MAC address is set at the factory and can be found on the bottom of the access point. For more information on how access point MAC addresses are assigned, see AP-51xx MAC Address Assignment on page 1-30.
Radio Type: Displays the radio type (either 802.11a or 802.11b/g).
Power: The power level in milliwatts (mW) for RF signal strength. To change the power setting for the radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.
Active WLANs: Lists the access point WLANs adopted by the 802.11a or 802.11b/g radio.
Placement: Lists whether the access point radio is indoors or outdoors. To change the placement setting, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.
Num Associated MUs:
Current Channel: Indicates the channel for communications between the access point radio and its associated MUs. To change the channel setting, see Configuri
398. its the properties of an existing security policy.
delete   Removes a specific security policy.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves the configuration to system flash.
quit     Quits the CLI.
For information on the security configuration options available to the access point using the applet (GUI), see Configuring Security Options on page 6-2.
AP51xx>admin(network.wireless.security)> show
Description: Displays the access point's current security configuration.
Syntax:
show summary       Displays list of existing security policies (1-16).
     policy <id>   Displays the specified security policy <id>.
Example:
admin(network.wireless.security)>show summary
Secu Policy Name   Authen   Encryption   Associated WLANs
1 Default          Manual   no encrypt   Lobby
2 WEP Demo         Manual   WEP 64       2nd Floor
3 Open             Manual   no encrypt   1st Floor
WPA Countermeasure enable
admin(network.wireless.security)>show policy 1
Policy Name      : Default
Authentication   : Manual Pre-shared key / No Authentication
Encryption type  : no encryption
Related Commands:
create   Defines security parameters for the specified WLAN.
For information displaying existing WLAN security settings using the applet (GUI), see Enabling Authentication and Encryption Schemes on page 6-5.
AP51xx>admin(network.wireless.security)> create
Description: Defines the parameter of access point security polici
399. k layer facility. The IP filtering mechanism does not know anything about the application using the network connections, only the connections themselves. For example, you can deny user access to an internal network on the default telnet port, but if you rely on IP filtering alone, you cannot stop people from using the telnet program with a port you allow to pass through your firewall.
There are a couple of important rules a packet adheres to when it's compared with the filter policy list:
• Packets are always filtered in sequential order; filtering always begins with the first filter policy displayed in the IP Filtering screen, then the second, third, and so on. The IP Filtering screen is invoked for LANs within the LAN1 or LAN2 screen and for WLANs within the New WLAN or Edit WLAN screen. It's from this screen that allow or deny designations are set for IP filtering.
• Packets are compared with lines of the filter policy list until a match is made. Once a packet matches a line of the list, it's acted upon, and no further comparisons take place. If inspected packets are determined to not be IP packets, they are permitted by the access point for their inbound or outbound destination.
Once you create a filter policy, apply it to an interface in either an incoming or outgoing direction.
• Traffic entering the access point's LAN1, LAN2 or WLAN (1-16) from a client is classified as Incoming traffic.
• Traff
400. k the Add button to create a new entry using only the Start MAC column to specify a MAC address, or using both the Start MAC and End MAC columns to specify a range of MAC addresses.
Delete: Click the Delete button to remove a selected list entry.
5. Click Apply to save any changes to the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen. Navigating away from the screen without clicking Apply results in changes to the screens being lost.
6. Click Cancel to securely exit the New MU ACL Policy or Edit MU ACL Policy screen and return to the Mobile Unit Access Control List Configuration screen.
7. Click Logout within the Mobile Unit Access Control List Configuration screen to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
5.3.1.3 Setting the WLAN Quality of Service (QoS) Policy
The access point can keep a list of QoS policies that can be used from the New WLAN or Edit WLAN screens to map to individual WLANs. Use the Quality of Service Configuration screen to configure WMM policies that can improve the user experience for audio, video and voice applications by shortening the time between packet transmissions for higher priority (multimedia) traffic.
Use the Quality of Service Configuration screen to define the QoS policies for advanced network traffic management and multimedia applications support. If the existing QoS policie
401. [Screenshot residue: per-access-category table (Background, Best Effort, Video, Voice) with CW Minimum and TXOPs Time (32usec and ms) columns.]
7. Select the Advanced Settings tab to strategically map BSSIDs to WLANs in order to define them as primary WLANs.
[Screenshot residue: Radio 1 [802.11b/g] Advanced Settings tab listing WLAN, BSSID, Cipher, Status and Message columns.]
Defining Primary WLANs allows an administrator to dedicate BSSIDs (4 BSSIDs are available for mapping) to WLANs. From that initial BSSID assignment, Primary WLANs can be defined from within the WLANs assigned to BSSID groups 1 through 4. Each BSSID beacons only on the primary WLAN.
The user should assign each WLAN to its own BSSID. In cases where more than four WLANs are required, WLANs should be grouped according to their security policies so all of the WLANs on a BSSID have the s
402. l 1 I 0 0 0 0 deny 255 0 0 0 255 0 0 0 65535 65535 nat port 33 2 33 3 0 0 10 10 1 1 tcp 1 1 11 11 1 0 allow 255 255 255 0 255 255 255 0 65535 65535 nat port 0
For information on configuring the Firewall options available to the access point using the applet (GUI), see Configuring Firewall Settings on page 6-27.
8.3.5 Network Router Commands
AP51xx>admin(network.router)>
Description: Displays the router submenu. The items available under this command are:
show     Displays the existing access point router configuration.
set      Sets the RIP parameters.
add      Adds user-defined routes.
delete   Deletes user-defined routes.
list     Lists user-defined routes.
..       Goes to the parent menu.
/        Goes to the root menu.
save     Saves the configuration to system flash.
quit     Quits the CLI.
AP51xx>admin(network.router)> show
Description: Shows the access point route table.
Syntax:
show   Shows the access point route table.
Example:
admin(network.router)>show routes
index  destination    netmask        gateway       interface  metric
1      192.168.2.0    255.255.255.0  0.0.0.0       lan1       0
2      192.168.1.0    255.255.255.0  0.0.0.0       lan2       0
3      192.168.0.0    255.255.255.0  0.0.0.0       lan1       0
4      192.168.24.0   255.255.255.0  0.0.0.0       wan        0
5      157.235.19.5   255.255.255.0  192.168.24.1  wan        1
Default gateway Interface : lan1
For information on configuring the Router options available to the access point using the applet (GUI
403. l time.
5. Select the Client Bridge checkbox to enable the access point radio to initiate client bridge connections with other mesh network supported access point radios on the same WLAN.
If the Client Bridge checkbox has been selected, use the Mesh Network Name drop-down menu to select the WLAN (ESS) the client bridge uses to establish a wireless link. The default setting is WLAN1. Motorola recommends creating (and naming) a WLAN specifically for mesh networking support to differentiate the Mesh supported WLAN from non-Mesh supported WLANs. For more information, see Configuring a WLAN for Mesh Networking Support on page 9-9.
Once the settings within the Radio Configuration screen are applied (for an initial deployment), the current number of base bridges visible to the radio displays within the BBs Visible field, and the number of base bridges currently connected to the radio displays within the BBs Connected field. If this is an existing radio within a mesh network, these values update in real time.
NOTE: Ensure you have verified the radio configuration for both Radio 1 and Radio 2 before saving the existing settings and exiting the Radio Configuration screen.
6. Click the Advanced button to define a prioritized list of access points to define mesh connection links.
[Screenshot residue: Radio 1 Advanced Client Bridge Settings screen, including an Available Base Bridge List.]
404. lacing the AP-5131 above a suspended ceiling and installing the provided light pipe under the ceiling tile for viewing the rear panel status LEDs of the unit. An above the ceiling AP-5131 installation enables installations compliant with drop ceilings, suspended ceilings and industry standard tiles from .625 to .75 inches thick.
NOTE: The AP-5131 is Plenum rated to UL2043 and NEC1999 to support above the ceiling installations.
CAUTION: Motorola does not recommend mounting the AP-5131 directly to any suspended ceiling tile with a thickness less than 12.7mm (0.5in) or a suspended ceiling tile with an unsupported span greater than 660mm (26in). Motorola strongly recommends fitting the AP-5131 with a safety wire suitable for supporting the weight of the device. The safety wire should be a standard ceiling suspension cable or equivalent steel wire between 1.59mm (.062in) and 2.5mm (.10in) in diameter.
The mounting hardware required to install the AP-5131 above a ceiling consists of:
• Light pipe
• Badge for light pipe
• Decal for badge
• Safety wire (strongly recommended)
• Security cable (optional)
To install the AP-5131 above a ceiling:
1. If possible, remove the adjacent ceiling tile from its frame and place it aside.
2. Install a safety wire, between 1.5mm (.06in) and 2.5mm (.10in) in diameter, in the ceiling space.
3. If required, install and attach a security cable to the AP-5131's lock port.
4. Mark a point
405. layed on the Proxy screen to the last saved configuration.
7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
6.14.4 Managing the Local User Database
Use the User Database screen to create groups for use with the Radius server. The database of groups is employed if Local is selected as the Data Source from the Radius Server screen. For information on selecting Local as the Data Source, see Configuring the Radius Server on page 6-64.
To add groups to the User database:
NOTE: Each group can be configured to have its own access policy using the Access Policy screen. For more information, see Defining User Access Permissions by Group on page 6-76.
1. Select System Configuration > User Authentication > User Database from the menu tree.
[Screenshot residue: User Database screen with a Users table (User ID, Password, List of Groups).]
NOTE: User should belong to at least one group for RADIUS to work.
Refer to the Groups field for a list of all groups in the local Radius database. The groups are listed in the order added. Although groups can be added and
406. le, the system time displays the access point uptime starting at 1970-01-01 00:00:00, with the time and date advancing.
3. Select the Set Date/Time button to display the Manual Date/Time Setting screen.
This screen enables the user to manually enter the access point's system time using a Year-Month-Day HH:MM:SS format.
This option is disabled when the Enable NTP checkbox has been selected, and therefore should be viewed as a second means to define the access point system time.
4. If using the Manual Date/Time Setting screen to define the access point's system time, refer to the Time Zone field to select the time to use as complementary information to the information entered within the Manual Date/Time Setting screen.
CAUTION: If using the Radius time-based authentication feature to authenticate access point user permissions, ensure UTC has been selected from the Time Zone field. If UTC is not selected, time-based authentication will not work properly. For information on configuring Radius time-based authentication, see Defining User Access Permissions by Group on page 6-76.
5. If using an NTP server to supply system time to the access point, configure the NTP Server Configuration field to define the server network address information required to acquire the access point network time.
Enable NTP on access point: Select the Enable NTP on access point checkbox to allow a
407. learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.
After the client bridge establishes at least one wireless connection (if configured to support mobile users), it begins beaconing and accepting wireless connections. If configured as both a client bridge and a base bridge, it begins accepting client bridge connections. Therefore, the mesh network could connect simultaneously to different networks in a manner whereby a network loop is not created and then the connection is not blocked. Once the client bridge establishes at least one wireless connection, it begins establishing other wireless connections as it finds them available. Thus, the client bridge is able to establish simultaneous redundant links.
A mesh network must use one of the two access point LANs. If intending to use the access point for mesh networking support, Motorola recommends configuring at least one WLAN (of the 16 WLANs available) specifically for mesh networking support.
The client bridge creates up to three connections if it can find base bridges for connection. If the connections are redundant (on the same network), then one connection will be forwarding and the others blocked. However, if each of the connections links to a different wired network, then none are redundant and all are forwarding. Thus, the bridge automatically detects and disables redundant connections, but leaves non-redundant connections forwarding. T
408. led statistics for a selected MU. For detailed information on individual MU authentication statistics, see Viewing MU Details on page 7-29.
7. Click the Clear All MU Stats button to reset each of the data collection counters to zero in order to begin new data collections.
8. Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
7.5.1 Viewing MU Details
Use the MU Details screen to display throughput, signal strength and transmit error information for a specific MU associated with the access point.
The MU Details screen is separated into four fields: MU Properties, MU Traffic, MU Signal, and MU Errors. The MU Properties field displays basic information such as hardware address, IP address, and associated WLAN and AP. Reference the MU Traffic field for MU RF traffic and throughput data. Use the RF Status field to reference information on RF signal averages from the target MU. The Error field displays RF traffic errors based on retries, dropped packets and undecryptable packets. The MU Details screen is view only with no user configurable data fields.
To view details specific to an individual MU:
1. Select Status and Statistics > MU Stats from the access point menu tree.
2. Highlight a specific MU.
3. Select the MU Details button.
4. Refer to the MU Properties field to view MU address information.
IP Addre
409. Enables or disables the access point's 802.11a radio.
Enables or disables the access point's 802.11b/g radio.
Sets the WLAN or WIPS sensor mode for the specified radio index <idx>.
Enables or disables base bridge mode.
Sets the maximum number of wireless bridge clients.
Enables or disables client bridge mode.
Sets the client bridge link timeout for the radio index.
Defines the client bridge WLAN name.
Defines dot11 level authentication algorithm to either open system only or shared key allowed.
admin(network.wireless.radio)>set 11a disable
admin(network.wireless.radio)>set 11bg enable
admin(network.wireless.radio)>set rf function 1 wlan
admin(network.wireless.radio)>set mesh base enable
admin(network.wireless.radio)>set mesh max 11
admin(network.wireless.radio)>set mesh client disable
admin(network.wireless.radio)>set mesh timeout 1 45
admin(network.wireless.radio)>set mesh wlan wlan1
admin(network.wireless.radio)>set dot11 auth shared key allowed
admin(network.wireless.radio)>show
Radio Configuration
Radio 1
Name                     : Radio 1
Radio Mode               : enable
RF Band of Operation     : 802.11b/g (2.4 GHz)
Wireless AP Configuration:
Base Bridge Mode         : enable
Max Wireless AP Clients  : 11
Client Bridge Mode       : disable
Clitn Bridge WLAN        : WLAN1
Mesh Connection Timeout  : 45 sec.
Dot11 Auth Algorithm     : shared key allowed
For information on configuring the Radio Configuration options available to the access point using th
410. lete     Deletes inbound NAT entries from the list.
add      Adds entries to the list of inbound NAT entries.
For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.
8.3.2.2 Network WAN, VPN Commands
AP51xx>admin(network.wan.vpn)>
Description: Displays the VPN submenu. The items available under this command include:
add       Adds VPN tunnel entries.
set       Sets key exchange parameters.
delete    Deletes VPN tunnel entries.
list      Lists VPN tunnel entries.
reset     Resets all VPN tunnels.
stats     Lists security association status for the VPN tunnels.
ikestate  Displays an Internet Key Exchange (IKE) summary.
..        Goes to the parent menu.
/         Goes to the root menu.
save      Saves the configuration to system flash.
quit      Quits the CLI.
For an overview of the VPN options available using the applet (GUI), see Configuring VPN Tunnels on page 6-36.
AP51xx>admin(network.wan.vpn)> add
Description: Adds a VPN tunnel entry.
Syntax:
add <name> <subnet idx> <local WAN IP> <remote subnet> <remote subnet mask> <remote gateway>
Creates a tunnel <name> (1 to 13 characters) to gain access through local WAN IP <local WAN IP> from the remote subnet with IP address <remote subnet> and subnet mask <remote subnet mask> using the remote gateway <remote
411. line cord to the power adapter.
Attach the power adapter cable into the power connector on the AP-5131.
e. Plug the power adapter into an outlet.
Verify the behavior of the AP-5131 LED lightpipe. For more information, see AP-5131 LED Indicators on page 2-23.
Place the ceiling tile back in its frame and verify it is secure.
The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.
2.8 AP-5131 LED Indicators
The AP-5131 utilizes seven LED indicators. Five LEDs display within four LED slots on the front of the AP-5131 (on top of the AP-5131 housing) and two LEDs (for above the ceiling installations) are located on the back of the device (the side containing the LAN, WAN and antenna connectors).
[Figure: top housing LEDs labeled Power and Error Conditions (Split LED), Data Over Ethernet, 802.11a Radio Activity and 802.11b/g Radio Activity.]
The five LEDs on the top housing of the AP-5131 are clearly visible in table-top, wall and below ceiling installations. The five AP-5131 top housing LEDs have the following display and functionality:
Power Status: Solid white indicates the AP-5131 is adequately powered. Solid red indicates the AP-5131 is experiencing a problem condition requi
412. lity greatly enhances the efficiency for high data rate traffic such as streaming video.
9. Click Apply to save any changes to the New QoS Policy or Edit QoS Policy screen to return to the Quality of Service Configuration screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.
10. Click Cancel to securely exit the New QoS Policy or Edit QoS Policy screen and return to the Quality of Service Configuration screen.
11. Click Logout within the Quality of Service Configuration screen to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
U-APSD (WMM Power Save) Support
The access point now supports Unscheduled Automatic Power Save Delivery (U-APSD), often referred to as WMM Power Save. U-APSD provides a periodic frame exchange between a voice capable MU and the access point during a VoIP call, while legacy power management is still utilized for typical data frame exchanges. The access point and its associated MU activate the new U-APSD power save approach when a VoIP traffic stream is detected. The MU then buffers frames from the voice traffic stream and sends a VoIP frame with an implicit "poll" request to its associated access point. The access point responds to the poll request with buffered VoIP stream frame(s). When a voice-enabled MU wakes up at a designated VoIP frame interval, it sends a VoIP frame with an implicit "poll" request to its
413. ll not work properly. For information on configuring Radius time-based authentication, see Defining User Access Permissions by Group on page 6-76.
CAUTION: If using the Radius time-based authentication feature to authenticate
To manage clock synchronization on the access point:
1. Select System Configuration > Date/Time from the access point menu tree.
[Screenshot residue: Date/Time screen showing the Current Time and Time Zone fields, Manual Time Settings, and the NTP Server Configuration field (Enable NTP, Preferred, First Alternate and Second Alternate Time Server with IP Address and Port (default 123), Synchronization Interval).]
2. From within the Current Time field, click the Refresh button to update the time since the screen was displayed by the user. The Current Time field displays the current time based on the access point system clock. If NTP is disabled or if there are no servers availab
414. llow AAP configuration data to reach a switch using a secure VPN tunnel.
If using IPSec as the tunnel resource, enter the IPSec Passkey to ensure IPSec connectivity.
7. Click Apply to save the changes to the AAP setup.
NOTE: The manual AAP adoption described above can also be conducted using the access point's CLI interface using the admin(system.aapsetup)> command.
10.4.1.2 Adopting an Adaptive AP Using a Configuration File
To adopt an AAP using a configuration file:
1. Refer to Adopting an Adaptive AP Manually and define the AAP switch connection parameters.
2. Export the AAP's configuration to a secure location.
Either import the configuration manually to other APs or the same AP later (if you elect to default its configuration). Use DHCP option 186 and 187 to force a download of the configuration file during startup (when it receives a DHCP offer).
For instruction on how to use the access point's configuration import/export functionality, see Importing/Exporting Configurations on page 4-49.
For information on updating the access point's firmware, see Updating Device Firmware on page 4-54.
10.4.1.3 Adopting an Adaptive AP Using DHCP Options
An AAP can be adopted to a wireless switch by providing the following options in the DHCP Offer:
Option  Data Type  Value
189     String     <Switch IP Address or Range of IP addresses separated by <space>>
190     String     <Fully qualified Dom
415. login to the hotspot again to access the hotspot supported WLAN. The default timeout interval is 15 minutes.
NOTE: The Enable Hotspot User Timeout option is only available if using the access point's internal Radius Server for user authentication.
6. Click the White List Entries button (within the WhiteList Configuration field) to create a set of allowed destination IP addresses. These allowed destination IP addresses are called a White List. Ten configurable IP addresses are allowed for each WLAN. For more information, see Defining the Hotspot White List on page 5-50.
NOTE: If using an external Web Server over the WAN port, and the hotspot's HTTP pages (login or welcome) redirect to the access point's WAN IP address for CGI scripts, the IP address of the external Web server and the access point's WAN IP address should be entered in the White List.
7. Refer to the Radius Accounting field to enable Radius accounting and specify the timeout and retry value for the Radius server.
Enable Accounting: Select the Enable Accounting checkbox to enable a Radius Accounting Server used for Radius authentication for a target hotspot user.
Server Address: Specify an IP address for the external Radius Accounting server used to provide Radius accounting for the hotspot. If using this option, an internal Radius server cannot be used. The IP address of the internal Radius server is fixed at 127.0.0
416. lows for blocking of specific HTTP commands going outbound on the access point WAN port. HTTP blocks commands on port 80 only. The Block Outbound HTTP option allows blocking of the following (user selectable) outgoing HTTP requests:
• Web Proxy - Blocks the use of Web proxies by clients.
• ActiveX - Blocks all outgoing ActiveX requests by clients. Selecting ActiveX only blocks traffic (scripting language) with an .ocx extension.
Block Outbound URL Extensions: Enter a URL extension or file name per line in the format of filename.ext. An asterisk (*) can be used as a wildcard in place of the filename to block all files with a specific extension.
3. Configure the SMTP field to disable or restrict specific kinds of network mail traffic.
Block Outbound SMTP Commands: Simple Mail Transport Protocol (SMTP) is the Internet standard for host-to-host mail transport. SMTP generally operates over TCP on port 25. SMTP filtering allows the blocking of any or all outgoing SMTP commands. Check the box next to the command to disable that command when using SMTP across the access point's WAN port.
• HELO - (Hello) Identifies the SMTP sender to the SMTP receiver.
• MAIL - Initiates a mail transaction where data is delivered to one or more mailboxes on the local server.
• RCPT - (Recipient) Identifies a recipient of mail data.
• DATA - Tells the SMTP receiver to treat the following information as mail data from the sen
417. ls
• Content Filtering
For an overview on the encryption and authentication schemes available, refer to Configuring Access Point Security on page 6-1.
1.2.8.1 Kerberos Authentication
Authentication is a means of verifying information transmitted from a secure source. If information is authentic, you know who created it and you know it has not been altered in any way since originated. Authentication entails a network administrator employing a software "supplicant" on their computer or wireless device.
Authentication is critical for the security of any wireless LAN device. Traditional authentication methods are not suitable for use in wireless networks where an unauthorized user can monitor network traffic and intercept passwords. The use of strong authentication methods that do not disclose passwords is necessary. The access point uses the Kerberos authentication service protocol (specified in RFC 1510) to authenticate users/clients in a wireless network environment and to securely distribute the encryption keys used for both encrypting and decrypting.
A basic understanding of RFC 1510 Kerberos Network Authentication Service (V5) is helpful in understanding how Kerberos functions. By default, WLAN devices operate in an open system network where any wireless device can associate with an AP without authorization. Kerberos requires device authentication before access to the wired network is per
418. lude
CAUTION: An AP-5181 model access point cannot use the AP-5131 recommended 48-Volt Power Supply (Part No. 50-14000-243R). Motorola recommends the AP-PSBIAS-5181-01R Power Tap for use with an AP-5181 and its intended outdoor deployment.
• Power Injector (Part No. AP-PSBIAS-1P2-AFR)
• Power Tap (Part No. AP-PSBIAS-5181-01R)
• Any 802.3af midspan device.
2.6 Power Injector and Power Tap Systems
An AP-5131 or AP-5181 access point can receive power via an Ethernet cable connected to the access point's LAN port (using 802.3af). When users purchase a WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.
The Power Injector and Power Tap solutions merge power and Ethernet into one cable, reducing the burden of installation and allowing optimal access point placement in respect to the intended radio coverage area.
Both the Power Injector and Power Tap are integrated AC-DC converters requiring 110-220 VAC power to combine low voltage DC with Ethernet data in a single cable connecting to the access point. The access point can only use a Power Injector or Power Tap when connecting the unit to the access point's LAN port. The Power Injector (Part No. AP-PSBIAS-1P2-AFR) is included in certain AP-5131 kits. Th
419. m the associated WAN IP address. For information on configuring port forwarding, see Configuring Port Forwarding on page 5-23.

3. Click Apply to save any changes to the NAT screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

4. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the NAT screen to the last saved configuration.

5. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2.1.1 Configuring Port Forwarding

Use the Port Forwarding screen to configure port forwarding parameters for inbound traffic from the associated WAN IP address.

To configure port forwarding for the access point:

1. Select Network Configuration -> WAN -> NAT from the access point menu tree.
2. Select 1 to 1 or 1 to Many from the NAT Type drop-down menu.
3. Click on the Port Forwarding button within the Inbound Mappings area.

[Screenshot: Port Forwarding screen]

4. Configure the Port Forwarding screen to mo
420. management of an AAP is conducted by a switch, once the access point connects to a Motorola WS5100, RFS6000, or RFS7000 model switch and receives its AAP configuration.

An AAP provides:

- local 802.11 traffic termination
- local encryption/decryption
- local traffic bridging
- the tunneling of centralized traffic to the wireless switch

For an overview of the adaptive AP feature as well as how to configure it, refer to Adaptive AP on page 10-1.

1.1.10 Rogue AP Enhancements

The access point now has the option to scan for rogues over all channels on both of the access point's 11a and 11bg radio bands. The switching of radio bands is based on a timer with no user intervention required.

For information on configuring the access point for Rogue AP support, see Configuring Rogue AP Detection on page 6-55.

1.1.11 Bandwidth Management Enhancements

Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, a separate tab has been created for each access point radio. With this new segregated radio approach, bandwidth management can be configured uniquely for individual WLANs on different access point radios.

For information on configuring bandwidth management, see Configuring Bandwidth Management Settings on page 5-65.
421. mary screen to view overview statistics for active (enabled) WLANs on the access point. The WLAN Summary field displays basic information such as number of Mobile Units (MUs) and total throughput for each of the active WLANs. The Total RF Traffic section displays basic throughput information for all RF activity on the access point. The WLAN Statistics Summary screen is view only with no user configurable data fields.

If a WLAN is not displayed within the Wireless Statistics Summary screen, see Enabling Wireless LANs (WLANs) on page 5-27 to enable the WLAN. For information on configuring the properties of individual WLANs, see Creating/Editing Individual WLANs on page 5-30.

To view access point WLAN Statistics:

1. Select Status and Statistics -> Wireless Stats from the access point menu tree.

[Screenshot: WLAN Statistics Summary screen]

Name: Displays the names of all the enabled WLANs on the access point. For information on enabling a WLAN, see Enabling Wireless LANs (WLANs) on page 5-27.

MUs: Displays the total number of MUs currently associated with each enabled WLAN. Use this information to assess if the MUs are properly grouped by function within each enabled WLAN. To adjust the maximum 
422. menu

Goes to the root menu.
Saves the current configuration to system flash.
Quits the CLI.

AP51xx>admin(stats)> show

Description:

Displays access point system information.

Syntax:

    show  wan          Displays stats for the access point WAN port.
          leases       Displays the leases issued by the AP-51xx.
          lan          Displays stats for the access point LAN port.
          stp          Displays LAN Spanning Tree Status.
          wlan         Displays WLAN status and statistics summary.
          s-wlan       Displays status and statistics for an individual WLAN.
          radio        Displays a radio statistics transmit and receive summary.
          s-radio      Displays radio statistics for a single radio.
          retry-hgram  Displays a radio's retry histogram statistics.
          mu           Displays all mobile unit (MU) status.
          s-mu         Displays status and statistics for an individual MU.
          auth-mu      Displays single MU Authentication statistics.
          wlap         Displays Wireless Bridge statistics summary.
          s-wlap       Displays single Wireless Bridge statistics.
          known-ap     Displays a Known AP summary.
          cpu-mem      Displays memory and CPU usage statistics.

For information on displaying WAN port statistics using the applet (GUI), see Viewing WAN Statistics on page 7-2.

For information on displaying LAN port statistics using the applet (GUI), see Viewing LAN Statistics on page 7-6.

For information on displaying Wireless statistics using the applet (GUI), see Viewing Wirele
423. menu

    save    Saves the configuration to system flash.
    quit    Quits the CLI.

AP51xx>admin(network.wireless.radio.802-11bg.advanced)> show

Description:

Displays the BSSID to WLAN mapping for the 802.11b/g radio.

Syntax:

    show  advanced  Displays advanced settings for the 802.11b/g radio.
          wlan      Displays WLAN summary list for the 802.11b/g radio.

Example:

    admin(network.wireless.radio.802-11bg.advanced)>show advanced

    WLAN     BSS ID   BC/MC Cipher   Status
    Lobby    1        Open           good     configuration is ok
    HR       2        Open           good     configuration is ok
    Office   3        Open           good     configuration is ok

    BSSID    Primary WLAN
             Lobby
             HR
             Office

    admin(network.wireless.radio.802-11bg.advanced)>show wlan

    WLAN 1:
    WLAN name         WLAN1
    ESS ID            101
    Radio             11a, 11b/g
    VLAN              <none>
    Security Policy   Default
    QoS Policy        Default

For information on configuring Radio 1 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

AP51xx>admin(network.wireless.radio.802-11bg.advanced)> set

Description:

Defines advanced parameters for the target 802.11b/g radio.

Syntax:

    set  wlan  <wlan name> <bssid>    Defines advanced WLAN to BSSID mapping for the target radio.
         bss   <bss id> <wlan name>   Sets the BSSID to primary WLAN definition.

Example:

    admin(network.wireless.radio.802-11bg.a
424. ministrator to manage network performance, find and solve network problems, and plan for network growth. The access point supports SNMP management functions for gathering information from its network components, communicating that information to specified users and configuring the access point. All the fields available within the access point are also configurable within the MIB.

The access point SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of the community names, hence providing backward compatibility.

SNMP v1/v2c community definitions and SNMP v3 user definitions work independently, and both use the Access Control List (ACL) of the SNMP Access Control sub-screen.

Use the SNMP Access screen to define SNMP v1/v2c community definitions and SNMP v3 user definitions. SNMP version 1 (v1) provides a strong network management system, but its security is relatively weak. The improvements in SNMP version 2c (v2c) do not include the attempted security enhancements of other version 2 protocols. Instead, SNMP v2c defaults to SNMP-standard community strings for read-only and read/write access. SNMP version 3 (v3) further enhances protocol features, providing much improved security. SNMP v3 encrypts transmissions and provides authentication for users generating 
425. missions specified in options 1-10 within the Time Based Access Policy field.

6. Click Apply to save any changes to the Edit Access Policy screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

7. Click Cancel if necessary, to undo any changes made. Undo Changes reverts the settings displayed on the Edit Access Policy screen to the last saved configuration.

Monitoring Statistics

The access point has functionality to display robust transmit and receive statistics for its WAN and LAN port. Wireless Local Area Network (WLAN) stats can also be displayed collectively for each enabled WLAN as well as individually for up to 16 specific WLANs.

Transmit and receive statistics can also be displayed for the access point's 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.

Associated MU stats can be displayed collectively for associated MUs and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess the strength of the AP association.

Finally, the access point can detect and display the properties of other APs detected within the access point radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.
426. mitted.

For detailed information on Kerberos configurations, see Configuring Kerberos Authentication on page 6-8.

1.2.8.2 EAP Authentication

The Extensible Authentication Protocol (EAP) feature provides access points and their associated MUs an additional measure of security for data transmitted over the wireless network. Using EAP, authentication between devices is achieved through the exchange and verification of certificates.

EAP is a mutual authentication method whereby both the MU and AP are required to prove their identities. Like Kerberos, the user loses device authentication if the server cannot provide proof of device identification.

Using EAP, a user requests connection to a WLAN through the access point. The access point then requests the identity of the user and transmits that identity to an authentication server. The server prompts the AP for proof of identity (supplied to the AP by the user) and then transmits the user data back to the server to complete the authentication process.

An MU is not able to access the network if not authenticated. When configured for EAP support, the access point displays the MU as an EAP station.

EAP is only supported on mobile devices running Windows XP, Windows 2000 (using Service Pack 4) and Windows Mobile 2003. Refer to the system administrator for information on configuring a Radius Server for EAP (802.1x) support.

For detailed information on EAP configurations, see Configuring 802.1x EAP Authe
427. mmary screen. There are four fields within the screen. The Information field displays device address and location information, as well as channel and power information. The Traffic field displays statistics for cumulative packets, bytes, and errors received and transmitted. The Traffic field does not add retry information to the stats displayed. Refer to the RF Status field for an average MU signal, noise and signal to noise ratio information. Finally, the Errors field displays retry information as well as data transmissions the access point radio either dropped or could not decrypt. The information within the 802.11a Radio Statistics screen is view only with no configurable data fields.

To view detailed radio statistics:

1. Select Status and Statistics -> Radio Stats -> Radio1(802.11b/g) Stats from the access point menu tree.

[Screenshot: Radio1(802.11b/g) Statistics screen]
428. mporting/Exporting Configurations on page 4-49.

1.3.8 AP-51xx MAC Address Assignment

For both an AP-5131 and AP-5181 model access point, MAC address assignments are as follows:

- WAN: The access point MAC address can be found underneath the access point chassis.
- LAN1: WAN MAC address + 1.
- LAN2: A virtual LAN not mapped to the LAN Ethernet port. This address is the lowest of the two radio MAC addresses.
- Radio1 (802.11bg): Random address located on the Web UI, CLI and SNMP interfaces.
- Radio2 (802.11a): Random address located on the Web UI, CLI and SNMP interfaces.

The access point's BSS (virtual AP) MAC addresses are calculated as follows:

- BSS1: The same as the corresponding base radio's MAC address.
- BSS2: Base radio MAC address + 1
- BSS3: Base radio MAC address + 2
- BSS4: Base radio MAC address + 3

Hardware Installation

An access point installation includes mounting the access point, connecting the access point to the network (LAN or WAN port connection), connecting antennae and applying power. Installation procedures vary for different environments. See the following sections for more details:

- Precautions
- Requirements
- Access Point Placement
- Power Options
- Power Injector and Power Tap Systems
- Mounting an AP-5131
- AP-5131 LED Indicators
- Mounting an AP-5181
- AP-5181 LED Indicators
- Setting Up MUs

installi
429. ms. This feature is only supported when 802.1x EAP authentication is enabled.

NOTE: PMK key caching is enabled internally by default when 802.1x EAP authentication is enabled.

9. Click the Apply button to save any changes made within this New Security Policy screen.

10. Click the Cancel button to undo any changes made within the WPA2/CCMP Settings field and return to the WLAN screen. This reverts all settings to the last saved configuration.

6.10 Configuring Firewall Settings

The access point's firewall is a set of related programs located in the gateway on the WAN side of the access point. The firewall uses a collection of filters to screen information packets for known types of system attacks. Some of the access point's filters are continuously enabled, others are configurable.

Use the access point's Firewall screen to enable or disable the configurable firewall filters. Enable each filter for maximum security. Disable a filter if the corresponding attack does not seem a threat in order to reduce processor overhead. Use the WLAN Security screens (WEP, Kerberos etc.) as required for setting user authentication and data encryption parameters.

To configure the access point firewall settings:

1. Select Network Configuration -> Firewall from the access point menu tree.

[Screenshot: Firewall screen]
430. n (ESSID) and name associated with the WLAN. For additional information on creating and editing up to 16 WLANs per access point, see Creating/Editing Individual WLANs on page 5-30.

b. Use the Available On checkboxes to define whether the target WLAN is operating over the 802.11a or 802.11b/g radio. Ensure the radio selected has been enabled (see step 8).

c. Even an access point configured with minimal values must protect its data against theft and corruption. A security policy should be configured for WLAN1 as part of the basic configuration outlined in this guide. A security policy can be configured for the WLAN from within the Quick Setup screen. Policies can be defined over time and saved to be used as needed as security requirements change. Motorola recommends you familiarize yourself with the security options available on the access point before defining a security policy. Refer to Configuring WLAN Security Settings on page 3-12.

Click Apply to save any changes to the access point Quick Setup screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the access point Quick Setup screen to the last saved configuration.

Configuring WLAN Security Settings

To configure a basic security policy for a WLAN:

1. From the access point Quick Setup screen, click the Create button to the ri
431. n, the other radio (radio 2) is not affected. Radio 2 continues to beacon and associate MUs, but MUs can only communicate amongst themselves using the access point. Disabled is the default value.

Uplink Detect: When Uplink Detect is selected, the access point only boots up the radio configured as a client bridge. The access point boots up the second radio as soon as the first mesh connection is established. However, if the client bridge radio loses its uplink connection, the second radio shuts down immediately.

Enabled: If the mesh connection is down on one radio (radio 1), the other radio (radio 2) is brought down and stops beaconing after the timeout period (45 seconds). This allows the client bridge (radio 1) to roam without dropping the MUs associated to radio 2. The disadvantage is that radio 2 may beacon for the 45 second timeout period and have to drop associated MUs because radio 1 could not establish its uplink.

NOTE: The Mesh Time Out variable overrides the Ethernet Port Time Out (EPTO) setting on the LAN page when the access point is in bridge mode. As long as the mesh is down, the access point acts in accordance with the Mesh Time Out setting regardless of the state of the Ethernet. However, if the Ethernet goes down and the mesh link is still up, the EPTO takes effect.

17. Click Apply to save any changes to the Radio Configuration screen. Navigating away from the screen without click
432. n list of certificates within the Self Certificates screen.

5. Click the Generate Request button.

[Screenshot: Self Certificates screen]

The generated certificate request displays in the Self Certificates screen text box.

6. Click the Copy to Clipboard button.

The content of the certificate request is copied to the clipboard.

Create an email to your CA, paste the content of the request into the body of the message and send it to the CA.

The CA signs the certificate and will send it back. Once received, copy the content from the email into the clipboard.

7. Click the Paste from clipboard button.

The content of the email displays in the window.

Click the Load Certificate button to import the certificate and make it available for use as a VPN authentication option. The certificate ID displays in the Signed list.

NOTE: If the access point is restarted after a certificate request has been generated but before the signed certificate is imported, the import will not execute properly. Do not restart the access point during this process.

8. To use the certificate for a VPN tunnel, first define a tunnel and select the IKE settings to use either RS
433. n menu.

Port Start: Defines the socket number (or port) number representing the beginning protocol port range either allowed or denied permission to the target LAN1, LAN2 or WLAN.

Port End: Defines the socket number (or port) number representing the ending protocol port range either allowed or denied permission to the target LAN1, LAN2 or WLAN.

Src Start: Creates a range beginning source IP address to be either allowed or denied IP packet forwarding. The source address is where the packet originated. Setting the Src End value the same as the Src Start allows or denies just this address without defining a range.

Src End: Providing this address completes a range of source (data origination) addresses that can either be allowed or denied access to the LAN1, LAN2 or WLAN.

Dst Start: Creates a range beginning destination IP address to be either allowed or denied IP packet forwarding. Setting the Dst End value the same as the Dst Start allows or denies just this address without defining a range.

Dst End: Providing this address completes a range of destination addresses that can either be allowed or denied access to the LAN1, LAN2 or WLAN.

In Use: Displays YES if the listed filter policy is currently being utilized by LAN1, LAN2 or a WLAN. NO is displayed if the listed policy is not currently being utilized by either of the LAN ports or any of the access point's 16 WLANs.

NOTE: Once filter poli
434. n page 9-6.

Refer to the Port Interface Table to assess the state of the traffic over the ports listed within the table for the root and bridge and designated bridges.

Port ID: Identifies the port from which the configuration message was sent.

State: Displays whether a bridge is forwarding traffic to other members of the mesh network (over this port) or blocking traffic. Each viable member of the mesh network must forward traffic to extend the coverage area of the mesh network.

Path Cost: The root path cost is the distance (cost) from the sending bridge to the root bridge.

Designated Root: Displays the MAC address of the access point defined with the lowest priority within the Mesh STP Configuration screen.

Designated Bridge: There is only one root bridge within each mesh network. All other bridges are designated bridges that look to the root bridge for several mesh network timeout values. For information on root and bridge designations, see Setting the LAN Configuration for Mesh Networking Support on page 9-6.

Designated Port: Each designated bridge must use a unique port. The value listed represents the port used by each bridge listed within the table to route traffic to other members of the mesh network.

Designated Cost: Displays the unique distance between each access point MAC address listed in the Designated Bridge column and the access point MAC address listed in the Designated
435. n to create a new table entry.

b. Highlight an entry and click the Del (delete) button to remove an entry.

c. Specify the destination IP address, subnet mask, and gateway information for the internal static route.

d. Select an enabled subnet from the Interface(s) column's drop-down menu to complete the table entry. Information in the Metric column is a user-defined value (from 1 to 65535) used by router protocols to determine the best hop routes.

6. Click the Apply button to save the changes.

7. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

5.5.1 Setting the RIP Configuration

To set the RIP configuration:

1. From within the RIP Configuration field, select the RIP Type from the drop-down menu. The following options are available (No RIP, RIP v1, RIP v2 (v1 compat), RIP v2):

No RIP: The No RIP option prevents the access point's router from exchanging routing information with other routers. Routing information may not be appropriate to share, for example, if the access point manages a private LAN.

RIP v1: RIP version 1 is a mature, stable, and widely supported protocol. It is well suited for use in stub networks and in small autonomous systems that do not have enough redundant paths to warrant the overhead of a more sophisticated protocol.

RIP v2 (v1 compat): RIP version 2 (compatible with version 1) is an extension of RIP v1's capabilities, but it is still compatible 
436. n to system flash.

Goes to the parent menu.
Moves back to root menu.

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> create

Description:

Creates a group name. Once defined, users can be added to the group.

Syntax:

    create    Creates a group name. Once defined, users can be added to the group.

Example:

    admin(system.userdb.group)>create 2
    admin(system.userdb.group)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> delete

Description:

Deletes an existing group.

Syntax:

    delete    Deletes an existing group.

Example:

    admin(system.userdb.group)>delete 2
    admin(system.userdb.group)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> clearall

Description:

Removes all existing group names from the system.

Syntax:

    clearall    Removes all existing group names from the system.

Example:

    admin(system.userdb.group)>clearall
    admin(system.userdb.group)>

For information on configuring User Database permi
437. nboard Radius server's database. The group configured within the onboard Radius server is used for group policy configuration to support a new Time Based Rule restriction feature.

NOTE: The LDAP screen displays with unfamiliar alphanumeric characters (if new to LDAP configuration). Motorola recommends only qualified administrators change the default values within the LDAP screen.

[Screenshot: LDAP screen]

2. Enter the appropriate information within the LDAP Configuration field to allow the access point to interoperate with the LDAP server. Consult with your LDAP server administrator for details on how to define the values in this screen.

LDAP Server IP: Enter the IP address of the external LDAP server acting as 
438. nce.

2. Click Apply to save any changes to the Radio Histogram screen. Navigating away from the screen without clicking Apply results in changes to the screens being lost.

3. Click Undo Changes (if necessary) to undo any changes made to the screen. Undo Changes reverts the settings to the last saved configuration.

4. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.5 Viewing MU Statistics Summary

Use the MU Stats Summary screen to display overview statistics for mobile units (MUs) associated with the access point. The MU List field displays basic information such as IP Address and total throughput for each associated MU. The MU Stats screen is view only with no user configurable data fields. However, individual MUs can be selected from within the MU Stats Summary screen to either ping to assess interoperability or display authentication statistics.

To view access point overview statistics for all of the MUs associated to the access point:

1. Select Status and Statistics -> MU Stats from the access point menu tree.

[Screenshot: MU Stats Summary screen]

2. Refer to the MU List field to reference associated MU address, throughput and retry information.

IP Address, MAC Address, WLAN, Radio, T-put, ABS, Retr
439. nce. SNMP RF Traps are sent when RF traffic exceeds defined limits set in the RF Trap Thresholds field of the SNMP RF Traps screen. Thresholds are displayed for the access point, WLAN, selected radio and the associated MU.

To configure specific SNMP RF Traps on the access point:

1. Select System Configuration -> SNMP Access -> SNMP RF Trap Thresholds from the menu tree.

[Screenshot: SNMP RF Trap Thresholds screen]

NOTE: Average Bit Speed, % of Non-Unicast, Average Signal, Average Retries, % Dropped and % Undecryptable are not access point statistics.

Pkts/s: Enter a maximum threshold for the total throughput in Pps (Packets per second).

Throughput: Set a max
440. ncryption is selected, encryption is disabled for the security policy. If security is not an issue, this setting avoids the overhead an encryption protocol causes on the access point. No Encryption is the default value for the Encryption field.

Select the WEP 64 (40 bit key) button to display the WEP 64 Settings field within the New Security Policy screen. For specific information on configuring WEP 64, see Configuring WEP Encryption on page 6-16.

WEP 128 (104 bit key): Select the WEP 128 (104 bit key) button to display the WEP 128 Settings field within the New Security Policy screen. For specific information on configuring WEP 128, see Configuring WEP Encryption on page 6-16.

KeyGuard: Select the KeyGuard button to display the KeyGuard Settings field within the New Security Policy screen. For specific information on configuring KeyGuard, see Configuring KeyGuard Encryption on page 6-18.

WPA/WPA2 TKIP: Select the WPA/WPA2 TKIP button to display the WPA/TKIP Settings field within the New Security Policy screen. For specific information on configuring WPA/WPA2 TKIP, see Configuring WPA/WPA2 Using TKIP on page 6-21.

WPA2/CCMP (802.11i): Select the WPA2/CCMP (802.11i) button to display the WPA2/CCMP Settings field within the New Security Policy screen. For detailed information on configuring WPA2/CCMP, see Configuring WPA2/CCMP (802.11i) on page 6-24.

6. Click Apply to keep changes made within the New 
441. ndecryptable packets. The WLAN Stats screen is view-only with no user configurable data fields.

To view statistics for an individual WLAN:

1. Select Status and Statistics -> Wireless Stats -> WLANx Stats (x = target WLAN) from the access point menu tree.

[Screenshot: WLAN1 Statistics screen]

2. Refer to the Information field to view specific WLAN address, MU and security scheme information for the WLAN selected from the access point menu tree.

ESSID: Displays the Extended Service Set ID (ESSID) for the target WLAN.

Radio/s: Displays the name of the 802.11a or 802.11b/g radio the target WLAN is using for access point transmissions.

Authentication Type: Displays the authentication type (802.1x EAP or Kerberos) defined for the WLAN. If the authentication type does not match the desired scheme for the WLAN or needs
442. nes the LDAP parameters.

ipadr        Sets LDAP IP address.
port         Sets LDAP server port.
binddn       Sets LDAP bind distinguished name.
basedn       Sets LDAP base distinguished name.
passwd       Sets LDAP server password.
login        Sets LDAP login attribute.
pass_attr    Sets LDAP password attribute.
groupname    Sets LDAP group name attribute.
filter       Sets LDAP group membership filter.
membership   Sets LDAP group membership attribute.

Example:

admin(system.radius.ldap)>set ipadr 157.235.121.12
admin(system.radius.ldap)>set port 203.21.37.18
admin(system.radius.ldap)>set binddn 123
admin(system.radius.ldap)>set basedn 203.21.37.19
admin(system.radius.ldap)>set passwd mudskipper
admin(system.radius.ldap)>set login muddy
admin(system.radius.ldap)>set pass_attr 123
admin(system.radius.ldap)>set groupname 0.0.0.0
admin(system.radius.ldap)>set filter 123
admin(system.radius.ldap)>set membership radiusGroupName
admin(system.radius.ldap)>

For information on configuring a Radius LDAP server using the applet (GUI), see Configuring LDAP Authentication on page 6-67.

AP51xx>admin(system.radius.ldap)> show all

Description:

Displays existing LDAP parameters.

Syntax:

show all     Displays existing LDAP parameters.

Example:

admin(system.radius.ldap)>show all

LDAP Server IP
LDAP Server Port
LDAP Bind DN
LDAP Base DN
LDAP Login Attribute
LDAP Password attribute
LDAP Group
443. net Explorer, Netscape Navigator, or Mozilla Firefox (version 0.8 or higher is recommended). The browser interface also allows for system monitoring of the access point.

Web management of the access point requires either Microsoft Internet Explorer 5.0 or later or Netscape Navigator 6.0 or later.

NOTE: For optimum compatibility, use Sun Microsystems' JRE 1.5 or higher (available from Sun's Web site), and be sure to disable Microsoft's Java Virtual Machine if installed.

To connect to the access point, an IP address is required. If connected to the access point using the WAN port, the default static IP address is 10.1.1.1. The default password is        . If connected to the access point using the LAN port, the default setting is DHCP client. The user is required to know the IP address to connect to the access point using a Web browser.

System configuration topics include:

• Configuring System Settings
• Adaptive AP Setup
• Configuring Data Access
• Managing Certificate Authority (CA) Certificates
• Configuring SNMP Settings
• Configuring Network Time Protocol (NTP)
• Logging Configuration
• Importing/Exporting Configurations
• Updating Device Firmware

4.1 Configuring System Settings

Use the System Settings screen to specify the name and location of the access point, assign an email address for the network administrator, restore the AP's default configuration or rest
444. network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network   admin  network     admin  network     Defines the access point radio placement as indoors or outdoors   Determines how the radio channel is selected    Defines the actual channel used by the radio    Sets the ACS exception list  for auto selection only  for up to 3 channels   Sets the radio antenna power   Defines the radio antenna power transmit level    Enables or disables 802 11bg radio mode support    Sets the supported radio transmit rates    Sets the beacon interval used by the radio    Defines the DTIM interval  by index  used by the radio    Enables or disables support for short preamble for the radio    Defines the RTS Threshold value for the radio    Sets the radio s extended range  in miles 0 50     Defines the cwmin  cwmax  aifsn and txops levels for the QoS policy used for the radio   Sets the QBSS Channel Util Beacon Interval in kilo usec  10   200    Enables disables the OBSS load element     wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless   wireless     wireless     radio   radio   radio    802 11bg   gt set    radio    radio   radio   radio   radio   radio   radio   radio   radio   radio   radio   radio   radio   radio     ra
445. network.lan)>
admin>

AP51xx>admin>save

Description:

Saves the configuration to system flash.

The save command appears in all of the submenus under admin. In each case, it has the same function, to save the current configuration.

Syntax:

save    Saves configuration settings. The save command works at all levels of the CLI. The save command must be issued before leaving the CLI for updated settings to be retained.

Example:

admin>save
admin>

AP51xx>admin>quit

Description:

Exits the command line interface session and terminates the session.

The quit command appears in all of the submenus under admin. In each case, it has the same function, to exit out of the CLI. Once the quit command is executed, the login prompt displays again.

Example:

admin>quit

8.3 Network Commands

AP51xx>admin(network)>

Description:

Displays the network submenu. The items available under this command are shown below.

lan         Goes to the LAN submenu.
wan         Goes to the WAN submenu.
wireless    Goes to the Wireless Configuration submenu.
firewall    Goes to the firewall submenu.
router      Goes to the router submenu.
ipfilter    Goes to the IP Filtering submenu.
..          Goes to the parent menu.
/           Goes to the root menu.
save        Saves the current configuration to the system flash.
quit        Quits the CLI and exits the current session.
446. network growth. The access point supports SNMP management functions for gathering information from its network components. The access point's download site contains the following 2 MIB files:

• Symbol CC WS2000 MIB 2.0 (standard MIB file)
• Symbol AP-5131 MIB (both the AP-5131 and AP-5181 use the same MIB, there is no specific MIB for an AP-5181)

The access point's SNMP agent functions as a command responder and is a multilingual agent responding to SNMPv1, v2c and v3 managers (command generators). The factory default configuration maintains SNMPv1/2c support of community names, thus providing backward compatibility.

For detailed information on configuring SNMP traps, see Configuring SNMP Settings on page 4-27.

1.2.13 Power over Ethernet Support

When users purchase a Motorola WLAN solution, they often need to place access points in obscure locations. In the past, a dedicated power source was required for each access point in addition to the Ethernet infrastructure. This often required an electrical contractor to install power drops at each access point location.

An approved power injector solution merges power and Ethernet into one cable, reducing the burden of installation and allows optimal access point placement in respect to the intended radio coverage area.

The AP-5131 Power Injector is a single-port, 802.3af compliant Power over Ethernet hub combining low-voltage DC with Ethernet data in a single cable conne
447. nfiguration.

7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.2.1 Configuring Network Address Translation (NAT) Settings

Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in another network. The access point router maps its local (inside) network addresses to WAN (outside) IP addresses, and translates the WAN IP addresses on incoming packets to local IP addresses. NAT is useful because it allows the authentication of incoming and outgoing requests, and minimizes the number of WAN IP addresses needed when a range of local IP addresses is mapped to each WAN IP address. NAT can be applied in one of two ways:

• One-to-one mapping with a private side IP address. The private side IP address can belong to any of the private side subnets.
• One-to-many mapping with a configurable range of private side IP addresses. Ranges can be specified from each of the private side subnets.

To configure IP address mappings for the access point:

1. Select Network Configuration -> WAN -> NAT from the access point menu tree.

2. Configure the Address Mappings field to generate a WAN IP address, define the NAT type and set outbound/inbound NAT mappings.

WAN IP Address T
448. nformation to assess the current connection status of LAN 1 or LAN 2.

The LAN 1 or LAN 2 connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps. If the throughput speed is not achieved, examine the number of transmit and receive errors, or consider increasing the supported data rate. To change the data rate of the 802.11a or 802.11b/g radio, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

Displays whether the current LAN connection is full or half duplex.

The WLANs Mapped table lists the WLANs mapped to this LAN (either LAN1 or LAN2) as their LAN interface.

RX packets are data packets received over the access point LAN port. The number is a cumulative total since the LAN connection was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

RX bytes are bytes of information received over the LAN port. The value is a cumulative total since the LAN connection was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

RX Errors: RX errors include dropped data packets, buffer overruns, and frame errors on inbound traffic. The number of RX errors is a total of RX Dropped, RX Overruns and RX Carrier errors. Use this information to determine performance quality of the current LAN connection.

RX Dropped: Th
449. ng an access point  A site survey is an excellent method of  documenting areas of radio interference and providing a tool for  device placement     A CAUTION Motorola recommends conducting a radio site survey prior to          2 1 Precautions    Before installing an AP 5131 or AP 5181 model access point verify the following     e Do not install in wet or dusty areas without additional protection  Contact a Motorola  representative for more information     e Verify the environment has a continuous temperature range between  20   C to 50   C     2 2 Available Product Configurations    2 2 1 AP 5131 Configurations    An AP 5131 can be ordered in the following access point and accessory combinations     Part No  Description    AP 5131 13040 WW AP 5131 802 11a g Dual Radio Access Point  AP 5131 Install Guide  Software and Documentation CD ROM  Accessories Bag    AP 5131 13041 WWR AP 5131 802 11a g Dual Radio Access Point  AP 5131 Install Guide  Power Injector  Part No  AP PSBIAS 1P2 AFR   Software and Documentation CD ROM  Accessories Bag    AP 5131 13042 WW AP 5131 802 11a g Dual Radio Access Point  AP 5131 Install Guide  Software and Documentation CD ROM   4  Dual Band Antennae  Part No  ML 2452 APA2 01   Accessories Bag    Hardware Installation 2 3    Part No  Description    AP 5131 13043 WWR AP 5131 802 11a g Dual Radio Access Point  AP 5131 Install Guide  Software and Documentation CD ROM  Power Injector  Part No  AP PSBIAS 1P2 AFR    4  Dual Band Antennae  Part No  ML 2452 A
450. ng and how to configure the radio for mesh networking support, see Configuring Mesh Networking Support on page 9-6.

7. If using a dual-radio model access point, refer to the Mesh Timeout drop-down menu to define whether one of the radio's beacons on an existing WLAN or if a client bridge radio uses an uplink connection. The Mesh Timeout value is not available on a single-radio access point, since the radio would have to stop beaconing and go into scan mode to determine if a base bridge uplink is lost. The following drop-down menu options are available:

Disabled: When disabled, both radios are up at boot time and beaconing. If one radio (radio 1) does not have a mesh connection, the other radio (radio 2) is not affected. Radio 2 continues to beacon and associate MUs, but MUs can only communicate amongst themselves using the access point. Disabled is the default value.

Uplink Detect: When Uplink Detect is selected, the access point only boots up the radio configured as a client bridge. The access point boots up the second radio as soon as the first mesh connection is established. However, if the client bridge radio loses its uplink connection, the second radio shuts down immediately. Uplink detect is the recommended setting within a multi-hop mesh network.

Enabled: If the mesh connection is down on one radio (radio 1), the other radio (radio 2) is brought down and stops beaconing after the timeout period (45 - 65535 seconds). This allows the client bri
451. ng the 802.11a or 802.11b/g Radio on page 5-56.

Lists the number of mobile units (MUs) currently associated with the access point 802.11a or 802.11b/g radio.

3. Refer to the Traffic field to view performance and throughput information for the target access point 802.11a or 802.11b/g radio.

Pkts per second: The Total column displays the average total packets per second crossing the radio. The Rx column displays the average total packets per second received. The Tx column displays the average total packets per second transmitted. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour.

Throughput: The Total column displays average throughput on the radio. The Rx column displays average throughput in Mbps for packets received. The Tx column displays average throughput for packets transmitted. The number in black represents statistics for the last 30 seconds and the number in blue represents statistics for the last hour. Use this information to assess whether the current throughput is sufficient to support required network traffic.

Avg. Bit Speed: The Total column displays the average bit speed in Mbps for the radio. This includes all packets transmitted and received. The number in black represents statistics for the last 30 seconds and the number in blue represents statistics for the last hour.

Non-unicast pkts

Approximate RF Utilization: The approximat
452. nges to the screens being lost.

10. Click Undo Changes (if necessary) to undo any changes made to the screen and its sub-screens. Undo Changes reverts the settings to the last saved configuration.

11. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

5.3.3 Configuring Bandwidth Management Settings

The access point can be configured to grant individual WLAN's network bandwidth priority levels. Use the Bandwidth Management screen to control the network bandwidth allotted to individual WLANs. Define a weighted scheme as needed when WLAN traffic supporting a specific network segment becomes critical. Bandwidth management is configured on a per-WLAN basis. However, with this latest version 2.0 release of access point firmware, a separate tab has been created for each access point radio. With this new segregated radio approach, bandwidth management can be configured uniquely for individual WLANs on different access point radios.

1. Select Network Configuration -> Wireless -> Bandwidth Management from the access point menu tree.

[Screenshot: Bandwidth Management screen]
453. ngs on page 5-68.

1.1.7 Trusted Host Management

Trusted subnet management restricts AP-51x1 LAN1, LAN2 and WAN interface access (via SNMP, HTTP, HTTPS, Telnet and SSH) to a set of user defined trusted host or subnets. Only hosts with matching subnet (or IP) addresses are able to access the access point. Enabling the feature denies access from any subnet not defined as trusted. Once a set of trusted hosts is defined and applied, the settings can be imported and exported as a part of the access point's configuration import/export functionality.

For information on defining a set of trusted hosts for exclusive access point access, see Defining Trusted Hosts on page 4-14.

1.1.8 Apache Certificate Management

Apache certificate management allows the update and management of security certificates for an Apache HTTP server. This allows users to upload a trusted certificate to their AP. When a client attaches to it with a browser, a warning message pertaining to the certificate no longer displays.

Apache certificate management utilizes the access point's existing Certificate Manager for the creation of certificates and keys. The certificate can then be loaded into the apache file system using a command.

For information on defining the Apache certificate management configuration, see Apache Certificate Management on page 4-25.

1.1.9 Adaptive AP

An adaptive AP (AAP) is an AP-51XX access point that can adopt like an AP300 (L3). The 
454. nize to the access point.

The scanning and association process continues for active MUs. This process allows the MUs to find new access points and discard out-of-range or deactivated access points. By testing the airwaves, the MUs can choose the best network connection available.

1.3.6 Operating Modes

The access point can operate in a couple of configurations:

• Access Point: As an Access Point, the access point functions as a layer 2 bridge. The wired uplink can operate as a trunk and support multiple VLANs. Up to 16 WLANs can be defined and mapped to XX WLANs. Each WLAN can be configured to be broadcast by one or both radios (unlike the AP-4131 model access point). An AP-5131 or AP-5181 can operate in both an Access Point mode and Wireless Gateway/Router mode simultaneously. The network architecture and access point configuration define how the Access Point and Wireless Gateway/Router mode are negotiated.

• Wireless Gateway/Router: If operating as a Wireless Gateway/Router, the access point functions as a router between two layer 2 networks: the WAN uplink (the ethernet port) and the Wireless side. The following options are available providing a solution for single-cell deployment:

  • PPPoE: The WAN interface can terminate a PPPoE connection, thus enabling the access point to operate in conjunction with a DSL or Cable modem to provide WAN connectivity.

  • NAT: Network Address Transla
455. nnel entries.

Syntax:

delete   all       Deletes all VPN entries.
         <name>    Deletes VPN entries by supplied name.

Example:

admin(network.wan.vpn)>list

Eng2EngAnnex Manual 192.168.32.2/24 192.168.33.1 192.168.24.198
SJSharkey Manual 206.107.22.45/27 206.107.22.2 209.235.12.55

admin(network.wan.vpn)>delete Eng2EngAnnex
admin(network.wan.vpn)>list

SJSharkey Manual 206.107.22.45/27 206.107.22.2 209.235.12.55

admin(network.wan.vpn)>

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

AP51xx>admin(network.wan.vpn)> list

Description:

Lists VPN tunnel entries.

Syntax:

list   <cr>      Lists all tunnel entries.
       <name>    Lists detailed information about tunnel named <name>. Note that the <name> must match case with the name of the VPN tunnel entry.

Example:

admin(network.wan.vpn)>list

Eng2EngAnnex Manual 192.168.32.2/24 192.168.33.1 192.168.24.198
SJSharkey Manual 206.107.22.45/27 206.107.22.2 209.235.12.55

admin(network.wan.vpn)>list SJSharkey

Name                      SJSharkey
Local Subnet              7 l
Tunnel Type               Manual
Remote IP                 206.107.22.45
Remote IP Mask            255.255.255.224
Remote Security Gateway   206.107.22.2
Local Security Gateway    209.239.160.55
AH Algorithm              None
Encryption Type           ESP
Encryption Algorithm      DES
ESP Inbound SPI           0x00000100
ESP Outbound SPI          0x00000100

For
456. not able to obtain IP addresses, the access point attempts to resolve the switch's Domain Name if provided within the Switch FQDN parameter. However, if the access point receives one or more IP addresses from the DHCP server, it will not solicit an IP address from a user provided domain name. Lastly, provide static (manually provided) IP addresses to the list as long as there is room. The access point will defer to these addresses if DHCP and a provided domain address fail to secure a switch adoption.

4. Click Apply to save any changes to the Adaptive AP Setup screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Adaptive AP Setup screen to the last saved configuration.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.3 Configuring Data Access

Use the AP-51XX Access screen to allow/deny management access to the access point from different subnets (LAN1, LAN2 or WAN) using different protocols such as HTTP, HTTPS, Telnet, SSH or SNMP. The access options are either enabled or disabled. It is not meant to function as an ACL in routers or other firewalls, where you can specify and customize specific IPs to access specific interfaces.

Use the access poi
457. ns can receive and interpret these packets, and optionally can perform responsive actions. SNMP trap generation is programmable on a trap-by-trap basis.

Use the SNMP Traps Configuration screen to enable traps and to configure appropriate settings for reporting this information. Trap configuration depends on the network machine that receives the generated traps. SNMP v1/v2c and v3 trap configurations function independently. In a mixed SNMP environment, generated traps can be sent using configurations for both SNMP v1/v2c and v3.

To configure SNMP traps on the access point:

1. Select System Configuration -> SNMP Access -> SNMP Trap Configuration from the access point menu tree.

2. Configure the SNMP v1/v2c Trap Configuration field (if SNMP v1/v2c Traps are used) to modify the following:

Add: Click Add to create a new SNMP v1/v2c Trap Configuration entry.

Delete: Click Delete to remove a selected SNMP v1/v2c Trap Configuration entry.

Destination IP: Specify a numerical (non DNS name) destination IP address for receiving the traps sent by the access point SNMP agent.

Port: Specify a destination User Datagram Protocol (UDP) port for receiving traps. The default is 162.

Community: Enter a community name specific to the SNMP-capable client that receives the traps.

SNMP Version

Add: Click Add to cr
458. ns for configuring AP 1, see Configuring AP 1 on page 9-21. Once completed, return to Configuring AP 2 on page 9-32 within this section.

9.3.2.2 Configuring AP 2

AP 2 requires the following modifications from AP 2 in the previous scenario to function in base bridge/client bridge repeater mode.

1. Enable client bridge backhaul on the mesh supported WLAN.

2. Enable client and base bridge functionality on the 802.11a radio.

[Screenshot: 802.11a radio settings screen]

9.3.2.3 Configuring AP 3

To define AP 3's configuration:

1. The only change needed on AP 3 (with respect to the configuration used in scenario 1) is to disable the Auto Link Selection option.

Click the Advanced button within the Mesh Client Bridge Settings field.

2. Add the 802.11a Radio MAC Address.

In s
459. nt's Access screen checkboxes to enable or disable LAN1, LAN2 and/or WAN access using the protocols and ports listed. If access is disabled, this effectively locks out the administrator from configuring the access point using that interface. To avoid jeopardizing the network data managed by the access point, Motorola recommends enabling only those interfaces used in the routine (daily) management of the network, and disabling all other interfaces until they are required.

The AP-51XX Access screen also has a facility allowing customers to create a login message with customer generated text. When enabled (using either the access point Web UI or CLI), the login message displays when the user is logging into the access point. If the login message is disabled, the default login screen displays with no message.

AP access can be restricted to specific IP addresses. Trusted Host subnet management restricts LAN1, LAN2 and WAN interface access (via SNMP, HTTP, HTTPS, Telnet and/or SSH) to a set of (up to 8) user defined trusted hosts or subnets. Only hosts with matching IP addresses can access the access point. Enabling the feature denies access from any subnet (IP address) not defined as trusted. Once a set of trusted hosts is defined and applied, the settings can be imported and exported as a part of the access point's configuration import/export functionality. For information on defining trusted hosts for exclusive AP access, see Defining Trusted Hosts on pag
460. ntication on page 6-11.

1.2.8.3 WEP Encryption

All WLAN devices face possible information theft. Theft occurs when an unauthorized user eavesdrops to obtain information illegally. The absence of a physical connection makes wireless links particularly vulnerable to this form of theft. Most forms of WLAN security rely on encryption to various extents. Encryption entails scrambling and coding information, typically with mathematical formulas called algorithms, before the information is transmitted. An algorithm is a set of instructions or formula for scrambling the data. A key is the specific code used by the algorithm to encrypt or decrypt the data. Decryption is the decoding and unscrambling of received encrypted data.

The same device, host computer or front-end processor, usually performs both encryption and decryption. The transmit or receive direction determines whether the encryption or decryption function is performed. The device takes plain text, encrypts or scrambles the text typically by mathematically combining the key with the plain text as instructed by the algorithm, then transmits the data over the network. At the receiving end, another device takes the encrypted text and decrypts (or unscrambles) the text, revealing the original message. An unauthorized user can know the algorithm, but cannot interpret the encrypted data without the appropriate key. Only the sender and receiver of the transmitted data know the key.

Wired E
461. number of MUs permissible per WLAN, see Creating/Editing Individual WLANs on page 5-30.

T-put: Displays the total throughput in Megabits per second (Mbps) for each active WLAN.

ABS: Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each active WLAN displayed.

% NU: Displays a percentage of the total packets for each active WLAN that are non-unicast. Non-unicast packets include broadcast and multicast packets.

Retries: Displays the average number of retries per packet. An excessive number could indicate possible network or hardware problems.

Clear All WLAN Stats: Click this button to reset each of the data collection counters to zero in order to begin new data collections. Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

3. Refer to the Total AP RF Traffic field to view throughput information for the access point and WLAN.

Total pkts per second: Displays the average number of RF packets sent per second across all active WLANs on the access point. The number in black represents packets for the last 30 seconds and the number in blue represents total pkts per second for the last hour.

Total associated MUs

Clear all RF Stats

4. Click the Clear RF Stats button to reset each of the data collection counters to zero in order

Total bits per second: Displays the average bits 
462. o 85   storage     15kV  air    50  rh  8kV  contact    50  rh    Bench drop 36 inches to concrete  excluding side with connectors     Technical Specifications A 3    A 1 2 AP 5181 Physical Characteristics  The AP 5181 has the following physical characteristics     Dimensions  Housing  Weight    Operating  Temperature    Storage Temperature    Altitude    Vibration  Humidity    Electrostatic  Discharge    Drop   Wind Blown Rain  Rain Drip Spill  Dust    12 inches long x 8 25 inches wide x 3 5 inches thick   Aluminum   4 Ibs     30 to 55   Celsius     40 to 85   Celsius    8 000 feet 2438 m   28   Celsius  operating   15 000 feet 4572 m   12   Celsius  storage     Vibration to withstand  02g  Hz  random  sine  20 2k Hz  5 to 95   operating  5 to 95   storage     15kV  air    50  rh  8kV  contact    50  rh    Bench drop 36 inches to concrete  40 MPH   0 1inch minute  15 minutes  IPX5 Spray   4L minute  10 minutes    IP6X 20mb vacuum max  2 hours  stirred dust    88g m 3 concentration   35 RH    A 4 AP 51xx Access Point Product Reference Guide    A 2 Electrical Characteristics    Both the AP 5131 and the AP 5181 access points have the following electrical characteristics           recommended Motorola 48 Volt Power Supply  Part No  50 14000   243R   However  Motorola does recommend the AP PSBIAS 5181 01R  model power supply for use the AP 5181     A CAUTION An AP 5181 model access point cannot use the AP 5131       Operating Voltage 48Vdc  Nom   Operating Current 200mA  Peak    
463. o IOS APs. Consequently, an AP 4131 is not compatible with an AP 5131 or AP 5181 supported mesh deployment.

Mesh Deployment Issue 11 - Can I update firmware configuration files across a mesh backhaul?
Can I update device firmware over the mesh backhaul on a client bridge or repeater AP with no wired connectivity?
Resolution: Yes, both the AP 5131 and AP 5181 support wireless firmware updates.

Mesh Deployment Issue 12 - Can I perform firmware configuration file updates with DHCP options?
Can I use the AP's Automatic Firmware Configuration update functionalities with DHCP Options on the AP for mesh nodes as well?
Resolution: Yes, mesh nodes also support Automatic Firmware Configuration updates using DHCP Options. Make sure you create DHCP reservations for each mesh node and add an appropriate configuration file to each one of them. If you don't, the base bridge configuration file could get applied on a client bridge or repeater and you will lose connectivity to that AP.

Mesh Deployment Issue 13 - Why do I lose connectivity when updating configurations?
When I make a configuration change and apply the changes on a client bridge or repeater, I momentarily lose connectivity to that AP. Why?
Resolution: That is expected behavior. When you make a configuration change on a mesh supported AP, it brings the radio driver down and then back up again. Consequently, the AP needs to re-establis
464. o be a valid system name.
loc <loc>  Sets the access point system location to <loc> (1 to 59 characters).
email <email>  Sets the access point admin email address to <email> (1 to 59 characters).
cc <code>  Sets the access point country code using two letters <code>.

For information on configuring System Settings using the applet (GUI), see Configuring System Settings on page 4-2. Refer to Appendix A for information on the two-character country codes.

AP51xx>admin(system)>lastpw
Description: Displays last expired debug password.
Example:
admin(system)>lastpw
AP 51xx MAC Address is 00:15:70:02:7A:66
Last debug password was motorola
Current debug password used 0 times, valid 4 more time(s)
admin(system)>

AP51xx>admin(system)>arp
Description: Displays the access point's arp table.
Example:
admin(system)>arp
Address    HWtype    HWaddress
465. o>  <lifetime>  <group>
Defines the name of the tunnel <name> the Security Association Life Time <300-65535> applies to, in seconds.
Sets the Operation Mode of IKE for <name> to Main or Aggressive.
Sets the Local ID type for IKE authentication for <name> (1 to 13 characters) to <idtype> (IP, FQDN, or UFQDN).
Sets the Remote ID type for IKE authentication for <name> (1 to 13 characters) to <idtype> (IP, FQDN, or UFQDN).
Sets the Local ID data for IKE authentication for <name> to <idtype>. This value is not required when the ID type is set to IP.
Sets the Local ID data for IKE authentication for <name> to <idtype>. This value is not required when the ID type is set to IP.
Sets the IKE Authentication type for <name> to <authtype> (PSK or RSA).
Sets the IKE Authentication Algorithm for <name> to MD5 or SHA1.
Sets the IKE Authentication passphrase for <name> to <phrase>.
Sets the IKE Encryption Algorithm for <name> to <encalgo> (one of DES, 3DES, AES128, AES192, or AES256).
Sets the IKE Key life time in seconds for <name> to <lifetime>.
Sets the IKE Diffie Hellman Group for <name> to either G768 or G1024.

For information on configuring VPN using the applet (GUI), see Configuring VPN Tunnels on page 6-36.

AP51xx>admin(network.wan.vpn)> delete
Description: Deletes VPN tu
466. o import a mesh supported

9.2 Configuring Mesh Networking Support
Configuring the access point for Mesh Bridging support entails:
- Setting the LAN Configuration for Mesh Networking Support
- Configuring a WLAN for Mesh Networking Support
- Configuring the Access Point Radio for Mesh Support

9.2.1 Setting the LAN Configuration for Mesh Networking Support
At least one of the two access point LANs needs to be enabled and have a mesh configuration defined to correctly function as a base or client bridge within a mesh network. This section describes the configuration activities required to define a mesh network's LAN configuration.

As the Spanning Tree Protocol (STP) mentions, each mesh network maintains hello, forward delay and max age timers. The base bridge defined as the root imposes these settings within the mesh network. The user does not necessarily have to change these settings, as the default settings will work. However, Motorola encourages the user to define an access point as a base bridge and root (using the base bridge priority settings within the Bridge STP Configuration screen). Members of the mesh network can be configured as client bridges or additional base bridges with a higher priority value.

NOTE: For an overview on mesh networking and some of the implications on using the feature with the access point, see Configuring Mesh Networking on page 9-1.

To define a LAN's Mesh STP C
467. o system flash.
quit  Quits the CLI.
..  Goes to the parent menu.
/  Goes to the root menu.

For information on configuring EAP TTLS Radius values using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin(system.radius.eap.ttls)> set/show
Description: Defines and displays TTLS parameters.
Syntax:
set  Sets the TTLS authentication <type>.
show  Displays the TTLS authentication type.
Example:
admin(system.radius.eap.ttls)>set auth pap
admin(system.radius.eap.ttls)>show
TTLS Auth Type : pap

For information on configuring EAP TTLS Radius values using the applet (GUI), see Configuring User Authentication on page 6-64.

8.4.6.2 AP51xx>admin(system.radius)> policy
Description: Goes to the access policy submenu.
Syntax:
set  Sets a group's WLAN access policy.
access time  Goes to the time based login submenu.
show  Displays the group's access policy.
save  Saves the configuration to system flash.
quit  Quits the CLI.
..  Goes to the parent menu.
/  Goes to the root menu.

For information on configuring Radius access policies using the applet (GUI), see Configuring User Authentication on page 6-64.

AP51xx>admin(system.radius.policy)> set
Description: Defines the group's WLAN access policy.
Syntax:
set <group>  Defines the group's <group name> WLAN a
468. o the access point's WAN port renders the with the access point's LAN port.

Ensure the cable length from the Ethernet source (host) to the Power Tap (or Power Injector) and access point does not exceed 100 meters (333 ft). Neither the Power Tap nor the Power Injector has an On/Off switch. Each receives power as soon as AC power is applied.
3. For Power Tap installations, have a certified electrician open the Power Tap enclosure, feed the power cable through the unit's LINE AC connector, secure the power cable to the unit's three screw termination block and tighten the unit's LINE AC clamp (by hand) to ensure the power cable cannot be pulled from the unit and is protected from the elements.
4. For Power Tap installations, attach a ground cable between the EARTH GROUND connector (on the back of the unit) to a suitable earth ground connection as defined by your local electrical code.
5. Verify all cable connections are complete before supplying power to the access point.

2.6.1.3 Power Injector LED Indicators
NOTE: The AP 5181 Power Tap (Part No. AP-PSBIAS-5181-01R) does not have LED indicators.

The Power Injector demonstrates the following LED behavior under normal and/or problematic operating conditions:
LED: Green (Steady)
AC (Main): Power Injector is receiving power from an AC outlet.
Port: Indicates a device is connected to the Power Injector's outgoing Data & Power cable.
LED: Green (Blinkin
469. o the last saved configuration.
8. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

4.7 Logging Configuration
The access point provides the capability for periodically logging system events that prove useful in assessing the throughput and performance of the access point or troubleshooting problems on the access point managed Local Area Network (LAN). Use the Logging Configuration screen to set the desired logging level (standard syslog levels) and view or save the current access point system log.

To configure event logging for the access point:
1. Select System Configuration -> Logging Configuration from the access point menu tree.
[Screenshot: Logging Configuration screen]
2. Configure the Log Options field
470. o00000000  oo0oo0oo0o00000000
Tunnel to Switch : disable
AC Keepalive oo
Current Switch : 157.235.22.11
AP Adoption State : TBD
admin(system.aap-setup)>

NOTE: The access point CLI is the only AP interface that displays the adaptive AP's adoption status and AP run state. This information does not appear within the Adaptive AP Setup screen.

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.
For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

AP51xx>admin(system.aap-setup)>set
Description: Sets access point's Adaptive AP configuration.
Syntax:
set auto discovery  Sets the switch auto discovery mode (enable/disable).
interface  Defines the tunnel interface.
ipadr  Defines the switch IP address used.
name  Defines the switch name for DNS lookups.
port  Sets the port.
passphrase  Defines the pass phrase or key for switch connection.
tunnel to switch  Enables/disables the tunnel between switch and access point.
ac keepalive  Defines the keepalive interval.

For information on configuring adaptive AP using the applet (GUI), see Adaptive AP Setup on page 4-6.
For an overview of adaptive AP functionality and its implications, see Adaptive AP on page 10-1.

AP51xx>admin(system.aap-setup)>delete
Description: Deletes static switch address assignments
471. oS policy index specified.
Defines the data type used with the qos policy and mesh network. When set to a value other than manual, editing the access category values is not necessary. Options include 11g default, 11b default, 11g wifi, 11b wifi, 11g voice, 11b voice or manual for advanced users.
Defines Minimum Contention Window (CW Min) for specified access category and index.
Defines Maximum Contention Window (CW Max) for specified access category and index.
Sets Arbitrary Inter-Frame Space Number (AIFSN) for specified access category and index.
Configures Opportunity to Transmit Time (TXOPs Time) for specified access category and index.
Defines CWMIN, CWMAX, AIFSN and TXOPs default values.
Completes the policy edit and exits the session.
Cancels the changes and exits.

For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.

AP51xx>admin(network.wireless.qos.edit)>
Description: Edits the properties of an existing QoS policy.
Syntax:
show  Displays QoS policy parameters.
set qos name <index>  Sets the QoS name for the specified index entry.
vop <index>  Enables or disables support (by index) for legacy VOIP devices.
mcast <mac>  Defines primary and secondary Multicast MAC address.
wmm qos <index>  Enables or disables the QoS policy index specified.
param set <set name>  Defin
473. ocation.
Connect to the Windows 2000 or 2003 server used to sign the certificate.
Select the Request a certificate option. Click Next to continue.
Select the Advanced request checkbox from within the Choose Request Type screen and click Next to continue.
From within the Advanced Certificate Requests screen, select the Submit a certificate request using a base 64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS file option. Click Next to continue.
Paste the content of certificate in the Saved Request field (within the Submit a Saved Request screen).
NOTE: An administrator must make sure the Web Server option is available as a selectable option for those without administrative privileges.
If you do not have administrative privileges, ensure the Web Server option has been selected from the Certificate Template drop-down menu. Click Submit.
Select the Base 64 encoded checkbox option from within the Certificate Issued screen and select the Download CA Certificate link.
A File Download screen displays prompting the user to select the download location for the certificate.
14. Click the Save button and save the certificate to a secure location.
15. Load the certificates on the access point.
CAUTION: Ensure the CA Certificate is loaded before the Self Certificate, or risk an invalid certificate load.
16. Open the certificate file and copy its contents into
475. of EAP Request packets. The default is 10 seconds.
Specify the time period (in seconds) for the access point's retransmission of the EAP Identity Request frame. The default is 5 seconds.
Specify the maximum number of times the access point retransmits an EAP Request frame to the client before it times out the authentication session. The default is 2 retries.
Specify the time (in seconds) for the access point's retransmission of EAP Request packets to the server. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
Specify the maximum number of times for the access point to retransmit an EAP Request frame to the server before it times out the authentication session. The default is 2 retries.

Click the Apply button to save any changes made within the 802.1x EAP Settings field (including all 5 selectable tabs) of the New Security Policy screen.
Click the Cancel button to undo any changes made within the 802.1x EAP Settings field and return to the WLAN screen. This reverts all settings for the 802.1x EAP Settings field to the last saved configuration.

6.6 Configuring WEP Encryption
Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN.

WEP may be all that a small business user needs for the
476. of inactivity.

1.2.17 Statistical Displays
The access point can display robust transmit and receive statistics for the WAN and LAN ports. WLAN stats can be displayed collectively and individually for enabled WLANs. Transmit and receive statistics are available for the access point's 802.11a and 802.11b/g radios. An advanced radio statistics page is also available to display retry histograms for specific data packet retry information.

Associated MU stats can be displayed collectively and individually for specific MUs. An echo (ping) test is also available to ping specific MUs to assess association strength. Finally, the access point can detect and display the properties of other APs detected within the access point's radio coverage area. The type of AP detected can be displayed as well as the properties of individual APs.

For detailed information on available access point statistical displays and the values they represent, see Monitoring Statistics on page 7-1.

1.2.18 Transmit Power Control
The access point has a configurable power level for each radio. This enables the network administrator to define the antenna's transmission power level in respect to the access point's placement or network requirements as defined in the site survey.

For detailed information on setting the radio transmit power level, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

1.2.19 Advanced Event Logging Capability
The access point pro
477. oint WAN data.
Status: The Status field displays Enabled if the WAN interface is enabled on the WAN screen. If the WAN interface is disabled on the WAN screen, the WAN Stats screen displays no connection information and statistics. To enable the WAN connection, see Configuring WAN Settings on page 5-16.
HW Address: The Media Access Control (MAC) address of the access point WAN port. The WAN port MAC address is hard coded at the factory and cannot be changed. For more information on how access point MAC addresses are assigned, see AP 51xx MAC Address Assignment on page 1-30.
IP Addresses: The displayed Internet Protocol (IP) addresses for the access point WAN port.
Mask: The Mask field displays the subnet mask number for the access point's WAN connection. This value is set on the WAN screen. Refer to Configuring WAN Settings on page 5-16 to change the subnet mask.
Link: The Link parameter displays Up if the WAN connection is active between the access point and network, and Down if the WAN connection is interrupted or lost. Use this information to assess the current connection status of the WAN port.
Speed: The WAN connection speed is displayed in Megabits per second (Mbps), for example, 54Mbps. If the throughput speed is not achieved, examine the number of transmit and receive errors, or consider increasing the supported data rate. To change the data rate of the 802.11a or 802.11b/g ra
478. oint applet. A prompt displays confirming the logout before the applet is closed.

6.13.1 Moving Rogue APs to the Allowed AP List
The Active APs screen enables the user to view the list of detected rogue APs and, if necessary, select and move an AP into a list of allowed devices. This is helpful when the settings defined within the Rogue AP Detection screen inadvertently detect and define a device as a rogue AP.

To move detected rogue APs into a list of allowed APs:
1. Select Network Configuration -> Wireless -> Rogue AP Detection -> Active APs from the access point menu tree.
[Screenshot: Active APs screen]
The Active APs screen displays with detected rogue devices displayed within the Rogue APs table.
2. Enter a value (in minutes) in the Allowed APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the approved list and reevaluated. A zero (0) for this value (default value) indicates an AP can remain on the approved AP list permanently.
3. Enter a value (in minutes) in the Rogue APs Age Out Time field to indicate the number of elapsed minutes before an AP will be removed from the rogue AP list and reevaluated. A zero (0) for this value (de
479. [Screenshot: CA Certificates screen]
2. Copy the content of the CA Certificate message (using a text editor such as notepad) and click on Paste from Clipboard.
The content of the certificate displays in the Import a root CA Certificate field.
3. Click the Import root CA Certificate button to import it into the CA Certificate list.
4. Once in the list, select the certificate ID within the View Imported root CA Certificates field to view the certificate issuer name, subject, and certificate expiration data.
5. To delete a certificate, select the Id from the drop-down menu and click the Del button.

4.4.2 Creating Self Certificates for Accessing the VPN
The access point requires two kinds of certificates for accessing the VPN: CA certificates and self certificates. Self certificates are certificate requests you create, send to a Certificate Authority (CA) to be signed, then import the signed certificate into the management system.

CAUTION: Self certificates can only be generated using the access point GUI and CLI interfaces. No functionality exists for creating a self certificate using the access point's SNMP configuration option.

To create a self certificate:
1. Select System Configuration -> Certificate Mgmt -> Self Certificates from the access point menu tree.
2. Click on the Add button to create the certificate request.
Cert
480. Applying a Filter to LAN1, LAN2 or a WLAN (1-16)  5-78

Chapter 6. Configuring Access Point Security
Configuring Security Options  6-2
Setting Passwords  6-3
Resetting the Access Point Password  6-4
Enabling Authentication and Encryption Schemes  6-5
Configuring Kerberos Authentication  6-8
Configuring 802.1x EAP Authentication  6-11
Configuring WEP Encryption  6-16
Configuring KeyGuard Encryption  6-18
Configuring WPA/WPA2 Using TKIP  6-21
Configuring WPA2-CCMP (802.11i)  6-24
Configuring Firewall Settings  6-27
Configuring LAN to WAN Access  6-30
Available Protocols  6-33
Configuring Advanced Subnet Access  6-34
Configuring VPN Tunnels  6-36
Configuring Manual Key Settings  6-40
Configuring Auto Key Settings
481. on WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.

1.2.8.7 Firewall Security
A firewall keeps personal data in and hackers out. The firewall prevents suspicious Internet traffic from proliferating the access point managed network. The access point performs Network Address Translation (NAT) on packets passing to and from the WAN port. This combination provides enhanced security by monitoring communication with the wired network.

For detailed information on configuring the access point's firewall, see Configuring Firewall Settings on page 6-27.

1.2.8.8 VPN Tunnels
Virtual Private Networks (VPNs) are IP-based networks using encryption and tunneling providing users remote access to a secure LAN. In essence, the trust relationship is extended from one LAN across the public network to another LAN, without sacrificing security. A VPN behaves like a private network; however, because the data travels through the public network, it needs several layers of security. The access point can function as a robust VPN gateway.

For detailed information on configuring VPN security support, see Configuring VPN Tunnels on page 6-36.

1.2.8.9 Content Filtering
Content filtering allows system administrators to block specific commands and URL extensions from going out through the WAN port. Therefore, content filtering affords system administrators selective control on the content proliferating the network and is a powerful screening tool.
482. on all channels defined by the country code. The statistics enable an MU to reassociate by synchronizing its channel to the access point. The MU continues communicating with that access point until it needs to switch cells or roam.

MUs perform partial scans at programmed intervals, when missing expected beacons or after excessive transmission retries. In a partial scan, the MU scans access points classified as proximate on the access point table. For each channel, the MU tests for Clear Channel Assessment (CCA). The MU broadcasts a probe with the ESSID and broadcast BSS_ID when the channel is transmission-free. It sends an ACK to a directed probe response from the access point and updates the table.

An MU can roam within a coverage area by switching access points. Roaming occurs when:
- Unassociated MU attempts to associate or reassociate with an available access point
- Supported rate changes or the MU finds a better transmit rate with another access point
- RSSI (received signal strength indicator) of a potential access point exceeds the current access point
- Ratio of good transmitted packets to attempted transmitted packets falls below a threshold.

An MU selects the best available access point and adjusts itself to the access point direct-sequence channel to begin association. Once associated, the access point begins forwarding frames addressed to the target MU. Each frame contains fields for the current direct-sequence channel. The MU uses these fields to resynchro
483. on and memory usage to analyze performance and make better determinations on how to use the access point's remaining resources.

For information on reviewing the access point's CPU and memory usage, see CPU and Memory Statistics on page 7-39.

1.1.6 WIPS Support
An access point radio can function as a Wireless Intrusion Protection System (WIPS) sensor and upload sensor mode operation information to a dedicated WIPS server. Either one or both of the access point radios can be configured as a WIPS supported radio. WIPS is not supported on a WLAN basis; rather, WIPS is supported on the access point radio(s) available to each WLAN.

WIPS protects your wireless network, mobile devices and traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock 802.11a/b/g wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.

NOTE: WIPS support requires a Motorola AirDefense WIPS Server on the network. WIPS functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server.

For use in configuring the access point for WIPS support, see Configuring WIPS Server Setti
484. one of the access point's WLANs.
MU denied association: Generates a trap when an MU is denied association to an access point WLAN. Can be caused when the maximum number of MUs for a WLAN is exceeded or when an MU violates the access point's Access Control List (ACL).
MU denied authentication: Generates a trap when an MU is denied authentication on one of the AP's WLANs. Can be caused by the MU being set for the wrong authentication type for the WLAN or by an incorrect key or password.

Configure the SNMP Traps field to generate traps when SNMP capable MUs are denied authentication privileges or are subject of an ACL violation. When a trap is enabled, a trap is sent every 5 seconds until the condition no longer exists.
SNMP authentication failures: Generates a trap when an SNMP-capable client is denied access to the access point's SNMP management functions or data. This can result from an incorrect login, or missing/incorrect user credentials.
SNMP ACL violation: Generates a trap when an SNMP client cannot access SNMP management functions or data due to an Access Control List (ACL) violation. This can result from a missing/incorrect IP address entered within the SNMP Access Control screen.

4. Configure the Network Traps field to generate traps when the access point's link status changes or when the AP's firewall detects a DOS attack.
Physical port status change    DynDNS Update    Den
485. onfiguration.
1. Select Network Configuration -> LAN from the AP-5131 menu tree.
2. Enable the LAN used to support the mesh network.
Verify the enabled LAN is named appropriately in respect to its intended function in supporting the mesh network.
3. Select Network Configuration -> LAN -> LAN1 or LAN2 from the AP-5131 menu tree.
4. Click the Mesh STP Configuration button on the bottom of the screen.
5. Define the properties for the following parameters within the mesh network.
[Screenshot: Mesh STP Configuration dialog with Priority, Maximum Message age, Hello Time, Forward Delay and Forwarding Table Ageout fields]
6. Click OK to return to either the LAN1 or LAN2 screen where updates to the Mesh STP
Priority: Set the Priority as low as possible to force other devices within the mesh network to defer to this client bridge as the bridge defining the mesh configuration (commonly referred to as the root). Motorola recommends assigning a Base Bridge AP with the lowest bridge priority so it becomes the root in the STP. If a root already exists, set the Bridge Priorities of new APs accordingly so the root of the STP doesn't get altered. Each access point starts with a default bridge priority of 32768.
Maximum Message age: The Maximum Message age timer is used with the Message Age timer. The Message Age timer
486. onfigured for embedded and global options, the embedded options take precedence.
B.1.2 Linux - BootP Server Configuration
See the following sections for information on these BootP server configurations in the Linux environment:
• BootP Options
• BootP Priorities
B.1.2.1 BootP Options
This section contains instructions for the automatic update of the access point firmware and configuration file using a BootP Server.
The setup example described in this section includes:
• 1 AP-5131 or AP-5181 model access point
• 1 Linux/Unix BOOTP Server
• 1 TFTP Server.
To configure BootP options using a Linux/Unix BootP Server:
1. Set the Linux/Unix BootP Server and access point on the same Ethernet segment.
2. Configure the bootptab file (/etc/bootptab) on the Linux/Unix BootP Server in any one of the formats that follows:
Using options 186, 187 and 188:
    AP-5131:ha=00a0f88aa6d8        <LAN MAC Address>
    :sm=255.255.255.0              <Subnet Mask>
    :ip=157.235.93.128             <IP Address>
    :gw=157.235.93.2               <gateway>
    :T186="157.235.93.250"         <TFTP Server IP>
    :T187="apfw.bin"               <Firmware file>
    :T188="cfg.txt"                <Configuration file>
Using options 66, 67 and 129:
    AP-5131:ha=00a0f88aa6d8        <LAN MAC Address>
    :sm=255.255.255.0              <Subnet Mask>
    :ip=157.235.93.128             <IP Address>
    :gw=157.235.93.2               <gateway>
    :T66="157.235.93.250"          <TFTP Server IP>
    :T67="apfw.bin"                <Firmware file
487. options available on the access point, refer to the following:
• To set an administrative password for secure access point logins, see Setting Passwords on page 6-3.
• To display security policy screens used to configure the authentication and encryption schemes available to the access point, see Enabling Authentication and Encryption Schemes on page 6-5. These security policies can be used on more than one WLAN.
• To create a security policy supporting 802.1x EAP, see Configuring 802.1x EAP Authentication on page 6-11.
• To define a security policy supporting Kerberos, see Configuring Kerberos Authentication on page 6-8.
• To create a security policy supporting WEP, see Configuring WEP Encryption on page 6-16.
• To configure a security policy supporting KeyGuard, see Configuring KeyGuard Encryption on page 6-18.
• To define a security policy supporting WPA-TKIP, see Configuring WPA/WPA2 Using TKIP on page 6-21.
• To create a security policy supporting WPA2-CCMP, see Configuring WPA2-CCMP (802.11i) on page 6-24.
• To configure the access point to block specific kinds of HTTP, SMTP and FTP data traffic, see Configuring Firewall Settings on page 6-27.
• To create VPN tunnels allowing traffic to route securely through an IPSEC tunnel to a private network, see Configuring VPN Tunnels on page 6-36.
• To configure the access point to block transmissions with devices detected as Rogue APs (hostile devices), see Configuring Rogue AP Detection on page 6-55.
Configurin
488. or information on locating the access point MAC addresses, see Viewing WAN Statistics on page 7-2 and Viewing LAN Statistics on page 7-6.
Displays the access point's mode of operation to convey whether the access point is functioning as a standalone access point (Independent mode) or in Adaptive (thin AP) mode. If in Adaptive mode, the access point attempts to discover a switch through one or more of several mechanisms: DNS, DHCP, ICMP, CAPWAP or a statically programmed IP address. For information on adaptive AP, see Adaptive AP on page 10-1.
3. Refer to the Factory Defaults field to restore either a full or partial default configuration.
CAUTION: Restoring the access point's configuration back to default settings changes the administrative password back to "motorola". If restoring the configuration back to default settings, be sure you change the administrative password accordingly.
Restore Default Configuration: Select the Restore Default Configuration button to reset the AP's configuration to factory default settings. If selected, a message displays warning the user the current configuration will be lost if the default configuration is restored. Before using this feature, Motorola recommends using the Config Import/Export screen to export the current configuration for safekeeping, see Importing/Exporting Configurations on page 4-49.
Restore Partial: Select the Restore Partial Default Configura
489. ormation on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-32.
AP51xx>admin(stats.echo)> list
Description: Lists echo test parameters and results.
Syntax:
    list    Lists echo test parameters and results.
Example:
    admin(stats.echo)>list
    Station Address      : 00A0F8213434
    Number of Pings      : 10
    Packet Length        : 10
    Packet Data (in HEX) : 55
    admin(stats.echo)>
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-32.
AP51xx>admin(stats.echo)> set
Description: Defines the parameters of the echo test.
Syntax:
    set station <mac>    Defines MU target MAC address.
        request <num>    Sets number of echo packets to transmit (1-539).
        length <num>     Determines echo packet length in bytes (1-539).
        data <hex>       Defines the particular packet data.
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-32.
AP51xx>admin(stats.echo)> start
Description: Initiates the echo test.
Syntax:
    start    Initiates the echo test.
Example:
    admin(stats.echo)>start
    admin(stats.echo)>list
    Station Address        : 00A0F843AABB
    Number of Pings        : 10
    Packet Length          : 100
    Packet Data (in HEX)   Hab
    Number of MU Responses : 2
For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on pa
490. ormation to assess whether the current access point data rate is sufficient to support required network traffic.
Avg. Bit Speed: The Total column displays the average bit speed in Mbps for a given time period on the selected WLAN. This includes all packets that are sent and received. The number in black represents statistics for the last 30 seconds and the number in blue represents statistics for the last hour. If the bit speed is significantly slower than the selected data rate, refer to the RF Statistics and Errors fields to troubleshoot.
Non-unicast pkts: Displays the percentage of the total packets that are non-unicast. Non-unicast packets include broadcast and multicast packets. The number in black represents packets for the last 30 seconds and the number in blue represents packets for the last hour.
Refer to the RF Status field to view the following MU signal, noise and performance information for the WLAN selected from the access point menu tree.
Avg MU Signal, Avg MU Noise, Avg MU SNR
Displays the average RF signal strength in dBm for all MUs associated with the selected WLAN. The number in black represents this statistic for the last 30 seconds and the number in blue represents this statistic for the last hour. If the signal is low, consider mapping the MU to a different WLAN if a better functional grouping of MUs can be determined.
Displays the average RF noise for all MUs associated with the
491. ort is required for MUs on that 802.11 band.
[Screenshot: New WLAN screen of the AP-5131 Access Point applet]
9.3.1.2 Configuring AP 2
AP 2 can be configured the same as AP 1 with the following exceptions:
• Assign an IP Address to the LAN1 Interface different than that of AP 1
• Assign a higher Mesh STP Priority 50000 to the AP 2 LAN1 Interface.
STP
492. ot provider
• User authentication - Authenticates users using a Radius server.
• Walled garden support - Enables a list of IP address (not domain names) accessed without authentication.
• Billing system integration - Sends accounting records to a Radius accounting server.
CAUTION: When using the access point's hotspot functionality, ensure MUs are re-authenticated when changes are made to the characteristics of a hotspot enabled WLAN, as MUs within the WLAN will be dropped from access point device association.
To configure hotspot functionality for an access point WLAN:
1. Ensure the Enable Hotspot checkbox is selected from within the target WLAN screen, and ensure the WLAN is properly configured.
Any of the sixteen WLANs on the access point can be configured as a hotspot. For hotspot enabled WLANs, DHCP, DNS, HTTP and HTTP-S traffic is allowed (before you login to the hotspot), while TCP/IP packets are redirected to the port on the subnet to which the WLAN is mapped. For WLANs not hotspot enabled, all packets are allowed.
2. Click the Configure Hotspot button within the WLAN screen to display the Hotspot Configuration screen for that target WLAN.
[Screenshot: Hotspot Configuration screen with HTTP Redirection and Radius Accounting fields]
493. ote security gateway.
Inbound SPI (Hex): Enter an up to six character hexadecimal value to identify the inbound security association created by the AH algorithm. The value must match the corresponding outbound SPI value configured on the remote security gateway.
Outbound SPI (Hex): Provide an up to six character hexadecimal value to identify the outbound security association created by the AH algorithm. The value must match the corresponding inbound SPI value configured on the remote security gateway.
ESP Type: ESP provides packet encryption, optional data authentication and anti-replay services for the VPN tunnel. Use the drop-down menu to select the ESP type. Options include:
• None - Disables ESP. The rest of the fields are not active.
• ESP - Enables ESP for the tunnel.
• ESP with Authentication - Enables ESP with authentication.
ESP Encryption Algorithm, Inbound ESP Encryption Key, Outbound ESP Encryption Key, ESP Authentication Algorithm, Inbound ESP Authentication Key, Outbound ESP Authentication Key
Select the encryption and authentication algorithms for the VPN tunnel using the drop-down menu.
• DES - Uses the DES encryption algorithm requiring 64-bit (16-character hexadecimal) keys.
• 3DES - Uses the 3DES encryption algorithm requiring 192-bit (48-character hexadecimal) keys.
• AES 128-bit - Uses the Advanced Encryption Standard algorithm with 128-bit (32-character he
494. otorola recommends importing configuration files using the CLI. If errors occur during the import process, they display all at once and are easier to troubleshoot. The access point GUI displays errors one at a time, and troubleshooting can be a more time consuming process.
NOTE: When importing the configuration, a xxxxxbytes loaded status message indicates the file was downloaded successfully. An Incompatible Hardware Type Error message indicates the configuration was not applied due to a hardware compatibility issue between the importing and exporting devices.
5. Click Apply to save the filename and Server IP information. The Apply button does not execute the import or export operation, only saves the settings entered.
6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on Config Import/Export screen to the last saved configuration.
7. Click Logout to securely exit the access point Motorola Access Point applet. A prompt displays confirming the logout before the applet is closed.
NOTE: For a discussion on the implications of replacing an existing AP-4131 deployment with an AP-5131 or AP-5181, see Replacing an AP-4131 with an AP-5131 or AP-5181 on page B-20.
4.9 Updating Device Firmware
Motorola periodically releases updated versions of the access point device firmware to the Motorola Web site. If the access point firmware version displayed on the System Sett
495. NOTE: Additionally, a WLAN can be defined as independent using the "wlan <index> independent" command from the config-wireless context.
Once an AAP is adopted by the switch, it displays within the switch Access Port Radios screen (under the Network parent menu item) as an AP-5131 or AP-5181 within the AP Type column.
[Screenshot: switch Access Port Radios screen]
10.4.3 Adaptive AP Deployment Considerations
Before deploying your switch/AAP configuration, refer to the following usage caveats to optimize its effectiveness:
• If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for switch auto discovery (primary/standby), the access point will un-adopt from its switch after a few moments. To remedy this problem, ensure LAN1 has 802.1q trunking enabled and the correct management VLAN defined.
• Extended WLANs are mapped to the AP's LAN2 interface and all independent WLANs are mapped to the AP's LAN1 Interface
496. oups of users, even when they are not in physical proximity. Sixteen WLANs are configurable on each access point.
To enable and configure WLANs on an access point radio, see Enabling Wireless LANs (WLANs) on page 5-27.
1.2.6 Support for 4 BSSIDs per Radio
The access point supports four BSSIDs per radio. Each BSSID has a corresponding MAC address. The first MAC address corresponds to BSSID #1. The MAC addresses for the other three BSSIDs (BSSIDs #2, #3, #4) are derived by adding 1, 2, 3, respectively, to the radio MAC address.
If the radio MAC address displayed on the Radio Settings screen is 00:A0:F8:72:20:DC, then the BSSIDs for that radio will have the following MAC addresses:
    BSSID      MAC Address          Hexadecimal Addition
    BSSID #1   00:A0:F8:72:20:DC    Same as Radio MAC address
    BSSID #2   00:A0:F8:72:20:DD    Radio MAC address +1
    BSSID #3   00:A0:F8:72:20:DE    Radio MAC address +2
    BSSID #4   00:A0:F8:72:20:DF    Radio MAC address +3
For detailed information on strategically mapping BSSIDs to WLANs, see Configuring the 802.11a or 802.11b/g Radio on page 5-56. For information on access point MAC address assignments, see AP-51xx MAC Address Assignment on page 1-30.
1.2.7 Quality of Service (QoS) Support
The QoS implementation provides applications running on different wireless devices a variety of priority levels to transmit data to and from the access point. Equal data transmission priority is fine for data
497. out: Defines the maximum time (between 30 - 120 seconds) allowed for SSH authentication to occur before executing a timeout. The minimum permissible value is 30 seconds.
SSH Keepalive Interval: The SSH Keepalive Interval defines a period (in seconds) after which if no data has been received from a client, SSH sends a message through the encrypted channel to request a response from the client. The default is 0, and no messages will be sent to the client until a non-zero value is set. Defining a Keepalive interval is important, otherwise programs running on a server may never notice if the other end of a connection is rebooted.
Use the Radius Server if a Radius server has been selected as the authentication server. Enter the required network address information.
Radius Server IP: Specify the numerical (non DNS name) IP address of the Remote Authentication Dial-In User Service (Radius) server. Radius is a client/server protocol and software enabling remote-access servers to communicate with a server used to authenticate users and authorize access to the requested system or service.
Port: Specify the port on which the server is listening. The Radius server typically listens on ports 1812 (default port).
Shared Secret: Define a shared secret for authentication on the server. The shared secret is required to be the same as the shared secret defined on the Radius server. Use shared secrets
498. outlet.
NOTE: If the AP-5131 is utilizing remote management antennae, a wire cover can be used to provide a clean finished look to the installation. Contact Motorola for more information.
9. Verify the behavior of the AP-5131 LEDs. For more information, see AP-5131 LED Indicators on page 2-23.
The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.
2.7.3 Suspended Ceiling T-Bar Installations
A suspended ceiling mount requires holding the AP-5131 up against the T-bar of a suspended ceiling grid and twisting the AP-5131 chassis onto the T-bar.
The mounting hardware and tools (customer provided) required to install the AP-5131 on a ceiling T-bar consists of:
• Safety wire (recommended)
• Security cable (optional)
To install the AP-5131 on a ceiling T-bar:
1. If required, loop a safety wire (with a diameter of at least 1.01 mm (.04 in.), but no more than 0.158 mm (.0625 in.)) through the tie post (above the AP-5131's console connector) and secure the loop.
2. If required, install and attach a security cable to the AP-5131 lock port.
3. Attach the radio antennae to their correct connectors.
CAUTION: Both the Dual and Single Radio model AP-5131s use RSMA type antenna connectors. On a Dual Radio AP-5131, a single do
499. p if an attack is detected against the WPA Key Exchange Mechanism.
Generates a trap when a change to the status of MU hotspot member is detected.
Generates a trap when a change to a VLAN state is detected.
Generates a trap when a change to the LAN monitoring state is detected.
6. Refer to the Set All Traps field to use a single location to either enable or disable each trap listed within the SNMP Traps screen.
Enable All: Select this button to enable each trap defined within the SNMP Traps screen. Once the changes are applied, each event listed will generate a trap upon its occurrence.
Disable All: Select this button to disable each trap defined within the SNMP Traps screen. Once the changes are applied, none of the events listed will generate a trap upon their occurrence.
7. Click Apply to save any changes to the SNMP Traps screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.
8. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on SNMP Traps screen to the last saved configuration.
9. Click Logout to securely exit the access point Access Point applet. A prompt displays confirming the logout before the applet is closed.
4.5.4 Configuring SNMP RF Trap Thresholds
Use the SNMP RF Trap Threshold screen as a means to track RF activity and the access point's radio and associated MU performa
500. peed.
TX Dropped: The TX Dropped field displays the number of data packets that fail to get sent from the access point LAN port.
TX Overruns: TX overruns are buffer overruns on the LAN port. TX overruns occur when packets are sent faster than the LAN connection can handle. If TX overruns are excessive, consider reducing the data rate; for more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.
TX Carrier: The TX Carrier field displays the number of TCP/IP data carrier errors.
5. Click the Clear LAN Stats button to reset each of the data collection counters to zero in order to begin new data collections. The RX/TX Packets and RX/TX Bytes totals remain at their present values and are not cleared.
6. Click the Logout button to securely exit the Access Point applet. There will be a prompt confirming logout before the applet is closed.
7.2.1 Viewing a LAN's STP Statistics
Each access point LAN has the ability to track its own unique STP statistics. Refer to the LAN STP Stats page when assessing mesh networking functionality for each of the two access point LANs. Access points in bridge mode exchange configuration messages at regular intervals (typically 1 to 4 seconds). If a bridge fails, neighboring bridges detect a lack of configuration messaging and initiate a spanning-tree recalculation (when spanning tree is enabled).
To view access point LAN STP statistics:
1. Select Status and Statist
501. ply results in all changes to the screen being lost.
4. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LDAP screen to the last saved configuration.
5. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
6.14.3 Configuring a Proxy Radius Server
The access point has the capability to proxy authentication requests to a remote Radius server based on the suffix of the user ID (such as myisp.com or company.com). The access point supports up to 10 proxy servers.
CAUTION: If using a proxy server for Radius authentication, the Data Source field within the Radius server screen must be set to Local. If set to LDAP, the proxy server will not be successful when performing the authentication. To verify the existing settings, see Configuring the Radius Server on page 6-64.
CAUTION: When configuring the credentials of an MU, ensure its login, or user name is a Fully Qualified Domain Name (FQDN), or it cannot be authenticated by the access point's proxy server. For example, ap5131 2kserver  FUSCIA com
To configure the proxy Radius server for the access point:
1. Select System Configuration -> User Authentication -> RADIUS Server -> Proxy from the menu tree.
502. point Known AP Statistics screen uses WNMP pings. Therefore, target devices that are not Motorola access points are unable to respond to the ping test.
5. Click the Send Cfg to APs button to send your access point's configuration to other access points. The recipient access point must be the same single or dual-radio model as the access point sending the configuration. The sending and recipient access points must also be running the same major firmware version (i.e., 1.1 to 1.1).
CAUTION: When using the Send Cfg to APs function to migrate an access point's configuration to other access points, it is important to keep in mind mesh network configuration parameters do not get completely sent to other access points. The Send Cfg to APs function will not send the "auto-select" and "preferred list" settings. Additionally, LAN1 and LAN2 IP mode settings will only be sent if the sender's AP mode is DHCP or BOOTP. The WAN's IP mode will only be sent if the sender's IP mode is DHCP.
Click the Start Flash button to flash the LEDs of other access points detected and displayed within the Known AP Statistics screen.
Use the Start Flash button to determine the location of the devices displayed within the Known AP Statistics screen. When an access point is highlighted and the Start Flash button is selected, the LEDs on the selected access point flash. When the Stop Flash button is selected, the LEDs on the selected acce
503. policy.
Syntax:
    show summary           Displays all existing QoS policies that have been defined.
         policy <index>    Displays the configuration for the requested QoS policy.
Example:
    admin(network.wireless.qos)>show summary
    QOS Policy Name    Associated WLANs
    1 Default          WLAN1, mudskipper
    2 IP Phones        Audio Dept
    3 Video            Vidio Dept
    admin(network.wireless.qos)>show policy 1
    Policy Name                    IP Phones
    Support Legacy Voice Mode      disable
    Multicast (Mask) Address 1     01005E000000
    Multicast (Mask) Address 2     09000E000000
    WMM QOS Mode                   disable
For information on configuring the WLAN QoS options available to the access point using the applet (GUI), see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.
AP51xx>admin(network.wireless.qos.create)>
Description: Defines an access point QoS policy.
Syntax:
    show
    set qos name <index>
        vop <index>
        mcast <mac>
        wmm qos <index>
        param set <set name>
        cwmin <access category> <index>
        cwmax <access category> <index>
        aifsn <access category> <index>
        txops <access category> <index>
        default <index>
    add policy
Displays QoS policy parameters.
Sets the QoS name for the specified index entry.
Enables or disables support (by index) for legacy VOIP devices.
Defines primary and secondary Multicast MAC address.
Enables or disables the Q
504. ported Rates
4. Refer to the Beacon Settings field to set the radio beacon and DTIM intervals.
Beacon Interval: The beacon interval controls the performance of power save stations. A small interval may make power save stations more responsive, but it will also cause them to consume more battery power. A large interval makes power save stations less responsive, but could increase power savings. The default is 100. Avoid changing this parameter as it can adversely affect performance.
DTIM Interval: The DTIM interval defines how often broadcast frames are delivered for each of the four access point BSSIDs. If a system has an abundance of broadcast traffic and it needs to be delivered quickly, Motorola recommends decreasing the DTIM interval for that specific BSSID. However, decreasing the DTIM interval decreases the battery life on power save stations. The default is 10 for each BSSID. Motorola recommends using the default value unless qualified to understand the performance risks of changing it.
5. Refer to the QBSS Load Element Setting field to optionally allow the access point to communicate channel usage data to associated devices and define the beacon interval used for channel utilization transmissions. The QBSS load represents the percentage of time the channel is in use by the access point and its station count. This information is very helpful in asses
505. pport this feature.
To review the lease time and expiration time of a DHCP leased IP address, see Viewing Subnet Lease Statistics on page 7-12.
1.1.3 Configurable MU Idle Timeout
The configurable MU idle timeout allows a MU timeout to be defined separately for individual WLANs. The MU timeout value can be defined using the access point's CLI, GUI and SNMP interfaces. Imported and exported configurations retain their defined MU idle timeout configurations. The default MU idle timeout is 30 minutes for each WLAN.
For additional information on setting a WLAN's MU idle timeout interval, see Creating/Editing Individual WLANs on page 5-30.
1.1.4 Auto Channel Select (ACS) Smart Scan
The access point supports a new Auto Channel Select (ACS) feature allowing users to specify an exception list for channel usage. When channel exceptions are defined, the access point skips the channels specified in the list. When the smart scan feature is enabled (it's disabled by default), up to 3 separate channels can be excluded. The exception list is configurable using the access point's CLI, GUI and SNMP interfaces. Imported and exported configurations retain their defined exception list configurations.
For additional information on defining a channel exception list, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.
1.1.5 Enhanced Statistics Support
With the new version of the access point firmware, users can monitor the access point's CPU utilizati
506. prompts are ignored.
5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LAN1 or LAN2 screen to the last saved configuration.
6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.
5.1.2.1 Configuring Advanced DHCP Server Settings
Use the Advanced DHCP Server screen to specify (reserve) static (or fixed) IP addresses for specific devices. Every wireless, 802.11x-standard device has a unique Media Access Control (MAC) address. This address is the device's hard-coded hardware number (shown on the bottom or back). An example of a MAC address is 00:A0:F8:45:9B:07.
The DHCP server can grant an IP address for as long as it remains in active use. The lease time is the number of seconds an IP address is reserved for re-connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses. This is useful, for example, in education and customer environments where MU users change frequently. Use longer leases if there are fewer users.
To generate a list of client MAC address to IP address mappings for the access point:
1. Select Network Configuration -> LAN -> LAN1 (or LAN2) from the access point menu tree.
2. Click the Advanced DHCP Server button from within the LAN1 or LAN2 screen.
507. ptive AP Setup from the access point's menu tree.

CAUTION: If deploying the access point as an AAP with a remote layer 3 configuration and the AAP is set for switch auto discovery (primary/standby), the access point will un-adopt from its switch after a few moments. To remedy this problem, ensure LAN1 has 802.1q trunking enabled and the correct management VLAN defined.

2. Select the Auto Discovery Enable checkbox.

Enabling auto discovery will allow the AAP to be detected by a switch once its connectivity medium has been configured (by completing steps 3-6).

3. Enter up to 12 Switch IP Addresses constituting the target switches available for AAP connection.

The AAP will begin establishing a connection with the first addresses in the list. If unsuccessful, the AP will continue down the list (in order) until a connection is established.

4. If a numerical IP address is unknown, but you know a switch's fully qualified domain name (FQDN), enter the name as the Switch FQDN value.

5. Select the Enable AP Switch Tunnel option to a
508. quivalent Privacy (WEP) is an encryption security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard, 802.11b and supported by the AP. WEP encryption is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. The level of protection provided by WEP encryption is determined by the encryption key length and algorithm. An encryption key is a string of case sensitive characters used to encrypt and decrypt data packets transmitted between a mobile unit (MU) and the access point. An access point and its associated wireless clients must use the same encryption key (typically 1 through 4) to interoperate.

For detailed information on WEP, see Configuring WEP Encryption on page 6-16.

1.2.8.4 KeyGuard Encryption

Use KeyGuard to shield the master encryption keys from being discovered through hacking. KeyGuard negotiation takes place between the access point and MU upon association. The access point can use KeyGuard with Motorola MUs. KeyGuard is only supported on Motorola MUs, making it a Motorola proprietary security mechanism.

For detailed information on KeyGuard configurations, see Configuring KeyGuard Encryption on page 6-18.

1.2.8.5 Wi-Fi Protected Access (WPA) Using TKIP Encryption

Wi-Fi Protected Access (WPA) is a security standard for systems operating with a Wi-Fi wireless connection. WEP's lack of user authentication mechanisms is addressed by WPA. Compared to WEP, WPA provides superior data 
509. r AP-5181 model access point
• 1 Microsoft Windows DHCP Server
• 1 TFTP Server

Note the following caveats regarding this procedure before beginning:

• Ensure the LAN Interface is configured as a DHCP Client
• If the existing and update firmware files are the same, the firmware will not get updated.

To configure the DHCP Server for automatic updates:

1. Set the Windows DHCP Server and access point on the same Ethernet segment.

2. Configure the Windows based DHCP Server as follows:

a. Highlight the Server Domain Name (for example, apfw.motorola.com). From the Action menu, select Define Vendor Classes.

b. Create a new vendor class. For example, AP51xx Options.

c. Enter the vendor class Identifier MotorolaAP 51xx V1 1 1. Enter the value in ASCII format, the server converts it to hex automatically. Use the chart below to determine which vendor class ID to use based on the firmware.

AP Firmware        Vendor Class ID
1.1 (or older)     SymbolAP 5131 V1 1
1.1.1.x            Symbol AP 51 xx V1 1 1
1.1.2.x            MotorolaAP51xx V1 1 2
2.0                MotorolaAP 51xx V2 0 0

d. From the Action menu, select Set Predefined Options.

e. Add the following 3 new options under AP51xx Options class:

Option                                 Code                                         Data type
Access point TFTP Server IP Address    181 or 186 (Note: Use any one option)
Access point Firmware File Name        187
Access point Config File Name          129 or 188 (Note: Use any one option)

5. While the access point boots, verify the access point
510. r disables the interoperation with wpa2 tkip clients. Enables or disables preauthentication (fast roaming).

type <key type>          Sets the TKIP key type.
key <256 bit key>        Sets the TKIP key to <256 bit key>.
phrase <ascii phrase>    Sets the TKIP ASCII pass phrase to <ascii phrase> (8-63 characters).

ccmp
rotate mode <mode>       Enables or disabled the broadcast key.
interval <time>          Sets the broadcast key rotation interval to <time> in seconds (300-604800).
type <key type>          Sets the CCMP key type.
phrase <ascii phrase>    Sets the CCMP ASCII pass phrase to <ascii phrase> (8-63 characters).
key <256 bit key>        Sets the CCMP key to <256 bit key>.
mixed mode <mode>        Enables or disables mixed mode (allowing WPA TKIP clients).
preauth <mode>           Enables or disables preauthentication (fast roaming).

add policy               Adds the policy and exits.
                         Disregards the policy creation and exits the CLI session.

CAUTION: If importing a 1.1 (or earlier) baseline configuration, the 802.1x EAP Radius shared secret password will remain "symbol", instead of "motorola" (as now required with the 2.0 or later baseline). If the shared secret password is not changed to "motorola" there will be a shared secret mis-match, resulting in MU authentication failures. This password cannot be set using the access point Web UI, and must be changed using th
511. r the Internet will be possible. MUs cannot communicate beyond the configured subnets.

Select the This Interface is a DHCP Client checkbox to enable DHCP for the access point's WAN connection. This is useful if the larger corporate network or Internet Service Provider (ISP) uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway.

NOTE: Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

Specify an IP address for the access point's WAN connection. An IP address uses a series of four numbers expressed in dot notation, for example, 190.188.12.1 (no DNS names supported).

Specify a Subnet Mask for the access point's WAN connection. This number is available from the ISP for a DSL or cable modem connection, or from an administrator if the access point connects to a larger network. A subnet mask uses a series of four numbers expressed in dot notation. For example, 255.255.255.0 is a valid subnet mask.

e. Define a Default Gateway address for the access point's WAN connection. The ISP or a network administrator provides this address.

f. Specify the address of a Primary DNS Server. The ISP or a network administrator provides this address.

6. Optionally, use the Enable
512. rame field displays the number of TCP/IP data frame errors received.

Refer to the Transmitted field to reference data received over the access point WAN port.

TX Packets: TX packets are data packets sent over the WAN connection. The displayed number is a cumulative total since the WAN was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

TX Bytes: TX bytes are bytes of information sent over the WAN connection. The displayed number is a cumulative total since the WAN interface was last enabled or the access point was last restarted. To begin a new data collection, see Configuring System Settings on page 4-2.

TX Errors: TX errors include dropped data packets, buffer overruns, and carrier errors on outbound traffic. The displayed number of TX errors is the total of TX Dropped, TX Overruns and TX Carrier errors. Use this information to assess access point location and transmit speed.

TX Dropped: The TX Dropped field displays the number of data packets that fail to get sent from the WAN interface.

TX Overruns: TX overruns are buffer overruns on the WAN connection. TX overruns occur when packets are sent faster than the WAN interface can handle. If TX overruns are excessive, consider reducing the data rate. For more information, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

TX Carrier: The TX Carrier field displays the number of TCP/IP data carrier errors 
513. rary length and produces a 128-bit fingerprint. The MD5 setting activates the RIP v2 Authentication settings for keys (below).

If the Simple authentication method is selected, specify a password of up to 15 alphanumeric characters in the Password (Simple Authentication) area.

5. If the MD5 authentication method is selected, fill in the Key 1 field (Key 2 is optional). Enter any numeric value between 0 and 256 into the MD5 ID area. Enter a string consisting of up to 16 alphanumeric characters in the MD5 Auth Key area.

6. Click the OK button to return to the Router screen. From there, click Apply to save the changes.

5.6 Configuring IP Filtering

Use the access point's IP filtering functionality to determine which IP packets are processed normally by the access point and which are discarded. If discarded, a packet is deleted and ignored (as if never received). The allow/deny mechanism used by IP filtering makes it similar to an access control list (ACL).

IP filtering supports the creation of up to 18 filter rules enforced at layer 3. Once defined (using the access point's SNMP, GUI or CLI), filtering rules can be enforced on the access point's LAN1 or LAN2 interfaces and within any of the 16 access point WLANs. An additional default action is also available denying traffic when filter rules fail. Lastly, imported and exported configurations retain their defined IP filtering configurations.

IP filtering is a networ
514. ration -> Firmware Update from the access point menu tree.

3. Configure the DHCP Options checkboxes to enable/disable automatic firmware and/or configuration file updates.

DHCP options are used for out-of-the-box rapid deployment for Motorola wireless products. The following are the two options available on the access point:

• Enable Automatic Firmware Update
• Enable Automatic Configuration Update

Both DHCP options are enabled by default.

These options can be used to update newer firmware and configuration files on the access point. For more information on how to configure a DHCP or BootP Server for the automatic upgrade process, see Usage Scenarios on page B-1.

The update is conducted over the LAN or WAN port depending on which server responds first to the access point's request for an automatic update.
515. rations are being introduced allowing customers to take advantage of the adaptive AP architecture and to reduce deployment costs.

These dependent mode AP configurations are a software variant of the AP-5131 and will be functional only after the access point is adopted by a wireless switch. After adoption, the dependent mode AP receives its configuration from the switch and starts functioning like other adaptive access points. For ongoing operation, the dependent mode AP-5131 needs to maintain connectivity with the switch. If switch connectivity is lost, the dependent mode AP-5131 continues operating as a stand-alone access point for a period of 3 days before resetting and executing the switch discovery algorithm again.

A dependent mode AP cannot be converted into a standalone AP-51XX through a firmware change. Refer to AP-51xx Hardware/Software Compatibility Matrix within the release notes bundled with the access point firmware.

AP 5131 13040 D WR    Dependent AP-5131 Dual Radio (Switch Required)
AP 5131 40020 D WR    Dependent AP-5131 Single Radio (Switch Required)

10.1.4 Licensing

An AAP uses the same licensing scheme as a thin access port. This implies an existing license purchased with a switch can be used for an AAP deployment. Regardless of how many AP300 and/or AAPs are deployed, you must ensure the license used by the switch supports the number of radio ports (both AP300s and AAPs) you
516. rder.

Move Down: Clicking the Move Down button moves the selected rule down by one row in the table. The index numbers for the affected rows adjust to reflect the new order.

Index: The index number determines the order firewall rules are executed. Rules are executed from the lowest number to the highest number.

Source IP: The Source IP range defines the origin address or address range for the firewall rule. To configure the Source IP range, click on the field. A new window displays for entering the IP address and range.

Destination IP: The Destination IP range determines the target address or address range for the firewall rule. To configure the Destination IP range, click on the field. A new window displays for entering the IP address and range.

Transport: Select a protocol from the drop-down list. For a detailed description of the protocols available, see Available Protocols on page 6-33.

Src. Ports (Source Ports): The source port range determines which ports the firewall rule applies to on the source IP address. Click on the field to configure the source port range. A new window displays to enter the starting and ending port ranges. For rules where only a single port is necessary, enter the same port in the start and end port fields.

Dst. Ports (Destination Ports): The destination port range determines which ports the firewall rule applies to on the destination IP address. Click on the field to config
517. red radios automatically option is NOT selected.

When disabled, there is no automatic adoption of non-configured radios on the network. Additionally, default radio settings will NOT be applied to access ports when automatically adopted.

NOTE: For IPSec deployments, refer to Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20 and take note of the CLI commands in red and associated comments in green.

Any WLAN configured on the switch becomes an extended WLAN by default for an AAP.

4. Select Network > Wireless LANs from the switch main menu tree.

5. Select the target WLAN you would like to use for AAP support from those displayed and click the Edit button.

6. Select the Independent Mode (AAP Only) checkbox.

Selecting the checkbox designates the WLAN as independent and prevents traffic from being forwarded to the switch. Independent WLANs behave like WLANs as used on a standalone access point. Leave this option unselected (as is by default) to keep this WLAN an extended WLAN (a typical centralized WLAN created on the switch).
518. reen displays the following information:

Conn Type: Displays whether the bridge has been defined as a base bridge or a client bridge. For information on defining/configuring the access point as either a base or client bridge, see Configuring Mesh Networking Support on page 9-6.

MAC Address: The unique 48-bit, hard-coded Media Access Control address, known as the device's station identifier. This value is hard coded at the factory by the manufacturer and cannot be changed.

WLAN: Displays the WLAN name each wireless bridge is interoperating with.

Radio: Displays the name of the 802.11a or 802.11b/g radio each bridge is associated with.

T-put: Displays the total throughput in Megabits per second (Mbps) for each associated bridge.

ABS: Displays the Average Bit Speed (ABS) in Megabits per second (Mbps) for each associated bridge.

Retries: Displays the average number of retries per packet. A high number of retries could indicate possible network or hardware problems.

2. Click the Refresh button to update the display of the Mesh Statistics Summary screen to the latest values.

3. Click the Details button to display address and radio information for those access points in a client bridge configuration with this detecting access point.

4. Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.7 Viewing Known Access Point 
519. releases:

• Single or Dual Mode Radio Options
• Separate LAN and WAN Ports
• Multiple Mounting Options
• Antenna Support for 2.4 GHz and 5 GHz Radios
• Sixteen Configurable WLANs
• Support for 4 BSSIDs per Radio
• Quality of Service (QoS) Support
• Industry Leading Data Security
• VLAN Support
• Multiple Management Accessibility Options
• Updatable Firmware
• Programmable SNMP v1/v2/v3 Trap Support
• Power over Ethernet Support
• MU-MU Transmission Disallow
• Voice Prioritization
• Support for CAM and PSP MUs
• Statistical Displays
• Transmit Power Control
• Advanced Event Logging Capability
• Configuration File Import/Export Functionality
• Default Configuration Restoration
• DHCP Support
• Multi-Function LEDs
• Mesh Networking
• Additional LAN Subnet
• On-board Radius Server Authentication
• Hotspot Support
• Routing Information Protocol (RIP)
• Manual Date and Time Settings
• Dynamic DNS
• Auto Negotiation

1.2.1 Single or Dual Mode Radio Options

One or two possible configurations are available on the access point depending on which model is purchased. If the access point is manufactured as a single radio access point, the access point enables you to configure the single radio for either 802.11a or 802.11b/g. However, an AP-5181 model access point is only available in a dual-radio model.

If the access point is manufactured as a dual-radio access point, the access point enabl
520. requests.

To configure SNMP v1/v2c community definitions and SNMP v3 user definitions for the access point:

1. Select System Configuration -> SNMP Access from the access point menu tree.

SNMP v1/v2c community definitions allow read-only or read/write access to access point management information. The SNMP community includes users whose IP addresses are specified on the SNMP Access Control screen.

A read-only community string allows a remote device to retrieve information, while a read/write community string allows a remote device to modify settings. Motorola recommends considering adding a community definition using a site-appropriate name and access level. Set up a read/write definition (at a minimum) to facilitate full access by the access point administrator.

2.
522. ress.

g. If using the DHCP Server option, use the Address Assignment Range parameter to specify a range of IP addresses reserved for mapping clients to IP addresses. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.

For additional access point LAN port configuration options, see Configuring the LAN Interface on page 5-1.

8. Enable the radio(s) using the Enable checkbox(es) within the Radio Configuration field. If using a single radio access point, enable the radio, then select either 2.4 GHz or 5 GHz from the RF Band of Operation field. Only one RF band option at a time is permissible in a single-radio model. If using a dual-radio model, the user can enable both RF bands. For additional radio configuration options, see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

9. Select the WLAN 1 tab (WLANs 1-4 are available within the Quick Setup screen) to define its ESSID and security scheme for basic operation.

NOTE: A maximum of 16 WLANs are configurable within the Wireless Configuration screen. The limitation of 16 WLANs exists regardless of whether the access point is a single or dual-radio model.

a. Enter the Extended Services Set Identificatio
523. ress, but not the address of the organization.

Example:

    admin(system.cmgr)>genreq MyCert2 MySubject -ou MyDept -on MyCompany

    Please wait. It may take some time
    Generating the certificate request
    Retreiving the certificate request
    The certificate request is

For information on configuring certificate management settings using the applet (GUI), see Managing Certificate Authority (CA) Certificates on page 4-16.

AP51xx>admin(system.cmgr)> delself

Description:

Deletes a self certificate.

Syntax:

    delself <IDname>    Deletes the self certificate named <IDname>.

Example:

    admin(system.cmgr)>delself MyCert2

For information on configuring self certificate settings using the applet (GUI), see Creating Self Certificates for Accessing the VPN on page 4-18.

AP51xx>admin(system.cmgr)> loadself

Description:

Loads a self certificate signed by the Certificate Authority.

Syntax:

    loadself <IDname> https    Load the self certificate signed by the CA with name <IDname> (7 characters). HTTPS is need
524. ress to a MAC address for the specified LAN.

Example:

    admin(network.lan.dhcp)>add 1 00A0F8112233 192.160.24.6
    admin(network.lan.dhcp)>add 1 00A0F1112234 192.169.24.7
    admin(network.lan.dhcp)>list 1

    Index    MAC Address     IP Address
    1        00A0F8112233    192.160.24.6
    2        00A0F8112234    192.169.24.7

For information on adding client MAC and IP address information using the applet (GUI), see Configuring Advanced DHCP Server Settings on page 5-13.

AP51xx>admin(network.lan.dhcp)> delete

Description:

Deletes static DHCP address assignments.

Syntax:

    delete <LAN idx> <idx> <entry>    Deletes the static DHCP address entry for the specified LAN (1 LAN1, 2 LAN2) and DHCP entry index (1-30).
           <LAN idx> all              Deletes all static DHCP addresses.

Example:

    admin(network.lan.dhcp)>list 1

    Index    MAC Address     IP Address
    1        00A0F8112233    10.1.2.4
    2        00A0F8102030    10.10.1.2
    3        00A0F8112234    10.1.2.3
    4        00A0F8112235    192.160.24.6
    5        00A0F8112236    192.169.24.7

    admin(network.lan.dhcp)>delete 1

    index    mac address     ip address
    1        00A0F8102030    10.10.1.2
    2        00A0F8112234    10.1.2.3
    3        00A0F8112235    192.160.24.6
    4        00A0F8112236    192.169.24.7

    admin(network.lan.dhcp)>delete 1 all

    index    mac address     ip address

For information on deleting client MAC and IP address information using the applet (GUI), see Configuring Advanced DHCP Server Settings on page 5-13.

AP51xx>admin(network.lan
525. restart the AP 51xx (yes/no)

    AP 51xx Boot Firmware Version 2.2.0.0 XXX
    Copyright (c) Motorola 2007. All rights reserved.

    Press escape key to run boot firmware

    Power On Self Test

    testing ram : pass
    testing nor flash : pass
    testing nand flash : pass
    testing ethernet : pass

For information on restarting the access point using the applet (GUI), see Configuring System Settings on page 4-2.

AP51xx>admin(system)> show

Description:

Displays high-level system information helpful to differentiate this access point.

Syntax:

    show    Displays access point system information.

Example:

    admin(system)>show

    system name : BldgC
    system location : Atlanta Field Office
    admin email address : johndoe@mycompany.com
    system uptime : 0 days 4 hours 41 minutes
    AP 51xx firmware version : 2.2.0.0 XXX
    country code : us
    ap mode : independent
    serial number : 05224520500336

    admin(system)>

For information on displaying System Settings using the applet (GUI), see Configuring System Settings on page 4-2.

AP51xx>admin(system)> set

Description:

Sets access point system parameters.

Syntax:

    set name <name>    Sets the access point system name to <name> (1 to 59 characters). The access point does not allow intermediate space characters between characters within the system name. For example, "AP51xx sales" must be changed to "AP51xxsales" t
526. ring immediate attention (Error Conditions).

Ethernet Activity: Flashing white indicates data transfers and Ethernet activity.

802.11a Radio Activity: Flickering amber indicates beacons and data transfers over the AP-5131 802.11a radio.

802.11b/g Radio Activity: Flickering green indicates beacons and data transfers over the AP-5131 802.11b/g radio.

The LEDs on the rear of the AP-5131 are viewed using a single (customer installed) extended lightpipe, adjusted as required to suit above-the-ceiling installations. The LEDs displayed using the lightpipe have the following color display and functionality:

Boot and Power Status: Solid white indicates the AP-5131 is adequately powered.

Error Conditions: Solid red indicates the AP-5131 is experiencing a problem condition requiring immediate attention.

Power and Error Conditions: Blinking red indicates the AP-5131 Rogue AP Detection feature has located a rogue device.

2.9 Mounting an AP-5181

The AP-5181 can be connected to a pole or attached to a wall. Choose one of the following mounting options based on the physical environment of the coverage area. Do not mount the AP-5181 in a location that has not been approved in a site survey.

Refer to the following, depending on how you intend to mount the AP-5181:

• AP-5181 Pole Mounted Installations
• AP-5181 Wall Mounted Installations

2.9.1 AP-5181 Pole Mounted Installations

Complete the following s
527. Configuring IKE Key Settings
Viewing VPN Status
Configuring Content Filtering Settings
Configuring Rogue AP Detection
Moving Rogue APs to the Allowed AP List
Displaying Rogue AP Details
Using MUs to Detect Rogue Devices
Configuring User Authentication
Configuring the Radius Server
Configuring LDAP Authentication
Configuring a Proxy Radius Server
Managing the Local User Database
Mapping Users to Groups
Defining User Access Permissions by Group
Editing Group Access Permissions

Chapter 7. Monitoring Statistics
Viewing WAN Statistics
Viewing LAN Statistics
Viewing a LAN's STP Statistics
Viewing Subnet Lease Statistics
Viewing Wireless Statistics
Viewing WLAN S
528. rithm. No keys are required to be manually provided.

4. Click Ok to return to the VPN screen. Click Apply to retain the settings made on the Auto Key Settings screen.

5. Click Cancel to return to the VPN screen without retaining the changes made to this screen.

6.11.3 Configuring IKE Key Settings

The Internet Key Exchange (IKE) is an IPsec standard protocol used to ensure security for VPN negotiation and remote host or network access. IKE provides an automatic means of negotiation and authentication for communication between two or more parties. In essence, IKE manages IPSec keys automatically for the parties.

To configure IKE key settings for the access point:

1. Select Network Configuration -> WAN -> VPN from the access point menu tree.

2. Refer to the VPN Tunnel Config field, select the Auto (IKE) Key Exchange radio button and click the IKE Settings button.

[Screenshot: IKE Settings screen, with the fields Operation Mode, Local ID Type, Local ID Data, Remote ID Type, Remote ID Data, IKE Authentication Mode, IKE Authentication Algorithm, IKE Authentication Passphrase, IKE Encryption Algorithm, Key Lifetime and Diffie Hellman Group]

3. Configure the IKE Key Settings screen to modify the following:

Operation Mode    Loc
529. rk. For a small business, the WAN port might connect to a DSL or cable modem to access the Internet.

Use the WAN screen to set the WAN IP configuration and Point-to-Point Protocol over Ethernet (PPPoE) parameters.

To configure WAN settings for the access point:

1. Select Network Configuration -> WAN from the access point menu tree.

[Screenshot: WAN screen, including the PPPoE fields Username, Password, Keep Alive, Idle Time (seconds), PPPoE State and Authentication Type]

2. Refer to the WAN IP Configuration field to enable the WAN interface, and set network address information for the WAN connection.

NOTE: Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

Parameters in this field: Enable WAN Interface, This interface is a DHCP Client, IP Address, Subnet Mask, Default Gateway, Primary DNS Server.

Enable WAN Interface: Select the Enable WAN Interface checkbox to enable a connection between the access point and a larger network or outside world through the WAN port. Disable this option to effectively isolate the access point's WAN. No connections to a larger network or the Internet are possible. MUs cannot communicate beyond the LAN. By default, the WAN port is static with an IP address of 10.1.1.1.

This c
530. rks across an Internet using globally assigned IP addresses.

6.10.2 Configuring Advanced Subnet Access

Use the Advanced Subnet Access screen to configure complex access rules and filtering based on source port, destination port, and transport protocol. To enable advanced subnet access, the subnet access rules must be overridden. However, the Advanced Subnet Access screen allows you to import existing subnet access rules into the advanced subnet access rules.

To configure access point Advanced Subnet Access:

1. Select Network Configuration -> Firewall -> Advanced Subnet Access from the access point menu tree.

[Screenshot: Advanced Subnet Access screen, with the Override Subnet Access settings checkbox, the Import rules from Subnet Access button and a Firewall Rules table with the columns Index, Source IP, Destination IP, Transport, Src Ports and Dst Ports]

2. Configure the Settings field as needed to override the settings in the Subnet Access screen and import firewall rules into the Advanced Subnet Access screen.

Override Subnet Access settings: Select this checkbox to enable advanced subnet access rules and disable existing subn
531. roxy)>set count 5
admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

8.4.6.5 AP51xx>admin(system.radius)> client

Description:
Goes to the Radius client submenu.

Syntax:
add     Adds a Radius client to list of available clients.
delete  Deletes a Radius client from list of available clients.
show    Displays a list of configured clients.
save    Saves the configuration to system flash.
quit    Quits the CLI.
..      Goes to the parent menu.
/       Goes to the root menu.

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

AP51xx>admin(system.radius.client)> add

Description:
Adds a Radius client to those available to the Radius server.

Syntax:
add     Adds a proxy.
  ip <ip>        Client's IP address.
  mask <ip1>     Network mask address of the client.
  secret <sec>   Shared secret password.

Example:
admin(system.radius.client)>add 157.235.132.11 255.255.255.225 muddy
admin(system.radius.client)>

For information on configuring Radius client values using the applet (GUI), see Configuring the Radius Server on page 6-64.

AP51xx>admin(system.radius.client)> delete

Description:
Removes a specified Radius client from those available to the Radius server.

Syntax:
delete
532. rs screen, their access privileges need to be configured for inclusion to one, some or all of the groups also created within the Users screen.

To map users to groups for group authentication privileges:

1. If you are not already in the Users screen, select System Configuration -> User Authentication -> User Database from the menu tree.

Existing users and groups display within their respective fields. If a user or group requires creation or modification, make your changes before you begin to map them.

2. Refer to the Users field and select the List of Groups column for the particular user you wish to map to one or more groups.

The Users Group Setting screen displays with the groups available for user inclusion displayed within the Available column.

[Screenshot: Users Group Setting screen, with the Assigned and Available group lists and the < Add, Delete >, OK, Cancel and Help buttons]

3. To add the user to a group, select the group in the Available list (on the right) and click the < Add button.

Assigned users will display within the Assigned table. Map one or more groups as needed for group authentication access for this particular user.

4. To remove the user from a group, select the group in the Assigned list (on the left) and click the Delete > button.

5. Click the OK button to save your user and group mapping assignments and return to the Users screen
533. rt

Comprehensive on-line support is available at the Support Central site at http://www.symbol.com/support. Support Central provides our customers with a wealth of information and online assistance including developer tools, software downloads, product manuals and online repair requests.

When contacting the Motorola Support Center, please provide the following information:
• serial number of unit
• model number or product name
• software type and version number

North American Contacts
Support (for warranty and service information):
telephone: 1 800 653 5350
fax: 631 738 5410
Email: emb support motorola com

International Contacts
Outside North America:
Motorola, Inc.
Symbol Place
Winnersh Triangle, Berkshire, RG41 5TP
United Kingdom
0800 328 2424 (Inside UK)
+44 118 945 7529 (Outside UK)

Web Support Sites
Product Downloads: http://support.symbol.com/support/product/softwaredownloads.do
Manuals: http://support.symbol.com/support/product/manuals.do

Additional Information
Obtain additional information by contacting Motorola at:
1 800 722 6234 (inside North America)
+1 516 738 5200 (in/outside North America)
http://www.motorola.com/
534. rt field to import/export configuration settings:

Filename: Specify the name of the configuration file to be written to the FTP or TFTP server.

FTP/TFTP Server IP Address: Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the configuration file is imported or exported.

Filepath (optional): Defines the optional path name used to import/export the target configuration file.

FTP: Select the FTP radio button if using an FTP server to import or export the configuration.

TFTP: Select the TFTP radio button if using a TFTP server to import or export the configuration.

Username: Specify a username to be used when logging in to the FTP server. A username is not required for TFTP server logins.

Password: Define a password allowing access to the FTP server for the import or export operation.

Import Configuration: Click the Import Configuration button to import the configuration file from the server with the assigned filename and login information. The system displays a confirmation window indicating the administrator must log out of the access point after the operation completes for the changes to take effect. Click Yes to continue the operation. Click No to cancel the configuration file import.

3. Configure the HTTP Import/Export field to import/export access point configuration settings using HTTP.

Export Configuration: Click the Export Configuration b
535. rt screen displays.

[Screenshot: certificate import/export screen, with the fields Certificate Name (no extension), FTP/TFTP Server IP Address, Filepath (optional), FTP, TFTP, Username and Password, and the buttons Import Certificate and Key and Export Certificate and Key]

an Apache HTTP server.

Certificate Name (no extension): Specify the name of the certificate file to be written to the FTP or TFTP server. Do not enter the file's extension.

FTP/TFTP Server IP Address: Enter the numerical (non DNS name) IP address of the destination FTP or TFTP server where the security certificate is imported or exported.

Filepath (optional): Defines the optional path name used to import/export the target security certificate.

FTP: Select the FTP radio button if using an FTP server to import or export the security certificate.

TFTP: Select the TFTP radio button if using a TFTP server to import or export the security certificate.

Username: Specify a username to be used when logging in to the FTP server. A username is not required for TFTP server logins.

Password: Define a password allowing access to the FTP server for the import or export operation.

Import Certificate and Key: Click the Import Certificate and Key button
536. rt to the client.
• Directory List: Blocks requests to retrieve a directory listing sent from the client across the AP's WAN port to the FTP server.
• Create Directory: Blocks requests to create directories sent from the client across the AP's WAN port to the FTP server.
• Change Directory: Blocks requests to change directories sent from the client across the AP's WAN port to the FTP server.
• Passive Operation: Blocks passive mode FTP requests sent from the client across the AP's WAN port to the FTP server.

5. Click Apply to save any changes to the Content Filtering screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Content Filtering screen to the last saved configuration.

7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.13 Configuring Rogue AP Detection

It is possible that not all of the devices identified by the access point are operating legitimately within the access point's radio coverage area. A rogue AP is a device located nearby an authorized Motorola access point but recognized as having properties rendering its operation illegal and threatening to the access point and the LAN. Rogue AP detection can be configured independently for both access point 802.11a and 802
537. [Screenshot: VPN screen, with the tunnel fields Local WAN IP, Remote Subnet, Manual Key Exchange, Manual Key Settings and Auto (IKE) Key Exchange]

5. Enter the WAN port IP address of AP #1 for the Local WAN IP.

6. Within the Remote Subnet and Remote Subnet Mask fields, enter the LAN IP subnet and mask of AP #2 (Device #2).

7. Enter the WAN port IP address of AP #2 (Device #2) for a Remote Gateway.

8. Click Apply to save the changes.

NOTE: For this example, Auto IKE Key Exchange is used. Any key exchange can be used, depending on the security needed, as long as both devices on each end of the tunnel are configured exactly the same.

9. Select the Auto (IKE) Key Exchange radio button.

10. Select the Auto Key Settings button.

[Screenshot: Auto Key Settings screen, with the fields Use Perfect Forward Secrecy, Security Association Life Time, AH Authentication, ESP Type, ESP Encryption Algorithm and ESP Authentication Algorithm]

11. For the ESP Type, select ESP with Authentication and use AES 128-bit as the ESP encryption algorithm and MD5 as the authentication algorithm. Click OK.

12. Select the IKE Settings button.

[Screenshot: IKE Settings screen, with the fields Operation Mode, Local ID Type, Remote ID Type and IKE Authentication Mode]
538. ryption algorithm. No keys are required to be manually provided.
• 3DES: Enables the 3DES encryption algorithm. No keys are required to be manually provided.
• AES 128-bit: Uses the Advanced Encryption Standard algorithm with 128-bit. No keys are required to be manually provided.
• AES 192-bit: Enables the Advanced Encryption Standard algorithm with 192-bit. No keys are required to be manually provided.
• AES 256-bit: Uses the Advanced Encryption Standard algorithm with 256-bit. No keys are required to be manually provided.

The number of seconds the key is valid. At the end of the lifetime, the key is renegotiated.

The access point forces renegotiation every 3600 seconds. There is no way to change the renegotiation value. If the IKE Lifetime is greater than 3600, the keys still get renegotiated every 3600 seconds.

Diffie Hellman Group: Select a Diffie-Hellman Group to use. The Diffie-Hellman key agreement protocol allows two users to exchange a secret key over an insecure medium without any prior secrets. Two algorithms exist, 768-bit and 1024-bit. Select one of the following options:
• Group 1 - 768 bit: Somewhat faster than the 1024-bit algorithm, but secure enough in most situations.
• Group 2 - 1024 bit: Somewhat slower than the 768-bit algorithm, but much more secure and a better choice for extremely sensitive situations.

4. Click Ok to return to the VPN screen. Click Apply to
539. s. For additional information on configuring VPN tunnels, see Configuring VPN Tunnels on page 6-36.

CAUTION: Loaded and signed CA certificates will be lost when changing the access point's firmware version using either the GUI or CLI. After a certificate has been successfully loaded, export it to a secure location to ensure its availability after a firmware update.
If restoring the access point's factory default firmware, you must export the certificate file BEFORE restoring the access point's factory default configuration. Import the file back after the updated firmware is installed. For information on using the access point CLI to import and export the access point's configuration, see AP51xx>admin(system.cmgr)> impcert on page 8-170 and AP51xx>admin(system.cmgr)> expcert on page 8-169.

Refer to your network administrator to obtain a CA certificate to import into the access point.

NOTE: Verify the access point device time is synchronized with an NTP server before importing a certificate to avoid issues with conflicting date/time stamps. For more information, see Configuring Network Time Protocol (NTP) on page 4-43.

To import a CA certificate:

1. Select System Configuration -> Certificate Mgmt -> CA Certificates from the menu tree.

[Screenshot: CA Certificates screen]
540. s broadcast traffic security requirements. Default value is 86400 secs.

6. Configure the Key Settings area as needed to set an ASCII Passphrase and key values.

ASCII Passphrase: To use an ASCII passphrase (and not a hexadecimal value), select the checkbox and enter an alphanumeric string of 8 to 63 characters. The alphanumeric string allows character spaces. The access point converts the string to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.

256-bit Key: To use a hexadecimal value (and not an ASCII passphrase), select the checkbox and enter 16 hexadecimal characters into each of the four fields displayed.

Default (hexadecimal) 256-bit keys for WPA/TKIP include:
1011121314151617
18191A1B1C1D1E1F
2021222324252627
28292A2B2C2D2E2F

Enable WPA2-TKIP Support as needed to allow WPA2 and TKIP client interoperation.

Allow WPA2-TKIP clients: WPA2-TKIP support enables WPA2 and TKIP clients to operate together on the network.

Configure the Fast Roaming (802.1x only) field as required to enable additional access point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2-TKIP.

Pre-Authentication: Selecting this option enables an associated MU to carry out an 802.1x authentication with another access point before it roams to it. The access point caches the keying in
541. s selected.

3. Select the KeyGuard radio button.

The KeyGuard Settings field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

[Screenshot: New Security Policy screen with KeyGuard selected, showing the KeyGuard Settings field with the Pass Key entry, the Generate button, Keys #1 through #4 and the KeyGuard Mixed Mode option Allow WEP128 Clients]

5. Configure the KeyGuard Settings field as required to define the Pass Key used to generate the WEP keys used with the KeyGuard algorithm. These keys must be the same between the access point and its MU to encrypt packets between the two devices.

Pass Key: Specify a 4 to 32 character pass key and click the Generate button. The pass key can be any alphanumeric string. The access point, other proprietary routers, and Motorola MUs use the algorithm to convert an ASCII string to the same hexadecimal numb
542. Enable Automatic Firmware Update: Enable this checkbox to allow an automatic firmware update when firmware versions are found to be different between what is running on the access point and the firmware that resides on the server. A firmware update will only occur if the access point is reset or when the access point does a DHCP request.
This feature is used in conjunction with DHCP/BootP options configured on a DHCP or BootP server. For more information, see Usage Scenarios on page B-1.
If this checkbox is not enabled, the firmware update is required to be conducted manually.

Enable Automatic Configuration Update: Select this checkbox to allow an automatic configuration update when the configuration filenames are found to be different between the filename loaded on the access point and the configuration filename that resides on the server, or when the configuration file versions are found to be different between the configuration file version loaded on the access point and the configuration file that resides on server. A configuration update will only occur if the access point is reset or when the access point does a DHCP request.
This feature is used in conjunction with DHCP/BootP options configured on a DHCP or BootP server. For more information, see Usage Scenarios on page B-1.
If this checkbox is not enabled, the configuration update is required to be done manually.

automatic firmware update is
543. s are insufficient, a new policy can be created or an existing policy can be modified using the New QoS Policy or Edit QoS Policy screens. Once new policies are defined, they are available for use within the New WLAN or Edit WLAN screens to assign to specific WLANs based on MU interoperability requirements.

Motorola recommends using the New QoS Policy and Edit QoS Policy screens strategically to name and configure QoS policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name policies after specific WLANs, as individual QoS policies can be used by more than one WLAN. For detailed information on assigning QoS policies to specific WLANs, see Creating/Editing Individual WLANs on page 5-30.

To configure QoS policies:

1. Select Network Configuration -> Wireless -> QoS from the access point menu tree.

The Quality of Service Configuration screen displays with existing QoS policies and their current WLAN (if mapped to a WLAN).

NOTE: When the access point is first launched, a single QoS policy (default) is available and mapped to WLAN 1. It is anticipated additional QoS policies will be created as the list of WLANs grows.

[Screenshot: Quality of Service Configuration screen, listing policies by Policy Name, with the Create button]

2
544. s field for a progress indicator and messages about the success or errors in executing the Import/Export operation. Possible status messages include:

ambiguous input before marker, line <number>
unknown input before marker, line <number>
ignored input after marker, line <number>
additional input required after marker, line <number>
invalid input length, line <number>
error reading input, line <number>
import file from incompatible hardware type, line <number>
0 Import operation done
1 Export operation done
2 Import operation failed
3 Export operation failed
4 File transfer in progress
5 File transfer failed
6 File transfer done
Auto cfg update: Error in applying config
Auto cfg update: Error in getting config file
Auto cfg update: Aborting due to fw update failure

The <number> value appearing at the end of some messages relates to the line of the configuration file where an error or ambiguous input was detected.

CAUTION: If errors occur when importing the configuration file, a parsing message displays defining the line number where the error occurred. The configuration is still imported, except for the error. Consequently, it is possible to import an invalid configuration. The user is required to fix the problem and repeat the import operation until an error free import takes place.

NOTE M
545. s made. Undo Changes reverts the settings displayed on SNMP RF Traps screen to the last saved configuration.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

4.6 Configuring Network Time Protocol (NTP)

Network Time Protocol (NTP) manages time and/or network clock synchronization in the access point-managed network environment. NTP is a client/server implementation. The access point (an NTP client) periodically synchronizes its clock with a master clock (an NTP server). For example, the access point resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.

Time synchronization is recommended for the access point's network operations. For sites using Kerberos authentication, time synchronization is required. Use the Date and Time Settings screen to enable NTP and specify the IP addresses and ports of available NTP servers.

NOTE: The current time is not set accurately when initially connecting to the access point. Until a server is defined to provide the access point the correct time, or the correct time is manually set, the access point displays 1970-01-01 00:00:00 as the default time.

access point user permissions, ensure UTC has been selected from the Date and Time Settings screen's Time Zone field. If UTC is not selected, time based authentication wi
546. s or 100 Mbps.
Defines the access port WAN port duplex as either half or full.
Enables or disables PPPoE.
Sets PPPoE user name.
Defines the PPPoE password.
Enables or disables PPPoE keepalive.
Sets PPPoE idle time.
Sets PPPoE authentication type.

ipadr 157.169.22.5
dgw 157.169.22.1
dns 1 157.169.22.2
auto negotiation disable
speed 10M
duplex half
mask 255.255.255.000
pppoe mode enable
pppoe type chap
pppoe user jk
pppoe passwd S goodpassword
pppoe ka enable
pppoe idle 600

For an overview of the WAN configuration options available using the applet (GUI), see Configuring WAN Settings on page 5-16.

8.3.2.1 Network WAN NAT Commands

AP51xx>admin(network.wan.nat)>

Description:
Displays the NAT submenu. The items available under this command are shown below.

show    Displays the access point's current NAT parameters for the specified index.
set     Defines the access point NAT settings.
add     Adds NAT entries.
delete  Deletes NAT entries.
list    Lists NAT entries.
..      Goes to the parent menu.
/       Goes to the root menu.
save    Saves the configuration to system flash.
quit    Quits the CLI.

For an overview of the NAT configuration options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

AP51xx>admin(network.wan.nat)> show

Description:
Displays access point NAT parameters.

Syntax:
547. [illegible] 2-12
Mounting an AP-5131 2-13
Desk Mounted Installations 2-13
Wall Mounted Installations 2-15
Suspended Ceiling T-Bar Installations 2-17
Above the Ceiling (Plenum) Installations 2-20
AP-5131 LED Indicators 2-23
Mounting an AP-5181 2-24
AP-5181 Pole Mounted Installations 2-24
AP-5181 Wall Mounted Installations 2-27
AP-5181 LED Indicators 2-29
[illegible] 2-31

Chapter 3. Getting Started
Installing the Access Point 3-1
Configuration Options 3-2
Default Configuration Changes for the Access Point 3-3
Initially Connecting to the Access Point 3-4
Connecting to the Access Point using the WAN Port 3-4
Connecting to the Access Point using the LAN Port 3-4
Basic Device Configuration 3-5
Configuring Device Settings 3-7
Configuring WLAN Security Settings 3-12
Test [remainder illegible] 3-14
Where to Go from Here
548. sent per second across all active WLANs on the access point. The number in black displays this statistic for the last 30 seconds and the number in blue displays this statistic for the last hour.

Displays the current number of MUs associated with the active WLANs on the access point. If the number is excessive, reduce the maximum number of MUs that can associate with the access point (for more information, see Creating/Editing Individual WLANs on page 5-30).

Click the Clear all RF Stats button to reset statistic counters for each WLAN, and the Total AP RF totals to 0. Do not clear RF stats if currently in an important data gathering activity or risk losing all data calculations to that point.

to begin new data collections.

5. Click the Logout button to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

7.3.1 Viewing WLAN Statistics

Use the WLAN Stats screen to view detailed statistics for individual WLANs. The WLAN Stats screen is separated into four fields: Information, Traffic, RF Status, and Errors. The Information field displays basic information such as number of associated Mobile Units, ESSID and security information. The Traffic field displays statistics on RF traffic and throughput. The RF Status field displays information on RF signal averages from the associated MUs. The Error field displays RF traffic errors based on retries, dropped packets, and u
549. server, select it from the drop-down menu. Only certificates imported to the access point are available in the menu. For information on creating a certificate, see Creating Self Certificates for Accessing the VPN on page 4-18.

CA Certificate: You can also choose an imported CA Certificate to use on the Radius server. If using a server certificate signed by a CA, import that CA's root certificate using the CA certificates screen (for information, see Importing a CA Certificate on page 4-16). After a valid CA certificate has been imported, it is available from the CA Certificate drop-down menu.

WARNING: If you have imported a Server or CA certificate, the certificate will not be saved when updating the access point's firmware. Export your certificates before upgrading the access point's firmware. From the access point CLI, use the admin(system.cmgr)> expcert command to export the certificate to a secure location.

4. Use the Radius Client Authentication table to configure multiple shared secrets based on the subnet or host attempting to authenticate with the Radius server. Use the Add button to add entries to the list. Modify the following information as needed within the table:

Subnet/Host: Defines the IP address of the subnet or host that will be authenticating with the Radius server. If a WLAN has been created to support mesh networking, then enter the IP address of mesh clien
550. side of the screen.

Motorola recommends mapping VLANs strategically in order to keep VLANs tied to the discipline they most closely match. For example, if WLAN1 is comprised of MUs supporting the sales area, then WLAN1 should be mapped to sales if a sales VLAN has already been created.

13. Click Apply to return to the VLAN Name screen. Click OK to return to the LAN screen. Once at the LAN screen, click Apply to re-apply your changes.

5.1.2 Configuring LAN1 and LAN2 Settings

Both LAN1 and LAN2 have separate sub-screens to configure the DHCP settings used by the LAN1 and LAN2 interfaces. Within each LAN screen is a button to access a sub-screen to configure advanced DHCP settings for that LAN. For more information, see Configuring Advanced DHCP Server Settings on page 5-13. Additionally, LAN1 and LAN2 each have separate Type Filter submenu items used to prevent specific (and potentially unnecessary) frames from being processed. For more information, see Setting the Type Filter Configuration on page 5-15.

To configure unique settings for either LAN1 or LAN2:

1. Select Network Configuration -> LAN -> LAN1 (or LAN2) from the access point menu tree.

[Screenshot: LAN1/LAN2 screen, DHCP Configuration field with the options This interface is a DHCP Client, This interface is a BootP Client, This interface uses static IP Address and This interface is a DHCP Server]
551. simple encryption of wireless data. However, networks that require more security are at risk from a WEP flaw. The existing 802.11 standard alone offers administrators no effective method to update keys.

To configure WEP on the access point:

1. Select Network Configuration -> Wireless -> Security from the access point menu tree.

   If security policies supporting WEP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WEP, continue to step 2.

2. Click the Create button to configure a new policy supporting WEP.

   The New Security Policy screen displays with no authentication or encryption options selected.

3. Select either the WEP 64 (40 bit key) or WEP 128 (104 bit key) radio button.

   The WEP 64 Settings or WEP 128 Settings field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

[Screenshot: New Security Policy screen, WEP 128 Settings]
552. sing the access point's overall load on the channel, its availability for additional device associations and multi media traffic support.

Select the Enable QBSS load element checkbox (it's selected by default) to enable the access point to communicate channel usage to MUs. Access points with high channel usage may not be able to process real-time traffic effectively. Therefore, VOIP phones can use the QBSS value to determine whether a different access point association can provide better wireless support, since the QBSS network load is reduced as additional access points are added.

If QBSS is enabled, define a QBSS Beacon Interval to define the beacon time (in seconds) the access point uses to broadcast channel utilization information. This information should be periodically accessed, as the access point's network load will fluctuate throughout the day.

6. Configure the Performance field to set the preamble, thresholds values and QoS values for the radio.

Support Short Preamble: The preamble is approximately 8 bytes of packet header generated by the access point and attached to the packet prior to transmission from the 802.11b radio. The preamble length for 802.11b transmissions is data rate dependent. The short preamble is 50% shorter than the long preamble. Leave the checkbox unselected if in a mixed MU/AP environment, as MUs and the access point are required to have the same RF Preamble settings for interoperability. The default is Disabled.
553. splays the access point's current radio configuration.

Syntax:

    show    Displays the access point's current radio configuration.

Example:

    admin(network.wireless.radio)>show

    Radio Configuration

    Radio 1
    Name                     : Radio 1
    Radio Mode               : enable
    RF Band of Operation     : 802.11b/g (2.4 GHz)
    RF Function              : WLAN

    Wireless Mesh Configuration:
    Base Bridge Mode         : enable
    Max Wireless AP Clients  : 6
    Client Bridge Mode       : disable
    Client Bridge WLAN       : WLAN1
    Mesh Connection Timeout  : enable

    Radio 2
    Name                     : Radio 2
    Radio Mode               : enable
    RF Band of Operation     : 802.11a (5 GHz)
    RF Function              : WLAN

    Wireless Mesh Configuration:
    Base Bridge Mode         : enable
    Max Wireless AP Clients  : 5
    Client Bridge Mode       : disable
    Client Bridge WLAN       : WLAN1
    Mesh Connection Timeout  : enable

    Dot11 Auth Algorithm     : open-system-only

For information on configuring the Radio Configuration options available to the access point using the applet (GUI), see Setting the WLAN's Radio Configuration on page 5-52.

AP51xx>admin(network.wireless.radio)> set

Description:

Enables an access point Radio and defines the RF band of operation.

Syntax:

    set 11a <mode>
        11bg <mode>
        rf-function <mode>
        mesh-base <mode>
        mesh-max
        mesh-client <mode>
        mesh-timeout <period>
        mesh-wlan <name>
        dot11-auth <auth-algorithm>

Example:

admin  network  wireless   admin  network  wireless   admin  network wireless   admin  network wire
554. ss: Displays the IP address of the MU.

WLAN Association: Displays the name of the WLAN the MU is associated with. Use this information to assess whether the MU is properly grouped within that specific WLAN.

PSP State: Displays the current PSP state of the MU. The PSP Mode field has two potential settings. PSP indicates the MU is operating in Power Save Protocol mode. In PSP, the MU runs enough power to check for beacons and is otherwise inactive. CAM indicates the MU is continuously aware of all radio traffic. Motorola recommends CAM for those MUs transmitting with the AP frequently and for periods of time of two hours.

HW Address: Displays the Media Access Control (MAC) address for the MU.

Radio Association: Displays the name of the AP the MU is currently associated with. If the name of the access point requires modification, see Configuring System Settings on page 4-2.

QoS Client Type: Displays the data type transmitted by the mobile unit. Possible types include Legacy, Voice, WMM Baseline and Power Save. For more information, see Setting the WLAN Quality of Service (QoS) Policy on page 5-40.

Encryption: Displays the encryption scheme deployed by the associated MU.

Refer to the Traffic field to view individual MU RF throughput information.

Packets per second: The Total column displays average total packets per second crossing the MU. The Rx column displays the average total packets per second received on the MU. The Tx column
555. 10.2.2 Extended WLANs Only

An extended WLAN configuration forces all MU traffic through the switch. No wireless traffic is locally bridged by the AAP.

Each extended WLAN is mapped to the access point's virtual LAN2 subnet. By default, the access point's LAN2 is not enabled and the default configuration is set to static with IP addresses defined as all zeros. If the extended VLAN option is configured on the switch, the following configuration updates are made automatically:

• The AAP's LAN2 subnet becomes enabled
• All extended VLANs are mapped to LAN2

NOTE: MUs on the same WLAN associated to the AAP can communicate locally at the AP Level without going through the switch. If this scenario is undesirable, the access point's MU to MU disallow option should be enabled. To enable the access point's MU to MU disallow option, see Creating/Editing Individual WLANs on page 5-30.

10.2.3 Independent WLANs Only

An independent WLAN configuration forces all MU traffic to be bridged locally by the AAP. No wireless traffic is tunneled back to the switch. Each extended WLAN is mapped to the access point's LAN1 interface. The only traffic between the switch and the AAP are control messages (for example, heartbeats, statistics and configuration updates).

10.2.4 Extended WLANs with Independent WLANs

An AAP can have both extended WLANs and independent WLANs operating in conjunction. When used together, MU traffic
556. ss Radius accounting

External Radius Port: Specify the port on which the Radius server is listening. The default port is 1813.

External Radius Shared Secret: Specify a shared secret for authentication. The shared secret is required to match the shared secret on the Radius server.

MU Timeout: Specify the time (in seconds) for the access point's retransmission of EAP Request packets. The default is 10 seconds. If this time is exceeded, the authentication session is terminated.

Retries: Specify the number of retries for the MU to retransmit a missed frame to the Radius server before it times out of the authentication session. The default is 2 retries.

Enable Syslog: Select the Enable Syslog checkbox to enable Radius accounting syslog messages relating to EAP events to be written to the specified syslog server.

Syslog Server IP Address: Enter the IP address of the destination syslog server to be used to log EAP events.

8. Select the Reauthentication tab as required to define authentication connection policies, intervals and maximum retries. The items within this tab are identical regardless of whether Internal or External is selected from the Radius Server drop-down menu.

Enable Reauthentication: Select the Enable Reauthentication checkbox to configure a wireless connection policy so MUs are forced to reauthenticate periodically. Periodic repetition of the EAP process provides ongoing security for current authorized connections.

Period  30 99
557. ss Statistics on page 7-14.

For information on displaying individual WLAN statistics using the applet (GUI), see Viewing WLAN Statistics on page 7-17.

For information on displaying Radio statistics using the applet (GUI), see Viewing Radio Statistics Summary on page 7-20.

For information on displaying MU statistics using the applet (GUI), see Viewing MU Statistics Summary on page 7-27.

For information on displaying Mesh statistics using the applet (GUI), see Viewing the Mesh Statistics Summary on page 7-34.

For information on displaying Known AP statistics using the applet (GUI), see Viewing Known Access Point Statistics on page 7-35.

For information on displaying memory and CPU statistics using the applet (GUI), see CPU and Memory Statistics on page 7-39.

AP51xx>admin(stats)> send-cfg-ap

Description:

Copies the access point's configuration to another access point within the known AP table.

Syntax:

    send-cfg-ap <idx>    Copies the access point's configuration to the access points within the known AP table. Mesh configuration attributes do not get copied using this command and must be configured manually.

Example:

    admin(stats)>send-cfg-ap 2
    admin(stats)>

NOTE: The send-cfg-ap command copies all existing configuration parameters except Mesh settings, LAN IP data, WAN IP data and DHCP Server parameter information.

For information on copying the access point config to anot
558. ss point

    admin(network.wan.dyndns)>set mode enable
    admin(network.wan.dyndns)>set username percival
    admin(network.wan.dyndns)>set password mudskipper
    admin(network.wan.dyndns)>set host greengiant

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

AP51xx>admin(network.wan.dyndns)> update

Description:

Updates the access point's current WAN IP address with the DynDNS service.

Syntax:

    update    Updates the access point's current WAN IP address with the DynDNS service (when DynDNS is enabled).

Example:

    admin(network.wan.dyndns)>update

    IP Address : 157.235.91.231
    Hostname   : greengiant

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

AP51xx>admin(network.wan.dyndns)> show

Description:

Shows the current Dynamic DNS configuration.

Syntax:

    show    Shows the access point's current Dynamic DNS configuration.

Example:

    admin(network.wan.dyndns)>show

    DynDNS Configuration

    Mode       : enable
    Username   : percival
    Password   : ********
    Hostname   : greengiant

    DynDNS Update Response

    IP Address : 157.235.91.231
    Hostname   : greengiant
    Status     : OK

For an overview of the Dynamic DNS options available using the applet (GUI), see Configuring Dynamic DNS on page 5-25.

8.3.3 Network Wireless Commands

AP51xx>admin
559. ss point

• Obtains and applies the expected IP Address from the DHCP Server.
• Downloads the firmware and configuration files from the TFTP Server and updates both as required. Verify the file versions within the System Settings screen.

NOTE: If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point or if the configuration file versions are the same, the access point configuration will not get updated.

NOTE: The update process is conducted over the LAN or WAN port depending on which Server responds first to the access point's request for an automatic update.

B.1.1.3 DHCP Priorities

The following flowchart indicates the priorities used by the access point when the DHCP server is configured for multiple options.

    Priority 1: Embedded Options (using Option 43)
        overrides
    Priority 2: Global Extended Options
        overrides
    Priority 3: Global Standard Options

Priority TFTP Server Firmware File Config File   3 we  2 iid  3  66    overrides

If the DHCP Server is configured for options 186 and 66 (to assign TFTP Server IP addresses), the access point uses the IP address configured for option 186. Similarly, if the DHCP Server is configured for options 187 and 67 (for the firmware file), the access point uses the file name configured for option 187. If the DHCP Server is c
560. ss point go back to normal operation.

Click the Logout button to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

7.8 CPU and Memory Statistics

With this new 2.2 version release of the access point firmware, users can monitor the access point's CPU utilization and memory usage to analyze performance and assess whether the access point is overly stressed.

To assess the access point's memory usage and CPU load averages:

1. Select Status and Statistics -> CPU and Memory Stats from the access point menu tree.

[Screenshot: CPU and Memory Stats screen showing Memory Usage and CPU Load Averages]

2. Refer to the following to discern the access point's current memory usage and CPU load.

Memory Usage: Displays the total available memory and used memory. An event log entry is generated when memory usage reaches 90% utilization.

CPU Load Averages: Displays load averages for the access point's CPU. The loads are reflected as the number of active processing jobs averaged over 1, 5 and 15 minutes. An event log entry is generated when CPU Utilization reaches 99% over 1, 5 or 15 minutes.

3. Click the Logout button to securely exit the Access
561. ssions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> add

Description:

Adds a user to an existing group.

Syntax:

    add <userid> <group>    Adds a user <userid> to an existing group <group>.

Example:

    admin(system.userdb.group)>add lucy group x
    admin(system.userdb.group)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> remove

Description:

Removes a user from an existing group.

Syntax:

    remove <userid> <group>    Removes a user <userid> from an existing group <group>.

Example:

    admin(system.userdb.group)>remove lucy group x
    admin(system.userdb.group)>

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on page 6-76.

AP51xx>admin(system.userdb.group)> show

Description:

Displays existing groups.

Syntax:

    show             Displays existing groups and users.
         users       Displays configured user IDs for a group.
         groups      Displays configured groups.

Example:

    admin(system.userdb.group)>show groups

    List of Group Names
    engineering
    marketing
    demo room

    admin(system.userdb.group)>

For information on configuring User
562. stablish a 100 Mbps data transfer rate for the selected half duplex or full duplex transmission over the access point's LAN port. This option is not available if Auto Negotiation is selected.

10 Mbps: Select this option to establish a 10 Mbps data transfer rate for the selected half duplex or full duplex transmission over the access point's LAN port. This option is not available if Auto Negotiation is selected.

half duplex: Select this option to transmit data to and from the access point, but not at the same time. Using a half duplex transmission, the access point can send data over its LAN port then immediately receive data from the same direction in which the data was transmitted. Like a full duplex transmission, a half duplex transmission can carry data in both directions, just not at the same time.

full duplex: Select this option to transmit data to and from the access point at the same time. Using full duplex, the access point can send data over its LAN port while receiving data as well.

6. Click Apply to save any changes to the LAN Configuration screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost if the prompts are ignored.

7. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the LAN configuration screen to the last saved configuration.

8. Click Logout to securely exit the access point Acc
563. stem Uptime    Serial Number    AP Mode

The access point prompts the user for the correct country code after the first login. A warning message also displays stating that an incorrect country setting will lead to an illegal use of the access point. Use the pull-down menu to select the country of operation. Selecting the correct country is extremely important. Each country has its own regulatory restrictions concerning electromagnetic emissions, channel range, and the maximum RF signal strength transmitted. To ensure compliance with national and local laws, be sure to set the Country field correctly.

If using the access point configuration file, CLI or MIB to configure the access point's country code, see Country Codes on page A-9.

The displayed number is the current version of the device firmware. Use this information to determine if the access point is running the most recent firmware available from Motorola. Use the Firmware Update screen to keep the AP's firmware up to date. For more information, see Updating Device Firmware on page 4-54.

Displays the current uptime of the access point defined in the System Name field. System Uptime is the cumulative time since the access point was last rebooted or lost power.

Displays the access point Media Access Control (MAC) address. The access point MAC address is hard coded at the factory and cannot be modified. The LAN and WAN port MAC addresses can be located within the LAN and WAN Stats screens. F
564. t

Arguments: <clear>  <seconds>  <minutes>  <ip>  <port>  <pw>  <mode>

Enables/Disables global management access (snmp, http, https, telnet and ssh) for up to 8 addresses (hosts).
Disables the radio interface if no data activity is detected after the interval defined. Default is 120 seconds.
Inactivity interval resulting in the AP terminating its connection. Default is 120 minutes.
Sets SNMP access parameters.
Designates a Radius server is used in the authentication verification.
Specifies the IP address the Remote Dial-In User Service (RADIUS) server.
Specifies the port on which the RADIUS server is listening. Default is 1812.
Defines the shared secret password for RADIUS server authentication.
Enables/disables the access point message mode.
Defines the access point login message text.

For information on configuring access point access settings using the applet (GUI), see Configuring Data Access on page 4-9.

AP51xx>admin(system.access)>show

Description:

Displays the current access point access permissions and timeout values.

Syntax:

    show    Shows all of the current system access settings for the access point.

Example:

    admin(system.access)>set trusted-host mode enable
    admin(system.access)>set trusted-host range 1 10.1.1.1 10.1.1.10

    Warning: Only trusted hosts can access the AP through snmp, http, https, telnet, ssh

    admin(system.access)>show

    trusted host
565. t (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

AP51xx>admin(network.wireless.radio.802-11a.advanced)> set

Description:

Defines advanced parameters for the target 802.11a radio.

Syntax:

    set wlan <wlan-name> <bssid>    Defines advanced WLAN to BSSID mapping for the target radio.
        bss <bss-id> <wlan-name>    Sets the BSSID to primary WLAN definition.

Example:

    admin(network.wireless.radio.802-11a.advanced)>set wlan demoroom 1
    admin(network.wireless.radio.802-11a.advanced)>set bss 1 demoroom

For information on configuring Radio 2 Configuration options available to the access point using the applet (GUI), see Configuring the 802.11a or 802.11b/g Radio on page 5-56.

8.3.3.5 Network Quality of Service (QoS) Commands

AP51xx>admin(network.wireless.qos)>

Description:

Displays the access point Quality of Service (QoS) submenu. The items available under this command include:

    show      Displays access point QoS policy information.
    create    Defines the parameters of the QoS policy.
    edit      Edits the settings of an existing QoS policy.
    delete    Removes an existing QoS policy.
    ..        Goes to the parent menu.
    /         Goes to the root menu.
    save      Saves the configuration to system flash.
    quit      Quits the CLI.

AP51xx>admin(network.wireless.qos)> show

Description:

Displays the access point's current QoS policy by summary or individual
566. AP51xx>admin(network.wireless.rogue-ap.allowed-list)> add

Description:

Adds an AP MAC address and ESSID to existing allowed list.

Syntax:

    add <mac-addr> <ess-id>    Adds an AP MAC address and ESSID to existing allowed list.
                               tff means any MAC  Use a         for any ESSID

Example:

    admin(network.wireless.rogue-ap.allowed-list)>add 00A0F83161BB 103
    admin(network.wireless.rogue-ap.allowed-list)>show

    index   ap                  essid
    1       00:A0:F8:71:59:20
    2       00:A0:F8:33:44:55   fffffffffffff
    3       00:A0:F8:40:20:01   Marketing
    4       00:A0:F8:31:61:BB   103

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

AP51xx>admin(network.wireless.rogue-ap.allowed-list)> delete

Description:

Deletes an AP MAC address and ESSID to existing allowed list.

Syntax:

    delete <idx>    Deletes a specified AP MAC address and ESSID index (1-50) from the allowed list.
           <all>    The option also exists to remove all indexes.

For information on configuring the Rogue AP options available to the access point using the applet (GUI), see Configuring Rogue AP Detection on page 6-55.

8.3.3.8 WIPS Commands

AP51xx>admin(network.wireless.wips)>

Description:

Displays the wips Locationing submenu. The items available under this command include:

    show    Displays
567. t add lancelot 157.235.241.22 1812 muddy

    admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

AP51xx>admin(system.radius.proxy)> delete

Description:

Adds a proxy.

Syntax:

    delete <realm>    Deletes a specified realm name.

Example:

    admin(system.radius.proxy)>delete lancelot
    admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

AP51xx>admin(system.radius.proxy)> clearall

Description:

Removes all proxy server records from the system.

Syntax:

    clearall    Removes all proxy server records from the system.

Example:

    admin(system.radius.proxy)>clearall
    admin(system.radius.proxy)>

For information on configuring Radius proxy server values using the applet (GUI), see Configuring a Proxy Radius Server on page 6-70.

AP51xx>admin(system.radius.proxy)> set

Description:

Sets Radius proxy server parameters.

Syntax:

    set          Sets Radius proxy server parameters.
        delay    Defines retry delay time (in seconds) for the proxy server.
        count    Defines retry count value for the proxy server.

Example:

    admin(system.radius.proxy)>set delay 10
    admin(system.radius.p
568. t block of data. The end result is an encryption scheme as secure as any the access point provides.

To configure WPA2-CCMP on the access point:

1. Select Network Configuration -> Wireless -> Security from the access point menu tree.

   If security policies supporting WPA2-CCMP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting WPA2-CCMP, continue to step 2.

2. Click the Create button to configure a new policy supporting WPA2-CCMP.

   The New Security Policy screen displays with no authentication or encryption options selected.

3. Select the WPA2/CCMP (802.11i) checkbox.

   The WPA2/CCMP Settings field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

[Screenshot: New Security Policy screen, WPA2/CCMP Settings]
569. t bridge in order for the MU to authenticate with a base bridge.

Netmask: Defines the netmask (subnet mask) of the subnet or host authenticating with the Radius server.

Shared Secret: Click the Passwords button and set a shared secret used for each host or subnet authenticating against the RADIUS server. The shared secret can be up to 7 characters in length.

5. Click Apply to save any changes to the Radius Server screen. Navigating away from the screen without clicking Apply results in all changes to the screen being lost.

6. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Radius Server screen to the last saved configuration.

7. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.14.2 Configuring LDAP Authentication

When the Radius Data Source is set to use an external LDAP server (see Configuring the Radius Server on page 6-64), the LDAP screen is used to configure the properties of the external LDAP server.

To configure the LDAP server:

1. Select System Configuration -> User Authentication -> RADIUS Server -> LDAP from the menu tree.

NOTE: For the onboard Radius server to work with Windows Active Directory or open LDAP as the database, the user has to be present in a group within the organizational unit. The same group must be present within the o
570. t on the antenna connector indicates the primary antenna for both Radio 1 (2.4 GHz) and Radio 2 (5 GHz). Two dots designate the secondary antenna for both Radio 1 and Radio 2. On Single Radio models, a single dot on the antenna connector indicates the primary antenna for Radio 1, and two dots designate the secondary antenna for Radio 1.

4. Cable the AP-5131 using either the Power Injector solution or an approved line cord and power supply.

CAUTION: Do not supply power to the AP-5131 until the cabling of the unit is complete.

For Power Injector installations:

a. Connect a RJ-45 Ethernet cable between the network data supply (host) and the Power Injector Data In connector.
b. Connect a RJ-45 Ethernet cable between the Power Injector Data & Power Out connector and the AP-5131 LAN port.
c. Ensure the cable length from the Ethernet source (host) to the Power Injector and AP-5131 does not exceed 100 meters (333 ft). The Power Injector has no On/Off power switch. The Power Injector receives power as soon as AC power is applied. For more information on using the Power Injector, see Power Injector and Power Tap Systems on page 2-10.

For standard 48-Volt Power Adapter (Part No. 50-14000-243R) and line cord installations:

a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.
b. Verify the power adapter is correctly rated according the country of operation.
c. Connect t
571. t power adapter (Part No. 50-14000-243R) and line cord installations:

a. Connect RJ-45 Ethernet cable between the network data supply (host) and the AP-5131 LAN port.
b. Verify the power adapter is correctly rated according the country of operation.
c. Connect the power supply line cord to the power adapter.
d. Attach the power adapter cable into the power connector on the AP-5131.
e. Plug the power adapter into an outlet.

5. Verify the behavior of the AP-5131 LEDs. For more information, see AP-5131 LED Indicators on page 2-23.

6. Return the AP-5131 to an upright position and place it in the location you wish it to operate. Ensure the AP-5131 is sitting evenly on all four rubber feet.

The AP-5131 is ready to configure. For information on an AP-5131 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

2.7.2 Wall Mounted Installations

Wall mounting requires hanging the AP-5131 along its width (or length) using the pair of slots on the bottom of the unit and using the AP-5131 itself as a mounting template for the screws. The AP-5131 can be mounted onto any plaster or wood wall surface.

The mounting hardware and tools (customer provided) required to install the AP-5131 on a wall consists of:

• Two Phillips pan head self-tapping screws (ANSI Standard #6-18 X 0.875in. Type A or AB Self-Tapping screw, or ANSI Standard Metric M3.5 X 0.6 X
572. t's mesh networking options using the applet (GUI), see Configuring Mesh Networking on page 9-1.

AP51xx>admin(network.lan.bridge)> set

Description:

Sets the mesh configuration parameters for the access point's LANs.

Syntax:

    set priority <LAN-idx> <seconds>    Sets bridge priority time in seconds (0-65535) for specified LAN.
        hello    <LAN-idx> <seconds>    Sets bridge hello time in seconds (0-10) for specified LAN.
        msgage   <LAN-idx> <seconds>    Sets bridge message age time in seconds (6-40) for specified LAN.
        fwddelay <LAN-idx> <seconds>    Sets bridge forward delay time in seconds (4-30) for specified LAN.
        ageout   <LAN-idx> <seconds>    Sets bridge forward table entry time in seconds (4-3600) for specified LAN.

Example:

    admin(network.lan.bridge)>set priority 2 32768
    admin(network.lan.bridge)>set hello 2 2
    admin(network.lan.bridge)>set msgage 2 20
    admin(network.lan.bridge)>set fwddelay 2 15
    admin(network.lan.bridge)>set ageout 2 300

    admin(network.lan.bridge)>show

    LAN1 Mesh Configuration

    Bridge Priority               : 32768
    Hello Time (seconds)          : 2
    Message Age Time (seconds)    : 20
    Forward Delay Time (seconds)  : 15
    Entry Ageout Time (seconds)   : 300

    LAN2 Mesh Configuration

    Bridge Priority               : 32768
    Hello Time (seconds)          : 2
    Message Age Time (seconds)    : 20
    Forward Delay Time (seconds)  : 15
    Entry Ageout Time (seconds)   : 300

For
573. t set ip 2 10.1.1.1  this command is used when NAT is 1 to 1

admin(network.wan.nat)>show 2

WAN IP Mode                        : enable
WAN IP Address                     : 157.235.91.2
NAT Type                           : 1 to many
Inbound Mappings                   : Port Forwarding
unspecified port forwarding mode   : enable
unspecified port fwd. ip address   : 111.223.222.1
one to many nat mapping            : 157.235.91.2
                                     10.1.1.1

For an overview of the NAT options available using the applet (GUI), see Configuring Network Address Translation (NAT) Settings on page 5-21.

AP51xx>admin(network.wan.nat)> add

Description:

Adds NAT entries.

Syntax:

add <idx> <name> <tran> <port1> <port2> <ip> <dst_port>

Sets an inbound network address translation (NAT) for WAN address <idx>, where <name> is the name of the entry (1 to 7 characters), <tran> is the transport protocol (one of tcp, udp, icmp, ah, esp, gre, or all), <port1> is the starting port number in a port range, <port2> is the ending port number in a port range, <ip> is the internal IP address, and <dst_port> is the (optional) internal translation port.

Example:

admin(network.wan.nat)>add 1 indoors udp 20 29 10.10.2.2

admin(network.wan.nat)>list 1

index  name  prot  start port  end port  internal ip  translation port

Related Commands:

delete    Deletes one of the inbound NAT entries from the list
list
574. t source (host) to the Power Tap (or Power Injector) and AP-5181 does not exceed 100 meters (333 ft). Neither the Power Tap or Power Injector has an On/Off power switch. Each receives power as soon as AC power is applied. For more information, see Power Injector and Power Tap Systems on page 2-10.

8. Use the supplied cable connector to cover the AP-5181's Console, LAN/PoE and WAN connectors.

9. Once power has been applied, verify the behavior of the AP-5181 LEDs. For more information, see AP-5181 LED Indicators on page 2-29.

The AP-5181 is ready to configure. For information on an AP-5181 default configuration, see Getting Started on page 3-1. For specific details on AP-5131 system configurations, see System Configuration on page 4-1.

NOTE: If installing the AP-5181 in an outdoor area prone to high winds and rain, Motorola recommends using the AP-5181 Heavy Weather Kit (Part No. KT-5181-HW-01R). This kit shields an AP-5181 from high winds and water damage as a result of driving rain.

2.9.2 AP-5181 Wall Mounted Installations

Complete the following steps to mount the AP-5181 to a wall using the supplied wall mounting bracket:

1. Attach the bracket to a wall with flat side flush against the wall (see the illustration below). Position the bracket in the intended location and mark the positions of the four mounting screw holes.

2. Drill four holes in the wall that match the screws
575. t trap
Enables/disables a configuration changes trap.
Enables/disables a trap when a rogue AP is detected.
Enables/disables the AP Radar Detection trap.
Enables/disables the WPA counter measure trap.
Enables/disables the hotspot MU status trap.
Enables/disables VLAN traps.
Enables/disables LAN monitor traps.
Sets the particular <rate> to monitor to <value> given the indicated <scope>. See table below for information on the possible values for <rate>, <scope>, and <value>.
Sets the minimum number of packets required for rate traps to fire (1-65535).

For information on configuring SNMP traps using the applet (GUI), see Configuring Specific SNMP Traps on page 4-38.

AP51xx>admin(system.snmp.traps)> add

Description:

Adds SNMP trap entries.

Syntax:

add v1v2 <ip> <port> <comm> <ver>
    Adds an entry to the SNMP v1/v2 access list with the destination IP address set to <ip>, the destination UDP port set to <port>, the community string set to <comm> (1 to 31 characters), and the SNMP version set to <ver>.

    v3 <ip> <port> <user> <sec> <auth> <pass1> <priv> <pass2>
    Adds an entry to the SNMP v3 access list with the destination IP address set to <ip>, the destination UDP port set to <port>, the username set to <user> (1 to 31 charact
576. t with Motorola 802.11b clients.

CAUTION: Kerberos makes no provisions for host security. Kerberos assumes that it is running on a trusted host with an untrusted network. If host security is compromised, Kerberos is compromised as well.

Kerberos uses the Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s). Use the NTP Servers screen to specify the IP addresses and ports of available NTP servers. Kerberos requires the Enable NTP on checkbox be selected for authentication to function properly. See Configuring Network Time Protocol (NTP) on page 4-43 to configure the NTP server.

NOTE: If 802.11a is selected as the radio used for a specific WLAN, the WLAN cannot use a Kerberos supported security policy, as no Motorola 802.11a clients can support Kerberos.

To configure Kerberos on the access point:

1. Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting Kerberos exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting Kerberos, continue to step 2.

2. Click the Create button to configure a new policy supporting Kerberos.

The New Security Policy screen displays with no authentication or encryption options selected.

3. Select the Kerberos radio button. Th
577. tains hello, forward delay and max age timers. These settings can be used as is using the current default settings, or be modified. However, if these settings are modified, they need to be configured for the LAN connecting to the mesh network WLAN.

For information on mesh networking capabilities, see Configuring Mesh Networking on page 9-1. If new to mesh networking and in need of an overview, see Mesh Networking Overview on page 9-1.

apply existing IP filters (and their rules and permissions) to LAN1 or LAN2.

Enable IP Filtering: Selecting this checkbox allows the LAN to employ filter policies and rules to determine which IP packets are processed normally over the LAN and which are discarded. If discarded, a packet is deleted and ignored (as if never received).

IP Filtering: Select the IP Filtering button to display a screen where existing IP filter policies can be applied to the LAN to allow or deny IP packets in either an incoming or outgoing direction based on the rules defined for the policy.

NOTE: For an overview of IP Filtering and how to create a filter, see Configuring IP Filtering on page 5-75. For information on applying an existing filter to the IP packet flow of a WLAN, see Applying a Filter to LAN1, LAN2 or a WLAN (1-16) on page 5-78.

4. Click Apply to save any changes to the LAN1 or LAN2 screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost if the 
578. tatistics 7-17
Viewing Radio Statistics Summary 7-20
Viewing Radio Statistics 7-22
Ret ARTOA eei ep Ei 7-26
Viewing MU Statistics Summary 7-27
Viewing MU Details 7-29
Pinging Individual MUs 7-32
MU Authentication Statistics 7-33
Viewing the Mesh Statistics Summary 7-34
Viewing Known Access Point Statistics 7-35
CPU and Memory Statistics 7-39

Chapter 8. CLI Reference

P CEA a aoc iinad crude ed eves pales bee bade ieaiedcetde ben 8-2
Accessing the CLI through the Serial Port 8-2
Accessing the CLI via Telnet 8-2
Admin and Common Commands 8-3
Network Commands 8-11
Network LAN Commands 8-12
Network LAN, Bridge Commands 8-17
Network LAN, WLAN-Mapping Commands 8-20
Network LAN, DHCP Commands 8-29
Network Type Filter Commands 8-35
Network WAN Commands 8-40
Network WAN NAT Commands
579. te with each other.
Enables or disables the AP-51xx from transmitting the ESSID in the beacon.
Enables or disables the access point from accepting broadcast IDs from MUs. Broadcast IDs are transmitted without security.
Defines the index name representing the QoS policy used with this WLAN.
Apply the changes to the modified WLAN and exit.

admin(network.wireless.wlan.create)>show wlan

ESS Identifier                    :
WLAN Name                         :
802.11a Radio                     : available
802.11b/g Radio                   : not available
Client Bridge Mesh Backhaul       : not available
Hotspot                           : not available
Maximum MUs                       : 127
MU Idle Timeout                   : 30
Security Policy                   : Default
MU Access Control                 : Default
Kerberos User Name                :
Kerberos Password                 : ********
Disallow MU to MU Communication   : disable
Use Secure Beacon                 : disable
Accept Broadcast ESSID            : disable
QoS Policy                        : Default

admin(network.wireless.wlan.create)>show security

Secu Policy Name    Authen    Encryption    Associated WLANs
1 Default           Manual    no encrypt    Front Lobby
2 WEP Demo          Manual    WEP 64        2nd Floor
3 Open              Manual    no encrypt    1st Floor
WPA Countermeasure  enable

admin(network.wireless.wlan.create)>show acl

ACL Policy Name    Associated WLANs
1 Default          Front Lobby
2 Admin            3rd Floor
3 Demo Room        5th Floor

admin(network.wireless.wlan.create)>show qos

QOS Policy Name    Associated WLANs
1 Default          Front Lobby
2 Voice            Audio Dept
3 Video            Video Dept

The CLI treats the
580. ted routes between an enabled subnet and the router. These routes can be changed by modifying the IP address and subnet masks of the enabled subnets.

The information in the access point Router Table is dynamically generated from settings applied on the WAN screen. The destination for each subnet is its IP address. The subnet mask (or network mask) and gateway settings are those belonging to each subnet. Displayed interfaces are those associated with destination IP addresses. To change any of the network address information within the WAN screen, see Configuring WAN Settings on page 5-16.

3. From the Use Default Gateway drop-down menu, select the WAN or either of the two LANs (if enabled) to serve as the default gateway to forward data packets from one network to another.

4. To set or view the RIP configuration, click the RIP Configuration button.

Routing Information Protocol (RIP) is an interior gateway protocol that specifies how routers exchange routing table information. The Router screen also allows the administrator to select the type of RIP and the type of RIP authentication used by the switch. For more information on configuring RIP, see Setting the RIP Configuration on page 5-72.

5. Use the User Defined Routes field to add or delete static routes.

The User Defined Routes field allows the administrator to view, add or delete internal static (dedicated) routes.

a. Click the Add butto
581. teps to mount the AP-5181 to a (1.5 to 18 inch diameter) steel pole or tube, using the mounting bracket:

1. Fit the edges of the V-shaped clamp parts into the slots on the flat side of the rectangular plate.

2. Place the V-shaped bracket clamp parts around the pole and tighten the nuts just enough to hold the bracket to the pole. (The bracket may need to be rotated around the pole during the antenna alignment process.)

[Figure: Fit the edges of the V-shaped part into the slots. Tighten the securing bolts.]

3. Attach the square mounting plate to the bridge with the supplied screws.

[Figure: Attach the square plate to the bridge.]

4. Attach the AP-5181 and mounting plate to the bracket already fixed to the pole.

5. Secure the AP-5181 to the pole bracket using the provided nuts.

NOTE: The AP-5181 tilt angle may need to be adjusted during the antenna alignment process. Verify the antenna polarization angle when installing; ensure the antennas are oriented correctly in respect to the AP-5181's coverage area.

6. Attach the radio antenna to their correct connectors.

7. Cable the AP-5181 using either the AP-5181 Power Tap (Part No. AP-PSBIAS-5181-01R) or the Power Injector (Part No. AP-PSBIAS-1P2-AFR).

NOTE: The access point must be mounted with the RJ45 cable connectors oriente
582. ter the DynDNS Username for the account you wish to use for the access point.
Enter the DynDNS Password for the account you wish to use for the access point.
Provide the Hostname for the DynDNS account you wish to use for the access point.
Click the Update DynDNS button to update the access point's current WAN IP address with the DynDNS service.

NOTE: DynDNS supports devices directly connected to the Internet. Having VPN enabled, and the DynDNS Server on the other side of the VPN is not supported.

7. Once the DynDNS configuration has been updated, click the Show Update Response button to open a sub-screen displaying the hostname, IP address and any messages received during an update from the DynDNS Server.

8. Click Apply to save any changes to the Dynamic DNS screen. Navigating away from the screen without clicking the Apply button results in all changes to the screens being lost.

9. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the screen to the last saved configuration.

5.3 Enabling Wireless LANs (WLANs)

A Wireless Local Area Network (WLAN) is a data communications system that flexibly extends the functionalities of a wired LAN. A WLAN does not require lining up devices for line of sight transmission, and is thus desirable. Within the WLAN, roaming users can be handed off 
583. ters in length).
path <path>            Defines the path used for the configuration file upload.
server <ipaddress>     Sets the FTP/TFTP server IP address.
user <username>        Sets the FTP user name (1 to 39 characters in length).
passwd <pswd>          Sets the FTP password (1 to 39 characters in length).

Example:

admin(system.config)>set server 192.168.22.12
admin(system.config)>set user myadmin
admin(system.config)>set passwd georges

admin(system.config)>show

cfg filename                 : cfg.txt
cfg filepath                 :
ftp/tftp server ip address   : 192.168.22.12
ftp user name                : myadmin
ftp password                 : *******

For information on importing/exporting access point configurations using the applet (GUI), see Importing/Exporting Configurations on page 4-49.

AP51xx>admin(system.config)> export

Description:

Exports the configuration from the system.

Syntax:

export ftp         Exports the access point configuration to the FTP server. Use the set command to set the server, user, password, and file name before using this command.
       tftp        Exports the access point configuration to the TFTP server. Use the set command to set the IP address for the TFTP server before using the command.
       terminal    Exports the access point configuration to a terminal.

Example:

Export FTP Example:

admin  system   admin  system   admin  system   admin  system   admin  system
Export operat
Building configuration file
File transfer
File transfer
Export Operat
584. th in bytes as specified by <length> with value in range 256 - 34463.
Sets the max number of headers as specified in <count> with value in range 12 - 34463.

Syntax:

set mode <mode>
    nat-timeout <interval>
    syn <mode>
    src <mode>
    win <mode>
    ftp <mode>
    ip <mode>
    seq <mode>
    mime filter
         len <length>
         hdr <count>

Example:

admin(network.firewall)>set mode enable
admin(network.firewall)>set ftp enable
admin(network.firewall)>set ip enable
admin(network.firewall)>set seq enable
admin(network.firewall)>set src enable
admin(network.firewall)>set syn enable
admin(network.firewall)>set win enable

admin(network.firewall)>show

Firewall Status                    : enable
Override LAN to WAN Access         : disable

Configurable Firewall Filters

ftp bounce attack filter           : enable
syn flood attack filter            : enable
unaligned ip timestamp filter      : enable
source routing attack filter       : enable
winnuke attack filter              : enable
seq num prediction attack filter   : enable
mime flood attack filter           : enable
max mime header length             : 8192
max mime headers                   : 16

AP51xx>admin(network.firewall)> access

Description:

Enables or disables firewall permissions through LAN to WAN ports.

Syntax:

show      Displays LAN to WAN access rules.
set       Sets LAN to WAN access rules.
add       Adds LAN to WAN exception rules.
delete    D
585. th the AP transparently.

Getting Started

The access point should be installed in an area tested for radio coverage using one of the site survey tools available to the field service technician. Once an installation site has been identified, the installer should carefully follow the hardware precautions, requirements, mounting guidelines and power options outlined in

See the following sections for more details:

3.1 Installing the Access Point

Make the required cable and power connections before mounting the access point in its final operating position. Test the access point with an associated MU before mounting and securing the access point. Carefully follow the mounting instructions in one of the following sections to ensure the access point is installed correctly.

For installing an AP-5131 model access point:

• For instructions on installing the AP-5131 on a table top, see Desk Mounted Installations on page 2-13.
• For instructions on mounting an AP-5131 to a wall, see Wall Mounted Installations on page 2-15.
• For instructions on mounting an AP-5131 to a ceiling T-bar, see Suspended Ceiling T-Bar Installations on page 2-17.
• For instructions on installing the AP-5131 in an above the ceiling attic space, see Above the Ceiling (Plenum) Installations on page 2-20.

For installing an AP-5181 model access point:

• For instructions
586. the radio. If the WLAN is to be defined for client bridge support only, the Available On checkbox should not be selected. Instead, it only needs to have the Enable Client Bridge Backhaul option selected.

5. Use the Maximum MUs field to define the number of MUs allowed to associate with this WLAN. This number should be defined based on the number of client bridges and repeaters within this mesh network. This value can be increased as the mesh network grows and devices are added.

Only advanced users should define the number of devices allowed to associate with the WLAN, as setting the value too low could restrict devices from joining an expanding mesh network, and setting it too high could prohibit other WLANs from granting access to all the devices needed.

6. Select the Enable Client Bridge Backhaul checkbox to make this WLAN available in the Mesh Network Name drop-down menu within the Radio Configuration screen. Only WLANs defined for mesh networking support should have this checkbox selected, in order to keep the list of WLANs available (within the Radio Configuration screen) restricted to just WLANs configured specifically with mesh attributes.

7. Refer to the Security Policy drop-down menu to select the security policy used within this WLAN and mesh network.

A security policy for a mesh network should be configured carefully since the data protection requirements within a mesh network differ somewhat compared to a typical wireless LAN. No 
587. the AAP, only control traffic required to adopt and configure the AP.

NOTE: For additional information (in greater detail) on the switch configuration activities described above, see Switch Configuration on page 10-16.

10.4 Establishing Basic Adaptive AP Connectivity

This section defines the activities required to configure basic AAP connectivity with a WS5100, RFS6000 or RFS7000 model switch. In establishing a basic AAP connection, both the access point and switch require modifications to their respective default configurations. For more information, see:

• Adaptive AP Configuration
• Switch Configuration

NOTE: Refer to Adaptive AP Deployment Considerations on page 10-19 for usage and deployment caveats that should be considered before defining the AAP configuration. Refer to Sample Switch Configuration File for IPSec and Independent WLAN on page 10-20 if planning to deploy an AAP configuration using IPSec VPN and an extended WLAN.

10.4.1 Adaptive AP Configuration

An AAP can be manually adopted by the switch, adopted using a configuration file (consisting of the adaptive parameters) pushed to the access point or adopted using DHCP options. Each of these adoption techniques is described in the sections that follow.

10.4.1.1 Adopting an Adaptive AP Manually

To manually enable the access point's switch discovery method and connection medium required for adoption:

1. Select System Configuration -> Ada
588. the closer the rogue AP. If multiple access points have detected the same rogue AP, RSSI can be useful in triangulating the location of the rogue AP.

Refer to the Rogue Detector Detail field for the following information:

Finders MAC: The MAC address of the access point detecting the rogue AP.

Detection Method: Displays the RF Scan by MU, RF On Channel Detection or RF Scan by Detector Radio method selected from the Rogue AP screen to detect rogue devices. For information on detection methods, see Configuring Rogue AP Detection on page 6-55.

First Heard (days:hrs:min): Defines the time in (days:hrs:min) that the rogue AP was initially heard by the detecting AP.

Last Heard (days:hrs:min): Defines the time in (days:hrs:min) that the rogue AP was last heard by the detecting AP.

Channel: Displays the channel the rogue AP is using.

5. Click OK to securely exit the Detail screen and return to the Active APs screen.
6. Click Cancel (if necessary) to undo any changes made and return to the Active APs screen.

6.13.2 Using MUs to Detect Rogue Devices

The access point can use an associated MU that has its rogue AP detection feature enabled to scan for rogue APs. Once detected, the rogue AP(s) can be moved to the list of allowed devices (if appropriate) within the Active APs screen. When adding an MU's detection capabilities with the access point's own rogue AP detection functionality, the rogue
589. the data source for the Radius server. The LDAP server must be accessible from the WAN port or from the access point's active subnet.

Port: Enter the TCP/IP port number for the LDAP server acting as a data source for the Radius. The default port is 389.

Login Attribute: Specify the login attribute used by the LDAP server for authentication. In most cases, the default value should work. Windows Active Directory users must use "sAMAccountName" as their login attribute to successfully login to the LDAP server.

Password Attribute: Enter the password used by the LDAP server for authentication.

Bind Distinguished Name: Specify the distinguished name used to bind with the LDAP server.

Password: Enter a valid password for the LDAP server.

Base Distinguished Name: Enter a name that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching.

Group Attribute: Define the group attribute used by the LDAP server.

Group Filter: Specify the group filters used by the LDAP server.

Group Member Attribute: Enter the Group Member Attribute sent to the LDAP server when authenticating users.

CAUTION: Windows Active Directory users must set their Login Attribute to "sAMAccountName" in order to successfully login to the LDAP server.

3. Click Apply to save any changes to the LDAP screen. Navigating away from the screen without clicking Ap
590. the root and detects if the current connection is part of a network loop with another connection. Once the spanning tree converges, both access points begin learning which destinations reside on which side of the network. This allows them to forward traffic intelligently.

After the access point (in client bridge mode) establishes at least one wireless connection, it will begin beaconing and accepting wireless connections (if configured to support mobile users). If the access point is configured as both a client bridge and a base bridge, it begins accepting client bridge connections. In this way, the mesh network builds itself over time and distance.

Once the access point (in client bridge mode) establishes at least one wireless connection, it establishes other wireless connections in the background as they become available. In this way, the access point can establish simultaneous redundant links. An access point (in client bridge mode) can establish up to 3 simultaneous wireless connections with other AP-5131s or AP-5181s. A client bridge always initiates the connections and the base bridge is always the acceptor of the mesh network data proliferating the network.

Since each access point can establish up to 3 simultaneous wireless connections, some of these connections may be redundant. In that case, the STP algorithm determines which links are the redundant links and disables the links from forwarding.

For an overview on mesh network
591. tics counters
Clears Known AP statistic counters.

AP51xx>admin(stats)> flash-all-leds

Description:

Starts and stops the illumination of a specified access point's LEDs.

Syntax:

flash-all-leds <idx>       Defines the Known AP index number of the target AP to flash.
               <action>    Starts or stops the flash activity.

Example:

admin(stats)>
admin(stats)>flash-all-leds 1 start
Password ********
admin(stats)>flash-all-leds 1 stop
admin(stats)>

For information on flashing access point LEDs using the applet (GUI), see Viewing Known Access Point Statistics on page 7-35.

AP51xx>admin(stats)> echo

Description:

Defines the echo test values used to conduct a ping test to an associated MU.

Syntax:

show     Shows the Mobile Unit Statistics Summary.
list     Defines echo test parameters and result.
set      Determines echo test packet data.
start    Begins echoing the defined station.
..       Goes to parent menu.
/        Goes to root menu.
quit     Quits CLI session.

For information on MU Echo and Ping tests using the applet (GUI), see Pinging Individual MUs on page 7-32.

AP51xx>admin(stats.echo)> show

Description:

Shows Mobile Unit Statistics Summary.

Syntax:

show     Shows Mobile Unit Statistics Summary.

Example:

admin(stats.echo)>show

1  192.168.2.0  00:A0:F8:72:57:83  demo  11a

For inf
592. tificate Request screen displays.

3. Complete the request form with the pertinent information.

Key ID (required): Enter a logical name for the certificate to help distinguish between certificates. The name can be up to 7 characters in length.

Subject (required): The required Subject value contains important information about the certificate. Contact the CA signing the certificate to determine the content of the Subject parameter.

Department: Optionally enter a value for your organization's department name if needing to differentiate the certificate from similar certificates used in other departments within your organization.

Organization: Optionally enter the name of your organization for supporting information for the certificate request.

City: Optionally enter the name of the City where the access point (using the certificate) resides.

State: Optionally enter the name of the State where the access point (using the certificate) resides.

Postal Code: Optionally enter the name of the Postal (Zip) Code where the access point (using the certificate) resides.

Country Code: Optionally enter the access point's Country Code.

Email: Enter an organizational email address (avoid using a personal address if possible) to associate the request with the proper requesting organization.

IP Address

Signature Algorithm

Key Length

Domain Name: Ensure the Domain name is the name of the CA Server
593. tion on the Wireless interface. Using NAT, the router is able to manage a private IP scheme. NAT allows translation of private addresses to the WAN IP address.

• DHCP: On the wireless and LAN side, the access point can assign private IP addresses.
• Firewall: A Firewall protects against a number of known attacks.

1.3.7 Management Access Options

Managing the access point includes viewing network statistics and setting configuration options. Statistics track the network activity of associated MUs and data transfers on the AP interfaces.

The access point requires one of the following connection methods to perform a custom installation and manage the network:

• Secure Java-Based WEB UI (use Sun Microsystems' JRE 1.5 or higher available from Sun's Web site and be sure to disable Microsoft's Java Virtual Machine if installed)
• Command Line Interface (CLI) via Serial, Telnet and SSH
• Config file: Human-readable; Importable/Exportable via FTP and TFTP
• MIB (Management Information Base) accessing the access point SNMP function using a MIB Browser. The AP-5131 or AP-5181 downloads site contains the following 2 MIB files:
    • Symbol-CC-WS2000-MIB-2.0 (standard MIB file)
    • Symbol-AP-5131-MIB (AP-5131/AP-5181 MIB file)

Make configuration changes to access points individually. Optionally, use the access point import/export configuration function to download settings to other access points.

For detailed information, see:
594. tion button to restore a default configuration with the exception of the current LAN, WAN, SNMP settings and IP address used to launch the browser. If selected, a message displays warning the user all current configuration settings will be lost with the exception of WAN and SNMP settings. Before using this feature, Motorola recommends using the Config Import/Export screen to export the current configuration for safekeeping, see Importing/Exporting Configurations on page 4-49.

4. Use the Restart access point field to restart the AP (if necessary).

Restart AP-51xx: Click the Restart access point button to reboot the AP. Restarting the access point resets all data collection values to zero. Motorola does not recommend restarting the AP during significant system uptime or data collection activities.

CAUTION: After a reboot, static route entries disappear from the AP Route Table if a LAN Interface is set to DHCP Client. The entries can be retrieved (once the reboot is done) by performing an Apply operation from the WEB UI or a save operation from the CLI.

5. Click Apply to save any changes to the System Settings screen. Navigating away from the screen without clicking the Apply button results in all changes to the screen being lost.

NOTE: The Apply button is not needed for restoring the access point default configuration or restarting the access point.

6. Click Undo Changes (if necessary) to undo any chang
595. tion can be active on the access point Ethernet port at a time. The LAN connection specified from the LAN screen to receive priority for Ethernet port connectivity may be the better subnet to select for VPN traffic.

Enter the WAN's numerical (non-DNS) IP address in order for the tunnel to pass traffic to a remote network.

Specify the numerical (non-DNS) IP address for the Remote Subnet.

Enter the subnet mask for the tunnel's remote network. The remote subnet mask is the subnet setting for the remote network the tunnel connects to.

Enter a numerical (non-DNS) remote gateway IP address for the tunnel. The remote gateway IP address is the gateway address on the remote network the VPN tunnel connects to.

Displays the WAN interface's default gateway IP address.

Selecting Manual Key Exchange requires you to manually enter keys for AH and/or ESP encryption and authentication. Click the Manual Key Settings button to configure the settings.

Select Manual Key Exchange and click the Manual Key Settings button to open a screen where AH authentication and ESP encryption/authentication can be configured and keys entered. For more information, see Configuring Manual Key Settings on page 6-40.

Select the Auto (IKE) Key Exchange checkbox to configure AH and/or ESP without having to manually enter keys. The keys automatically generate and rotate for the authentication and encryption type selected.

Select the Auto (IKE) Key Exchange
596. tion enabled.

Select the RF On-Channel Detection checkbox to enable the access point to detect rogue APs on its current (legal) channel setting.

If the access point is a dual-radio model, select the RF Scan by Detector Radio checkbox to enable the selected 11a or 11b/g radio to scan for rogue APs. For example, if 11b/g is selected, the existing 11a radio would act as the "detector radio", scanning on all 11b/g channels while the existing 11b/g radio continues to service MUs. The assumption is, when planning to do an all-channel scan on one band, the MUs would also be on that band. The radio on the other band is used as the "detector radio".

Select this checkbox to scan for rogues over all channels on both of the access point's 11a and 11b/g radio bands. The switching of radio bands is based on a timer with no user intervention required. This option provides a good opportunity to detect rogues, as rogues often roam from one association to a stronger one regardless of the current operating channel.

3. Use the Allowed AP List field to restrict Motorola APs from Rogue AP detection and create a list of device MAC addresses and ESSIDs approved for interoperability with the access point.

Authorize Any AP Having Motorola Defined MAC Address: Select this checkbox to enable all access points with a Motorola MAC address to interoperate with the access point conducting a scan for rogue devices.

Add

Del (Delete)

Delete All

Any M
597. tion file name to obtain a relative file name. For example, if using bf=/opt/tftpdir/ftp/dist/ap.cfg and T136=/opt/tftpdir/, the config file name is ftp/dist/ap.cfg. T136 is only used for this purpose. It is NOT used to append to the config file name or the firmware file name. If T136 is not specified, the access point uses the entire bf field as the config file name.

NOTE: The update process is conducted over the LAN or WAN port depending on which Server responds first to the access point's request for an automatic update.

NOTE: If the firmware files are the same, the firmware will not get updated. If the configuration file name matches the last used configuration file on the access point or if the configuration file versions are the same, the access point configuration will not get updated. The LAN Port needs to be configured as a BootP client. There's no BootP support on the WAN Port. The WAN supports only DHCP.

B.1.2.2 BootP Priorities

The following flowchart displays the priorities used by the access point when the BootP server is configured for multiple options.

Priority          TFTP Server   Firmware File   Config File
1 (overrides 2)   186           187             188
2                 66            67              129

If the BootP Server is configured for options 186 and 66 (to assign TFTP server IP addresses), the access point uses the IP address configured for option 186. Similarly, if the BootP Server is configured for options 188 an
598. to save event logs, set the log level and optionally port the access point's log to an external server.

View Log: Click View to save a log of events retained on the access point. The system displays a prompt requesting the administrator password before saving the log. After the password has been entered, click Get File to display a dialogue with buttons to Open or Save the log.txt file. Click Save and specify a location to save the log file.

Use the WordPad application to view the saved log.txt file on a Microsoft Windows based computer. Do not view the log file using Notepad, as the Notepad application does not properly display the formatting of the access point log file. Log entries are not saved in the access point. While the AP is in operation, log data temporarily resides in memory. AP memory is completely cleared each time the AP reboots.

Logging Level: Use the Logging Level drop-down menu to select the desired log level for tracking system events. Eight logging levels (0 to 7) are available. Log Level 6: Info is the access point default log level. These are the standard UNIX/LINUX syslog levels. The levels are as follows:

0 - Emergency
1 - Alert
2 - Critical
3 - Errors
4 - Warning
5 - Notice
6 - Info
7 - Debug

Enable logging to an external syslog server: The access point can log events to an external syslog (system log) server. Select the Enable logging to an external syslog server
599. ton

5. If needed, create another WLAN mapped to the 802.11bg radio if 802.11bg support is required for MUs on that 802.11 band.

9.3.1.4 Verifying Mesh Network Functionality for Scenario 1

You now have a three AP mesh network ready to demonstrate. Associate a single MU on each AP WLAN configured for 802.11bg radio support. Once completed, pass traffic among the three APs comprising the mesh network.

9.3.2 Scenario 2 - Two Hop Mesh Network with a Base Bridge Repeater and a Client Bridge

[Figure: BASE BRIDGE (GATEWAY NODE); CLIENT BRIDGE / BASE BRIDGE (REPEATER NODE); CLIENT BRIDGE]

By default, the mesh algorithm runs an automatic link selection algorithm to determine the best possible active and redundant links. If member APs are not far apart (in physical distance), the algorithm intelligently chooses a single hop link to forward data. To force APs to use multiple hops for demonstrations, use manual links.

In scenario 2, the following three AP configurations comprise the mesh network:

• AP 1 is a base bridge
• AP 2 is a repeater (client bridge/base bridge combination)
• AP 3 is a client bridge

9.3.2.1 Configuring AP 1

The setup of AP 1 within this usage scenario is exactly the same as the AP 1 configuration within Scenario 1 - Two Base Bridges and One Client Bridge for step by step instructio
600. tor from entering the 256-bit key each time keys are generated.

To use a hexadecimal value (and not an ASCII passphrase), select the checkbox and enter 16 hexadecimal characters into each of the four fields displayed.

Default (hexadecimal) 256-bit keys for WPA2 CCMP include:

1011121314151617
18191A1B1C1D1E1F
2021222324252627
28292A2B2C2D2E2F

Configure the WPA2 CCMP Mixed Mode field as needed to allow WPA and WPA2 TKIP client interoperation.

Allow WPA/WPA2 TKIP clients: WPA2 CCMP Mixed Mode enables WPA2 CCMP, WPA TKIP and WPA2 TKIP clients to operate together on the network. Enabling this option allows backwards compatibility for clients that support WPA TKIP and WPA2 TKIP but do not support WPA2 CCMP. Motorola recommends enabling this feature if WPA TKIP or WPA2 TKIP supported MUs operate within a WLAN populated by WPA2 CCMP enabled clients.

Configure the Fast Roaming (802.1x only) field as required to enable additional access point roaming and key caching options. This feature is applicable only when using 802.1x EAP authentication with WPA2 CCMP.

Pre-Authentication: Selecting this option enables an associated MU to carry out an 802.1x authentication with another access point before it roams to it. The access point caches the keying information of the client until it roams to the other access point. This enables the roaming client to start sending and receiving data sooner by not having to do 802.1x authentication after it roa
601. tructions on how to quickly set up and demonstrate mesh functionality using three access points. The following two deployment scenarios will be addressed:

• Scenario 1 - Two base bridges (redundant) and one client bridge
• Scenario 2 - A two-hop mesh network with a base bridge, repeater (combined base bridge and client bridge mode) and a client bridge

9.3.1 Scenario 1 - Two Base Bridges and One Client Bridge

[Figure: BASE BRIDGE 1 (GATEWAY NODE); BASE BRIDGE 2 (GATEWAY NODE); CLIENT BRIDGE (EDGE NODE)]

In scenario 1, the following three access point configurations will be deployed within the mesh network:

• AP 1 - An active base bridge
• AP 2 - A redundant base bridge
• AP 3 - A client bridge connecting to both AP 1 and AP 2 simultaneously

AP 1 and AP 2 will be configured somewhat the same. However, there are some important (yet subtle) differences. Therefore, the configuration of each access point will be described separately.

9.3.1.1 Configuring AP 1

1. Provide a known IP address for the LAN1 interface.

NOTE: Enable the LAN1 Interface of AP 1 as a DHCP Server if you intend to associate MUs and require them to obtain an IP address via DHCP.

2. Assign
602. twork address information is defined over the access point's LAN connection. Select DHCP Client if the larger corporate network uses DHCP. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, network mask, and gateway. Select DHCP Server to use the access point as a DHCP server over the LAN connection. Select the Bootp client option to enable a diskless system to discover its own IP address.

NOTE: Motorola recommends that the WAN and LAN ports should not both be configured as DHCP clients.

c. If using the static or DHCP Server option, enter the network-assigned IP Address of the access point.

NOTE: DNS names are not supported as a valid IP address for the access point. The user is required to enter a numerical IP address.

d. The Subnet Mask defines the size of the subnet. The first two sets of numbers specify the network domain, the next set specifies the subset of hosts within a larger network. These values help divide a network into subnetworks and simplify routing and data transmission.

e. If using the static or DHCP Server option, enter a Default Gateway to define the numerical IP address of a router the access point uses on the Ethernet as its default gateway.

f. If using the static or DHCP Server option, enter the Primary DNS Server numerical IP add
603. ty

To configure 802.1x EAP authentication on the access point:

1. Select Network Configuration -> Wireless -> Security from the access point menu tree.

If security policies supporting 802.1x EAP exist, they appear within the Security Configuration screen. These existing policies can be used as is, or their properties edited by clicking the Edit button. To configure a new security policy supporting 802.1x EAP, continue to step 2.

2. Click the Create button to configure a new policy supporting 802.1x EAP.

The New Security Policy screen displays with no authentication or encryption options selected.

3. Select the 802.1x EAP radio button.

The 802.1x EAP Settings field displays within the New Security Policy screen.

4. Ensure the Name of the security policy entered suits the intended configuration or function of the policy.

5. If using the access point's Internal Radius server, leave the Radius Server drop-down menu in the default setting of Internal. If an external Radius server is used, select External from the drop-down menu.

[Screenshot: New Security Policy screen with 802.1x EAP settings]
604. ude DES, 3DES, AES128, AES192, or AES256.

Sets the Manual Encryption Key in ASCII for tunnel <name> and direction IN or OUT to the key <enc-key>. The size of the key depends on the encryption algorithm:
- 16 hex characters for DES
- 48 hex characters for 3DES
- 32 hex characters for AES128
- 48 hex characters for AES192
- 64 hex characters for AES256

Sets the ESP authentication algorithm. Options include MD5 or SHA1.

Sets ESP Authentication key <name> either for IN or OUT direction to <auth-key>, an ASCII string of hex characters. If authalgo is set to MD5, then provide 32 hex characters. If authalgo is set to SHA1, provide 40 hex characters.

Sets 6 character IN(bound) or OUT(bound) for AUTH (Manual Authentication) or ESP for <name> to <spi> (a hex value more than 0xFF) <value>.

Enables or disables Perfect Forward Secrecy for <name>.

salife       <name>  <lifetime>
ike
  opmode     <name>  <opmode>
  myidtype   <name>  <idtype>
  remidtype  <name>  <idtype>
  myiddata   <name>  <idtype>
  remiddata  <name>  <idtype>
  authtype   <name>  <authtype>
  authalgo   <name>  <authalgo>
  phrase     <name>  <phrase>
  lifetime   <name>
  group      <name>
  encalgo    <name>  <encalg
605. umber of responses from the target MU versus the number of pings transmitted by the access point. Use the ratio of packets sent versus packets received to assess the link quality between MU and the access point.

Click the Ok button to exit the Echo Test screen and return to the MU Stats Summary screen.

7.5.3 MU Authentication Statistics

The access point can access and display authentication statistics for individual MUs.

To view access point authentication statistics for a specific MU:

1. Select Status and Statistics -> MU Stats from the access point menu tree.
2. Highlight a target MU from within the MU List field.
3. Click the MU Authentication Statistics button.

Use the displayed statistics to determine if the target MU would be better served with a different access point WLAN or access point radio.

Click Ok to return to the MU Stats Summary screen.

7.6 Viewing the Mesh Statistics Summary

The access point has the capability of detecting and displaying the properties of other access points in mesh network (either base bridges or client bridges) mode. This information is used to create a list of known wireless bridges.

To view detected mesh network statistics:

1. Select Status and Statistics -> Mesh Stats from the access point menu tree.

The Mesh Statistics Summary sc
606. und to be different between what is running on the access point and the firmware file that resides on the server. The configuration file is automatically applied when the configuration filename is found to be different between what resides on the access point and the filename residing on the server, or when the configuration version is found to be different between what resides on the access point and the configuration version residing on the server.

The configuration version can be modified in the text file to cause the configuration to be applied when required. The parameter name in the file is "cfg-version-1.1-01". The access point only checks the two characters after the third hyphen (01) when making a comparison. Change the last two characters to update the configuration. The two characters can be alpha-numeric.

NOTE: A Motorola AP-5181 model access point does not support firmware prior to version 1.1.1.x.

B.1.1 Windows - DHCP Server Configuration

See the following sections for information on these DHCP server configurations in the Windows environment:

• Embedded Options - Using Option 43
• Global Options - Using Extended/Standard Options
• DHCP Priorities

B.1.1.1 Embedded Options - Using Option 43

This section provides instructions for automatic update of firmware and configuration file via DHCP using extended options or standard options configured globally.

The setup example described in this section includes:

• 1 AP-5131 o
607. unnel. All other packets will be handled by whatever firewall rules are set.

• Question 8: How do I specify which certificates to use for an IKE policy from the access point certificate manager?

When generating a certificate to use with IKE, use one of the following fields: IP address, Domain Name, or Email address. Also, make sure you are using NTP when attempting to use the certificate manager. Certificates are time sensitive.

Configure the following on the IKE Settings page:

Local ID type refers to the way that IKE selects a local certificate to use.

• IP - tries to match the local WAN IP to the IP addresses specified in a local certificate.
• FQDN - tries to match the user-entered local ID data string to the domain name field of the certificate.
• UFQDN - tries to match the user-entered local ID data string to the email address field of the certificate.

Remote ID type refers to the way you identify an incoming certificate as being associated with the remote side.

• IP - tries to match the remote gateway IP to the IP addresses specified in the received certificate.
• FQDN - tries to match the user-entered remote ID data string to the domain name field of the received certificate.
• UFQDN - tries to match the user-entered remote ID data string to the email address field of the received certificate.

IKE Settings: Operation Mode, Local ID Type, Remote ID Type, IKE Authentication Mode, IKE Encryption
608. upport

For an understanding of how AAP support should be configured for the access point and its connected switch, see How the AP Receives its Adaptive Configuration on page 10-11.

For an overview of how to configure both the access point and switch for basic AAP connectivity and operation, see Establishing Basic Adaptive AP Connectivity on page 10-13.

To configure the access point's switch discovery method and connection medium, see Adaptive AP Setup on page 4-6.

10.1.2 Adaptive AP Management

An AAP can be adopted, configured and managed like a thin access port from the wireless switch.

NOTE: To support AAP functionality, a WS5100 model switch must be running firmware version 3.1 or higher, whereas a RFS6000 or RFS7000 model switch must be running firmware version 1.1 or higher. The access point must be running firmware version 2.0 or higher to be converted into an AAP.

NOTE: An AAP cannot support a firmware download from the wireless switch.

Once an access point connects to a switch and receives its AAP configuration, its WLAN and radio configuration is similar to a thin access port. An AAP's radio mesh configuration can also be configured from the switch. However, non-wireless features (DHCP, NAT, Firewall etc.) cannot be configured from the switch and must be defined using the access point's resident interfaces before its conversion to an AAP.

10.1.3 Types of Adaptive APs

Two low priced AP-5131 SKU configu
609. ure the destination port range. A new window displays to enter the starting and ending ports in the range. For rules where only a single port is necessary, enter the same port in the start and end port fields.

4. Click Apply to save any changes to the Advanced Subnet Access screen. Navigating away from the screen without clicking Apply results in all changes to the screens being lost.

5. Click Undo Changes (if necessary) to undo any changes made. Undo Changes reverts the settings displayed on the Advanced Subnet Access screen to the last saved configuration.

6. Click Logout to securely exit the Access Point applet. A prompt displays confirming the logout before the applet is closed.

6.11 Configuring VPN Tunnels

The access point allows up to 25 VPN tunnels to either a VPN endpoint or to another access point. VPN tunnels allow all traffic on a local subnet to route securely through an IPSEC tunnel to a private network. A VPN port is a virtual port which handles tunneled traffic.

When connecting to another site using a VPN, the traffic is encrypted so if anyone intercepts the traffic, they cannot see what it is unless they can break the encryption. The traffic is encrypted from your computer through the network to the VPN. At that point the traffic is decrypted.

Use the VPN screen to add and remove VPN tunnels. To configure an existing VPN tunnel, select it from the list in the VPN Tunnels field
610. use of a hotspot timeout interval for the specified wlan index (1-16).

Sets the Radius hotspot server timeout interval for the specified index (1-16) between 15 - 180 minutes.

radius)>set server 1 primary 157.235.121.1
radius)>set port 1 primary 1812
radius)>set secret 1 primary sjsharkey
radius)>set acct-mode 1 enable
radius)>set acct-server 1 157.235.14.14
radius)>set acct-port 1 1812
radius)>set acct-secret londonfog
radius)>set acct-timeout 1 25
radius)>set acct-retry 1 10
radius)>set sess-mode 1 enable
radius)>set sess-timeout 1 15

the access point using the applet (GUI), see Configuring WLAN Hotspot

AP51xx>admin(network.wireless.wlan.hotspot.radius)> show

Description:

Shows Radius hotspot server details.

Syntax:

show radius <idx>    Displays Radius hotspot server details per index (1-16).

Example:

admin(network.wireless.wlan.hotspot.radius)>show radius 1

WLAN 1
Hotspot Mode              : enable
Primary Server Ip adr     : 157.235.12.12
Primary Server Port       : 1812
Primary Server Secret     : *******
Secondary Server Ip adr   : 0.0.0.0
Secondary Server Port     : 1812
Accounting Mode           : enable
Accounting Server Ip adr  : 157.235.15.16
Accounting Server Port    : 1813
Accounting Server Secret  : *******
Accounting Timeout        : 10
Accounting Retry count    : 3
Session Timeout Mode      : enable

admin(network.wireless.wlan.hotspot.radius
611. uses electromagnetic waves to transmit and receive electric signals without wires. Users communicate with the network by establishing radio links between mobile units (MUs) and access points.

The access point uses DSSS (direct sequence spread spectrum) to transmit digital data from one device to another. A radio signal begins with a carrier signal that provides the base or center frequency. The digital data signal is encoded onto the carriers using a DSSS chipping algorithm. The radio signal propagates into the air as electromagnetic waves. A receiving antenna (on the MU) in the path of the waves absorbs the waves as electrical signals. The receiving MU interprets (demodulates) the signal by reapplying the direct sequence chipping code. This demodulation results in the original digital data.

The access point uses its environment (the air and certain objects) as the transmission medium. The access point can either transmit in the 2.4 to 2.5 GHz frequency range (802.11b/g radio) or the 5 GHz frequency range (802.11a radio); the actual range is country-dependent. Motorola devices, like other Ethernet devices, have unique, hardware-encoded Media Access Control (MAC) or IEEE addresses.

MAC addresses determine the device sending or receiving data. A MAC address is a 48-bit number written as six hexadecimal bytes separated by colons. For example: 00:A0:F8:24:9A:C8

Also see the following sections:
612. using the applet (GUI), see Updating Device Firmware on page 4-54.

AP51xx>admin(system.fw-update)>update

Description:

Executes the access point firmware update over the WAN or LAN port using either ftp or tftp.

Syntax:

update <mode> <iface>    Defines the ftp or tftp mode used to conduct the firmware update. Specifies whether the update is executed over the access point's WAN, LAN1 or LAN2 interface <iface>.

NOTE: The access point must complete the reboot process to successfully update the device firmware, regardless of whether the reboot is conducted using the GUI or CLI interfaces.

admin(system.fw-update)>update ftp

For information on updating access point device firmware using the applet (GUI), see Updating Device Firmware on page 4-54.

8.5 Statistics Commands

AP51xx>admin(stats)

Description:

Displays the access point statistics submenu. The items available under this command are:

show            Displays access point WLAN, MU, LAN and WAN statistics.
send-cfg-ap     Sends a config file to another access point within the known AP table.
send-cfg-all    Sends a config file to all access points within the known AP table.
clear           Clears all statistic counters to zero.
flash-all-leds  Starts and stops the flashing of all access point LEDs.
echo            Defines the parameters for pinging a designated station.
ping            Initiates a ping test.
save
quit

Moves to the parent
613. utton to export the configuration file from the server with the assigned filename and login information. If the IP mode is set to DHCP Client, IP address information is not exported (true for both LAN1, LAN2 and the WAN port). For LAN1 and LAN2, IP address information is only exported when the IP mode is set to either static or DHCP Server. For the WAN port, IP address information is only exported when the This interface is a DHCP Client checkbox is not selected. For more information on these settings, see Configuring the LAN Interface on page 5-1 and Configuring WAN Settings on page 5-16.

The system displays a confirmation window prompting the administrator to log out of the access point after the operation completes for the changes to take effect. Click Yes to continue the operation. Click No to cancel the configuration file export.

CAUTION: For HTTP downloads (exports) to be successful, pop-up messages must be disabled.

Upload and Apply A Configuration File: Click the Upload and Apply A Configuration File button to upload a configuration file to this access point using HTTP.

Download Configuration File: Click the Download Configuration File button to download this access point's configuration file using HTTP.

4. Refer to the Status field to assess the completion of the import/export operation.

Status: After executing an operation (by clicking any of the buttons in the window), check the Statu
614. v2 all

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP Settings on page 4-27.

AP51xx>admin(system.snmp.traps)> list

Description:

Lists SNMP trap entries.

Syntax:

list  v1v2c     Lists SNMP v1/v2c access entries.
      v3 <idx>  Lists SNMP v3 access entry <idx>.
      all       Lists all SNMP v3 access entries.

Example:

admin(system.snmp.traps)>add v1v2 203.223.24.2 162 mycomm v1

admin(system.snmp.traps)>list v1v2c

index   dest ip   dest port   community   version

admin(system.snmp.traps)>add v3 201.232.24.33 555 BigBoss none md5
admin(system.snmp.traps)>list v3 all

index              : 1
destination ip     : 201.232.24.33
destination port   : 555
username           : BigBoss
security level     : none
auth algorithm     : md5
auth password      : ********
privacy algorithm  : des
privacy password   : ********

For information on configuring SNMP traps using the applet (GUI), see Configuring SNMP RF Trap Thresholds on page 4-41.

8.4.5 System User Database Commands

AP51xx>admin(system)> userdb

Description:

Goes to the user database submenu.

Syntax:

user   Goes to the user submenu.
group  Goes to the group submenu.
save   Saves the configuration to system flash.
..     Goes to the parent menu.
/      Goes to the root menu.

For information on configuring User Database permissions using the applet (GUI), see Defining User Access Permissions by Group on pa
615. 3-15

Chapter 4. System Configuration

Configuring System Settings 4-2
    Adaptive AP Setup 4-6
Configuring Data Access 4-9
    Defining Trusted Hosts 4-14
Managing Certificate Authority (CA) Certificates 4-16
    Importing a CA Certificate 4-16
    Creating Self Certificates for Accessing the VPN 4-18
    Creating a Certificate for Onboard Radius Authentication 4-22
    Apache Certificate Management 4-25
Configuring SNMP Settings 4-27
    Configuring SNMP Access Control 4-33
    Enabling SNMP Traps 4-35
    Configuring Specific SNMP Traps 4-38
    Configuring SNMP RF Trap Thresholds 4-41
Configuring Network Time Protocol (NTP) 4-43
Logging Configuration 4-47
Importing/Exporting Configurations 4-49
Updating Device Firmware 4-54
    Upgrade/Downgrade Considerations 4-60

C
616. vailable on the WLAN Statistics screen as this screen is view only with no configurable data fields.

6. Click the Clear WLAN Stats button to reset each of the data collection counters to zero in order to begin new data collections.

Do not clear the WLAN stats if currently in an important data gathering activity or risk losing all data calculations to that point.

7. Click the Logout button to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

7.4 Viewing Radio Statistics Summary

Select the Radio Stats Summary screen to view high-level information (radio name, type, number of associated MUs, etc.) for the radio(s) enabled on an access point. Individual radio statistics can be displayed as well by selecting a specific radio from within the access point menu tree.

To view high-level access point radio statistics:

1. Select Status and Statistics -> Radio Stats from the access point menu tree.

2. Refer to the Radio Summary field to reference access point radio information.

Type: Displays the type of radio (either 802.11a or 802.11b/g) currently deployed by the access point. To configure the radio type, see Setting the WLAN's Radio Configuration on page 5-52.

MUs: Displays the total number
617. ver    IP Address    Network Mask    Default Gateway    Domain Name    Primary DNS Server    Network Management

Select this button to enable BOOTP to set access point network address information via this LAN1 or LAN2 connection. When selected, only BOOTP responses are accepted by the access point. If both DHCP and BOOTP services are required, do not select BOOTP Client.

Select the This interface uses static IP Address button, and manually enter static network address information in the areas provided.

The access point can be configured to function as a DHCP server over the LAN1 or LAN2 connection. Select the This interface is a DHCP Server button and manually enter static network address information in the areas provided.

Use the address assignment parameter to specify a range of numerical (non-DNS name) IP addresses reserved for mapping client MAC addresses to IP addresses. If a manually (static) mapped IP address is within the IP address range specified, that IP address could still be assigned to another client. To avoid this, ensure all statically mapped IP addresses are outside of the IP address range assigned to the DHCP server.

Click the Advanced DHCP Server button to display a screen used for generating a list of static MAC to IP address mappings for reserved clients. A separate screen exists for each of the LANs. For more information, see Configuring Advanced DHCP Server Settings on page 5-13.

The network assigned numerical (non
618. ver <idx> <ipadr>
acct-port <idx> <port>
acct-secret <idx> <secret>
acct-timeout <idx> <timeout>
acct-retry <idx> <retry_count>
sess-mode <idx> <mode>
sess-timeout <idx> <timeout>

Example:

admin(network.wireless.wlan.hotspot)>

For information on configuring the Hotspot options available to  Support on page 5-46.

Sets the Radius hotspot server IP address per wlan index (1-16).
Sets the Radius hotspot server port per wlan index (1-16).
Sets the Radius hotspot server shared secret password.
Sets the Radius hotspot server accounting mode (enable/disable).
Sets the Radius hotspot accounting server IP address per wlan index (1-16).
Sets the Radius hotspot accounting server port per wlan index (1-16).
Sets the Radius hotspot server shared secret password per wlan index (1-16).
Sets the Radius hotspot server accounting timeout period in seconds (1-25).
Sets the Radius hotspot server accounting retry interval (1-10).
Enables or disables the 
619. ver, user, password, and file.

tftp: Imports the access point configuration from the TFTP server. Use the set command to set the server and file.

Example:

Import FTP Example

admin(system.config)>set server 192.168.22.12
admin(system.config)>set user myadmin
admin(system.config)>set file config.txt
admin(system.config)>set passwd mysecret
admin(system.config)>import ftp
Import operation : [ Started ]
File transfer : [ In progress ]
File transfer : [ Done ]
Import operation : [ Done ]

Import TFTP Example

admin(system.config)>set server 192.168.0.101
admin(system.config)>set file config.txt
admin(system.config)>import tftp
Import operation : [ Started ]
File transfer : [ In progress ]
File transfer : [ Done ]
Import operation : [ Done ]

CAUTION: A single radio model access point cannot import/export its configuration to a dual radio model access point. In turn, a dual radio model access point cannot import/export its configuration to a single radio access point.

CAUTION: Motorola discourages importing a 1.0 baseline configuration file to a 1.1 version access point. Similarly, a 1.1 baseline configuration file should not be imported to a 1.0 version access point. Importing configurations between different version access points results in broken configurations, since new features added to the 1.1 version access point cannot be supported in a 1.0 version access point.

For in
620. vides the capability for periodically logging system events. Logging events is useful in assessing the throughput and performance of the access point or troubleshooting problems on the access point managed Local Area Network (LAN).

For detailed information on access point events, see Logging Configuration on page 4-47.

1.2.20 Configuration File Import/Export Functionality

Configuration settings for an access point can be downloaded from the current configuration of another access point. This affords the administrator the opportunity to save the current configuration before making significant changes or restoring the default configuration.

For detailed information on importing or exporting configuration files, see Importing/Exporting Configurations on page 4-49.

1.2.21 Default Configuration Restoration

The access point has the ability to restore its default configuration or a partial default configuration (with the exception of current WAN and SNMP settings). Restoring the default configuration is a good way to create new WLANs if the MUs the access point supports have been moved to different radio coverage areas.

For detailed information on restoring a default or partial default configuration, see Configuring System Settings on page 4-2.

1.2.22 DHCP Support

The access point can use Dynamic Host Configuration Protocol (DHCP) to obtain a leased IP address and configuration information from a remote server. DHCP is based on the BOOTP protocol 
621. with RIP version 1. RIP version 2 increases the amount of packet information to provide a simple authentication mechanism to secure table updates.

RIP version 2 enables the use of a simple authentication mechanism to secure table updates. More importantly, RIP version 2 supports subnet masks, a critical feature not available in RIP version 1. This selection is not compatible with RIP version 1 support.

Select a routing direction from the RIP Direction drop-down menu. Both (for both directions), Rx only (receive only), and TX only (transmit only) are available options.

[Screenshot: RIP Configuration screen]

3. If RIP v2 or RIP v2 (v1 compat) is the selected RIP type, the RIP v2 Authentication field becomes active. Select the type of authentication to use from the Authentication Type drop-down menu. Available options include:

None: This option disables the RIP authentication.

Simple: This option enables RIP version 2's simple authentication mechanism. This setting activates the Password (Simple Authentication) field.

MD5: This option enables the MD5 algorithm for data verification. MD5 takes as input a message of arbit
622. work Time Protocol (NTP) on page 4-43.

CAUTION: If using the Radius time based authentication feature to authenticate

1. Select User Authentication > Radius Server > Access Policy from the menu tree.

[Screenshot: Access Policy screen]

The Access Policy screen displays the following fields:

Groups: The Groups field displays the names of those existing groups that can have access intervals applied to them. Click the Edit button to display a screen designed to create access intervals for specific days and hours. A mechanism also exists for mapping specific WLANs to these intervals. For more information, see Editing Group Access Permissions on page 6-78. For information on creating a new group, see Managing the Local User Database on page 6-72.

Time of Access: The Time of Access field displays the days of the week and the hours defined for group access to access point resources. This data is defined for the group by selecting the Edit button from within the groups field.

Associated WLANs: The Associated WLANs field displa
623. work traffic it represents.

A business may have offices in different locations and want to extend an internal LAN between the locations. An access point managed infrastructure could provide this connectivity, but it requires VLAN numbering be managed carefully to avoid conflicts between two VLANs with the same ID.

Define a 32 ASCII character maximum VLAN Name.

Enter a unique name that identifies members of the VLAN. Motorola recommends selecting the name carefully, as the VLAN name should signify a group of clients with a common set of requirements independent of their physical location.

Click Apply to save the changes to the new or modified VLAN.

From the LAN Configuration screen, click the WLAN Mapping button. The Mapping Configuration screen displays.

[Screenshot: Mapping Configuration screen]

8. Enter a Management VLAN Tag for LAN1 and LAN2.

The Management VLAN uses a default tag value of 1. The Management VLAN is used to distinguish VLAN traffic flows for the LAN. The trunk port marks the frames with special tags as they pass between the access point and its destination; these tags help distinguish data traffic.

Authentication servers, such as Radius and Kerberos, must be on the same Management VLAN. Additionally, D
624. x

set wan enable/disable
    dhcp enable/disable
    ipadr <idx> <a.b.c.d>
    mask <a.b.c.d>
    dgw <a.b.c.d>
    dns <idx> <a.b.c.d>
    auto-negotiation enable/disable
    speed <mbps>
    duplex <mode>
    pppoe mode enable/disable
          user <name>
          passwd <password>
          ka enable/disable
          idle <time>
          type <auth-type>

Example:

admin(network.wan)>set dhcp disable

wan enable/disable: Enables or disables the access point WAN port.
dhcp enable/disable: Enables or disables WAN DHCP Client mode.
ipadr <idx> <a.b.c.d>: Sets up to 8 (using <indx> from 1 to 8) IP addresses <a.b.c.d> for the access point WAN interface.
mask <a.b.c.d>: Sets the subnet mask for the access point WAN interface.
dgw <a.b.c.d>: Sets the default gateway IP address to <a.b.c.d>.
dns <idx> <a.b.c.d>: Sets the IP address of one or two DNS servers, where <indx> indicates either the primary (1) or secondary (2) server, and <a.b.c.d> is the IP address of the server.
auto-negotiation enable/disable: Enables or disables auto negotiation for the access point WAN port.
speed <mbps>: Defines the access point WAN port speed as either 10 Mbp
625. xadecimal) keys.
- AES 192-bit: Uses the Advanced Encryption Standard algorithm with 192-bit (48-character hexadecimal) keys.
- AES 256-bit: Uses the Advanced Encryption Standard algorithm with 256-bit (64-character hexadecimal) keys.

Enter a key for inbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the outbound key at the remote gateway.

Define a key for outbound traffic. The length of the key is determined by the selected encryption algorithm. The key must match the inbound key at the remote gateway.

Select the authentication algorithm to use with ESP. This option is available only when ESP with Authentication was selected for the ESP type. Options include:
- MD5: Enables the Message Digest 5 algorithm, which requires 128-bit (32-character hexadecimal) keys.
- SHA1: Enables Secure Hash Algorithm 1, which requires 160-bit (40-character hexadecimal) keys.

Define a key for computing the integrity check on the inbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key must match the corresponding outbound key on the remote security gateway.

Enter a key for computing the integrity check on outbound traffic with the selected authentication algorithm. The key must be 32/40 (for MD5/SHA1) hexadecimal (0-9, A-F) characters in length. The key must match the corresponding inbound key on the r
626. y

[Screenshot: New Security Policy screen]

5. Configure the Key Rotation Settings area as needed to broadcast encryption key changes to MUs and define the broadcast interval.

Broadcast Key Rotation: Select the Broadcast Key Rotation checkbox to enable or disable broadcast key rotation. When enabled, the key indices used for encrypting/decrypting broadcast traffic will be alternatively rotated on every interval specified in the Broadcast Key Rotation Interval. Enabling broadcast key rotation enhances the broadcast traffic security on the WLAN. This value is disabled by default.

Update broadcast keys every (300-604800 seconds): Specify a time period in seconds to rotate the key index used for the broadcast key. Set the interval to a shorter duration like 3600 seconds for tighter broadcast traffic security on the wireless LAN. Set the interval to a longer duration like 86400 seconds for les
627. y to undo any changes made. Undo Changes reverts the Trusted Host settings within the Access screen to the last saved configuration.

8. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

4.4 Managing Certificate Authority (CA) Certificates

Certificate management includes the following sections:

- Importing a CA Certificate
- Creating Self Certificates for Accessing the VPN
- Apache Certificate Management

4.4.1 Importing a CA Certificate

A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates that it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain this CA certificate in its Trusted Root Library so it can trust certificates "signed" by the CA's private key.

Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

The access point can import and maintain a set of CA certificates to use as an authentication option for Virtual Private Network (VPN) access. To use the certificate for a VPN tunnel, define a tunnel and select the IKE settings to use either RSA or DES certificate
628. y default. When disabled, the AP functions as a standalone access point without trying to adopt a switch. Consequently, the access point will not be able to obtain an AAP configuration. For an overview of AAP and instructions on how to setup the AP and switch, see Adaptive AP Overview.

Switch Interface: Use the Switch Interface drop-down menu to specify the interface used by the switch for connectivity with the access point. Options include LAN1, LAN2 and WAN. The default setting is LAN1.

Enable AP-Switch Tunnel: This setting is required to enable an IPSec VPN from the AAP to the wireless switch.

Keep-alive Period: The Keepalive interval defines a period (in seconds) the AAP uses to terminate its connection to the switch if no data is received.

Current Switch: Displays the IP address of the connected switch. This is the switch from which the access point receives its adaptive configuration.

AP Adoption State: Displays whether the access point has been adopted by the switch (whose IP address is listed in the Current Switch parameter). The access point cannot receive its adaptive configuration without association.

3. Refer to the 12 available Switch IP Addresses to review the addresses the access point uses to adopt with a switch.

The access point contacts each switch on the list (from top to bottom) until a viable switch adoption is made. The access point first populates the list with the IP addresses received from its DHCP resource. If DHCP is 
629. y specifying a MU MAC address or range of MAC addresses to either include or exclude from access point connectivity. Use the Mobile Unit Access Control List Configuration screen to create new ACL policies (using the New MU ACL Policy sub-screen) or edit existing policies (using the Edit MU ACL Policy sub-screen). Once new policies are defined, they are available for use within the New WLAN or Edit WLAN screens to assign to specific WLANs based on MU interoperability requirements.

Motorola recommends using the New MU ACL Policy or Edit MU ACL Policy screens strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name policies after specific WLANs, as individual ACL policies can be used by more than one WLAN. For detailed information on assigning ACL policies to specific WLANs, see Creating/Editing Individual WLANs on page 5-30.

To create or edit ACL policies for WLANs:

1. Select Network Configuration > Wireless > MU ACL from the access point menu tree.

The Mobile Unit Access Control List Configuration screen displays with existing ACL policies and their current WLAN (if mapped to a WLAN).

NOTE: When the access point is first launched, a single ACL policy (default) is available and mapped to WLAN 1. It is anticipated numerous additional ACL policies will be created as the list of WLANs grows.
630. ype Filter mode : allow
index  ethernet type
1      8137

For information on displaying the type filter configuration using the applet, see Setting the Type Filter Configuration on page 5-15.

AP51xx>admin(network.lan.type-filter)> set

Description:

Defines the access point Ethernet Type Filter configuration.

Syntax:

set mode <LAN-idx> <filter-mode> (allow/deny): Allows or denies the access point from processing a specified Ethernet data type for the specified LAN.

Example:

admin(network.lan.type-filter)>set mode 1 allow

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-15.

AP51xx>admin(network.lan.type-filter)> add

Description:

Adds an Ethernet Type Filter entry.

Syntax:

add <LAN-idx> <type>: Adds entered Ethernet Type to list of data types either allowed or denied access point processing permissions for the specified LAN (either LAN1 or LAN2).

Example:

admin(network.lan.type-filter)>
admin(network.wireless.type-filter)>add 1 8137
admin(network.wireless.type-filter)>add 2 0806
admin(network.wireless.type-filter)>show 1

Ethernet Type Filter mode : allow
index  ethernet type
1      8137
2      0806
3      0800
4      8782

For information on configuring the type filter settings using the applet (GUI), see Setting the Type Filter Configuration on page 5-15.
631. ys the WLANs assigned the user group access permissions listed within the filters and grid fields. Add additional WLANs to a group by selecting the Edit button within the groups field.

Timeline: Displays a bar graph of the selected group's access privileges. Access times are displayed in a grid format with the days of the week and hours user access is available displayed in green. Revise the selected group's privileges as needed.

2. Review the existing access intervals assigned to each group by selecting the group from amongst those displayed. To modify a group's permissions, see Editing Group Access Permissions on page 6-78.

3. Click Logout to securely exit the access point applet. A prompt displays confirming the logout before the applet is closed.

6.14.5.1 Editing Group Access Permissions

The Access Policy screen provides a mechanism for modifying an existing group's access permissions. A group's permissions can be set for any day of the week and include any hour of the day. Ten unique access intervals can be defined for each existing group.

To update a group's access permissions:

1. Select User Authentication > Radius Server > Access Policy from the menu tree.
2. Select an existing group from within the groups field.
3. Select the Edit button.

The Edit Access Policy screen displays.
    