Configuring the Access Point

Contents

1. [Screenshot: radio configuration screen listing the Primary service set (Node Type Master, SSID ATILAN) and Secondary service sets 1 to 3 (Disabled, SSIDs ATILAN_1 to ATILAN_3).] b. Make sure the Allow Wireless Access Points field is On Primary. c. In the Primary service set Node Type field, choose Master. d. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing. e. Click Submit Changes. (AT-WA7500 and AT-WA7501 Installation and User's Guide) 7. Configure the spanning tree settings for the point-to-point bridge on the primary LAN: a. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears. b. In the Root Priority field, enter a number other than 0. c. In the Secondary LAN Bridge Priority field, enter 0. d. In the Secondary LAN Flooding field, choose Disabled. 8. If the roaming end devices will be roaming across an IP router, you must configure IP tunne
2. Example: This example shows you how to use customizable filters to allow only the wireless end devices (DHCP clients) communicating with the access point (DHCP server) to receive TCP/IP settings. This example prevents the wireless end devices from receiving TCP/IP settings from another DHCP server on the Ethernet network. It also prevents the access point from providing TCP/IP settings to DHCP clients on the wired network. For this example, set these customizable subtype filters: [Screenshot: Ethernet > Customizable Subtype Filters screen with Allow/Pass, SubType and Value columns.] Chapter 3: Configuring the Ethernet Network. Table 8. Example Customizable Subtype Filter Filter Paramet
3. [Screenshot: IP Tunnels screen with the Enable IGMP check box and the navigation menu.] 2. Configure the IP tunnels parameters. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. Table 3. IP Tunnel Parameter Descriptions. Mode: Choose the mode. Originate if Root: Lets the root access point and root candidates originate the IP tunnel if they are functioning as the root access point for the network. Listen: Configures access points that are designated bridges or designated bridge candidates for their remote IP subnets to serve as the endpoint of an IP tunnel. Disabled: Disables the IP tunnel port. Configuring the IP Address List. Table 3. IP Tunnel Parameter Descriptions (continued). Allow IP Multicast: (Appears only if Mode parameter is Originate if Root.) Determines if the root access point should forward IP multicast frames through its IP tunnels. Check this check box if you have a DHCP server issuing TCP/IP information to end devices. Enable IGMP
4. Note: If you enable this parameter on the root or designated bridge but you disable it on all other access points on the same IP subnet, then Ethernet bridging is disabled on the IP subnet. This means that data link tunneling is enabled on the IP subnet. Secondary LAN Bridge Priority: Determines when this access point can become the designated bridge in a secondary LAN. The access point that meets all the other requirements and has the highest secondary LAN bridge priority becomes the designated bridge. The secondary LAN bridge priority can be a value from 0 to 7. If you set this value to 0, the access point can never become the designated bridge. For help deciding if this access point should become the designated bridge, see the selection criteria listed in "About Secondary LANs and Designated Bridges" on page 132. Table 2. Spanning Tree Parameter Descriptions (continued). Secondary LAN Flooding (appears for Designated Bridge only): Outbound. Specifies the types of frames it forwards from the primary LAN to the secondary LAN. Disabled: No flooding occurs unless the root access point, in the Global Flooding screen, enables the Multicast or Unicast Outbound to Secondary LANs parameter. Enabled: Multicast and unicast flooding occurs unless the root access point in the Global Flooding screen disables multi
5. Preferred Protocol: If TLS and TTLS are enabled, this field specifies which protocol is sent to the authentication server when it sends an unsupported protocol. User Name: Enter the user name of the access point when it uses TTLS to authenticate to the network. Password: Enter the password of the access point when it uses TTLS to authenticate to the network. Verify CA Certificate: Determines if you want to verify that the access point is connected to the correct authentication server. The server certificate signature is verified against the CA certificate, and the server common name is verified against the authentication server common names that are configured in the access point. Configuring Wi-Fi Protected Access (WPA) Security: Wi-Fi Protected Access (WPA) is a strongly enhanced, interoperable Wi-Fi security that addresses many of the vulnerabilities of Wired Equivalent Privacy (WEP). WPA bundles authentication, key management, data encryption, message integrity checks, and counter measures in the event of a message attack into one implementation standard. WPA provides stronger RC4 encryption over standard WEP with the Temporal Key Integrity Protocol (TKIP). In addition, the Michael algorithm provides forgery protection and message integrity. A four-way handshake between the client and access point ensures the reliable and secure dist
6. Creating a Secure Spanning Tree: When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired and wireless access points (WAPs). However, if you configure a radio to use another security solution, you may still want to create a secure spanning tree. A secure spanning tree has two functions: (1) to require authentication of any access point attempting to join the spanning tree, and (2) to provide encryption of critical Inter-Access Point Protocol (IAPP) frames. There are three authentication methods that you can use to secure the spanning tree: Simple Wireless Authentication Protocol (SWAP), TTLS, or TLS. SWAP is a proprietary protocol that is based on the EAP-MD5 challenge. Since it requires less processing power, it requires less memory and you can use it on all access points. Also, SWAP does not require an authentication server, so it is easier to configure. With these advantages, SWAP is sufficient for most users. TTLS and TLS are industry-standard protocols. However, they require more administrative support. When deciding on which type of spanning tree security to use, the supplicant access point and the authenticator will negotiate an authentication method that can be used by both. If the Allow SWAP check box is checked on both access points, SWAP will always be used. If the Allow SWAP check box is cleared
7. [Screenshot: TCP/IP Settings screen. IP Address 10.150.1.97; IP Subnet Mask 255.255.255.0; IP Router (Gateway) 0.0.0.0; DNS Address 1 0.0.0.0; DNS Address 2 0.0.0.0; DHCP Mode: Use DHCP if IP Address is Zero; DHCP for Access Point Network: Use Any Available DHCP Server; Auto ARP Minutes 5.] 2. Verify that the IP Address field, IP Subnet Mask field, and IP Router field are configured. For help, see "Configuring the TCP/IP Settings" on page 66. 3. Configure the DHCP parameters to make this access point a DHCP server. For help, see the next table. Table 3. DHCP Server Parameter Descriptions. DHCP Mode: Choose This AP is a DHCP Server. The access point must have a valid IP address and subnet mask. DHCP Server Name: Enter the name for this access point as a DHCP server. Table 3. DHCP Server Parameter Descriptions (continued). DHCP User Cl
8. [Screenshot: Security > 802.11g Radio screen with the Enable ACL Client Authorization check box, the VLAN field, and the Security Level list (Dynamic WEP 802.1x, WPA PSK, WPA 802.1x).] 3. Click Submit Changes to save your changes. This screen appears: [Screenshot: Security > 802.11g Radio screen with Security Level set to Static WEP, showing the WEP Transmit Key and WEP Key fields.]
9. [Figure 3. Power Over Ethernet, showing the power bridge and the connection to Ethernet.] To connect power over Ethernet: 1. Install the power bridges. For help, see the documentation that shipped with the power bridge. 2. Use an Ethernet cable to connect the power bridge to the Ethernet port of the access point. Chapter 2: Installing the Access Points. External Antenna Placement Guidelines. Note: Currently, the 802.11g radio with software release 2.2 does not support antenna diversity. Depending on which radio slots contain radios, you only connect antennas to the primary connectors (2 and 4). Antennas and their placement play a vital role when installing a wireless network. Every wireless network environment presents its own unique obstacles. Therefore, the exact range that you will achieve with each access point is difficult to determine. Allied Telesyn recommends that you allow an Allied Telesyn certified RF specialist to perform a site survey before you install a wireless network. For more information, contact your local Allied Telesyn representative. Radio signals may reflect off some obstacles and be absorbed by others. For example, two radios may achieve up to 305 m (1,000 ft) of range if positioned outdoors within line of sight with no obstacles between them. However, the same two radios may only achieve 152 m (500 ft) of range when the RF signal has to travel through items such as cubicles. If the signal must penetrate o
10. Example 3: If you have a DHCP server on a Windows NT server and you want to use this DHCP server to assign TCP/IP parameters to end devices on a remote IP subnet, you need to set these filters to allow for the necessary IP tunneling. 1. On the root access point, set these filters: On the IP Tunnels screen, check the Allow IP Multicast check box. In the IP Tunnel Frame Type Filter table, configure DIX IP UDP Ports to pass all frames. 2. On the access point at the endpoint of the IP tunnel, set this filter: In the IP Tunnel Frame Type Filter table, configure DIX IP UDP Ports to pass all frames. Example 4: If you have a Linux or Unix DHCP server and want to use this DHCP server to assign TCP/IP parameters to end devices on a remote subnet, you need to set this filter to allow for the necessary IP tunneling: In the IP Tunnel Frame Type Filter table, configure DIX IP UDP Port to pass all frames. Comparing IP Tunnels to Mobile IP: The AT-WA7500 and AT-WA7501 access points support IP tunneling, which allows end devices to roam across different subnets (routers) without having to change IP addresses. IP tunneling supports IETF RFC 1701 using GRE and the same encapsulation technique as mobile IP. IP tunnels technology is designed primarily to operate in local environments where handheld or vehicle-mounted devices may move rapidly between access point coverage a
11. 54 Mbps High 12 or 6 Mbps Allow Data Check Clear Check Rate Fallback Basic Rate 24 12 6 Mbps 6 Mbps Low. Appendix B: Default Settings. (Columns: Parameter Name, Range, Default, Your Site.) Reservation Threshold 2347 to Disable 1 to 65535 2347; Fragmentation Threshold, 256 to 2346, 2346; Disallow Network Name of ANY, Check/Clear, Clear; Beacon Period, 20 to 1000 TU, 100; DTIM Period, 1 to 5. Inbound Filters: Allow IAPP, Check/Clear, Check; Allow Wireless Transport Protocol (WTP), Check/Clear, Check; Allow UDP Plus (UDP/IP Port 5555), Check/Clear, Check; Allow DHCP, Check/Clear, Check; Allow All Other Protocols, Check/Clear, Check. Spanning Tree Settings Menu Defaults (Columns: Parameter Name, Range, Default, Your Site): AP Name, 0 to 16 characters, access point serial number; LAN ID (Domain), 0 to 254, 0; Root Priority, 0 to 7, 1; Enable Ethernet Bridging, Check/Clear, Check; Enable GVRP for VLAN, Check/Clear, Clear; Secondary LAN Bridge Priority, 0 to 7, 0; Secondary LAN Flooding, Enabled/Disabled/Multicast/Unicast, Disabled. Global Flooding Menu Defaults (Columns: Parameter Name, Range, Default, Your Site): Multicast Univer
12. In the EAS database, in the Type field, choose the authentication type and then enter the information for each end device. For help, see Chapter 7, "Configuring the Embedded Authentication Server (EAS)," on page 207. For help configuring an external RADIUS server, see the documentation that came with your server. You need to enter each authenticator's IP address and the shared secret key. In the database, you need to enter the information for each end device. Chapter 6: Configuring Security. Enabling Secure Communications Between Access Points: When you configure a radio to use 802.1x security, you automatically enable spanning tree security, which can be used for both wired access points and WAPs. A secure spanning tree has two functions: (1) to require authentication of any access point attempting to join the spanning tree, and (2) to provide encryption of critical Inter-Access Point Protocol (IAPP) frames. There are three authentication methods that you can use to secure the spanning tree: SWAP, TTLS, or TLS. When the Access Point Is the Supplicant: By default, TTLS is enabled. If you want to use TTLS, you must also enter a user name and password. This login must match an entry in the authentication server database. When the access point is acting as a supplicant and the authentication server offers the TTLS protocol, the access point sends its user name and password. You can also enable TLS as the authentication
13. [Screenshot: Security > 802.11g Radio screen with Security Level set to Dynamic WEP 802.1x, showing the Enable ACL Client Authorization check box, the Key Rotation Period (Minutes) field, the RADIUS server selection for 802.1x authentication, and the VLAN Id field.] 4. In the Key Rotation Period (Minutes) field, enter how often, in minutes, the access point generates a new WEP key to distribute to the end devices. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then cl
14. [Screenshot: radio configuration screen. Frequency: Channel 06, 2437 MHz. Primary service set: Node Type Master, SSID ATILAN, Member Limit 128. Secondary service sets 1 to 3: Disabled, SSIDs ATILAN_1 to ATILAN_3.] Chapter 4: Configuring the Radios. If your screen does not look like the previous one, your primary service set may be configured as station instead of master, so that the secondary service sets are not available, as shown next. [Screenshot: 802.11g Radio screen with the Primary service set Node Type set to Station, SSID ATILAN, and no secondary service sets listed.]
15. [Screenshot: Security screen listing the access methods: Browser Access (Enabled, Port 80/443), Allow Telnet Access (Port 23), Allow SNMP Access (Port 161/162), Allow TFTP Access (Read Only), Allow ICMP Configuration, Allow Avalanche Access.] 2. Enable or disable the access methods that users can use to connect to the access point. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. Table 2. Security Parameter Descriptions. Browser Access: Determines if users can use a web browser to configure or manage this access point. Browser access is through either port 80 or port 443. Choose Secure Only if you want to force users to log in using the secure web browser (HTTPS) interface. Secure-only access is through port 443. Setting Up Logins. Table 2. Security Parameter Descriptions (continued). Parameter
16. 802.11g radios can be configured to communicate with other 802.11g and/or 802.11b radios with the same SSIDs. You need to assign the same SSID to the wireless end devices that will connect to the radio. Member Limit: Controls the maximum number of devices that can be associated with this enabled service set. Table 2. Worldwide Frequencies for 802.11g and 802.11b Radios. Channel FCC ETSI France Japan Israel 1 2412 2412 2412 2 2417 2417 2417 3 2422 default 2422 default 2422 default 2422 default 4 2427 2427 2427 5 2432 2432 2432 6 2437 2437 2437 7 2442 2442 2442 8 2447 2447 2447 9 2452 2452 2452 10 2457 2457 2457 2457 11 2462 2462 2462 default 2462 12 2467 2467 2467 13 2472 2472 2472 14 2484. The 802.11g and 802.11b channels that are allowed in a given country may change without notice. Be sure you use only those frequencies that are permissible in the given country. Note the following: o FCC countries include the United States, Canada, China, Taiwan, India, Thailand, Indonesia, Malaysia, Hong Kong, and most South American countries. o ETSI countries include all European Union countries except France. It also includes Switzerland, Iceland, Norway, Czech Republic, Slovenia, Slovakia, Turkey, Russia, and the United Arab Emirates. o France, Mexico, and Singapor
17. Configuring the EAS. Enabling the EAS. Once you decide which access point will be configured to use its EAS, you need to enable the EAS on that access point and configure its database. To configure the EAS: 1. Install any certificates. For help, see "Installing and Uninstalling Certificates" on page 211. 2. On the access point that will contain the EAS, enable the EAS. For help, see "Enabling the EAS" in the next section. 3. Configure the EAS database. For help, see "Configuring the Database" on page 215. 4. Make sure that all access points that are using this EAS (as a password server, ACL authentication server, etc.) are configured with this access point's IP address in the appropriate RADIUS server IP Address field. For help, see: o "Configuring the Access Point to Use a Password Server" on page 179; o "Using an Access Control List (ACL)" on page 186; o "Configuring the Access Point as an Authenticator" on page 195. In both AT-WA7500 and AT-WA7501 access points, the default secret key is the same. By having the same default secret key, you can verify that all access points can communicate with the EAS. Then, for more security, you should change the secret key to prevent unauthorized access points from communicating with your network. If you want to use the same secret key for communications between the EAS and all access points in th
18. [Figure legend: LED On, LED Off, LED Flashing.] Using a Communications Program or a Telnet Session: If you are communicating with the access point using a communications program or a telnet session, an error message may appear on your PC after the access point reboots or when a session is saved. The error messages are described in the following table. Contact your local Allied Telesyn representative to help you correct the problem. In this table, Radio A refers to the radio in slot 1 and Radio B refers to the radio in slot 2. These error messages may appear for either radio. Table 13. Radio Error Messages. "Couldn't read country code from radio A": The radio may be faulty. "Invalid country code in string for radio A": The country code in the configuration matrix string does not match the country code in the radio in the access point. "Radio A has unknown country code": The radio may have been configured incorrectly at the factory. "Radio string doesn't match radio installed": When this error message appears, additional information also appears on the screen; for example, "Expected 504 000 but found 491 in slot A nothing in slot B" may appear. The radio may be faulty. Using Radio MAC Ping (802.11g and 802.11b Radios): Radio MAC Ping runs at the MAC sublayer of the Data Link layer, thus allowing you to ping any 802.11b device that is connected to the access point. R
19. Use global RF parameters to set various parameters on the access points. If you are configuring the root access point and you check the Set Globally check box, the value for that parameter is set globally for all access points and wireless end devices in the network. If you are configuring the root access point and you clear the Set Globally check box, or if you are not configuring the root access point, each device uses its local setting. To configure global RF parameters: 1. From the menu, click Spanning Tree Settings > Global RF Parameters. The Global RF Parameters screen appears. [Screenshot: Spanning Tree Settings > Global RF Parameters screen, with links for UHF Rfp Threshold, UHF Frag Size, 902 MHz Frag Size, UHF/902 MHz Awake Time, and RFC1042 Types to Pass Through, and the Perform RFC1042/DIX Conversion setting.] 2. Configure the global RF parameters. Click the links in the Global RF Parameters menu to set more parameters. For help, see the next table. Chapter 5: Configuring the Spanning Tree. 3. Click Submit Changes to sa
20. 2. Configure the parameters for the radio. For help, see the next table. 3. Configure the advanced parameters for the radio. For help, see "Configuring 802.11g Radio Advanced Parameters" on page 106. 4. (Master only) Configure inbound filters. For help, see "Configuring 802.11g Radio Inbound Filters" on page 108. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. 6. (Optional) Configure security by clicking Configure security settings for this service set. For help, see Chapter 6, "Configuring Security," on page 171. Table 1. 802.11g Radio Parameter Descriptions. Frequency: (Master radio only) Choose the frequency that this access point uses to transmit and receive frames. The available frequencies depend on the country and the radio option configured on the access point. See Table 2, "Worldwide Frequencies for 802.11g and 802.11b Radios," on page 105. You may want to use a single frequency to isolate the installation to part of the band; for example, use a single frequency if other wireless networks or microwave ovens are in the area. For optimal performance of master radios in access points that are in range of each other, configure the frequencies t
21. 2. Resolve any error messages listed under the heading Possible Configurations Errors. For help, see "Using the Configuration Error Messages" on page 245. 3. Verify that all your configuration changes appear in the Pending Changes box. 4. Click Save Changes and Reboot to reboot the access point and immediately use your new active configuration. Or, click Save Changes without Reboot. The access point saves the changes to its current configuration and continues to run its active configuration. You need to reboot the access point when you want the current configuration to become the active configuration. Using a Telnet Session. To discard the changes: Click Discard Pending Changes. From the Access Point Configuration menu, choose Save Configuration. Choose Reboot to reboot the access point and immediately use your new active configuration. Chapter 1: Getting Started. Chapter 2: Installing the Access Points. Section: Basic Features. This chapter explains how to install the Allied Telesyn AT-WA7500 and AT-WA7501 access points in your data collection network, provides some tips on how to position access points to improve your network performance, and provides some external antenna guidelines. This chapter covers these topics: Installation Guidelines on page 50; Installing the AT-WA7501 on page 52; Installing the AT-WA7500 o
22. Table 9. Filter Expressions Parameter Descriptions (continued). Mask: Applies a data pattern to the frame. If the data pattern in the mask matches the frame, then the specific action is performed. The mask indicates the bits that are significant at the specified offset. A bit is significant if a bit in the mask is set to one. If this field is empty, the length of the field is determined by the longest value in the Filter Values menu for the specified value ID. The mask values are entered in 0 to 8 hexadecimal pairs. Op (Operation): Performs a logical operation when a data pattern matches a value in the Filter Values menu to determine if the specified action should be taken. Valid operations include EQ (equal), NE (not equal), GT (greater than), LT (less than or equal). Value ID: Represents a value in the Filter Values menu. The bytes after the frame offset are compared to the data pattern indicated by the value. Value ID can be from 0 to 255 and must match one or more value IDs in the Filter Values menu. Action: Sets the action to Pass, Drop, or And. If you set the action to And, the filter expression with the next highest sequence is applied. Example 1: This example shows you how to use Ethernet filters to filter all traffic that passes through the access point to the wireless network except for traffic for specified MAC addr
23. An EAP authentication type that only requires a certificate on the authentication server. End devices have a user name and password that proves that they are authorized to communicate with the network. triangular routing: The routing logic used for a mobile IP end device that has roamed to a foreign network. Frames destined for a mobile end device are always sent to the home subnet of the end device. If the end device has roamed to another subnet, the frame must be forwarded to the remote subnet where the end device currently resides. unicast address: A unique Ethernet address assigned to a single device on the network. VLAN (virtual LAN): A network of wireless end devices that behave as if they are connected to the same wire even though they may actually be physically located on different segments of a local area network. You can group all wireless users on a particular VLAN in order to manage the IP address space differently. Or, you can use VLANs to separate secure and non-secure traffic. WAP (Wireless Access Point): Also called a repeater. This access point does not have any connections on its Ethernet port. It forwards data between the access point and the secondary LAN. WEP (Wired Equivalent Privacy) encryption: A feature that can be enabled in the IEEE 802.11b or 802.11a radio that allows data encryption for wireless communications. wireless bridge: Also called a poi
24. You must enter a filter expression for each Value ID in the Filter Values menu. In this example, only the ExprSeq value and the Value ID value change. Example 2: This example shows how to use Ethernet filters to discard all DIX IP multicast frames except those from selected devices. Three entries have a value ID of 3 to demonstrate how to enter a list. All entries with the same value ID belong to the same list. For this example, set these filter values: [Screenshot: Ethernet > Advanced Filters > Filter Values screen with Value ID and Value columns.] Table 12. Example 2 Filter Values. Value ID 1, value 08 00: Check for a DIX IP frame. Value ID 2, value 01: Check for a multicast frame. Value ID 3, values 00 c0 b2 00 00 01, 00 c0 b2 00 00 02, 00 c0 b2 00 00 03: Check for these specific MAC device addresses. You must enter a filter expression for each Value ID in the Filter Values menu. In thi
25. Configure the Global Flooding parameters. For help, see the next table. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 7. Global Flooding Parameter Descriptions. Multicast Flooding: Determines the flooding structure when this access point receives inbound multicast frames on non-root ports with unknown destination addresses. Disabled: You do not want the access point to flood any inbound multicast frames. Universal: The access point forwards the multicast frame to every port. This option uses more bandwidth. Use this option if the root access point is supporting more than one wireless hop to ensure that ARP requests and multicast traffic are distributed. Hierarchical: The access point forwards the multicast frame only to the port to which the root access point is attached. Multicast Outbound to Secondary LANs (appears only if Multicast Flooding is enabled): Specifies if outbound multicast frames with unknown destination addresses are flooded toward secondary LANs. Enabled: The root access point controls flooding for all the designated bridges on secondary LANs. Enabling this parameter makes managing secondary LANs easier because you do not need to set secondary LAN flooding param
26. Your web browser session is established. Note: Although you can use several different methods to manage the access point remotely, this manual assumes you are using a web browser. Using a Telnet Session: After you have configured the IP address, you can configure, manage, and troubleshoot the access point from a remote location using a telnet session. Only one session can be active with the access point at a time. If your session terminates abruptly or a new login screen appears, someone else may have accessed the access point. Also, your session terminates if you do not use it for 15 minutes. To use a telnet session: 1. Determine the IP address of the access point. If a DHCP server assigned the IP address, you must get the IP address from the DHCP server. 2. From a command prompt, type telnet IPaddress, where IPaddress is the IP address of the access point. 3. Press Enter. 4. If necessary, enter the user name and press Enter. Then enter the password and press Enter. The default user name is atilan and the default password is atilan
27. For example, you can configure: primary service set for WPA-PSK; secondary 1 service set for WPA 802.1x and VLAN 13; secondary 2 service set for static WEP and an ACL; secondary 3 service set for Dynamic WEP 802.1x and VLAN 150. Most clients do not support a mixed security environment using multiple SSIDs, which means: if any type of security is set on the primary service set, then the secondary service sets should also use some type of security; if no security is set on the primary service set, then the secondary service sets cannot use any type of security. For example, on an access point with an 802.11a radio, you configure the primary service set for WPA-PSK and you do not configure any security for the secondary 1 service set. An end device with an 802.11a radio is configured with no security and is expected to associate with the secondary 1 service set. However, because the end device recognizes that it does not have any security enabled when it receives the beacon from the access point, which indicates that some type of security is being used, the end device does not try to associate with the access point. Note: The newer 802.11g radios available in newer end devices should work properly in a mixed security environment. For help, contact your local Allied Telesyn representative. Another important consideration is that the service set that has wireless hops enabled should have the strongest security
28. Problem/Question: The Wireless 1, Wireless 2, and/or Wired LAN LEDs are on solid at the end of the boot process. Possible Solution/Answer: An error occurred during the booting process. Consult the previous section to determine which test failed. Connect the access point to a PC with an RS-232 cable, reboot the access point, and watch the error messages. The access point may have a hardware problem. Contact Allied Telesyn Technical Support. Problem/Question: The Power LED is not on. Possible Solution/Answer: 1. Make sure the power cable is firmly plugged into the AT-WA7501 access point and the power source. Or, make sure the Ethernet cable is firmly plugged into the AT-WA7500 access point and the power over Ethernet bridge. Verify that the power injector has power and will work with another access point at the port in question. Make sure all eight wires in the Ethernet cable are connected, or the power over Ethernet option won't work. Unplug the access point and then plug it back into the power source. After the access point boots, verify that the Power LED remains on. The access point may have a hardware problem. Contact Allied Telesyn Technical Support. Table 11. General Troubleshooting (Continued). Problem/Question: You cannot connect to the access point using the. Possible Solution/Answer: 1. Verify that you are using a null modem cable to connect the access s
29. The list includes the AppleTalk protocol type value 80F3. Values entered in this parameter represent the protocol types of frames that will be passed without conversion to DIX format. Chapter 6: Configuring Security. This chapter explains how to use different security solutions to ensure that you have a secure wireless network. This chapter covers these topics: Understanding Security on page 172; Controlling Access to Access Point Menus on page 176; Creating a Secure Spanning Tree on page 183; Enabling Secure Communications Between Access Points and End Devices on page 186. Understanding Security: The AT-WA7500 and AT-WA7501 access points provide many different security features and solutions that you can use to create a secure wireless network. To create a secure wireless network, you need to be concerned about: securing your backbone (only authorized users should be able to communicate with your network); keeping your data private (make it difficult for an eavesdropper, such as a rogue access point, to monitor your data); authenticating wireless end devices (end devices must prove who they are before they are allowed to communicate with your network). Depending on the radios in the access point and the amount of security you need in you
30. Class: class identifier as defined in RFC 2132; default blank. DHCP Vendor Class: DHCP vendor class identifier as defined in RFC 2132; default blank. DHCP for Access Point Network: range Use Any Available DHCP Server, Only Use Access Point DHCP Server; default Use Any Available DHCP Server. Auto ARP Minutes: range 0 to 120; default 5. Appendix B Default Settings. DHCP Server Setup Menu Defaults (Parameter Name; Range; Default; Your Site): Low Address: 4 nodes, 0 to 255; default 10.10.10.100. High Address: 4 nodes, 0 to 255; default 10.10.10.199. Lease Time: days, hours, minutes; default 0 00 20. Permanently Save IP Address Mappings: Check, Clear; default Clear. IP Subnet Mask: 4 nodes, 0 to 255; default 255.255.255.0. IEEE 802.11g Radio Menu Defaults (Parameter Name; Range; Default; Your Site): Frequency: Channel 1 to 11, 2412 to 2462 MHz; default Channel 03, 2422 MHz. Node Type: Master, Station, Disabled; default Master. SSID (Network Name): 0 to 32 characters; default atilan. Member Limit: 128 or 100; default 128 for Primary, 100 for Secondary. Advanced Configuration. Client Type Performance: 11b/11g with range/reliability (Not Wi-Fi), 11b/11g with Wi-Fi compatible rates (Wi-Fi), 11g only for better throughput W; default 11b/11g with range/reliability (Not Wi-Fi)
31. database. 2. Click Accept Selected Entries. Clearing the Rejected List: To clear the rejected list, you can either reboot the access point or perform these steps: 1. Click Select All Entries. A check box appears next to all entries. 2. Click Clear Selected Entries. Note: Allied Telesyn recommends that you use the secure web browser interface (HTTPS) when you export and import databases. Otherwise, the information in the databases is sent in the clear. The EAS database is simply a comma-separated text file. You can create the database offline using Microsoft Excel or Notepad and then import it. The file must have the following format: ACL 11 22 33 44 55 66 TTLS username password TLS Ccommonname LOGIN username password RADIUS 0 0 0 0 secretkey. Note: PEAP entries are imported and exported as TTLS entries since they require the same parameters. You should export the database so you have a backup version. You may also want to create the database in the primary RADIUS server and then export it to a file that you can import to a backup RADIUS server. To export a database: 1. Log in to the access point whose EAS you are using. 2. From the menu bar, click File Import/Export > Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears. 3. If you are not using the secure web browser, click A secure sessio
32. include multiple IP subnets. Roaming support for non-IP protocols: IP Tunneling: Configurable using IP filters; Mobile IP: None. Scalability: IP Tunneling: No practical limitations using IGMP; Mobile IP: Has no inherent limitations. Table 6. IP Tunnels and Mobile IP Comparison (Continued). Special network software: IP Tunneling: Standard network feature. No additional network software is required; Mobile IP: Requires home and foreign agents located on each network or subnetwork. Configuring Global Parameters: Global parameters are configured on the root access point and on any other access point that is a root candidate (does not have a root priority of 0). The root access point sends these settings to all other access points in the spanning tree. You should set the same global parameters for the root access point and its backup candidates. Any global parameters you set on the root access point will override those you set in other access points. Configuring Global Flooding: When the destination address is unknown, most bridges flood frames on all ports. Most wireless end devices operate at lower speeds than the Ethernet can support; therefore, indiscriminate flooding from a busy Ethernet network can consume a substantial portion of the available wireless bandwidth and reduce system performance. On the access
33. on page 224; Maintaining the Access Points on page 231; Troubleshooting the Access Points on page 245; Upgrading the Access Points on page 266. Managing the Access Points: There are several methods that you can use to manage the access points. Wavelink Avalanche client management system: You can install the Wavelink Avalanche system to help you manage your wireless network. To use Avalanche, you need Avalanche Manager v3.0 or later. For help, see Using the Wavelink Avalanche Client Management System on page 224. MobileLAN manager: You can purchase this software to make it easy for you to support your wireless network without having expert knowledge of access points or MIBs. It works with the access point's event-driven notification method instead of traditional polling processes to maintain real-time status on all access points. It also helps you troubleshoot your network by providing you with multiple views of your network, including what end devices are connected to which access point. Web browser: For help, see Using a Web Browser Interface on page 41. Communications program, such as HyperTerminal: For help, see Using a Communications Program on page 39. Telnet session: Go to an MS-DOS prompt and type telnet IPaddress where IPaddress
34. point. See the Table 9, Worldwide Frequencies for the 802.11a Radio, on page 123. If the radio is a mid-range radio, you can only choose 52, 56, 60, or 64. You may want to use a single frequency to isolate the installation to part of the band; for example, use a single frequency if other wireless networks or microwave ovens are in the area. Allow Wireless Access Points: Choose which service set provides connection for wireless access points. On Primary: The primary service set connects to wireless access points. On Secondary n: The secondary service set n (where n is 1, 2, or 3) connects to wireless access points. Do not allow wireless access points: No service set connects to wireless access points. You can block access points from forming a wireless hop to this radio entirely. Table 8. 802.11a Radio Parameter Descriptions (Continued). Node Type: Configure the 802.11a radio to master, station, or disabled. Master: The radio operates in Master mode when it sees the root access point on its Ethernet port. If it cannot see the root, it operates in Master Station mode and tries to find the root through its radio port. Station: The radio always operates in Station mode. Disabled: The radio is disabled. You can create up to four service sets for this radio by setting the Node Type as follows: If the primary service s
35. within this BSS. Short Slot: Indicates that short slot timing is being used on this service set. If this field is not present, then longer slot timing is being used for backward compatibility. CFPoll: Access point uses point coordination function for delivery and polling. CFRea: Access point uses point coordination function for delivery but does not support polling. Viewing Port Statistics: The Port Statistics screen shows the total number of frames and bytes that the access point has received and transmitted since it was last booted. You can also view graphs of inbound and outbound packets for the port. To view port statistics: From the menu, click Maintenance > Port Statistics. The Port Statistics screen appears. This screen is read only.
36. 1 FD. Purpose: Displays the flash file system directory, including information about the boot file and the file type: E (executable), D (data), and T (transparent). For information about transparent files, see Understanding Transparent Files on page 271. Syntax: FD. Example: To display the contents of the flash memory segment, enter FD. To display the contents of the memory card, enter FD APP. FDEL. Purpose: Deletes a particular file. Note: When you use the FDEL command, the file is marked as invalid and remains in the file system. To reclaim the file space, you must erase the entire segment. Use the FE command to erase a segment. Syntax: FDEL Ff s where f is the name of the file to be deleted and s is the optional segment location of the file. Examples: To delete the file AP824X PRG from the flash memory segment, enter FDEL 1 AP824X PRG. To delete the file FILE DAT from the optional memory card on an AT-WA7500, enter FDEL APP FILE DAT. FE. Purpose: Erases all the files in a particular segment, including those that have been deleted with FDEL. To recover the files after they have been erased, you must reload them from another source. Note: You must execute this command before you execute a TFTP transfer. Syntax: FE s where s indicates segment to be erased. You can use any segment number or name 1 2 3 4 id i
37. The recent activity is computed over the last few hundred transmissions or receptions. Every type of transmission from this AP to the remote is incorporated in the Local activity. The Remote Tx activity is computed based on frames successfully received by this AP. If the received frame is marked as a retry, we count one error at the received rate. It is possible that the Frame Error Rate (FER) associated with a receive rate was actually caused by an earlier transmission at another rate. It is likely that the Rx FER is understated because there is no way to record errors on undelivered frames or multiple errors on successful frames. By default, the Refresh Mode is Manual. To configure the software to refresh automatically at a set interval, click 10 Sec or 1 Min. By default, the Pings per refresh is None. To increase the number of pings that occur after each refresh, click 25 or 100. 3. Click the X in the upper right corner of the window to return to the AP Connections screen. Using ICMP Echo: ICMP (Internet Control Message Protocol) echo lets you ping devices using their IP address. ICMP echo can only be used if the access point has determined the IP address of the end device or another access point. If the access point is
38. 192.168.49.29. sdvars set scriptfilename. Purpose: Sets the internal variable scriptfilename to a specified string. The specified string should be the filename of the script to be retrieved from the TFTP server. Syntax: sdvars set scriptfilename foreignfilename where foreignfilename is a script filename on the TFTP server. Example: To set the scriptfilename to SCRIPT DAT, enter sdvars set scriptfilename script dat. sdvars set starttime. Purpose: Sets the internal variable starttime. Starttime is a countdown time; that is, when zero is reached, the software download process begins. Set this variable to reflect how far into the future the access point is to begin downloading and executing the script file from the TFTP server. When the timer reaches 0, the access point uses the values in serveripaddress and scriptfilename to get the script file that is to be executed. If either serveripaddress or scriptfilename contains no value, an error is noted in the status variable and the software download process is terminated. Syntax: sdvars set starttime dd hh mm ss where dd hh mm ss is how far in the future the reboot is to begin, and dd is days, hh is hours, mm is minutes, ss is seconds. Example: To begin the script file download in 5 minutes, enter sdvars set starttime 00 00 05 00. Note: If you need to stop the download, you can do so by setting starttime to 0
39. AT-WA7500 to Your Wired LAN and Power; Connecting to Your Fiber Optic Network; Using and Purchasing the Required Patch Cord and Adapter; Connecting to an MT-RJ Network; Connecting to an SC Network; Connecting to an ST Network; Connecting Power Over Ethernet; External Antenna Placement Guidelines; Positioning Antennas for 802.11g, 802.11b, and 802.11a Radios; Chapter 3 Configuring the Ethernet Network; Configuring the TCP/IP Settings; Configuring the Access Point as a DHCP Cli
40. Appendix A Specifications; AT 7500 Access Point; AT 7501 Access Point; Radio Specifications; IEEE 802.11g; IEEE 802.11b; IEEE 802.11a; Appendix B Default Settings; TCP/IP Settings Menu Defaults; DHCP Server Setup Menu Defaults; IEEE 802.11g Radio Menu Defaults; IEEE 802.11b Radio Menu Defaults; IEEE 802.11a Radio Menu Defaults; Spanning Tree Settings Menu Defaults; Global Flooding Menu Defaults; Glo
41. Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 7. Repeat Steps 1 through 6 for each access point in your spanning tree. All access points must have the same IAPP secret key to communicate with each other. In the access point that contains the master radio, click Maintenance > AP Connections. The AP Connections screen lists the station radios, including ones in other access points, that are communicating with the master radio. For help, see Viewing AP Connections on page 231. Enabling Secure Communications Between Access Points and End Devices: There are several ways that you can ensure secure communications between access points and wireless end devices in your network: Use an access control list (ACL). Configure virtual LANs (VLANs). Configure WEP 64/128/152 security. Implement an 802.1x security solution. Configure Wi-Fi Protected Access (WPA). The next sections explain how to configure these methods. Using an Access Control List (ACL): You can use an access control list (ACL) that contains the MAC addresses that are authorized to communicate with the network through the access point. The end devices do not need any special client software. To use the ACL, you must have: a RADIUS server on the network that contains the ACL. You can either use an external RADIUS server or you can configu
42. Description. Allow Telnet Access (Port 23): Determines if users can use a telnet session or communications program to configure or manage this access point. Do not clear this check box if you plan to configure the Telnet Gateway and allow wireless clients to upgrade the access point over the telnet port. For details, see page 210. Allow SNMP Access (Port 161, 162): Determines if users can use MobileLAN manager or another SNMP management station to configure or manage this access point. Allow TFTP Access (Read Only): Determines if users can use TFTP clients to exchange files with the access point. Allow ICMP Configuration: Determines if users can use another program that uses ICMP echo (PING) to set the IP address or restore factory defaults on this access point. To ensure login security for configuring or maintaining the access points, you should either use a password server (typically an EAS or another RADIUS server) or change the default user name and password. To use the password server, you must have a password server on the network that contains the user name/password database. For help, see Configuring the Access Point to Use a Password Server on page 179. You can either configure an EAS or you can use an external RADIUS server as a password server access points which are the RADIUS clients. If you use a password server, you enable RADIUS for login authorization. That is, when a user attemp
43. Note: This login session is not secure. A secure session is available. Some features, such as importing certificates, are only available through the secure interface. To only allow secure login and avoid ever seeing this message, change the Browser Access option under the Security menu to Secure Only. Warning: Do not close or navigate away from this page during upload/import/export. 2. To import a file, enter or select the name of the database file to import and click Import Database. Note: For details about the purpose and format of import files, scroll down this screen and read the help text. 3. To export a database, click Export the EAS database from this access point. The export link can be used to extract the current database from the access point into a comma-separated text file format. This file can be used to propagate the database to another access point. 802.1x PEAP entries are exported as type 802.1x TTLS entries. To transfer files to the access point using your web browser: 1. Click Transfer files to this device using your browser. The File Import Web Browser screen appears.
44. If you select Unlisted, then frames are passed or dropped only if the frame type is not listed in the predefined or customizable tables. To use IP tunnel frame type filters: 1. From the main menu, click IP Tunnels > Frame Type Filters. The Frame Type Filters screen appears. 2. For each frame type field, check or clear the check box to configure if the frame types are passed or are dropped. If you check the check box, the frame type is allowed to pass. For each frame type field, set the Scope field to Unlisted or All. For help, see the n
45. Port; Description. Power (Not AT-WA7500, optional AT-WA7501): Used with an appropriate power cable, this port connects the access point to an AC power source. Serial: Used with an RS-232 null modem cable, this port connects the access point to a terminal or PC to perform configuration. Ethernet: 10BaseT/100BaseTx port. Used with an appropriate cable, this port connects the access point to your Ethernet network. The access point auto-negotiates with the device it is communicating with so that the data rate is set at the highest rate at which both devices can communicate. Fiber optic (Not AT-WA7500, optional AT-WA7501): Optional 100BaseFX port. You must use a patch cable with a female MT-RJ connector to connect the access point to your MT-RJ, SC, or ST fiber optic network. To access the ports on the AT-WA7501, you must remove the cable access door. To remove the AT-WA7501 cable access door: 1. Unscrew the two thumbscrews on the cable access door. 2. Remove the door. This illustration shows the ports that are on the AT-WA7501. For help understanding these ports, see the Port Descriptions table on page 19. [Figure 4. AT-WA7501 Ports: power port (optional), 10BaseT/100BaseTx Ethernet port, fiber optic port (optional).] The AT-WA7500 ports are located on the bottom of the access point. This illustrati
46. In the Server IP Address field, type the IP address of an active TFTP server from which the software download script file will be retrieved. In the Script File Name field, type the name of a file on the TFTP server that contains the commands that define the download process. In the Start Time field, enter the time in the format dd hh mm ss (days, hours, minutes, seconds). When this timer expires, the access point performs a TFTP get to read the script file from the server and begins execution of the software download script. In the Next Power Up Time field, enter the time in the format dd hh mm ss (days, hours, minutes, seconds). When this timer expires, the access point will reboot, allowing the new firmware to take effect. Click Start. Appendix A: Specifications. This appendix contains AT-WA7500 and AT-WA7501 specifications for reference purposes only. Actual product performance and compliance with local telecommunications regulations may vary from country to country. Allied Telesyn only ships products that are type approved in the destination country. AT 7500 Access Point. Table 1. AT 7500 Technical Specifications. Dimensions Weight HxLxW: 4.6 cm x 25.0 cm x 15.9 cm (1.8 in x 9.8
47. You can configure the 802.11g radio to communicate with other 802.11g and 802.11b radios that have the same SSID (Network Name) and Security. For each radio, you can assign up to four service sets, creating one primary service set and up to three secondary service sets. Each service set shares the same Advanced Configuration and Inbound Filters settings, but you can customize the security settings. However, most clients do not support a mixed security environment using multiple service sets: If you configure security on the primary service set, then you should also configure security on the secondary service sets. If you do not configure security on the primary service set, then you cannot configure security on the secondary service sets. For details, see When You Specify the Security Options for Multiple SSIDs per Radio on page 175. Multiple service sets are used primarily to allow one physical radio to support multiple virtual LANs (VLANs). For details about VLANs, see Configuring VLANs on page 189. To configure the 802.11g radio: 1. From the main menu, click 802.11g Radio. The 802.11g Radio screen appears.
48. You can define a user name and password. For help, see Setting Up Logins on page 178. The Access Point Configuration menu appears. Your telnet session is established. Saving Configuration Changes: When you are done configuring the access point, you may want to activate your changes immediately, or you may want to save the changes now and activate them later. If you choose to activate the changes later, they will become active the next time the access point is booted. Table 11. Access Point Configuration Files. Default: This configuration file is the factory default configuration. For help, see Restoring the Access Point to the Default Configuration on page 243. Current: When you click Submit Changes, the access point updates the current configuration file. The access point does not change the active configuration file. You can see a list of pending changes when you click Save/Discard Changes. Having separate files for the current and active configurations lets you make changes while the access point is running without interrupting communication. A
49. acting as an ARP server, it will determine the IP addresses of the end devices that are attached to it and allow you to use ICMP echo on the wireless network. The access point always knows the IP address of all access points in the spanning tree. To use ICMP echo: 1. From the menu, click Maintenance > AP Connections. The AP Connections screen appears. 2. Click an IP address hyperlink. The access point pings the device and then the Ping Utility screen appears showing the results.
50. attacks from rogue supplicants, as it is easier to break SWAP than TLS or TTLS. Configuring Spanning Tree Security. Note: If you are implementing an 802.1x security solution, secure IAPP and secure wireless hops are automatically enabled. 1. From the main menu, click Security > Spanning Tree Security. The Spanning Tree Security screen appears. 2. In the IAPP Secret Key field, enter a secret key. This secret key must be between 16 and 32 bytes. 3. Choose which authentication methods you want to use to authorize the access point to communicate with the network. For help, see the next table. 4. Check the Verify CA Certificate check box and enter the authentication server common names to verify that the access point is connecting to the correct authentication server. Allied Tele
51. configuration possible for your environment. Do not enable wireless hops on the port that has no security. The security concern is that wireless access points (WAPs) configured on the other service sets will hear the unencrypted hellos on the wireless hop port, and those WAPs will attach even though they should not. Controlling Access to Access Point Menus. Enabling Access Methods. There are several ways that you can manage who can configure and manage the access points in your network: enable or disable access methods; set up individual logins; change the default logins and create a read-only login. The next sections explain how to implement these strategies. There are five access methods that you can enable or disable, depending on how you want users to be able to configure or manage the access points: web browser interface (HTTP or HTTPS); telnet session; Intermec's MobileLAN manager or any other SNMP management station; TFTP; programs that use ICMP echo. All access methods are enabled by default. You may want to disable any of these methods that you will not use, to prevent access by an unauthorized method. To enable or disable access methods: 1. From the main menu, click Security. The Security screen appears.
52. device needs to have an IP address from the root IP subnet. secondary bridging: Ethernet bridging on a non-root port. An access point that is the designated bridge for a secondary LAN uses secondary bridging to bridge frames to and from the secondary LAN on a non-root port. secondary LAN: Any LAN that is reached by routing traffic through an access point. Wireless end devices that are communicating through a WAP comprise a secondary LAN. A remote IP subnet is a type of secondary LAN. service set: A logical (not physical) radio. You can create up to four service sets for each physical 802.11g and 802.11a radio in an access point. Each service set shares the same physical radio configuration, including the parameters set for Advanced Configuration and Inbound Filters. Each service set has a unique SSID (network name), and you may customize its security configuration and member limit. Multiple service sets are used primarily to allow one radio to support multiple VLANs. SNAP: A protocol extension typically used by AppleTalk networks. SNMP: Simple Network Management Protocol. SNMP is a popular network management protocol in the TCP/IP and SPX/IPX protocol suite. SNMP allows TCP/IP and SPX/IPX sites to exchange configuration and status information. It uses management programs called agents to monitor network traffic. SNMP stores the information it collects in the Management Information Base (MIB). Your network administrator can us
53. end device is known to be attached to an access point on a remote IP subnet; the frame type is configured to pass. IP and ARP frames are never forwarded outbound through an IP tunnel unless the destination IP address belongs to the root IP subnet. Usually these frames are destined for wireless end devices that have roamed away from their root IP subnet. Unicast frames are not flooded. Unicast frames are only forwarded outbound through an IP tunnel if the destination address identifies an end device that has roamed to a remote IP subnet. End devices attach to the root access point, which maintains entries for these devices in its forwarding database. The database entries indicate the correct subnet for outbound forwarding. For TCP/IP applications, IP and ARP frames must be forwarded through IP tunnels. An IP or ARP frame is only forwarded outbound if the destination address identifies an end device on the root IP subnet. Usually ARP requests, which are multicast frames that originate on the root IP subnet, are forwarded outbound to all devices on the network, including through IP tunnels to remote IP subnets. However, if you enable ARP flooding, ARP frames are only sent through the IP tunnel to the destination end device. MAC frames that are forwarded outbound are encapsulated in the root access point, forwarded through the network, unencapsulated by the access point at the remot
54. for Antenna Diversity (Location: Recommended Antenna Separation). Highly reflective warehouse environment: 0.33 m (13 in) or 0.64 m (25 in). Moderately reflective warehouse environment: 0.64 m (25 in), 1.22 m (4 ft), or 1.83 m (6 ft). Open office environment: 1.22 m (4 ft) to 3.05 m (10 ft). Positioning Antennas for Dual Radio Access Points. The recommendations in the previous table apply to omni antennas. If you are using directional antennas, you should increase the recommended separation between the antennas. If your access point has two 802.11g, two 802.11b, or two 802.11a radios, position the antennas for one radio at least 3.05 m (10 ft) from the antennas for the other radio. If your access point has at least one 802.11g, one 802.11b, or one 802.11a radio (the other radio may be any radio), cable the antennas for the radio at least 3.05 m (10 ft) from the access point. If your access point has an 802.11a full-range radio and either an 802.11g radio or an 802.11b radio, cable the antennas for the 802.11g or 802.11b at least 3.05 m (10 ft) from the access point. If your access point has an 802.11a mid-range radio and either an 802.11g radio or an 802.11b radio, cable the antennas for one of the radios at least 3.05 m (10 ft) from the access point. Stacked Antenna Positioning for Dual Radio Access Points. As an alternative to the physical separation of omn
55. from DHCP or BOOTP servers. Preference is given to DHCP servers. If a BOOTP reply is received before a DHCP offer, the access point waits 4 seconds. If a DHCP offer is received within the 4 seconds, the DHCP offer is used and the BOOTP reply is ignored. BOOTP offers are treated like infinite DHCP leases. Note: You cannot configure the access point as both a DHCP server and a DHCP client. Note: If you are using the embedded authentication server feature, do not configure the access point as a DHCP client. To configure the access point as a DHCP client: 1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears. 2. Configure the DHCP parameters to make this access point a DHCP client. For he
56. has the form x.x.x.x and x is a number from 0 to 255. For more help, see "Using a Communications Program" on page 39. The interface looks similar. SNMP management station: For help, see "Using Simple Network Management Protocol (SNMP)" on page 229. The Wavelink Avalanche client management system uses three main components to help you easily manage your wireless network. Table 1. Wavelink Avalanche Components (Component: Description). Enabler: Resides on all devices managed by the Avalanche system. It communicates information about the device to the Avalanche Agent and manages software applications on the device. Agent: Automatically detects and upgrades all devices in the Avalanche system and manages the daily processing functions. Console: The administrative user interface that lets you configure and communicate with the Avalanche Agent. From the console, you can configure and monitor devices and build and install software packages and software collections. The enabler is already installed on access points with software release 2.0 or later. You can install the agent and the console on the same PC. Avalanche uses a hierarchical file system organized into software packages and software collections. Software packages are groups of files for an applica
57. in x 6.3 in; 526 g (1.16 lb). POE Electrical Rating: 48 V, 315 mA. Operating temperature: -20 °C to 55 °C (-4 °F to 131 °F). Storage temperature: -40 °C to 70 °C (-40 °F to 158 °F). Humidity (non-condensing): 10% to 90%. Architecture: Transparent bridge. Ethernet interfaces: 10Base-T/100Base-TX (twisted pair). Ethernet compatibility: Ethernet frame types and Ethernet addressing. Ethernet data rate: 10 Mbps, 100 Mbps Ethernet. Table 1. AT 7500 Technical Specifications. Radios supported: IEEE 802.11g, IEEE 802.11b, IEEE 802.11a. Media Access protocol: CSMA/CD. Filters (protocol): IP, IPX, NetBEUI, DECNET, AppleTalk. Filters (others): IP ARP, Novell RIP, SAP, LSP. Serial port maximum data rate: 115,200 bps. Management interfaces: Web browser-based manager, text-based menu system, serial port, Telnet, SNMP. SNMP agent: RFC 1213 (MIB-2), RFC 1398 (dot3), RFC 1493 (Bridge), 802.11, 802.1x. Regulatory Approvals: EN 550022 CISPR 22 Class A; FCC Part 15 & ICES 003 Class A; C-tick Marked AS 3548; CE Market Compliant with RTT&E, EMC, LVD directives (see separate radio approvals); UL Listed 1950 & IEC 60529 IP53; CSA Certified C22 2 950 & C22 3 94 ENC 3 5; TUV Licensed EN 60950 & EN 60529 IP53; NYCE Certified NOM 19; plenum rated. AT 7501 Access Point
58. interface, while multicast specifies a group of Ethernet addresses. Broadcast is a variation of multicast in which a multicast is received by all interfaces. MIB: Management Information Base. This repository stores network traffic information that SNMP management programs collect. Your network administrator can use management software interacting with the MIB to obtain information about network activity. The MIB for the access point is available from the Allied Telesyn web site at www.alliedtelesyn.com. multicast address: A form of broadcast address through which copies of the frame are delivered to a subset of all possible destinations that have a common multicast address. NAT: Network Address Translation. A mechanism for reducing the need for different IP addresses. NAT allows an organization with IP addresses that are not unique to connect to the network by translating those addresses into routable address space. The access point can act as a DHCP/NAT server. non-bridging secondary LAN: A secondary LAN that does not have a designated bridge. A non-bridging secondary LAN is used to interconnect access points without using wireless hops. omni antenna: An antenna that transmits and receives RF signals in all directions equally on a horizontal plane. This radiation pattern is similar to a doughnut, with the antenna being in the center of the doughnut hole. These antennas pro
59. is unlikely to occur. TFTP opcode not read or write request: This error should not occur under normal operating conditions. This error indicates that the TFTP client does not conform to the protocol. Invalid opcode during read: This error should not occur under normal operating conditions. This error indicates that the TFTP client does not conform to the protocol. Invalid opcode during write: This error should not occur under normal operating conditions. This error indicates that the TFTP client does not conform to the protocol. Using sdvars Commands. Use sdvars commands to manipulate certain software download variables. Sdvars commands support both GET and SET arguments. You can enter sdvars commands to GET a software download object and then issue the sdvars command using the SET argument to assign the object a specified value. This section describes the sdvars commands using the SET argument. To execute an sdvars command using the GET argument, omit the variable from the end of the command. sdvars set serveripaddress. Purpose: Sets the internal variable called serveripaddress to a specified address. Syntax: sdvars set serveripaddress ipaddress, where ipaddress is the address of the TFTP server. Example: To set the IP address of the server to 192.168.49.29, enter: sdvars set serveripaddress
60. line in the script file must be terminated by an LF or CR. You can only have one command per line. Any file that is to be uploaded by script must have a file header. This does not include the script file itself. You can include comments on a line by using the pound sign (#); all characters after a pound sign are ignored. To test a script file, log onto an access point and type each of the script file commands. This new sample script upgrades an AT WA7500 or AT WA7501 access point. This script is based on upnopath.dnl, which is included in the AP upgrade package. A header file is not required. All files are copied into segment 1 on the access point. Sample script file for upgrading an access point: file sdvars set checkpoint 1 file fe 1 file sdvars set checkpoint 2 file tftp get software ap824x dnl1 1 file tftp get software boot824x dnl 1 file tftp get software act dnl 1 file tftp get software ap3890 dnl1 1 file tftp get software applets dnl 1 file tftp get software cert dnl 1 file tftp get software closed dnl 1 file tftp get software discinca dnl 1 file tftp get software easdb dnl1 1 file tftp get software echo dnl 1 file tftp get software favicon dnl 1 file tftp get software file dnl 1 file tftp get software fileimp dnl 1 file tftp get software filemenu dnl 1 file tftp get software fpga8245 dnl1 1
61. method. You must install a server certificate on each access point that will use this method to authenticate to the network. When the access point is acting as a supplicant and the authentication server offers the TLS protocol, the access point sends its certificate credentials. If you choose to use both TTLS and TLS, you must choose which protocol the access point offers first, and the access point must have a login configured and a server certificate. By default, Secure Wireless Authentication Protocol (SWAP) is also enabled. The access point tells the authenticator that it can perform SWAP. If the authenticator allows SWAP, SWAP is used. SWAP allows access points to authenticate using an EAP-MD5 challenge. If the supplicant or the authenticator does not allow SWAP, the authentication must happen at the authentication server using TTLS or TLS. When the Access Point Is the Authenticator. If the Allow SWAP check box is cleared, the access point that is acting as the authenticator will not perform any authentications using SWAP. Supplicants will need to authenticate with the authentication server using TTLS or TLS. However, older access points do not support these authentication methods. If the Allow SWAP check box is checked, the access point that is acting as the authenticator will authenticate any supplicants that offer SWAP. Note that SWAP authentication is susceptible to downgrade
62. multicast addresses. Only one IP tunnel can be created for each IP unicast address in the list. One IP directed broadcast address can be used to create a practically unlimited number of tunnels to a single remote IP subnet. An IP directed broadcast address is typically used to specify all hosts on a single remote subnet. One IP multicast address can be used to create a practically unlimited number of tunnels to remote IP subnets. For help, see "Using One IP Multicast Address for Multiple IP Tunnels" on page 143. Once you have configured the IP tunnels, the root access point sends IP hello messages to each IP address in its IP address list. An IP tunnel is automatically established when an access point on a remote IP subnet receives this hello message. This access point then transmits IP hello messages on its subnet so that other access points on the same subnet that do not receive hello messages can also attach to the spanning tree. To create a unicast IP tunnel: 1. Make sure that end devices that will roam between the root IP subnet and the remote IP subnet have IP addresses from the root IP subnet and have their default router set the same as the root access point. There are no address restrictions for non-IP end devices. Using One IP Multicast Address for Multiple IP Tunnels. Make sure that the root access point and the access point at the endpoint of the IP
63. number 5 Period. If Security Level is WPA-PSK: Multicast Encryption Type: range TKIP; default TKIP. Pre-share Key: range 256 32 byte hexadecimal value or an ASCII pass phrase; default blank. Key Rotation Period: range any number; default 5. If Security Level is WPA-802.1x: Multicast Encryption Type: range WEP, TKIP; default TKIP. Key Rotation Period: range any number; default 5. (Columns: Parameter Name, Range, Default, Your Site.) IP Address or DNS name: range 4 nodes, 0 to 255, or DNS name; default 0.0.0.0. Secret Key: range 16 to 32 bytes; default factory default. Port: range 1-65535; default 1812; recommended range is 49152-65535. 802.1x: range Check/Clear; default Clear except Servers 5 and 6. ACL: range Check/Clear; default Clear except Servers 3 and 4. Login: range Check/Clear; default Clear except Servers 1 and 2. Spanning Tree Security Menu Defaults (Parameter Name, Range, Default, Your Site). Secure IAPP: range Check/Clear; default Check. If 802.1x security or Secure IAPP is enabled: IAPP Secret Key: range 16 to 32 bytes; default factory default. Allow SWAP: range Check/Clear; default Check. Allow TLS: range Check/Clear; default Clear. Allow TTLS: range Check/Clear; default Check. Preferred Protocol: range SWAPY TLS TTLS; default TTLS. User Name: range 1 to 31 characters; default anonymous. Password: range 1 to 31 characters; default anonymous. Verify CA Certificate: range Check/Clear; default Clear. Embedded Authentication Server Menu Defaults (Parameter Name, Range, Default, Your Site). Enable Server: range Check/Clear; default Clear. If Enab
64. on a PC with an open serial port. For help, see "Using a Communications Program" on page 39. This manual assumes that you are using a communications program for your initial configuration and then using a web browser interface to perform all other configurations. You can also continue to use a communications program, or you can start a telnet session to configure the access point. You can use a communications program such as HyperTerminal to set the initial IP address for the access point. After you configure the IP address, you can continue to use the communications program to set other parameters, or you can use a web browser or a telnet session to complete the configuration. To use a communications program, you must have: a terminal or PC with an open serial port and the communications program; an RS-232 null-modem cable. One end of this cable must be a 9-pin socket connector to connect to the serial port on the access point. To use a communications program: 1. Use the RS-232 null-modem cable to connect the serial port on the access point to a serial port on your PC. You may need to remove the serial port plug. 2. Start the communications program and configure the serial port communications parameters on your PC, and then click OK. You should configure the serial port communications parameters to: Bits per second: 9600; Data bits: 8; Parity: None; Stop bit: 1; Flow control: None. 3. Connect the access point to
65. on one or both of the access points, either TTLS or TLS will be used, depending on the setting of the Preferred Protocol field of the supplicant access point. Note these potential problems: If you enable secure IAPP on a root access point that is running software release 1.80 or later and other access points in your network are running an earlier software release than 1.80, the access points with the earlier software release will not attach to the root. The access points with the earlier software release do not support secure IAPP. If you want to use secure IAPP, upgrade all access points to software release 1.80. If you enable secure IAPP on a non-root access point and the root access point has secure IAPP disabled, the access points will form separate spanning trees with the same LAN ID. If you want to use secure IAPP, enable secure IAPP on all access points. To create a secure spanning tree: Note: You do not need to perform this procedure if you are implementing an 802.1x security solution. 802.1x authentication automatically enables secure IAPP and secure wireless hops. See "Implementing an 802.1x Security Solution" on page 194. 1. From the main menu, click Security > Spanning Tree Security. The Spanning Tree Security screen appears.
66. page 136. 802.11g and 802.11b. Configure the station radio in the WAP. a. From the main menu, click the link corresponding to the station radio. The radio screen appears. b. In the Primary service set Node Type field, choose Station. c. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing. d. Click Submit Changes to save your changes. The screen updates. To activate your changes, from the menu bar click Save/Discard Changes and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. 5. Configure the master radio in the WAP to communicate with the end devices. For help, see Chapter 4, "Configuring the Radios," on page 99. 6. Configure the master radio in the access point. a. From the main menu, click the link corresponding to the master radio. The radio screen appears.
67. point, you can set flooding control options for both unicast and multicast frames to free up bandwidth and improve system performance. Access points try to forward frames to the port with the shortest path to the destination address. When the access point has not learned the direction of the shortest path, you can configure it to flood the frames in certain directions to try to locate the destination address. ARP requests are multicast frames that are periodically sent out to all devices on the Ethernet network. An ARP cache is a table of known MAC addresses and their IP addresses that the access point maintains. When an access point receives an ARP request, it checks its ARP cache to determine if the destination end device's IP address is known. To configure global flooding: 1. From the main menu, click Spanning Tree Settings > Global Flooding. The Global Flooding screen appears.
68. radios must support WEP encryption. All access points and wireless end devices on a particular network must use the same WEP encryption type and the same WEP transmit key. You should periodically change this WEP transmit key to prevent an unauthorized person with a sniffing tool from monitoring your network and discovering the WEP key. Since static WEP keys can be difficult to update, the AT WA7500 and AT WA7501 access products let you enter up to four WEP keys and then pick a WEP transmit key (1-4). It is easier to rotate the WEP transmit key than to individually change all the WEP keys. 802.11g and 802.11b radios support WEP 64/128 security, and 802.11a radios support 64/128/152 security. WEP 64 has four 40-bit encryption keys and one 24-bit initialization vector (IV) key. Enter five ASCII characters or five hex pairs for the WEP keys. WEP 128 provides a higher degree of encryption protection. It has four 104-bit encryption keys and one 24-bit IV key. Enter 13 ASCII characters or hex pairs. WEP 152 provides the highest degree of encryption protection. It has four 128-bit encryption keys and one 24-bit IV key. Enter 16 ASCII characters or hex pairs. To configure WEP 64/128/152 security: 1. From the main menu, click Security, and then click the radio service set you are configuring. The appropriate radio screen appears. 2. In the Security Level field, select Static WEP
69. screen, see the next table. Table 4. AP Connections Screen Fields (Display Field: Description). Spanning Tree Connection Status: Indicates the current status of this access point in relation to the spanning tree. This access point is root: This access point has formed a spanning tree and is serving as root. Connected to root: This access point is participating in a spanning tree as a child directly connected to the root access point. Or, this access point has found a spanning tree and is negotiating with the root access point to join the tree. Connected to non-root: This access point is participating in a spanning tree as a child that is not directly conn
70. separated by spaces, colons, or hyphens. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. You can set both Ethernet and IP tunnel filters, and you can create protocol filters for both predefined and user-defined protocol types. In addition, you can define arbitrary frame filters based on frame content. Setting Ethernet filters prevents the Ethernet port from sending out unnecessary traffic to the wireless network. Ethernet frame type filter and predefined subtype filter settings override customizable subtype filter settings. However, Allied Telesyn recommends that when creating customizable subtype filters, you do not duplicate existing frame type or predefined subtype filters, or unexpected results may occur. For more examples of using Ethernet filters and for help configuring IP filters, see "Configuring IP Tunnel Filters" on page 150. Using Ethernet Frame Type Filters. You can define filters for common networking protocols such as IP, Novell IPX, and 802.2 LLC. You can also set filters that will pass only those Ethernet frame types found on your network. You can set the default action for general and specific frame types. For example, you cannot pass the DIX Other EtherTypes frame parameter and then use the s
71. set you are configuring. The appropriate radio screen appears. 2. In the Security Level field, choose either WPA-PSK or WPA-802.1x. 3. Click Submit Changes to save your changes. The screen changes depending on the security level you choose. For help, see one of the next two screens. 4. Fill in the fields. For help, see one of the next two tables. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. To continue configuring WPA security for WPA-802.1x mode: 6. Configure the RADIUS server by clicking Sele
72. table. To use the LEDs to help troubleshoot the radios, see "Troubleshooting the Radios" on page 256. Table 2. LED Descriptions (Icon, LED: Description). Power: Remains on when power is applied. Wireless 1: Blinks when a frame is transmitted or received on the radio port for the radio installed in radio slot 1. Wireless 2: Blinks when a frame is transmitted or received on the radio port for the radio installed in radio slot 2, if a second radio is installed. Wired LAN: Blinks when a frame is transmitted or received on the Ethernet port. Root error: Blinks if this device is configured as the root. It remains on if an error is detected. This illustration shows the LEDs that are on the AT WA7501 access point. For help understanding these LEDs, see the LED Descriptions table on page 17. Figure 2. AT WA7501 LEDs. This illustration shows the LEDs that are on the AT WA7500 access point. For help understanding these LEDs, see the LED Descriptions table on page 17. Figure 3. AT WA7500 LEDs. Understanding the Ports. The access point may have up to four ports. Table 3. Port Descriptions
73. [Screenshot: 802.11g Radio, Advanced Configuration, Apply Hot Settings screen] Configuring the 802.11b Radio: The 802.11b radio will communicate with other 802.11b radios that have the same SSID (Network Name) and security. To configure the 802.11b radio: 1. From the main menu, click 802.11b Radio. The 802.11b Radio screen appears. [Screenshot: 802.11b Radio screen] 2. Configure the
74. the Allied Telesyn multicast address 224.0.1.65. 7. On the access point at the end of the IP tunnel, check the Enable IGMP check box. 8. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. The access point maintains a forwarding database of all MAC addresses, and it knows the correct port for each MAC address. The access point updates this database by monitoring source addresses on each port (backward learning), by receiving explicit attachment messages, and by examining messages exchanged between access points when end devices roam. The database also includes the power management status of each end device, which allows the access point to support the pending message feature of the network. The forwarding database allows the Ethernet bridging software to make efficient forwarding decisions. Any frame that is sent through an IP tunnel is addressed to the unicast IP address of the access point at the other end of the tunnel. An access point at the remote end of the tunnel learns the unicast IP address of the root access point by listening to IP hello messages. The root access point learns the unicast IP address of a remote access point when the access point attaches to the network. Outbound Frames: Frames are forwarded outbound to a secondary LAN through an IP tunnel if an
75. three secondary service sets. Each service set shares the same Advanced Configuration and Inbound Filters settings, but you can customize the security settings. However, most clients do not support a mixed security environment using multiple service sets. If you configure security on the primary service set, then you should also configure security on the secondary service sets. If you do not configure security on the primary service set, then you cannot configure security on the secondary service sets. For details, see "When You Specify the Security Options for Multiple SSIDs per Radio" on page 175. Multiple service sets are used primarily to allow one physical radio to support multiple virtual LANs (VLANs). For details about VLANs, see "Configuring VLANs" on page 189. The 802.11a radio ships with either the full range (5.15 to 5.35 GHz) option or the mid range (5.25 to 5.35 GHz) option. The full range option can only be used indoors and with the integrated antenna. If you configure an 802.11a radio as a master radio, it provides simultaneous master and station support. This feature means that not only do you only need one radio in WAPs and point-to-multipoint bridges, but also it can heal itself. If the access point can no longer communicate with the Ethernet network, it will try to wirelessly connect to the root through another access point. Any access point that may become a WAP should have a root priority set to 0 an
76. undesirable results if not properly executed, you should contact Technical Support for assistance if you are unsure about the proper procedure to use. To enter CAM mode: 1. Type CAM and press Enter. 2. Enter a password. The default password is EV98203C (case sensitive). When you are in CAM mode, the CAM prompt (CAM>) appears. To exit CAM mode: At the CAM prompt, type X and press Enter. You return to the ap prompt. To display CAM commands: Type any letter or number other than B and press Enter. The CAM commands appear on the screen: Add Entry, Show Status register, Delete Entry, Show Config register, Find Entry, Tests CAM FPGA, Execute CAM command, Exit, Show Register Value. Using Test Mode Commands: Within the AP monitor, Test mode lets you perform certain test functions. Because the commands can cause undesirable results if not properly executed, you should contact Technical Support for assistance if you are unsure about the proper procedure to use. To enter Test mode: 1. Type TEST and press Enter. 2. Enter a password. The default password is EV98203T (case sensitive). When you are in Test mode, the test prompt (test>) appears. To exit Test mode: At the test prompt, type X and press Enter. You return to the ap prompt. To display test commands: Type any
77. with the network. Enter the login name and password of all end devices that are authorized to communicate with the 802.1x-enabled network. For more security, you should delete the user name anonymous and the password anonymous. MAC address End device login name None End device login password 802.1x TLS: Enter the client certificate common name of all end devices that are authorized to communicate with the 802.1x-enabled network. Client certificate common name None. Using the Rejected List: The Rejected List screen displays the users and devices that have been rejected by the EAS. You can use this list to discover which users and devices may need to be added to the database. When using the web browser interface, you can immediately add previously rejected end devices to the database. You do not need to click Submit Changes or reboot the access point. Note: When you reboot the access point, the rejected list is cleared. To view the rejected list: 1. Log in to the access point whose EAS you are using. 2. From the main menu, click Security > Embedded Authentication Server > Rejected List. The Rejected List screen appears. 3. Determine which users and devices you need to add to the database. For help understanding the list, see the next table. 4. Add users and devices to the dat
78. 0 The designated bridge must have at least one radio set to Station mode, or the designated bridge must be the endpoint of an IP tunnel as defined in "About IP Tunnels" on page 140. If more than one access point meets these requirements, the access point with the highest secondary LAN bridge priority is the designated bridge. If two access points have the same secondary LAN bridge priority, the access point with the highest Ethernet address becomes the designated bridge. If the designated bridge goes offline, the remaining access points negotiate to determine which access point becomes the new designated bridge. To configure a designated bridge: 1. Using the selection criteria listed earlier in this section, determine which access point to configure as the designated bridge. 2. On that access point, from the main menu click Spanning Tree Settings. The Spanning Tree Settings screen appears. 3. Configure the LAN ID. All access points that want to participate in the spanning tree must have the same LAN ID. 4. Set the Root Priority parameter to zero. All access points on the secondary LAN should have a root priority of zero. 5. Verify that the Enable Ethernet Bridging check box is checked. 6. Set the Secondary LAN Bridge Priority to be the highest number of all access points on the secondary LAN. The range is 1 to 7. The value 1 is the highest priority. 7. Set the Secondary LAN Flooding parameter to Enabled. 8. Click Submit Changes t
79. Table 3. Password Parameter Descriptions (Continued)
User Name: Enter the user name you need to use to log in to this access point. This parameter can be from 0 to 16 characters long. If you leave the user name and password fields blank, a user will not need to log in to the access point.
Password: Enter the password you need to use to log in to this access point. This password gives you read and write access to the access point configuration. This parameter can be from 0 to 16 characters long. If you leave the user name and password fields blank, a user will not need to log in to the access point.
Read Only Password: Enter the password you need to use to log in to this access point. This password gives the user read-only access to the access point. This user is able to view the configuration and execute diagnostics, but cannot perform any tasks that affect the operation of the access point, such as changing configuration options, rebooting, or downloading software. To disable this password, delete it.
Allow Service Password: If the user enters a login that does not match either the user name and password or the read-only password, check this check box to allow the login to be checked against the service password. Allied Telesyn Technical Support may use this service password if they need to troubleshoot this access point.
80. Configuring the 802.11b Radio 112
Configuring 802.11b Radio Advanced Parameters 114
Configuring 802.11b Radio Inbound Filters 117
Configuring the 802.11a Radio 119
Configuring 802.11a Radio Advanced Parameters 124
Configuring 802.11a Radio Inbound Filters 126
Chapter 5 Configuring the Spanning Tree 129
About the Access Point Spanning Tree 130
About the Primary LAN and the Root Access Point 131
About Secondary LANs and Designated Bridges 132
About Ethernet Bridging Data
81. 11b radios to implement multiple VLANs. You configure each radio or each service set as a master radio with a unique SSID and security solution. Then you distribute the SSID of the secure network to your end devices and the SSID of the non-secure network to your customers. The access points support the 802.1Q standard for VLAN tagging. When the access point receives a frame from an end device, it applies the appropriate VLAN tag to the frame and then bridges the VLAN-tagged frame to the wired network. If you configure the VLAN field to 1, no VLAN tag will be applied and the frames will be put on the wired network as normal Ethernet frames. A VLAN-capable Ethernet switch receives the VLAN-tagged frame and routes it appropriately. Only VLAN-aware devices understand frames with VLAN tags; end devices only understand and accept frames that are meant for them that do not have a VLAN tag. In order for the spanning tree to work, all access points must be on the same Native port on the Ethernet switch. The switch must be able to support a hybrid VLAN, which means the switch can support both VLAN-tagged and normal Ethernet frames on the switch port. The access point only encapsulates wireless traffic. Any communication with the access point across the wired network is always normal Ethernet traffic. To configure a VLAN: 1. From the main menu, click Spanning Tree Settings. The Spanning Tree Settin
82. 11g Access Point
Table 5. 802.11g Access Point Parameter Settings
Screen | Parameter | Access Point
802.11g Radio | Node Type | Master
802.11g Radio | SSID (Network Name) | Manufacturing
Spanning Tree Settings | Root Priority | 5
Spanning Tree Settings | Ethernet Bridging | Checked (Enabled)
Allied Telesyn recommends that you always implement some type of security. For larger or more complex environments, you can install multiple access points so wireless end devices can roam from one access point to another. Multiple access points establish coverage areas or cells similar to those of a cellular telephone network. End devices can connect with any access point that is within range and belongs to the same wireless network. This illustration shows a wireless network with multiple access points. Wireless end devices can roam between the access points to communicate with the host and other end devices. Figure 8. Multiple Access Points with Roaming End Devices. An end device initiates a roam when it attaches to a new access point. The access point sends an attach message to the root access point, which in turn forwards a detach message to the previous access point, allowing each access point to update its forwarding database. Intermediate access points monitor these exchanges and update their forwarding databases. With the access point's multichannel architecture, you can have more than one access
83. When you configure the spanning tree parameters, you identify the access point as part of the spanning tree. That is, you specify if this access point is a root or a candidate to become a root, or a designated bridge or a candidate to become a designated bridge. You also specify if the access point uses Ethernet bridging to forward frames between the wired and wireless networks. Allied Telesyn recommends that you use Ethernet bridging on all access points unless you meet the criteria listed in "About Ethernet Bridging/Data Link Tunneling" on page 134. Note: On the designated bridge, if you disable Ethernet bridging or if you set the Secondary LAN Bridge Priority to 0, wireless traffic is encapsulated on the secondary LAN, which eliminates communication from wired devices on the secondary LAN. To configure the spanning tree parameters: 1. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears. [Screenshot: Spanning Tree Settings screen]
84. 2.11a Radio Inbound Filter Descriptions
Allow IAPP: Determines if this radio accepts IAPP (Inter Access Point Protocol) frames from other access point station radios. The IAPP frames must match Ethernet protocol 875c.
Allow Wireless Transport Protocol (WTP): Determines if this radio accepts WTP frames from end devices. The WTP frames must match Ethernet protocol 875b.
Allow UDP Plus (UDP/IP Port 5555): Determines if this radio accepts UDP Plus frames from end devices. The UDP Plus frames must match the UDP network port 5555 on the DCS 30X Allied Telesyn Gateway or ARP.
Table 11. 802.11a Radio Inbound Filter Descriptions (Continued)
Allow DHCP: Determines if this radio accepts DHCP frames. The DHCP frames must match UDP destination port 67 and ARP. Check this check box if the end devices are DHCP clients.
Allow All Other Protocols: Determines if this radio accepts all other protocols that are not filtered by one of the filters in this screen.
Multicast Filter: Determines if this radio can receive and send multicast frames.
File Name: Specifies the name of the radio's driver software. Allied Telesyn recommends that you change this name only when directed to do so by Allied Telesyn Technical Support.
Hello Period: Controls how frequently the access point broadcasts hello message
85. 36 3. (802.11g and 802.11b) Configure the station radio in the point-to-point bridge on the secondary LAN: a. From the main menu, click the link corresponding to the station radio. The radio screen appears. b. In the Primary service set Node Type field, choose Station. c. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing. d. Click Submit Changes. The screen updates. 4. Configure the spanning tree settings for the point-to-point bridge on the secondary LAN: a. From the main menu, click Spanning Tree Settings. The Spanning Tree Settings screen appears. b. In the Root Priority field, enter 0. c. In the Secondary LAN Bridge Priority field, enter a number other than zero. d. In the Secondary LAN Flooding field, choose Enabled. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. Configure the master radio in the point-to-point bridge on the primary LAN: a. From the main menu, click the link corresponding to the master radio. The radio screen appears. [Screenshot: 802.11a Radio screen]
86. 4/128/152 security. You can configure up to four different WEP keys on the access point and most wireless end devices, and then you specify which key is being used to encrypt data. You should periodically change which WEP key these devices use. 802.11g and 802.11b radios support WEP 64/128 security, and 802.11a radios support 64/128/152 security. For help, see "Configuring WEP 64/128/152 Security" on page 191. Use an 802.1x security solution: 802.1x security provides a framework to authenticate user traffic to a protected wireless network. Using 802.1x security provides secure data transmission by creating a secure spanning tree and dynamically rotating the WEP keys. You configure the access point as an authenticator. For the authentication server, you can either use an external RADIUS server or you can use the access point's embedded authentication server (EAS). For help, see "Implementing an 802.1x Security Solution" on page 194. Use Wi-Fi Protected Access (WPA) security: WPA is a strongly enhanced, interoperable Wi-Fi security that addresses many of the vulnerabilities of Wired Equivalent Privacy (WEP). For help, see "Configuring Wi-Fi Protected Access (WPA) Security" on page 201. For help troubleshooting security, see "Troubleshooting Security" on page 260. You can use multiple RADIUS servers to act as password servers, to support ACLs, and to use in an 802.1x security solution. When you configure each of these security sol
87. Viewing the Events Log: The Events Log screen shows the events that have been logged by this access point. These events are cleared when the access point loses power or is rebooted. To view the Events Log: From the menu, click Maintenance > Events Log. The Events Log screen appears. For help understanding the events on this read-only screen, see the next table. [Screenshot: Events Log screen]
Table 6. Events Log Description
MAC Address: Indicates the Ethernet MAC address of the device that caused
88. IGMP (Internet Group Management Protocol): A standard protocol that lets you originate multiple IP tunnels using one IP multicast address. IGMP allows IP multicast frames to be routed to remote IP subnets that have hosts participating in the multicast group. By enabling IGMP, access points can act as IP hosts and participate in an IP multicast group.
inbound frames: Frames moving toward the primary LAN.
IP router: A software and hardware connection between two or more subnetworks that permits traffic to be routed from one network to another on the basis of the intended destinations.
IP subnet: A single member of the collection of hardware networks that comprise an IP network. Host addresses on a given subnet share an IP network number with hosts on all other subnets of the IP network. The local address is divided into subnet number and host number fields to indicate which subnet a host is on.
IP tunneling: IP tunneling is used on networks with routers. IP tunneling allows wireless end devices to roam across IP subnet boundaries without losing connection. IP tunneling encapsulates standard IP frames with Generic Routing Encapsulation (GRE) and forwards the frames from the root access point on a home IP subnet to another access point on a remote IP subnet. IP tunneling is done through the access points' logical IP ports.
MAC address: There are two types of MAC addresses: unicast and broadcast. Unicast specifies a single Ethernet
89. 802.11g radio primary service set. These settings are shared by any secondary service sets defined for the radio. You can filter different types of wireless traffic that it may receive. You may want to use this feature by itself or with an access control list (ACL) to help secure your network. If you clear all the check boxes, the radio cannot communicate with any other radios. You need to check the Allow IAPP check box if you want the access point to be able to communicate with other access points and participate in the spanning tree. You can use this feature to form a secure wireless hop: clear all check boxes except for the Allow IAPP check box. Or, you may want to use this feature in a terminal emulation environment when you know the end devices are sending only UDP Plus or Wireless Transport Protocol (WTP) frames. Check the Allow UDP Plus check box or the Allow Wireless Transport Protocol check box, and clear all other check boxes except the Allow IAPP check box. The access point master radio will only accept the UDP Plus or WTP frames and discard all other frames, which can make a more secure network. Note: If any of the devices are also DHCP clients, you need to check the Allow DHCP check box. To configure 802.11g radio inbound filters: 1. From the main menu, click 802.11g Radio > Advanced Configuration > Inbound Filters Pri
90. AT-WA7500 or AT-WA7501. This command is included here for backward compatibility with older scripts only. Syntax: FB bootsegment datasegment, where bootsegment is the name or number of the boot segment to be activated, and datasegment is the optional name or number of the data segment to be activated. Example: These examples apply to non-AT-WA7500 and AT-WA7501 products and are included for your reference only. To make segment 2 the active boot segment and segment 4 the active data segment, enter FB 2 4. You can use an asterisk instead of a segment name if you want to leave that segment unchanged. For example, to leave the active boot segment unchanged and make segment 4 the active data segment, you could enter FB * 4. After loading software into the access point, a common task is to activate the new software. To activate the new software, enter FB IB ID. This command activates the inactive boot and data segments. You do not need to know which of the boot and data segment numbers the flash is loaded into. FC. Purpose: Compacts the files in a particular segment. Syntax: FC s, where s indicates the segment to be compacted. You can use any segment number or name to specify the one flash memory segment on the access point. Example: To compact the contents of the flash memory segment, enter FC
91. Access Points AT-WA7500, AT-WA7501 Installation and User's Guide, VERSION 2.2. Allied Telesyn. Copyright 2004 Allied Telesyn, Inc., 3200 North First Street, San Jose, CA 95134 USA. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc. Microsoft is a registered trademark of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners. Intermec is a registered trademark and MobileLAN is a trademark of Intermec Technologies Corporation. Allied Telesyn, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesyn, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesyn, Inc. has been advised of, known, or should have known, the possibility of such damages. Contents: Preface
92. Allow/Pass check box to configure if the subtypes are allowed to pass or are dropped. If you check the check box, the subtype is allowed to pass. 3. In the SubType field, choose the customizable frame subtype. For help, see the next table. 4. In the Value field, enter the two hex pairs. For help, see the next table. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
Table 7. Subtype Filter Descriptions
DIX IP TCP Port: Port value in hexadecimal.
DIX IP UDP Port: Port value in hexadecimal.
DIX IP Protocol: Protocol number in hexadecimal.
DIX IPX Socket: Socket value in hexadecimal.
Table 7. Subtype Filter Descriptions (Continued)
DIX EtherType: Specify the registered DIX type in hexadecimal.
SNAP IP TCP Port: Port value in hexadecimal.
SNAP IP UDP Port: Port value in hexadecimal.
SNAP IP Protocol: Port value in hexadecimal.
SNAP IPX Socket: Socket value in hexadecimal.
SNAP EtherType: SNAP type in hexadecimal. To filter on both SNAP type and OUI, use advanced filters.
802.3 IPX Socket: Socket value in hexadecimal.
802.2 IPX Socket: Socket value in hexadecimal.
802.2 SAP: 802.2 SAP in hexadecimal.
93. (Appears only if Mode parameter is Listen.) Determines if IGMP is enabled or disabled. Multicast Address: (Appears only if Enable IGMP check box is checked.) Enter the Class D IP multicast address. You also need to enter this IP address in the root access point's IP address list. The Internet Assigned Numbers Authority has allocated 224.0.1.65 for Allied Telesyn's inter-access point protocol (IAPP). On the root access point and root candidates, the IP address list contains the IP addresses of all the access points at the endpoint of the IP tunnels. To configure the IP address list: 1. From the main menu, click IP Tunnels > IP Addresses/DNS Names. The IP Addresses/DNS Names screen appears. [Screenshot: IP Addresses/DNS Names screen] Configuring IP Tunnel Filters. 2. If you enabled IGMP, enter the Class D IP multicast address. Th
94. Clear this check box to allow these end devices to associate with this radio. Although this setting is 802.11 compliant, it is not very secure. Check this check box to prevent end devices whose SSID is ANY or is left blank from associating with this radio. DTIM Period (Master radio only): Specifies the number of beacon frames to skip before including a DTIM (delivery traffic indication message) in a beacon frame. Setting a higher DTIM period may conserve battery life in an end device, but it may increase response time. Configuring 802.11b Radio Inbound Filters: When configuring a master radio, you can filter different types of wireless traffic that it may receive. You may want to use this feature by itself or with an access control list (ACL) to help secure your network. If you clear all the check boxes, the radio cannot communicate with any other radios. You should check the Allow IAPP check box so the access point can communicate with other access points and participate in the spanning tree. You can use this feature to form a secure wireless hop: clear all check boxes except for the Allow IAPP check box. Or, you may want to use this feature in a terminal emulation environment when you know the end devices are sending only UDP Plus or Wireless Transport Protocol (WTP) frames. Check the Allow UDP Plus check box or the Allow Wireless Transport Protocol check b
95. 4. Configure the parameters for WEP configuration. To ensure maximum security, configure each WEP key with a different WEP code. For help, see the next table. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
Table 4. WEP Security Parameter Descriptions
Security Level: Select Static WEP from the drop-down menu to use WEP 64/128/152 security.
WEP Transmit Key: Determines which of the four WEP keys this access point uses to transmit data.
WEP Key 1, WEP Key 2, WEP Key 3, WEP Key 4: For WEP 64, enter five ASCII characters or five hex pairs. For WEP 128, enter 13 ASCII characters or hex pairs. For WEP 152, enter 16 ASCII characters or hex pairs. To enter a hexadecimal key, prefix it with 0x. For example, the ASCII key ABCDE is equivalent to 0x4142434445.
Implementing an 802.1x Security Solution: You can implement 802.1x security in your network. The IEEE 802.1x standard provides an authentication protocol for 802.11 LANs. 802.1x provides strong authentication, access control, and key management, and lets wireless networks scale by allowing centralized authentication of wireless end device
96. Document Conventions 8
Where to Find Web-based Guides 9
Contacting Allied Telesyn 10
Online Support 10
Email and Telephone Support 10
Returning Products 10
For Sales or Corporate Information 10
Management Software Updates 10
Chapter 1 Getting Started 11
Which Allied Telesyn Access Products Does This Manual Support 12
Overview of the AT-WA7500 and AT-WA7501 Access Point Products 13
Features 15
What's New for Software Releases 2.2
97. For help, see "Recovering a Failed Access Point" on page 263.
    Problem: The Ping Utility screen does not appear when you click a MAC address or an IP address in the AP Connections screen.
    Solution: The web browser you are using does not have Java support. Allied Telesyn recommends that you use Internet Explorer v3.0 or later or Netscape Communicator v4.0 or later.
    Problem: You cannot connect to the access point using MobileLAN manager or another SNMP management station.
    Solution: Verify that you did not disable the SNMP Access field in the Security screen.
    Problem: The end device cannot connect to the network.
    Solution:
    - From the Maintenance menu, choose AP Connections and verify that the MAC address of your end device appears on your PC screen. If it does not appear, your end device is not communicating with the access point. Check your radio configuration settings.
    - Verify that the access point is not filtering out the type of traffic you are trying to pass through it.
    Problem: The end device cannot synch to the access point.
    Solution: Verify that the end device and the access point have the same SSID (network name) and security.
    Table 11: General Troubleshooting (continued). Columns: Problem/Question, Possible Solution/Answer.
    Problem: The end devices are unable to roam from one access point to another.
    Solution: The switches in your network may not support backward learning. Use data link tunneling to forc
98. In each access point, you need to configure one radio's node type as a Master, which communicates with the wireless end devices, and configure the other radio's node type as a Station, which communicates to another access point with a master radio and within range.
    Chapter 1: Getting Started
    In this example, AP3 is a dual radio access point. It may be located on a loading dock or other remote location. During normal operations, AP3 functions as a normal access point, transmitting frames to and from the host. However, if the Ethernet connection is disrupted, AP3 can function as a WAP and continue operations by transmitting frames to a master radio in AP1. AP3 must be within range of AP1.
    Figure 16: Dual Radio Access Points
    To install dual radio access points for redundancy:
    - Follow the instructions for installing a simple wireless network with a WAP on page 27.
    Configuring the Access Point
    Setting the IP Address Using a Communications Program
    The access point will work out of the box if you are using a DHCP server to assign it an IP address. By default, the access point is configured to be a DHCP client and will respond to offers from any DHCP server. However, if you are not using a DHCP server to assign an IP address, you can use a communications program, such as HyperTerminal, which also configures other parameters. This program must be installed
99. Link Tunneling (page 134)
    About Routable and Non-Routable Network Protocols (page 135)
    Configuring the Spanning Tree Parameters (page 136)
    About Tunnels (page 140)
    Creating IP Tunnels (page 142)
    Using One IP Multicast Address for Multiple IP Tunnels (page 143)
    How Frames Are Forwarded Through IP Tunnels (page 145)
    Configuring IP Tunnels (page 148)
    Configuring the IP Address List (page 149)
    Configuring IP Tunnel Filters (page 150)
    Filter Examples (page 157)
    Comparing IP Tunnels to Mobile IP (page 161)
    Configuring Global Par
100. P frames with the following types are always forwarded:
    - Echo Request
    - Echo Reply
    - Destination Unreachable
    - Source Quench
    - Redirect
    - Alternate Host Address
    - Time Exceeded
    - Parameter Problem
    - Time Stamp
    - Time Stamp Reply
    - Address Mask Request
    - Address Mask Reply
    - Trace Route
    IP and ARP frames are never forwarded inbound through an IP tunnel to the root IP subnet unless the source IP address belongs to the root IP subnet. Frames are only forwarded inbound if the source IP address in the IP or ARP frame identifies an end device that has roamed away from its root IP subnet.
    IP and ARP frames are never forwarded outbound through an IP tunnel by the root access point unless the destination IP address belongs to the root IP subnet. Frames are only forwarded outbound to end devices that have roamed away from the root IP subnet.
    For detailed information about other frame types that are never forwarded, see "Frame Types That Are Never Forwarded" on page 146.
    You can set the default action and scope for general and specific frame types.
    - Allow/Pass: Check or clear this check box. Check this check box to pass all frames of the type. Clear this check box to drop all frames of the type.
    - Scope: Set scope to Unlisted or All. If you select All, then all frames of that type are unconditionally passed or dropped, depending on the action you specified
101. PP FILE DAT
    FE
    Purpose: Erases all the files in a particular segment, including those that have been deleted with FDEL. To recover the files after they have been erased, you must reload them from another source.
    Note: You must execute the FE command before you execute a TFTP transfer.
    Syntax: FE s
    where s is the segment to be erased. You can use any segment number or name (1, 2, 3, 4, id, ib, ad, or ab) to specify the one flash memory segment on the access point.
    Example: To erase the contents of the flash memory segment, enter: FE 1
    To erase the contents of the memory card, enter: FE app
    SCRIPT
    Purpose: Executes a specified file as a list of console commands. You can create a script file to automate a software download.
    Syntax: SCRIPT f
    where f is the name of the script file to be executed. For more information about using the script command, see "Creating Script Files" on page 298.
    Chapter 9: Additional Access Point Features
    Using TFTP Commands
    TFTP commands are file transfer commands. An access point can act as either a client or server in the TFTP environment. As a server, the access point can service read and write requests from an access point client. As a client, the access point can read files from and write files to any TFTP server on the network. Both the client and server must operate in octet or 8-bit mode. When executing a script file, the access point retri
102. Save/Discard Changes, and then click Save Changes without Reboot.
    You can also create a database using Microsoft Excel or Notepad and then import it. Or, you can configure one database, export it, and import it to an EAS in another RADIUS server. For help, see "Exporting and Importing Databases" on page 219.
    Note: Allied Telesyn recommends that when you are done configuring the database, you export it and save the file in a safe place. If you restore the access point to its default configuration, the database is not saved. For help, see "Exporting and Importing Databases" on page 219.
    To configure the database:
    1. Log in to the access point whose EAS you are using.
    Chapter 7: Configuring the Embedded Authentication Server (EAS)
    2. From the main menu, click Security > Embedded Authentication Server > Database. The Database screen appears.
    [Screenshot: Database screen, with Type, User Name, and Password columns]
103. [Screenshot: Filter Expressions screen, with columns ExprSeq, Offset, Mask, Op, Value ID, and Action]
    Table 11: Example 1 Filter Expressions
    - ExprSeq (value 10): The order that you want the expressions executed. You must have an expression for each Value ID that is listed in the Filter Values menu.
    - Offset (value 0): Since the filter is applied to the destination address, which is the first value in the frame, the offset is 0.
    - Mask (value ff ff ff ff ff ff): Compares the entire 6-byte destination address for an exact match.
    - Op (value EQ): Compares the value after the offset and mask are applied to the value of the Value ID from the Filter Values menu to see if they are equal. If the value at the offset equals the specified value on the Filter Values menu, the frame is multicast.
    - Value ID (value 1): This filter expression applies to value ID 1 from the Filter Values menu.
    - Action (value Pass): If this filter expression is true, continue to the next expression.
104. [Screenshot: Filter Expressions screen, with columns ExprSeq, Offset, Mask, Op, Value ID, and Action]
    Table 14: Example 2 Second Filter Expression
    - ExprSeq (value 2): The second expression that is executed.
    - Offset (value 12): Checks for the DIX IP frame type, which starts 12 bytes from the destination address.
    - Mask (value ff ff): Checks the 2-byte DIX IP frame type for an exact match.
    - Op (value EQ): Compares the value after the offset and mask are applied to the value of the Value ID from the Filter Values menu to see if they are equal. If the value at the offset equals the specified value on the Filter Values menu, the frame is DIX IP.
    - Value ID (value 1): This filter expression applies to value ID 1 from the Filter Values menu.
    - Action (value And): If this filter expression is true, continue to the next expression.
    Set the third filter expression as shown below.
    [Screenshot: Filter Expressions screen]
105. Server List screen appears.
    [Screenshot: RADIUS Server List screen, with IP Address/DNS Name and Secret Key fields for Server 1 through Server 6]
    8. For each RADIUS server, enter the IP address or DNS name, enter the shared secret key, port number, and check the ACL or Login check box.
    Note: If you enter more than one server, see page 132 for a description of how the access point uses the servers.
    9. Configure the database. Enter the MAC address for each end device radio that is allowed to communicate with the network.
    - In the EAS database, in the Type field, choose ACL and then enter the MAC address for each end device radio. Or, if you checked the Alternative Method ACL check box, in the Type field, choose Login and then enter the MAC address for each end dev
106. [Screenshot: filter screen listing frame types, each with a scope of All or Unlisted]
    In the Predefined Subtype Filters screen, set the 802.2 IPX RIP field to drop 802.2, DIX, and 802.3 frames.
    [Screenshot: Predefined Subtype Filters screen, with columns Allow/Pass, SubType, and Value]
    Chapter 5: Configuring the Spanning Tree
107. [Screenshot: Ping Results screen for 136.179.85.152, showing packet size, timeout, packet summary, round trip times, signal, noise, and bit rate]
    Note: The information on this screen varies with the type of request sent and the capabilities of the medium through which it is sent. Echo requests sent through different radios may report different results.
    3. Click Return to connections to return to the AP Connections screen.
    This section helps you troubleshoot problems you may have while installing and configuring security in your network. For more help troubleshooting 802.1x security, refer to the documentation for the MobileLAN secure 802.1x security solution, the Odyssey server, and the end devices.
    Viewing the Security Events Log
    The access point logs a variety of 802.1x events in its Security Events log. Only the access point that generates the security event displays it in its Security Events log. To see all the 802.1x events in your network, you need to use MobileLAN manager or another SNMP management station or network management tool.
    To view the Security Events log:
    - Fro
108. Table 11: General Troubleshooting (continued). Columns: Problem/Question, Possible Solution/Answer.
    Problem: The throughput seems slow.
    Solution:
    - Verify that your antennas are well placed and that metal or other obstacles do not block them.
    - You may want to add a second access point and implement roaming if you move the antenna closer to the device and throughput increases.
    - You may be able to set filters to eliminate Ethernet traffic on the wireless network. For help, see "Configuring IP Tunnel Filters" on page 150.
    Problem: The radio coverage is less than you expected it to be.
    Solution: Verify that the antennas or antenna cables are plugged into the correct connectors by reading the label on the access point.
    Troubleshooting the Radios
    If you are having problems communicating with your wireless network, you can use the access point LEDs, error messages, Radio MAC Ping, or ICMP Echo to troubleshoot any radio problems.
    Using LEDs
    If the access point LEDs show the following pattern after it boots, the radio may be faulty or the configuration matrix string is incorrect. Contact your local Allied Telesyn representative to help you correct the problem.
    Table 12: AT-WA7500 and AT-WA7501 LEDs
    - Blinks for wired data traffic
    - Blinks if the AP becomes root
109. Type: Indicates the nature of the connection.
    - Root Parent or Parent: Indicates an access point serving as root access point or parent to which this access point is connected.
    - Pending Root: Indicates that this access point has found a suitable spanning tree and is attempting to join the tree.
    - AP: Indicates an access point linked to this root access point via the Ethernet.
    - AP Wireless: Indicates an access point bridging for a wireless secondary LAN linked to this access point.
    - AP Tunnel: Indicates an access point bridging for an IP tunnel linked to this root access point.
    - AP Remote: Indicates an access point serving as a child on a secondary LAN.
    - Term: Indicates a wireless end device connected to a radio port on this access point.
    - EHost: Indicates a secondary LAN Ethernet device for which this access point provides bridging to the spanning tree.
    Chapter 8: Managing, Troubleshooting, and Upgrading Access Points
    Viewing AP Neighbors
    Table 4: AP Connections Screen Fields (continued). Columns: Display Field, Description.
    Port: Displays the port through which the connection is established.
    - E: Ethernet port
    - 1, 1 1, 1 2, or 1 3: First radio slot (primary, secondary 1, secondary 2, or secondary 3)
    - 2, 2 1, 2 2, or 2 3: Second radio slot (primary, secondary 1, secondary 2, or secondary 3)
    - I: IP tunnel port
    Age: Displays the number of minutes since last contact with this device.
    N
110. Table 1: Access Point Feature Comparison (continued). Each row gives the feature, then the AT-WA7500 value / the AT-WA7501 value.
    - NEMA 4/IP 54 Protection: No / Yes
    - Power Supply: No / AC
    - Power Over Ethernet: Yes / Yes
    - Heater Option: No / Yes
    Currently, the 802.11g radio does not support wireless bridging and wireless hops.
    The 802.11g radio is sometimes referred to as the 802.11b/g radio because it can be configured to communicate with any 802.11b and 802.11g radios that have the same SSID and security settings. For details, see "About the Radios" on page 100.
    Other features of all access points include:
    - the ability to be managed by the Wavelink Avalanche client management system, Allied Telesyn manager, a web browser, telnet, and SNMP
    - the ability to be a DHCP server or client and a NAT server
    - the ability to be an ARP server
    - easy software distribution
    - advanced filtering of wired data traffic
    - enhanced power management for wireless end devices
    - fast roaming reliability for wireless end devices
    - load balancing
    - basic WEP 64, WEP 128, or WEP 152 security for 802.11g, 802.11b, or 802.11a radios
    What's New for Software Releases 2.2
    New features include these items:
    802.11g radio: This radio can communicate with other 802.11g and 802.11b radios. The 802.11g radio is also called the 802.11b/g radio. Currently, this radio does not support wireless hops and wireless bridging. It does not support antenna d
111. a root priority of 0. For help deciding if this access point should be a candidate to become root, see "About the Primary LAN and the Root Access Point" on page 131.
    Enable GVRP for VLAN: The access point uses GARP VLAN Registration Protocol (GVRP) to request a VLAN-capable Ethernet switch to forward traffic for specific VLANs. Enabling this parameter lets the switch exchange VLAN configuration information with other GVRP switches, prune unnecessary broadcast, prune unknown unicast traffic, and dynamically create and manage VLANs on switches connected through 802.1Q trunk ports. A switch may also be configured statically to always forward specific VLANs to specific ports. You should clear this check box for a static configuration.
    Table 2: Spanning Tree Parameter Descriptions (continued). Columns: Parameter, Explanation.
    Enable Ethernet Bridging: Determines how frames from end devices are moved between the wired and wireless networks. For more details, see "About Ethernet Bridging/Data Link Tunneling" on page 134.
    - Check this check box if you want frames to be forwarded directly to the Ethernet network. Allied Telesyn recommends that you enable this parameter on all access points.
    - Clear this check box if you meet the selection criteria listed in "About Ethernet Bridging/Data Link Tunneling" on page 134 and you want to use data link tunneling
112. abase. For help, see "Adding Entries to the Database" on page 218.
    Table 4: Rejected List Values. Columns: Column, Description.
    - Type: Lists the type of authentication that failed. The type can be Login, ACL, TTLS/PAP, TTLS/CHAP, TTLS/EAP, TTLS/MSCHAP, TTLS/MSCHAP V2, PEAP/MSCHAP V2, PEAP/GTC, or TLS.
    - User Name: Lists the value that was passed in the User Name field of the RADIUS server database during the failed attempt.
    - Last Time: Indicates how long ago the last authentication was attempted.
    - Count: Indicates how many times the authentication failed.
    - NAS IP Address: Displays the IP address of the RADIUS server that rejected the client.
    Adding Entries to the Database
    When you accept TTLS/PAP and PEAP/GTC entries, they are added to the database and require no further configuration. If the authentication type does not allow the EAS to learn the password of the rejected client, such as TTLS/CHAP, only the user name is added to the database. You need to manually enter the password into the database and click Submit Changes > Save/Discard Changes > Save Changes without Reboot.
    To add all entries to the database:
    1. Click Select All Entries. A check box appears next to all entries.
    2. Click Accept Selected Entries.
    To add one entry to the database:
    1. Check the check box next to the entry you want to add to the
113. access point via wireless hops. Wireless hops are formed when data from end devices move from one access point to another access point through the radio ports. The master radio in the point-to-point bridge on the primary LAN transmits hello messages, which allow the bridge on the secondary LAN to attach to the spanning tree in the same way as access points.
    How many radios do you need in each access point?
    - If you have an 802.11a network, each access point only needs one radio.
    - If you have an 802.11g or 802.11b network and the access points are simply acting as point-to-point bridges, each access point only needs one radio.
    - If you have an 802.11g or 802.11b network and you want the designated bridge to also communicate with wireless end devices (point-to-multipoint), the designated bridge must have two radios. The designated bridge master radio must match the end device radios, and the station radio must match the root master radio.
    Note: Currently, 802.11g networks cannot use point-to-point bridges because this radio does not support wireless bridging.
    Data from wireless end devices should not go through more than three wireless hops before it gets to an access point on the primary LAN.
    You need to set the root priorities and secondary LAN bridge priorities for the bridge on the primary LAN and for the bridge on the secondary LAN.
    - On the primary LAN bridge, set t
114. ack, which prevents the access point from falling back to 1 Mbps when trying to retransmit radio frames when 2.4 GHz interference is present.
    Chapter 4: Configuring the Radios
    Table 6: 802.11b Radio Advanced Parameter Descriptions (continued). Columns: Parameter, Description.
    Enable Load Balancing: Determines if end devices can distribute their connections across multiple access points.
    Enable Medium Density Distribution: Determines if these access point parameters are distributed to end devices that support this feature:
    - Enable Medium Reservation
    - Distance Between APs
    - Enable Microwave Oven Robustness
    Data/Voice Settings (Master radio only): Choose the setting that optimizes the wireless network.
    - Data Traffic Only: The access point transmits only data traffic.
    - Data and SpectraLink Traffic: The access point transmits both data and voice traffic. SpectraLink telephone frames are sent in the high priority queue. Frames in the high priority queue are sent ahead of frames in the normal priority queue. No special filtering.
    - SpectraLink Traffic Only: The access point transmits only voice traffic. SpectraLink telephone frames are sent with a priority setting. All other multicast/broadcast frames are dropped.
    Disallow SSID (Network Name) of ANY (Master radio only): Determines if end devices that have their SSID (Network Name) set to ANY or are left blank can associate with this radio.
115. adio MAC Ping can help you determine the connectivity and signal strength of an 802.11b radio.
    To use radio MAC ping:
    1. From the menu, click Maintenance > AP Connections. The AP Connections screen appears. All devices that support a radio MAC ping will have their MAC address listed with a hyperlink.
    [Screenshot: AP Connections screen, with columns 802.1x, MAC Address, Type, Port, Age, NextHop, and IP Address]
    2. Click a MAC address hyperlink. The access point pings the device and then this screen appears showing the results.
    [Screenshot: Station Statistics screen, showing signal, noise, average SNR, local and remote Tx fragments, and refresh mode]
116. Embedded Authentication Server Menu Defaults (page 341)
    Appendix C Glossary (page 343)
    Preface
    This manual provides you with information about the features of the Allied Telesyn AT-WA7500 and AT-WA7501 access points with software release 2.0 or later. This manual also describes how to install, configure, operate, maintain, and troubleshoot the access points.
    Document Conventions
    This document uses the following conventions:
    - Note: Notes provide additional information.
    - Caution: Cautions inform you that performing or omitting a specific action may result in equipment damage or loss of data.
    - Warning: Warnings inform you that performing or omitting a specific action may result in bodily injury.
    Where to Find Web-based Guides
    The installation and user guides for all Allied Telesyn products are available in Portable Document Format (PDF) from our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.
    Contacting Allied Telesyn
    Online Support
    Email and Telephone Support
    Returning Products
    For Sales or Corporate Inform
117. ameter Name, Range, Default, Your Site
    - SubType. Range: DIX IP TCP Port, DIX IP UDP Port, DIX IP Protocol, DIX IPX Socket, DIX EtherType, SNAP IP TCP Port, SNAP IP UDP Port, SNAP IP Protocol, SNAP IPX Socket, SNAP EtherType, 802.3 IPX Socket, 802.2 IPX Socket, 802.2 SAP. Default: DIX IP TCP Port.
    - Value. Range: Two sets of hexadecimal pairs, 00 through FF. Default: 00 00.
    Network Management Menu Defaults (columns: Parameter Name, Range, Default, Your Site)
    - SNMP Read Community. Range: 1 to 15 characters. Default: public.
    - SNMP Write Community. Range: 1 to 15 characters. Default: CR52401.
    - SNMP Secret Community. Range: 1 to 15 characters. Default: Secret.
    - Avalanche Agent Name. Range: IP address or DNS name. Default: blank.
    Instant On Menu Defaults (columns: Parameter Name, Range, Default, Your Site)
    - Enable Instant On Server. Range: Check/Clear. Default: Clear.
    - Enable Secure Credential Creation (appears if Enable Instant On Server is enabled). Range: Check/Clear. Default: Clear.
    Appendix B: Default Settings
    Security Menu Defaults (columns: Parameter Name, Range, Default, Your Site)
    - Browser Access. Range: Secure Only (Port 443), Enabled (Port 80, 443), Disabled. Default: Enabled (Port 80, 443).
    - Allow Telnet Access (Port 23). Range: Check/Clear. Default: Check.
    - Allow SNMP Access (Port 161, 162). Range: Check/Clear. Default: Check.
    - Allow TFTP. Range: Check/Clear. Default: Check. Acc
118. ameters (page 163)
    Configuring Global Flooding (page 163)
    Configuring Global RF Parameters (page 167)
    Chapter 6 Configuring Security
    Understanding Security
    When You Include Multiple RADIUS Servers on the RADIUS Server List (page 174)
    When You Specify the Security Options for Multiple SSIDs per Radio (page 175)
    Controlling Access to Access Point Menus (page 176)
    Enabling Access Methods (page 176)
    Setting Up ... (page 178)
    Creating a Secure Spanning Tree (page 183)
    Enabling Secure Communications Between Access Points and End Devices (page 186)
    Using an Access Control List (ACL) (page 186)
    Configuring VLANs
119. and Indonesia Malaysia Hong Kong and most South American countries.
    The 802.11a channels that are allowed in a given country may change without notice. Be sure you use only those frequencies that are permissible in the given country.
    Configuring 802.11a Radio Advanced Parameters
    1. From the main menu, click 802.11a Radio > Advanced Configuration. The Advanced Configuration screen appears.
    [Screenshot: 802.11a Radio Advanced Configuration screen, with fields Power Output Level, Data Rate, Allow Data Rate Fallback, Basic Rate, Reservation Threshold, Fragmentation Threshold, Range Multiplier, Disallow SSID (Network Name) of ANY, Beacon Period, and DTIM Period]
    2. Configure the advanced parameters. For help, see the next table.
    3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Savin
120. and halts the countdown process.
    Note: You should use caution when using this command. If the script file is being downloaded or executed, setting this variable interrupts the processing and can leave the access point in an undetermined state that may require user intervention.
    Syntax: sdvars set terminate
    sdvars set setactivepointers
    Purpose: Sets the setactivepointers command to change inactive segments to active segments the next time the access point is rebooted. This command is usually used with the nextpoweruptime command.
    Syntax: sdvars set setactivepointers none boot data both
    where:
    - none does not change the active segments. The default is none. Also, when the reboot is completed, the access point resets this value to none.
    - boot changes the inactive boot segment to the active boot segment.
    - data changes the inactive data segment to the active data segment.
    - both changes both the boot and data inactive segments to the active segments.
    Example: To change the inactive boot and data segments to active at the next reboot, enter: sdvars set setactivepointers both
    sdvars set nextpoweruptime
    Purpose: Sets the nextpoweruptime command to set the internal variable nextpoweruptime to a countdown time so that when 0 is reached, the access point will reboot. When the nextpoweruptime counter reaches 0, the access point checks the value of the setactivepoint
121. [Screenshot: security settings screen with the Secure IAPP, Allow SWAP, Allow TLS, and Allow TTLS MSCHAPv2 check boxes and the Preferred Protocol, User Name, Password, and Verify CA Certificate fields]
2. Check the Secure IAPP check box.
3. Click Submit Changes to save your changes.
4. In the IAPP Secret Key field, enter a secret key. This secret key must be between 16 and 32 bytes.
5. Determine how the access points authenticate to the network:
- Check the Allow SWAP check box if you have older access points or you are not implementing an 802.1x security solution.
- Check the Allow TLS check box if you are implementing an 802.1x security solution and you want to use TLS. The access point must have a server certificate loaded on it.
- Check the Allow TTLS MSCHAPv2 check box if you are implementing an 802.1x security solution and you want to use TTLS. You must also enter a User Name and Password that matches an entry in the authentication server.
6. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard
122. ansmitted or received through the Ethernet or radio port. Wireless end devices may use power management to maintain battery life. These end devices periodically wake up to receive frames that arrived while their radio was powered down. The access point automatically provides a pending message delivery service that holds frames until the end device is ready to receive them.
Features
This table lists the features of the access points.
Table 1 Access Point Feature Comparison
Feature | AT-WA7500 | AT-WA7501
Access Point | Yes | Yes
Point to Point Bridge (Wireless Bridge) | Yes | Yes
Wireless Access Point (WAP or Repeater) | Yes | Yes
Secure Wireless Hops (SWAP) | Yes | Yes
Secure Wireless Hops (TLS or TTLS) | Yes | Yes
Radios | 802.11g, 802.11b, 802.11a | 802.11g, 802.11b, 802.11a
Dual Radio Support | Yes | Yes
Wi-Fi Compliant | Yes | Yes
Wi-Fi Protected Access (WPA) for 802.1x mode or PSK mode | Yes | Yes
802.1x Authenticator | Yes | Yes
802.1x Authentication Server | Yes | Yes
Access Control List (ACL) Server | Yes | Yes
Password Server | Yes | Yes
Secure Web Browser Interface (HTTPS) | Yes | Yes
10BaseT/100BaseTx | Yes | Yes
Fiber Optics Option | No | Yes
Serial Port | Yes | Yes
Data Link Tunneling | Yes | Yes
IP Tunneling | Yes | Yes
Antenna Diversity | Not yet | Not yet
Non incentive Antenna System | Yes | Yes
Chapter 1 Getting Started
123. ar the Enable Ethernet Bridging check box.
4. Make sure that the Root Priority parameter for all other access points is less than the root access point. The range is 1 to 7. The value 1 is the highest priority.
To enable data link tunneling on the secondary LAN:
1. Make sure that all access points have the same LAN ID as the ones on the primary LAN.
2. On the designated bridge, on the Spanning Tree Settings screen, verify that the Enable Ethernet Bridging check box is checked.
3. On all other access points on the secondary LAN, clear the Enable Ethernet Bridging check box.
4. Make sure that the Secondary LAN Bridge Priority parameter for all other access points is less than the designated bridge.
If you use data link tunneling on the secondary LAN and end devices have IP addresses on the secondary LAN, network monitoring tools and other network components cannot detect their MAC/IP addresses. For more information, see About IP Tunnels on page 140.
Hosts that use a routable network protocol, such as IP or IPX, may be located on any IP subnet; however, triangular routing can be minimized if servers are located on the root IP subnet. Note that this is also true for standard mobile IP. You should be able to use default flooding and spanning tree settings if you are using routable protocols, even if hosts are located on remote IP subnets.
Chapter 5 Configuring the Spanning Tree
Configuring the Spanning Tree Parameters
124. ary LAN
- Because the root distributes parameters to the child access points, the root should have the latest version of software available. In a mixed network of an AT-WA7500 or AT-WA7501 access point with AT-WL2411 access points, choose an AT-WA7500 or AT-WA7501 access point with software release 2.2 or later as the root.
- The root should be an access point that does not handle a large volume of wireless traffic.
The root is elected from a group of access points that are designated as root candidates (access points that are powered on, active, and do not have a root priority of 0). The access point with the highest root priority is the root. Root priority can range from 0 (off) to 7. The value 1 is the highest priority for a participating access point. The election process also occurs in the event of a root access point failure.
Besides the root, you should have two or three access points with a non-zero root priority. Use the selection criteria listed earlier in this section to determine which access points should be root candidates. If two access points have the same root priority, the access point with the highest Ethernet address becomes the root. You should configure your network with overlapping coverage so that the network can automatically recover from any single point of failure.
After the root access point is elected, it transmits hello messages on all enabled ports. The spanning tree forms as other access points receive
125. ass: Leave the field blank if you want this access point to respond to requests from any client. Or, enter the DHCP user class identifier as defined in RFC 3004. When this access point acts as a DHCP server, the access point offers addresses to client requests only when the client requests contain a matching user class identifier.
DHCP Vendor Class: Leave the field blank if you want this access point to respond to requests from any client. Or, enter the DHCP vendor class identifier as defined in RFC 2132. When this access point acts as a DHCP server, the access point offers addresses to client requests only when the client requests contain a matching vendor class identifier.
DHCP for Access Point Network: Determines which DHCP servers may be used by access points and wireless devices.
- Use Any Available DHCP Server: Access points and wireless devices may receive DHCP responses and addresses from any available DHCP server.
- Only Use Access Point DHCP Server: Access points and any associated wireless devices may receive DHCP responses and addresses only from an access point DHCP server. Currently, the DHCP server must be located in the root access point. If this option is selected and the root access point does not have a DHCP server enabled, access points and wireless devices will not be able to receive a DHCP address. You can use this option in combination with a DHCP user class to segment a network that has an existi
126. ata segment numbers the flash is loaded into.
FD
Purpose: Displays the flash file system directory, which includes information about the boot file and file type (E executable, D data, and T transparent). Use this command to ensure that the correct version of the file is in the active boot segment. For information about transparent files, see Understanding Transparent Files on page 271.
Syntax: FD
Example: To display the files loaded in the flash memory segment, enter: FD 1
Note: If the flash memory segment contains no files when you reboot the access point, the access point enters the AP monitor and you will no longer be able to telnet to it during this session. If this occurs, you must access the access point through its serial port to correct the problem.
To show the files loaded in the memory card, enter: FD app
FDEL
Purpose: Deletes a particular file.
Note: When you use the FDEL command, the file is marked as invalid and remains in the file system. To reclaim the file space, you must erase the entire segment. Use the FE command to erase a segment.
Syntax: FDEL f
where f is the name of the file to be deleted.
Example: To delete the file AP824X PRG from the flash memory segment, enter: FDEL 1 AP824X PRG
To delete the file FILE DAT from the memory card, enter: FDEL A
127. ating IP Tunnels
When an access point at the endpoint of the IP tunnel receives data from an end device, it uses a standard IP protocol called Generic Router Encapsulation (GRE) to encapsulate the data into a frame. These encapsulated IP GRE frames use normal IP routing to pass through IP routers to the root access point. The root access point unencapsulates the frame and forwards it to the host. When the root access point receives data on the Ethernet network for an end device that is communicating on a remote IP subnet, it reverses this process.
IP tunneling also allows non-routable traffic, such as WTP and NNL, to roam across routers. The end devices using these protocols are not IP based, but they work in the same way. Data traffic that is not passed by routers, since it is not IP, will be tunneled from the remote IP subnet to the root subnet. It will be dumped on the Ethernet on the root subnet where it belongs, and everything works properly.
An IP tunnel is established when an access point on a remote IP subnet attaches to the root access point through its IP tunnel port. The number of IP tunnels the root access point can originate is practically unlimited. However, currently the IP address list can only contain eight entries, which effectively limits the number of tunnels that can be created if you want to use unicast and directed broadcast IP addresses. The IP address list can contain any combination of IP unicast IP broadcast or IP
128. ation Management Software Updates
This section provides Allied Telesyn contact information for technical support as well as sales or corporate information.
You can request technical support online by accessing the Allied Telesyn Knowledge Base from the following web site: www.alliedtelesyn.com/kb. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions.
For Technical Support via email or telephone, refer to the Support & Services section of the Allied Telesyn web site: www.alliedtelesyn.com.
Products for return or repair must first be assigned a Return Materials Authorization (RMA) number. A product sent to Allied Telesyn without an RMA number will be returned to the sender at the sender's expense. To obtain an RMA number, contact Allied Telesyn's Technical Support at our web site: www.alliedtelesyn.com.
You can contact Allied Telesyn for sales or corporate information at our web site: www.alliedtelesyn.com. To find the contact information for your country, select Contact Us > Worldwide Contacts.
You can download new releases of management software for our managed products from either of the following Internet sites:
- Allied Telesyn web site: www.alliedtelesyn.com
- Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com
To download new software from the Allied Telesyn FTP server using your workstation's command prompt, you need FTP cli
129. [Screenshot: radio configuration screen showing the Node Type and SSID (Network Name) fields and the link Configure security settings for this service set]
2. Configure the parameters for the radio. For help, see the next table.
3. Configure the advanced parameters for the radio. For help, see Configuring 802.11a Radio Advanced Parameters on page 124.
4. (Master only) Configure inbound filters. For help, see Configuring 802.11a Radio Inbound Filters on page 126.
5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45.
6. (Optional) Configure security by clicking Configure security settings for this radio. For help, see Chapter 6, Configuring Security, on page 171.
Table 8 802.11a Radio Parameter Descriptions
Parameter | Explanation
Frequency (Master radio only) | Choose the frequency within the 5.15 to 5.35 GHz range that this access point uses to transmit and receive frames. You can also set the frequency to Dynamic, which lets the access point choose the best available channel to use. The available frequencies depend on the country and the radio option configured on the access
130. [Screenshot: Ethernet advanced filter values screen]
2. Enter up to 22 value IDs and values.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45.
Setting Filter Expressions
You can set filter expressions by specifying parameters for frame filters. You can also create a filter expression, which is executed in ascending order based on the ExprSeq values until the access point determines whether to pass or drop the frame.
To set filter expressions:
1. From the main menu, click Ethernet > Advanced Filters > Filter Expressions. The Filter Expressions screen appears.
[Screenshot: Ethernet Advanced Filters Filter Expressions screen]
131. b ad or ab to specify the one flash memory segment on the access point.
Example: To erase the contents of the flash memory segment, enter: FE 1
To erase the contents of the memory card, enter: FE APP
FFR
Purpose: Runs a program f from a location s.
Syntax: FFR F CS
where:
f is the program name.
s is the optional segment location of the program.
Example: To run program UAPBOOT PRG from the flash memory segment, enter: FFR UAPBOOT PRG 1
FI
Purpose: Reinitializes the access point file system. If the access point file system or a file segment becomes corrupt, use this command to reset it.
Syntax: FI s
where s is the optional number of the segment to be reinitialized. You can use any segment number (1, 2, 3, or 4) to specify the one flash memory segment on the access point.
FX
Purpose: Downloads a file using Ymodem batch protocol into the flash segment that is specified by s.
Syntax: FX s
where s is the destination segment. You can use any segment number (1, 2, 3, or 4) to specify the one flash memory segment on the access point.
HDW
Purpose: Loads the FPGA configuration file into the access point. If you are directed to change the FPGA firmware in the access point, use this command.
Syntax: HDW F S
where:
f is the FPGA configuration filename.
s is the optional seg
132. bal RF Parameters Menu Defaults
  Telnet Gateway Configuration Menu Defaults
  Ethernet Configuration Menu Defaults
  Ethernet Advanced Filters Menu Defaults
  IP Tunnels Menu Defaults
  Tunnels Filter Menu Defaults
  Network Management Menu Defaults
  Instant On Menu Defaults
  Security Menu Defaults
  Passwords Menu Defaults
  IEEE 802.11 b or a Radio Security Menu Defaults
  RADIUS Server List Menu Defaults
  Spanning Tree Security Menu Defaults
133. ble 3 Embedded Authentication Server Entry Descriptions on page 217.
Chapter 8 Managing, Troubleshooting, and Upgrading Access Points
Table 8 Alphabetized List of Configuration Error Messages (Continued)
Configuration Error Message | Additional Information
You have elected to verify the server certificate, but no CA certificate is installed in the certificate store. | You need to install a trusted CA certificate. For help, see Installing and Uninstalling Certificates on page 211.
You have elected to verify the server certificate, but the authentication server common name is blank. |
You have enabled Secure Credential Creation for Instant On, but no 802.1x enabled RADIUS servers have been selected. |
You have enabled the embedded authentication server, but you have not installed a server certificate to identify this device. | You need to install a server certificate. For help, see Installing and Uninstalling Certificates on page 211.
You have enabled TLS authentication, but you have not installed a server certificate to identify this device. | You need to install a server certificate. For help, see Installing and Uninstalling Certificates on page 211.
You have enabled WPA pre-shared key for a radio port, but the pre-shared key for that port is empty. | For help, see Table 6 WPA PSK Security Parameter Descriptions on page 204.
Troublesho
134. c EAP authentication type. For more information on the availability of 802.1x enabled end devices, contact your local Allied Telesyn representative.
- A trusted certificate authority (CA), which issues digital authentication certificates. Allied Telesyn and others can provide the service of acting as a CA and can issue certificates. For more information, contact your local Allied Telesyn representative.
- The authentication server and end devices with supplicants need certificates. A CA certificate is the root certificate or public key. A server certificate (sometimes referred to as the client certificate) is the private key. For more details, see About Certificates on page 209.
  - The authentication server must have both a CA certificate and a server certificate installed on it.
  - An end device with an EAP-TTLS supplicant, or a child access point using secure IAPP (TTLS), needs only the CA certificate.
  - Any device with an EAP-TLS supplicant (end device or child access point) needs both the CA certificate and the server certificate.
  - If the child access point is using SWAP and is an authenticator, it does not need any certificates loaded on it. Only the authentication server and supplicants need certificates.
If the access point has two radios, or if the access point contains one 802.11g or 802.11a radio with multiple service sets as described on pages 74 and 89, you can i
135. cast or unicast flooding.
Multicast: Multicast flooding occurs unless the root access point in the Global Flooding screen disables multicast flooding.
Unicast: Unicast flooding occurs unless the root access point in the Global Flooding screen disables unicast flooding.
About IP Tunnels
The physical boundary of a network is usually defined by the existence of an IP router. Before IP tunnels technology was developed, wireless end devices could only operate within the limited coverage area of their own network and could not roam across IP subnet boundaries. Using IP tunnel technology, end devices can roam across IP subnet boundaries. IP tunnel technology safely and transparently coexists with routed IP installations while supporting mobility for end devices.
IP tunnels do the following:
- Enable access points on different remote IP subnets to belong to the same wireless network.
- Support fast roaming of end devices between access points that are on different IP subnets without losing network connections.
- Support end devices using both IP and other routable or nonroutable protocols.
Only one IP tunnel can exist between the root access point and an access point (usually the designated bridge) on a remote IP subnet. The root access point has a one-to-one relationship with each wireless network. All roaming end devices must have an IP address from the root IP subn
136. ccess. This password can be from 1 to 15 characters and is case sensitive. The default is public.
Table 3 SNMP Community Parameter Descriptions (Continued)
Parameter | Description
SNMP Write Community | Specify a password that provides read and write access. This password can be from 1 to 15 characters and is case sensitive. The default is CR52401.
SNMP Secret Community | Specify a password that provides read and write access and lets the user change the community strings. This password can be from 1 to 15 characters and is case sensitive. The default is Secret.
Maintaining the Access Points
The Maintenance menu lets you view different parameters configured for the access point, including connections, port statistics, and a configuration summary. This information may be needed when you contact Allied Telesyn Technical Support. You can also view security events that are in the Security Events log, and then you can export them to a file.
Viewing AP Connections
The AP Connections screen shows information about the spanning tree status and the devices connected through the spanning tree.
To view AP connections:
- From the menu, click Maintenance > AP Connections. The AP Connections screen appears. For help interpreting the information on this read only
137. ccess point. The EAS can act as:
- a password server that maintains a list of logins of users who can configure and manage the access point.
- a RADIUS server that maintains an ACL, which is a list of MAC addresses that can connect to the network.
- a RADIUS server that maintains a list of RADIUS clients (usually access points) that are authorized to connect to the network.
- a RADIUS server that authorizes TLS, TTLS, and PEAP clients to connect to the network.
If you use the EAS, you may not need to buy an external RADIUS server. An EAS supports up to 128 database entries. If you need more database entries, you may be able to use the EAS on different access points for different purposes. For example, you can use the EAS on one access point as a password server and another EAS on another access point as the authentication server.
This table lists the maximum number of end devices that an EAS supports if you turn on the end devices at the same time. However, if you turn on the end devices in groups, the EAS supports 128 clients with unique security credentials.
Table 1 Maximum Number of Simultaneous Authentications Supported
Type of RADIUS Server | Maximum Authentications
Password server | 128
ACL authentication server | 128
802.1x authentication server | 60
About Certificates
Understanding Which Access Points Need Certificates
Certif
138. Enabling the EAS
  Configuring the Database
  Using the Rejected List
  Exporting and Importing Databases
  Chapter 8 Managing, Troubleshooting, and Upgrading Access Points
  Managing the Access Points
  Using the Wavelink Avalanche Client Management System
  Using Simple Network Management Protocol (SNMP)
  Maintaining the Access Points
  Viewing AP Connections
  Viewing AP Neighbors
  Viewing Port Statistics
  Viewing DHCP Status
  Viewing the Events Log
  Viewing the About This Access Point Screen
139. Using the LEDs to Locate Access Points
  Restoring the Access Point to the Default Configuration
  Troubleshooting the Access Points
  Using the Configuration Error Messages
  Troubleshooting With the LEDs
  General Troubleshooting
  Troubleshooting the Radios
  Troubleshooting Security
  Recovering a Failed Access Point
  Upgrading the Access Points
  Using a Web Browser Interface
  Troubleshooting the Upgrade
140. cepts WTP frames from end devices. The WTP frames must match Ethernet protocol 875b.
Allow UDP Plus (UDP/IP Port 5555): Determines if this radio accepts UDP Plus frames from end devices. The UDP Plus frames must match the UDP network port (5555) on the DCS 30X, Allied Telesyn Gateway, or ARP.
Allow DHCP: Determines if this radio accepts DHCP frames. The DHCP frames must match UDP destination port 67 and ARP. Check this check box if the end devices are DHCP clients.
Allow All Other Protocols: Determines if this radio accepts all other protocols that are not filtered by one of the filters in this screen.
You can hot set the Power Output Level and Mixed Mode Performance parameters for the 802.11g radio, which means that the new settings can be immediately activated without rebooting the access point.
To apply hot settings:
1. From the main menu, click 802.11g Radio > Advanced Configuration and change the parameters as needed.
2. Click Submit Changes to save your changes to the current configuration file, as defined in Saving Configuration Changes on page 45.
3. From the main menu, click Apply Hot Settings to save your changes to the active configuration file, as defined in Saving Configuration Changes on page 45. The Apply Hot Settings screen appears. This screen is read only.
[Screenshot: Apply Hot Settings screen]
141. cimal
Table 5 Subtype Filter Descriptions (Continued)
Subtype | Value
DIX IP UDP Port | Port value in hexadecimal
DIX IP Protocol | Protocol number in hexadecimal
DIX IPX Socket | Socket value in hexadecimal
DIX EtherType | Specify the registered DIX type in hexadecimal
SNAP IP TCP Port | Port value in hexadecimal
SNAP IP UDP Port | Port value in hexadecimal
SNAP IP Protocol | Port value in hexadecimal
SNAP IPX Socket | Socket value in hexadecimal
SNAP EtherType | SNAP type in hexadecimal. To filter on both SNAP type and OUI, use advanced filters.
802.3 IPX Socket | Socket value in hexadecimal
802.2 IPX Socket | Socket value in hexadecimal
802.2 SAP | 802.2 SAP in hexadecimal
Filter Examples
These examples illustrate how to set both Ethernet and IP tunnel filters to optimize network performance. The next illustration includes:
- DIX and 802.3 SNAP frames
- wireless end devices using TCP/IP to communicate with other devices
- a secondary LAN containing IP and IPX hosts linked by AP2 and AP4
- an IPX router connecting to another Novell network
This illustration shows a typical network that will be used in the next examples.
[Illustration: example network; surviving labels include IP Host, Novell Server, Root, AP3, and AP1]
142. ct a RADIUS server for 802.1x authentication. The RADIUS Server List screen appears.
[Screenshot: Security RADIUS Server List screen, with IP Address/DNS Name, Secret Key, Port, 802.1x, ACL, and Login columns for Server 1 through Server 6]
For each authentication server, enter the IP address or DNS name, enter the shared secret key and port number, and check the 802.1x check box.
Note: If you enter more than one authentication server, see page 132 for a description of how the access point uses the servers.
Configure the database. Depending on the authentication type, enter the information for each end device that is allowed to communicate with the 802.1x network.
- In the EAS database in t
143. ctive. When you click Save Discard Changes > Save Changes and Reboot, the access point copies the current configuration file to the active configuration file. The active configuration file is the file that the access point uses.
Note: For the 802.11g radio, when you configure some of the advanced configuration parameters, you can immediately activate the changes without rebooting the access point. For instructions, see Applying Hot Settings on page 110.
Using a Web Browser Interface
1. On the menu bar, click Save Discard Changes. This screen appears.
[Screenshot: Save Discard Changes screen. Buttons: Save Changes and Reboot (use the new configuration settings immediately), Discard Changes and Reboot, Save Changes without Reboot (use the new configuration settings the next time you reboot the access point), Discard Pending Changes, and Restore Factory Defaults. On-screen note: Only Embedded Authentication Server database changes are activated immediately. All other changes require a reboot. The Possible Configuration Errors area lists possible configuration changes that still need to be made, for example: The login password has not been changed from its default value. The Pending Changes area lists configuration changes that have been made.]
144. d Choose the rate at which the access point transmits multicast and beacon frames. In general, higher speeds mean shorter range and lower speeds mean longer range. Do not set this rate higher than the maximum rate at which your end devices can receive multicast frames. You can set this rate to 24, 12, or 6 Mbps. This parameter should usually be left at the default of 6 Mbps.
Reservation Threshold: You may need to set a threshold value, which is the largest data frame that can be transmitted without reserving airtime. Airtime is normally reserved to help prevent collisions with other transmitters. If you set this threshold to 2347, this parameter is disabled.
Fragmentation Threshold: Specifies the largest data frame that can be transmitted without fragmentation. On certain radios, the fragmentation does not occur unless the radio detects interference. Larger frame sizes can improve throughput on a reliable connection. Smaller frame sizes can improve throughput on a poor connection.
Configuring 802.11a Radio Inbound Filters
Table 10 802.11a Radio Advanced Parameter Descriptions (Continued)
Parameter | Description
Disallow SSID (Network Name) of ANY (Master radio only) | Determines if end devices that have their SSID (Network Name) set to ANY or are left blank can associate with this access point. Clear this check box to allow these end devic
145. d Minutes 5. Select a RADIUS server for WPA 802.1x authentication.
Table 7. WPA 802.1x Security Parameter Descriptions
Multicast Encryption Type: Allows you to select the data encryption method for broadcast and multicast for this radio port. A station connected to this port may not select a weaker encryption method to exchange unicast frames.
Key Rotation Period (Minutes): Allows you to specify the key rotation policy for encryption keys when using WEP in 802.1x and for TKIP group keys when using WPA. The value represents key duration in minutes. The default value is 5 minutes.
Chapter 7: Configuring the Embedded Authentication Server (EAS)
This chapter explains how to configure the embedded authentication server (EAS) in your access point for different security solutions to ensure that you have a secure wireless network. This chapter covers these topics:
- "About the Embedded Authentication Server (EAS)" on page 208
- "About Certificates" on page 209
- "Configuring the EAS" on page 213
About the Embedded Authentication Server (EAS)
The AT-WA7500 and AT-WA7501 access points have an embedded authentication server (EAS), which is an internal RADIUS server. In your network, you can use the EAS on any a
146. [Screen: TFTP Server, showing the status "The TFTP server is running read only" and a Stop Server button.]
2. Click Stop Server to stop the TFTP server. Or, click Start Server to start the TFTP server.
You can also use the TFTP SERVER START and STOP commands, described on page 291, to start and stop the TFTP server.
Automatically Upgrading Software
To automatically upgrade software in a network with older access point software
4. Click Upgrade software using automated software download. The Automated Software Download screen appears.
[Screen: Automated Software Download. On-screen text: "This feature is provided for backward compatibility with older versions of access point software. There are newer methods that make upgrading access point software much easier. Click on Upgrade Software or Distributed Network Upgrade above to access the improved upgrade methods." Fields: Server IP Address, Script File Name. Start]
147. d Reboot. For help, see "Saving Configuration Changes" on page 45.
ARP requests are multicast frames, which means they are sent to all devices on the Ethernet network. You can configure the access point to periodically send an unsolicited ARP request to the IP router so that all routers can update their routing tables. This ARP request lets a network management program learn about the access point on the network by querying routers. The auto ARP minutes parameter controls the time interval between ARP requests. If the address of the IP router is 0.0.0.0, then the access point sends an ARP request to its own IP address.
Without this option, an access point might not use its IP address for extended periods of time, and the IP address would expire from the router ARP table. If the IP address expires, the network management program must ping all potential addresses on a subnet to locate active IP addresses or require the user to enter a list. You should not let the IP address for the access point expire.
To set the auto ARP period
1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears.
2. In the Auto ARP Minutes field, enter a time period from 1 to 120 minutes. To disable this parameter, enter 0.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Sa
148. d have a secondary LAN bridge priority.
To configure the 802.11a radio
1. From the main menu, click 802.11a Radio. The 802.11a Radio screen appears.
[Screen: 802.11a Radio. Frequency: Dynamic (11a now 36). Allow Wireless Access Points: On Primary. Service sets (Node Type, SSID (Network Name)): Primary: Master, ATILAN. Secondary 1: Disabled, ATILAN_1. Secondary 2: Disabled, ATILAN_2. Secondary 3: Disabled, ATILAN_3. Each service set has a "Configure security settings for this service set" link.]
If your screen does not look like the previous one, your primary service set may be configured as station instead of master, so that the secondary service sets are not available, as shown next.
[Screen: 802.11a Radio]
149. dary LAN, which is an Ethernet segment containing access points that join the primary LAN network through a wireless connection. A remote IP subnet, which is connected via an IP tunnel.
Table 1. Comparison of Wireless Secondary LANs and Remote IP Subnets
Wireless Secondary LANs: Any access point can provide a wireless link to another access point. A wireless link provides a transparent bridge for both wired and wireless devices.
Remote IP Subnets: Only the root access point can originate an IP tunnel to another access point. An IP tunnel provides a transparent bridge for wireless end devices on a remote IP subnet.
The access point that is responsible for bridging data between a secondary LAN and the primary LAN is called the designated bridge. Consider these selection criteria when choosing which access point to be the designated bridge:
- The designated bridge should have the latest version of software available. In a mixed network of AT-WA7500 and AT-WA7501 access points with AT-WL2411 access points, choose a AT-WA7500 or AT-WA7501 access point with software release 2.2 or later as the designated bridge.
- The designated bridge must be installed on the secondary LAN and within radio coverage of an access point on the primary LAN.
- The designated bridge must be configured so that the Secondary LAN Bridge Priority value is a non-zero number
150. (Optional) In the Default Secret Key field, enter a default secret key that is used between the EAS and all access points. This secret key can be from 1 to 32 characters in ASCII or in hexadecimal. To enter a hexadecimal key, it must start with 0x.
In the UDP Port field, enter the UDP port number on which the EAS listens. Port number assignments are administered by the Internet Assigned Number Authority (IANA). If you change this value, you should choose a number between 49152 and 65535.
In the Authorization Time field, enter the amount of time that RADIUS clients (access points) remain authorized by the server before they need to be reauthorized. The format is d hh mm, where d is days, hh is hours, and mm is minutes. If you enter 0s, the RADIUS server will only authenticate a RADIUS client the first time it connects.
8. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
Configuring the Database
The EAS database contains up to 128 clients that this access point authorizes for logins, RADIUS clients, ACL clients, and 802.1x clients. This screen is hot settable; that is, to activate a change you click
151. dio 2 in the WAP. Wireless end devices can roam between the WAP and the access point.
Figure 11. 802.11b WAP with Roaming End Devices
Table 7. 802.11b Access Point and WAP Parameter Settings
Columns: Screen; Parameter; Access Point 802.11b | WAP 802.11b Radio 1 | WAP 802.11b Radio 2
802.11b Radio; Allow Wireless Access Points; On Primary | not applicable
802.11b Radio; Node Type; Master | Master | Station
802.11b Radio; SSID; ATILAN | ATILAN | ATILAN
Spanning Tree Settings; LAN ID; 11 | 11 | 11
Spanning Tree Settings; Root Priority; 5 | 0 | not applicable
Spanning Tree Settings; Ethernet Bridging Enabled; Checked | Checked | not applicable
You need to configure the wireless end devices to have the same SSID, LAN ID, and frequency as the WAP master radio (802.11b Radio 1). You do not need to configure any secondary LAN settings because the WAP is not connected to a secondary LAN. Allied Telesyn recommends that you always implement some type of security.
Example: Configuring an 802.11a WAP With Roaming End Devices
In this example, there is one 802.11a radio in the access point and there is one 802.11a radio in the WAP. Wireless end devices can roam between the WAP and the access point.
Figure 12. 802.11a WAP with Roaming End Devices
Table 8. 802.11a Access Point and WAP Parameter Settings
Columns: Screen; Parameter; Access Poin
152. e "Applying Hot Settings" on page 110.
Table 3. 802.11g Radio Advanced Parameter Descriptions
Client Type/Performance: Specifies if this radio will communicate with 802.11b and/or 802.11g radios.
- 11b/11g with range/reliability (Not Wi-Fi): Allows clients with 802.11b or 802.11g radios. Parameters are adjusted for longer range. Basic rates are 1 or 2 Mbps. Extended rates are 6, 12, or 24 Mbps. Data rates are 1, 2, 5.5, or 11 Mbps and extended data rates are 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.
- 11b/11g with Wi-Fi compatible rates: Allows clients with 802.11b or 802.11g radios. Basic rates are 1, 2, 5.5, or 11 Mbps. Data rates are 1, 2, 5.5, or 11 Mbps. Extended data rates are 6, 9, 12, 18, 24, 36, 48, or 54 Mbps.
- 11g only for better throughput (Wi-Fi): Allows clients with 802.11g radios only. Basic rates are 1, 2, 5.5, or 11 Mbps. Extended data rates are 6, 9, 12, 18, 24, 36, 48, or 54 Mbps. Clients without extended rates capabilities are rejected.
Power Output Level: Set the transmitted power level.
- Maximum: Sets the output power to the highest level supported by the radio.
- Medium: Sets the output power to 3 dB lower than the highest level supported by the radio.
- Low: Sets the output power to a level higher than the lowest level supported by the radio.
- Minimum: Sets the output power to the lowest level supported by th
153. e default is 224.0.1.65.
3. Enter the IP addresses or DNS names of all the access points that can be the endpoints of IP tunnels.
4. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
You can set both Ethernet and IP tunnel filters, and you can create protocol filters for predefined protocol types. In addition, you can define arbitrary frame filters based on frame content. By default, all IP tunnel traffic except NNL traffic is dropped.
IP tunnel filters are only outbound filters. That is, when you configure IP tunnel filters in the root access point, you are only defining what type of traffic the root will send through the tunnel. The root will receive anything sent to it by the access point at the endpoint of the tunnel. The access point at the endpoint of the tunnel acts the same way. In order for a particular type of traffic to pass, you need to set the same filters to pass in both the root access point and the access point at the endpoint of a tunnel. For help configuring Ethernet filters, see "Configuring Ethernet Filters" on page 81.
Using IP Tunnel Frame Type Filters
The IP tunnel port automatically provides some filtering for wireless end devices. You can define permanent IP tunnel port filters to prevent unwanted frame forwarding through an IP tunnel. ICM
154. e DNS names. If this access point is a DHCP server, this DNS address will be distributed to DHCP clients. You can enter up to two DNS addresses to be delivered to DHCP clients.
DNS Address 2: Enter the IP address of a domain name server that the access point uses to resolve DNS names if the DNS server at DNS Address 1 is not responding. If this access point is a DHCP server, this DNS address will be distributed to DHCP clients.
Table 1. TCP/IP Settings Descriptions (Continued)
DNS Suffix 1: Enter a domain name suffix that will be appended to DNS names that cannot be resolved. If the access point is a DHCP server, this is the only DNS suffix that is delivered to DHCP clients. For example, enter a suffix of UVW.COM. When you try to resolve ABC, the DNS will look for ABC.UVW.COM.
DNS Suffix 2: Enter a domain name suffix that will be appended to DNS names that cannot be resolved either by themselves or using DNS suffix 1. For example, enter a suffix of XYZ.COM. When you try to resolve ABC, the DNS will first look for ABC.UVW.COM and then it will look for ABC.XYZ.COM.
Configuring the Access Point as a DHCP Client
You can use a DHCP server to automatically assign an IP address and other TCP/IP settings to your access point; that is, the access point can act as a DHCP client. A DHCP client accepts offers
155. e Embedded Authentication Server screen, enter the default secret key. For each access point, in the RADIUS Server List screen, enter the EAS IP address, enter the default secret key, and check the 802.1x check box.
If you want to use a different secret key for communications between the EAS and each access point, you need to add each access point to the EAS database as a RADIUS client. For each access point, in the RADIUS Server List, enter the EAS IP address, enter the secret key, and check the 802.1x check box.
To enable the EAS
1. Log in to the access point whose EAS you are enabling.
5. From the main menu, click Security > Embedded Authentication Server. The Embedded Authentication Server screen appears. Check the Enable Server check box. Click Submit Changes to save your changes.
[Screen: Embedded Authentication Server. Enable Server: checked. Default Secret Key. UDP Port: 1812. Authorization Time: 0 01 00. Links: "Install certificates in the certificate store" and "Import or Export the EAS RADIUS database".]
156. e access point.
localfilename is the name you wish to call the file on the access point. The name must begin with a segment number or name followed by a colon. You may or may not have to specify a filename after the colon: if the file has a header, the filename is optional; if the file does not have a header, the filename is required.
Example
If the file has a header, you do not have to include a filename as part of the localfilename because the filename is set to the filename embedded in the file header on the server:
TFTP GET file dat 1
If the file is a transparent file without a header, you must include a filename as part of the localfilename:
TFTP GET file dat 1 file dat
The following command gets file UAP.DNL from a directory on a PC server with IP address 1.2.3.4 and stores it in the flash memory segment on the access point:
TFTP GET 1 2 3 4 C STARTUP UAP DNL 1
The access point may generate these error messages when it issues a TFTP GET command. Other error messages may be returned from the server and displayed by the access point. See your server documentation for additional information.
Error Message: Can't write file
Explanation: The file may be too big. The file may not have an access point file header (filehdr.exe). The file name may be incorrectly formed. The file may already exist in the segment and cannot be overwritten. You must erase the file first.
157. e all wireless traffic through a fixed point so that roaming is transparent to the bridges or switches. The end devices must have IP addresses from the root IP subnet. For help, see "About Ethernet Bridging Data Link Tunneling" on page 134.
Problem: The end devices are unable to roam between a MobileLAN access product and 011X devices.
Solution: Set the Unicast Flood Mode to Hierarchical. For help, see "Configuring Global Flooding" on page 163.
Problem: You cannot originate an IP tunnel to an access point on a remote IP subnet.
Solution: 1. Verify that the IP Router (Gateway) address is correct. 2. Verify that the access points on the ends of the tunnel have the same LAN ID. 3. On the root access point, verify that the IP address of the access point at the endpoint of the IP tunnel appears in the IP Addresses list.
Problem: You need to verify the static WEP keys.
Solution: You cannot verify the WEP keys. The keys are encrypted after you enter them and are never displayed again. You may need to reconfigure your access points and end devices to reset the WEP keys.
Problem: The filters are not filtering properly.
Solution: Check all of your filter settings. Conflicts may exist between the various filters.
Problem: You need to confirm which master radio a WAP is connected to.
Solution: To verify that a WAP is communicating with a particular radio, view the AP Connections screen for the access point. Click Maintenance > AP Connections.
158. e end of the IP tunnel and forwarded to the appropriate access point, if necessary, for delivery to the destination end device.
Inbound Frames
Frames are forwarded inbound to the primary LAN through an IP tunnel if
- an end device is known to be attached to an access point on a remote IP subnet.
- the frame type is configured to pass.
IP and ARP frames are only forwarded inbound through the IP tunnel if the source IP address belongs to the root IP subnet. Usually, these frames originate from wireless end devices that have roamed away from their root IP subnet. Frames transmitted by servers or wired devices that are connected to a remote IP subnet are not forwarded inbound through IP tunnels if the IP address does not belong to the root IP subnet.
MAC frames that are forwarded inbound are encapsulated by the access point at the remote end of the IP tunnel, forwarded through the IP tunnel to the root access point, unencapsulated, and placed on the network.
Frame Types That Are Never Forwarded
Certain frame types are never forwarded through IP tunnels. Frame types that are never forwarded include IP frames used for coordinating routers and MAC frames used for coordinating bridges. Other frame types that are never forwarded include:
- 802.1d bridge frames
- Proprietary VLAN switch frames
- IP frames with a broadcast or multicast Ethernet address
- IP frames with t
159. e management software, such as MobileLAN manager, interacting with the MIB to obtain information about network activity.
spanning tree: A form of network organization in which each device on the network has only one path to the root. The access points automatically configure into a self-organized network that provides efficient, loop-free forwarding of frames through the network.
splitter: A splitter converts 48V input power to 5V or 3.3V output power. If you want to use power over Ethernet, you plug the access point into the splitter and then you plug the splitter into a power bridge. The AT-WA7500 and AT-WA7501 do not use a splitter.
SWAP: Secure Wireless Authentication Protocol. This protocol creates secure wireless hops if you enable secure IAPP. It forces access points to authenticate each other using an EAP-MD5 challenge.
Telnet Gateway: A software feature in Release 2.1 that allows the access point to keep telnet sessions alive even when the wireless client is idle or disconnected for any reason, because the client has roamed out of range, been powered off, lost battery power, etc.
TLS: Transport Layer Security. An EAP authentication type that not only requires a certificate on the authentication server, but also one on the end device. There is both server- and client-side authentication before the end device can communicate with the network.
TTLS: Tunneled Transport Layer Security
160. e number of radios required in the WAP depends on the type of radio installed:
- If you have an 802.11a radio, the WAP only needs one radio because this radio can simultaneously be a master and a station. This radio will create wireless hops automatically when it cannot communicate to the wired network.
- If you have an 802.11g or 802.11b radio, the WAP must contain two radios: one configured as master and one as station. The WAP master radio must match the end devices' radios, and the WAP station radio must match the master radio in the access point.
Note: Currently, 802.11g networks cannot use WAPs because this radio does not support wireless hops.
WAPs must be on the same IP subnet as the access point. Also, data from wireless end devices should not go through more than three wireless hops before it gets to an access point on the primary LAN.
The following procedure explains how to install a simple wireless network with a WAP and no roaming end devices. For help installing a simple wireless network with a WAP and roaming end devices, see the two examples in the next sections.
To install a simple wireless network with a WAP and no roaming end devices
1. Follow the instructions for installing a simple wireless network in the section "Using One Access Point in a Simple Wireless Network" on page 22.
Configure the LAN ID. For help, see "Configuring the Spanning Tree Parameters" on
161. e of the database. If you use the CSV extension, you can import it into Microsoft Excel, which recognizes it as a comma-separated text file.
7. Click Save.
To import a database
Note: As soon as you import the database, it is active.
1. Log in to the access point whose EAS you are using.
2. From the menu bar, click File Import/Export > Read or write the EAS RADIUS database. The EAS Database Import Export screen appears.
[Screen: EAS Database Import Export. On-screen warning: "Do not close or navigate away from this page during upload import export". Prompt: "Enter or select the name of the database file to import", with a Browse button and an Import Database button.]
3. If you are not using the secure web browser, click A secure session is available. Repeat Steps 1 and 2.
4. Enter the path and filename of the database. Or, click Browse to locate the file.
5. Click Import Database.
Chapter 8: Managing, Troubleshooting, and Upgrading Access Points
This chapter explains how to manage, maintain, troubleshoot, and upgrade the access products. This chapter covers these topics: Managing the Access Points
162. e radio. Lowering the power output level reduces the radio coverage for this area and reduces the range for this radio.
Table 3. 802.11g Radio Advanced Parameter Descriptions (Continued)
Mixed Mode Performance: Gives more time to higher rate frames to maximize throughput in the presence of low rate clients. Range is 0 to 2000.
- Optimized for 802.11g clients: 802.11g transmissions are maximized.
- Optimized for 802.11g clients: 802.11b transmissions are maximized.
- Optimize Mixed 802.11b and 802.11g: Allows an optimal mix of 802.11g and 802.11b transmissions.
Disallow SSID (Network Name) of "ANY" (Master radio only): Determines if end devices that have their SSID set to "ANY" or are left blank (empty) can associate with this radio. Clear this check box to allow these end devices to associate with this radio. Although this setting is 802.11 compliant, it is not very secure. Check this check box to prevent end devices with an SSID of "ANY" or are left blank from associating with this radio.
DTIM Period (Master radio only): Specifies the number of beacon periods to skip before including a DTIM (delivery traffic indication message) in a beacon frame. Range is 1 to 65535. Setting a higher DTIM period may conserve battery life in an end device, but it may increase response time.
Configuring
You can configure inbound filters for the
163. e the access point as a DHCP server, see "Configuring the Access Point as a DHCP Server" on page 71.
If you want to configure the access point as a NAT server, see "About Network Address Translation (NAT)" on page 76.
If you want to configure the access point to send ARP requests, see "Configuring the Access Point to Send ARP Requests" on page 77.
4. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
Table 1. TCP/IP Settings Descriptions
IP Address: Enter the IP address of the access point. The IP address has the form x.x.x.x, where x is a number from 0 to 255.
IP Subnet Mask: Enter the subnet mask that matches the other devices in your network. The subnet mask has the form x.x.x.x, where x is a number from 0 to 255. If you use DHCP to obtain an IP address for this access point, the subnet mask that is obtained from DHCP will supersede this one.
IP Router (Gateway): Enter the IP address of the router that will forward frames if the access point will communicate with devices on another subnet. The IP address has the form x.x.x.x, where x is a number from 0 to 255.
DNS Address 1: Enter the IP address of a domain name server that the access point uses to resolv
164. e use the same channels.
Configuring 802.11g Radio Advanced Parameters
You can configure advanced parameters for the 802.11g radio primary service set. These settings are shared by any secondary service sets defined for the radio.
To configure advanced parameters
1. From the main menu, click 802.11g Radio > Advanced Configuration. The Advanced Configuration screen appears.
[Screen: 802.11g Radio Advanced Configuration. Client Type/Performance: 11b/11g with range/reliability (Not Wi-Fi). Power Output Level: Maximum. Mixed Mode Performance: Optimize Mixed 802.11b and 802.11g. Disallow SSID of ANY. DTIM Period.]
2. Configure the advanced parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.
Note: If the field name is marked with an asterisk, you can immediately activate the changes without rebooting. For help, se
165. eb browser screen updates every 30 seconds as the upgrade progresses and shows the final status when all upgrades are complete. If you checked the Reboot selected Access Points after successful upgrade check box, the web browser disconnects. Click the Refresh button to log in again.
Errors may occur during the upgrade process or during the final reboot. If an error occurs, an explanation appears on the web browser screen.
If an error occurs during the upgrade, none of the access points reboot. You should:
1. Recheck the access points where the error occurred.
2. Click Start Upgrade to attempt the upgrade again. If the upgrade is successful and you checked the Reboot selected Access Points after successful upgrade check box, the access points will reboot.
If an error occurs during the final reboot, you should:
1. Wait 5 minutes for the access points that did not reboot to refresh.
2. Refresh your web browser screen and check the access points that are not running the new version.
3. Click Start Upgrade to attempt the upgrade again. If the upgrade is successful and you checked the Reboot selected Access Points after successful upgrade check box, the access points will reboot according to your Reboot selection.
If you need to downgrade an access point to an earlier release, contact Allied Telesyn Technical Support.
Chapter 9: Additional Access Point Feature
166. ected to the root. Or, this access point has found a spanning tree and is negotiating with a non-root to join the tree.
Not connected: This access point is currently searching for a spanning tree, cannot find a spanning tree, or is unable to form its own spanning tree.
Wireless Stations: Displays the number of devices for which this access point provides connectivity via its radio ports.
Access Points: Displays the number of other access points to which this access point has a direct link in the spanning tree.
Ethernet Hosts: Displays the number of Ethernet devices for which this access point is bridging, if this access point is providing bridging for an IP tunnel or wireless LAN segment via its Ethernet network.
ACL 802.1x: Indicates which devices are passed or blocked if you are using an ACL or 802.1x security. If an access point or WAP is blocked and should be allowed to pass, you need to re-enter the IAPP secret key in both devices.
Table 4. AP Connections Screen Fields (Continued)
MAC Address: Shows the address of the connected device. If another access point is connected to this access point, you see the Ethernet MAC address. If a WAP is connected to this access point, you see the radio MAC address. Click the hyperlink to perform a MAC ping or display a radio link statistics screen
167. eed to set secondary LAN flooding parameters.
Set Locally: The designated bridges control flooding on their LANs.
Allow Unicast Outbound to Terminals: Appears only if Unicast Flooding is enabled. Determines if outbound unicast frames with unknown destination addresses are flooded toward end devices.
Table 7. Global Flooding Parameter Descriptions (Continued)
Enable ARP Flooding: Check this check box to enable ARP flooding. When an access point receives an ARP request, it checks its ARP cache to determine if the destination end device's IP address is known. If you enable ARP flooding and
- the destination end device is known, the access point translates the ARP request into a unicast frame, which is only forwarded to the destination end device. Therefore, all end devices do not need to wake up to listen to the ARP request, which saves battery life.
- the destination end device is not known, the access point forwards the ARP request based on its flooding and filtering settings.
If you disable ARP flooding, the access point ignores ARP requests for destination end devices that are not in its ARP cache. You should only use this option if you have no IP devices in your wireless network.
Configuring Global RF Parameters
Click to set the global RF
168. eed to configure them to communicate with your network.
Connecting the AT-WA7501 to Your Wired LAN
Unless you are using the AT-WA7501 as a WAP, you need to connect it to your Ethernet or fiber optic network. To connect the AT-WA7501 to your fiber optic network, you must have a AT-WA7501 with the fiber optic option. For help, see "Connecting to Your Fiber Optic Network" on page 55.
To connect the AT-WA7501 to the Ethernet network
Attach one end of the Ethernet cable to the 10BaseT/100BaseTx port on the AT-WA7501 and attach the other end to your Ethernet network or a power bridge if you are using power over Ethernet: a Cisco power bridge or another 802.3af compliant power bridge.
Connecting the AT-WA7501 to Power
If your AT-WA7501 has the internal power supply option, you can use a power cord to connect the AT-WA7501 directly to an AC power outlet.
Caution: You must use the appropriate Allied Telesyn power supply with these devices or equipment damage may occur.
If you are using the power over Ethernet option, you must have the power bridge or another 802.3af compliant power bridge. For help, see "Connecting Power Over Ethernet" on page 59 and the documentation that came with your power bridge.
To con
169. Understanding the LEDs 17; Understanding the Ports 19; How the Access Point Fits in Your Network 22; Using One Access Point in a Simple Wireless Network 22; Using Multiple Access Points and Roaming Wireless End Devices 24; Using an Access Point as a WAP 27; Using Access Points to Create a Point-to-Point Bridge 32; Using Dual Radio Access Points for Redundancy 37; Configuring the Access Point Setting the IP Address 39; Using a Communications Program 39; Using a Web Browser Interface
170. eld in the other access points. If you enable IGMP on the root access point, the root access point uses a Class D IP multicast address to send IP hello messages through IP routers to access points on other subnets. If you enable IGMP on remote IP subnets, intermediate IP routers will forward the IP hello messages to those subnets. Normally, you should enable IGMP and configure the IP multicast address in at least one access point on each remote IP subnet. Some routers can provide proxy IGMP services for IP hosts. To create a multicast IP tunnel: 1. Make sure that end devices that will roam between the root IP subnet and the remote IP subnet have IP addresses from the root IP subnet and their default router is set the same as the root access point. There are no address restrictions for non-IP end devices. 2. Make sure that your routers are configured to pass multicast frames. 3. Make sure that the root access point and the access point at the endpoint of the IP tunnel have the same LAN ID. 4. On the root access point, set the Mode parameter to Originate if Root. For help configuring a root access point, see About the Primary LAN and the Root Access Point on page 131. 5. On the access point at the endpoint of the IP tunnel, set the Mode parameter to Listen. How Frames Are Forwarded Through IP Tunnels. 6. On the root access point, click IP Tunnels > IP Addresses. Enter
171. [Screenshot: Security > Passwords screen, with the fields Use RADIUS for Login Authorization, User Name, Password, Read Only Password, and Allow Service Password.] Verify that the Use RADIUS for Login Authorization check box is cleared. Configure the parameters. For help, see the next table. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Once the changes are activated, you must enter these new values when you use a web browser or telnet to connect to this access point. Table 3 Password Parameter Descriptions. Use RADIUS for Login Authorization: Determines if you are using a password server to authenticate end devices that can communicate with this access point. Clear this check box 18
172. ennas and work best for covering large, narrow areas or on point-to-point bridges. distribution LAN: Any Ethernet LAN attached to access points that are bridging between the Ethernet LAN and the radio network. At any given time, only one access point in a distribution LAN provides access to the Ethernet LAN for a given node in the domain. DIX: A standardized Ethernet frame format developed by Digital Equipment Corporation, Intel Corporation, and Xerox. Another frame format is 802.3. EAP: Extensible Authentication Protocol. Used in 802.1x-enabled networks. A standard mechanism for support of different authentication methods. EAP authentication types provide devices with secure connections to the network as well as protect credentials and data privacy. See also TLS and TTLS. Ethernet bridging: When an access point receives wireless traffic and the destination address is known, it forwards frames to the port with the shortest path to the destination address. When the access point has not learned the direction of the shortest path for the destination address, it forwards frames based on flooding settings to try to locate the destination address. flooding: A frame is flooded when the destination location is unknown. The destination location of a multicast frame is never known. Unicast and multicast flooding parameters determine how a flooded frame is forwarded. hello p
173. Configuring the Access Point as a DHCP Server 71; Configuring the Access Point to Send ARP Requests 77; Configuring Other Ethernet or Fiber Optic Settings 79; Configuring the Ethernet Address Table 80; Configuring Ethernet Filters 81; Chapter 4 Configuring the Radios 99; About the Radios 100; Configuring the 802.11g Radio 101; Configuring 802.11g Radio Advanced Parameters 106; Configuring 802.11g Radio Inbound Filters 108; Applying Hot Settings
174. ent software and you must log in to the server. Enter anonymous as the user name and your email address for the password. Chapter 1 Getting Started. This chapter introduces the Allied Telesyn AT WA7500 and AT WA7501 access points, explains their features, and describes how you can use them to expand your data collection network. This chapter covers these topics: Which Allied Telesyn Access Products Does This Manual Support on page 12; Overview of the AT WA7500 and AT WA7501 Access Point Products on page 13; How the Access Point Fits in Your Network on page 22; Configuring the Access Point Setting the IP Address on page 39; Saving Configuration Changes on page 45. Which Allied Telesyn Access Products Does This Manual Support: This system manual supports the AT WA7500 and AT WA7501 access points with software release 2.2. Overview of the AT WA7500 and AT WA7501 Access Point Products: The Allied Telesyn AT WA7500 and AT WA7501 access points deliver reliable and seamless wireless performance to almost any operational environment. They are designed for standards-based connectivity, and they support industry-standard IEEE 802.11g, 802.11b, and 802.11a wireless technologies. The AT WA7500 and AT WA7501 access points with an IEEE 802.11g radio installed are Wi-Fi certified
175. eq 1: The first expression that is executed. You must have an expression for each Value ID that is listed in the Filter Values menu. Offset 0: Since the filter is applied to the destination address, which is the first value in the frame, the offset is 0. Mask 01: Checks only the Ethernet multicast bit. Op EQ: Compares the value after the offset and mask are applied to the value of the Value ID from the Filter Values menu to see if they are equal. If the value at the offset equals the specified value on the Filter Values menu, the frame is multicast. Table 13 Example 2 First Filter Expression (Continued). Value ID 2: This filter expression applies to value ID 2 from the Filter Values menu. Action And: If this filter expression is true, continue to the next expression. Set the second filter expression as shown below. [Screenshot: Filter Expressions screen.]
176. er Value Explanation. Filter 1: Allow/Pass: Clear (drop); Subtype: DIX IP UDP Port; Value: 00 43. This filter drops DHCP responses to wireless end devices communicating with this access point. Filter 2: Allow/Pass: Clear (drop); Subtype: DIX IP UDP Port; Value: 00 44. This filter drops DHCP requests from DHCP clients on the Ethernet network. Configuring Advanced Filters: You can configure advanced filters if you need more flexibility in your filtering. Settings for advanced filters execute after those for other filters; that is, advanced filters are only applied if the frame has passed the other filters. You can use filter values and filter expressions to minimize network traffic over the wireless links; however, Allied Telesyn recommends that you use advanced Ethernet filters only if you have an extensive understanding of network frames and their contents. Use other existing filters whenever possible. Setting Filter Values: You can associate an ID with a pattern value by selecting a filter and then entering an ID and a value. All values with the same value ID belong to the same list. To set the value ID and value: 1. From the main menu, click Ethernet > Advanced Filters. The Filter Values screen appears. [Screenshot: Filter Values screen.]
177. erial port point to your terminal or PC. 2. Verify that you are communicating through the correct serial port. 3. Verify that your terminal or PC is set to 9600, N, 8, 1, no flow control. Verify that the baud rate is not 115200. 4. Your system may be in autobaud mode. Reboot and press a key once per second until the sign-on screen appears. Problem: You cannot connect to the access point using a web browser. Possible solutions: 1. Verify that you are not using a crossover cable if connected to a hub or a switch. Verify that you are using a crossover cable if connected directly to the PC or server. 2. Verify that you did not disable the Browser Access field in the Security screen. 3. If you access the Internet through a proxy server, be sure you have added the IP address of the access point to the Exceptions list. 4. Depending on the security configuration of your network, your PC may need to be located on the same subnet as the access point. Table 11 General Troubleshooting (Continued). Problem: You cannot ping or telnet to an access point. Possible solutions: 1. You must set an IP address and subnet mask using a communications program before you can remotely connect to the access point. 2. Verify that you did not disable the Telnet Access field in the Security screen. 3. The access point may have lost its files
178. eriod: A time increment, usually 1, 2, or 3 seconds, that determines how often the access point sends out a type of multicast frame so that it can dynamically discover and test connections to other devices in the network. Once this information is learned, the access point and routers can exchange routing information. home IP subnet: Also called the root IP subnet and primary LAN. The IP subnet that contains the root access point. If wireless end devices need to roam between IP subnets, each end device needs to have an IP address from the home IP subnet. IAPP: Inter Access Point Protocol. Access points use this protocol to communicate with each other. For example, when a wireless end device roams to a new access point, the new access point informs the old access points, via the root access point, that any traffic for the end device needs to be routed to the new access point. This protocol also allows 802.1x-ready devices to roam seamlessly through the network without having to reauthenticate after each roam. IAPP distributes security credentials throughout the network. When an end device roams from one access point to another, its credentials are also transferred. Secure IAPP prevents unauthorized Allied Telesyn access products from joining the spanning tree, and it encrypts IAPP frames. If you enable secure IAPP, access points will use SWAP to create secure wireless hops when communicating with each other.
179. ers variable takes the appropriate action and then reboots. Note: If you need to terminate the reboot, you can set nextpoweruptime to 0 if it has not already been reached by the countdown. By resetting nextpoweruptime to 0, the timer stops, so the access point does not reboot. Syntax:
sdvars set nextpoweruptime dd:hh:mm:ss
where dd:hh:mm:ss is how far in the future the reboot is to begin, and dd is days, hh is hours, mm is minutes, ss is seconds. Example: To reboot the access point 2 hours from now, enter:
sdvars set nextpoweruptime 00:02:00:00
Creating Script Files. New Sample Script for Upgrading an Access Point. You can create a script file that executes a series of commands. For example, when you upgrade the access point, you typically need to erase the flash memory segment, download the new files, and reboot using the new software. You can create a script file to perform these commands. Script files are ASCII text files with a 32-byte file system header appended. You may need to contact your local representative for a copy of the header file, called FILEHDR.EXE. Follow these rules when creating script files: The total file size, including the header, must be less than 4096 bytes, which is the size of the RAM file segment. Each line in the script file must have fewer than 80 characters. Each
180. ert a female MT-RJ connector into the fiber optic port. Do not insert a male MT-RJ connector into the fiber optic port. Figure 1 Patch Cord. Note: Inserting a male MT-RJ connector into the fiber optic port may result in unreliable operation because there is no internal mechanism to ensure the alignment of the fiber when using male-to-male connectors. Such a connection may temporarily provide some level of connectivity despite a high level of signal loss. However, any movement of the cable or change in cable tension could cause complete loss of signal. Both the connector at the other end of the patch cord and the adapter you select depend on the type of network to which the access point is connected: MT-RJ, SC, or ST. Patch cords and adapters are available from many different manufacturers. For help choosing the proper patch cord and adapter, contact your local Allied Telesyn representative. Note: All cables must be multimode 62.5/125 µm. Connecting to an MT-RJ Network: To connect to an MT-RJ network, you need a patch cord with a female MT-RJ connector to insert into the access point's male MT-RJ fiber optic port and another female MT-RJ connector to insert into the MT-RJ adapter, and an adapter for connecting the patch cord to the MT-RJ network. To connect to an MT-RJ network: 1. Remove any cable protectors attached to the patch cord and adapter. 2. Connect the access po
181. es to associate with this access point. Although this setting is 802.11 compliant, it is not very secure. Check this check box to prevent end devices whose SSID is ANY or is left blank from associating with this access point. Beacon Period: Specifies how often the access point sends out a beacon frame. This rate is in TU. A TU is 1024 ms and is often considered to be equivalent to 1 ms. DTIM Period: Specifies the number of beacon periods to skip before including a DTIM (delivery traffic indication message) in a beacon frame. Setting a higher DTIM period may conserve battery life in an end device, but it may increase response time. When configuring a master radio, you can filter different types of wireless traffic that it may receive. You may want to use this feature by itself or with an access control list (ACL) to help secure your network. If you clear all the check boxes, the radio cannot communicate with any other radios. You check the Allow IAPP check box so the access point can communicate with other access points and participate in the spanning tree. You can use this feature to form a secure wireless hop: clear all check boxes except for the Allow IAPP check box. Or, you may want to use this feature in a terminal emulation environment when you know the end devices are sending only UDP Plus or Wireless Transport Protocol (WTP) frames. Check the Allow UDP Plus check box or the Allow Wireless Transport Prot
182. es TFTP client commands (get and put) until the command is successfully completed. If the first attempt fails, the access point retries after a one-minute delay. With each successive failure, the retry time doubles until it reaches eight minutes. Once this limit is reached, it remains at eight minutes until the command is completed. In general, TFTP client sessions should fail only if the server is not responding, either because it is busy serving other clients or because it has not been started. In either case, the access point backoff algorithm should prevent excessive network traffic when many access points are trying to contact a TFTP server. TFTP GET. Purpose: TFTP client requests a file from the TFTP server. Note: You must use the FE command to erase the segment before you execute a TFTP GET command. If you do not erase the segment, you may get a "can't write file" error. Syntax: TFTP GET IPaddress foreignfilename localfilename, where IPaddress is the IP address or DNS name of the server. You can use an asterisk here if you want to use the value in the internal variable serveripaddress, as defined on page 293. foreignfilename is the name of the file on the server. The filename can contain directory path information and must be in the format required by the server operating system. The file must already have the appropriate file header before the transfer to th
183. ess Read Only. Allow ICMP: range Check/Clear; default Check. (Columns: Parameter Name, Range, Default, Your Site Configuration.) Use RADIUS for Login Authorization: range Check/Clear; default Clear. User Name: range 1 to 32 characters, not case sensitive; default atilan. Password: range 1 to 32 characters, not case sensitive; default atilan. Read Only Password: range 1 to 32 characters, not case sensitive; default blank. Allow Service Password: range Check/Clear; default Check. IEEE 802.11 b or a Radio Security Menu Defaults. Enable ACL Client Authorization: range Check/Clear; default Clear. Enable Alternative Method ACL: range Check/Clear; default Clear. ACL RADIUS Client Password (appears if Enable ACL Client Authorization is enabled): range 1 to 31 characters, must match the password configured in the external RADIUS server; default wireless. VLAN 1 4094 1 Disabled. Security Level: range None, Static WEP, Dynamic WEP 802.1x, WPA PSK, WPA 802.1x; default None. If Security Level is Static WEP: WEP Transmit Key: range 1, 2, 3, or 4; default 1. WEP Key 1 to 5 ASCII 80211 4 characters or hex pairs to 16 ASCII characters or hex pairs. If Security Level is Dynamic WEP 802.1x: RADIUS Server List Menu Defaults. Parameter Name, Range, Default, Your Site. Key Rotation Any
184. [Screenshot: Customizable Subtype Filters screen, with the columns Allow/Pass, SubType, and Value.] 2. For each frame subtype field, check or clear the Allow/Pass check box to configure if the frame subtypes are passed or are dropped. If you check the check box, the frame subtype is allowed to pass. 3. In the SubType field, choose the customizable frame subtype. For help, see the next table. 4. In the Value field, enter the two hex pairs. For help, see the next table. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 5 Subtype Filter Descriptions (columns: Subtype, Value). DIX IP TCP Port: Port value in hexade
185. esses. These filters do not prevent wireless traffic from reaching the Ethernet network. For this example, set these filter values. [Screenshot: Ethernet > Advanced Filters > Filter Values screen.] Table 10 Example 1 Filter Values (columns: Value ID, Value, Description). Value ID 1: ff ff ff ff ff ff. Allows multicast traffic to enter the wireless network, which is necessary for IP end devices to communicate. Value ID 2: 00 02 2d 04 b7 a4. The MAC address of an end device you want to be able to communicate. Value ID 3: 00 02 2d 0d 54 25. The MAC address of an end device you want to be able to communicate. For this example, set these filter expressions. [Screenshot: filter expressions for this example.]
186. et [Figure: primary LAN (root IP subnet) connected through IP routers and an IP network to a secondary LAN (remote IP subnet) with a designated bridge.] IP tunnels use encapsulation to establish a virtual LAN (VLAN) segment through IP routers. The VLAN segment includes the root IP subnet and logically extends to include end devices attached to access points on remote IP subnets. IP tunnels are branches in the spanning tree topology. Any access point on a secondary LAN that can receive IP hello messages can be the endpoint of an IP tunnel. Usually, the access point that is the endpoint of an IP tunnel is also the designated bridge. After an IP tunnel is formed between the root access point and an access point on a remote IP subnet, end devices can roam to the remote IP subnet. End devices must have an IP address from the root IP subnet. However, there are no address restrictions for non-IP end devices. When end devices roam to the remote IP subnet, their data is IP tunneled back to the root IP subnet, where it belongs, and everything works properly. If you have a DHCP server in your network, it must be on the root IP subnet. All access points on secondary LANs must have permanent IP addresses. On the root access point, you must allow IP multicast frames to pass. Cre
187. et is Master, up to three secondary service sets may be set to Master. If the primary service set is Station, all secondary service sets are disabled and do not appear on screen. If the primary service set is Disabled, all secondary service sets and the physical radio are disabled. SSID (Network Name): Enter a unique SSID for each service set. You can enter up to four SSIDs for this radio. The SSID is case sensitive and cannot be more than 32 alphanumeric characters. 802.11a radios communicate with other 802.11a radios with the same SSID. You need to assign the same network name to the wireless end devices that will connect to the radio. Table 9 Worldwide Frequencies for the 802.11a Radio (columns: Channel, FCC, ETSI, France, Japan, Israel): 36, 5180, N/A, N/A, N/A, N/A, default; 40, 5200, N/A, N/A, N/A, N/A; 42, 5210 Turbo, N/A, N/A, N/A, N/A; 44, 5220, N/A, N/A, N/A, N/A; 48, 5240, N/A, N/A, N/A, N/A; 50, 5250 Turbo, N/A, N/A, N/A, N/A; 52, 5260, N/A, N/A, N/A, N/A, default; 56, 5280, N/A, N/A, N/A, N/A; 58, 5290 Turbo, N/A, N/A, N/A, N/A; 60, 5300, N/A, N/A, N/A, N/A; 64, 5320, N/A, N/A, N/A, N/A. Channels marked with an asterisk are not available in the mid-range radio. If you set the Frequency parameter to Dynamic, turbo channels are never selected. FCC countries include the United States, Canada, China, Taiwan, India, Thail
188. eters. Set Locally: The designated bridges control flooding on their LANs. Table 7 Global Flooding Parameter Descriptions (Continued). Allow Multicast Outbound to Terminals: Appears only if Multicast Flooding is enabled. Determines if outbound multicast frames with unknown destination addresses are flooded toward end devices. Typically, this parameter is checked. However, if your wired devices do not need to initiate communication with wireless end devices, you may want to clear this check box. Unicast Flooding: Determines the flooding structure when this access point receives inbound unicast frames on non-root ports with unknown destination addresses. Disabled: You do not want the access point to flood any inbound unicast frames. Universal: The access point forwards the unicast frame to every port. This option uses more bandwidth. Hierarchical: The access point forwards the unicast frame only to the port to which the root access point is attached. Unicast Outbound to Secondary LANs: Appears only if Unicast Flooding is enabled. Specifies if outbound unicast frames with unknown destination addresses are flooded toward secondary LANs. Enabled: The root access point controls flooding for all the designated bridges on secondary LANs. Enabling this parameter makes managing secondary LANs easier because you do not n
189. [Screenshot: Frame Type Filters settings.] AP2 and AP4 (designated bridge) service end devices and the IP host and IPX host on the secondary LAN. Also, these access points pass IPX traffic. The IPX router in this network periodically sends IPX RIP frames for coordinating with other routers. These do not need to be forwarded to the secondary LAN because the secondary LAN does not contain a router. To filter the IPX RIP frames, you need to configure subtype filters. This example sets filters for three different cases: DIX 802.2 and 802.3 SNAP frames. In many actual networks, only one type of filter is required because all stations are configured using one of the three options. For this example, set these options on the Ethernet Frame Type Filters screen. [Screenshot: Frame Type Filters screen.]
190. Configuring WEP 64/128/152 Security 191; Implementing an 802.1x Security Solution 194; Configuring Wi-Fi Protected Access (WPA) Security 201; Chapter 7 Configuring the Embedded Authentication Server (EAS) 207; About the Embedded Authentication Server (EAS) 208; About Certificates 209; Understanding Which Access Points Need Certificates 209; Understanding Which Certificates Are Installed by Default 210; Viewing the Certificates Installed on an Access Point 210; Installing and Uninstalling Certificates 211; Configuring the EAS
191. ext Hop: Displays the path to the root access point of the spanning tree via this connection. IP Address: The IP address associated with this device, if discovered by the access point. Click the hyperlink to perform the ICMP Echo (ping). The AP Neighbors screen provides information on all the access points, even hidden access points, in the area. It displays information gathered by the radios receiving beacons from other sources as it operates on a specific channel. You can use this screen to help you distribute channels for maximum wireless network performance and identify interference problems. To view AP neighbors: From the menu, click Maintenance > AP Neighbors. The AP Neighbors screen appears. For help interpreting the information on this read-only screen, see the next table. [Screenshot: AP Neighbors screen listing, for each radio, the neighbors' Address, Channel, Signal (dBm), SSID, Age (sec), and Capabilities.]
192. ext table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 4. If you set the Scope field to Unlisted for any of the frame types, you must also configure predefined subtype filters or customizable subtype filters. For help, see Using Predefined Subtype Filters on page 154 or Customizing Subtype Filters on page 154. Table 4 Frame Type Filter Descriptions (columns: Frame Type, Explanation). DIX IP TCP Ports, DIX IP UDP Ports, SNAP IP TCP Ports, SNAP IP UDP Ports: Primary Internet Protocol Suite (IP) transport protocols. DIX IP Other Protocols, SNAP IP Other Protocols: IP protocols other than TCP or User Datagram Protocol (UDP). DIX IPX Sockets: Novell NetWare protocol over Ethernet II frames. SNAP IPX Sockets: Novell NetWare protocol over 802.2 SNAP frames. 802.3 IPX Sockets: Novell NetWare protocol over 802.3 RAW frames. DIX Other Ethernet Types, SNAP Other Ethernet Types: DIX or SNAP registered protocols other than IP or IPX. 802.2 IPX Sockets: Novell running over 802.2 Logical Link Control (LLC). 802.2 Other SAPs: 802.2 SAPs other than IPX or SNAP. Note: You should not filter HTTP, Telnet, SNMP, and ICMP frames if you are using IP
193. ffice walls the signal range may decrease to 91 m 300 ft Using the proper antennas for your environment and placing them in the proper areas can help improve range For information about antenna options contact your local Allied Telesyn representative Here are some general guidelines for positioning antennas o Place the antenna as high as possible In an office environment try to place it above cubicle walls o Keep the line of sight between the antennas and wireless end devices clear of metal surfaces like beams or girders and large quantities of paper products O Do not place a sheet of metal such as a filing cabinet between two antennas These next sections provide detailed information about antenna placement for those access points that can have more than one antenna Positioning Antennas for 802 11 802 11b and 802 11a Radios AT WA7500 and AT WA7501 Installation and User s Guide The 802 11g and 802 11b radios have two ports one is a transmit receive port primary and the other is a receive only port secondary The 802 11a radios have two ports both ports are transmit receive ports Allied Telesyn recommends that you use two antennas for optimal performance of the radios If you only attach one antenna to the 802 11g or 802 11b radio you must attach it to the primary port Use antenna connectors 1 and 2 or 3 and 4 to attach antennas to the send receive ports Table 1 Recommended Antenna Separation
194. ficate 802 11g Radio Valid From Oct 30 12 50 50 2002 GMT 802 11a Radio f RADIUS Server List Valid To Oct 30 12 50 50 2037 GMT Spanning Tree Security Embedded Authentication Server B Certificate Details CA Certificate Security Events Ga Maintenance None Installed Active i 210 The Server Certificate table lists the server certificate that is installed and the CA Certificate table lists the trusted CA certificate that is installed Installing and Uninstalling Certificates AT WA7500 and AT WA7501 Installation and User s Guide Once you have determined that you need to install a certificate use this procedure To install certificates 1 From the main menu click Security gt Certificate Details The Certificate Details screen appears Click Install certificates in the certificate store The Import Certificate screen appears Note If you are not using the secure web browser you will be prompted to log in again Click A secure session is available and log in to the access point If a Security Alert dialog box appears click Yes to proceed Repeat Steps 1 and 2 MVE Alied Telesyn Secure Access Point Simply connecting the world Configuration Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Certificate Impo TCP IP Settings 802 11g Radio Warning Do not close or navigate away from this pa
195. file tftp get software fsys dnl1 1 file tftp get software help dnl 1 file tftp get software hlp dnl 1 file tftp get software jsutil dnl 1 file tftp get software login dn 1 file tftp get software logo dn 1 1 file tftp get software logo2 dn1 1 file tftp get software menu dnl1 1 file tftp get software netdwnl dnl1 1 file tftp get software open dn 1 file tftp get software sftdwnl dnl 1 file tftp get software sta3890 dnl1 1 file tftp get software stastats dnl 1 file tftp get software tbldata dnl 1 file tftp get software tftpcl dnl 1 file tftp get software tftpsrv dnl 1 file tftp get software welcome dnl 1 file sdvars set checkpoint 5 file sdvars set NextPowerUpTime 00 00 00 5 299 Chapter 9 Additional Access Point Features 300 Legacy Sample Script for Upgrading Any Access Point This sample script file was created for older access points with multiple segments Although this script specifies segments that do not exist on AT WA7500 and AT WA7501 access points you can run this script on the access points without generating errors For help understanding these commands see the command descriptions in this chapter Sample script file for upgrading an access point Step 1 Delete files file sdvars set checkpoint 1 file fe ib file fe id Step 2 Get boot files file sdvars set checkpoint 2 file tftp get data bootchk dn1 ib file tftp get startup uap dn1 ib file
196. for interoperability with other 802 11g and 802 11b wireless LAN devices The AT WA7500 and AT WA7501 access points with an IEEE 802 11g radio installed are Wi Fi certified for interoperability with other 802 11b and 802 11g wireless LAN devices The AT WA7500 and AT WA7501 access points with an IEEE 802 11b radio installed are Wi Fi certified for interoperability with other 802 11b wireless LAN devices The AT WA7500 and AT WA7501 access points with an IEEE 802 11a radio installed are Wi Fi certified for interoperability with other 802 11a wireless LAN devices The Allied Telesyn access family consists of these access points o AT WA7500 o AT WA7501 The access point can be configured as an access point or as a point to point or point to multipoint bridge Normally an access point is connected to a wired local area network LAN and provides network access for wireless end devices A point to point bridge connects two wired LANs and is often used to provide wireless communications in locations where running cable is difficult such as across roads or between buildings A point to multipoint bridge not only connects two wired LANs but also communicates with wireless end devices An access point can also be configured as a wireless access point WAP or repeater A WAP is not connected to a wired LAN it receives data from wireless end devices and forwards the data to an access point that is connected to the wired LAN A WAP is u
197. g Configuration Changes on page 45 Table 10 802 11a Radio Advanced Parameter Descriptions Parameter Description Power Output Level Set the transmitted power level Maximum Sets the output power to the highest level supported by the radio Medium Sets the output power to 3 dB lower than the highest level supported by the radio Low Sets the output power to a level higher than the lowest level supported by the radio Minimum Sets the output power to the lowest level supported by the radio Lowering the power output level reduces the radio coverage for this area and reduces the range for this radio AT WA7500 and AT WA7501 Installation and User s Guide Table 10 802 11a Radio Advanced Parameter Descriptions Continued Parameter Description Data Rate Allow Data Rate Choose the rate at which the access point transmits data In general higher speeds mean shorter range and lower speeds mean longer range If you choose the Speed Mode to be 802 11 compliant you can set this rate to 54 48 36 24 12 or 6 Mbps Determines if you want the radio to drop to a Fallback slower data rate when it has trouble communicating with another radio If this parameter is disabled the Basic Rate parameter is not available because the basic rate becomes the same value as the Data Rate parameter Basic Rate Appears only if the Allow Data Rate Fallback parameter is enable
198. ge during import
[Screen: Import Certificate. Options: Server Certificate, Trusted CA Certificate. Fields: Enter or select the name of the certificate file to import (with Browse); Enter the associated passphrase for this certificate. Button: Import Certificate]
Click Server Certificate or Trusted CA Certificate. In the Enter or select the name of the certificate file to import field, enter the path and filename of the server certificate. Or, click Browse to locate the certificate. (Server Certificate only) In the Enter the associated passphrase for this certificate field, carefully enter the passphrase for the certificate. Click Import Certificate.
Chapter 7 Configuring the Embedded Authentication Server (EAS)
To uninstall all certificates
Note If you follow the procedure to uninstall all certificates, you will lose the unique server certificate and the trusted CA certificate. You will need to contact your local Allied Telesyn representative to purchase new certificates.
1 From the main menu, click Security > Certificate Details. The Certificate Details screen appears.
2 Click Uninstall All Certificates. The unique server certificate and the trusted CA certificate are deleted. You can still use the secure web browser interface and install new certificates using the default certificate (ValidforHTTPSOnly).
199. gs screen appears MV Allied Telesyn Simply connecting the world Access Point Configuration Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Help Spanning Tree Settings TCP IP Settings 802 11g Radio a 802 11a Radio aa Spanning Tree Settings Global Flooding Telnet Gateway Ethernet P Tunnels a Network Management Security Maintenance Submit Changes Global RF Parameters AP Name LAN ID Domain Root Priority Enable GVRP for VLAN Enable Ethernet Bridging Secondary LAN Bridge Priority fiesase7eoo1 Kii IV IV i Secondary LAN Flooding Outbound Disabled x Co eS ing Tree Securit 2 Check or clear the Enable GVRP for VLAN check box O Check the check box if the VLAN switch is configured to dynamically configure its ports based on the end devices needs O Clear the check box if the VLAN switch is statically configured to always forward specific VLANs to specific ports 3 Click Submit Changes to save your changes 4 From the main menu click Security If you have enabled more than the primary service set you can configure each secondary service set for a different VLAN AT WA7500 and AT WA7501 Installation and User s Guide 5 Under the Security link click the radio service set you want to configure for the VLAN This screen appears MAW Alied Telesyn Acce
200. hanges on page 45
Table 7 802.11b Radio Inbound Filter Descriptions
Parameter | Description
Allow IAPP | Determines if this radio accepts IAPP (Inter Access Point Protocol) frames from other access point station radios. The IAPP frames must match Ethernet protocol 875c.
Allow Wireless Transport Protocol (WTP) | Determines if this radio accepts WTP frames from end devices. The WTP frames must match Ethernet protocol 875b.
Allow SpectraLink Voice Protocol (SVP) | Determines if this radio accepts SVP frames from voice wireless telephones. The SVP frames must match IP 119.
Allow UDP Plus (UDP IP Port 5555) | Determines if this radio accepts UDP Plus frames from end devices. The UDP Plus frames must match the UDP network port 5555 on the DCS 30X Allied Telesyn Gateway or ARP.
Allow DHCP | Determines if this radio accepts DHCP frames. The DHCP frames must match UDP destination port 67 and ARP. Check this check box if the end devices are DHCP clients.
Allow All Other Protocols | Determines if this radio accepts all other protocols that are not filtered by one of the filters in this screen.
Configuring the 802.11a Radio
The 802.11a radio will communicate with other 802.11a radios that have the same
o SSID (Network Name)
o Security
For each radio you can assign up to four SSIDs creating one primary service set and up to
201. he Certificates Installed on an Access Point
Your access point comes from the factory with a unique server certificate with a unique common name and passphrase. It also comes with a trusted CA certificate that supports clients running the TLS authentication type. These certificates support the secure web browser interface and provide basic security for all authentication types.
Note Access points also come with a default server certificate (ValidforHTTPSOnly). This default certificate supports the secure web browser interface and provides basic security for clients running the TTLS authentication type.
As described in the previous section, you may also need a trusted CA certificate and/or a unique server certificate, depending on how you use the access point. You can view the Certificate Details screen to determine which certificates are installed on the access point.
To view the certificates
o From the main menu, click Security > Certificate Details. The Certificate Details screen appears.
[Screen: Certificate Details. Link: Install certificates in the certificate store. Server Certificate table: Status Default; Common Name (CN) ValidForHTTPSOnly; Issuer Common Name (CN) Intermec Technologies Corporation Root Certi
202. he IP address or DNS name of the console. Or, leave this field blank and the access point sends out a broadcast request looking for any available agent.
3 Click Submit Changes to save your changes.
4 From the main menu, click Security. The Security page appears.
[Screen: Security. Fields shown: Browser Access Enabled (Port 80, 443); Allow Telnet Access (Port 23); Allow SNMP Access (Port 161, 162); Allow TFTP Access Read Only; Allow ICMP Configuration]
5 Verify that the Allow Avalanche Access check box is checked.
6 Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45.
7 Repeat Steps 1 through 6 for each access
203. he IP subnet that contains the root access point The primary LAN is typically the LAN on which the servers are located QFSK Quad Frequency Shift Key A broadcasting method that shortens the range but doubles the throughput as compared to the BFSK method In access points using a 2 4 GHz OpenAir radio the radio can automatically switch between QFSK and BFSK as needed if the transmit mode is set to AUTO remote IP subnet An IP subnet that is separated from the primary IP subnet primary LAN by a router Remote IP subnets communicate with the primary LAN through IP tunnels A remote IP subnet is a type of secondary LAN root access point The access point with the highest root priority becomes the root of the network spanning tree If the root becomes inactive the remaining root candidates negotiate to determine which access point becomes the new root The root can be used to set system wide flooding and RF parameters The root is also the only node in the network that can originate IP tunnels AT WA7500 and AT WA7501 Installation and User s Guide root port The access point port that provides the inbound connection to the spanning tree The root port provides a link to a parent access point Note that a root access point does not have a root port root IP subnet Also called the home IP subnet and primary LAN The IP subnet that contains the root access point If wireless end devices need to roam between IP subnets each end
204. he Type field, choose the authentication type and then enter the information for each end device. For help, see Chapter 7, Configuring the Embedded Authentication Server (EAS), on page 207.
o For help configuring an external RADIUS server, see the documentation that came with your server. You need to enter each authenticator's IP address and the shared secret key. In the database, you need to enter the information for each end device.
Chapter 6 Configuring Security
Configuring WPA PSK Security
[Screen: radio security settings. Fields: Enable ACL Client Authorization, VLAN, Security Level (WPA PSK), Multicast Encryption Type, Pre shared Key, Key Rotation Period (Minutes)]
Table 6 WPA PSK Security Parameter Descriptions
Parameter | Explanation
Multicast Encryption Type | Indicates that TKIP is used as the data encryption method for broadcast and multicast for this radio port. A station connected to this port may not select a weaker encryption method to exchange unicast frames.
Pre
205. he following router protocol types and decimal values m o2 aoao n DGP 86 Dissimilar Gateway Protocol EGP 8 Exterior Gateway Protocol IDPR 35 Inter Domain Policy Routing Protocol IDRP 45 Inter Domain Routing Protocol IGP 9 Interior Gateway Protocol IGRP 88 MHRP 48 Mobile Host Routing Protocol OSPFIGP 89 Open Shortest Path First Interior Gateway Protocol IP ICMP Internet Control Message Protocol types g o g m IPv6 Mobile IP Router Advertisement Router Selection IP UDP User Datagram Protocol frames with the following destination protocol port numbers g o m BGP 179 Border Gateway Protocol RAP 38 Route Access Protocol RIP 520 Routing Information Protocol IP TCP frames with the following destination or source protocol port numbers m m BGP 179 Border Gateway Protocol RAP 38 Route Access Protocol 147 Chapter 5 Configuring the Spanning Tree Configuring IP Tunnels For guidelines see About IP Tunnels on page 140 To configure the IP Tunnels screen 1 From the main menu click IP Tunnels The IP Tunnels screen appears MV Allied Telesyn Access Point Configuration Simply connecting the world Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Help IP Tunnels B TCPAP Setti ngs e Submit Changes E Ga 302 11g Radio Ga 802 11a Radio Mode Listen
206. he root priority to a number that is greater than the root priority of the secondary LAN bridge The access points will not form a point to point bridge if the primary LAN bridge has a lower root priority than the secondary LAN bridge O On the secondary LAN bridge set the root priority to 0 and the secondary LAN bridge priority to a number other than 0 You may also need to adjust the flooding parameters Here are some recommendations O If there are no end devices on the secondary LAN the bridge on the secondary LAN can use the default flooding settings The Secondary LAN Flooding parameter is disabled O If there are end devices on the secondary LAN the bridge on the secondary LAN should have Secondary LAN Flooding parameter set to Multicast If you also want unicast flooding you can set this parameter to Enabled O If there are end devices on the secondary LAN and the end devices communicate with end devices on another secondary LAN the root access point should have its Multicast Flooding parameter set to Universal This setting ensures that all ARP requests and multicast traffic is distributed through a second or third hop To install a point to point or a point to multipoint bridge 1 Follow the instructions for installing a simple wireless network in the section Using One Access Point in a Simple Wireless Network on page 22 2 Configure the LAN ID For help see Configuring the Spanning Tree Parameters on page 1
207. hello messages and attach to the network on the optimal path to the root. A non-root access point also transmits hello messages after it is attached to the network. Each hello message contains the LAN ID of the access point that originated the message. IAPP does not allow wireless links to exist between access points that do not have matching LAN IDs.
To configure a root access point
1 Using the selection criteria listed earlier in this section, determine which access point to configure as the root.
2 On that access point, from the main menu click Spanning Tree Settings. The Spanning Tree Settings screen appears.
Configure the LAN ID. All access points that want to participate in the spanning tree must have the same LAN ID. Set the Root Priority parameter to be the highest number of all access points on the primary LAN. Verify that the Enable Ethernet Bridging check box is checked. The range is 1 to 7. The value 1 is the highest priority. Verify that the Secondary LAN Bridge Priority is zero. Verify that the Secondary LAN Flooding parameter is Disabled. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45.
About Secondary LANs and Designated Bridges
There are two types of secondary LANs
o A wireless secon
208. herType SNAP IP TCP Port SNAP IP UDP Port SNAP IP Protocol SNAP IPX Socket SNAP EtherType 802 3 IPX Socket 802 2 IPX Socket 802 2 SAP DIX IP TCP Port Value Two sets of hexadecimal pairs 00 through FF 00 00 Filter Values Value ID Value blank Filter Expressions ExprSeq Offset Mask blank Op EQ NE GT LE EQ Value ID 333 Parameter Name Range Default Your Site Action And Pass Drop And IP Tunnels Menu Defaults AT WA7500 and AT WA7501 Installation and User s Guide Tunnels Filter Menu Defaults Parameter Name Range Default Your Site Mode Listen Originate If Listen Root Disabled Enable IGMP Check Clear Clear Appears if Mode is Listen Allow IP Multicast Check Clear Clear Appears if Mode is Originate if Root Multicast Address 4 nodes 0 to 255 224 0 1 65 IP Addresses 1 through 8 4 nodes 0 to 255 blank or DNS name up to 31 characters Parameter Name Range Default Your Site Frame Type Filters Allow Pass Check Clear Clear Scope Unlisted All Unlisted Predefined Subtype Filters Allow Pass Check Clear Clear except Check for NNL Customizable Subtype Filters Allow Pass Check Clear Clear 335 Appendix B Default Settings 336 Par
209. hrough FF AT WA7500 and AT WA7501 Installation and User s Guide Telnet Gateway Configuration Menu Defaults halt Range Default Your Site ame Host Name IP address or blank DNS name Host Port 23 23 Term Port Off 23 5000 Off 5001 5002 5003 5004 5005 5006 5007 5008 5008 Idle Time Any number 0 disabled Lost Time Any number 0 disabled 331 Appendix B Default Settings Ethernet Configuration Menu Defaults Ethernet Advanced Filters 332 Menu Defaults Parameter Range Default Your Site Name Port Type 10 100 Mb Twisted 10 100 Mb Pair Twisted Pair 100 Mb Fiber Optic Link Speed Auto Select 100 Auto Select Mbps Full Duplex 100 Mbps Half Duplex 10 Mbps Full Duplex 10 Mbps Half Duplex Enable Link Check Clear Clear Status Check Address Table 1 through Six sets of 00 00 00 00 00 20 hexadecimal pairs 00 00 through FF Frame Type Filters Allow Pass Check Clear Check Scope Unlisted All Unlisted Predefined Subtype Filters Allow Pass Check Clear Check Parameter Range Default Your Site Name Customizable Subtype Filters Allow Pass Check Clear Check AT WA7500 and AT WA7501 Installation and User s Guide Parameter Name Range Default Your Site SubType DIX IP TCP Port DIX IP UDP Port DIX IP Protocol DIX IPX Socket DIX Et
210. i Fi Power Output Maximum Maximum Level Medium Low Minimum Mixed Mode Optimize Mixed Optimize Mixed Performance 802 11b and 802 11b and 802 119 802 119 Optimize for 802 119 clients Optimize for 802 11b clients 321 Appendix B Default Settings 322 Parameter Name Range Default Your Site Disallow Check Clear Clear Network Name of ANY DTIM Period 1 to 65535 1 Inbound Filters Primary Only Allow IAPP Check Clear Check Allow Check Clear Check Wireless Transport Protocol WTP Allow UDP Check Clear Check Plus UDP IP Port 5555 Allow DHCP Check Clear Check Allow All Check Clear Check Other Protocols AT WA7500 and AT WA7501 Installation and User s Guide IEEE 802 11b Radio Menu Defaults Parameter N Range Default Your Site ame Node Type Master Station Master Disabled SSID Network 0 to 32 atilan Name characters Frequency Channel 1 to Channel 03 11 2422 MHz 2412 to 2462 MHz Advanced Configuration Data Rate 11 5 5 2 or 1 11 Mbps High Mbps Allow Data Check Clear Check Rate Fallback Basic Rate 11 5 5 2 or 1 2 Mbps Mbps Standard Enable Check Clear Clear Medium Reservation Reservation 1 to 65535 500 Threshold Appears if Enable Medium Reservation is enabled Distance Large Medium Large Between APs or Small Enable Check Clear C
211. i antennas you can mount them along a single axis to minimize the antenna to antenna coupling Primary antenna for Radio 1 Secondary antenna for Radio 1 All four antennas are mounted along a single axis Access Point Secondary antenna for Radio 2 Primary antenna for Radio 2 Differences in Antenna Diversity Among 802 11b and 802 11a Radios Antenna diversity works differently for 802 11b radios than for the 802 11a radio Currently the 802 119 radio with software release 2 2 does not support antenna diversity Antenna Diversity for 802 11b Antenna diversity lets you attach two antennas to one radio to increase the odds of receiving a better signal on either of the antennas The 802 11b radio features antenna diversity If you are using antenna diversity placement of the antennas is critical because each antenna has a particular function Antennas placed too close together may cause interference with each other Antennas placed too far apart may not be able to establish two way communications with other radios AT WA7500 and AT WA7501 Installation and User s Guide To achieve optimum placement for the two antennas you must place the transmit receive antenna so that it is within range of all the radios that the receive only antenna can hear Note these important points oO Use external antennas to achieve the recommended antenna separation for placement of either omni or directional antennas 0 Position omni a
212. icates encrypt communication between the internal RADIUS server RADIUS clients and the supplicants and HTTPS clients.
There are two types of certificates
o The trusted certificate authority (CA) certificate, commonly referred to as the root certificate or root cert, is the public key. Trusted CA certificates can be in PEM format or CER format. They can contain several trusted CAs, but should be kept to a maximum file size of 2Kb.
o The server certificate, sometimes referred to as the client certificate, is the private key. Server certificates can be in either PKCS12 P12 PFX or PEM format.
The next table summarizes when an access point needs to have a CA certificate and/or a server certificate installed on it.
Table 2 Access Points and Certificates
Access Point | CA Certificate Needed | Server Certificate Needed
If you want to use the secure web browser (HTTPS) on this access point | No | Yes
If this access point is an authentication server in your 802.1x enabled network | Yes | Yes
If this access point is a supplicant (EAP TTLS client) | Yes | No
If this access point is a supplicant (EAP TLS client) | Yes | Yes
If this access point is a backup RADIUS server | No | Yes
If the child access point is using SWAP and is an authenticator access point | No | No
Understanding Which Certificates Are Installed by Default
Viewing t
213. ice radio in both the user name and password fields. For help, see Chapter 7, Configuring the Embedded Authentication Server (EAS), on page 207.
o For help configuring an external RADIUS server database, see the documentation that came with your server. In the database, you will also need to enter the ACL RADIUS client password. The default password is wireless (case sensitive).
Configuring VLANs
Virtual LANs (VLANs) make it easy to create and manage logical groups of wireless end devices that communicate as if they were on the same LAN. You can group all wireless users on a particular VLAN in order to manage the IP address space differently. Or, you can use VLANs to separate secure and non-secure traffic. For example, you may grant your employees full access to your network while routing all traffic from visitors to the Internet. The access points may be configured to participate in a properly configured VLAN.
As described on pages 74 and 89, you can configure each 802.11g and 802.11a radio with up to four SSIDs, creating up to four service sets. Each service set shares one physical radio configuration, but you may customize its security configuration. Therefore, each service set can be configured to support a separate VLAN. However, an 802.11b radio can be configured with only one SSID. Therefore, each 802.11b radio can support only one VLAN and you would need multiple 802
214. ick Save Changes and Reboot. For help, see Saving Configuration Changes on page 45.
6 Configure the RADIUS server by clicking Select a RADIUS server for 802.1x authentication. The RADIUS Server List screen appears.
[Screen: Security, RADIUS Server List. One row per server; columns: IP Address or DNS Name, Secret Key, Port, 802.1x, ACL, Login]
7 For each authentication server, enter the IP address or DNS name, enter the shared secret key, port number, and check the 802.1x check box.
Note If you enter more than one authentication server, see page 132 for a description of how the access point uses the servers.
8 Configure the database. Depending on the authentication type, enter the information for each end device that is allowed to communicate with the 802.1x network
215. Chapter 9 Additional Access Point Features
Understanding the Access Point Segments
Understanding Transparent Files
Using the AP Monitor
Entering the AP Monitor
Using AP Monitor Command
Using Content Addressable Memory CAM Mode Commands
Using Test Mode Command
Using Service Mode Commands
Using Command Console Mode
Entering Command Console Mode
Using the Commands
Using TLR Command
216. if it has not already been reached by the countdown. Resetting starttime to 0 stops the timer and the download process.
sdvars set checkpoint
Purpose: Sets the internal variable called checkpoint to a specified value. The checkpoint variable is useful for monitoring the progress of a script file as it is executed. You can set the checkpoint variable to a different value after each script command and then query the checkpoint value using SNMP to determine the progress of the download.
Syntax: sdvars set checkpoint value
where value is a whole number.
Example: Consider the following script file commands:
    sdvars set checkpoint 1
    fe 1
    sdvars set checkpoint 2
    TFTP get ap824x prg 1
    sdvars set checkpoint 3
    reboot
When the software download is started, you can use SNMP to query its progress by reading the checkpoint variable. If the variable has a value of 2, you know that the access point is trying to execute the TFTP get statement. If the value is 3, you know the script has completed and the reboot was executed. The value of the checkpoint variable may also be helpful in determining where an error occurred if the script fails.
sdvars set terminate
Purpose: Sets the internal variable terminate to a specified value. Use terminate to stop a countdown process in the access point. If either starttime or nextpoweruptime is counting down, setting this variable stops the timer
217. ing the Access Point as a DHCP Server on page 71. For help, see Table 4, "DHCP Server Setup Parameter Descriptions," on page 74.

Allied Telesyn recommends that you change the IAPP secret key from the default for security reasons.

Table 8 Alphabetized List of Configuration Error Messages (Continued)

Configuration Error Message | Additional Information
The IP Address is zero. | For help, see "Configuring the TCP/IP Settings" on page 66.
The IP Address and IP Router must share the same subnet. | For help, see "Configuring the TCP/IP Settings" on page 66.
The IP Subnet Mask is invalid. | For help, see "Configuring the TCP/IP Settings" on page 66.
The IP Subnet Mask should not be zero. | For help, see "Configuring the TCP/IP Settings" on page 66.
The login password has not been changed from its default value. |
The RADIUS server shared secret has not been changed from its default value. |
The read-only password has the same value as the read-write password. |
There are TLS entries in the embedded authentication server database, but no CA certificate is installed. | You need to install a trusted CA certificate. For help, see "Installing and Uninstalling Certificates" on page 211.
This device is configured as a login RADIUS server, but no login database entries exist. | For help see Ta
218. ing the Required Patch Cord and Adapter on page 55.

Connecting to an ST Network

To connect to an ST network, you need:
- a patch cord with a female MT-RJ connector to insert into the access point's male MT-RJ fiber optic port and an ST connector to insert into the ST adapter.
- an adapter for connecting the patch cord to the ST network.

To connect to an ST network:
1. Remove any cable protectors attached to the patch cord and adapter.
2. Connect the access point to your network as shown in the next illustration.

[Illustration: patch cord with a female MT-RJ connector (to access point) and an ST connector, plugged into an ST adapter (to ST network)]

Note: The patch cord shown above must connect to the access point with a female MT-RJ connector. For details, see "Using and Purchasing the Required Patch Cord and Adapter" on page 55.

Connecting Power Over Ethernet

The AT-WA7500 is powered by power over Ethernet. The AT-WA7501 can be powered by AC power or by power over Ethernet or both. For all access points, you need a power bridge. For a list of the power bridges that Allied Telesyn sells, contact your local Allied Telesyn representative. This illustration shows how you connect the AT-WA7500 to a power bridge with a typical Ethernet cable to run power over Ethernet. To AC
219. ing Ethernet network to include wireless end devices. The access point connects directly to your wired network, and the end devices provide a wireless extension of the wired LAN.

This illustration shows a simple wireless network with one access point and some wireless end devices.

[Figure 6: Simple Wireless Network]

In a simple wireless network, the access point that is connected to the wired network serves as a transparent bridge between the wired network and wireless end devices.

To install a simple wireless network:
1. Configure the initial IP address. For help, see "Configuring the Access Point Setting the IP Address" on page 39.
2. Install the access point. For help, see Chapter 2, "Getting Started," on page 11.
3. Configure the Ethernet network. For help, see Chapter 3, "Configuring the Ethernet Network," on page 65.
4. Configure the radios. For help, see Chapter 4, "Configuring the Radios," on page 99.
5. Decide what level of security you want to implement in your network. For help, see Chapter 6, "Configuring Security," on page 171.

Using Multiple Access Points and Roaming Wireless End Devices

Example: Configuring an 802.11g Access Point

Figure 7 802
220. ing LAN ID | 0 | 0 | 0
Root Priority | 5 | 4 | 3
Ethernet Bridging Enabled | Checked | Checked | Checked
Secondary LAN Bridge Priority | 0 | 0 | 0

The access points communicate with each other through the spanning tree. The wireless end devices are configured as stations with LAN ID set to 0 and SSID set to Op3ratl ons.

Using an Access Point as a WAP

You can extend the range of your wireless network by configuring a dual radio access point as a wireless access point (WAP). The WAP and the wireless end devices it communicates with comprise a secondary LAN. You can position WAPs in strategic locations so they receive data from end devices and then forward the data to the wired network. This configuration can be useful when distance or physical layout impedes radio reception and transmission.

This illustration shows a simple wireless network with one access point and one WAP. Wireless end devices use the WAP to forward data to the access point.

[Figure 10: Access Point as a WAP]

WAPs send data from end devices to the access points via wireless hops. Wireless hops are formed when data from end devices move from one access point to another access point through the radio ports. The master radio in the access point transmits hello messages, which allow the WAPs to attach to the spanning tree in the same way as access points. Th
221. [Screen capture: Filter Expressions screen with ExprSeq, Offset, Mask, and Action columns]

2. Configure the filter expressions parameters. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.

Table 9 Filter Expressions Parameter Descriptions

Parameter | Explanation
ExprSeq (Expression Sequence) | Indicates the order in which the filters will be executed. When you change the parameter, the statements are reordered and renumbered so the Expression Sequence order is maintained. The range is from 0 to 255. This parameter works with the Action parameter; for example, if the action is set to And, then the next sequence in another expression is processed.
Offset | Identifies a point inside the frame where testing for the expression is to start. The range is from 0 to 65535.
222. int to your network as shown in the next illustration.

[Figure 2: Connecting to an MT-RJ Network. A patch cord with a female MT-RJ connector at each end runs from the access point to an MT-RJ adapter on the MT-RJ network.]

Note: The patch cord shown above must connect to the access point with a female MT-RJ connector. For details, see "Using and Purchasing the Required Patch Cord and Adapter" on page 55.

Connecting to an SC Network

To connect to an SC network, you need:
- a patch cord with a female MT-RJ connector to insert into the access point's male MT-RJ fiber optic port and an SC connector to insert into the SC adapter.
- an adapter for connecting the patch cord to an SC network.

To connect to an SC network:
1. Remove any cable protectors attached to the patch cord and adapter.
2. Connect the access point to your network as shown in the next two illustrations.

[Illustration: female MT-RJ connector (to access point), patch cord to the network]

Note: The patch cord shown above must connect to the access point with a female MT-RJ connector. For details, see "Using and Purchasing the Required Patch Cord and Adapter" on page 55.

[Illustration: female MT-RJ connector (to access point), SC connector, SC adapter (to network)]

Note: The patch cord shown above must connect to the access point with a female MT-RJ connector. For details see Using and Purchas
223. ion with the access point you want to upgrade.

2. From the menu bar, click Upgrade Software. The Upgrade Software screen appears.

[Screen capture: Upgrade Software screen. Warning: Do not close or navigate away from this page during upload. Field: Enter or select the name of the firmware upgrade file, with a Browse button.]

3. Enter the path and filename of the upgrade file (AP WEB BIN) or click Browse to find the file on your PC. For example, AP21WEB BIN.

Note: If you have not already copied the upgrade file to your PC, follow the instructions in "Upgrading the Access Points" on page 266.

4. Click Upgrade to start the upgrade. The upgrade may take up to 3 minutes to complete.
5. When the upgrade is complete, click Save Changes and Reboot. When the access point is done rebooting, it is upgraded to the new software.

Repeat this procedure for each access point you want to upgrade. Each access point on a wired LAN requires approximately 3 minutes to upgrade; it takes slightly longer for wireless access points. The w
224. itches that do not support the IEEE 802.1d requirements for backward learning. Some proprietary VLAN switches and ATM LANE bridges do not support this standard. If the access points are connected to different ports on an Ethernet switch, each time an end device roams to a new access point, it appears on a different port. Thus, frames sent to the end device from the host are sent to the wrong port. If the switch does not support 802.1d, it may become confused and communications with the end device are disrupted. Data link tunneling makes end device roaming transparent to the switch. All the information appears to originate from only one port on the switch: the port that is connected to the root access point or designated bridge.

- Use data link tunneling when you are using IP tunnels to provide mobility of other routable protocols, such as IPX. In some network installations, detecting these addresses may generate alarms or cause switches to behave erroneously. In this situation, using data link tunneling does not increase network traffic.

To enable data link tunneling on the primary LAN:
1. Make sure that all access points have the same LAN ID.
2. On the root access point, on the Spanning Tree Settings screen, verify that the Enable Ethernet Bridging check box is checked.
3. On all other access points on the primary LAN cle
225. iversity. You cannot configure it to only communicate with other 802.11g radios.

Wi-Fi Protected Access (WPA) support: For 802.11g and 802.11a radios, WPA is a strongly enhanced, interoperable Wi-Fi security that addresses many of the vulnerabilities of Wired Equivalent Privacy (WEP) security.

Multiple Service Sets: For 802.11g and 802.11a radios, you can assign up to four service sets and four SSIDs to each radio, allowing each radio to handle traffic for up to four separate virtual LANs (VLANs).

Telnet Gateway APpliance (TGAP): This feature lets the access point act as a gateway for up to 128 TE2000 clients to communicate with up to eight hosts. Using the TGAP also offers client session persistence.

Enhanced DHCP Server: You can configure the access point DHCP server to provide IP addresses to only Allied Telesyn devices. This feature helps prevent unauthorized access to the wireless network. You can also configure the DHCP server to always provide the same IP address to a DHCP client each time it requests one.

Instant On Server: This server provides the device-level distribution of firmware, applications, and settings to wireless end devices that have the Instant On client installed. Currently, this feature can only be used in EasyADC systems.

Understanding the LEDs

The AT-WA7500 and AT-WA7501 access points have five LEDs. To understand the LEDs during normal use, see the next
226. le Server is enabled
Default Secret Key | 16 to 32 bytes | factory default
UDP Port | 49152 65535 | 1812
Authorization Time | hh dd mm | 0 01 00

Appendix C Glossary

ARP (Address Resolution Protocol) cache: A table that stores IP addresses and their corresponding MAC addresses. The access point maintains an ARP cache and can act as an ARP server.

BFSK (Binary Frequency Shift Key): A broadcasting method that lengthens the range but halves the throughput as compared to the QFSK method. In access points using an OpenAir radio, the radio can be configured so that it automatically switches to this method when the RF protocol determines that throughput is degrading due to range. The transmit mode parameter determines if BFSK will be used. The default setting for transmit mode is AUTO, which allows this automatic switching to occur.

broadcast: A type of transmission in which a message sent from the host is received by many devices on the system.

data link tunneling: An access point feature that encapsulates the data into an OWL data frame. This frame is then forwarded via the Ethernet port to the next access point on the path, and so on, until the frame reaches the root access point or designated bridge. The root access point or designated bridge unencapsulates the frame and forwards it to the host. When the root access point or designated bridge receives data on the Ethernet netwo
227. lear Microwave Oven Robustness

Parameter Name | Range | Default | Your Site
Enable Load Balancing | Check, Clear | Clear |
Enable Medium Density Distribution | Check, Clear | Clear |
Data/Voice Settings | Data Traffic Only, Data and SpectraLink Traffic, SpectraLink Traffic Only | Data Traffic only |
Disallow Network Name of ANY | Check, Clear | Clear |
DTIM Period | 1 to 65535 | 1 |
Inbound Filters:
Allow IAPP | Check, Clear | Check |
Allow Wireless Transport Protocol (WTP) | Check, Clear | Check |
Allow SpectraLink Voice Protocol (SVP) | Check, Clear | Check |
Allow UDP Plus UDP/IP Port 5555 | Check, Clear | Check |
Allow DHCP | Check, Clear | Check |
Allow All Other Protocols | Check, Clear | Check |

IEEE 802.11a Radio Menu Defaults

Parameter Name | Range | Default | Your Site
Frequency | Dynamic, 36, 40, 42, 44, 48, 50, 52, 56, 58, 60, 64 | Full range: Channel 36, 5180 MHz (IEEE). Mid range: Channel 52, 5260 MHz (IEEE) |
Allow Wireless Access Points | On Primary, On Secondary 1, On Secondary 2, On Secondary 3, Do not allow wireless access points | On Primary |
Node Type | Master, Station, Disabled | Master |
SSID (Network Name) | 0 to 32 characters | atilan |
Advanced Configuration:
Power Output Level | Maximum, Medium, Low, Minimum | Maximum |
Data Rate | 54 48 36 24
228. [Screen capture: File Import screen. Warning: Do not close or navigate away from this page during upload. Fields: "What name should the file be given on the access point (optional)" and "Enter or select the name of the file to import," with Browse and Import buttons.]

2. (Optional) You can type a filename in the first input field to specify the name that the file will have on the access point. To import a file to the memory card, use the app segment identifier alone (app:) or with a file name (app:test.txt).
3. In the second input field, type the file name or click Browse to select the file to be imported to the device.
4. When the correct file name is displayed in the input field, click Import to start the file transfer.

Viewing and Copying Files Using Your Web Browser

To view and copy files from the access point using your web browser:
1. Click View the file system directory from this device using your browser. The File System Directory screen appears.
229. [Screen capture: predefined subtype filters screen with Allow/Pass, SubType, and Value columns]

2. For each frame subtype field, check or clear the Allow/Pass check box to configure if the frame subtypes are allowed to pass or are dropped. If you check the check box, the frame subtype is allowed to pass.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.

Customizing Subtype Filters

You can configure the access point to pass or drop certain customized frame subtypes. You define the action, subtype, and value parameters.

Allow/Pass: Check or clear this check box. Check this check box to pass all frames of the subtype and va
230. letter or number other than B and press Enter. The test commands appear on the screen.

[Screen capture: test commands, including LED Test, MACE Test Menu, and Get DRAM Size]

Using Service Mode Commands

In Service mode, you can perform file functions and segment functions, such as deleting a file, downloading a file using the Ymodem protocol, and erasing a segment.

To enter Service mode:
1. At the ap prompt, type SRVC and press Enter.
2. Enter the service password. The default password is EV98203S (case-sensitive). The service prompt (service>) appears.

To exit Service mode:
- At the service prompt, type X and press Enter. You return to the ap prompt.

To list service commands:
- Press any key except the letter B, which reboots the access point, and then press Enter. The service commands appear on the screen.

[Screen capture: Service mode session listing File System Directory, Ymodem File Download, File Delete, Erase configuration, Compact Segment(s), save FPGA config file, Erase Segment(s), Set Boot/Data Segments, File System Reset, and Reboot]

Many of the commands that are available in Service mode are also available in the AP monitor or Console Command mode.

B
Purpose: Reboots the access point.
Syntax: B

FB
Purpose: Makes an inactive segment the active segment. Because the access point has only one flash memory segment, this command has no effect on an
231. Table 2 AT 7501 Technical Specifications

Dimensions (H x L x W) | 9.5 cm x 35.0 cm x 23.6 cm (3.8 in x 14.0 in x 5.8 in)
Weight | 2.63 kg (5.8 lb)
AC electrical rating | Standard: 100 to 240V, 1.0 to 0.5A, 50 to 60 Hz. Heater (optional): 100 to 120V, 1.0A, 50 to 60 Hz, or 200 to 240V, 0.5A, 50 to 60 Hz
POE electrical rating | x 48V, 315 mA
Operating temperature | Standard: -25°C to 70°C (-13°F to 158°F). Heater (optional, AC only): -30°C to 70°C (-22°F to 158°F). Heater, insulated bag (optional, AC only): -30°C to 0°C (-22°F to 32°F)
Storage temperature | -40°C to 70°C (-40°F to 158°F)
Humidity (non-condensing) | 10 to 90%
Industrial sealing | IPS54, NEMA 4
Architecture | Transparent bridge
Ethernet interfaces | 10Base-T, 100Base-TX (twisted pair)
Ethernet compatibility | Ethernet frame types and Ethernet addressing
Ethernet data rate | 10 Mbps/100 Mbps (Ethernet), 100 Mbps (fiber optic)
Fiber optic interface (optional) | MT-RJ
Radios supported | IEEE 802.11g, IEEE 802.11b, IEEE 802.11a
Media access protocol | CSMA/CD
Filters (protocol) | IP, IPX, NetBEUI, DECNET, AppleTalk
Filters (others) | IP ARP Novell RIP SAP LSP
Serial port maximum data rate | 115,200 bps
Management interfaces | Web browser ba
232. lp see "Connecting the AT-WA7500 to Your Wired LAN and Power" on page 54.

4. Connect the AT-WA7500 to power. For help, see "Connecting the AT-WA7500 to Your Wired LAN and Power" on page 54.

When you are done installing the access points, you need to configure them to communicate with your network.

Unless you are using the AT-WA7500 as a WAP, you must connect it to your Ethernet network. To connect the AT-WA7500 to your Ethernet network and to power, you must first connect it to a power bridge or another 802.3af power bridge. For help, see "Connecting Power Over Ethernet" on page 59 and the documentation that shipped with your power bridge.

Connecting to Your Fiber Optic Network

You can order your AT-WA7501 access point with a fiber optic option. Using an appropriate patch cord and adapter as described in the next section, you can connect your access point to:
- an MT-RJ network
- a square connector (SC) network
- a straight tip (ST) network

Using and Purchasing the Required Patch Cord and Adapter

To connect the access point with the fiber optic option to your fiber optic network, you must have a patch cord and an adapter.

The access point fiber optic port consists of a male MT-RJ connector interface. Therefore, the patch cord must have a female MT-RJ connector that you insert into the access point fiber optic port.
233. lp see the next table.

Note: If you set DHCP Mode to Disable DHCP and the IP address for this access point is 0.0.0.0, all IP communications are disabled for this access point.

Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.

Table 2 DHCP Client Parameter Descriptions

Parameter | Explanation
DHCP Mode | To configure the access point as a DHCP client, you must choose one of these options. Always Use DHCP: The access point uses DHCP after every reboot, whether or not an infinite lease was granted in a previous session. If this option is not selected, infinite leases are stored in non-volatile memory and reused after each reboot. BOOTP is treated like an infinite lease. Use DHCP if IP Address is Zero (Default): The access point uses DHCP only if the IP Address is 0.0.0.0. If you choose this option, make sure that the IP Address is 0.0.0.0.
DHCP Server Name | Leave this field blank if you want the access point to respond to offers from any server. Or, enter the name of the DHCP server that this access point accesses for information. This access point will not respond to any other DHCP server.
DHCP User Class | Leave the field blank if you do not want the DHCP client to include a use
234. ls. For help, see "Configuring IP Tunnels" on page 148.

9. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.

Example: Configuring an 802.11g Bridge

In this example, each access point only has one 802.11g radio. Since the designated bridge only has a station radio, wireless end devices can only communicate with the root access point. However, wired devices on the secondary LAN can communicate with the primary LAN.

[Figure 14: 802.11g Bridge. The host and root access point are on the primary LAN; the designated bridge is on the secondary LAN.]

Table 9 802.11g Point-to-Point Bridges Parameter Settings

Screen | Parameter | Bridge, Primary LAN (Root) | Bridge, Secondary LAN (Designated Bridge)
802.11g Radio | Allow Wireless Access Points | On Primary | not applicable
802.11g Radio | Node Type | Master | Station
802.11g Radio | SSID | Manufacturing | Manufacturing
Spanning Tree Settings | LAN ID | 0 | 0
Spanning Tree Settings | Root Priority | 2 | 0
Spanning Tree Settings | Ethernet Bridging Enabled | Checked | Checked
Spanning Tree Settings | Secondary LAN Bridge Priority | 0 | 1
Spanning Tree Settings | Secondary LAN Bridge Flooding | Disabled | Enabled

Allied Telesyn recommends that you implement some type of security.

Example: Configuring an 802.11a Bridge

In this example, each access point only has one 802.11a radio. Since the 802.11a radio can function as a master and a station wi
235. lue. Clear this check box to drop all frames of the subtype and value.

SubType: Selects the frame subtype you wish to configure. For help setting the subtype and value, see Table 7, "Subtype Filter Descriptions," on page 86.

Value: The value must be two hex pairs. When a match is found between frame subtype and value, the specified action is taken.

To customize subtype filters:
1. From the main menu, click Ethernet > Customizable Subtype Filters. The Customizable Subtype Filters screen appears.

[Screen capture: Customizable Subtype Filters screen with Allow/Pass, SubType, and Value columns]

2. For each subtype field check or clear the
236. m the menu, click Security > Security Events. The Security Events log appears.

[Screen capture: Security Events log with MAC Address, IP Address, Priority, Trap, Count, Type, Additional Data, and Age columns]

For help understanding the events, see the next table.

Table 14 Security Events Log Description

Column | Description
MAC Address | Indicates the Ethernet MAC address of the device that caused the event.
IP Address | Indicates the IP address of the device that caused the event.
Priority | Indicates the priority of the event: Critical, High, Low, or Informative. Critical and High priority even
237. mary Only. The Inbound Filters screen appears.

[Screen capture: 802.11g Radio Inbound Filters (Primary Only) screen with check boxes for Allow IAPP, Allow Wireless Transport Protocol (WTP), Allow UDP Plus UDP/IP Port 5555, Allow DHCP, and Allow All Other Protocols]

2. For each frame type, check or clear each check box. For help, see the next table.
3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45.

Table 4 802.11g Radio Inbound Filter Descriptions

Parameter | Description
Allow IAPP | Determines if this radio accepts IAPP (Inter Access Point Protocol) frames from other access point station radios. The IAPP frames must match Ethernet protocol 875c.
Allow Wireless Transport Protocol (WTP) | Determines if this radio ac
238. me password entry in the RADIUS database has a password but no username.

A username/password entry in the RADIUS database has a username but no password.

Table 8 Alphabetized List of Configuration Error Messages (Continued)

Configuration Error Message | Additional Information
All SSID values must be unique per physical radio. | While configuring multiple service sets, you did not specify a unique SSID (network name) for each service set. For help, see "Configuring the 802.11g Radio" on page 101 or "Configuring the 802.11a Radio" on page 119.
An entry in the RADIUS server list is using a default secret key. | Allied Telesyn recommends that you change the secret key from the default for security reasons.
At least one 802.1x supplicant protocol must be enabled. |
Matching WEP keys will merge VLAN multicast. |
No RADIUS servers have been configured for 802.1x authentication. | Click the message and check the 802.1x check box for at least one server in the RADIUS Server List.
No RADIUS servers have been configured for ACL authorization. | Click the message and check the ACL check box for at least one server in the RADIUS Server List.
No RADIUS servers have been configured for login authorization.
The 802.1x username and password have not been changed from their default values.
Click the message and check
239. ment where you want to load the configuration file.

Using Command Console Mode

Entering Command Console Mode

You can use the Command Console mode to manipulate some access point files and file segments. You can also use Command Console mode to upgrade access points using TFTP and script files. You access the Command Console mode through the serial port using a communications program or over the network using a telnet session. You cannot access Command Console mode using a web browser interface.

1. Use a communications program or telnet to start a session with the access point. For help, see "Using a Communications Program" on page 39.
2. From the Access Point Configuration menu, choose Maintenance.
3. From the Maintenance menu, choose Command Console. The list of commands appears.

[Screen capture: command list with descriptions. Legible entries: fd <segment> all (directory list), fe (erase flash), fdel <filename> (delete file), fb <boot segment> <data segment>. Remaining descriptions: File transfer, Execute script files, Software Download variables, Return to main menu, Display this help.]

To exit Command Console mode:
- At the prompt, type exit. You return to the Maintenance menu.

Using the Commands

Several of these commands require that you enter filenames. To indicate the segment where the file is located, you precede the filename with either a segment number or name followed by a colon. Fo
240. merica; 802.11 compliant mode, Mid range: 4, North America; Turbo mode: 3, North America

Table 5 IEEE 802.11a Radio Technical Specifications

Range (depending on environment) | 248 m (813.7 ft) at 6 Mbps; 240 m (787.4 ft) at 12 Mbps; 175 m (574.2 ft) at 18 Mbps; 132 m (433.1 ft) at 24 Mbps; 56 m (183.7 ft) at 36 Mbps; 37 m (121.4 ft) at 48 Mbps; 19 m (62.3 ft) at 54 Mbps
Receiver sensitivity | -68 dBm at 54 Mbps

Appendix B Default Settings

This appendix provides factory defaults for reference purposes only. The factory default settings for the access points are listed in this section. You can record the settings for your installation in each table for reference.

TCP/IP Settings Menu Defaults

Parameter Name | Range | Default | Your Site
IP Address | 4 nodes, 0 to 255, or DNS name | 0.0.0.0 |
IP Subnet Mask | 4 nodes, 0 to 255 | 255.255.255.0 |
IP Router (Gateway) | 4 nodes, 0 to 255 | 0.0.0.0 |
DNS Address 1 | 4 nodes, 0 to 255 | 0.0.0.0 |
DNS Address 2 | 4 nodes, 0 to 255 | 0.0.0.0 |
DNS Suffix 1 | 0 to 31 characters | blank |
DNS Suffix 2 | 0 to 31 characters | blank |
DHCP Mode | Always use DHCP, Use DHCP if IP Address is Zero, Disable DHCP, This AP is a DHCP Server | Use DHCP if IP Address is Zero |
DHCP Server Name | 0 to 31 characters | blank |
DHCP User DHCP user
241. mplement 802.1x security on one radio network or both radio networks, as long as the radio supports 802.1x security. For example, you have an access point with dual 802.11b radios, and some end devices that have a supplicant and some end devices that do not have a supplicant. In the access point, you can configure one 802.11b radio to use 802.1x security and the other 802.11b radio to use an ACL. Configuring the Access Point as an Authenticator. The access point, when acting as an authenticator, receives requests from end devices that want to communicate with the network and forwards these requests to the authentication server. It also distributes the WEP keys to end devices that are communicating with it. Before you configure the access point as an authenticator, the access point should be installed and configured to communicate with the wireless end devices. To configure the access point as an authenticator: 1. From the main menu, click Security, and then click the radio service set that you are configuring. The appropriate radio screen appears. 2. In the Security Level field, select Dynamic WEP/802.1x. [Screen: Security, 802.11g Radio]
242. [Screen: Security, Passwords, showing the Use RADIUS for Login Authorization and Allow Service Password check boxes and the Select a RADIUS server for login authorization link] 2. Check the Use RADIUS for Login Authorization check box. 3. (Optional) Make sure the Allow Service Password check box is checked. 4. Click Submit Changes to save your changes. 5. Configure the password server by clicking Select a RADIUS server for login authorization. The RADIUS Server List screen appears. [Screen: Security, RADIUS Server List]
243. [Screen: Embedded Authentication Server, Database] 3. In the Type field, choose the type of client you are entering in the database. For help, see the next table. 4. Click Submit Changes to save your changes. 5. Enter the appropriate user name and password, if applicable. User names and passwords can be from 1 to 32 characters. For help, see the next table. 6. Click Submit Changes to save your changes. 7. Repeat Steps 3 through 6 for each client. 8. Click Save/Discard Changes, and then click Save Changes without Reboot. Table 3: Embedded Authentication Server Entry Descriptions (columns: Type Field, Description, User Name Field, Password Field). Login: Enter user names and passwords for users who are authorized to configure and maintain access points using the password server. User Name Field: User name. Password Field: User password. RADIUS: Enter a secret key that is shared by the RADIUS client (access point) and the RADIUS server. You do not need to enter any RADIUS clients if you do not change the default secret key. For more security, you should change the default secret key. User Name Field: RADIUS client IP address. Password Field: Secret key. ACL 802.1x TTLS PEAP Enter the end device radio MAC address for all end devices that are authorized to communicate
244. n combination with a DHCP user class to segment a network that has an existing DHCP server and an access point DHCP server. You can configure the access point as a simple DHCP server that provides DHCP server functions for small installations where no other DHCP server is available. The DHCP server will offer IP addresses and other TCP/IP settings to any DHCP client it hears, as long as a pool of unallocated IP addresses is available. These clients may include other access points, wireless end devices, wired hosts on the distribution LAN, or wired hosts on secondary LANs. Note: If you configure the access point as a DHCP server, it is not intended to replace a general-purpose, configurable DHCP server, and it makes no provisions for synchronizing DHCP policy between itself and other DHCP servers. Customers with complex DHCP policy requirements should use other DHCP server software. Note: You cannot configure the access point as both a DHCP server and a DHCP client. To avoid a single point of failure, you can configure more than one access point to be a DHCP server; however, the access points do not share DHCP client databases. You should configure each DHCP server with a different address pool from which to allocate client IP addresses. To configure the access point as a DHCP server: 1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears.
245. n is available. Repeat Steps 1 and 2. [Screen: database import page, with the warning "Do not close or navigate away from this page during upload/import/export"] 4. Click Export the EAS database from this access point. A File Download dialog box appears. [Screen: File Download dialog box] 5. Make sure Save this file to disk is selected, and then click OK. The Save As dialog box appears. [Screen: Save As dialog box] 6. Choose the location and filenam
246. n page 54; Connecting to Your Fiber Optic Network on page 55; Connecting Power Over Ethernet on page 59; External Antenna Placement Guidelines on page 60. Installation Guidelines. Allied Telesyn recommends that you have an Allied Telesyn-certified RF specialist conduct a site survey to determine the ideal locations for all your Allied Telesyn wireless network devices. To conduct a proper site survey, you need to have special equipment and training. The following general practices should be followed in any installation: locate access points centrally within areas requiring coverage; overlap access point radio coverage areas to avoid coverage holes; position the access point so that its LEDs are visible (the LEDs are useful for troubleshooting); install wired LAN cabling within node limit and cable length limitations; use an uninterruptible power supply (UPS) when AC power is not reliable. Proper antenna placement can help improve range. For information about antenna options, contact your local Allied Telesyn representative. For more guidelines, see External Antenna Placement Guidelines on page 60. When determining ideal locations for the access points, be aware that you may see network performance degradation from microwave ovens, cordless telephones, and other access points. For more i
247. n page 85 or Customizing Subtype Filters on page 85. Table 6: Frame Type Filter Descriptions (columns: Frame Type, Explanation). DIX IP TCP Ports, DIX IP UDP Ports, SNAP IP TCP Ports, SNAP IP UDP Ports: Primary Internet Protocol Suite (IP) transport protocols. DIX IP Other Protocols, SNAP IP Other Protocols: IP protocols other than TCP or User Datagram Protocol (UDP). DIX IPX Sockets: Novell NetWare protocol over Ethernet II frames. SNAP IPX Sockets: Novell NetWare protocol over 802.2 SNAP frames. 802.3 IPX Sockets: Novell NetWare protocol over 802.3 RAW frames. DIX Other Ethernet Types, SNAP Other Ethernet Types: DIX or SNAP registered protocols other than IP or IPX. 802.2 IPX Sockets: Novell running over 802.2 Logical Link Control (LLC). 802.2 Other SAPs: 802.2 SAPs other than IPX or SNAP. Note: You should not filter HTTP, Telnet, SNMP, and ICMP frames if you are using WAPs, because these frame types are used for configuring, troubleshooting, and upgrading WAPs. Using Predefined Subtype Filters. You can configure the access point to pass or drop certain predefined frame subtypes. To configure predefined subtype filters: 1. From the main menu, click Ethernet > Predefined Subtype Filters. The Predefined Subtype Filters screen appears.
248. n't read file: The requested file may not exist. Error Message: Invalid opcode during put. Explanation: This error should not occur under normal operating conditions. This error indicates a TFTP protocol error that will not occur when you use TFTP servers that conform to the protocol. TFTP SERVER LOG. Purpose: The access point can function as a TFTP server. You can use the TFTP server log command to save a history of TFTP client requests. The TFTP server log contains useful TFTP server status information. The log begins when you set up the server. To clear the log, reboot the access point. Syntax: TFTP SERVER LOG. TFTP SERVER START. Purpose: Use this command to enable the access point to act as a server. You can enable one access point to act as a TFTP server and download files to additional access points. Syntax: TFTP SERVER START access, where access is blank for read-only access (default) or rw for read/write access. TFTP does not require any authentication, so a read/write TFTP server is very insecure and should be used only briefly. When the access point boots, read-only access is restored. After you issue this command, the access point responds to TFTP client requests that are directed to its IP address. When acting as a server, the access point supports up to four concurrent TFTP sessions. TFTP SERVER STOP. Purpose: When you are done tra
249. nect the AT-WA7501 to power: Plug one end of the power cord into the power port on the AT-WA7501 and plug the other end into an AC power outlet. The access point boots as soon as you apply power. Installing the AT-WA7500. You can place the AT-WA7500 horizontally on a desk or counter. The AT-WA7500 also ships with a mounting bracket that lets you mount it vertically to a wall. Additional mounting options that you can use with the mounting bracket include a cubicle bracket that lets you mount the AT-WA7500 on a cubicle wall or in a locking bracket: Cubicle bracket kit; Locking bracket kit. To order one of these kits, contact your Allied Telesyn representative. Allied Telesyn also offers a variety of antennas and antenna accessories. For more information, see Antennas and Antenna Accessories on page 247. To install the AT-WA7500, do the following: 1. Attach the antenna or antennas. For more information, see External Antenna Placement Guidelines on page 60. Note: If the AT-WA7500 has an 802.11a full range radio, you must use the antennas that are already attached to the antenna connectors. 2. Mount the AT-WA7500. For help, see the AT-WA7500 Quick Install Guide and the instructions that shipped with the bracket kit. 3. Connect the AT-WA7500 to your wired LAN, unless you are using it as a WAP. For he
250. ned by the radio. See Table 2, Worldwide Frequencies for 802.11g and 802.11b Radios, on page 105. Configure all access points used in Spain, France, or Japan to a common frequency. For all other countries, configure all access points to a common frequency, or select up to three frequencies that are at least three channels or 25 MHz apart. For example, you could select 2412 MHz, 2437 MHz, and 2462 MHz. You may want to use a single frequency to isolate the installation to part of the band; for example, use a single frequency if other wireless networks or microwave ovens are in the area. For optimal performance of master radios in access points that are in range of each other, configure the frequencies to be at least five channels apart. For example, configure the frequency to use channels 1, 6, and 11. Configuring 802.11b Radio Advanced Parameters. 1. From the main menu, click 802.11b Radio > Advanced Configuration. The Advanced Configuration screen appears. [Screen: IEEE 802.11b Radio Advanced Configuration]
251. net. Within the spanning tree, access points use IAPP (Inter Access Point Protocol) or secure IAPP to communicate with each other across the Ethernet network, over wireless secondary LANs, and through IP tunnels to remote IP subnets. IAPP also enables fast roaming in an 802.11g, 802.11b, or 802.11a network using 802.1x security. Secure IAPP prevents unauthorized access products from joining the spanning tree. For example, when an end device roams to a new access point, the new access point informs the old access points, via the root access point, that any traffic for the end device needs to be routed to the new access point. As end devices are added to or removed from the network, access points are automatically updated so they can maintain reliable operation and communication. About the Primary LAN and the Root Access Point. The primary LAN, also called the root IP subnet, contains the root access point, which initiates the spanning tree. When choosing the primary LAN, ideally you should choose the IP subnet that contains gateways or servers for the wireless end devices. However, these gateways and servers may also be on another subnet. The root access point coordinates the network and distributes common system parameters to other access points and end devices. Consider these selection criteria when choosing which access point to be the root: The root must be installed on the prim
252. nformation, see the next sections. Note: Microwave ovens, cordless telephones, and other access points do not degrade the network performance of the 802.11a radio. Microwave Ovens. Microwave ovens operate in the same frequency band as 802.11g and 802.11b radios; therefore, if you use a microwave oven within range of your wireless network, you may notice network performance degradation. Both your microwave oven and your wireless network will continue to function, but you may want to consider relocating your microwave oven out of range of your access point. Cordless Telephones. If you have an 802.11g or 802.11b radio in your access point, the radio may experience interference from some cordless telephones. For optimal performance, consider operating cordless telephones out of range of your access points. Other Access Points. Access points that are configured for the same frequency and that are in the same radio coverage area may interfere with each other and decrease throughput. You can reduce the chance of interference by configuring access points at least five channels apart, such as channels 1, 6, and 11. Installing the AT-WA7501. You can place the AT-WA7501 horizontally or vertically on a desk or counter. If you want to mount the AT-WA7501 to a wall or beam using an Allied Telesyn mounting bracket kit, you need one of these mounting kits: Mounting bracke
253. ng DHCP server and an access point DHCP server. 4. Click Submit Changes to save your changes. DHCP Server Setup appears in the menu. 5. From the menu, click DHCP Server Setup. The DHCP Server Setup screen appears. [Screen: DHCP Server Setup, showing the Low Address, High Address, Lease Time, Permanently Save IP Address Mappings, IP Subnet Mask, IP Router (Gateway), DNS Address 1, DNS Address 2, and NAT Status fields] 6. Configure the DHCP server. For help, see the next table. 7. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 4: DHCP Server Setup Parameter Descriptions (columns: Parameter, Explanation). Low Address: Enter the low IP address in the range of IP addresses available to the DHCP server for distribution to DHCP clients. If these addresses are not on the same subnet as the access point, the access point will perfo
254. [Screen: Security, radio service set screen with the Security Level field] Check the Enable ACL Client Authorization check box if you want to use an ACL to authorize end devices to communicate with the network. Click Submit Changes to save your changes. Normally, the access point issues RADIUS requests with the user name and password of the end device that is trying to communicate with the network. Check the Enable Alternative Method ACL check box if you want the access point to issue RADIUS requests with the user name and password both set to the MAC address of the end device that is trying to communicate with the network. (External RADIUS server only) In the ACL RADIUS Client Password field, enter the password that is used to sign RADIUS access requests for all end devices attached to this access point. This password must match the password that is configured in the RADIUS server. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 7. Configure the RADIUS server by clicking Select a RADIUS server for ACL authorization. The RADIUS
255. [Screen: radio service set list, with the Primary service set set to Master (SSID ATILAN) and Secondary 1 to 3 set to Disabled (SSIDs ATILAN_1, ATILAN_2, ATILAN_3), each with a Configure security settings for this service set link] b. Make sure the Allow Wireless Access Points field is On Primary. c. In the Primary service set Node Type field, choose Master. d. In the Primary service set SSID (Network Name) field, type the SSID. In this example, the SSID is Manufacturing. 7. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 8. Configure the access point to be a root access point. For help, see About the Primary LAN and the Root Access Point on page 131. 9. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Example: Configuring an 802.11b WAP With Roaming End Devices. In this example, there is one 802.11b radio in the access point and there are two 802.11b radios (802.11b Radio 1 and 802.11b Ra
256. nsferring files, you can stop the access point from being a TFTP server by using this command. Syntax: TFTP SERVER STOP. After you issue this command, the access point no longer responds to TFTP client requests; however, current TFTP sessions with the server are allowed to complete. This table lists error messages that can be issued from the TFTP server. These messages are sent to the client and should be read from the client perspective. (Columns: Error Message, Explanation.) TFTP server only supports octet mode: The client is attempting to transfer a file in ASCII mode. The access point TFTP server only supports octet mode, which includes binary and image. Unable to open remote file: The TFTP server cannot open the file that is named in the read or write request. If you are trying to read a file, the file may not exist. If you are trying to write a file, the file may be too big, the file may not have an access point file header, or the file name may be incorrectly formed. Can't read remote file: The server returns this message if the access point file system returns an error while the server is attempting to read the file. This message is unlikely to occur. Can't write remote file: The server returns this message if the access point file system returns an error while the server is attempting to write the file. This message
257. nt number 1. If you do not specify a segment name or number in a command, the access point first searches RAM and then the flash memory segment until it finds a file that matches the file name. Note: Legacy scripts with commands that specify segment numbers or names can be run on AT-WA7500 and AT-WA7501 access points without generating errors. Understanding Transparent Files. The AT-WA7500 and AT-WA7501 access points with software release 2.2 support transparent files, which are files without file headers. Transparent files all have the date May 14, 2002 (5/14/2002) and have no version. The advantage of using file headers is that the date and file versions are correct when you use the FD command to view the directory. All provided DNL files have file headers. All files to be uploaded by script files must have file headers. For help using the TFTP GET command with transparent files, see page 288. Using the AP Monitor. The AP (access point) ROM monitor is system software that lets you manipulate the access point files and file segments. You can only access the AP monitor through the serial port using a communications program. Note: Certain functions available through the AP monitor can erase the access point configuration. Allied Telesyn strongly recommends that you only use the AP monitor when absolutely neces
258. nt-to-point bridge: A wireless link that connects two wired Ethernet segments. Two access points can be used to provide a wireless bridge between two buildings so that wired and wireless devices in each building can communicate with devices in the other building. wireless hop: A wireless link that occurs when data from a wireless end device moves from one access point to another access point through the radio ports. Using Allied Telesyn access products, Allied Telesyn recommends that your data does not travel through more than three wireless hops. Secure wireless hops are created when secure IAPP is enabled. Access points use SWAP to authenticate each other. WPA (Wi-Fi Protected Access): A feature that can be implemented in the 802.11g, 802.11b, and 802.11a radios for security in a wireless environment. WPA is a strongly enhanced, interoperable Wi-Fi security protocol that addresses many of the vulnerabilities of WEP.
259. ntennas for the 802.11b radio at least 0.61 m (2 ft) apart. Position directional antennas so they point in the same direction. Position the antennas so that both antennas are within range of the radios they need to communicate with. Do not position the two antennas around a corner or so that a wall is between them. Follow the recommended antenna separation precisely when using the closest distances. Movement of as little as 3.05 cm (1.2 in) may strongly affect performance. You should choose the greatest distance possible within the constraints of your environment. Antenna Diversity for 802.11a. The 802.11a radio diversity operation is enabled by the AP Configuration Menu. When antenna diversity is enabled, the second port can both transmit and receive. This feature can be used to provide redundant coverage of the same area covered by the primary antenna, or can be configured to cover a separate area. This allows directional antennas to be pointed toward different areas, or for the second antenna to be placed on the other side of the wall. Chapter 3: Configuring the Ethernet Network. This chapter explains how to configure the AT-WA7500 and AT-WA7501 access points so that they communicate with your Ethernet network. This chapter explains: Configuring the TCP/IP Settings on page 66; Configuring Other Ethernet or Fiber Optic Settings on page 79; Config
260. o be at least five channels apart. For example, configure the frequency to use channels 1, 6, and 11. Node Type: Configure the 802.11g radio to Master, Station, or Disabled. Master: The radio always operates in Master mode. The radio becomes active to accept connections for wireless devices when the access point joins the spanning tree. All service sets to be configured for a VLAN must be set to Master. Station: The radio always operates in Station mode. The radio searches for an access point with an active Master mode radio to connect to. If a connection is established, this link becomes a possible connection to the root. Disabled: The radio is disabled. You can create up to four service sets for this radio by setting the Node Type as follows: If the primary service set is Master, up to three secondary SSIDs may be set to Master. (Table 1: 802.11g Radio Parameter Descriptions, continued.) If the primary SSID is Station, all secondary service sets are disabled and do not appear on screen. If the primary service set is Disabled, all secondary service sets and the physical radio are disabled. SSID (Network Name): Enter a unique SSID for each enabled service set. You can configure up to four service sets for this radio. The SSID is case-sensitive and cannot be more than 32 alphanumeric characters.
261. [Screen: communications program window] Press Enter to access the TCP/IP Settings menu. If you are not using a DHCP server, you need to manually assign an IP address. Configure these parameters in the TCP/IP Settings menu: IP Address: A unique IP address. IP Subnet Mask: The subnet mask that matches the other devices in your network. IP Router (Gateway): If the access point will communicate with devices on another subnet, enter the address of the router that will forward frames. Or, if you are using a DHCP server to automatically assign an IP address to your access point, configure these parameters in the TCP/IP Settings menu: DHCP Mode: Set to <Use DHCP if IP Address is Zero>. DHCP Server Name: The name of the DHCP server that the access point is to access for automatic address assignment. If no server name is specified, the access point responds to offers from any server. Press Esc to return to the Access Point Configuration menu. Choose Save Configuration. Choose Reboot. When the access point is done rebooting, you are ready to install the access point in your network. See Chapter 2, Installing the Access Points, on page 49. Using a Web Browser Interface. After you have set the initial IP address, you can configure, manage, and troubleshoot the access point from a remote location using a web b
262. o save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. About Ethernet Bridging/Data Link Tunneling. Ethernet bridging is simply forwarding a frame received on the radio port to the Ethernet port and vice versa. Using this default mode, the access point acts as a bridge between the wireless and wired networks. Note: Allied Telesyn recommends that you enable Ethernet bridging on all access points. However, if you meet the criteria listed later in this section, you can disable Ethernet bridging and use data link tunneling instead. Be aware that data link tunneling increases network traffic. Turning off Ethernet bridging enables data link tunneling. The data link tunneling mode causes the child access point to encapsulate inbound wireless data into an 875C frame. This data frame is then forwarded via the Ethernet port to the next access point on the path, and so on, until the frame reaches the root access point or designated bridge. The root access point or designated bridge encapsulates the frame and forwards it to the host. When the root access point or designated bridge receives data on the Ethernet network for an end device, it reverses this process. When should you use data link tunneling? Use data link tunneling if you have Ethernet sw
263. ocol check box and clear all other check boxes except the Allow IAPP check box. The access point master radio will only accept the UDP Plus or WTP frames and discard all other frames, which can make a more secure network. Note: If any of the devices are also DHCP clients, you need to check the Allow DHCP check box. To configure 802.11a radio inbound filters: 1. From the main menu, click 802.11a Radio > Inbound Filters. The Inbound Filters screen appears. [Screen: Inbound Filters, with check boxes Allow IAPP, Allow Wireless Transport Protocol (WTP), Allow UDP Plus (UDP/IP Port 5555), Allow DHCP, and Allow All Other Protocols] 2. For each frame type, check or clear each check box. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 11 80
264. [Screen: IEEE 802.11b Radio Advanced Configuration] Configure the advanced parameters. For help, see the next table. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 6: 802.11b Radio Advanced Parameter Descriptions (columns: Parameter, Description). Data Rate: Choose the rate at which the access point transmits data. In general, higher speeds mean shorter range and lower speeds mean longer range. You can set this rate to 11, 5.5, 2, or 1 Mbps. Allow Data Rate Fallback: Determines if you want the radio to drop to a slower data rate when it has trouble communicating with another radio. Basic Rate: Choose the rate at which the access point transmits multicast and beacon frames. In general, higher speeds mean shorter range and lower speeds mean longer range. Do not set this rate higher than the maximum rate at which your end devices can receive m
265. om this device using the TFTP client. The TFTP Client screen appears. [Screen: TFTP Client, with Server IP Address, Server File Name, and Local File Name fields and Get and Put buttons] 2. In the Server IP Address field, enter the IP address or DNS name of the TFTP server. 3. In the Server File Name field, type the name in the format required by the operating system of the server. In the Local File Name field, type the file name for the file on the device. Access point filenames for software release 2.2 or later use this format: segment filename, where segment is 1 for memory or app for the memory card. Note: When performing TFTP GET commands, this field need only contain the segment identifier (1 or app) because the file name is determined by the header of the downloaded file. Click Get or Put. Starting or Stopping the TFTP Server. To start or stop the TFTP server: 1. Click Start or stop the TFTP server. The TFTP Server screen appears.
266. on shows the ports that are on the AT-WA7500. For help understanding these ports, see the Port Descriptions table on page 19. [Figure 5. AT-WA7500 Ports: 10BaseT/100BaseTx Ethernet port, Serial port] For more information on connecting the ports, see Chapter 2, Getting Started, on page 11. How the Access Point Fits in Your Network. In general, the access point forwards data from wireless end devices to the wired Ethernet network. You can also use the access point as a point-to-point bridge, or, if your access point has two radios, you can use it as a point-to-multipoint bridge or a WAP. Use the access point in the following locations and environments. Table 4. Access Point Environments. AT-WA7500: Use in most indoor environments. AT-WA7501: Use in locations where an access point is exposed to extreme environments. The access point supports a variety of network configurations. These configurations are explained in the following sections: Using One Access Point in a Simple Wireless Network on page 22; Using Multiple Access Points and Roaming Wireless End Devices on page 24; Using an Access Point as a WAP on page 27; Using Access Points to Create a Point-to-Point Bridge on page 32; Using Dual Radio Access Points for Redundancy on page 37. Using One Access You can use an access point to extend your exist
267. ondary LAN. This table contains all the MAC addresses on the secondary LAN that are communicating with the primary LAN. You must enter the MAC addresses of all devices on the secondary LAN that do not always initiate communication. If you choose not to configure this table, the designated bridge or WAP may need to flood frames to the Ethernet and radio ports to learn the path to the MAC address. These addresses become permanent entries in the forwarding table of the designated bridge or WAP. To configure the Ethernet address table: 1. From the main menu, click Ethernet > Address Table. The Address Table screen appears. [Screen: Ethernet Address Table] 2. Enter up to 20 MAC addresses. MAC addresses consist of six hex pairs that are
268. [Screen: Port Statistics, showing transmitted frame counts (Unicast, Non-Unicast, Relayed, Discarded, Errors) for the Ethernet, IP Tunnel, and 802.11g Radio ports] You can scroll down to see graphs of inbound and outbound packets. Viewing DHCP Status. The DHCP Status screen shows a status report for the DHCP client or DHCP server. If the access point is a DHCP server and if the Permanently Save IP Address Mappings check box is checked, you can delete entries from the server's permanent address map. To view DHCP status: From the menu, click Maintenance > DHCP Status. The DHCP Status screen appears. [Screen: Maintenance DHCP Status, listing Total Leases, Issued Leases, and for each lease the IP Address, Status, Time, and Client Identifier]
269. oting With the LEDs. When the access point boots, it performs internal diagnostics, and the LEDs display the pattern shown in the next table. Table 9. MobileLAN access LED Boot Sequence for Release 2.2 or later. LED columns: Power, Wireless 1, Wireless 2, Wired LAN, Root/Error. Descriptions: Checksum Test starts; Checksum Test fails; Monitor Load; PCI Bus Test starts; PCI Bus Test fails; RAM Test starts; RAM Test fails; Wireless 1 and 2 blink in unison (only Boot ROM code is available on access point; load new files). Legend: LED On, LED Off, LED Flashing. After the AT-WA7500 or AT-WA7501 successfully boots, the LEDs display one of these patterns. Table 10. AT-WA7500 and AT-WA7501 Normal LED Pattern After Booting: Blinks for wireless data traffic; Blinks if a radio is installed; Blinks for wired data traffic; Blinks if the AP becomes root. General Troubleshooting. Table 11. General Troubleshooting
270. ou can use the Web browser interface, as explained in the following procedure. 1. In the menu bar, click Save/Discard Changes. This screen appears. [Screen: Save/Discard Changes, with buttons Save Changes and Reboot, Discard Changes and Reboot, Save Changes without Reboot, Discard Pending Changes, and Restore Factory Defaults. Note on screen: Only Embedded Authentication Server database changes are activated immediately. All other changes require a reboot. Possible Configuration Errors shown: The RADIUS server default shared secret has not been changed from its default value. The login password has not been changed from its default value.] Click Restore Factory Defaults. Under Pending Changes, you will see a list of what parameters need to be changed. Click Save Changes and Reboot. When the access point is done rebooting, it will use the factory default settings as its active configuration. You may need to reset the IP address and other network parameters. Troubleshooting the Access Points. Using the Configuration Error Messages. This section provides you with information on the installation, configuration, and operation of the access point. When you click Save/Discard Changes, the access point checks fo
271. our access point. Using Simple Network Management Protocol (SNMP). The access point can be managed using Simple Network Management Protocol (SNMP); that is, you access the access point from an SNMP management station. Contact your Allied Telesyn representative if you need to obtain a copy of the MIB. Before you can use an SNMP management station, you must define the access point's SNMP community strings. To configure the SNMP community strings: 1. From the menu, click Network Management. The Network Management screen appears. [Screen: Network Management, with fields SNMP Read Community, SNMP Write Community, and SNMP Secret Community] 2. Configure the SNMP community parameters. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 3. SNMP Community Parameter Descriptions. SNMP Read Community: Specify a password that provides read-only a
272. [Figure labels: outer; Primary LAN (root IP subnet); AP5; AP6; Designated bridge AP4; Secondary LAN (remote IP subnet)] Example 1. The root, AP1, AP3, AP5, and AP6 service only wireless end devices. These access points need to pass IP traffic but not pass IPX traffic that does not need to be forwarded to the primary or secondary LAN. Example 2. For this example, set these options on the Ethernet Frame Type Filters screen. No subtype filters are needed. [Screen: Frame Type Filters, with Allow/Pass and Scope columns. Scope values shown: DIX IP TCP Ports, Unlisted; DIX IP UDP Ports, Unlisted; DIX IP Other Protocols, Unlisted; DIX IPX Sockets, All; DIX Other EtherTypes, Unlisted; SNAP IP TCP Ports, Unlisted; SNAP IP UDP Ports, Unlisted; SNAP IP Other Protocols, Unlisted; SNAP IPX Sock
273. ox and clear all other check boxes except the Allow IAPP check box. The access point master radio will only accept the UDP Plus or WTP frames and discard all other frames, which can make a more secure network. Note: If any of the devices are also DHCP clients, you need to check the Allow DHCP check box. To configure 802.11b radio inbound filters: 1. From the main menu, click 802.11b Radio > Advanced Configuration > Inbound Filters. The Inbound Filters screen appears. [Screen: 802.11b Radio Advanced Configuration Inbound Filters, with check boxes Allow IAPP, Allow Wireless Transport Protocol (WTP), Allow UDP Plus (UDP/IP Port 5555), Allow DHCP, and Allow All Other Protocols] 2. For each frame type, check or clear each check box. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration C
274. parameters for the radio. For help, see the next table. 3. Configure the advanced parameters for the radio. For help, see Configuring 802.11b Radio Advanced Parameters on page 114. 4. (Master only) Configure inbound filters. For help, see Configuring 802.11b Radio Inbound Filters on page 117. 5. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 6. (Optional) Configure security by clicking Configure security settings for this radio. For help, see Chapter 6, Configuring Security, on page 171. Table 5. 802.11b Radio Parameter Descriptions. Node Type: Configure the 802.11b radio as a master or station. You can also disable the radio. SSID (Network Name): Enter the SSID (network name) for this radio. The network name is case sensitive and can be no more than 32 alphanumeric characters. 802.11b radios communicate with other 802.11b radios with the same SSID. You need to assign the same SSID to the wireless end devices that will connect to the radio. Frequency: (Master radio only) Choose the frequency within the 2.4 to 2.5 GHz range that this access point uses to transmit and receive frames. The available frequencies are country dependent and are determi
275. [Screen: Advanced Filters, Filter Expressions] Table 15. Example 2: Third Filter Expression (Parameter: Value. Explanation). ExprSeq: 3. The third expression that is executed. Offset: 6. Checks the source Ethernet address, which starts 6 bytes from the destination address. Mask: ff ff ff ff ff ff. Checks the 6-byte source Ethernet address for an exact match. OP: NE. Compares the value after the offset and mask are applied to the value of the Value ID from the Filter Values menu to see if they are not equal. Compare the source Ethernet address with the list of MAC addresses from the Filter Values menu. Value ID: This filter expression applies to value ID 3 from the Filter Values menu. Action: Drop. If the source Ethernet address does not match any address in the list on the Filter Values menu, then drop the frame. Cha
276. [Screen: Frame Type Filters, with an Allow/Pass check box and a Scope field for each frame type, including DIX IPX Sockets, DIX Other EtherTypes, SNAP IP TCP Ports, SNAP IP UDP Ports, SNAP IP Other Protocols, SNAP IPX Sockets, SNAP Other EtherTypes, 802.3 IPX Sockets, 802.2 IPX Sockets, and 802.2 Other SAPs] 2. For each frame type field, check or clear the Allow/Pass check box to configure if the frame types are allowed to pass or are dropped. If you check the check box, the frame type is allowed to pass. For help, see the next table. 3. For each frame type field, set the Scope field to Unlisted or All. For help, see the next table. 4. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. 5. If you set the Scope field to Unlisted for any of the frame types, you must also configure predefined subtype filters or customizable subtype filters. For help, see the next section, Using Predefined Subtype Filters o
277. Using a Telnet Session 43; Saving Configuration Changes 45; Using a Web Browser Interface 45; Using a Telnet Session 47; Chapter 2 Installing the Access Points 49; Installation Guidelines 50; Microwave Ovens 50; Cordless Telephones 50; Other Access Points 51; Installing the AT-WA7501 52; Connecting the AT-WA7501 to Your Wired LAN 53; Connecting the AT-WA7501 to Power 53; Installing the AT-WA7500 54; Connecting the
278. [Screen: File System Directory, listing each file's Name, Segment, Type, Length, Date, Time, and Version. Click on a file name to transfer the file from this device to your computer.] Note: The segment column on this screen contains the identifier AB, which indicates the single flash memory segment on an access point. For help, see Understanding the Access Point Segments on page 270. The segment column could contain APP, which would indicate a file stored on the memory card. 2. Click any file name to transfer the file from the access point to your PC. To transfer files to and from a TFTP server: 1. Click Transfer files to or fr
279. point. Managing Your Access Points Using Avalanche. Each time the access point is rebooted, it attempts to connect to the Avalanche Agent. When the access point connects to the agent, the agent determines whether an update is available and immediately starts the software upgrade file transfer or configuration update. You can also schedule these updates, or you can manually initiate an update. Note: The first time the access point locates the agent, it needs to synchronize with the Avalanche system. On the agent, you must have installed a software package that can be downloaded to the access point. To use Avalanche to manage your access points: 1. Create a software package (AVA file) that includes the latest software release (BIN file) using Avalanche Package Builder. [Screen: Avalanche Package Builder] Table 2. Avalanche Parameters. Package Title: A descriptive title of the application. For example, enter WA7500. Package Type: Choose Application. Package Revision: The package version number. For example, enter 2.20. Menu Order: Enter 1. Target: Specifies which access poin
280. point within the same cell area to increase throughput and provide redundancy. For more information, see Using Dual Radio Access Points for Redundancy on page 37. To install multiple access points with roaming end devices: 1. Follow the instructions for installing a simple wireless network in Using One Access Point in a Simple Wireless Network on page 22. 2. Configure the LAN ID. For help, see Configuring the Spanning Tree Parameters on page 136. 3. Configure one of the access points to be a root access point. For help, see About the Primary LAN and the Root Access Point on page 131. 4. If your network has a switch that is not IEEE 802.1d compliant and is located between access points, configure data link tunneling. For help, see About Ethernet Bridging Data Link Tunneling on page 134. Example: Configuring an 802.11g Access Point with Roaming End Devices. In this example, there is one 802.11g radio in each access point. Wireless end devices can roam between the access points to communicate with the host and other end devices. [Figure 9. 802.11g Access Point with Roaming End Devices; labels: Host, Ethernet] Table 6. 802.11g Access Points Parameter Settings. Columns: Screen; Parameter; AP1 802.11g Radio (Root); AP2 802.11g Radio; AP3 802.11g Radio. 802.11g Radio, Node Type: Master; Master; Master. SSID: Op3rat ons; Op3ratlons; Op3rat ons. Spann
281. power. The access point has no On/Off switch, so it boots as soon as you apply power. 4. Press Enter when the message Starting system appears on your PC screen. The Username field appears. [Screen: HyperTerminal session showing the access point boot messages, ending at the Username prompt] 5. In the Username field, type the default user name atilan and then press Enter. The user name is case sensitive. 6. In the Password field, type the default password atilan and then press Enter. The password is case sensitive. The Access Point Configuration menu appears. [Screen: Access Point Configuration menu in HyperTerminal]
282. pter 4 Configuring the Radios. This chapter explains how to configure the radios in the AT-WA7500 and AT-WA7501 access points so that they communicate with your wireless end devices. This chapter covers these topics: About the Radios on page 100; Configuring the 802.11g Radio on page 101; Configuring the 802.11b Radio on page 112; Configuring the 802.11a Radio on page 119. About the Radios. The AT-WA7500 and AT-WA7501 access products may contain one or two radios. You can use access points that contain two different types of radios to support two different types of wireless networks, such as legacy networks. You can use access points with two of the same type of radios as WAPs, as point-to-multipoint bridges, to increase throughput in a busy network, or to provide redundancy. Currently, you cannot have two 802.11g radios or have one 802.11g radio and one 802.11b radio in the access points. The 802.11g radio is sometimes referred to as the 802.11b/g radio because it can be configured to communicate with any 802.11b and 802.11g radios that have the same SSID and security settings. The next sections explain how to configure the radios that are in your access point. Only the radios actually installed in your access point appear in the configuration menus. Configuring the 802.11g Radio
283. r potential problems with the network configuration and security settings. The access point displays error messages under the Possible Configuration Errors heading. Each error message is a hyperlink, which you can click to go to the screen where you can fix the possible configuration error. You can save the configuration changes without resolving any of the possible configuration errors, but the access point may not operate as expected. Note: The access point can only check its own configuration for possible errors. It cannot check to see if the SSIDs, passwords, shared secret keys, and other settings are all the same or compatible on other devices. Screen Showing Possible Configuration Errors. [Screen: Save/Discard Changes. Possible Configuration Errors shown: The RADIUS server default shared secret has not been changed from its default value. The login password has not been changed from its default value. A Pending Changes table lists each Configuration Item with its Was and Is Now values.] To resolve possible configuration errors: 1. Using your web browser, click Save/Discard Changes on the menu bar. 2. Review the error messages listed under the Possible Config
284. r class identifier in its requests. Or, enter the DHCP user class identifier as defined in RFC 3004. When this access point acts as a DHCP client, the string entered in this field is sent in DHCP option 77 in DHCP request messages. DHCP Vendor Class: Leave the field blank if you do not want the DHCP client to include the vendor class identifier in its requests. Or, enter the DHCP vendor class identifier as defined in RFC 2132. When this access point acts as a DHCP client, the string entered in this field is sent in DHCP option 60 in DHCP request messages. Table 2. DHCP Client Parameter Descriptions (Continued). DHCP for Access Point Network: Determines which DHCP servers may be used by access points and wireless devices. Use Any Available DHCP Server: Access points and wireless devices may receive DHCP responses and addresses from any available DHCP server. Only Use Access Point DHCP Server: Access points and any associated wireless devices may receive DHCP responses and addresses only from an access point DHCP server. Currently, the DHCP server must be located in the root access point. If this option is selected and the root access point does not have a DHCP server enabled, access points and wireless devices will not be able to receive a DHCP address. You can use this option i
285. r enabled automatically, depending on the continuous range of addresses you enter into the DHCP server. NAT is disabled if the range of addresses to be given to DHCP clients is on the same subnet as the access point. NAT is enabled if the range of addresses to be given to DHCP clients is not on the same subnet as the access point; thus, you are creating a virtual network, and the DHCP server will also perform NAT translation. When NAT operation is enabled, the access point uses the low address in the range of addresses as its own. The DHCP/NAT clients also use this address as their router IP address. These clients can configure the access point using this internal IP address or the normal external IP address. To configure the access point as a NAT server: 1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears. 2. Verify that the IP Address field and IP Subnet Mask field are configured. For help, see Configuring the TCP/IP Settings on page 66. 3. In the DHCP Mode field, choose This AP is a DHCP Server. 4. Click Submit Changes to save your changes. 5. Click DHCP Server Setup and enter a range of IP addresses that are not on the same subnet as the access point. 6. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes an
286. r example, 1 ap824x.prg refers to the AP824X.PRG file that is located in segment 1. For details about using segment numbers and names for an access point which contains only one flash memory segment, see Understanding the Access Point Segments on page 270. FB. Purpose: Makes an inactive segment the active segment. Because the AT-WA7500 and AT-WA7501 have only one flash memory segment, this command has no effect on the access points. This command is included here for backward compatibility with older scripts only. Syntax: FB bootsegment datasegment, where bootsegment is the name or number of the boot segment to be activated and datasegment is the name or number of the data segment to be activated. Example: These examples apply to non-AT-WA7500 and AT-WA7501 products and are included for your reference only. To make segment 2 the active boot segment and segment 4 the active data segment, enter FB 2 4. You can use an asterisk instead of a segment name if you want to leave that segment unchanged. For example, to leave the active boot segment unchanged and make segment 4 the active data segment, you could enter FB * 4. After loading software into the access point, a common task is to activate the new software. To activate the new software, enter FB IB ID. This command activates the inactive boot and data segments. You do not need to know which of the boot and d
287. r network, you can implement one or more of the security solutions in the following table. Table 1. AT-WA7500 and AT-WA7501 Security Solutions. Columns: Security Type; Secure Backbone; Data Privacy; Client Authentication. Change default parameters: X. Disable access methods: X. Enable secure IAPP: X. Enable secure wireless hops: X X. Use a password server to manage access point logins: X. Configure a VLAN for each radio: X. Use an Access Control List (ACL): X. Use WEP 64/128/152 security: X. Use an 802.1x security solution: X X X. Use Wi-Fi Protected Access (WPA): X X X. These security features and solutions are listed below in the order of amount of security and ease of use (most basic, least secure, to most secure). Allied Telesyn recommends you configure your wireless network for the maximum possible security that you deem necessary for the integrity of your network. 1. Change the SSID from its default value of ATILAN and check the Disallow Network Name of ANY check box. For help, see Chapter 4, Configuring the Radios, on page 99. 2. Enable/disable access methods. For example, if you are not using telnet sessions to configure or manage your access point, you can disable
288. rame subtype is allowed to pass. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Customizing Subtype Filters. You can define output filters that restrict customized frame subtypes that can pass through an IP tunnel. Frames can be filtered by the DIX, 802.2, or 802.3 SNAP type, the IP protocol type, or the TCP or UDP port number. By default, the filters drop all protocol types except the NNL DIX Ethernet type (hexadecimal 875B). Filters must be configured in all root candidates and in any access point that can attach to the remote end of an IP tunnel. You define the action, subtype, and value parameters in customized filters. Allow/Pass: Check or clear this check box. Check this check box to pass all frames of the subtype and value. Clear this check box to drop all frames of the subtype and value. Subtype: Selects the frame subtype you wish to configure. Value: The next table describes frame subtypes and their values. The value must be two hex pairs. When a match is found between frame subtype and value, the specified action is taken. To customize subtype filters: 1. From the main menu, click IP Tunnels > Customizable Subtype Filters. The Customizable Subtype Filters screen appears.
289. Select one of the following tasks: Read or write the EAS RADIUS database. Transfer files to this device using your browser. View the file system directory and read files from this device using your browser. Transfer files to or from this device using the TFTP client. Start or stop the TFTP server. Upgrade software using automated software download. From this screen, you can perform these tasks, which are described next: to import or export an EAS RADIUS database file; to transfer files to the access point using your web browser; to view and copy files from the access point using your web browser; to transfer files to and from a TFTP server; to start or stop the TFTP server; to automatically upgrade software in a network with older access point software. Importing or Exporting an EAS RADIUS Database File: To import or export an EAS RADIUS database file: 1. Click Read or write the EAS RADIUS database. The EAS Database Import/Export screen appears.
290. re an EAS. For help, see Chapter 7, "Configuring the Embedded Authentication Server (EAS)," on page 207. access points, which are the RADIUS clients. If the access point has two radios, or if the access point contains one 802.11g or 802.11a radio with multiple service sets, as described on pages 74 and 89, you can use an ACL for one radio and another type of security for the other radio. For example, you have some end devices that have an 802.1x supplicant and you have some end devices that do not have a supplicant. You can enable one radio to use 802.1x security and the other radio to use an ACL. You can also use one ACL for both radios. However, you cannot use a different ACL for each radio. To use an ACL: 1. From the main menu, click Security, and then click the radio service set you are configuring. The appropriate radio screen appears.
291. reas on a subnet, although it is possible to attach a geographically remote subnet through an IP tunnel. The Internet Engineering Task Force developed RFC 2002, "IP Mobility Support," commonly referred to as mobile IP, to provide mobility for IP hosts. Mobile IP is designed primarily to address the needs of wireless end devices that may move between geographically separated locations. The two technologies are complementary and may coexist. Both protocols use similar encapsulation to forward frames to or from end devices that have roamed away from a root IP subnet. The root access point functions much like a mobile IP home agent; an access point attached to the remote end of an IP tunnel functions much like a mobile IP foreign agent. Table 6. IP Tunnels and Mobile IP Comparison. Software compatibility. IP Tunneling: No changes are required to existing IP software stacks in end devices. Mobile IP: Requires a mobile IP client software stack in end devices. Addressing limitations for IP end devices. IP Tunneling: Requires that end device IP addresses belong to the root IP subnet. Mobile IP: None. Security. IP Tunneling: Guest addresses are not used. Data link security. Mobile IP: Mobile IP authentication is required for guest access to foreign subnets. Roaming detection. IP Tunneling: Data link indications facilitate fast roaming with no added broadcast traffic. Mobile IP: Foreign agent advertisements. Roaming restrictions. Mobile IP: None. IP Tunneling: Currently roaming is limited to a single network that may
292. reless end devices can communicate with either access point. Figure 15. 802.11a Point-to-Point Bridges. Table 10. 802.11a Point-to-Point Bridges Parameter Settings (each value is given as Primary LAN Root Bridge / Secondary LAN Designated Bridge). 802.11a Radio screen: Allow Wireless Access Points: On Primary / On Primary. Node Type: Master / Master. SSID: Manufacturing / Manufacturing. Spanning Tree Settings screen: LAN ID: 11 / 11. Root Priority: 5 / 0. Ethernet Bridging Enabled: Checked / Checked. Secondary LAN Bridge Priority: 0 / 1. Secondary LAN Bridge Flooding: Disabled / Enabled. Allied Telesyn recommends that you always implement some type of security. Using Dual Radio Access Points for Redundancy: You can configure AT-WA7500 units and AT-WA7501 units that have two 802.11g radios, two 802.11b radios, or two 802.11a radios to provide redundancy for your network. Note: Currently, the AT-WA7500 and AT-WA7501 do not support two 802.11g radios. During normal operations, end devices send frames to the master radio in one of the access points, which bridges the frames to the wired network. If a section of the wired network goes down, the master radio receives the frames, and then the station radio forwards the frames to a master radio in another access point that is within range
293. ress of the access point. This MAC address is printed on a label that is on the bottom of the access point. Note: If you are only recovering one access point, you can enter 00-10-40-FF-FF-FF. This special MAC address works with all access points. 2. Type this command to continuously ping the access point while you boot the access point: ping -t -l 100 IPaddress, where IPaddress is the access point IP address you assigned in Step 1. 3. Disconnect and reconnect the power cable (or Ethernet cable if you are using power over Ethernet) to the access point. The access point has no On/Off switch, so it boots as soon as you apply power. 4. When the access point responds to the ping, use any TFTP client to transfer the AP824X.DNL file to the access point. Make sure the Transfer mode is binary: tftp -i IPaddress put AP824x.dnl, where IPaddress is the access point IP address you assigned in Step 1. Once the TFTP transfer is complete, the access point will begin booting the image that was just passed to it. This image is only resident in RAM. If you reboot the access point or if the access point loses power, the AP824X.DNL image will be lost. 5. Type this command to remove the static ARP cache entry from your PC: arp -d IPaddress, where IPaddress is the access point IP address you assigned in Step 1. When the access point is done booting, all access point ser
294. ress will be used for name resolution and will be distributed to DHCP clients when this access point is a DHCP server. DNS Address 2: Displays the IP address of the Domain Name Server. This address will be used for name resolution and will be distributed to DHCP clients when this access point is a DHCP server. NAT Status: This informative entry lets you know if DHCP has been properly configured and if the range of addresses has automatically enabled Network Address Translation (NAT). Supported DHCP Server Options: When the access point is acting as a DHCP server, it issues IP address leases to configure the IP address along with the DNS addresses, DNS suffixes, IP subnet mask, and IP router. These parameters will contain the same values as those configured for the access point. Unsupported DHCP Server Options: When the access point is acting as a DHCP server, it does not support any DHCP options other than those listed. The DHCP server disregards any DHCP options that are not explicitly required by the DHCP specification. The DHCP server ignores all frames with a non-zero giaddr (gateway IP address). The DHCP server only responds to requests from its own subnet. About Network Address Translation (NAT): NAT allows IP addresses to be used by more than one end device. The access point can act as a NAT server, which instantaneously rewrites IP addresses and port number
295. The Find This Access Point button will cause the LEDs on this access point to blink in a unique pattern. The two outer LEDs will light solid and the inner LEDs will all blink together. This feature is intended to help locate this access point in a large facility. 2. Scroll down to view more information about the access point. Using the LEDs to Locate Access Points. 3. Continue scrolling down until you see the subtitle Configuration Summary. 4. Click the button under the Configuration Summar
296. ribution of key material needed for encryption and message integrity checks. Currently, WPA satisfies some of the requirements in the IEEE 802.11i draft standard. When the standard is finalized, WPA will maintain forward compatibility. WPA runs in Enterprise (802.1x) mode or PSK (pre-shared key) mode. In Enterprise mode, WPA provides user authentication using 802.1x authentication and the Extensible Authentication Protocol (EAP). An authentication server (such as a RADIUS server) must authenticate each device before the device can communicate with the wireless network. In PSK mode, WPA provides user authentication using a shared secret key between the access point and the end devices. It does not require an authentication server. WPA-PSK is a good solution for small offices or home offices that do not want to use an authentication server. To use WPA security, you need: an access point with an 802.11 radio that supports WPA; end devices with a radio and software that support WPA; (Enterprise mode only) an authentication server, which is software that is installed on a PC or server on your network, or an EAS. The authentication server accepts or rejects requests from end devices that want to communicate with the 802.1x-enabled network. For help, see Chapter 7, "Configuring the Embedded Authentication Server (EAS)," on page 207. To configure WPA security: 1. From the main menu, click Security, and then click the radio service
297. 2. Configure the spanning tree parameters. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. 4. (Optional) Configure security by clicking Configure Spanning Tree Security. For help, see "Creating a Secure Spanning Tree" on page 183. Table 2. Spanning Tree Parameter Descriptions. AP Name: Enter a unique name for this access point. The name can be from 1 to 16 characters. The default is the access point serial number. LAN ID (Domain): Enter the LAN ID. All access points must have the same LAN ID to participate in the same spanning tree. The LAN ID is a number from 0 to 254. Root Priority: Determines if this access point is a candidate to become the root of the spanning tree. The access point with the highest root priority becomes the root whenever it is powered on and active. The root priority can be a value from 0 (off) to 7. The value 1 is the highest priority for a participating access point. If you set the root priority to 0, the access point can never become the root access point. All access points on the secondary LAN should have
298. rk for an end device, it reverses this process. You should only use data link tunneling if you have Ethernet switches that do not support the IEEE 802.1d requirements for backward learning or if you are using IP tunnels to provide mobility of other routable protocols. To enable data link tunneling, disable Ethernet bridging. designated bridge: Also called a secondary LAN bridge. An access point that is assigned the role of bridging frames destined for or received from a secondary LAN. A designated bridge connects a secondary LAN with the primary LAN. In the access point, the secondary LAN bridge priority parameter determines if the access point is a candidate to become the designated bridge. DHCP (Dynamic Host Configuration Protocol): An Internet standard stack protocol that allows dynamic distribution of IP address and other configuration information to IP hosts on a network. Implementation of the DHCP client in Allied Telesyn network devices simplifies installation because the devices automatically receive IP addresses from a DHCP server on the network. directional antenna: An antenna (often called a yagi) that transmits and receives RF signals more in one direction than others. This radiation pattern is similar to the light that a flashlight produces. These antennas have a narrower beam width, which limits coverage on the sides of the antennas. Directional antennas have much higher gain than omni ant
299. rm Network Address Translation (NAT) for the clients to which it grants IP addresses. Table 4. DHCP Server Setup Parameter Descriptions (Continued). High Address: Enter the high IP address in the range of IP addresses available to the DHCP server for distribution to DHCP clients. If these addresses are not on the same subnet as the access point, the access point will perform Network Address Translation (NAT) for the clients to which it grants IP addresses. Lease Time: Specifies the duration of the leases that are granted by the DHCP server. Enter the lease time in the format days hours minutes. If you set the lease time to 0, infinite leases are granted. Permanently Save IP Address Mappings: If you check this check box, the DHCP server stores permanent mappings of IP addresses to DHCP client identifiers. A DHCP client is guaranteed to receive the same IP address each time it requests an address, even if the DHCP server reboots. If you clear this check box, the DHCP server tries to grant clients the same address each time, but that result is not guaranteed. Display-only parameters: IP Subnet Mask: Displays the subnet mask entered at the TCP/IP Settings screen. IP Router (Gateway): Displays the address of the IP Router. DNS Address 1: Displays the IP address of the Domain Name Server. This add
300. rnet Parameter Descriptions. Port Type: Appears only if the access point has a fiber optic port. This field specifies the port that the access point uses to communicate with the Ethernet network. 10/100 Mb Twisted Pair: The access point communicates with the Ethernet network through the Ethernet port. 100 Mb Fiber Optic: The access point communicates with the Ethernet network through the fiber optic port. Link Speed: If Port Type is 100 Mb Fiber Optic, this field is automatically set to 100 Mbps Fiber Optic full duplex. Choose the speed and duplex mode you want this port to use to communicate with the Ethernet. If you want the access point to auto-negotiate this field, choose Auto Select. Auto Select should work for most networks. Enable Link Status Check: Check this check box if you want the access point to periodically check its Ethernet connection. If it loses the connection, this access point can no longer be the root access point, and any end devices that are connected to this access point, whether or not it is the root, will roam to a different access point. The access point will attempt to reconnect to the spanning tree through one of its radio ports. Clear this check box if this access point must be the root access point or if it is used as a WAP. If you have a secondary LAN, you should configure the Ethernet address table in the designated bridge or WAP on the sec
301. rowser interface. The web browser interface has been tested using Internet Explorer. Remotely accessing the access point using other browsers may provide unpredictable results. When using the web browser interface, keep the following points in mind: Your session terminates if you do not use it for 15 minutes. Command Console mode is not available. Note: If you access the Internet using a proxy server, you must add the IP address of the access point to your Exceptions list. The Exceptions list contains the addresses that you do not want to use with a proxy server. To use a web browser interface: 1. Determine the IP address of the access point. If a DHCP server assigned the IP address, you must get the IP address from the DHCP server. 2. Start the web browser application. 3. Access the access point using one of these methods: In the Address field (Internet Explorer) or in the Location field (Netscape Communicator), enter the IP address and press Enter. From the File menu, choose Open (Internet Explorer) or choose Open Page (Netscape Communicator). In the field, enter the IP address and press Enter. The Access Point Login screen appears. Note: This login session is not secure. A secure session is available. Some features such as importing certificate
302. s This chapter explains some of the more advanced ways that you can maintain the access points. This chapter covers these topics: Understanding the Access Point Segments; Understanding Transparent Files; Using the AP Monitor; Using Command Console Mode; Creating Script Files; Copying Files To and From the Access Point. Understanding the Access Point Segments: The AT-WA7500 and AT-WA7501 access points contain one flash memory segment as well as temporary memory (RAM). Several of the commands described in this chapter require that you specify the segment where a file is located on the access point. To indicate the segment where the file is located, you precede the filename with either a segment number or name followed by a colon. For example, 1:ap824x.prg refers to the AP824X.PRG file located in segment 1. The segment numbers (1, 2, 3, and 4) and names (id, ib, ad, and ab) actually indicate specific segments on older access points. But these numbers and names all indicate the same flash memory segment on an access point. When you use a command that requires a segment number or name, you can specify 1, 2, 3, 4, id, ib, ad, or ab to indicate the one flash memory segment on the access point. For consistency, all the commands in this chapter use the segme
303. s The 802.1x authentication process uses a RADIUS server, which is the authentication server, and access points, which are the authenticators, to manage the wireless end device authentication and wireless connection attributes. Extensible Authentication Protocol (EAP) authentication types provide devices with secure connections to the network. They protect credentials and data privacy. Examples of EAP authentication types include Transport Layer Security (EAP-TLS) and Tunneled Transport Layer Security (EAP-TTLS). To implement 802.1x security, you must have the following: An authentication server (RADIUS server), which is software that is installed on a PC or server on your network, or an EAS. The authentication server accepts or rejects requests from end devices that want to communicate with the 802.1x-enabled network. For help, see Chapter 7, "Configuring the Embedded Authentication Server (EAS)," on page 207. An authenticator, which is an access point on your network. The authenticator receives requests from end devices that want to communicate with the network and forwards these requests to the authentication server. The authenticator also distributes the WEP keys to end devices that are communicating with it. End devices that are 802.1x-enabled. These end devices have an 802.11b or an 802.11a radio and a supplicant (EAP-TLS, EAP-TTLS, or PEAP) loaded on them. Supplicants request communication with the authenticator using a specifi
304. Contents: Using sdvars Commands; Creating Script Files; New Sample Script for Upgrading an Access Point; Legacy Sample Script for Upgrading Any Access Point; Copying Files To and From the Access Point; Importing or Exporting an EAS RADIUS Database File; Transferring Files Using Your Web Browser; Viewing and Copying Files Using Your Web Browser; Transferring Files to and from a TFTP Server; Starting or Stopping the TFTP Server; Automatically Upgrading Software
305. 6. For each password server, enter the IP address or DNS name, enter the shared secret key, port number, and check the Login check box. Note: If you enter more than one password server, see page 132 for a description of how the access point uses the servers. 7. Configure the password server database. In the EAS database, in the Type field, choose Login and then enter the user name and password for each login. For help, see Chapter 7, "Configuring the Embedded Authentication Server (EAS)," on page 207. For help configuring an external RADIUS server database, see the documentation that came with your server. Changing the Default Login: If you are not using a password server to authorize user logins, you should change the default user name and password and create a read-only password. To set up logins: 1. From the main menu, click Security > Passwords. The Passwords screen appears.
306. s are only available through the secure interface. To only allow secure login and avoid ever seeing this message, change the Browser Access option under the Security menu to "Secure Only." Once you enter the correct user name and/or password, you will be logged in to this access point's configuration menus. If fifteen minutes elapse without activity after you have been logged in, you will be logged out. 4. If necessary, enter a user name and a password. The default user name is atilan and the default password is atilan. You can define a user name and password. For help, see "Setting Up Logins" on page 178. Or, you may want to log in to a secure session. 5. Click Login. The TCP/IP Settings screen appears.
307. s example, three expressions combine to form a single compound expression. The compound expression forms an advanced filter that drops all DIX IP multicast frames except those from the three Ethernet stations whose addresses are listed on the Filter Values menu. The default action is the opposite of the action specified in the last expression. In this example, the action of the last expression is drop; therefore, the default action is pass. Any frame that meets the conditions specified in the advanced filter is passed. Set the first filter expression as shown below. Table 13. Example 2 First Filter Expression. Parameter, Value, Explanation: ExprS
308. s in IP headers so that frames all appear to be coming from (or going to) the single IP address of the access point instead of the actual source or destination. When an end device uses the access point as an IP router, the access point replaces the IP header, which includes the device MAC address, IP source address, and TCP/UDP port, with its own. You can configure the DHCP server to indicate that the access point is the IP router when the server allocates an IP address. Special consideration is given to changing the FTP data connection TCP port number, which is in the body of the TCP frame. After the frame source is modified, it is forwarded to the proper subnet. If the destination subnet is a different subnet from the one the access point is on, the destination MAC address is changed to the IP router that has been configured for the access point. If the destination subnet is the same subnet as the one the access point is on, the access point converts the MAC address to the MAC address that belongs to the destination IP address. This may involve using ARP for MAC address discovery. When the access point receives a frame with its IP address, it identifies the need for address translation by inspecting the destination port number. If the port number is within the pool reserved for NAT operation, it looks up the original MAC address, IP address, and port number. The frame is then modified and forwarded to the end device. NAT operation is disabled o
309. s on this radio port. Hello messages help maintain the spanning tree and serve as beacon messages to synchronize communications with end devices. Chapter 5: Configuring the Spanning Tree. This chapter explains how to configure the AT-WA7500 and AT-WA7501 access points so that they create a spanning tree topology. This chapter covers these topics: About the Access Point Spanning Tree; Configuring the Spanning Tree Parameters; About IP Tunnels; Configuring IP Tunnels; Filter Examples; Comparing IP Tunnels to Mobile IP; Configuring Global Parameters. About the Access Point Spanning Tree: AT-WA7500 and AT-WA7501 access points with the same LAN ID arrange themselves into a self-organized network using a spanning tree topology. The spanning tree provides efficient, loop-free forwarding of frames through the network and allows efficient roaming of wireless end devices. It contains at least a primary LAN and a root access point, but it may also contain secondary LANs, designated bridges, and other access points. This spanning tree contains a root access point on the primary LAN and a designated bridge on the secondary LAN.
310. s point software. For help, see "Upgrading the Access Points" on page 266. You should never need to use this procedure. However, if your access point is not functioning, you may need to download an entirely new file system. If the access point loses all its files except the boot ROM code, you cannot ping the access point, you cannot establish a telnet session to the access point, and the LEDs display this pattern. Table 16. LED Pattern of a Failed Access Point: Only Boot ROM code is available on access point. Load new files. Wireless 1 and 2 blink in unison. You can recover a failed access point using a Windows NT4/2000/XP PC. The procedure is explained in the next subsection. Using a Windows NT4/2000/XP PC: You can use a Windows NT4/2000/XP PC and a command prompt to recover a failed access point. To access a command prompt, see your Windows documentation. For this procedure, you will need to contact Allied Telesyn Technical Support to obtain the AP824X.DNL file. To recover a failed access point: 1. From a command prompt, type this command to create a static ARP cache entry for the netloader: arp -s X.X.X.X YY-YY-YY-YY-YY-YY, where X.X.X.X is the IP address that you want to assign the access point. YY-YY-YY-YY-YY-YY is the MAC add
311. sal Hierarchical Flooding Hierarchical Disabled. Multicast Outbound to Secondary LANs: range Enabled globally, Set locally; default Set locally. Allow Multicast Outbound to Terminals: range Check/Clear; default Check. Unicast Flooding: range Universal, Hierarchical, Disabled; default Disabled. Enable ARP Flooding (if Unicast Flooding is Universal or Hierarchical): range Check/Clear; default Check. Unicast Outbound to Secondary LANs: range Enabled globally, Set locally; default Set locally. Allow Unicast Outbound to Terminals: range Check/Clear; default Check. Global RF Parameters Menu Defaults (Parameter Name, Range, Default, Your Site). Perform RFC1042/DIX Conversion: range Check/Clear; default Check. S-UHF Rfp Threshold: Set Globally, range Enabled/Disabled, default Disabled; Value, range 0 to 250 bytes, default 70 bytes. S-UHF Frag Size: Set Globally, range Enabled/Disabled, default Disabled; Value, range 50 to 250 bytes, default 250 bytes. 902 MHz Frag Size: Set Globally, range Enabled/Disabled, default Disabled; Value, range 50 to 250 bytes, default 250 bytes. S-UHF/902 MHz Awake Time: Set Globally, range Enabled/Disabled, default Disabled; Value, range 0 to 250 tenths of a second, default 10 (902 MHz), 20 (S-UHF). RFC1042 Types to Pass Through: 1: range two sets of hexadecimal pairs 00 through FF, default 80 F3. 2: range two sets of hexadecimal pairs 00 through FF, default 81 37. 3 through 20: default 00 00, range two sets of hexadecimal pairs 00 t
312. sary. For example, you might use the AP monitor to upgrade the access point software or when instructed to do so by Allied Telesyn Technical Support. Entering the AP Monitor: 1. Use a communications program to start a session with the access point. 2. Reboot the access point. 3. When you see the message <Press any key within 5 seconds to enter the AP monitor> during the boot process, press Enter. The ap prompt (ap>) appears. Using AP Monitor Commands: You can display a list of AP monitor commands on the screen anytime you see the ap prompt. To list AP monitor commands: Press any key (except the letter B, which reboots the access point) and then press Enter. A list of AP monitor commands appears: Display Mfg Record, Ymodem File Download, CAM Menu, File System Directory, Test Menu, Run Flash Startup File, Service Menu, Manufacturing Menu, Serial Baud Rate, Device IDs Menu. B. Purpose: Reboots the access point. Syntax: B. FD. Purpose: Displays the flash file system directory, including information about the boot file. Syntax: FD. FR. Purpose: Finds the first executable file in the access point boot segment and tries to run it; therefore, the fir
313. sec Capabilities AP Connections B AP Neighbors Port Statistics Events Log About This Access Point Radio 2 neighbors received on channel 36 Table 5 AP Neighbors Screen Fields Display Field Description Address Displays the MAC address of the originator of the contact Channel Displays the channel advertised in the beacon Signal dBm Displays the power level of reception measured in dBm Graph colors red yellow green indicate poor adequate good signal levels for communication respectively SSID Displays the SSID advertised in the beacon This field may or may not be advertised by the originator of the contact Age sec Displays the amount of time in seconds that has elapsed since the last contact from the originator 235 Chapter 8 Managing Troubleshooting and Upgrading Access Points Table 5 AP Neighbors Screen Fields Continued Display Field Description Capabilities This information is derived from the capability information sent in the beacon Capabilities may include ESS Set for an access point and cleared for an end device or ad hoc device IBSS Cleared for an access point and set for an end device or ad hoc device Privacy Indicates that encryption is required on this service set Short Preamble Indicates that short preambles may be used for frame transmission on this service set OFDM Allowed Use of DSSS OFDM is allowed
314. sed manager text based menu system serial port Telnet SNMP SNMP agent RFC 1213 MIB 2 RFC 1398 dot3 RFC 1493 Bridge 802 11 802 1x Regulatory Approvals EN 55022 CISPR 22 Class A FCC Part 15 amp ICES 003 Class A C tick Marked AS 3548 CE Market Compliant with RTT amp E EMC LVD directives See separate radio approvals UL Listed 1950 C22 2 950 IEC 60529 IP53 and C22 2 94 ENC 3 5 TUV Licensed EN 60950 amp EN 60539 IP53 NYCE Certified NOM 19 plenum rated 312 Radio Specifications AT WA7500 and AT WA7501 Installation and User s Guide IEEE 802 11g IEEE 802 11b Table 3 IEEE 802 11g Radio Technical Specifications Frequency band 2 4 to 2 5 GHz worldwide Type Direct sequence spread spectrum Modulation Power output Direct sequence spread spectrum CCK DQPSK DBPSk 63 mW 18 dBm Basic data rate Extended data rate 11 5 5 2 and 1 Mbps 54 48 36 24 18 12 9 and 6 Mbps Channels 11 North America 13 Europe 4 France 14 Japan 1 Israel Range Maximum power output 11 Mbps 160 m 525 ft open environment 50 m 165 ft semi open environment 24 m 80 ft in closed environment Unlimited range with roaming Receiver sensitivity 82 dBm 11 Mbps Security IEEE 802 11 Wired Equivalent Privacy WEP standard WEP 64 WEP 128 Wi Fi Protected Access WPA 1 Lowering the power output le
315. seful in areas that do not support a wired network connection Chapter 1 Getting Started On the left this illustration shows the ways you can manage and configure the access point and on the right it shows the access point s general multiport bridge architecture Management and Configuration Multiport Bridge Forwarding Spanning Wireless ARP Database Tree Server TCP IP Bridging rere HTTP Ethernet Radio Radio IP File Configuration Port Port 1 Port 2 Port System Settings Configuration Port x RS 232 Connector Ethernet Antenna Antenna Connection Connection Connection Figure 1 Access Point Architecture Access points are multiport Ethernet to wireless bridges and because wireless end devices operate similarly to other Ethernet devices all your existing Ethernet applications will work with the wireless network without any special networking software Any access point except the root access point can concurrently receive hello messages on its Ethernet port its radio port and its IP tunnel port However an access point can use only one port to attach to the network Port priorities are structured as follows 1 Ethernet 2 IP tunnel 3 Radio Unlike the physical Ethernet and radio ports the IP tunnel port does not have its own output connector It is a logical port that provides IP encapsulation services for frames that must be routed to reach their destinations Once frames are encapsulated they are tr
316. shared Key: Allows you to enter the pre-shared key for WPA. You can enter a 256-bit (32-byte) hexadecimal value or an ASCII pass phrase. To enter a hexadecimal key, start the value with 0x and follow it with 64 hexadecimal digits. If you omit the 0x, the value is treated as an ASCII pass phrase, and the key is derived from the pass phrase using the PBKDF2 algorithm. A short PSK is not as secure as a long PSK. Table 6 WPA-PSK Security Parameter Descriptions (Continued). Key Rotation Period (Minutes): Allows you to specify the key rotation policy for encryption keys when using WEP in 802.1x and for TKIP group keys when using WPA. The value represents key duration in minutes. The default value is 5 minutes. Configuring WPA-802.1x Security. Screen: Security, 802.11g Radio, with fields Enable ACL, Client Authorization, VLAN, Security Level (WPA 802.1x), Multicast Encryption Type (TKIP, WPA Only), Key Rotation Perio
317. ss Point Configuration Simply connecting the world Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Help Security 802 11g Radio Secondary 1 TCP IP Settings Submit Changes 802 11g Radio 802 11a Radio Enable ACL Client Authorization I Telnet Gateway Ga Ethernet IP Tunnels Network Management Security Passwords 802 11g Radio E 802 112 Radio Secondary 1 802 11g Radio Secondary 2 802 11g Radio Secondary 3 802 11a Radio RADIUS Server List Spanning Tree Security Ea Embedded Authentication Server Certificate Details Security Events a Maintenance z Security Level 6 In the VLAN field enter the VLAN number that encapsulates all frames received on this radio port This value must match the values that are set in the VLAN capable Ethernet switches on the primary LAN Note The value in the VLAN field is also called the VLAN tag 7 Repeat Steps 5 and 6 to assign a unique VLAN tag to each service set that you want to configure to support a VLAN 8 Click Submit Changes to save your changes To activate your changes from the menu bar click Save Discard Changes and then click Save Changes and Reboot For help see Saving Configuration Changes on page 45 Configuring You can configure static WEP keys to provide security between the access WEP 64 128 152 Points and the wireless end devices To use static WEP keys your
318. st executable file in the access point boot segment must be the boot file. Syntax: FR. FX: Purpose: Downloads a file using Ymodem batch protocol into the flash segment that is specified by s. Syntax: FX s, where s is destination segment. You can use any number (1, 2, 3, or 4) to specify the one flash memory segment on the access point. MR: Purpose: Displays the manufacturing record for the access point. Use the MR command to display the MAC address, configuration string, and serial number for your access point. Syntax: MR. SR: Purpose: Sets the baud rate of the access point. Syntax: SR z, where z is the baud rate. You must enter the baud rate as a whole number with no commas. For example, to enter a baud rate of 19,200, you must enter 19200. You can also set the baud rate to autobaud, which lets the access point set its baud rate to match the baud rate of your wireless end device. Type SR 0 and press Enter twice. Using Content Addressable Memory (CAM) Mode Commands: You may need to use CAM commands to perform certain functions. Since the Ethernet port on the access points supports data rates significantly higher than the radio ports, all frames cannot be forwarded from the Ethernet network to the radios. CAM, which is controlled by the Field Programmable Gate Array (FPGA), filters frames based on the radio's capability. Because the commands can cause
319. syn recommends that you perform this step because it provides another layer of security 199 Chapter 6 Configuring Security 5 Click Submit Changes to save your changes To activate your changes from the menu bar click Save Discard Changes and then click Save Changes and Reboot For help see Saving Configuration Changes on page 45 6 Repeat Steps 1 through 5 for each access point in your spanning tree All access points must have the same IAPP secret key to communicate with each other In the access point that contains the master radio click Maintenance gt AP Connections The AP Connections screen lists the station radios including ones in other access points that are communicating with the master radio For help see Viewing AP Connections on page 231 Table 5 Spanning Tree Security Authentication Method Descriptions Parameter Description Allow SWAP Determines if this access point authenticates to other access points using SWAP Allow TLS If the authentication server offers the TLS protocol for the authentication method this check box determines if this access point can use its server certificate to authenticate to the network Allow TTLS MSCHAPv2 If the authentication server offers the TTLS protocol for the authentication method this check box determines if this access point uses a login to authenticate to the network This login must be in the authentication server database
320. t group IP multicast has these advantages m m You do not have to know the unicast or directed broadcast IP addresses in advance IP multicast provides better built in redundancy than IP unicast because any access point can establish an IP tunnel 143 Chapter 5 Configuring the Spanning Tree 144 IGMP is a standard protocol that lets you originate multiple IP tunnels using one IP multicast address It allows IP multicast frames to be routed to remote IP subnets that have hosts participating in the multicast group Note that IGMP is independent of IP it can be used to facilitate multicast for IP or any other application IGMP has these advantages o Causes IP hello messages to be forwarded only to those subnets that participate in the IP multicast group O Increases redundancy because multiple access points on a remote subnet can receive IP hello messages IP routers only forward multicast frames to those subnets that have IP hosts that participate in the respective IP multicast group An IP host uses IGMP to notify IP routers that it wants to participate in an IP multicast group Access points can act as IP hosts and participate in an IP multicast group by enabling IGMP The Internet Assigned Numbers Authority has allocated 224 0 1 65 for the AT WA750x s IAPP You must enter this address in the IP address list in the root access point the address list may contain other IP addresses and in the Multicast Address fi
321. t Aaji 802 11a 802 11a Allow Wireless Access On Primary Radio Points Node Type Master Master SSID ATILAN ATILAN Spanning LAN ID 11 11 Tree Ga Settings Root Priority 5 0 Ethernet Bridging Enabled Checked Checked Secondary LAN Bridge 0 0 Priority You need to configure the wireless end devices to have the same SSID LAN ID and frequency as the WAP radio You do not need to configure any secondary LAN settings because the WAP is not connected to a secondary LAN Allied Telesyn recommends that you always implement some type of security 31 Chapter 1 Getting Started Using Access Points to Create a 32 Point to Point Bridge You can use access points to create a point to point bridge between two wired LANs That is you can have one access point wired to a primary LAN in one building and have a second access point wired to a secondary LAN in another building This configuration lets wired and wireless end devices in both buildings communicate with each other which can be useful in a campus environment or any other environment where pavement or other objects prevent installation of a wired link This illustration shows two simple wireless networks that are connected with access points that are acting as point to point bridges Primary LAN Secondary LAN Root Designated bridge Figure 13 Access Points as Point to Point Bridges Point to point bridges send data from end devices on the secondary LAN to the root
322. t kit o Rotating mounting bracket kit To order one of these kits contact your Allied Telesyn representative To maintain the IP54 environmental rating you must mount the AT WA7501 in either the horizontal or vertical position If you order the AT WA7501 with the heater option you must use one of the mounting bracket kits to mount the AT WA7501 with the LEDs facing down A variety of external antenna options are available for the AT WA7501 Contact your Allied Telesyn representative for information about the various antenna options including higher gain and directional antennas For more information about antennas and antenna accessories see Antennas and Antenna Accessories on page 247 To install the AT WA7501 do the following procedure 1 Attach the antenna or antennas For more information see External Antenna Placement Guidelines on page 60 Note If the AT WA7501 has an 802 11a full range radio you must use the antennas that are already attached to the antenna connectors 2 Mount the AT WA7501 For help see the AT WA7501 Quick Install Guide and the instructions that shipped with the bracket kit 3 Connect the AT WA7501 to your wired LAN unless you are using it as a WAP For help see Connecting the AT WA7501 to Your Wired LAN on page 53 4 Connect the AT WA7501 to power For help see Connecting the AT WA7501 to Power on page 53 When you are done installing the access points you n
323. tation does not occur unless the radio detects interference Larger frame sizes can improve throughput on a reliable connection while smaller frame sizes can improve throughput on a poor connection 902 MHz Frag Size 902 MHz radios only Specifies the largest data frame that can be transmitted without fragmentation On certain radios fragmentation does not occur unless the radio detects interference Larger frame sizes can improve throughput on a reliable connection while smaller frame sizes can improve throughput on a poor connection AT WA7500 and AT WA7501 Installation and User s Guide Table 8 Global RF Parameter Descriptions Continued Parameter Explanation S UHF 902 MHz Awake Time S UHF and 902 MHz radios only Specifies the amount of time that a wireless end device stays awake when radios are inactive A sleeping device is less responsive to radio activity however the longer a device is kept fully awake the larger the drain on the battery You should set a device to stay awake long enough to receive an expected reply to a transmission and short enough to reduce power consumption The awake time can be set to a number from 0 to 250 tenths of a second RFC1042 Types to Pass Through 802 119 802 11b or 802 11a radios only If the RFC1042 DIX Conversion field is Enabled this parameter specifies values for protocol types that are to be passed without conversion
324. tftp get startup uapboot dnl ib Step 3 Get data files file sdvars set checkpoint 3 file tftp get data bkgrnd dnl id file tftp get data bootchk dn1 id file tftp get data discinca dnl id file tftp get data falcon_ dnl1 id file tftp get data help dnl id file tftp get data hlp dnl id file tftp get data intermec dnl id file tftp get data menu dnl id file tftp get data sftdwnl dnl id file tftp get data welcome dnl id file tftp get data write dnl id Step 4 Set checkpoint to show completed file sdvars set checkpoint 4 AT WA7500 and AT WA7501 Installation and User s Guide Copying Files To and From the Access Point You can accomplish a variety of file import export tasks from the File Import Export screen In the menu bar click File Import Export and the File Import and Export screen appears AT Alied Telesyn Access Point Configuration Simply connecting the world Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export File Import and Export TCP IP Settings Note This login session is not secure A secure session is available 802 11g Radio Some features such as importing certificates are only available through the secure 802 11a Radio interface Spanning Tree Settings Telnet Gateway To only allow secure login and avoid ever seeing this message change the Ethernet Browser Access option under the Security menu to Secu
325. the Login check box for at least one server in the RADIUS Server List 247 Chapter 8 Managing Troubleshooting and Upgrading Access Points 248 Table 8 Alphabetized List of Configuration Error Messages Continued Configuration Error Message Additional Information The access point is set to originate IP tunnels but no there are no tunnel IP addresses On the IP Tunnels screen Mode is set to Originate if Root but no IP addresses have been added to the IP Addresses screen Either change the mode or add some addresses For help see Configuring IP Tunnels on page 148 and Configuring the IP Address List on page 149 The address range for the DHCP server is invalid On the TCP IP Settings gt DHCP Server Setup screen the Low Address and High Address are not set correctly For help see the Table 4 DHCP Server Setup Parameter Descriptions on page 74 The DHCP server is enabled with an address range that is too large If saved the range will be truncated to the maximum number of addresses On the TCP IP Settings gt DHCP Server Setup screen the Low Address and High Address are not set correctly For help see the Table 4 DHCP Server Setup Parameter Descriptions on page 74 The DHCP server requires a non zero IP address The DHCP server subnet mask is invalid The IAPP secret key has not been changed from its default value For help see Configur
326. the event IP Address Indicates the IP address of the device that caused the event Priority Indicates the priority of the event Critical High Low and Informative Critical and High priority events generate an SNMP trap Trap Indicates whether an SNMP trap is sent for this particular event type Count Indicates the number of times the event occurred 240 Viewing the About This Access Point Screen AT WA7500 and AT WA7501 Installation and User s Guide Table 6 Events Log Description Continued Column Description Type Indicates a description of the event Additional Data Indicates extra event specific information Indicates the amount of time that has passed since the event occurred Age This screen shows information about the access point such as the software version radio versions and MAC addresses It also provides a configuration summary section which can either show you the configuration settings that are different from the factory default settings or it can show you all the configuration settings Also you can view a processor utilization graph To view About This Access Point 1 From the menu click Maintenance gt About This Access Point The About This Access Point screen appears This screen is read only MV Allied Telesyn Simply connecting the world Access Point Configuration Logout Save Discard Changes Upgrade Software Dist
327. this access method. For help, see "Controlling Access to Access Point Menus" on page 176. 3. Use a password server to maintain a list of authorized users who can configure and manage the access points. You can either use an external RADIUS server or you can use any access point's embedded authentication server (EAS). Or, change the default login for users who need to configure or manage the access point. For help, see "Setting Up Logins" on page 178. 4. Create a secure spanning tree which between access points and includes secure IAPP and secure wireless hops. For help, see "Creating a Secure Spanning Tree" on page 183. 5. Use a RADIUS server to maintain an access control list (ACL), which is a list of MAC addresses of end devices that can connect to the network through access point. You can either use an external RADIUS server or you can use any access point's embedded authentication server (EAS). For help, see "Using an Access Control List (ACL)" on page 186. 6. Configure VLANs that separate secure and non-secure communications in your network. For help, see "Configuring VLANs" on page 189. When You Include Multiple RADIUS Servers on the RADIUS Server List. 7. Implement one of these mutually exclusive security solutions on each service set to ensure secure communications between the access points and wireless end devices in your network: Use basic WEP 6
328. tion that resides on the device 0 Software collections are logical groups of software packages For more information about software packages and software collections see the Wavelink Avalanche documentation and online help Or visit the Wavelink web site at www wavelink com Configuring Your Access Points to Use Avalanche The first time an access point is assigned an IP address either manually or from a DHCP server it attempts to connect to the Avalanche Management Console through the Avalanche Agent Once it finds the agent it automatically configures the console IP address Note The access points that you want Avalanche to configure and manage must be on the same subnet as the agent 225 Chapter 8 Managing Troubleshooting and Upgrading Access Points To configure your access points to use Avalanche 1 From the main menu click Network Management The Network Management page appears MV Alied Telesyn Access Point Configuration Simply connecting the world Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Help Network Management TCP IP Settings Submit Changes a 302 11g Radio 802 11a Radio SNMP Read Community Telnet Gateway SNMP Write Community f Ethernet SNMP Secret Community IP Tunnels m a Network Management Avalanche Agent Name Tnstant On Security Maintenance 2 Inthe Avalanche Agent Name field enter t
329. tional Access Point Features 290 Error Message Explanation Invalid opcode during read This error should not occur under normal operating conditions This error indicates a TFTP protocol error that will not occur when you use TFTP servers that conform to the protocol TFTP PUT Purpose Copies a file from a TFTP client to the TFTP server or to another access point Syntax TFTP PUT IPaddress foreignfilename localfilename where IPaddress is the IP address or DNS name of the server You can use an asterisk here if you want to use the value in the internal variable serveripaddress as defined on page 293 foreignfilename is the name of the file as it will appear on the server The file name can contain directory path information and must be in the format required by the server operating system localfilename is the name of the file to be sent from the access point Example The following command takes file AP824X PRG that is saved in the active boot drive on the access point client and stores it in the flash memory segment on the access point server that has IP address 1 2 3 4 TFTP PUT 1 2 3 4 IB AP824X PRG 1 AP824X PRG The access point may generate these error messages when it issues a TFTP PUT command Other error messages may be returned from the server and displayed by the access point See your server documentation for additional information Error Message Explanation Ca
330. tions. Table 15 General Security Troubleshooting (Problem/Question, then Possible Solution/Answer). Problem: You enabled secure IAPP in your network, but the access points do not communicate with the root access point. Possible solutions: (a) The root access point is running software release 1.80 or later. All access points must also be running software release 1.80 or later. Upgrade all access points to the same software release as the root access point. (b) Verify that you enabled secure IAPP on all access points. (c) In the root access point, click Maintenance > AP Connections. If any access point station radios are blocked, re-enter the IAPP secret key in all access points. Problem: You are implementing 802.1x security and you cannot get an end device to authenticate with a RADIUS server. Possible solutions: (a) Verify that the RADIUS server IP address is correct. Re-enter the RADIUS server secret key in both the access point and the RADIUS server. (b) Verify that the IAPP secret key is the same in all access points. (c) Verify that the access point that the end device is communicating with has the 802.1x Authentication field set to authenticate the radio that is in the end device. (d) Verify that the root access point is running software release 1.72 or later. (e) Verify that your end device is configured properly for 802.1x security. For help, see the end device user's manual. Recovering a Failed Access Point. Note: Do not use this procedure to upgrade your acces
331. ts can receive this application Enter a between each ModelName ModelName ITCAPWA21 ModelName ITCAPWA22 Package Files The files that are included in this package For example ap220web bin 2 Install the software package using the Avalanche Management Console 3 Schedule access point updates or manually initiate an update using the console For more information on using the Wavelink Avalanche client management system see the Wavelink Avalanche documentation and online help Or visit the Wavelink web site at www wavelink com Important Information When Using Avalanche o If an access point is a DHCP server and Avalanche contains a network profile for the access point that assigns IP addresses from a DHCP server the access point will lose its static IP address Any devices that were supposed to receive an IP address from the access point will not succeed O In Avalanche when configuring a network profile for the access point if you configure two DNS entries two DNS suffixes will be configured for the access point o Tertiary DNS servers are not supported o If you change security parameters in your wireless network and you are using Avalanche make sure that you update the security parameters on your end devices before you update the security AT WA7500 and AT WA7501 Installation and User s Guide parameters on your access point Otherwise you will lose connectivity between your end devices and y
332. ts generate an SNMP trap Trap Specifies if the event generated an SNMP reliable trap Count Indicates the number of times the event occurred Type Includes details of the event that occurred Additional Data Includes extra event specific information 261 Chapter 8 Managing Troubleshooting and Upgrading Access Points Table 14 Security Events Log Description Continued Column Description Age Indicates the amount of time that has passed since the event occurred Note If you use an SNMP management station or another network management tool the age represents how much time has passed since the access point was booted that this event occurred Exporting the Security Events Log You can export the Security Events log from the web browser interface to a comma separated file You can open this file using Microsoft Excel or Notepad To export the security events log 1 From the menu click Security gt Security Events The Security Events log appears 2 Click Export the Security Events Log from this access point A File Download box may appear 3 Click Save The Save As dialog box appears 4 Choose where you want to save the SECLOG CSV file and click Save 262 AT WA7500 and AT WA7501 Installation and User s Guide General Security Troubleshooting This section provides you with information on getting help with your secure network and some problems and solu
333. ts to log in to the access point, the user must enter a user name and password. This login is sent through the RADIUS client (access point) to the RADIUS server. The server compares the login to its list of authorized logins. If a match is found, the server returns an access accept frame and the user is logged in to the access point with read/write privileges. If no RADIUS server is available when the user attempts a login and the Allow Service Password check box is checked, the service password is checked. If the login does not match the service password, the login fails. Note: Each time the service password login attempt fails, the process may take up to 8 seconds. If you do not want to enable RADIUS authorization, you should change the default login user name and password. You may also want to change the read-only password. For help, see "Changing the Default Login" on page 180. Configuring the Access Point to Use a Password Server: If you use a password server to manage users who can log in to this access point, you need to tell this access point how to communicate with the password server and then you need to configure the password server. The password server can either be an EAS or an external RADIUS server. To configure the access point to use a password server: 1. From the main menu, click Security > Passwords. The Passwords screen appears.
334. tunnel have the same LAN ID. On the root access point, set the Mode parameter to Originate if Root. For help configuring a root access point, see "About the Primary LAN and the Root Access Point" on page 131. On the access point at the endpoint of the IP tunnel, set the Mode parameter to Listen. On the root access point, click IP Tunnels > IP Addresses. Enter the IP address or DNS name of the access point at the endpoint of the IP tunnel. On the root access point and the access point at the endpoint of the IP tunnel, click Frame Type Filters. If you have end devices communicating using IP, set these DIX filters to Pass: DIX IP TCP Ports, DIX IP UDP Ports, DIX IP Other Protocols, DIX IPX Sockets, DIX Other EtherTypes. On the root access point and the access point at the endpoint of the IP tunnel, click Predefined Subtype Filters. If you have end devices communicating using IP, set these filters to Pass: DIX ARP, ICMP. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see "Saving Configuration Changes" on page 45. IP tunneling supports IP multicast and Internet Group Management Protocol (IGMP). IP multicast provides an ideal way to distribute IP hello messages. These hello messages are only forwarded to those IP subnets and IP hosts, such as access points, that participate in the multicast
335. tunnels because these filters are used for configuring troubleshooting and upgrading access points 153 Chapter 5 Configuring the Spanning Tree 154 Using Predefined Subtype Filters You can configure the access point to pass or drop certain predefined frame subtypes To configure predefined subtype filters 1 From the main menu click IP Tunnels gt Predefined Subtype Filters The Predefined Subtype Filters screen appears MVE Alied Telesyn Access Point Configuration Simply connecting the world Logout Save Discard Changes Upgrade Software Distributed Network Upgrade File Import Export Help IP Tunnels Predefined Subtype Filters ee Sear ea TCP IP Settings l Submit Changes G2 302 11g Radio ane oe Allow Pass SubType Value panning tting Talner Garay DIX ARP r DIX EtherType 08 06 E Ethernet SNAP ARP r SNAP EtherType 08 06 Ber mer 802 2 IPX RP T 802 2 IPX Socket 04 53 ESSES ames Frame Type Filters 802 2 IPX SAP 802 2 IPX Socket 04 52 E Predefined Subtype Filters INNL Vv DIX EtherType 87 5b Customizable Subtype Filters NETBIOS T 802 2 SAP f0 0 E Network Management i Security ICMP E DIX IP Protocol 00 01 Maintenance DIX AirFortress E DIX EtherType 88 95 i 2 For each frame subtype field check or clear the check box to configure if the frame subtypes are passed or are dropped If you check the check box the f
336. ubtype menus to pass only those specific DIX types that are used in your radio network You can also set the scope for general and specific frame types For example for DIX IP TCP ports you cannot pass all frame types Then all IP frames with the TCP type will be dropped even if specific TCP parts are set to pass in the subtype menus Here is the action and scope you can set for each parameter Allow Pass Check or clear this check box Check the check box to pass all frames of that type Clear the check box to drop all frames of that type Scope Set scope to Unlisted or All If you select All then all frames of that type are unconditionally passed or dropped depending on the action you specified If you select Unlisted then frames are passed or dropped only if the frame type is not listed in the predefined or customizable tables AT 7500 and AT WA7501 Installation and User s Guide To set frame type filters 1 From the main menu click Ethernet gt Frame Type Filters The Frame Type Filters screen appears MVE Allied Telesyn Access Point Configuration Simply connecting the world g mi g istri pg ile ImportiExp p Ethernet Frame Type Filters TCP IP Settings Submit Changes 802 11g Radio 802 11a Radio Spanning Tree Settings Telnet Gateway DIX IP TCP Ports 2 gt Scope a CE Unlisted T Ethernet DIX IP UDP Ports Address Table a Frame Tene Filters DIX IP Other Protocols frame Ly
337. ulticast frames. You can set this rate to 11, 5.5, 2, or 1 Mbps. This parameter should usually be left at the default, 2 Mbps. Enable Medium Reservation: Determines if you want to specify a reservation threshold. Check this check box to set a threshold value. Click Submit Changes and the Reservation Threshold parameter appears. If you clear this check box, you may improve network response time in installations that usually send very small frames or that have no hidden stations. Reservation Threshold: Appears only if the Enable Medium Reservation parameter is checked. If you enable medium reservation, you need to set a threshold value, which is the largest data frame that can be transmitted without reserving airtime. Airtime is normally reserved to help prevent collisions with other transmitters. Distance Between APs: Controls the roaming sensitivity of your end devices. This setting should match the setting on your end devices. You can use this parameter to virtually reduce the range of your access point. If you choose Small or Medium, you do not reduce the absolute range of your radio, but you modify the collision detection mechanism to allow significant overlap of the wireless cells. Thus, you create a higher performance radio network, but you need more access points to cover an area. Enable Microwave Oven Robustness: Determines if the access point activates a modified algorithm for automatic rate fallb
338. uration Errors heading. [Chapter 8: Managing, Troubleshooting, and Upgrading Access Points] 3. Click each error message to jump to the configuration screen where you can resolve the possible configuration error. The configuration error messages are listed in the next table. Most are self-explanatory, but a few require additional information. Table 8, Alphabetized List of Configuration Error Messages (Configuration Error Message: Additional Information). "A RADIUS entry in the RADIUS database has a IP address but no secret key password". "A RADIUS entry in the RADIUS database has a secret key password but no IP address". "A RADIUS server entry points at this access point but the Embedded Authentication Server is not enabled". "A RADIUS server entry points at this access point but the shared secret does not match that of the Embedded Authentication Server": The Default Secret Key for the EAS does not match the secret key value in the RADIUS Server List. For help, see Enabling the EAS on page 213. "A RADIUS server entry points at this access point but the UDP port number does not match that of the Embedded Authentication Server": The UDP port number in the EAS does not match the port number entered in the RADIUS Server List. For help, see Enabling the EAS on page 213. "A secure service set is available but wireless hops are allowed on an insecure service set". A userna
339. uring Ethernet Filters on page 81. Configuring the TCP/IP Settings: If you are using a DHCP server to automatically assign an IP address to the access point, go to Configuring the Access Point as a DHCP Client on page 68. If you are not using a DHCP server, you need to manually assign some TCP/IP parameters. Note: You should have already configured an IP address for the access point. For help, see Configuring the Access Point Setting the IP Address on page 39. To configure the TCP/IP settings: 1. From the menu, click TCP/IP Settings. The TCP/IP Settings screen appears. [Screenshot: TCP/IP Settings screen, with fields IP Address, IP Subnet Mask, IP Router (Gateway), DNS Address 1 and 2, DNS Suffix 1 and 2, DHCP Mode, DHCP Server Name, DHCP User Class, DHCP Vendor Class, DHCP for Access Point Network, and Auto ARP Minutes] 2. Configure the TCP/IP settings. For help, see the next table. 3. If you want to configur
340. utions, you need to go to the RADIUS Server List screen and enter one or more RADIUS servers. The access point uses the first RADIUS server (Server 1) in the list as the main server. Other servers are simply backup servers. If the first RADIUS server responds and the client's information does not appear in that server's database, the client is blocked. The access point does not check the databases on any other RADIUS servers. If the first RADIUS server goes down during the operation and a RADIUS server lookup needs to occur, the authenticator (access point) will time out looking for the first server. Then the access point looks for the next server in the list. If the authenticator (access point) finds the next server, it stays with that server forever, even if the first server comes back. If the backup server goes down, the authenticator (access point) continues looking down the list and eventually wraps around to the first server again. When You Specify the Security Options for Multiple SSIDs per Radio: As described in About the Radios on page 100, you can configure each 802.11g and 802.11a radio with up to four SSIDs, creating up to four service sets per radio. Although each service set shares one physical radio configuration, it may have a completely different security configuration. Also, you can configure each service set for a separate VLAN, as described on page 144
341. ve your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Table 8, Global RF Parameter Descriptions (Parameter: Explanation). Perform RFC1042/DIX Conversion: Determines how the access point will handle the conversion of RFC1042/DIX frames that are received on its radio ports. Check this check box if the frames that are received and have a protocol type equal to a value in the RFC1042 types to pass through list are forwarded without conversion. If the frame has a protocol type that is not found in the list, it will be converted to DIX format before it is forwarded. Clear this check box if the frames that are received are forwarded without conversion; that is, when a SNAP frame is received from a radio with an OUI (Organizationally Unique Identifier) equal to 000000, it will be forwarded without conversion. S-UHF Rfp Threshold (S-UHF radios only): Specifies the largest data frame that can be transmitted without reserving airtime. Airtime is normally reserved to help prevent collisions with other transmitters; however, when the amount of data is small enough, sending the data may be more effective than creating the reservation. S-UHF Frag Size (S-UHF radios only): Specifies the largest data frame that can be transmitted without fragmentation. On certain radios fragmen
342. vel reduces the range. Table 4, IEEE 802.11b Radio Technical Specifications. Frequency band: 2.4 to 2.5 GHz worldwide. Type: Direct sequence spread spectrum. Modulation: Direct sequence spread spectrum (CCK, DQPSK, DBPSK). Power output: 32 mW (15 dBm). Data rate: 11 Mbps (High), 5.5 Mbps (Medium), 2 Mbps (Standard), 1 Mbps (Low), with automatic fallback for increased range. [Appendix A: Specifications] Table 4, IEEE 802.11b Radio Technical Specifications (continued). Channels: 11 (North America), 13 (Europe), 4 (France), 14 (Japan), 1 (Israel). Range (11 Mbps): 160 m (525 ft) open environment; 50 m (165 ft) semi-open environment; 24 m (80 ft) in closed environment. Unlimited range with roaming. Receiver sensitivity (11 Mbps): -82 dBm. Security: IEEE 802.11 Wired Equivalent Privacy (WEP) standard; WEP 64, WEP 128. IEEE 802.11a. Table 5, IEEE 802.11a Radio Technical Specifications. Frequency band: Full range, 5.15 to 5.35 GHz (indoor only); Mid range, 5.25 to 5.35 GHz (indoor and outdoor). Type: Direct sequence spread spectrum. Power output: 40 mW. Data rate: 802.11 compliant mode, 54 Mbps, 48 Mbps, 36 Mbps, 24 Mbps, 12 Mbps, 6 Mbps, with automatic fallback for increased range; Turbo mode, 72 Mbps, 48 Mbps, 36 Mbps, 24 Mbps, 12 Mbps, with automatic fallback for increased range. Channels: 802.11 compliant mode, Full range 8 North A
343. vices are available. You can now telnet to the access point to upgrade it with a permanent image and configure it. Note: You may be unable to access the web browser interface if the support files for this interface still need to be recovered. If so, use telnet to upgrade the access point, and then use the web browser interface to configure it. Upgrading the Access Points. Using a Web Browser Interface: For optimal performance, you should install the most current software version on all the access points in your network. To upgrade the software, you must copy the software release to your PC and then upload the release to your root access point and other access points. However, you can also configure the root access point to copy the release to all other access points in its spanning tree. You can upgrade the access point software using a web browser interface, as explained in the next subsection. Note: New releases of the firmware for the access point are available for downloading from the Allied Telesyn web site. You can use a web browser interface to upgrade the access points one at a time. In other words, for each access point you want to upgrade, you will need to establish a web browser session with it, upgrade its software, save the new configuration, and reboot it. To upgrade the access point software: 1. Establish a web browser sess
344. vide the widest coverage and are most commonly used inside buildings. outbound frames: Frames moving away from the primary LAN. peer-to-peer network: A type of LAN whose workstations are capable of being both clients and servers. point-to-multipoint bridge: See also wireless bridge. A bridge that connects two wired networks with similar architectures. Two access points can be used to provide a point-to-multipoint bridge between two buildings so that wired and wireless devices in each building can communicate with devices in the other building. A point-to-multipoint bridge has two radios, which allows wireless end devices to communicate with it. [Appendix C: Glossary] point-to-point bridge: See also wireless bridge. A bridge that connects two wired networks with similar architectures. Two access points can be used to provide a point-to-point bridge between two buildings so that wired and wireless devices in each building can communicate with devices in the other building. power bridge: A power bridge combines power and data onto an Ethernet cable that is connected to the access point with the power over Ethernet option. primary bridging: Ethernet bridging on a root port. An access point uses primary bridging to bridge frames to and from the Ethernet network on its root port. Note that primary bridging is not the same as bridging to the primary LAN. primary LAN: Also called the home IP subnet and root IP subnet. T
345. ving Configuration Changes on page 45. Configuring Other Ethernet or Fiber Optic Settings: Many of the standard Ethernet or fiber optic settings are configured in the TCP/IP Settings screen. For help, see Configuring the TCP/IP Settings on page 66. In the Ethernet screen, you can set the port type, set the link speed, and enable or disable the link status check. To configure the Ethernet or fiber optic settings: 1. From the main menu, click Ethernet. The Ethernet screen appears. [Screenshot: Ethernet screen, with Link Speed and Enable Link Status Check fields] 2. Configure the parameters. For help, see the next table. 3. Click Submit Changes to save your changes. To activate your changes, from the menu bar click Save/Discard Changes, and then click Save Changes and Reboot. For help, see Saving Configuration Changes on page 45. Configuring the Ethernet Address Table. Table 5 Ethe
346. y title to switch between displaying all configuration settings and displaying the configuration settings that are different from the factory default settings. To view a processor utilization graph: 1. From the main menu, click Maintenance > About This Access Point. The About This Access Point screen appears. This screen is read-only. 2. Click the Processor and Revision link. The Processor Utilization graph appears. [Screenshot: Processor Utilization graph] You can use the LEDs to help you locate a specific access point in your building. To locate an access point: 1. From the menu, click Maintenance > About this Access Point. The About this Access Point screen appears. 2. Click the Find This Access Point button. The access point LEDs start blinking as shown in the next table. Table 7, Find This Access Point: [LED pattern table for the Power, Wireless, Wireless, Wired LAN, and Root/Error LEDs; legend: LED On, LED Off, LED Flashing] 3. The LEDs continue to blink until you click the Finished Finding Access Point button. Restoring the Access Point to ... You may need to restore the access point to the factory default configuration. For a list of the default settings, see Appendix B, Default Settings. To restore the access point to the default configuration y
