ShadowAP User Manual, v1.01
Contents
1. (IP firewall rule example, continued)

       firewall.rule.1.out=ixp1
       firewall.rule.1.protocol=TCP
       firewall.rule.1.dport=25
       firewall.rule.2.status=enabled
       firewall.rule.2.table=nat
       firewall.rule.2.chain=PREROUTING
       firewall.rule.2.in=ixp0
       firewall.rule.2.dst=195.14.162.78
       firewall.rule.2.protocol=TCP
       firewall.rule.2.dport=25
       firewall.rule.2.target=ACCEPT
       firewall.rule.3.status=enabled
       firewall.rule.3.table=nat
       firewall.rule.3.chain=PREROUTING
       firewall.rule.3.protocol=TCP
       firewall.rule.3.in=ixp0
       firewall.rule.3.dport=25
       firewall.rule.3.target=DNAT
       firewall.rule.3.t.dnat.dst=195.14.162.78
       firewall.rule.4.status=enabled
       firewall.rule.4.table=nat
       firewall.rule.4.chain=POSTROUTING
       firewall.rule.4.target=MASQUERADE
       firewall.rule.4.out=ixp1
       firewall.rule.5.table=nat
       firewall.rule.5.chain=PREROUTING
       firewall.rule.5.protocol=TCP
       firewall.rule.5.dport=53
       firewall.rule.5.target=REDIRECT
       firewall.rule.6.table=nat
       firewall.rule.6.chain=PREROUTING
       firewall.rule.6.protocol=UDP
       firewall.rule.6.dport=53
       firewall.rule.6.target=REDIRECT
       firewall.rule.7.table=nat
       firewall.rule.7.chain=PREROUTING
       firewall.rule.7.list=white
       firewall.rule.7.target=ACCEPT
       firewall.rule.8.table=filter
       firewall.rule.8.chain=FORWARD
       firewall.rule.8.list=white
       firewall.rule.8.target=ACCEPT
       firewall.filter.FORWARD.policy=DROP

   6.4.4 Bridging Firewall
   A bridging firewall contains three built-in tables: filter, nat and broute. Every table contains bui
2. [Figure 2.4.2: Network Connection TCP/IP Settings. Windows dialog residue: "Notify me when this connection has limited or no connectivity", "Obtain DNS server address automatically" / "Use the following DNS server addresses", Preferred DNS server, Alternate DNS server, Cancel.]

   Step 5. Open a Web browser and type the default IP address of ixp0 on the ShadowAP: http://192.168.3.1. After the connection has been established you will see the Web User Interface login screen (Figure 2.4.3: Administrator Login Screen).

   Step 6. Enter the ShadowAP-based device administrator login details to access the web interface, as in Figure 2.4.3. The default administrator login settings for all ShadowAP interfaces are: User Name admin, Password admin01. These defaults are printed in this manual and are therefore public knowledge; change the password before the device is attached to any network that untrusted users can reach.

   Step 7. After successfully logging in as the administrator you will see the main page of the ShadowAP device Web management interface. The ShadowAP device is now ready for configuration. For further instructions on Web management refer to Chapter 4, Web Interface.

   2.4.2 Using Wireless LAN Connection
   By default the ShadowAP-based device does not run a DHCP server on any of its interfaces. ath0 is bridged to device ixp0 and therefore responds to the static IP address 192.168.3.1. Use the following procedure to access the ShadowAP-based device Web management pages via the wireless interface. A
3. Equivalent ebtables command line:

       ebtables -t nat -I POSTROUTING -o ixp1 -j macvlan --tag 3

   Equivalent configuration keys:

       ebtables.rule.2.table=nat
       ebtables.rule.2.chain=POSTROUTING
       ebtables.rule.2.out=ixp1
       ebtables.rule.2.target=macvlan tag 3

   Example: the configuration file snapshot for the example described above:

       ebtables.status=enabled
       ebtables.rule.1.table=nat
       ebtables.rule.1.chain=PREROUTING
       ebtables.rule.1.in=ms1l
       ebtables.rule.1.target=redirect
       ebtables.rule.1.dst=FF:FF:FF:FF:FF:FE
       ebtables.rule.1.dst.inverse=enabled
       ebtables.rule.2.table=nat
       ebtables.rule.2.chain=POSTROUTING
       ebtables.rule.2.out=ms1l
       ebtables.rule.2.target=snat
       ebtables.rule.2.t.to_source=00:90:4B:C8:36:37
       ebtables.rule.2.t.snat_target=ACCEPT
       ebtables.rule.3.table=broute
       ebtables.rule.3.chain=BROUTING
       ebtables.rule.3.in=ixp0
       ebtables.rule.3.protocol=ARP
       ebtables.rule.3.arp.mac_dst=00:90:4B:69:4A:95
       ebtables.rule.3.arp.mac_dst.inverse=enabled
       ebtables.rule.3.target=DROP

   6.4.5 SMTP Redirection
   SMTP redirection is useful in authenticating wireless router setups. It allows customers to connect to access points and send out emails without having to reconfigure their email client software. If AAA is enabled, only authenticated customers should be allowed to use SMTP redirection. The SMTP redirection service intercepts SMTP connections on port 25 and redirects them to a preconfigu
4. 6.0 Chapter 6: Configuring the ShadowAP
   In order to configure the ShadowAP properly the user must have a working knowledge of the ShadowAP's configuration file and of the Network, Network Access, Management Access and System Services configuration. The following sections go over these aspects in detail.

   6.1 ShadowAP Configuration File
   The keys of the configuration file in this manual are provided for the ShadowAP 5.x firmware version; therefore they may differ from the keys of 3.5x firmware and earlier versions. The ShadowAP configuration file is a text file consisting of <key>=<value> assignments, one assignment per line. Modified configurations become active after the device reboots. The keys are case sensitive. Whitespace around keys and values is insignificant and is removed automatically after reboot. If duplicate keys are found, the first one is kept and all the others are removed, irrespective of the values assigned to them. If the first non-whitespace character on a line is the comment character, the text between that character and the end of the line is a comment. Comment lines and blank lines are ignored and may be added to make the file easier to read.

   Example:

       <comment character> this line is a comment
       netconf.1.devname=ixp0
       netconf.1.ip=192.168.2.5
       netconf.1.netmask=255.255.255.0

   In the example above the keys have index 1 and describe the settings of the ixp0 interface. The index indicates functionally similar items
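The parsing rules of section 6.1 (first duplicate key wins, whitespace stripped, comment and blank lines ignored) and the firewall.rule.<n>.* keys of the SMTP redirection example in item 1 above, worked through in code. This is an added example written for this page, not code from the ShadowAP manual or firmware. It assumes '=' as the key/value separator and '#' as the comment character (neither glyph survived extraction of this copy), and the iptables switch chosen for each rule field is the editor's own mapping; the sample configuration is constructed from the manual's example.

```python
"""ShadowAP-style configuration parser plus an iptables renderer for
firewall.rule.<n>.* keys (added example; assumptions noted inline)."""
import re

COMMENT_CHAR = "#"  # assumption: the manual's comment glyph is not legible here

# constructed sample, modelled on the manual's SMTP redirection example
SAMPLE = """\
# constructed sample configuration
firewall.status=enabled
firewall.rule.2.status=enabled
firewall.rule.2.table=nat
firewall.rule.2.chain=PREROUTING
firewall.rule.2.in=ixp0
firewall.rule.2.dst=195.14.162.78
firewall.rule.2.protocol=TCP
firewall.rule.2.dport=25
firewall.rule.2.target=ACCEPT
firewall.rule.3.status=enabled
firewall.rule.3.table=nat
firewall.rule.3.chain=PREROUTING
firewall.rule.3.in=ixp0
firewall.rule.3.protocol=TCP
firewall.rule.3.dport=25
firewall.rule.3.target=DNAT
firewall.rule.3.t.dnat.dst=195.14.162.78
# duplicate key: section 6.1 says the first occurrence wins
firewall.rule.3.t.dnat.dst=10.0.0.1
firewall.rule.9.status=disabled
firewall.rule.9.table=filter
firewall.rule.9.chain=FORWARD
firewall.rule.9.target=ACCEPT
firewall.filter.FORWARD.policy=DROP
"""


def parse_config(text):
    """Section 6.1 rules: one assignment per line, case-sensitive keys,
    surrounding whitespace dropped, comment/blank lines skipped, and for
    duplicate keys the FIRST one is kept whatever the later values are."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(COMMENT_CHAR):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not an assignment; ignored (assumption)
        cfg.setdefault(key.strip(), value.strip())
    return cfg


def firewall_rules(cfg):
    """Group firewall.rule.<n>.<field> keys per rule index, in index order."""
    rules = {}
    for key, value in cfg.items():
        m = re.fullmatch(r"firewall\.rule\.(\d+)\.(.+)", key)
        if m:
            rules.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return [rules[i] for i in sorted(rules)]


# rule field -> iptables switch (editor's mapping); -p must precede --dport
SIMPLE = [("in", "-i"), ("out", "-o"), ("protocol", "-p"), ("src", "-s"),
          ("dst", "-d"), ("sport", "--sport"), ("dport", "--dport")]


def to_iptables(rule):
    """Render one rule as an iptables command; disabled rules give None."""
    if rule.get("status", "enabled") != "enabled":
        return None
    parts = ["iptables", "-t", rule.get("table", "filter"), "-A", rule["chain"]]
    for field, switch in SIMPLE:
        if field in rule:
            parts += [switch, rule[field]]
    target = rule.get("target")
    if target:
        parts += ["-j", target]
    if target == "DNAT" and "t.dnat.dst" in rule:
        parts += ["--to-destination", rule["t.dnat.dst"]]
    if "list" in rule:  # ShadowAP white/black list match: no plain-iptables form
        parts += ["#", "unrendered:", "list=" + rule["list"]]
    return " ".join(parts)


def render(cfg):
    """Enabled rules in index order, then firewall.<table>.<chain>.policy keys."""
    out = [cmd for cmd in map(to_iptables, firewall_rules(cfg)) if cmd]
    for key, value in cfg.items():
        m = re.fullmatch(r"firewall\.(\w+)\.(\w+)\.policy", key)
        if m:
            out.append(f"iptables -t {m.group(1)} -P {m.group(2)} {value}")
    return out


if __name__ == "__main__":
    print("\n".join(render(parse_config(SAMPLE))))
```

The rendered output makes the ordering requirement of the manual's example visible: rule 2 (ACCEPT for port 25 traffic already addressed to the relay) is emitted before rule 3 (DNAT of all other port 25 traffic), so connections to the relay itself are not rewritten again, and the duplicate t.dnat.dst line with 10.0.0.1 is discarded as section 6.1 specifies.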
5. aaa.nas.<index>.properties.location.cc: set the location ID attribute country code according to the E.164 specification (1-3 digits).
   aaa.nas.<index>.properties.location.ac: set the location ID attribute area code of the NAS location according to the E.164 specification (up to 8 digits).
   aaa.nas.<index>.properties.location.network: specify the name of the location network zone (1-64 characters). This may be equal to the SSID for wireless networks and to the domain for wired networks.
   aaa.nas.<index>.properties.operator: specify the name of the operator owning this NAS zone (1-64 characters).
   aaa.nas.<index>.properties.location: specify the detailed description of the location (1-128 characters).
   aaa.nas.<index>.dynvlan.status: specify the status of the dynamic VLAN service on the system (enabled/disabled). Default: disabled.
   aaa.nas.<index>.dynvlan.default: specify the name of the default VLAN interface (string). If dynamic VLAN functionality is enabled on the device, the RADIUS server should respond with a VLAN tag ID during authentication. After successful authentication all client traffic is tagged with the specified VLAN. If the RADIUS server does not respond with a VLAN ID, the preconfigured VLAN is used by default.

   Example:

       aaa.nas.1.dynvlan.status=enabled
       aaa.nas.1.dynvlan.default=ixp0.3000

   Clients that are authenticated but for which the RADIUS server does not specify a VLAN ID are placed in VLAN 3000 on ixp0.
6. Wireless Network Mode / Bit Rates (Mbps):
   B: 1, 2, 5.5, 11
   G: 1, 2, 5.5, 11, 6, 9, 12, 18, 24, 36, 48, 54
   A: 6, 9, 12, 18, 24, 36, 48, 54

   radio.<index>.rate.auto: specify the automatic bit rate mode status (enabled/disabled). Default: enabled. This setting enables automatic bit rate selection with fallback to a lower rate on noisy channels. If you specify a bit rate value in radio.<index>.rate.max and set auto to enabled, the ShadowAP will use all bit rates lower than or equal to this value.
   radio.<index>.frag: specify the fragmentation threshold in bytes, which determines whether data frames will be fragmented and at what size (256-2346, off, auto). On an 802.11 wireless LAN, frames exceeding the fragmentation threshold are fragmented, i.e. split into smaller units suitable for the circuit size; data frames smaller than the threshold are not fragmented. Default: auto. Setting a lower fragmentation threshold can help improve connection reliability in noisy environments where radio interference is present. This mechanism adds overhead and therefore reduces effective throughput.
   radio.<index>.rts: specify the maximum packet size beyond which the wireless LAN card invokes its RTS/CTS mechanism (0-2347, off, auto). Packets that exceed the specified RTS threshold trigger th
7. Example 2: The enabled WAN interface gre0001 has its Assigned Tunnel ID (routing table name) set to WISP1; the other WANs have an empty Tunnel ID. Assume that the client has provided valid login credentials and the RADIUS server responds with Access-Accept.
   - If the received Access-Accept contains Tunnel-Assignment-ID with the value WISP1: the client is successfully authenticated; a source route for that client is created through the routing table named WISP1; all client traffic is routed through the gre0001 interface using routing table WISP1; RADIUS accounting packets for that client include the Tunnel-Assignment-ID attribute with the same value as in the Access-Accept (WISP1); after the client session ends, the source route is removed.
   - If it contains the value BadWISP and no such routing table exists: client authorization is refused and no source route is set up; the client session ends immediately.

   6.4 Network Access Configuration
   This section describes configuration keys for:
   - AAA (authentication, authorization, accounting), including NAS, RADIUS servers and proxy configuration, RADIUS domains and Dynamic WEP
   - WPA/802.1x supplicant
   - IP and bridging firewall settings
   - SMTP redirection

   6.4.1 Authentication, Authorization and Accounting (AAA)
   Authentication, Authorization and Accounting service configuration settings are split into three groups:
   - Authentication configuration includes the authentication backend, RADIUS server settings and local security
8. WAVETEQ ShadowAP User Manual, Revision 1.01, 2009-10-22. Copyright 2006-2008 Waveteq Communications Inc., 222-3121 Hill Road, Lake Country, BC V4V 1G1, Canada. US & Canada: 1-888-928-3837; International: 1-250-766-9229; Fax: 250-766-9221; www.waveteq.com.

   Copyright 2006-2008 Waveteq Communications Inc. This user's guide and the software described in it are copyrighted with all rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system or translated into any language in any form by any means without the written permission of Waveteq Communications Inc.

   Notice: Waveteq Communications Inc. reserves the right to change specifications without prior notice. While the information in this guide has been compiled with great care, it may not be deemed an assurance of product characteristics. Waveteq Communications Inc. shall be liable only to the degree specified in the terms of sale and delivery. The reproduction and distribution of the documentation and software supplied with this product and the use of its contents are subject to written authorization from Waveteq Communications Inc.

   Trademarks: The Waveteq logo and ShadowAP are trademarks of Waveteq Communications Inc. All other registered and unregistered trademarks in this document are the sole property of their respecti
9. ...displays the main information of the device radio. Refresh: click to update the wireless information.

   4.2.4 Routes
   The Routes page displays the routing table for each interface.

       Interface    Destination     Gateway   Netmask          Flags
       Bridge br0   192.168.200.0   0.0.0.0   255.255.255.0    U
       Bridge br0   172.31.1.0      0.0.0.0   255.255.255.0    U

   Figure 4.2.3: Table of Routes
   Destination: the subnet that does not exist on the ShadowAP but can be reached through the associated gateway address.
   Gateway: the IP address of the device connected to the ShadowAP that can forward towards the desired destination IP address.
   Netmask: specifies which part of the IP address is the subnet and which part is the destination machine.
   Flags: displays the status of the route: U route is up; H target is a host; G use gateway; R reinstate route for dynamic routing; D dynamically installed by daemon or redirect; M modified from routing daemon or redirect; A installed by addrconf; C cache entry; ! reject route.
   Refresh: click to renew the information in the table of routes.

   4.2.5 ARP Table
   The ARP Table page displays the table of ARP (Address Resolution Protocol) entries. ARP is primarily used to translate IP addresses to Ethernet MAC addresses.

       Interface    IP address      HW type   Flags   HW address
       Bridge br0   192.168.3.175   0x1       0x2     00:17:31:46:9B:BE

   Figure 4.2.4: ARP Table
   IP address: the known IP address of the de
10. ...specify the current SPD protocol entry status (enabled/disabled). Default: enabled.
    ipsec.<index>.spd.<index>.protocol.<index>.name: specify the SPD protocol name (esp, ah, ipcomp). The SPD protocol name is a mandatory parameter.
    ipsec.<index>.spd.<index>.protocol.<index>.level: specify the level (default, use, require, unique). The default level "require" is used for the esp and ah protocols; the default level "use" is added for the ipcomp protocol.

    Example: The sample configuration below defines a policy which allows the ShadowAP device with IP address 192.168.4.8 to access stations on LAN2 (IP address range 192.168.1.0/24) behind the IPsec-capable router 192.168.4.10. The IPsec tunnel is set up between the ShadowAP device and the router. Do not forget to set up routing on 192.168.4.8 so that it knows the LAN2 network 192.168.1.0/24 is reachable through 192.168.4.10; otherwise packets leaving the device and destined for LAN2 will be routed through the default gateway, which might not be what your setup expects. Be careful.

        192.168.4.8 (ShadowAP) <-- LAN1 --> 192.168.4.10 (Router) -- LAN2 192.168.1.0/24: Station 1 192.168.1.2, Station 2 192.168.1.103

        ipsec.status=enabled
        ipsec.1.mode=tunnel
    Tunnel end point IP addresses (local, remote):
        ipsec.1.point_src.ip=192.168.4.8
        ipsec.1.point_dst.ip=192.168.4.10
    Sec
11. ...(string).
    wpasupplicant.profile.<index>.network.<index>.anonymous_identity: specify the anonymous identity for EAP, to be used as the unencrypted identity with EAP types that support a different tunnelled identity, e.g. EAP-TTLS (string).
    wpasupplicant.profile.<index>.network.<index>.password: specify the password for EAP (string).
    wpasupplicant.profile.<index>.network.<index>.pin: specify the SIM PIN code (string).
    wpasupplicant.profile.<index>.network.<index>.pcsc: specify the PC/SC string used for SIM authentication. Default: empty string if wpasupplicant.profile.<index>.network.<index>.pin is specified.
    wpasupplicant.profile.<index>.network.<index>.wep_key0: specify WEP key 0 (40-bit or 104-bit), the key used in static WEP mode, as an ASCII passphrase.
    wpasupplicant.profile.<index>.network.<index>.wep_key0.hex: specify static WEP key 0 (40-bit or 104-bit) as hex digits, i.e. 10 or 26 hex digits (5 or 13 bytes). If this key is specified it overrides wpasupplicant.profile.<index>.network.<index>.wep_key0. 5 pairs for a 40-bit key, e.g. 00:AC:01:35:FF; 13 pairs for a 104-bit key, e.g. 00:11:22:33:44:55:66:77:88:99:AA:BB:CC.
    wpasupplicant.profile.<index>.network.<index>.wep_key1: specify static WEP key 1 (40-bit or 104-bit), the key used in static WEP mode, as an ASCII passphrase.
    wpasupplicant.pro
12. Example 802.1x supplicant profile (PEAP with MSCHAPv2 inner authentication):

        wpasupplicant.profile.1.status=enabled
        wpasupplicant.profile.1.ap_scan=enabled
        wpasupplicant.profile.1.eapol_version=1
        wpasupplicant.profile.1.fast_reauth=enabled
        wpasupplicant.profile.1.name=user 1
        wpasupplicant.profile.1.network.1.priority=0
        wpasupplicant.profile.1.network.1.proto.1.status=enabled
        wpasupplicant.profile.1.network.1.proto.2.status=enabled
        wpasupplicant.profile.1.network.1.scan_ssid=disabled
        wpasupplicant.profile.1.network.1.ssid=device SSID
        wpasupplicant.profile.1.network.1.status=enabled
        wpasupplicant.profile.1.network.1.auth_alg.1.status=enabled
        wpasupplicant.profile.1.network.1.auth_alg.1.name=OPEN
        wpasupplicant.profile.1.network.1.auth_alg.2.status=disabled
        wpasupplicant.profile.1.network.1.auth_alg.3.status=disabled
        wpasupplicant.profile.1.network.1.ca_cert=/etc/persistent/public_cert/root.pem
        wpasupplicant.profile.1.network.1.eap.1.status=enabled
        wpasupplicant.profile.1.network.1.eap.1.name=PEAP
        wpasupplicant.profile.1.network.1.eapol_flags=3
        wpasupplicant.profile.1.network.1.group.1.status=enabled
        wpasupplicant.profile.1.network.1.group.1.name=TKIP
        wpasupplicant.profile.1.network.1.group.2.status=disabled
        wpasupplicant.profile.1.network.1.group.3.status=disabled
        wpasupplicant.profile.1.network.1.group.4.status=disabled
        wpasupplicant.profile.1.network.1.identity=user name
        wpasupplicant.profile.1.network.1.key_mgmt.1.status=enabled
        wpasupplicant.profile.1.network.1.key_mgmt.1.name=WPA-EAP
        wpasupplicant.profile.1.network.1.pairwise.1.status=enabled
        wpasupplicant.profile.1.network.1.pairwise.1.name=TKIP
        wpasupplicant.profile.1.network.1.pairwise.2.status=disabled
        wpasupplicant.profile.1.network.1.password=user password
        wpasupplicant.profile.1.network.1.phase1.peap_outer_success=0
        wpasupplicant.profile.1.network.1.phase1.peaplabel=disabled
        wpasupplicant.profile.1.network.1.phase1.peapver=0
        wpasupplicant.profile.1.network.1.phase1.sim_min_num_chal=2
        wpasupplicant.profile.1.network.1.phase2.authpeap.1.status=enabled
        wpasupplicant.profile.1.network.1.phase2.authpeap.1.name=MSCHAPV2
        wpasupplicant.profile.1.network.1.wep_tx_keyidx=0

    6.4.3 IP Firewall
    Access control and traffic accounting in a ShadowAP are implemented through IP firewall rules. A firewall protects the resources of a private network from outside users by preventing unauthorized access and acting as a security filter w
13. wpasupplicant.profile.<index>.network.<index>.phase1.peapver: specify the PEAP version to be used (0, 1). Default: 1.
    wpasupplicant.profile.<index>.network.<index>.phase1.peaplabel: specify the PEAP label status (enabled/disabled). Default: disabled. When enabled, the new label "client PEAP encryption" is used during key derivation with PEAPv1 or newer. Most existing PEAPv1 implementations seem to use the old label "client EAP encryption", and the supplicant now uses this as the default value. Some servers may require peaplabel to be enabled to interoperate with PEAPv1.
    wpasupplicant.profile.<index>.network.<index>.phase1.peap_outer_success: specify the method used to terminate PEAP authentication on a tunnelled EAP-Success (0, 1, 2). Default: 0. 0: PEAP is terminated on the Phase 2 (inner) EAP-Success. 1: reply with a tunnelled EAP-Success to the inner EAP-Success and expect the access server to send an outer (unencrypted) EAP-Success after this. 2: reply with a PEAP/TLS ACK to the inner EAP-Success and expect the access server to send an outer (unencrypted) EAP-Success after this. This is required with some RADIUS servers that implement draft-josefsson-pppext-eap-tls-eap-05.txt.
    wpasupplicant.profile.<index>.network.<index>.phase1.sim_min_num_chal: configure EAP-SIM to require 2 or 3 challenges (2, 3). Default: 2.
    Phase 2 (inner authentication with the TLS tunn
14. (Index, continued) TX antenna 63. V: VLAN 53, dynamic 80; VSSID 68. W: WDS 69; weather proofing 140, 148; web interface 18: configuration 24 (advanced network 29, basic network 26, basic wireless 27, expert 31, starting point 25, wireless security 30), logout 40, statistics 18, 19 (ARP tables 23, network statistics 21, routes 23, system information 20, wireless details 22), system 32 (license 35, maintenance 32, password 33, remote management 34), tools 36 (antenna alignment 37, site survey 36, wireless tests 38); WEP keys 65; white/black list 116; wireless ACL 70; wireless client bridge 70; wireless interface 64; wireless radio 60; wireless security (WEP dynamic 83, WEP static 65, WPA/WPA2 84); WISP domains 82; WPA 84, 89; WPA/802.1x supplicant 87; WPA2 89.

    10.0 Customer Support
    For any problems with the ShadowAP please contact the Waveteq main office at the contact information below. Waveteq Communications Inc., 222-3121 Hill Rd, Lake Country, BC, Canada V4V 1G1. Toll Free: 1-888-Waveteq (928-3837). Phone: 250-766-9229. Email: support@waveteq.com.
15. The Service Set Identifier (SSID) defines a logical wireless network, and the ShadowAP can be configured to provide another 15 wireless networks in addition to the one defined by the primary SSID. Each additional SSID may be configured with different security settings: SSID encryption, SSID broadcasting, layer 2 isolation and client limitation per SSID. All the SSIDs may be active at the same time, meaning that client devices can associate to the access point using any of the SSIDs. In order to add or delete a VSSID the wireless card must be in master mode, and the VSSID interfaces must be created before configuring them. Remember to create a wireless set of keys for each VSSID. All available VSSID configuration keys are listed below.
    vssid.status: specify the VSSID feature status (enabled/disabled).
    vssid.<index>.status: specify the current VSSID entry status (enabled/disabled).
    vssid.<index>.parent: specify the master interface on which the VSSID will be created, e.g. ath0.
    vssid.<index>.devname: specify the VSSID interface name (custom string up to 15 characters in length). If not specified, the default interface name will be ath0_<index>.
    vssid.<index>.mode: specify the VSSID wireless mode (managed, master). If this key is not specified the VSSID inherits the mode of the parent SSID. If you are planning to use VSSIDs with different modes (STA and AP) on the same physical radio, the first interface must be configured in AP
16. (Index, continued) VLAN 112; rule matches 107; rules configuration 106; target extensions (arpnat 114, arpreply 107, 112, dnat 113, macvlan 114, mark 113, redirect 113, snat 114); watcher extensions (LOG 112). C: CCMP 85, 89; channel 61 (802.11a 130, 802.11b/g 129); CLI (access 14, introduction 14); CLI commands (authcheck 15, passwd 15, quit 17, reboot 17, reset 17, shell 16, show 16, status 16); configuration file 43; configuration key: aaa 76 (acct 81, auth 80, domain 82, nas 79, radius proxy 85, security wep 83, wpa 84), access 116, autolock 67, bandwidth 118, bridge 46, date 123, dhcpc 48, dhcpd 49, dhcp fwd 50, dnsmasq 52, ebtables 106, firewall 95, httpd 120, ipsec 55, netconf 44, ntpd 124, pppoe 59, racoon 57, radio 60, resolv 51, route 72, snmpa 121, ssd 71, sshd 120, statsd 123, sysconf trace 125, sysctl 127, syslog 125, tunnel 58, ulogd 126, vlan 53, vssid 68, wacl 70, wds 69, wireless 64, wpasupplicant 87; connection 154 (command line 14, Ethernet 9, wireless LAN 11); Conventions xi; country codes 138. D: DHCP 48 (client 48, relay 50, server 49); DNS 51; DNS forwarder 52; DNSMASQ 52; domains (WISPs) 82; dynamic VLAN 80. E: EAP 87; Ethernet Cable Assembly 6. F: firewall (bridging 106, IP 95); Fresnel Zone 5. G: Graphical User Interface (GUI) 18; GRE tunnels 58. H: half and quarter rates 63; half duplex 45; HTTP(S) Se
17. ...bsd, ndis). If not specified, the first in the list of compiled-in drivers is used by default.
    wpasupplicant.device.<index>.profile: specify the profile name to use for the ShadowAP network interface (string). This should be equal to the wpasupplicant.profile.<index>.name described in the next section, 802.1x Supplicant Profile.

    6.4.2.1 802.1x Supplicant Profile
    In addition to enterprise-level security (WPA/802.1x), the ShadowAP supplicant supports the Pre-Shared Key WPA version (WPA-PSK), also intended for use in SOHO or home wireless networks. All available keys of the 802.1x Supplicant profile are listed below.
    wpasupplicant.profile.<index>.status: specify the current profile entry status (enabled/disabled). Default: enabled.
    wpasupplicant.profile.<index>.name: specify the configuration profile name (string).
    wpasupplicant.profile.<index>.eapol_version: specify the IEEE 802.1X EAPOL version (1, 2). The supplicant implementation is based on IEEE 802.1X-REV-d8, which defines EAPOL version 2. However, there are many APs that do not handle the new version number correctly; they seem to drop the frames completely. In order to allow the supplicant to interoperate with these APs, the version number is set to 1 by default. This configuration value can be used to set it to the new version 2.
    wpasupplicant.profile.<index>.ap_scan: specifies the AP scanning selection e
18. ...certificate file (file name with .pem or .der extension). This file can have one or more trusted CA certificates. If ca_cert2 is not included, the server certificate will not be verified. This is insecure and the CA file should always be configured. See also wpasupplicant.profile.<index>.network.<index>.ca_cert.
    wpasupplicant.profile.<index>.network.<index>.client_cert2: specify the name of the client certificate file (file name with .pem or .der extension). See also wpasupplicant.profile.<index>.network.<index>.client_cert.
    wpasupplicant.profile.<index>.network.<index>.private_key2: specify the name of the client private key file (file name with .key or .p12 extension). See also wpasupplicant.profile.<index>.network.<index>.private_key.
    wpasupplicant.profile.<index>.network.<index>.private_key2_passwd: specify the password for the private key (string).
    wpasupplicant.profile.<index>.network.<index>.dh_file2: specify the path to the DH/DSA parameters file in PEM format. See also wpasupplicant.profile.<index>.network.<index>.dh_file.
    wpasupplicant.profile.<index>.network.<index>.subject_match2: specify a substring to be matched against the subject of the authentication server certificate. See also wpasupplicant.profile.<index>.network.<index>.subject_match.
    Example: wpa
19. ...(like the ping utility) whether specific hosts are accessible on the network. When the network goes down, the wireless service is disabled; when the network is up again, the wireless service is re-enabled. All available keys of the AutoLock WLAN feature are listed below. The <index> range for the AutoLock feature is 1-255.
    autolock.status: specify the AutoLock feature status (enabled/disabled). Default: disabled.
    autolock.interval: specify the monitoring time period in seconds (number). Default: 300 (5 min).
    autolock.retry_count: specify the number of failed reachability checks after which the wireless service will be disabled (0-3). Default: 3.
    autolock.verbose: specify verbose status (enabled/disabled).
    autolock.<index>.status: specify the current server entry status (enabled/disabled). Default: enabled.
    autolock.<index>.server: specify the IP address to be checked.
    autolock.lock.action: specify the action on the lock event (none, down, up, kick, reboot). Default: down. none: no action is applied to the interface; down: bring the interface down; up: bring the interface up; kick: kick all wireless clients; reboot: reboot the device.
    autolock.unlock.action: specify the action when the connection to the network is re-established (none, down, up, kick, reboot). Default: reboot. none: no action is applied to the interface; down: bring the interface down; up: bring the interface up; kick: kick all wireless clients; re
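The AutoLock behaviour described above (poll the listed servers every interval, lock the wireless service after retry_count consecutive failed checks, unlock when a server answers again) as a small state machine. This is an added example for this page, not code from the ShadowAP manual or firmware. The manual does not say how several servers combine or when the counter resets, so this example assumes the network counts as down only when no enabled server is reachable, that any successful check resets the failure counter, and that the lock action fires once per outage; reachability results are injected from a constructed list instead of sending ICMP, so it runs offline.

```python
"""AutoLock WLAN monitor as a state machine (added example; the
multi-server and counter-reset semantics are assumptions, see lead-in)."""

LOCK_ACTIONS = {"none", "down", "up", "kick", "reboot"}


class AutoLock:
    def __init__(self, servers, retry_count=3, lock_action="down",
                 unlock_action="reboot"):
        # value ranges as listed for autolock.retry_count and *.action
        if lock_action not in LOCK_ACTIONS or unlock_action not in LOCK_ACTIONS:
            raise ValueError("unknown action")
        if not 0 <= retry_count <= 3:
            raise ValueError("retry_count must be 0..3")
        self.servers = list(servers)
        self.retry_count = retry_count
        self.lock_action = lock_action
        self.unlock_action = unlock_action
        self.failures = 0      # consecutive polls with no server reachable
        self.locked = False    # wireless service currently disabled?

    def poll(self, reachable):
        """One monitoring interval. `reachable` maps server -> bool and stands
        in for the ping probe. Returns the action name taken, or None."""
        if any(reachable.get(s, False) for s in self.servers):
            self.failures = 0  # assumption: any success resets the counter
            if self.locked:
                self.locked = False
                return self.unlock_action
            return None
        self.failures += 1
        if not self.locked and self.failures >= self.retry_count:
            self.locked = True  # assumption: lock fires once per outage
            return self.lock_action
        return None


def simulate(monitor, polls):
    """Feed a sequence of reachability snapshots; return (poll index, action)
    for every interval in which an action was taken."""
    events = []
    for i, snapshot in enumerate(polls):
        action = monitor.poll(snapshot)
        if action:
            events.append((i, action))
    return events


# constructed outage: polls 0-1 fine, 2-5 both servers down, 6 one server back
POLLS = [
    {"192.0.2.1": True, "192.0.2.2": True},
    {"192.0.2.1": False, "192.0.2.2": True},
    {"192.0.2.1": False, "192.0.2.2": False},
    {"192.0.2.1": False, "192.0.2.2": False},
    {"192.0.2.1": False, "192.0.2.2": False},
    {"192.0.2.1": False, "192.0.2.2": False},
    {"192.0.2.1": False, "192.0.2.2": True},
]

if __name__ == "__main__":
    print(simulate(AutoLock(["192.0.2.1", "192.0.2.2"]), POLLS))
```

With the manual's defaults (retry_count 3, lock action down, unlock action reboot) the lock fires on the third consecutive all-servers-down poll and the reboot on the first poll in which a server answers again; note that a single unreachable server (poll 1) is not an outage under the assumption above.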
20. wpasupplicant.profile.<index>.network.<index>.wep_tx_keyidx: specify the default static WEP key (0, 1, 2, 3). Default: 0.
    wpasupplicant.profile.<index>.network.<index>.eappsk: specify the EAP pre-shared key in hexadecimal format (32 hexadecimal digits).
    wpasupplicant.profile.<index>.network.<index>.nai: specify the user's Network Access Identifier (NAI) used to identify the communicating parties (string up to 72 characters in length). This is used for the EAP-PSK protocol.
    wpasupplicant.profile.<index>.network.<index>.server_nai: specify the authentication server's NAI (string up to 72 characters in length). This is used for the EAP-PSK protocol.
    wpasupplicant.profile.<index>.network.<index>.ca_cert: specify the name of the CA certificate file (file name with .pem or .der extension). This file can have one or more trusted CA certificates. If ca_cert is not included, the server certificate will not be verified. This is insecure and the CA file should always be configured. The file should be saved in the /etc/persistent/ca_cert directory on the device.
    wpasupplicant.profile.<index>.network.<index>.client_cert: specify the name of the client certificate file (file name with .pem or .der extension). The file should be saved in the /etc/persistent/public_cert directory on the device.
    wpasupplicant.profile.<index>.network.<index>.private_key: specify the name of the client private key file (file name with .key or .p12 extension).
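Items 18 and 20 above both warn that a supplicant network whose ca_cert (or ca_cert2) is left out never verifies the authentication server's certificate, which lets a rogue access point with any RADIUS server harvest the PEAP/TTLS credentials. The check below walks the wpasupplicant.profile.<i>.network.<j>.* keys and reports those networks. It is an added example written for this page, not code from the ShadowAP manual or firmware; it takes an already-parsed key/value mapping, the sample mapping is constructed here (network 1 is the manual's PEAP example with ca_cert removed), and the second, weaker finding (CA file present but no subject_match, so any certificate issued by that CA is accepted) is a property of wpa_supplicant that the manual itself does not state.

```python
"""Flag 802.1X supplicant networks whose TLS-based EAP method cannot
verify the server (added example; operates on parsed config keys)."""
import re

# EAP methods that run inside a TLS tunnel and therefore rely on ca_cert
TLS_EAP = {"PEAP", "TTLS", "TLS", "FAST"}

NET_KEY = re.compile(r"wpasupplicant\.profile\.(\d+)\.network\.(\d+)\.(.+)")


def supplicant_networks(cfg):
    """Group keys per (profile index, network index)."""
    nets = {}
    for key, value in cfg.items():
        m = NET_KEY.fullmatch(key)
        if m:
            nets.setdefault((int(m.group(1)), int(m.group(2))), {})[m.group(3)] = value
    return nets


def enabled_eap_methods(net):
    """Names from eap.<k>.name whose eap.<k>.status is enabled (default)."""
    names = []
    for field, value in net.items():
        m = re.fullmatch(r"eap\.(\d+)\.name", field)
        if m and net.get(f"eap.{m.group(1)}.status", "enabled") == "enabled":
            names.append(value.upper())
    return names


def findings(cfg):
    """Return (profile, network, message) for each enabled network that uses a
    TLS-based EAP method without ca_cert, or with ca_cert but no subject_match."""
    out = []
    for (p, n), net in sorted(supplicant_networks(cfg).items()):
        if net.get("status", "enabled") != "enabled":
            continue
        methods = [m for m in enabled_eap_methods(net) if m in TLS_EAP]
        if not methods:
            continue
        label = "/".join(methods)
        if not net.get("ca_cert"):
            out.append((p, n, f"{label} without ca_cert: server certificate is not verified"))
        elif not net.get("subject_match"):
            out.append((p, n, f"{label} with ca_cert but no subject_match: "
                              "any certificate issued by that CA is accepted"))
    return out


# constructed sample: network 1 = the manual's PEAP example minus ca_cert,
# network 2 = same with CA file and subject_match, network 3 = TTLS with CA only
SAMPLE = {
    "wpasupplicant.profile.1.status": "enabled",
    "wpasupplicant.profile.1.network.1.status": "enabled",
    "wpasupplicant.profile.1.network.1.ssid": "device SSID",
    "wpasupplicant.profile.1.network.1.eap.1.status": "enabled",
    "wpasupplicant.profile.1.network.1.eap.1.name": "PEAP",
    "wpasupplicant.profile.1.network.1.phase2.authpeap.1.name": "MSCHAPV2",
    "wpasupplicant.profile.1.network.2.status": "enabled",
    "wpasupplicant.profile.1.network.2.eap.1.status": "enabled",
    "wpasupplicant.profile.1.network.2.eap.1.name": "PEAP",
    "wpasupplicant.profile.1.network.2.ca_cert": "root.pem",
    "wpasupplicant.profile.1.network.2.subject_match": "radius.example.net",
    "wpasupplicant.profile.1.network.3.status": "enabled",
    "wpasupplicant.profile.1.network.3.eap.1.status": "enabled",
    "wpasupplicant.profile.1.network.3.eap.1.name": "TTLS",
    "wpasupplicant.profile.1.network.3.ca_cert": "root.pem",
}

if __name__ == "__main__":
    for p, n, msg in findings(SAMPLE):
        print(f"profile {p} network {n}: {msg}")
```

Run against a real configuration, feed the output of a key/value parse of the device's configuration file; a clean result means every TLS-based network names a CA file and pins the expected server subject.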
21. ...over the public Internet. Effectively a corporation uses a wide area network as a single large local area network. This kind of interconnection is known as a virtual private network (VPN).

    R
    RADIUS: RADIUS (Remote Authentication Dial-In User Service) is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. RADIUS allows a company to maintain user profiles in a central database that all remote servers can share. It provides better security, allowing a company to set up a policy that can be applied at a single administered network point. Having a central service also means that it is easier to track usage for billing and for keeping network statistics.

    S
    SNMP: Simple Network Management Protocol (SNMP) is the protocol governing network management and the monitoring of network devices and their functions. It is not necessarily limited to TCP/IP networks. SNMP is described formally in the Internet Engineering Task Force (IETF) Request for Comment (RFC) 1157 and in a number of other related RFCs.
    SSL: The Secure Sockets Layer (SSL) is a commonly used protocol for managing the security of a message transmission on the Internet. SSL has been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program la
22. ...plug the AC adaptor into the wall and the DC jack into the PoE injector. To connect the ShadowAP to a computer, use a CROSS-OVER cable from the LAN port of the PoE injector to the Ethernet port of the computer. To connect to a network device like a hub, router or switch, use a STRAIGHT-THROUGH cable instead.

    When connecting a computer, router, hub or switch to the ShadowAP through the PoE injector, ensure you are doing so through the LAN RJ45 port. The PoE port outputs passive DC power intended for the ShadowAP and will damage most other Ethernet ports.

    Power to the ShadowAP unit is indicated when the link light on the Ethernet port of the computer, hub or modem is enabled. Note that the default IP address of the Ethernet 1 port (ixp0 for short) is 192.168.3.1, and connecting it to a network with another device with the same IP address WILL CAUSE PROBLEMS. Once this cable is set up it is possible to configure the ShadowAP; see the other sections for details pertaining to software setup.

    2.3 Factory Default Configuration
    By default the ShadowAP is configured to operate as an access point by transparently bridging the Ethernet port ixp0 to the internal 2.4 GHz or 5 GHz antenna ath0, as shown in the figure below.

    [Figure 2.3.1: Factory Default Configuration. Bridge br: 192.168.3.1, SSID DEFAULT1, channel 153; ixp0 in use; ixp1 192.168.10.1; WDS; House.]
    The b
23. ...service status (enabled/disabled).
    httpd.port.http: specify the TCP port for incoming HTTP requests (0-65535). Default: 80.
    httpd.port.https: specify the TCP port for incoming HTTPS requests (0-65535). Default: 443.
    httpd.port.admin: specify the TCP port for incoming HTTPS requests to the Web configuration interface (0-65535). Default: 444.
    httpd.certificate.file: specify the server certificate file name required for HTTPS operation (file name with .pem extension). It is treated as a file name relative to /etc/persistent/public_cert. The certificate file should be in PEM format.
    httpd.certificate.key: specify the key file name for the server certificate required for HTTPS operation (file name with .key or .p12 extension). It is treated as a file name relative to /etc/persistent/private_key. If the certificate file is specified in PKCS#12 format (.p12 extension) it includes both the certificate and the key; in this case the httpd.certificate.file value is ignored.
    httpd.certificate.key.password: specify the password for key decryption (string). Only used if the certificate key is encrypted.
    httpd.servername: specify the server name (string). If this value is specified, the HTTPS server uses it when generating self-referencing URLs; otherwise the server uses the client-supplied IP address and port. Default: empty.
    httpd.external.status: specify the external Web portal feature status (enabled/disabled). Default: disabled.
    httpd.external.secret
24. ...specify the external Web portal shared secret (string). Default: empty.

    The configuration keys for server performance tuning and troubleshooting:
    httpd.backlog: specify the maximum number of pending connections the HTTP server accepts (0-65535). Default: 100.
    httpd.max.request: specify the maximum size for POST requests (0-65535). Default: 51200.
    httpd.max.connections: specify the maximum number of requests to be served concurrently (0-65535). Default: 50.
    httpd.max.idletime: specify the maximum session idle time in seconds before a session is considered inactive and automatically destroyed (integer). Default: 1800 seconds.
    httpd.verbose: specify additional logging information (enabled/disabled). Default: disabled.

    Example: HTTP(S) server setup:

        httpd.status=enabled
        httpd.port.http=80
        httpd.port.https=443
        httpd.port.admin=444
        httpd.certificate.file=/usr/etc/httpd/server.pem
        httpd.certificate.key=/usr/etc/httpd/key.pem
        httpd.backlog=100
        httpd.external.status=disabled
        httpd.max.connections=50
        httpd.max.request=51200
        httpd.verbose=disabled

    6.5.3 SNMP Agent
    SNMP is the standard network management protocol. The Hotspot in a Box has a built-in SNMP agent. To communicate with the SNMP agent you must configure SNMP communities and identifiers on both the SNMP manager and the SNMP agent. The ShadowAP supports all three SNMP protocol versions (v1, v2c and v3) in read-only mode.
specify the packet creator's process id. This match works only within the OUTPUT chain.
firewall.rule.<index>.sid.owner - specify the packet creator's session id. This match works only within the OUTPUT chain.
firewall.rule.<index>.state - specify the packet's connection state (INVALID, ESTABLISHED, NEW, RELATED). This works for almost all protocols, including ICMP and UDP.
firewall.rule.<index>.tos - specify the TOS (Type Of Service) field type (decimal or hexadecimal value): Minimize-Delay 16 (hexadecimal 0x10), Maximize-Throughput 8 (0x08), Maximize-Reliability 4 (0x04), Minimize-Cost 2 (0x02), Normal-Service 0 (0x00).
firewall.rule.<index>.ttl - specify the time to live (TTL) value (0-256).
firewall.rule.<index>.unclean - specify the unclean match status (enabled/disabled). Default: disabled. If enabled, this attempts to match packets which seem malformed or unusual.
firewall.rule.<index>.ipp2p.status - specify the status of IPP2P (enabled/disabled). Default: disabled. IPP2P is a netfilter extension to identify P2P file-sharing traffic.
firewall.rule.<index>.ipp2p - specify whether to grab all known P2P packets (enabled/disabled). Default: disabled.
firewall.rule.<index>.ipp2p.edk - specify whether to grab all known eDonkey/eMule/Overnet packets (enabled/disabled). Default: disabled.
firewall.rule.<index>.ipp2p.dc - specify whether to grab all known Direct Connect packets (enable
to perform the ACK timeout test.
ACK timeout - select the ACK timeout value used to perform the wireless test. The default value of 55 corresponds to a link distance of 5 km (3.1 miles). See section 6.3.1 Wireless Radio for more details on the relationship between the ACK timeout value and link distance.
Set - click this button after setting the wireless interface and ACK timeout value to confirm the settings for the wireless test.
Save - click this button to load the tested value into the configuration file. The device will use this value upon successful reboot.

Step 3. Configure each ShadowAP's operating mode and device-specific settings.
[Figure 4.5.6 Throughput Test subsection: Operating mode (Server), Protocol (TCP), Host, Duplex traffic]
Operating Mode - choose between server or client operation for both radios being tested. One should be a server and the other a client.
Protocol - when operating as the client for the wireless test, the ShadowAP can select either the TCP or UDP networking protocol.
Host - when operating as the client for the wireless test, the IP address of the server ShadowAP must be entered into this textbox.
Duplex Traffic - click this checkbox to test sending and receiving data traffic simultaneously. This will typically provide lower throughput results than a unidirectional test.

Step 4. Begin the test by clicking Start on the ShadowAP configured as the test server. Next, click Start
wireless.<index>.frameburst, wireless.<index>.compression keys (description in the next section). Turbo mode is available only for 802.11a and 802.11g.
radio.<index>.rx_antenna - specify the antenna for receiving (1/2). Default: 1. 1 is for the external antenna, 2 is for the internal antenna.
radio.<index>.rx_antenna_diversity - specify the receiving antenna diversity status (enabled/disabled). Default: enabled. Antenna diversity controls the signal strength on each antenna and switches to the one with better strength. This works if radio.<index>.rx_antenna is set to 2.
radio.<index>.tx_antenna - specify the antenna for transmitting (1/2). Default: 1. 1 is for the external antenna, 2 is for the internal 5 GHz antenna.
radio.<index>.tx_antenna_diversity - specify the transmitting antenna diversity status (enabled/disabled). Default: enabled. Antenna diversity controls the signal strength on each antenna and switches to the one with better strength. This works if radio.<index>.tx_antenna is set to 2.
radio.<index>.slottime - specify the slot time value (numeric). Value = 9 + distance/300, rounded up, where distance is in meters; e.g. the slot time for 1 kilometre is 12.333, rounded up to 13.
radio.<index>.acktimeout - specify the ACK timeout value (numeric). Value = 3 + slottime * 2; e.g. if the distance is 1 kilometre then the slot time is 13 and A
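Worked check of the slot time and ACK timeout formulas above, as an added example that is not from the manual or from Waveteq: the function names are mine, the inverse helper max_distance_for_acktimeout is my own generalization of the formula, and the 5 km case verifies the default ACK timeout of 55 quoted for the wireless test.

```python
"""Slot time / ACK timeout for a ShadowAP link, from the formulas in section 6.3.1.

Added example, not from the manual or the vendor. Integer arithmetic is used so
that the "rounded up" step is exact; distance is in metres as the manual specifies.
"""


def slottime(distance_m):
    """slottime = 9 + distance/300, rounded up (manual: 1 km -> 12.333 -> 13)."""
    if distance_m < 0:
        raise ValueError("distance must be non-negative")
    # (d + 299) // 300 is the ceiling of d/300 without floating point
    return 9 + (distance_m + 299) // 300


def acktimeout(distance_m):
    """acktimeout = 3 + slottime * 2 (manual: default 55 corresponds to a 5 km link)."""
    return 3 + 2 * slottime(distance_m)


def max_distance_for_acktimeout(ack):
    """Inverse of the two formulas (my generalization, not in the manual):
    the longest link in metres that a given ACK timeout still covers.
    Raises for values that cannot be produced by 3 + 2 * slottime."""
    if ack < 3 + 2 * 9 or (ack - 3) % 2:
        raise ValueError(f"{ack} is not of the form 3 + 2 * slottime")
    slot = (ack - 3) // 2
    return (slot - 9) * 300


def link_settings(distance_m):
    """Both radio.<index> values an operator would enter for a link of this length."""
    return {"slottime": slottime(distance_m), "acktimeout": acktimeout(distance_m)}


if __name__ == "__main__":
    for km in (1, 5, 10):
        print(f"{km} km -> {link_settings(km * 1000)}")
```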
192.168.2.21-192.168.2.25. Multiple destination hosts can also be defined using the following syntax:
firewall.rule.<index>.t.dnat.<index>.dst - specify the IP address.
Example:
firewall.rule.101.target DNAT
firewall.rule.101.t.dnat.1.dst 192.168.2.21
firewall.rule.101.t.dnat.2.dst 192.168.2.40
firewall.rule.101.t.dnat.3.dst 192.168.2.229

6.4.3.7.3 DROP
This target drops matched packets and will not carry out any further processing. If a packet is dropped in a sub-chain, it will not be processed in any of the main chains in the current or any other table. The DROP target does not have any options.
firewall.rule.1.target DROP

6.4.3.7.4 LOG
This target is used for logging detailed information about packets to the system's syslog. See section 6.6.4 Syslog for more details.
firewall.rule.<index>.target LOG
firewall.rule.<index>.t.log.level - specify the logging level (emerg, alert, crit, err, warning, notice, info, debug).
firewall.rule.<index>.t.log.prefix - specify the log prefix (string without spaces).
firewall.rule.<index>.t.log.tcp.sequence - specify the TCP sequence logging status (enabled/disabled). The sequence option will log the TCP sequence numbers in a log message.
firewall.rule.<index>.t.log.tcp.options - specify the TCP option logging status (enabled/disabled). This logs the different options from the TCP packet headers and can be valu
192.168.5.0.
netconf.<index>.broadcast - specify the interface broadcast IP address (e.g. 192.168.5.255).
netconf.<index>.alias.status - specify the interface alias functionality status (enabled/disabled). This enables/disables all interface aliases. Default: disabled.
netconf.<index>.alias.<index>.status - specify the current alias status (enabled/disabled).
netconf.<index>.alias.<index>.ip - specify the IP address for the interface alias. This key may be used as the aliased IP range start, together with the netconf.<index>.alias.<index>.ip_range_end key.
netconf.<index>.alias.<index>.ip_range_end - specify the aliased IP range end. This key is used with netconf.<index>.alias.<index>.ip, which then means the aliased IP range start.
netconf.<index>.alias.<index>.netmask - specify the subnet mask for the interface alias (e.g. 192.168.6.0).
netconf.<index>.alias.<index>.broadcast - specify the broadcast IP address for the interface alias (e.g. 192.168.6.255).
netconf.<index>.mcast.status - specify the multicast address status (enabled/disabled). Default: disabled. The multicast keys are used to attach a static link-layer multicast address to listen on the interface. They only manage link-layer addresses.
netconf.<index>.mcast.<index>.lladdress - specify the multicast link-layer address.
netconf.<
dhcp.fwd.client.1.devname ath0
dhcp.fwd.client.1.circuit.id MY-NAS-ID-1
dhcp.fwd.client.2.status enabled
dhcp.fwd.client.2.devname ixp0
dhcp.fwd.client.2.circuit.id MY-NAS-ID-2

6.2.4 DNS
A maximum of three name servers and six domain search entries can be specified. The DNS (Domain Name Service) translates Internet host names (www.example.com) into their IP addresses. All available keys of the DNS configuration are listed below.
resolv.status - specify the DNS status (enabled/disabled).
resolv.nameserver.<index>.status - specify the current DNS server status (enabled/disabled). Default: enabled.
resolv.nameserver.<index>.ip - specify the IP address of the DNS server (IP address, mandatory).
resolv.search.<index>.status - specify the search entry status (enabled/disabled). Default: enabled.
resolv.search.<index>.domain - specify the domain name to use for DNS lookups when no domain is specified (domain name, e.g. mycompany.net). Specified domains will be checked in turn until a match is found.
resolv.host.<index>.status - specify the current host entry status (enabled/disabled). Default: enabled.
resolv.host.<index>.ip - specify the IP address of the hostname (IP address, mandatory).
resolv.host.<index>.name - specify the canonical hostname (hostname string, mandatory).
resolv.host.<index>.alias.<index>.status - specify the para
Figure 4.5.2 below shows the Site Survey table found in the web interface.
[Figure 4.5.2 Site Survey Table: "Site Survey Results from 1 min 59 sec ago. Click the column header to sort the table by that column." Columns: MAC address, ESSID, Encryption, Signal strength, Noise floor, Frequency (GHz), Channel. Note: initiating a scan will temporarily disable the radio link on the selected interface. Control: Choose wireless interface (ath0).]

4.5.2 Antenna Alignment
The antenna alignment test measures signal quality between the ShadowAP and other wireless networking devices. For best results, turn off all wireless networking devices within range of the device except the device(s) with which you are trying to align the antenna. Watch the constantly updated display in the Alignment Test window as you adjust the antenna.
[Figure 4.5.3 Antenna Alignment Tool: Choose wireless interface; live signal level readout]
Choose wireless interface - select the wireless interface to align the antenna on. The Antenna Alignment test results appear when you click the Start button and finish when you click Stop.

4.5.3 Wireless Tests
This test generates TCP/UDP traffic and measures throughput from client to server over the currently established point-to-point link con
4 backup syslog hosts can be configured on the device.
syslog.fwd.backup.<index>.status - specify the status of the backup syslog host (enabled/disabled). Default: enabled.
syslog.fwd.backup.<index>.host.ip - specify the backup host IP address where syslog messages will be sent to.
syslog.fwd.backup.<index>.host.port - specify the port to which syslog messages will be forwarded (0-65535). Default: 514.
syslog.rotate.status - specify the rotation status of logged messages (enabled/disabled). Default: enabled.
syslog.rotate.at.size - specify the log size in bytes after which the rotation should start (1-9223372036854775807). Default: 102400.

Example: With the following configuration, all messages that have a level equal to or higher than warning will be logged locally. Messages that have a level equal to or higher than critical will be logged on the remote syslog server 192.168.2.150:514 or on the backup server 192.168.2.152:514. The log will be rotated when the syslog file reaches 102400 bytes in size.
syslog.status enabled
syslog.file /var/log/messages
syslog.file.msg.level warning
syslog.file.umask 077
syslog.fwd.status enabled
syslog.fwd.backup.1.status enabled
syslog.fwd.backup.1.host.ip 192.168.2.152
syslog.fwd.backup.1.host.port 514
syslog.fwd.host.ip 192.168.2.150
syslog.fwd.host.port 514
syslog.fwd.msg.level crit
syslog.rota
Access Point (AP), as a customer premise device (CPE), or as a point-to-point link.

2.1 Mounting
The ShadowAP should be mounted in a manner so that its antenna has a line of sight to its respective target. This is less of a necessity when using an omni-directional antenna. The ShadowAP has been designed to allow for simple pole mounting; it can be mounted to any pipe or pole with a diameter ranging from 1.5 to 3.5 inches (4 cm to 9 cm). There are teeth built into the enclosure to allow low-slippage mounting in either the horizontal or vertical polarization configuration.
True line of sight (LoS) between two radios is not quite as straightforward as typically thought. Line of sight requires at least two conditions:
1. The antenna can be aimed along an imaginary straight line with no objects obstructing or blocking this view.
2. There needs to be a clear elliptical area surrounding the visual path, known as the Fresnel zone. Without the Fresnel zone clearance an object may cause diffraction effects that will degrade the signal.
The required clearance can roughly be computed by:
    r = C * sqrt(D / f)
where C = 8.66 in metric or 36.025 for imperial, D = total distance in kilometres or miles, f = frequency in gigahertz, and r = radius in meters or feet.
[Figure 2.1.1 Fresnel Zone Clearance]
While true line of sight is difficult to achieve, the requirements should be kept in mind so that the mounting point can best be determined in orde
[Figure 6.4.1 Traffic Limitation: Upload / Download]
According to the above figure the configuration is:
bandwidth.1.up.dev ixp1
bandwidth.1.up.speed 1024
bandwidth.1.down.dev ath0
bandwidth.1.down.speed 1024
bandwidth.1.ip 192.168.0.1
bandwidth.1.pps 131
According to this configuration the bandwidth configuration file /etc/persistent/bandwidth/bandwidth.cfg will be generated as:
ixp1 1024 ath0 1024 192.168.0.1 131
The configuration of the limitation per interface:
bandwidth.2.devname ath0
bandwidth.2.speed 10240
The bandwidth configuration file /etc/persistent/bandwidth/bandwidth.cfg will be generated as:
ath0 10240

6.5 Management Access Configuration
This section describes user and administrative access settings: configuration of the SSH, HTTP(S) and SNMP servers, and configuration of system users.

6.5.1 SSH Server
The SSH server is enabled by default on the ShadowAP.
sshd.status - specify the SSH server status (enabled/disabled). Default: enabled.
sshd.port - specify the port for incoming SSH connections (0-65535). Default: 22.
Example: enable the SSH server (these are the defaults)
sshd.status enabled
sshd.port 22

6.5.2 HTTP(S) Server
This section describes the configuration of the HTTP and HTTPS services that make it possible to manage the ShadowAP-based device through a Web browser. All available keys of the HTTP(S) configuration are listed below.
httpd.status - specify the HTTP(S)
66 MIT Remote Virtual Disk Protocol
67 Internet Pluribus Packet Core
68 Any distributed file system
69 SATNET Monitoring
70 VISA Protocol
71 Internet Packet Core Utility
72 Computer Protocol Network Executive
73 Computer Protocol Heart Beat
74 Wang Span Network
75 Packet Video Protocol
76 Backroom SATNET Monitoring
77 SUN ND PROTOCOL-Temporary
78 WIDEBAND Monitoring
79 WIDEBAND EXPAK
80 ISO Internet Protocol
81 VMTP
82 SECURE-VMTP
83 VINES
84 TTP
85 NSFNET-IGP
86 Dissimilar Gateway Protocol
87 TCF
88 EIGRP
89 OSPFIGP
90 Sprite RPC Protocol
91 Locus Address Resolution Protocol
92 Multicast Transport Protocol
93 AX.25 Frames
94 IP-within-IP Encapsulation Protocol
95 Mobile Internetworking Control Pro.
96 Semaphore Communications Sec. Pro.
97 Ethernet-within-IP Encapsulation
98 Encapsulation Header
99 Any private encryption scheme
100 GMTP
101 Ipsilon Flow Management Protocol
102 PNNI over IP
103 Protocol Independent Multicast
104 ARIS
105 SCPS
106 QNX
107 Active Networks
108 IP Payload Compression Protocol
109 Sitara Networks Protocol
110 Compaq Peer Protocol
111 IPX in IP
112 Virtual Router Redundancy Protocol
113 PGM Reliable Transport Protocol
114 any 0-hop protocol
115 Layer Two Tunneling Protocol
116 D-II Data Exchange (DDX)
117 Interactive Agent Transfer Protocol
118 Sch
This configuration will create a GRE tunnel with the following parameters: gre_1 remote end IP 10.15.14.1; the local end will use IP address 192.168.2.12 bound to the ixp1 interface (it should already be configured); the TTL value will be inherited; path MTU discovery disabled.

6.2.10 PPPoE Settings
PPPoE is a protocol typically used by DSL providers to manage IP addresses and authenticate users. Essentially, PPPoE provides for a PPP connection to be established not over a physical serial line or modem but over a logical connection between two unique MAC addresses on an Ethernet network.
pppoe.status - specify the status of PPPoE (enabled/disabled). Default: disabled.
pppoe.<index>.status - specify the status of the particular PPPoE profile (enabled/disabled).
pppoe.<index>.name - specify the name of the PPPoE profile (string).
pppoe.<index>.devname - specify the name of the interface the peer can be connected through (string). The interface should be up before you start PPPoE but should not be configured to have an IP address; refer to the section Interface for detailed information on interface configuration.
pppoe.<index>.user - specify the name which will be used for authenticating the local system to the peer (string).
pppoe.<index>.password - specify the password for the user authentication (string).
pppoe.<index>.service_name - specify the service name set on the access concentrator (string). PPPoE will
When a PKCS#12 file (.p12 extension) is used, wpasupplicant.profile.<index>.network.<index>.client_cert should be commented out or removed. Both the private key and the certificate will be read from the PKCS#12 file in this case. The file should be saved in the /etc/persistent/private_key directory on the device.
wpasupplicant.profile.<index>.network.<index>.private_key_passwd - specify the password for the private key (string).
wpasupplicant.profile.<index>.network.<index>.dh_file - specify the path to the DH/DSA parameters file in PEM format (string). This is an optional configuration file for setting parameters for an ephemeral DH key exchange. In most cases the default RSA authentication does not use this configuration. However, it is possible to set up RSA to use ephemeral DH key exchange. In addition, ciphers with DSA keys always use ephemeral DH keys. This can be used to achieve forward secrecy. If the file is in DSA parameters format, it will be automatically converted into DH parameters.
wpasupplicant.profile.<index>.network.<index>.subject_match - specify a substring to be matched against the subject of the authentication server certificate. If this string is set, the server certificate is only accepted if it contains this string in the subject. The subject string is in the following format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
Phase1 (outer authentication, i.e. TLS tunnel) parameters
added to the bridge setup. Bridging firewall rule (refer to the respective section 6.4.4 Bridging Firewall):
ebtables.rule.1.table broute
ebtables.rule.1.chain BROUTING
ebtables.rule.1.in <aaa.nas.<index>.devname>
ebtables.rule.1.protocol 0x888e
ebtables.rule.1.target DROP
aaa.status - specify the AAA service status (enabled/disabled, mandatory). Default: disabled.
aaa.<index>.status - specify the current AAA profile status (enabled/disabled). Default: enabled.
aaa.<index>.name - specify the AAA profile name (string).
aaa.<index>.devname - specify the interface name to start the AAA service on (string).
aaa.<index>.nas.<index>.status - specify the NAS profile entry status (enabled/disabled). Default: enabled.
aaa.<index>.nas.<index>.profile - specify the NAS profile name (string).
aaa.<index>.wan.<index>.status - specify the WAN interface entry status (enabled/disabled). Default: enabled. Enable this parameter and specify which interfaces have to be set up for outgoing traffic bandwidth control if you intend to use bandwidth control for users of the AAA service.
aaa.<index>.wan.<index>.devname - specify the WAN interface name for AAA (string).
Example: The configuration file snapshot for the example described above should look like this:
aaa.status enabled
aaa.1.status enabled
aaa.1.devname ath0
aaa.1.name ath0-UAM-ixp0
aaa.1.nas.1.status enabled
aaa.1.nas.1
[Figure 4.3.3 Basic Network Page: per interface, "Obtain an IP address automatically" or "Use the following IP address" (IP Address 0.0.0.0, IP Subnet Mask 255.255.255.0); "Bridge the Ethernet and Radio" (IP Address 192.168.200.221, IP Subnet Mask 255.255.255.0); Default Gateway; DNS (Enabled, DNS Server 1, DNS Server 2). (c) 2008 Waveteq Communications Inc.]
IP Address Configuration - For each of the interfaces, specify "Obtain an IP address automatically" to enable it as a DHCP client (see section 6.2.3.1 DHCP Client for details), or else specify a static IP address and subnet mask. You can also specify a default gateway IP address for the ShadowAP.
Bridge - A bridge transparently relays traffic between multiple network interfaces. Please see section 6.2.2 The Bridge for details and limitations on bridge configuration.
DNS - Use this section to enable and configure the static Domain Name Service (DNS). For more details on DNS configuration see section 6.2.4 DNS.

4.3.3 Basic Wireless
The Basic Wireless page allows configuration of both radios as well as wireless network setup. From this page choose how the ShadowAP transmits data wirelessly. These settings are covered in detail in section 6.3 Wireless Settings.
[Basic Wireless page: Country Code (Canada), Operating Mode (Master / Managed), Antenna (Internal / External), SSID, Broadcast SSID, IEEE Mode (A
bytes. Forced logout once the volume limitation is reached.
Acct-Session-Input-Gigawords | 22 | Integer | X | Session download volume limitation in bytes. Forced logout once the volume limitation is reached.
Acct-Session-Output-Octets | 23 | Integer | X | Session upload volume limitation in bytes. Forced logout once the volume limitation is reached.
Acct-Session-Output-Gigawords | 24 | Integer | X | Session upload volume limitation in bytes. Forced logout once the volume limitation is reached.
Acct-Session-Octets | 25 | Integer | X | Upload and download limitation.
Acct-Session-Gigawords | 26 | Integer | X | Upload and download limitation.

7.4 Appendix D: /etc/protocols
This table describes the various protocols that are available from the TCP/IP subsystem. The values will occur in the IP packet's protocol header. The latest version, with references to further documentation, can be found at http://www.iana.org/assignments/protocol-numbers.
[Table: Decimal value | Keyword | Protocol. The opening rows (from protocol number 0) survive only partially; recoverable keywords in order: HOPOPT, ICMP, IGMP, GGP, BBN-RCC-MON, NVP-II, ARGUS, EMCON, XNET, CHAOS, DCN-MEAS, HMP, XNS-IDP, TRUNK-1, TRUNK-2, LEAF-1, LEAF-2, IRTP, ISO-TP4, NETBLT, MFE-NSP, MERIT-INP, 3PC, IDPR, CMTP, TP, SDRP, IPv6-Route; recoverable protocol names: IPv6 Hop-by-Hop Option, Internet Control Message, Internet Group Management, Gateway-to-Gateway, IP in IP (encapsulation), Stream, Transmission C
[Figure 3.8.1 Device Statistics: per-interface receive and transmit statistics (packets, errors, drop, bytes) and subnet masks]

3.9 Reboot
Type "reboot now" to immediately reboot the ShadowAP.

3.10 Reset
To reset the ShadowAP device to factory defaults, use the reset command. The device is restarted and default values are set. Please note that the administrator password will be set to the factory default.

3.11 Quit
Type "quit" to leave the CLI mode.

Chapter 4 Web Interface
The ShadowAP's Graphical User Interface (GUI) is presented after connecting to the device through a web browser. From the web interface all administrative details and configuration options may be accessed. For details on connecting to the ShadowAP device see section 2.4 Connecting to the ShadowAP.

4.1 Overview
The main web management menu is displayed after successfully logging into the system (see Figure 4.1.1 below). From this menu all administrative pages are accessed.
[Figure 4.1.1 Main ShadowAP Management Menu]
By default the Statistics / System Information menu is activated and the main ShadowAP device system information is displayed. The active menu is displayed in a different color. The web management menu has the following struc
ebtables.rule.<index>.arp.opcode.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.arp.htype - specify the hardware type (number or string). Default: Ethernet (1).
ebtables.rule.<index>.arp.htype.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.arp.ptype - specify the protocol type for which the (R)ARP is used (hexadecimal number or string). Default: IPv4 (0x0800).
ebtables.rule.<index>.arp.ptype.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.arp.ip_src - specify the ARP IP source address specification (IP address[/netmask length in bits]).
ebtables.rule.<index>.arp.ip_src.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.arp.ip_dst - specify the ARP IP destination address specification (IP address[/netmask length in bits]).
ebtables.rule.<index>.arp.ip_dst.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.arp.mac_src - specify the ARP MAC source address specification (colon-separated 6 hexadecimal value pairs[/netmask length in bits]).
ebtables.rule.<index>.arp.mac_src.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<ind
else. The wildcard character "+" can be used to match a string of letters and numbers; e.g. the value ixp+ will match all Ethernet devices.
firewall.rule.<index>.out.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.

6.4.3.3 Implicit Matches
firewall.rule.<index>.sport - specify the TCP or UDP source port or port range (0-65535[:0-65535]). This match can either take a service name from the /etc/services file or a port number. You can define a port range instead of one port; e.g. 22:80 will match all ports from 22 to 80.
firewall.rule.<index>.sport.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
firewall.rule.<index>.dport - specify the TCP or UDP destination port or port range (0-65535[:0-65535]). This match can either take a service name from the /etc/services file or a port number. You can define a port range instead of one port; e.g. 22:80 will match all ports from 22 to 80.
firewall.rule.<index>.dport.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
firewall.rule.<index>.tcpflags - specify the TCP flags in a packet (SYN, ACK, FIN, RST, URG, PSH, ALL, NONE).
firewall.rule.<index>.tcpflags.inverse - specify the match value inverse status (enabled/disabled). Default: disabled.
firewall.rule.<index>.tcpoption - specify the TCP option number (0-256).
firewal
firewall rule specifies criteria for a packet and a target. If the packet does not match, the next rule in the chain is examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain or one of the special values described below. Some rule keys may have an inverse sub-key. If set to enabled, it inverts the test for the main key match value.
The following configuration keys are used to determine where a particular rule shall be placed:
ebtables.rule.<index>.status - specify the current rule status (enabled/disabled). Default: enabled.
ebtables.rule.<index>.table - specify the table name (string).
ebtables.rule.<index>.chain - specify the chain name (string).
A firewall rule specifies criteria for an Ethernet frame and a frame processing specification called a target. When a frame matches a rule, the next action specified by the target is performed. The target can be one of these values: ACCEPT, DROP, CONTINUE, RETURN, an extension (see below), or a user-defined chain.
ebtables.rule.<index>.target - specify the target (ACCEPT, DROP, CONTINUE, RETURN, target extension). ACCEPT means to let the frame through. DROP means the frame has to be dropped. CONTINUE means the next rule has to be checked; this can be handy to know how many frames pass a certain point in the chain, or to log those frames. RETURN
.devname - specify the input interface name.
The example below shows the setup of the firewall configuration specific to DNSMASQ. Refer to section 6.4.3 IP Firewall for further firewall configuration details.
Example: configure DNSMASQ on the ath0 interface. First configure redirection of the DNS ports:
firewall.status enabled
firewall.rule.1.table nat
firewall.rule.1.chain PREROUTING
firewall.rule.1.protocol TCP
firewall.rule.1.in ath0
firewall.rule.1.dport 53
firewall.rule.1.target REDIRECT
firewall.rule.2.table nat
firewall.rule.2.chain PREROUTING
firewall.rule.2.protocol UDP
firewall.rule.2.in ath0
firewall.rule.2.dport 53
firewall.rule.2.target REDIRECT
Then enable DNSMASQ on ath0:
dnsmasq.status enabled
dnsmasq.1.devname ath0

6.2.6 VLANs
Up to 4094 VLANs can be created on the system. Virtual Local Area Networks (VLANs) are logical groupings of network resources; e.g. public access users can be separated from company Intranet users using VLANs on the Ethernet interface. Access control policies can be applied on a per-VLAN basis. VLANs are uniquely identified by VLAN id number. Setting up a VLAN on a physical interface will create a virtual network interface named like the physical interface with a dot and the VLAN id appended; e.g. setting up a VLAN with id 10 on interface ixp0 will create a virtual interface called ixp0.10. All available keys for VLAN con
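To review what a set of firewall.rule keys will actually install before loading them, here is an added Python example (not the manual's or Waveteq's own code) that renders the DNSMASQ redirection rules above as iptables commands; the function names and the key-to-iptables-option mapping are my assumptions about how the device applies these keys, and the sample configuration is constructed from the example in this section.

```python
"""Render ShadowAP-style firewall.rule.<index>.* keys as iptables commands.

Added example for reviewing a configuration; not the manual's or the vendor's
code. Key names follow the manual (status, table, chain, protocol, in, out,
src, dst, sport, dport, state, target, t.dnat.dst and the <key>.inverse
sub-keys); the iptables option each key becomes is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample: the DNSMASQ DNS-port redirection rules from the manual.
SAMPLE_CONFIG = """\
firewall.status enabled
firewall.rule.1.table nat
firewall.rule.1.chain PREROUTING
firewall.rule.1.protocol TCP
firewall.rule.1.in ath0
firewall.rule.1.dport 53
firewall.rule.1.target REDIRECT
firewall.rule.2.table nat
firewall.rule.2.chain PREROUTING
firewall.rule.2.protocol UDP
firewall.rule.2.in ath0
firewall.rule.2.dport 53
firewall.rule.2.target REDIRECT
"""

RULE_KEY = re.compile(r"^firewall\.rule\.(\d+)\.(.+)$")

# Match keys and the iptables option each becomes (dict order = option order).
OPTION_MAP = {
    "protocol": "-p", "in": "-i", "out": "-o", "src": "-s", "dst": "-d",
    "sport": "--sport", "dport": "--dport",
}


def parse_config(text):
    """Return (firewall.status value, {rule index: {sub-key: value}})."""
    status = "disabled"
    rules = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key == "firewall.status":
            status = value.strip()
        m = RULE_KEY.match(key)
        if m:
            rules[int(m.group(1))][m.group(2)] = value.strip()
    return status, dict(sorted(rules.items()))


def to_iptables(rule):
    """Translate one rule dict into a single iptables command (assumed mapping)."""
    for required in ("chain", "target"):
        if required not in rule:
            raise ValueError(f"rule is missing mandatory key {required!r}")
    if ("sport" in rule or "dport" in rule) and "protocol" not in rule:
        raise ValueError("port matches require firewall.rule.<index>.protocol")
    parts = ["iptables", "-t", rule.get("table", "filter"), "-A", rule["chain"]]
    for key, opt in OPTION_MAP.items():
        if key in rule:
            if rule.get(f"{key}.inverse", "disabled") == "enabled":
                parts.append("!")  # the manual's <key>.inverse sub-key negates the match
            value = rule[key].lower() if key == "protocol" else rule[key]
            parts += [opt, value]
    if "state" in rule:
        parts += ["-m", "state", "--state", rule["state"]]
    parts += ["-j", rule["target"]]
    if rule["target"] == "DNAT" and "t.dnat.dst" in rule:
        parts += ["--to-destination", rule["t.dnat.dst"]]
    return " ".join(parts)


def render(text):
    """All enabled rules as iptables commands; [] when firewall.status is not enabled."""
    status, rules = parse_config(text)
    if status != "enabled":
        return []
    return [to_iptables(r) for r in rules.values()
            if r.get("status", "enabled") == "enabled"]


if __name__ == "__main__":
    print("\n".join(render(SAMPLE_CONFIG)))
```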
[Figure: "Set up a wireless network for a home or small office" / "Unsecured wireless network"]
Step 8. Repeat steps 5-7 from section 2.4.1. For further instructions on Web management refer to Chapter 4 Web Interface.

2.5 Licensing
The ShadowAP firmware you have purchased includes a 1-year upgrade licence. A valid license file should already be loaded on your ShadowAP device when you receive it. If for some reason it is not present, please contact Waveteq immediately. A valid license file should be uploaded on the ShadowAP-based device to activate the full set of device features. Use the following procedure to upload a new license file onto the ShadowAP-based device using the web interface.
Step 1. Connect to the ShadowAP web interface and choose the System / License menu.
[Figure 2.5.1 Device License Page: License status (not valid), License period (N/A), Download current license file (Download), Upload New License (License file upload, Browse)]
Step 2. Use the Browse button to choose the license file and click the Upload button under the Upload New License section to load the file on the system. Be certain you are uploading a valid license file.
Step 3. After the license file has been successfully uploaded to the device, the information message appears:
"License uploaded and saved. License will be activated after reboot."
[Device License page: License status (not valid), Lic
mode.
The key vssid.<index>.mode affects the wireless throughput; therefore this key must be used only if you are aware of the key's use.
Example: create 2 new virtual wireless devices
vssid.status enabled
vssid.1.status enabled
vssid.1.parent ath0
vssid.1.devname ath0.v1
vssid.2.status enabled
vssid.2.parent ath0
vssid.2.devname ath0.v2

6.3.4 Wireless Distribution System (WDS)
A Wireless Distribution System (WDS) allows you to create a wireless network infrastructure. Normally the access points must be connected to a wired network (LAN), which is generally Ethernet. Once connected, these access points create wireless cells allowing wireless connection to the wired network. The WDS feature allows the access points to be wirelessly connected to another access point, eliminating the need for a wired connection between them.
Use the following tips when configuring WDS:
- WDS mode can be enabled on each wireless interface, including a virtual interface (VSSID).
- In order for WDS peers to communicate, all the WDS network peers must operate on the same channel (frequency) and have the same security settings.
- Both sides have to be connected (AP/STA infrastructure) prior to turning WDS mode on.
- If you need only to bridge two wired networks, use the Wireless ACL configuration to prevent undesired association of other clients. In case you don't use WPA security, create an ACL
49. on the ShadowAP configured as the test client, "TCP/UDP socket connected to xxx.xxx.xxx.xxx" should be displayed below the Start button, where xxx.xxx.xxx.xxx is the IP address of the ShadowAP acting as the test server.

[Figure 4.5.7 Wireless Test Results. Show Results / Results:]
TCP socket connected to 192.168.3.1
Step      Input (kbps)   Output (kbps)
1         14506.82       0.00
2         16379.78       0.00
3         16460.86       0.00
4         16281.31       0.00
average   15963.48       0.00
2008 WAVETEQ Communications Inc.

Start: click this button to begin the test.
Stop: click this button to stop the test.
Show Results: click this button only after the test has been started on both devices. The ShadowAP might take a few seconds to complete the test, so if fewer than four results are shown, click this button once more.
Results: the displayed values are the wireless test results in kbps. The test is performed in 4 steps and an average is calculated for user convenience.
Do not forget to stop the Server side after the throughput test is finished, as the test may affect the ShadowAP's performance.

4.6 Logout

Click the LOGOUT link in the top right corner of the main menu to leave the Web management interface.
[Figure 4.6.1 Logout from the Web Management]
Logout: click to leave the device Web management. When the LOGOUT button is clicked, the administrator is redirected to the login page.
50. open policy means that no ACL will be used and ACL MAC entries will be ignored;
- allow policy means that all clients are allowed except the ones in the list;
- deny policy means that all clients are denied; only the ones in the list are allowed.
wacl <index> acl <index> status: specify the current ACL entry status [enabled/disabled]. Default: enabled.
wacl <index> acl <index> mac: specify the MAC address of the wireless client [colon-separated 6 hexadecimal value pairs].
Example: allow access to ath0 only from 1 MAC address
wacl status enabled
wacl 1 devname ath0
wacl 1 policy deny
wacl 1 acl 1 mac 00:02:6f:22:32:d9

6.3.6 Wireless Client Bridge

The concept behind making a wireless client work as a bridge is to send all packets coming from the Ethernet side as wireless client packets. In order to do this, the MAC address of the Ethernet packets must be changed to the MAC address of the wireless client interface; this is because the 802.11 standard says that APs will not accept any packet not coming from an associated wireless client. The configuration of a Wireless Client Bridge contains Ethernet bridge table (ebtables) rules for packets passing through the client's wireless interface, designed to control Layer 2 packets.

Follow these steps to configure the wireless client bridge service on the ShadowAP device:
1. Set up a wireless device (i.e. VSSID ms1) in wireless client mode; refer to section 6
51. opportunity before the station defers access to the medium. Available for any capable station.
wireless <index> compression: specify the packet compression status [enabled/disabled]. Default: disabled. Real-time hardware Lempel-Ziv data compression that increases data throughput using pre-compressed frames. Requires an AP that supports compression.
wireless <index> wmm: specify the WMM status [enabled/disabled]. Default: disabled. Wi-Fi Multimedia (WMM) is based on the IEEE 802.11e draft standard. It provides basic quality of service (QoS) features to IEEE 802.11 networks. WMM prioritizes traffic according to 4 ACs (Access Categories): voice, video, best effort and background.
The QoS keys are based on the DiffServ architecture.
wireless <index> tos2ac <index> status: specify the status of QoS [enabled/disabled]. Default: enabled. Enables packet classification on the TOS value in the IP header and dispatching to the corresponding radio queues. AC values 1-4 correspond to the BK, BE, VO, VI queues. The 2 least-significant bits of TOS are not used and are masked out. The mapping record with tos 0 will be used as the default rule for packets not matching any other configured mapping.
wireless <index> tos2ac <index> tos: specify the IP header TOS value [HEX format]. Internally this value is masked with 0xfc, thus the last 2 bits are not used.
wireless <index> tos2ac <index> ac: specify the queue in the radio HW to select [1-4]. The queue valu
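The tos2ac classification described above, as an added example (not firmware code from the manual): a small Python classifier that collects tos2ac records, masks the packet TOS byte with 0xfc, and falls back to the tos 0 record as the default rule. The dotted "key=value" line form and the sample entries are constructed for this example.

```python
# Added example: models the ShadowAP tos2ac behaviour described in the manual
# (TOS masked with 0xfc, AC 1-4 = BK/BE/VO/VI, the tos 0 record is the default).
# This is not the firmware's code; the dotted "key=value" line form and the
# sample entries below are constructed for the example.
from dataclasses import dataclass

AC_NAMES = {1: "BK", 2: "BE", 3: "VO", 4: "VI"}   # order as listed in the manual
TOS_MASK = 0xFC                                  # two least-significant TOS bits ignored


@dataclass(frozen=True)
class Tos2AcRule:
    index: int   # <index> of the tos2ac record
    tos: int     # TOS value after masking with 0xfc
    ac: int      # radio HW queue, 1-4


def parse_tos2ac(config_lines, radio_index=1):
    """Collect enabled wireless.<radio_index>.tos2ac.<n>.{status,tos,ac} records.

    Returns the rules sorted by record index.  Raises ValueError for an AC
    outside 1-4, which the manual documents as the only valid range.
    """
    records = {}
    prefix = f"wireless.{radio_index}.tos2ac."
    for raw in config_lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):].split(".")
        if len(rest) != 2 or not rest[0].isdigit():
            continue
        entry = records.setdefault(int(rest[0]), {"status": "enabled"})
        field = rest[1]
        if field == "tos":
            entry["tos"] = int(value, 16)        # manual: HEX format
        elif field == "ac":
            entry["ac"] = int(value)
        elif field == "status":
            entry["status"] = value

    rules = []
    for idx in sorted(records):
        e = records[idx]
        if e["status"] != "enabled" or "tos" not in e or "ac" not in e:
            continue
        if not 1 <= e["ac"] <= 4:
            raise ValueError(f"tos2ac.{idx}.ac={e['ac']} is outside 1-4")
        rules.append(Tos2AcRule(idx, e["tos"] & TOS_MASK, e["ac"]))
    return rules


def classify(tos_byte, rules):
    """Map a packet's TOS byte to (ac, queue name), or None when no rule applies.

    The packet TOS is masked with 0xfc before lookup; a record with tos 0 acts
    as the default for packets that match no other configured mapping.
    """
    by_tos = {rule.tos: rule for rule in rules}
    masked = tos_byte & TOS_MASK
    rule = by_tos.get(masked)
    if rule is None:
        rule = by_tos.get(0)
    if rule is None:
        return None
    return rule.ac, AC_NAMES[rule.ac]


# Constructed sample configuration (not from the manual): EF-marked traffic to the
# voice queue, CS4 to video, everything else to best effort via the tos 0 record.
SAMPLE_CONFIG = """
wireless.1.tos2ac.1.status=enabled
wireless.1.tos2ac.1.tos=0x00
wireless.1.tos2ac.1.ac=2
wireless.1.tos2ac.2.status=enabled
wireless.1.tos2ac.2.tos=0xb8
wireless.1.tos2ac.2.ac=3
wireless.1.tos2ac.3.status=enabled
wireless.1.tos2ac.3.tos=0x80
wireless.1.tos2ac.3.ac=4
wireless.1.tos2ac.4.status=disabled
wireless.1.tos2ac.4.tos=0x20
wireless.1.tos2ac.4.ac=1
""".splitlines()


if __name__ == "__main__":
    rules = parse_tos2ac(SAMPLE_CONFIG)
    for tos in (0xB8, 0xB9, 0x80, 0x20, 0x00):
        print(f"TOS 0x{tos:02x} -> {classify(tos, rules)}")
```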
52. profiles (e.g. WPA) for wireless station handling.
- Authorization configuration includes settings for authenticated users, like default bandwidth, session time limits, etc.
- Accounting configuration includes the accounting backend (RADIUS server) and accounting functionality related settings: failovers, backups, transmit/receive information sending.
To configure a fully functioning AAA service you must first create the profiles itemized below:
5. configure RADIUS authentication servers; refer to section 6.4.1.2, RADIUS Authentication Servers;
6. configure RADIUS accounting servers; refer to section 6.4.1.3, RADIUS Accounting Servers;
7. group authentication and accounting servers into RADIUS Domain(s); refer to section 6.4.1.4, RADIUS Domains (WISPs);
8. create security profiles: WEP (refer to section 6.4.1.5, Dynamic WEP Security) or WPA (see chapter 6.4.1.6, WPA/WPA2 Security);
9. create NAS entries for each interface on which a Network Access Server (NAS) will be running; refer to section 6.4.1.1, Network Access Server (NAS);
10. group NAS entries into AAA services (see the information below);
11. if not yet created, configure the wireless interfaces on which NAS will be running; refer to section 6.3, Wireless Settings:
wireless 1 devname <aaa nas <index> devname>
wireless 1 security [wep64/wep128/none]
wirel
53. proper connection.
9. Using an RJ-45 hand crimper, crimp the assembly together.
10. Move the coupler (5) over the plug holder (3) until it bottoms out.
11. Seat the thick ring (4) inside the cable clinch (3).
12. Slide the RJ-45 terminator plug back into the plug holder (3) until it can go no farther. Take care to push the RJ-45 clip down and seat it into the notch on the plug holder.
13. While pulling the Ethernet cable slightly away from the plug assembly, mate the end cap (6) with the cable clinch (3) by threading in a clockwise direction until tight, as in Figure 2.2.4.
14. This will cause the cable clinch to tighten around the cable, providing a waterproof seal. A small wrench may be used to further tighten.
15. Carefully remove the backing from the plug gasket (1).
16. Stick the plug gasket (1) onto the face of the plug holder (3), ensuring proper orientation and that the sticky side is facing the plug.
[Figure 2.2.4 Tightening the End Cap]
To power the ShadowAP you will require the included PPoE injector, an Ethernet cable and the AC adaptor. Note that none of these devices are waterproof and it is STRONGLY RECOMMENDED that they be installed in a watertight, enclosed space. To power on the ShadowAP, connect your Ethernet cable directly from the power port of the PPoE Injector to the main RJ-45 port of the ShadowAP. Note that the end attached to the ShadowAP should have the field-attachable connector on it. Next
54. rule(s) to prevent undesired client association to the WDS.
Follow these steps to configure a WDS link:
1. select the check box to enable the WDS service;
2. click the New button to add a new entry for WDS;
3. specify the Parent device: the interface name on which the WDS will be created.
All available keys of the WDS feature are listed below:
wds status: specify the WDS feature status [enabled/disabled].
wds <index> status: specify the status of the particular WDS link [enabled/disabled].
wds <index> parent: specify the interface name on which the WDS will be created [string].
Example: enable WDS mode on the ath0 interface
wds status enabled
wds 1 status enabled
wds 1 parent ath0

6.3.5 Wireless ACLs

Use the wireless access control list (ACL) service to control default access to the wireless network interfaces (ath0, ath1 and VSSIDs) or to define special access rules for wireless clients.
All available keys of the wireless ACL feature are listed below:
wacl status: specify the ACL service status [enabled/disabled].
wacl <index> status: specify the current ACL rule status [enabled/disabled]. Default: enabled.
wacl <index> devname: specify the wireless interface name to which the wireless interface rules will be assigned.
wacl <index> policy: specify the policy for the wacl <index> acl <index> mac entries [open/allow/deny]. Default: open.
55. status enabled
netconf 1 alias 1 ip 192.168.2.16
netconf 1 alias 2 status enabled
netconf 1 alias 2 ip 192.168.2.17
netconf 1 alias 3 status enabled
netconf 1 alias 3 ip 192.168.2.200
netconf 1 alias 3 ip range end 192.168.2.210
The configuration in example 3 means that the ixp0 interface is configured to have 192.168.2.220 as its primary IP address, the interface netmask is set to 255.255.255.0, the default gateway is 192.168.2.1, and the interface is up (enabled). Also see alias: this tells the system to configure ixp0 to have other aliased IP addresses as well: 192.168.2.16, 192.168.2.17 and the 192.168.2.200-192.168.2.210 range. It is the user's responsibility to define routes for these addresses in the configuration file.

6.2.2 The Bridge

A bridge transparently relays traffic between multiple network interfaces. A bridge is identified by a custom interface name. It is basically a container for other interfaces. There are some restrictions for bridge management that shall be taken into account:
- It is not possible to add a device to multiple bridges.
- The WAN interface cannot be added into a bridge.
- VLANs cannot be created on bridge interfaces; they can only be added to them.
- A bridge cannot be included into another bridge.
All available keys of the bridge configuration are listed below.
Note: the <index> range for bridge is 1-100.
bridge status: specify the bridge feature status [enabled/disabled]. Default: d
56. status of the racoon service [enabled/disabled].
racoon psk <index> status: specify the current configuration entry status [enabled/disabled]. Default: enabled.
racoon psk <index> identifier: specify the remote host IP address.
racoon psk <index> secret: specify the secret pre-shared key [string].
Example:
racoon status enabled
racoon psk 1 status enabled
racoon psk 1 identifier 192.168.2.151
racoon psk 1 secret VeRySecr3t

6.2.9 GRE Tunnels

GRE (Generic Routing Encapsulation, RFC 2784) is a solution for tunnelling RFC 1812 private address space traffic over an intermediate TCP/IP network such as the Internet. GRE tunnelling does not use encryption; it simply encapsulates data and sends it over the WAN. Administrators should therefore take care that no unencrypted private information passes through a GRE tunnel. Created GRE tunnels will appear as regular network interfaces, e.g. gre1, gre4. The <index> range for GRE tunnels is 1-100.
tunnel gre status: specify the GRE tunnel status [enabled/disabled]. Default: disabled.
tunnel gre <index> status: specify the current GRE entry status [enabled/disabled]. Default: enabled.
tunnel gre <index> devname: specify a custom GRE tunnel interface name [custom string up to 15 characters in length].
Bind the tunnel to the specified interface so that tunnelled packets will only be routed through this interface and will not
57. works when multiple accounting servers are specified. In backup mode the accounting information will be sent to all servers at once, without waiting for accounting responses, assuming that the accounting requests will be received by at least one server. In failover mode the accounting information will be sent to another RADIUS server only if the primary RADIUS server does not respond.
aaa domain <index> default sessiontimeout: specify the default user session timeout in seconds on the particular domain [1-2147483647]. Default is 18000 (5 hours).
aaa domain <index> default idletimeout: specify the default user idle timeout in seconds on the particular domain [1-999999999]. Default is 300 (5 minutes).
aaa domain <index> default maxrxbandwidth: specify the default maximum reception bandwidth in bps for a user on a particular domain [0-2147483647]. The default value is 0 and means unlimited bandwidth.
aaa domain <index> default maxtxbandwidth: specify the default maximum transmission bandwidth in bps for a user on a particular domain [integer]. The default value is 0 and means unlimited bandwidth.
aaa domain <index> default minrxbandwidth: specify the default minimum reception bandwidth in bps for a user on a particular domain [integer]. The default value is 0.
aaa domain <index> default mintxbandwidth: specify the default minimum transmission bandwidth in bps for a user on a particular domain [integer]. The default va
58. [Figure 4.3.4 Basic Wireless Page (residue): Channel: 153, Full; Data rate (Mbps): 54; Automatic Rate Adjustment; Link Distance (km): 51; Transmit Power (dBm): 12; Throughput enhancements: Fast Frames, Packet Bursting, Compression, Dynamic Turbo; Quality of Service: WMM]
Country Code: specify which country the device is operating in. This automatically limits the operating conditions on the rest of the page to ensure that it operates within the country's regulatory domain. See Appendix B, Regulatory Domain Channels, for details on regulatory domain restrictions.
Operating Mode: specify the operating mode of the device [Managed/Master].
Antenna: you can use either the internal antenna or any external antenna connected to the external N port. See section 1.2, Feature Locations, for connection details. Ensure that any antenna you connect meets the regulatory requirements for your particular area and application.
SSID: the Service Set Identifier (SSID) is the name of the wireless network the radio is connected to (managed mode) or broadcasting (master mode).
IEEE Mode: specify which IEEE 802.11 standard the radio will operate in.
Channel: specify which channel the radio will operate on. Ensure that the chosen channel meets the regulatory requirements for your particular area and application. You may also choose to adjust the channel width to full, half or quarter, which will drop
59. 0 0
[Network Configuration table]
Interface   MAC address          IP address        Netmask         Broadcast         Bridge
br0         00:0B:6B:04:7D:23    192.168.200.221   255.255.255.0   192.168.200.255
Network Statistics: displays detailed receive and transmit statistics of each interface.
Network Configuration: displays the main parameters of the interfaces: MAC address, IP address, Netmask, the Broadcast column.
Refresh: click to renew the network statistics information.

4.2.3 Wireless Details

The Wireless Details page displays the main statistics of the wireless interfaces, including connectivity and associated devices (peers).
[Figure 4.2.2 Wireless Details]
Wireless Statistics (columns: Interface, Status, Link, Level, Noise, Invalid network ID, Decryption errors, Invalid fragments, Retry count, Miscellaneous errors, Missed beacons):
Radio ath0: up, 0, 160, 160, 30631, 0, 0, 0, 0, 0
Peers / Access Points (columns: Interface, Mode, HW address, Quality, Signal level, Noise level, Data rate): No Peers / Access Points found
Radio Information (Country: CA; columns: Interface, MAC address, IEEE mode, Channel, ESSID): Radio ath0, 00:0B:6B:0A:7D:23, A, 56, DEFAULT1
Wireless Statistics: displays detailed statistics of each wireless interface.
Peers / Access Points: displays detailed information about the associated stations (in master mode) or information about the device the ShadowAP is associated with (managed mode).
Radio Information
60. 10 second
firewall rule <index> mac: specify the source MAC address [colon-separated 6 hexadecimal value pairs]. This is only useful for packets traversing the INPUT and FORWARD chains.
firewall rule <index> mac inverse: specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall rule <index> mark: specify the mark value, which is used to match packets that have previously been marked [0-4294967296].
firewall rule <index> multiport sport: specify multiple comma-separated source ports [0-65535, 0-65535, ... up to 15 ports]. This match can be used only with the TCP or UDP protocols.
firewall rule <index> multiport dport: specify multiple comma-separated destination ports [0-65535, 0-65535, ... up to 15 ports]. This match can be used only with the TCP or UDP protocols.
firewall rule <index> multiport port: specify multiple ports [0-65535, 0-65535, ... up to 15 ports]. This matches only if both the source and destination ports are equal to each other and are in the given port list. This match can be used only with the TCP or UDP protocols.
firewall rule <index> uid owner: specify the packet creator's user id. This match works only within the OUTPUT chain.
firewall rule <index> gid owner: specify the packet creator's group id. This match works only within the OUTPUT chain.
firewall rule <index> pid owner
61.
firewall mangle FORWARD policy ACCEPT
firewall mangle INPUT policy ACCEPT
firewall mangle OUTPUT policy ACCEPT
firewall mangle POSTROUTING policy ACCEPT
firewall mangle PREROUTING policy ACCEPT
firewall nat OUTPUT policy ACCEPT
firewall nat POSTROUTING policy ACCEPT
firewall nat PREROUTING policy ACCEPT
firewall status enabled
FORKER (Do NOT change this setting)
forker status enabled
forker verbose disabled
HTTP WEBSERVER (These settings provide the ability to manage your device through a WEB browser)
httpd backlog 100
httpd max connections 50
httpd max idletime 1800
httpd max request 51200
httpd port admin 444
httpd port http 80
httpd port https 443
httpd status enabled
IPSEC PROTOCOL CLIENT (IPsec is supported in both transport and tunnel modes. If enabled, it can provide an independent secure connection between two remote LANs to provide a VPN solution; a number of secure channels can be established simultaneously.)
ipsec status disabled
MESH (Do NOT change these settings)
mesh status disabled
NETWORK INTERFACE (Assigns IP addresses and subnet masks)
netconf 1 devname ixp0
netconf 1 ip 0.0.0.0
netconf 1 netmask 255.255.255.0
netconf 1 status enabled
netconf 1 up enabled
netconf 2 devname ath0
netconf 2 ip 0.0.0.0
netconf 2 netmask 255.255.255.0
netconf 2 status enabled
netconf 2 up enabled
netconf 3 devname br0
netconf 3 ip 192.168.3.1
netcon
62. 3. Values: 0 = require no keys; 1 = require a dynamically generated unicast WEP key; 2 = require a dynamically generated broadcast WEP key; 3 = require both keys.
The following keys are only used with the internal EAP implementation:
wpasupplicant profile <index> network <index> eap <1-12> status: specify the current entry status [enabled/disabled]. Default: enabled.
wpasupplicant profile <index> network <index> eap <1-12> name: specify the EAP methods [MD5/MSCHAPV2/OTP/GTC/TLS/PEAP/TTLS/LEAP/PSK/AKA/FAST]. If not specified, all methods are allowed.
MD5: EAP-MD5; insecure and does not generate keying material; cannot be used with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS.
MSCHAPV2: EAP-MSCHAPv2; cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS.
OTP: EAP-OTP; cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS.
GTC: EAP-GTC; cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS.
TLS: EAP-TLS (client and server certificate).
PEAP: EAP-PEAP with tunnelled EAP authentication.
TTLS: EAP-TTLS with tunnelled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication.
LEAP: EAP-LEAP.
PSK: EAP-PSK.
AKA: EAP-AKA.
FAST: EAP-FAST.
wpasupplicant profile <index> network <index> identity: specify the identity for EAP
63. 3.2. Configuration file example:
vssid status enabled
vssid 1 status enabled
vssid 1 parent ath0
vssid 1 devname ms1
wireless 2 status enabled
wireless 2 devname ms1
wireless 2 ssid <SSID of the AP>
2. Set up the network devices, i.e. ixp0, ath0, ms1 and br0; refer to the section Interface for more information. Configuration file example:
netconf 4 status enabled
netconf 4 ip 192.168.2.184
netconf 4 netmask 255.255.255.0
netconf 4 up enabled
netconf 4 devname br0
The current STA bridge system implementation requires that the bridge interface has an IP address assigned.
3. Set up the bridge device; refer to section 6.2.2, The Bridge, for more information. Add the wireless interface and the Ethernet interface(s) to the bridge. Configuration file example:
bridge status enabled
bridge 1 status enabled
bridge 1 devname br0
bridge 1 port 1 status enabled
bridge 1 port 1 devname ixp0
bridge 1 port 2 status enabled
bridge 1 port 2 devname ms1
4. Add the client bridging firewall entries:
ebtables status enabled
ebtables rule 1 table nat
ebtables rule 1 chain PREROUTING
ebtables rule 1 in ms1
ebtables rule 1 target arpnat
ebtables rule 1 t arpnat_target ACCEPT
ebtables rule 2 table nat
ebtables rule 2 chain POSTROUTING
ebtables rule 2 out ms1
ebtables rule 2 target arpnat
ebtables rule 2 t arpnat_target ACCEPT

6.3.7 Static Supervision

The station supervision service complements
64. 4> name: specify the accepted group (broadcast/multicast) ciphers for WPA [CCMP/TKIP/WEP104/WEP40]. If not specified, CCMP, TKIP, WEP104 and WEP40 are accepted.
CCMP: AES in Counter mode with CBC-MAC (RFC 3610, IEEE 802.11i/D7.0).
TKIP: Temporal Key Integrity Protocol (IEEE 802.11i/D7.0).
WEP104: WEP (Wired Equivalent Privacy) with a 104-bit key.
WEP40: WEP (Wired Equivalent Privacy) with a 40-bit key (IEEE 802.11).
wpasupplicant profile <index> network <index> psk: specify the WPA 256-bit pre-shared key. This is the key used in WPA-PSK mode: an ASCII passphrase in double quotation marks, in which case the real PSK will be generated using the passphrase and SSID. The ASCII passphrase must be between 8 and 63 characters (inclusive). This field is not needed if WPA-EAP is used. The separate tool wpa_passphrase can be used to generate 256-bit keys from an ASCII passphrase. This process uses a lot of CPU, and wpa_supplicant startup and reconfiguration time can be optimized by generating the PSK only when the passphrase or SSID has actually changed.
wpasupplicant profile <index> network <index> psk hex: specify the WPA pre-shared key in hex [256-bit pre-shared key, 64 hex digits, i.e. 32 bytes]. If specified, it will override wpasupplicant profile <index> network <index> psk.
wpasupplicant profile <index> network <index> eapol_flags: specify which dynamic WEP keys are required for non-WPA mode [0/1/2/3]. Default
65. (channel number, centre frequency in MHz) ...6 5230, 48 5240, 52 5260, 56 5280, 60 5300, 64 5320, 100 5500, 104 5520, 108 5540, 112 5560, 116 5580, 120 5600, 124 5620, 128 5640, 132 5660, 136 5680, 140 5700, 149 5745, 153 5765, 157 5785, 161 5805, 165 5825
radio 1 acktimeout 55
radio 1 ani disabled
radio 1 autochannel status disabled
radio 1 channel 153
radio 1 ctstimeout 55
radio 1 devname ath0
radio 1 frag off
radio 1 ieee mode A
radio 1 mode master
radio 1 rate auto enabled
radio 1 rate max 54M
radio 1 rts off
radio 1 rx_antenna 2
radio 1 rx_antenna_diversity disabled
radio 1 slottime 26
radio 1 status enabled
radio 1 turbo disabled
radio 1 tx_antenna 2
radio 1 tx_antenna_diversity disabled
radio 1 txpower 12
radio countrycode CA
radio outdoor 1
radio status enabled
radio xchanmode 1
DNS (Translates host names into their IP addresses, based on a configuration file or dynamically through a DHCP lease)
resolv status disabled
STATIC ROUTING (This section is used to set up static routes to specific hosts or networks through an interface)
route ip forward enabled
route status enabled
SNMP, STANDARD NETWORK MANAGEMENT PROTOCOL (Configures both the Manager and the SNMP agent)
snmpd status disabled
STATIC SUPERVISION (This feature complements authentication, authorization and accounting (AAA) by notifying which client station should be monitored for availability. After a specified number of retries, user
66. 6.4.3.7.12 TOS
The TOS target is used to set the Type of Service field within the IP header. It is only valid in the mangle table.
firewall rule <index> target TOS
firewall rule <index> t tos: specify the TOS field type [decimal or hexadecimal value]:
Minimize-Delay: 16 (hexadecimal 0x10)
Maximize-Throughput: 8 (0x08)
Maximize-Reliability: 4 (0x04)
Minimize-Cost: 2 (0x02)
Normal-Service: 0 (0x00)

6.4.3.7.13 TTL
The TTL target is used to modify the time to live in the IP header. It is only valid in the mangle table.
firewall rule <index> target TTL
firewall rule <index> t ttl set: specify the TTL set option [0-256]. This option tells the TTL target which TTL value to set on a packet.
firewall rule <index> t ttl dec: specify the TTL decrement option [0-256]. This option specifies to decrement the TTL by the given value.
firewall rule <index> t ttl inc: specify the TTL increment option [0-256]. This option specifies to increment the TTL by the given value.

6.4.3.7.14 ULOG
The ULOG target is used to provide userspace logging of matching packets. The packet information is multicast, together with the whole packet, through a netlink socket.
firewall rule <index> target ULOG
firewall rule <index> t ulog nlgroup: specify the netlink group [0-32]. This option tells the ULOG target which netlink group to send the packet to.
firewall rule <index>
67. 98. Security is based on community strings.
SNMPv2c: the community-string-based Administrative Framework for SNMPv2. SNMPv2c (the "c" stands for "community") is an experimental protocol defined in RFC 1901, RFC 1905 and RFC 1906. SNMPv2c is an update of the protocol operations and data types of SNMPv2p (SNMPv2 Classic) and uses the community-based security model of SNMPv1.
SNMPv3: SNMPv3 is based on version 2 but with added security features. It addresses security requirements through encryption, authentication and access control rules.
Both SNMPv1 and SNMPv2c use a community-based form of security. The community of managers able to access the agent's MIB is defined by an IP address access control list and password. SNMPv3 provides more robust security through the introduction of a User Security Model (USM) and through the encryption of SNMP protocol traffic.
The Access Controller implementation of SNMP supports all MIB-II variables, as described in RFC 1213, and defines all traps using the guidelines described in RFC 1215. The traps described in this RFC are:
- coldStart: a coldStart trap signifies that the SNMP entity, acting in an agent role, is reinitialising itself and that its configuration may have been altered.
- nsNotifyShutdown: an nsNotifyShutdown trap signifies that the SNMP entity, acting in an agent role, is being shut down.

5.2 SNMP Agent

The SNMP agent responds to SNMP ma
68. AT/NAPT (IP masquerading) per interface and VLAN
- Virtual AP (MBSSID)
- Diffserv with 802.1p mapping for WMM queues
- PPPoE client
Public Access:
- WEB login redirection (captive portal) with HTTP proxy support and multiple selective authentication methods (PAP, CHAP, MSCHAP, MSCHAPv2)
- RADIUS and MAC authentication
- SMTP redirection
- Static and dynamic white and black lists
- RADIUS client has support for multiple authentication and accounting RADIUS servers
- RADIUS accounting client supports fail-over and backup modes
- RADIUS authentication client supports fail-over mode
- Per virtual AP (MBSSID) RADIUS, DHCP and NAT configuration
- WISPr RADIUS attributes support with per-user dynamic bandwidth management
- Static bandwidth control w/o RADIUS
Management:
- WEB management via HTTPS
- Command line management via SSH and serial console
- Configuration file upload via HTTPS and SFTP
- Firmware management and status reporting agent with NAT/firewall traversal functionality
- Subnet or VLAN for management traffic
- Management access control list
- Administrator authentication via RADIUS or TACACS
- SNMP v1/2/3
- SNMP Traps
- Supported MIBs: 802.11, 802.1x, MIB-II, RADIUS authentication, RADIUS accounting
- SYSLOG support including remote servers and debug levels
- Dual firmware images and TFTP firmware recovery from the boot loader if both firmware images were damaged
Management Options
The ShadowAP can be monitored or managed through the followi
69. All available keys of the SNMP configuration are listed below:
snmpd status: specify the SNMP service status on the AC [enabled/disabled]. With this service enabled, the AC acts as the SNMP agent and can be monitored using SNMP.
snmpd name: specify an administratively assigned name for this managed node [string]. By convention, this is the node's fully qualified domain name.
snmpd location: specify the physical location of this node, e.g. "telephone closet, 3rd floor" [0-99 string].
snmpd contact: specify the textual identification of the contact person for this managed node, together with information on how to contact this person [0-99 string].
Note: the SNMP community name is only used in SNMP version 1 and version 2c.
snmpd rocommunity: specify the read-only community name [1-32 string].
Note: the SNMP user name and password are used in SNMP version 3.
snmpd rouser: specify the user name for read-only SNMPv3 access [1-32 string].
snmpd ropassword: specify the password for read-only SNMPv3 access [8-32 string].
Setting up trap message sending: the system sends a Cold Start trap when it starts up. If enabled, it also sends traps on authentication failures. Multiple trapsink, trap2sink and informsink hosts may be specified. Use trap2sink to send SNMPv2 traps and informsink to send inform notifications.
snmpd traps status: specify the trap message sending status [enabled/disabled]. Default: en
70. [Country Codes table extract (ISO alpha-2, alpha-3, numeric code, country name); rows were flattened in extraction, so codes and names are listed in page order]
Codes: ...CHL 152, CN CHN 156, CO COL 170, CR CRI 188, HR HRV 191, CY CYP 196, CZ CZE 203
Countries: Albania, Algeria, Argentina, Armenia, Australia, Austria, Azerbaijan, Bahrain, Belarus, Belgium, Belize, Bolivia, Brazil, Brunei Darussalam, Bulgaria, Canada, Chile, China, Colombia, Costa Rica, Croatia, Cyprus, Czech Republic
Codes: KE KEN 404, KP PRK 408, KR KOR 410, 411, KW KWT 414, LV LVA 428, LB LBN 422, LY LBY 434, LI LIE 438, LT LTU 440, LU LUX 442, MO MAC 446, MK MKD 807, MY MYS 458, MX MEX 484, MC MCO 492, MA MAR 504, NL NLD 528, NZ NZL 554, NI NIC 558, NO NOR 578, OM OMN 512, PK PAK 586
Countries: Kenya, Korea (Democratic People's Republic of), Korea (Republic of, South Korea), Kuwait, Latvia, Lebanon, Libyan Arab Jamahiriya, Liechtenstein, Lithuania, Luxembourg, Macao, Macedonia (the former Yugoslav Republic of), Malaysia, Mexico, Monaco, Morocco, Netherlands Antilles, New Zealand, Nicaragua, Norway, Oman, Pakistan
Partly legible rows: Qatar; France; RU RUS 643 Russian Federation; Iran (Islamic Republic of); Thailand; 784 United Arab Emirates; KZ KAZ 398 Kazakhstan; ZW ZWE 716 Zimbabwe

7.6 Appendix G Weather Proofing

Waveteq uses high quality connectors that have
71. CK timeout value is 29.
radio <index> ctstimeout: specify the CTS timing value [numeric]. Value = 3 + (slottime * 2); e.g. if the distance is 1 kilometre then the slot time is 13 and so the ACK timeout value is 29.
Hint for setting appropriate slottime, acktimeout and ctstimeout values:
Distance   5 GHz                    5 GHz turbo              2.4 GHz G
2 km       ack/ctstimeout 33        ack/ctstimeout 31        ack/ctstimeout 48
           slottime 15              slottime 14              slottime 23
5 km       ack/ctstimeout 53        ack/ctstimeout 30        ack/ctstimeout 62
           slottime 25              slottime 14              slottime 30
10 km      ack/ctstimeout 88        ack/ctstimeout 48        ack/ctstimeout 100
           slottime 43              slottime 23              slottime 49
15 km      ack/ctstimeout 125       ack/ctstimeout 68        ack/ctstimeout 135
           slottime 61              slottime 33              slottime 66
20 km      ack/ctstimeout 160       ack/ctstimeout 90        ack/ctstimeout 175
           slottime 79              slottime 44              slottime 86
25 km      ack/ctstimeout 205       ack/ctstimeout 110       ack/ctstimeout 220
           slottime 101             slottime 54              slottime 109
The basic ACK timeout setting methodology is this:
1. Boost the value to the approximate value from the table above + 20 on both endpoints.
2. Evaluate link throughput.
3. Decrease the value by 5 and evaluate link throughput.
4. If the throughput has dropped rapidly, increase the value by 3-5.
5. Repeat step 3.
radio <index> chanattr <index> status: specify the status of special channel attribute usage (channel bandwidth) [enabled/disabled]. Default: enabled.
radio <index>
72. (Contents, continued)
...coon ...
6.2.9 GRE Tunnels ... 58
6.2.10 PPPoE Settings ... 59
6.3 Wireless Settings ... 60
6.3.1 Wireless Radio ... 60
6.3.2 Wireless Interface ... 64
6.3.3 ... WLAN ... 67
6.3.4 Wireless Distribution System (WDS) ... 69
6.3.5 Wireless ACLs ... 70
6.3.6 Wireless Client Bridge ... 70
6.3.7 Static Supervision ... 71
6.3.8 Static ... 72
6.3.9 Static Source Routing ... 73
6.3.10 Selective Source Routing ... 74
6.4 Network Access Configuration ... 76
6.4.1 Authentication, Authorization and Accounting ... 76
6.4.2 WPA/802.1X Supplicant ... 87
6.4.3 ... 95
6.4.4 Bridging Firewall ... 106
6.4.5 SMTP Redirection ... 115
6.4.6 White/Black List ... 116
6.4.7 Static Bandwidth Control ... 118
6.5 Management Access Configuration ... 120
6.5.1 SSH ... 120
6.5.2 HTTP(S) Server ...
73. …DE
firewall.rule.7.table mangle
firewall.rule.7.chain POSTROUTING
firewall.rule.7.protocol TCP
firewall.rule.7.tcpflags SYN,RST,ACK SYN
firewall.rule.7.target ULOG
firewall.rule.7.t.ulog.nlgroup 2
firewall.rule.7.t.ulog.prefix with nat
Enable the ULOGD service:
ulogd.status enabled
6.6.6 Sysctl Plugin
The plugin allows control of kernel sysctl parameters exported via /proc. Use the following keys to control the sysctl plugin:
sysctl.status - specify the status of the sysctl plugin [enabled/disabled]
sysctl.xxx - specify the value of the sysctl parameter. The symbols xxx are the part of the key representing the path to the file under /proc; the path separator symbols (/) must be replaced with dots (.). Possible keys can be extracted with the command:
find /proc/sys -type f | sed 's/\/proc\//sysctl./g' | sed 's/\//./g'
Example:
sysctl.status enabled
sysctl.sys.net.ipv4.ip_forward 1
7.0 Appendix
7.1 Appendix A: ShadowAP Specifications
Wireless Support: Standard; Data Rate; MBSSID/VSSID; Encryption.
Network Access Control: IP Router with NAT/NAPT, firewall, filters; AAA (RADIUS client with EAP support); Web proxy support (any client configuration is accepted); VPN client (GRE); WPA/WPA2 support with hardware acceleration; VPN pass-through; E-mail redirection.
Management: Interfaces; Software Update; Reset.
Standard: IEEE 802.11a OFDM; IEEE 802.11g OFDM; IEEE 802.11b DSSS; IEEE 802 113; IEEE 802 11…
74. …DU If the manager does not receive an inform request, it does not send a response. If the sender never receives a response, the inform request can be sent again. Thus informs are more likely to reach their intended destination.
snmpd.informsink.<index>.host - specify the IP address of the host that will receive the inform requests [IP address]
snmpd.informsink.<index>.community - specify the community name for inform requests [string]. If the community is not specified, the snmpd.trap.community will be used.
snmpd.informsink.<index>.port - specify the port number the inform requests should be sent through [0-65535]. Default: 162.
Example: set up the SNMP agent
snmpd.status enabled
snmpd.contact My system contact
snmpd.location My system location
snmpd.name My system
snmpd.rocommunity public
snmpd.ropassword secret
snmpd.rouser user
snmpd.traps.status enabled
snmpd.auth.traps enabled
snmpd.trap.community community string
snmpd.trap2sink.1.host 192.168.2.21
snmpd.trap2sink.1.port 162
snmpd.trapsink.1.host 192.168.2.21
snmpd.trapsink.1.port 162
6.5.4 Network Usage Statistics
Configure this setting to gather and record network usage statistics if you want to see the wireless clients associated with the device. The gathered network usage statistics consist of:
- MAC address of the client
- Device name
- Connection time (yyyy-mm-dd hh:mm)
- Disconnection time (for recent…
75. …Default: disabled.
ebtables.rule.<index>.ip.source_port - specify the source port or port range for IP protocols [0-65535[:0-65535]]
ebtables.rule.<index>.ip.source_port.inverse - specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.destination_port - specify the destination port or port range for IP protocols [0-65535[:0-65535]]
ebtables.rule.<index>.ip.destination_port.inverse - specify the match value inverse status [enabled/disabled]. Default: disabled.
MARK
ebtables.rule.<index>.mark - specify the mark value to check in frames [number[/mask]]. If a mark value and a mask are specified, the logical AND of the mark value of the frame and the user-specified mask is taken before comparing it with the user-specified mark value. If only a mask is specified (start with /), the logical AND of the mark value of the frame and the user-specified mask is taken and the result is compared with zero.
ebtables.rule.<index>.mark.inverse - specify the match value inverse status [enabled/disabled]. Default: disabled.
Packet Type
ebtables.rule.<index>.pkttype - specify the packet type [broadcast/multicast/host/otherhost]. Matches on the Ethernet class of the frame, which is determined by the generic networking code. Possible values: broadcast (MAC destination is the broadcast address), multicast (MAC destination is a multicast address), host (MAC destination is the r…
77. Figure 7.6.1 Properly taped Ethernet adapter
To ensure a proper weather-proof seal, all external ports should be wrapped with tape. These include ports that are not used in the installation, such as unused Ethernet or antenna ports (external N connectors). Figure 7.6.2 below shows a properly taped external N-type connector.
Figure 7.6.2 Properly taped external antenna port
7.7 Appendix H: Factory Default Configuration File
################################################################
# Configuration created by skin. Skin: Waveteq, version 0.5.14704
# Generated on 2008-05-01 16:04:54 UTC
################################################################
notes.1 Waveteq Communications Factory Default Configuration
notes.2 Bridged 5.18 GHz 802.11a Access Point Using Internal Antenna
# Product: ShadowAP
# AUTHENTICATION, AUTHORIZATION AND ACCOUNTING
aaa.1.devname ath0
aaa.1.nas.1.profile NAS ath0
aaa.1.nas.1.status disabled
aaa.1.status disabled
aaa.1.wan.1.devname ixp0
aaa.1.wan.1.status enabled
aaa.auth.1.status disabled
aaa.domain.1.auth.1.status enabled
aaa.domain.1.name DOMAIN PROFILE PSK
aaa.domain.1.status disabled
aaa.nas.1.acct.status disabled
aaa.nas.1.auth.status disabled
aaa.nas.1.devname ath0
aaa.nas.1.domain.1.status disabled
aaa.nas.1.maxclients 64
aaa.nas.1.name NAS ath0
aaa.nas.1.security.profile WPA PSK ath0
aaa.nas.1.se…
78. …ESP authentication algorithm [hmac-md5/hmac-sha1/keyed-md5/keyed-sha1/null/hmac-sha2-256/hmac-sha2-384/hmac-sha2-512/hmac-ripemd160/aes-xcbc-mac]
ipsec.<index>.esp.auth.secret - specify the ESP authentication secret [string]. The secret's length depends on the selected algorithm, e.g. a 128-bit long secret is 16 characters in length (128 bits / 8 bits per character = 16). The algorithm key lengths in bits are: des-cbc 64; null 0 to 2048; blowfish-cbc 40 to 448; cast128-cbc 40 to 128; des-deriv 64; 3des-deriv 192; rijndael-cbc 128/192/256; twofish-cbc 0 to 256; aes-ctr 160/224/288.
ipsec.<index>.ipcomp.in.spi - specify the inbound compression SPI [256-65535]
ipsec.<index>.ipcomp.out.spi - specify the outbound compression SPI [256-65535]
ipsec.<index>.ipcomp.compression - specify the compression mode [deflate/oui/lzs]
ipsec.<index>.spd.<index>.status - specify the current SPD (security policy database) entry status [enabled/disabled]
ipsec.<index>.spd.<index>.src.ip - specify the SPD source IP address
ipsec.<index>.spd.<index>.src.netmask - specify the source netmask bit count [0-32]
ipsec.<index>.spd.<index>.dst.ip - specify the SPD destination IP address
ipsec.<index>.spd.<index>.dst.netmask - specify the destination netmask bit count [0-32]
ipsec.<index>.spd.<index>.protocol.<index>.status…
79. …(Framed-IP-)Address | Ipaddr | X X | IP address of the user
Reply-Message | 18 String | X | Text of reject reason, if present
State | 24 String | X X | AC does not interpret the attribute locally
Class | 25 String | X X | Attribute provided by the authentication server, forwarded to the accounting server
Session-Timeout | 27 Integer | X | Forced logout once timeout period reached (seconds)
Idle-Timeout | 28 Integer | X | Implicit logout inactivity timeout period (seconds)
Called-Station-ID | 30 String | X X | This field should contain the MAC address or other information identifying the Hotspot in a Box
NAS-Identifier | 32 String | X X | String identifying the NAS
Acct-Status-Type | 40 Integer | X | 1 Start, 2 Stop, 3 Interim-Update
Acct-Delay-Time | 41 Integer | X | Delay (seconds) between the accounting event and when the Acct-Req was sent; does not include estimated network transit time
Acct-Input-Octets | 42 Integer | X | Indicates how many octets have been received from the port over the course of this service being provided
Acct-Output-Octets | 43 Integer | X | Indicates how many octets have been sent to the port in the course of delivering this service
Acct-Session-ID | 44 String | X X X | Unique Accounting ID to make it easy to match start and stop records in a log file
Required Attribute | Type | Auth Req / Auth Reply / Acctg Req | Comment
Acct-Session-Time | 46 Integer | X | Call duration in seconds, already compensated for idle timeout (Ti…
80. …Figure 7.6.1 Properly taped Ethernet adapter ... 141
Figure 7.6.2 Properly taped external antenna port ... 141
Purpose
This document provides information and procedures on setup, configuration and management of the ShadowAP Single Radio Access Point. The ShadowAP may be used as a basis for the implementation of a wide variety of secure wireless and wired networking devices: routers, bridges, Access Points (AP) and Access Controllers (AC) for public access areas.
Prerequisite Skills and Knowledge
To use this document effectively, you should have a working knowledge of Local Area Networking (LAN) concepts and wireless Internet access infrastructures.
Conventions Used in this Document
The following typographic conventions and symbols are used throughout this document:
(note symbol) Additional information that may be helpful, though not required.
(caution symbol) Important information that should be observed.
bold - Menu commands, buttons, input fields, links and configuration keys are displayed in bold.
italic - References to sections inside the document are displayed in italic.
code - File names, directory names, form names, system-generated output and user-typed entries are displayed in constant-width type.
<value> - Placeholder for certain values, e.g. user inputs that must be replaced with real values.
value - Input field form…
81. Manual… 5.0 Chapter 5: SNMP Management
Another way to monitor the ShadowAP over a TCP/IP network is SNMP (Simple Network Management Protocol). SNMP is an application-layer protocol that facilitates the exchange of management information between network devices. It is part of the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol suite. SNMP allows network administrators to monitor and manage network performance, find and solve network problems, and plan for network growth.
The SNMP agent and Management Information Base (MIB) reside on the ShadowAP. To configure SNMP on the controller, you must define the relationship between the Network Management System (NMS) and the SNMP agent (ShadowAP). The SNMP agent contains standard MIB variables whose values the SNMP manager can request or change. An NMS can get a value from an agent. The agent gathers data from the MIB, the repository for information about device parameters and network data. The agent can also respond to a manager's requests to get data.
In order to manage the device, you have to provide your Network Management System software with adequate MIB files. Please consult your management software manuals on how to do that.
5.1 SNMP Versions
The ShadowAP supports the following versions of SNMP:
SNMPv1, the Simple Network Management Protocol: a Full Internet Standard, defined in RFC1157. RFC1157 replaces the earlier versions that were published as RFC1067 and RFC10…
82. …S authentication port (UDP)
- RADIUS accounting port (UDP)
- accounting detection timeout
3. The AP should have a NAS configured specifically for the RADIUS proxy feature (see chapter 6.4.1.1 Network Access Server (NAS)).
4. The AP which will use the RADIUS proxy feature should send RADIUS authentication and accounting packets to the preconfigured proxy ports on the ShadowAP LAN IP address.
5. The ShadowAP will forward RADIUS authentication and accounting packets according to the RADIUS domain server settings in the ShadowAP configuration, without any modification (as is).
6. The RADIUS secret on the AP should be the same as the secret of the real RADIUS server to which the packets will be forwarded.
7. The ShadowAP RADIUS proxy authentication port will accept only RADIUS authentication packets, and the RADIUS proxy accounting port will accept only RADIUS accounting packets.
8. The RADIUS proxy will ignore RADIUS Access-Request packets without a Calling-Station-Id containing a valid MAC address.
9. The RADIUS proxy will use the retransmission policies configured per NAS RADIUS domain and will ignore retransmissions from the AP while an internal retransmission is in progress.
10. The RADIUS proxy can do accounting detection. This is done by looking for Accounting Start packets for a client who previously got an Access-Accept. The lookup is done by the Calling-Station-Id (MAC address) value and the Acct-Session-Id, if it was available in the last Access-Re…
83. …UNIX Bourne-like system shell for the administrator.
cli> shell
Launching system shell. Enter 'exit' or Ctrl-D to return from shell.
BusyBox v1.5.0 (2007-08-02 10:43:25 EEST) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
Figure 3.6.1 Start System Shell
Type exit or press the Ctrl-D key combination to quit the shell and return to the CLI interface.
3.7 Show
The show command displays the current system configuration file.
3.8 Status
The status command displays general device status: device type, firmware version, hardware revision, uptime, memory, average load and receive/transmit statistics for all interfaces.
cli> status
Current system status:
Device name: WILI-S
Firmware version: WILI-S COYOTE v3.50 xscale ath vilibox 323 051011 1432
Hardware revision: XScale IXP425 rev 1 w5b
Uptime: 00:17:48
System memory: Total 62712 kB, Free 47260 kB
Average load: 1min 1.99, 5min 1.93, 15min 1.35
Licensing: License status valid; License period 2005-01-01 to 2005-12-31
Network configuration:
Interface  MAC address        IP address
ixp0       00:90:4B:69:46:9E  192.168.3.1
ixp1       00:90:4B:69:46:9F  192.168.2.221
…          00:90:4B:CC:74:F9  192.168.4.1
Network statistics:
Interface  bytes
tunl0      0
gre0       0
ixp0       0
ixp1       162626
Receive statistics: packets, errors…
84. …UNNEL: This provides a solution to tunnel private address space traffic over an intermediate TCP/IP network such as the Internet. GRE tunnels encapsulate data over the WAN without using encryption.
tunnel.gre.status disabled
# USER CONNECTIONS LOG: Allows logging of IPs, MAC addresses (if available) and other connection information.
ulogd.status disabled
# USERS: User accounts and their encrypted passwords. Do NOT change this setting.
users.status enabled
users.1.name admin
users.1.password oHS13yqR t1luQ
users.1.status enabled
# VIRTUAL LOCAL AREA NETWORK (VLAN): VLANs allow logical groupings of network resources to be assigned and access control policies to be applied on a per-VLAN basis. VLANs are identified by VLAN ID number, so a physical interface ixp0 designated with VLAN 10 will appear as ixp0.10. Up to 4094 VLANs can be created on the system.
vlan.status disabled
# VIRTUAL SERVICE SET IDENTIFIER (VSSID): This feature can be used to provide another 15 virtual wireless networks in addition to that defined by the primary SSID. They can be configured with different security settings and are active at the same time. If you plan on having a mixture of master and managed VSSIDs, the wireless card must be set up as a MASTER and the SSID must be configured before adding VSSIDs.
vssid.status disabled
# WIRELESS ACCESS CONTROL LIST (ACL): The wireless ACL controls both default access by wireless clients t…
85. Channel table (5 GHz): channel 60 (5300 MHz), 64 (5320), 100 (5500), 104 (5520), 112 (5560), 116 (5580), 120, 124 (5620), 128 (5640), 132 (5660), 136 (5680), 140 (5700), 149 (5745), 153 (5765), 157 (5785), 161 (5805), 165 (5825).
Antenna notes: 8.0 dBi omni antenna SPDJ60P using transmit power levels up to 14 dB (full certification is still pending); 16.8 dBi panel antenna SPDN6W using transmit power levels up to 12 dB (9 dB at 5700); 8.0 dBi omni antenna SPDJ60P using transmit power levels up to 12 dB (full certification is still pending); 16.8 dBi panel antenna SPDN6W up to 12 dB; 8.0 dBi omni antenna SPDJ60P up to 15 dB.
Notes: …except in North America, which allows for indoor and outdoor use of channels 52-64. Users are responsible for ensuring that the channel set configuration complies with the regulatory standards of Mexico. Mexico is included in the Americas regulatory domain. All channels are restricted to indoor use.
7.3 Appendix C: Standard RADIUS Attributes
The following standard RADIUS attributes and messages are supported by the Hotspot in a Box.
Required Attribute | Type | Auth Req / Auth Reply / Acctg Req | Comment
User-Name | 1 String | X X | User enters full NAI
User-Password | 2 String | X | Password of the user to be authenticated
NAS-IP-Address | 4 Ipaddr | X X | IP address of the Hotspot in a Box
Service-Type | 6 Integer | X | Must be set to Login (1)
Framed-IP-Address | 8 …
86. …able when trying to debug what could go wrong or what has actually gone wrong.
firewall.rule.<index>.t.log.ip.options - specify the IP option logging status [enabled/disabled]. The IP options will log most of the IP packet header options.
6.4.3.7.5 MARK
This target is used to set netfilter mark values that are associated with specific packets. It is only valid in the mangle table.
firewall.rule.<index>.target MARK
firewall.rule.<index>.t.mark - specify the netfilter mark [0-4294967296]
6.4.3.7.6 MASQUERADE
This target modifies the packet's source IP address. It is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP connections.
firewall.rule.<index>.target MASQUERADE
firewall.rule.<index>.t.masq.ports - specify the port or port range [0-65535[:0-65535]]. The ports option is used to specify the source port or port range to use for outgoing packets. This match can be used only with the TCP or UDP protocols.
6.4.3.7.7 QUEUE
This target is used to queue packets for further processing in userspace programs. No additional options.
firewall.rule.<index>.target QUEUE
6.4.3.7.8 REDIRECT
The REDIRECT target is used to redirect packets and streams to the machine itself. This target is valid only in the PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from t…
87. …abled
snmpd.auth.traps - specify the generation of authentication failure traps [enabled/disabled]. Default: disabled.
snmpd.trap.community - specify the community name for SNMP trap messages [string]. This community will be used in trap messages to authenticate to the SNMP manager.
snmpd.trapsink.<index>.host - specify the IP address of the host that will receive the SNMPv1 traps [IP address]
snmpd.trapsink.<index>.community - specify the community name for SNMPv1 traps [string]. If the community is not specified, the snmpd.trap.community will be used.
snmpd.trapsink.<index>.port - specify the port number the SNMPv1 trap messages should be sent through [0-65535]. Default: 162.
snmpd.trap2sink.<index>.host - specify the IP address of the host that will receive the SNMPv2 traps [IP address]
snmpd.trap2sink.<index>.community - specify the community name for SNMPv2 traps [string]. If the community is not specified, the snmpd.trap.community will be used.
snmpd.trap2sink.<index>.port - specify the port number the SNMPv2 trap messages should be sent through [0-65535]. Default: 162.
SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send any acknowledgment when it receives a trap; the sender cannot determine whether the trap was received. However, an SNMP manager that receives an inform request acknowledges the message with an SNMP response P…
88. …abled
wireless.1.status enabled
wireless.1.wmm disabled
wireless.status enabled
# WPA/802.1x SUPPLICANT SETTINGS: In situations where a wireless interface will connect to an access point, the supplicant allows you to configure the user authentication settings required to connect.
wpasupplicant.device.1.devname ath0
wpasupplicant.device.1.driver madwifi
wpasupplicant.device.1.profile WPA sup ath0
wpasupplicant.device.1.status disabled
wpasupplicant.profile.1.ap_scan enabled
wpasupplicant.profile.1.eapol.version 1
wpasupplicant.profile.1.fast_reauth enabled
wpasupplicant.profile.1.name WPA sup ath0
wpasupplicant.profile.1.network.1.group.1.name TKIP
wpasupplicant.profile.1.network.1.key_mgmt.1.name WPA-PSK
wpasupplicant.profile.1.network.1.pairwise.1.name TKIP
wpasupplicant.profile.1.network.1.proto.1.name RSN
wpasupplicant.profile.1.network.1.psk verysecretphrase
wpasupplicant.profile.1.network.1.ssid DEFAULT1
wpasupplicant.profile.1.status disabled
wpasupplicant.status disabled
wpasupplicant.wait.for.interface enabled
8.0 Glossary
Symbols
802.11 - 802.11 is a family of specifications for wireless local area networks (WLANs) developed by a working group of the Institute of Electrical and Electronics Engineers (IEEE). The original specification provides for an Ethernet Media Access Controller (MAC) and several physical layer (PHY) options, the m…
89. …allows operators to provide cost-effective public Wi-Fi services by managing per-user access control, device configuration and radio performance from the operations center. HTTPS, SSH and SNMP agents can be used for secure remote management.
Privacy
The ShadowAP supports different levels of security and data encryption: WEP, WPA, WPA2, Dynamic Key, 802.1x Authenticator and Supplicant. Device security settings can be configured on a per-BSSID basis. Client stations can be separated on the data link layer (Layer 2 User Isolation), preventing intruders from accessing the computers of the other users. User credentials (passwords) are protected by SSL or EAP-based authentication methods. User traffic can be encrypted either by VPNs (pass-through) or by Wi-Fi Protected Access (WPA).
1.1 ShadowAP Features
Supported Standards: IEEE 802.11a/b/g; IEEE 802.11i; IEEE 802.11d (Country element support); IEEE 802.11e (Enhancement QoS, including packet bursting, WMM); IEEE 802.11h (5 GHz spectrum: DCS, DFS, TPC); IEEE 802.11j (Security and Public safety band support).
Hardware Configuration: 802.11a/b/g operation; Custom weather-proof enclosure; Integrated 2.4 or 5 GHz antenna; Low-loss N-type connector; Ingress Protection (IP) rating 67; Field-attachable Ethernet connector.
Wireless Functionality: Virtual AP (MBSSID) with individual wireless security settings; Multiple wireless interfaces; Association limitat…
90. …ame gre2
netconf.dev.2.type tunnel
netconf.dev.2.mode wan
netconf.dev.2.state up
netconf.dev.2.ip 10.0.2.2
netconf.dev.2.netmask 255.255.255.0
netconf.dev.2.broadcast 10.0.2.255
Install a default route in each source routing table. Use the GRE tunnel's IP address as the default gateway, so that all traffic traversing these tables is routed through the GRE tunnel. The system authenticator will create particular rules per IP address, depending on the tunnel ID.
route.entry.1.enabled true
route.entry.1.ip 0.0.0.0
route.entry.1.netmask 0
route.entry.1.interface gre1
route.entry.1.gateway 10.0.1.2 (important)
route.entry.1.table 101
route.entry.2.enabled true
route.entry.2.ip 0.0.0.0
route.entry.2.netmask 0
route.entry.2.interface gre2
route.entry.2.gateway 10.0.2.2 (important)
route.entry.2.table 102
route.table.1.id 101
route.table.1.name WISP1
route.table.2.id 102
route.table.2.name WISP2
This creates the GRE1 tunnel 192.168.2.110 <-> 192.168.2.253 to transport WISP1 clients' traffic. The same goes for GRE2, 192.168.2.110 <-> 192.168.2.252, for WISP2 clients. While a client attempts to authenticate, the RADIUS server reports tunnel ID WISP1. Assuming that the interface is present on the device and configured properly, the system authenticator adds the route to the WISP1 table. When the client is gone, the system authenticator deletes the route automatically.
92. …and it will be specified as <index> in the configuration file descriptions, e.g. netconf.<index>.devname, netconf.<index>.ip, netconf.<index>.netmask.
The configuration file location on the local ShadowAP file system is /tmp/system.cfg. The configuration file can be changed, or a new file can be uploaded, using the Web interface. It is also possible to manually update the device configuration. Follow these steps:
1. Log in to the device with a secure SFTP client.
2. Upload the new configuration file to /tmp/system.cfg.
3. Log in through SSH.
4. Type the shell command to exit to the shell (see 3.2 CLI Access).
5. Execute sysconf -w.
6. Reboot the device.
Some keys can have default values; others can be unused or have to be explicitly specified for some feature to work correctly. These keys and their values will be printed through the local syslog facility to a system log file. The system log file on the ShadowAP is /var/log/messages. Logging can be redirected to a remote host (see section 6.6.4 Syslog).
Example: an excerpt from the default system log file:
Jan 1 00:00:06 sysconf[89]: Using default value disabled for non-existing bool key aaa.nas.1.verbose
Jan 1 00:00:06 sysconf[89]: Unused key netconf.1.type Ethernet
6.2 Network Configuration
This section describes the settings of physical and logical network interfaces. This includes physical LAN and WAN interface settings, DNS settings, DHCP settings, AAA settings, tunnels and…
93. …at limitations and/or restrictions.
Help Us to Improve this Document
If you should encounter mistakes in this document or want to provide comments to improve the user guide, please send e-mail directly to support@waveteq.com.
ShadowAP Waveteq Technical Support
If you encounter problems when installing or using this product, please contact support@waveteq.com.
1.0 Chapter 1: Overview
Introduction
Thank you for purchasing the Waveteq ShadowAP. The single-radio design allows installation as a Customer Premise Device (CPE), a Point-to-Point Link and an access point. Features of the ShadowAP include an integrated 2.4 GHz or 5 GHz backhaul antenna and an enclosure with mounting brackets. This allows the ShadowAP to fit into your network at the lowest cost possible while improving performance and quality.
Authentication, Authorization & Accounting
The ShadowAP supports multiple secure authentication methods, from MAC authentication to 802.1x EAP authentication with passwords, certificates or SIM cards. The integrated real-time accounting system is based on industry-standard RADIUS/EAP and supports various billing plans: prepaid, pay-per-time, per-volume, per-use or flat rate. Integration into existing Operation Support Systems (OSS) and Business Support Systems (BSS) can be done with ease.
Remote Control
The ShadowAP-based device is placed at the edge of a broadband access network and…
94. …at uniquely identifies it from all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway, which in turn reads the destination address, and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the computer whose address is specified.
IPsec - IPsec (Internet Protocol Security) is a developing standard for security at the network or packet-processing layer of network communication. Earlier security approaches have inserted security at the application layer of the communications model. IPsec will be especially useful for implementing virtual private networks and for remote user access through dial-up connection to private networks. A big advantage of IPsec is that security arrangements can be handled without requiring changes to individual user computers. Cisco has been a leader in proposing IPsec as a standard (or combination of standards and technologies) and has incl…
95. …ately 1.5 of the cable shielding using a small knife or crimping tool.
5. Fan the wires of the cable, untwisting them until they are straight up to where the shielding was removed.
6. Starting with 6, slide each of 6, 5, 4 and 3 over the cable sheath from the end with the exposed wire, as in Figure 2.2.2.
Figure 2.2.1 IP 67 Components
Figure 2.2.2 IP 67 Assembly
7. Slide the wires in the proper order into the RJ-45 terminator plug (2) that was included with the connector. Take care to maintain the proper colour code. If the other end of your cable has already been terminated, ensure that you are using the same wire sequence. The two most popular Ethernet wiring standards are shown in Figure 2.2.3. If proper wiring sequences are not used to terminate the cable, malfunction and, in this case because of the Passive Power over Ethernet (PPoE) technology, damage to your equipment can result.
Figure 2.2.3 Common Ethernet Termination Standards (RJ-45 plug, pins 1-8):
T-568B: O, O, G, B, B, G, Br, Br
T-568A: G, G, O, B, B, O, Br, Br
8. Push the wire bundle into the back of the RJ-45 terminator plug (2). Pay particular attention to the orientation of the RJ-45 housing to ensure that the wires are not going in backwards. Continue pushing until the wires are all flush with the back wall of the housing (the wires must go in past the pins in order to make a…
96. …ation.
HTTP - The Hypertext Transfer Protocol (HTTP) is the set of rules for exchanging files (text, graphic images, sound, video and other multimedia files) on the World Wide Web. Relative to the TCP/IP suite of protocols (which are the basis for information exchange on the Internet), HTTP is an application protocol.
HTTPS - HTTPS (Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL) is a Web protocol developed by Netscape and built into its browser that encrypts and decrypts user page requests as well as the pages that are returned by the Web server. HTTPS is really just the use of Netscape's Secure Socket Layer (SSL) as a sub-layer under its regular HTTP application layering.
ICMP - ICMP (Internet Control Message Protocol) is a message control and error-reporting protocol between a host server and a gateway to the Internet. ICMP uses Internet Protocol (IP) datagrams, but the messages are processed by the IP software and are not directly apparent to the application user.
IEEE - Institute of Electrical and Electronics Engineers. The IEEE describes itself as the world's largest professional society. The IEEE fosters the development of standards that often become national and international standards, such as 802.11.
IP - The Internet Protocol (IP) is the method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address th…
97. ation method.
aaa security wpa <index> key cipher: specify the encryption algorithms for pair-wise keys (unicast packets) [TKIP / CCMP / ALL]. TKIP is the Temporal Key Integrity Protocol (IEEE 802.11i D7.0); CCMP is AES in Counter mode with CBC-MAC (RFC 3610, IEEE 802.11i D7.0); ALL includes both CCMP and TKIP. The group cipher suite (the encryption algorithm for broadcast and multicast frames) is selected automatically from this configuration: if only CCMP is allowed as the pair-wise cipher, the group cipher will also be CCMP; otherwise TKIP will be used as the group cipher.
aaa security wpa <index> rekey group period: specify the time interval for rekeying the Group Temporal Key (GTK), which is used to decrypt broadcast/multicast traffic, in seconds [0-3600]. The default value is 0, meaning no rekeying.
aaa security wpa <index> rekey gmk period: specify the time interval for rekeying the Group Master Key (GMK), which is used internally to generate GTKs, in seconds. The default value is 0 and means no rekeying.
The IEEE 802.11i/RSN/WPA2 pre-authentication feature is used to speed up roaming by pre-authenticating the IEEE 802.1X/EAP part of the full RSN authentication and key handshake before actually associating with a new AP.
aaa security wpa <index> rsn preauth status: specify the IEEE 802.11i/RSN/WPA2 pre-authentication status [enabled / disabled]. Default: enabled.
aaa security wpa <index> rsn prea
98. attribute value for the client source routing. The default routing rules will be applied for clients which get an empty or no Tunnel Assignment ID in the RADIUS Access-Accept packet.
Example 1: Clients are coming in on the LAN interface, which has a DHCP server configured to lease IP addresses in the range 192.168.3.0/24. By default clients have 192.168.3.1 assigned as the default gateway. The WAN interface ixp0 has the IP address 192.168.2.110. There are also a couple of GRE tunnel devices configured on the device, like this:
WISP 1 creates tunnel interface GRE1:
tunnel gre 1 status enabled
tunnel gre 1 remote ip 192.168.2.253
tunnel gre 1 ttl 64
WISP 2 creates tunnel interface GRE2:
tunnel gre 2 status enabled
tunnel gre 2 remote ip 192.168.2.252
tunnel gre 2 ttl 64
Configure the GRE1 and GRE2 interfaces. [Diagram: 192.168.2.110 (ixp0) <GRE tunnel> 192.168.2.252 (WISP 1 remote) -> WISP 1 NOC; 10.0.1.2 (gre1) <-> greX (10.0.1.1); the particular IP address 172.16.1.x is routed via 10.0.1.2, which is the default gateway in the case of selective routing.] Assign the gre1 and gre2 IP addresses:
netconf dev 1 name gre1
netconf dev 1 type tunnel
netconf dev 1 mode wan
netconf dev 1 state up
netconf dev 1 ip 10.0.1.2
netconf dev 1 netmask 255.255.255.0
netconf dev 1 broadcast 10.0.1.255
netconf dev 2 n
99. authentication, authorization and accounting (AAA) service (see Section 6.4.1 Authentication, Authorization and Accounting for details). The AAA service notifies the station supervision service which client stations should be monitored for availability. If no response is received from a station after the specified number of retries, the user authenticated from that station is logged out. Basically, a station supervision service should always be running for every interface the AAA service is running on.
ssd status: specify the feature status [enabled / disabled]. Default: disabled.
ssd <index> status: specify the station supervision entry status [enabled / disabled]. Default: enabled.
ssd <index> devname: specify the interface name for supervision.
ssd <index> check interval: specify the interval to check for client availability, in seconds [number]. Default: 20.
ssd <index> check count: specify the number of retries after which a user is logged out from the system [1-99]. Default: 3.
Example: check stations on ath0 every minute; after 5 failed retries the user will be logged out:
ssd status enabled
ssd 1 status enabled
ssd 1 devname ath0
ssd 1 check interval 60
ssd 1 check count 5
6.3.8 Static Routing. The <index> range for route entries is 1-100. This service is used to set up static routes to specific hosts or networks through an interface. The interface must al
100. ay d occurs. Day 0 is a Sunday. The time fields specify when, in the local time currently in effect, the change to the other time occurs. If omitted, the default is 02:00:00.
Example 1: set the device clock to year 2006, January 16th, 14:32:12, GMT 2:
date status enabled
date lastknowntime status disabled
date manual 011614322006 12
date timezone GMT 2
Example 2: set up the lastknowntime function:
date status enabled
date lastknowntime status enabled
date timezone GMT 2
6.6.2 NTP Client. The NTP (Network Time Protocol) service is used to synchronize the clock of the AC with a selected time server. Up to 16 NTP servers can be configured on the ShadowAP based device. All available keys of the NTP client are listed below.
ntpd status: specify the status of the NTP service [enabled / disabled]. Default: disabled.
ntpd <index> status: specify the status of the particular NTP server [enabled / disabled].
ntpd <index> server: specify the trusted NTP server IP address or hostname to synchronize time with [IP address or hostname string].
Example:
ntpd status enabled
ntpd 1 status enabled
ntpd 1 server 192.53.103.103
6.6.3 Trace System. The trace system functionality provides debug information for system services and protocols should a malfunction occur. The trace system capability can help operators to locate misconfigurations and system errors. The trace
101. been specifically selected to resist the elements. Under some circumstances it can be recommended that additional weather-proofing be applied to the connectors once the ShadowAP has been mounted and connections have been completed. Two types of products are recommended: first, silicone rubber self-fusing tape, which bonds to itself, providing UV, moisture and dielectric resistance; secondly, for hard-to-tape areas, most self-fusing tape companies also offer filler compounds that have similar characteristics and can also support the addition of self-fusing tape. For further properties, recommendations or usage please contact Waveteq or your local wireless installer. Minimum requirements to follow during preparation of any tape configuration are as follows:
- At least two (2) layers of tape should be applied over any surface onto which the tape is wrapped, i.e. bare connection or cable/wire insulation or jacket.
- Tape must be overlapped onto the cable/wire insulation/jacket a minimum distance of 1.5 when an environmental seal is required.
- The first layer of tape should be applied with maximum stretch (<75% of original width). The second layer should be applied with minimal/zero stretch. Consult your tape manufacturer's guidelines for specific recommendations on application.
Presented below are general recommendations when applying self-fusing tape or fill:
- If fill is required, use Self-Fusion compound to fill in and around all ir
102. below.
aaa security wep <index> status: specify the current profile status [enabled / disabled].
aaa security wep <index> name: specify the current WEP security profile name [string], mandatory.
aaa security wep <index> keylen unicast: specify the length of the individual unicast key [0 / 5 / 13]. Default: 0. 0 means none; 5 means 40-bit WEP (also known as 64-bit WEP, with 40 secret bits); 13 means 104-bit WEP (also known as 128-bit WEP, with 104 secret bits).
aaa security wep <index> keylen broadcast: specify the length of the default broadcast key [0 / 5 / 13]. The default value is equal to the aaa security wep <index> keylen unicast value. 0 means none; 5 means 40-bit WEP (also known as 64-bit WEP, with 40 secret bits); 13 means 104-bit WEP (also known as 128-bit WEP, with 104 secret bits).
aaa security wep <index> rekey period: specify the rekeying period in seconds [0-3600]. The default value is 0 and means that rekeying is not used.
6.4.1.6 WPA/WPA2 Security Profile. Wi-Fi Protected Access (WPA) provides a higher level of protection for wireless LAN client stations, as it includes methods for mutual authentication, strong encryption and data integrity. WPA takes the original master key only as a starting point and derives its encryption keys dynamically from this master key. WPA regularly changes and rotates the encryption keys so that the same encryption key is never used twice. Key exchange is done automatically, transparent to the user. The WPA2 is t
103. boot: reboot the device.
autolock control <index> status: specify the status of the wireless interface control [enabled / disabled]. Default: enabled.
autolock control <index> devname: specify the name of the interface to control. If the interface is not specified, all wireless interfaces listed in the file /proc/net/wireless will be used.
AutoLock has no influence on routes. As soon as interfaces are brought down, their routes will be deleted.
Example:
autolock status enabled
autolock interval 600
autolock retry count 3
autolock 1 status enabled
autolock 1 server 213.29.25.154
autolock 2 status enabled
autolock 2 server 213.29.25.33
autolock 3 status disabled
autolock 3 server 212.22.99.66
autolock 4 status enabled
autolock 4 server 212.25.19.6
autolock lock action down
autolock unlock action reboot
autolock control 1 status enabled
autolock control 1 devname ath0
autolock control 2 status enabled
autolock control 2 devname ath1
In this configuration 3 servers are pinged every 10 minutes (600 s); checking of one server is disabled. When at least one server does not respond 3 times, the wireless interfaces ath0 and ath1 are brought down and the wireless service will be disabled. When the service becomes available again, the device will be rebooted.
6.3.3.1 Virtual SSID (VSSID). The master SSID should be preconfigured before adding a VSSID
104. cate with the ShadowAP in such a situation; see 2.3.1 for details. Note: incorrect configuration file modifications (keys and values) may cause the ShadowAP to malfunction. Reset: use this button to cancel recent changes to the configuration file text. This button is functional before using the Save button. Read active: load the last saved configuration file from device flash memory. Read backup: load the next-to-last saved configuration file from device flash memory. Adjust edit area height: choose the height of the edit area.
4.4 System. Use the System menu to define access settings to the device or to use system utilities. [Figure 4.4.1: System Menu.] Maintenance: to upgrade firmware, reboot or reset to the factory default configuration. Password: to change the administrative access password. Remote Management: to configure administrative access. License: to manage license file status.
4.4.1 Maintenance. Use the Maintenance menu to upgrade system firmware, reboot the device or set the device to factory default values. [Figure 4.4.2: Maintenance Page: Firmware Upgrade (Current Firmware Version: AVILA v5.22 xscale Waveteq 19380 080705 031442; Firmware image; Upload); Reboot (Reboot device); Factory Defaults (Reset device to factory defaults). 2008 WAVETEQ Communications Inc.] Current Firmware Versio
105. ch is available in the OUTPUT, FORWARD and POSTROUTING chains.
ebtables rule <index> lout inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
6.4.4.1.3 Match Extensions. 802.3: specify the 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as LENGTH (see protocol above).
ebtables rule <index> 802_3 sap: specify the SAP byte [hexadecimal number]. DSAP and SSAP are two one-byte 802.3 fields. The bytes are always equal, so only one byte (hexadecimal) is needed as an argument.
ebtables rule <index> 802_3 sap inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ebtables rule <index> 802_3 type: specify the SNAP value [hexadecimal number]. If the 802.3 DSAP and SSAP values are 0xaa, then the SNAP type field must be consulted to determine the payload protocol. This is a two-byte hexadecimal argument. Only 802.3 frames with DSAP/SSAP 0xaa are checked for type.
ebtables rule <index> 802_3 type inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ARP: specify ARP fields. The protocol must be specified as ARP or RARP.
ebtables rule <index> arp opcode: specify the (R)ARP opcode [decimal or a string]: 1 Request, 2 Reply, 3 Request_Reverse, 4 Reply_Reverse, 5 DRARP_Request, 6 DRARP_Reply, 7 DRARP_Error, 8 InARP_Request, 9 ARP_NAK.
106. chanattr <index> channel: specify one channel number on which bandwidth narrowing (half/quarter) will be set [channel].
radio <index> chanattr <index> freq: specify one channel number that is to operate on a specific frequency [freq xxxx.x in MHz]. Frequency agility is radio card dependent.
radio <index> chanattr <index> bw: specify the desired channel bandwidth for the specified channel [full / half / quarter]. Default: full. The default channel bandwidth for an 802.11 radio is 20 MHz in 11a mode and 22 MHz in 11g mode (in turbo modes they double). It is possible to narrow it 2x or 4x. Though this will drop data transfer rates accordingly, it will increase power density and may help to achieve greater operating distances. Do not use channel bandwidth narrowing in turbo modes.
Example:
radio status enabled
radio 1 status enabled
radio 1 acktimeout 55
radio 1 ctstimeout 55
radio 1 slottime 26
radio 1 autochannel status enabled
radio 1 autochannel 1 status enabled
radio 1 autochannel 1 channel 1
radio 1 autochannel 2 status enabled
radio 1 autochannel 2 channel 6
radio 1 autochannel 3 status enabled
radio 1 autochannel 3 channel 11
radio 1 devname ath0
radio 1 frag off
radio 1 ieee mode G
radio 1 mode master
radio 1 rate auto enabled
radio 1 rate max 54M
radio 1 rts off
radio 1 rx antenna 1
radio 1 rx antenna diversity
107. cified.
access <index> blacklist <index> port to: specify the TCP or UDP port number [0-65535]. This denotes the last port in a range.
access <index> blacklist <index> proto: specify the IP protocol number [0-255] or protocol keyword. See Appendix D (/etc/protocols) for details. The value 0 is used to match any protocol. Default: 0.
access <index> blacklist location <index> status: specify the status of the black list location entry [enabled / disabled]. Default: enabled.
access <index> blacklist location <index> url: specify the FTP or HTTP URL which will be used as an additional source of black list entries [URL string].
Example: this white list entry demonstrates specifying an IP range (123.123.123.0/24) together with a port range (1024-65535):
access 1 whitelist 1 descr Address Range 123.123.123.0/24 port range 1024-65535
access 1 whitelist 1 host 123.123.123.0
access 1 whitelist 1 netmask 255.255.255.0
access 1 whitelist 1 proto TCP
access 1 whitelist 1 port from 1024
access 1 whitelist 1 port to 65535
6.4.7 Static Bandwidth Control. Static Bandwidth Control is used by customers that do not use RADIUS servers to authenticate users but want to be able to control bandwidth statically:
- upload/download bandwidth per user IP address, based on the bandwidth configuration file;
- in AP client operation, the ability to set max up
108. curity type wpa
aaa nas 1 status disabled
aaa security wpa 1 key cipher TKIP
aaa security wpa 1 key method PSK
aaa security wpa 1 mode WPA2
aaa security wpa 1 name WPA PSK ath0
aaa security wpa 1 passphrase verysecretphrase
aaa security wpa 1 status disabled
aaa status disabled
USER ACCESS CONTROLLER: this section sets up white and black lists to control user access.
access status disabled
access verbose disabled
SETTING TO LOCK OUT THE WLAN: useful to shut down the WLAN when a set number of pings is not returned. When the pings return, the network is restored.
autolock interval 300
autolock retry count 3
autolock status disabled
BRIDGE: transparently relays traffic between multiple interfaces.
bridge 1 devname br0
bridge 1 port 1 devname ixp0
bridge 1 port 1 status enabled
bridge 1 port 3 devname ath0
bridge 1 port 3 status enabled
bridge 1 stp status disabled
bridge 1 status enabled
bridge status enabled
DATE: the format is MMDDhhmmYYYY SS. There are settings for timezone, daylight savings and reboot time.
date status disabled
date timezone GMT 8
dhcp fwd status disabled
DHCP CLIENT: used to accept an IP address from a DHCP server.
dhcpc 1 devname ixp0
dhcpc 1 status disabled
dhcpc 2 devname ath0
dhcpc 2 status disabled
dhcpc status disabled
DHCP SERVER: each LAN interface (ixp0, ixp1) runs a separate DHCP server to assig
109. d Country element support; IEEE 802.11e enhancement (QoS including WMM); IEEE 802.11h 5 GHz spectrum (DCS, DFS, TPC); IEEE 802.11j security and public safety band support; 802.11g 54, 48, 36, 24, 18, 12, 9, 6 Mbps; 802.11b 11, 5.5, 2, 1 Mbps auto fall-back; 802.11a 54s, 48s, 36s, 24s, 18s, 12s, 9s, 6 Mbps; 16 MBSSID; VLANs; WPA, WPA2, WEP64, WEP128, TKIP; IPsec with DES, 3DES, AES encryption, IKE; hotspot access controller with 802.1x EAP support; Smart Client support; WISPr compliant; Wi-Fi Alliance Universal Access Method (Web browser log-on with XML support and walled garden free Web sites); WISPr-compatible log-on via Web browser; SSL/TLS support; IEEE 802.1x authenticator with EAP SIM, MD5, TLS, TTLS, PEAP; DHCP server, DHCP relay gateway, DHCP client; Layer 2 user isolation; bandwidth management via RADIUS; HTTPS, SSH, SNMP (MIB II, Ethernet MIB, private MIB); remote software update via HTTPS or FTP; remote reset; manufacturing reset.
7.2 Appendix B: Regulatory Domain Channels. This appendix lists the IEEE 802.11a and IEEE 802.11b channels supported by the world's regulatory domains. The ShadowAP supports all channels, but it has only been tested and certified to Industry Canada (IC) and Federal Communications Commission (FCC) standards for Canada and the USA, as described below. Antenna types with similar in-band and out-of-band radiation patterns and the same or low
110. d / disabled]. Default: disabled.
firewall rule <index> ipp2p kazaa: specify to grab all known KaZaA packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p gnu: specify to grab all known Gnutella packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p bit: specify to grab all known BitTorrent packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p apple: specify to grab all known AppleJuice packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p winmx: specify to grab all known WinMX packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p soul: specify to grab all known SoulSeek packets [enabled / disabled]. Default: disabled.
firewall rule <index> ipp2p ares: specify to grab all known Ares packets (use with DROP only) [enabled / disabled]. Default: disabled.
Either the input or the output interface (not both) can be specified for the following accounting match rule. This match holds a database of authenticated clients, and traffic accounting for these clients is performed.
firewall rule <index> acct in: specify the input interface name.
firewall rule <index> acct in inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
firewall rule <index> acct out: specify the output interface name.
firewall rule <i
111. ding allows your ShadowAP to act as a gateway or router. It is usually enabled. NAT: Network Address Translation (NAT), also known as network masquerading, native address translation or IP masquerading, rewrites the source and/or destination IP address as network traffic passes through the interface. This is commonly needed for routed network configurations.
4.3.5 Advanced Wireless. The Advanced Wireless page allows configuration of WEP/WPA/WPA2 security on each wireless device. Access Control Lists can also be specified. Be sure to click on each subheading to learn the required format for entering each WEP Key, Passphrase and MAC Address. [Figure 4.3.7: Wireless Security Page: Wired Equivalent Privacy (WEP): Open system, WEP Key; Wi-Fi Protected Access (WPA): WPA PSK, TKIP, Passphrase; Access Control List: Mode, MAC Address, Add ACL MAC Address.] Wired Equivalent Privacy (WEP): specify either 64-bit or 128-bit WEP security. Wi-Fi Protected Access (WPA): specify either WPA or WPA2 mode with either TKIP or AES encryption. Access Control List (ACL) Mode: choose to Allow or Deny all except the MAC addresses specified. Click Add ACL MAC Address to add multiple MAC addresses to the ACL.
4.3.6 Expert. This section is for editing the co
112. disabled
radio 1 tx_antenna 1
radio 1 tx antenna diversity disabled
radio 1 txpower auto
6.3.2 Wireless Interface. This section describes the general wireless LAN interface parameters. Using this section the administrator is able to set up: WEP encryption; SSID and broadcast suppression; maximum number of clients; Country element (IEEE 802.11d); power constraint and channel switch for IEEE 802.11h; Layer 2 isolation; throughput enhancements (fast frames, packet bursting, compression); WMM. All available wireless interface configuration keys are listed below.
wireless status: specify the wireless interface function status [enabled / disabled]. Default: disabled.
wireless <index> status: specify the wireless interface entry status [enabled / disabled]. Default: enabled.
wireless <index> devname: specify the wireless interface name, e.g. ath0 or ath1.
wireless <index> ssid: specify a unique name for your wireless network. The string is case sensitive and up to 32 characters in length (printable characters and spaces, no control characters), mandatory.
wireless <index> ssid_broadcast: specify the master operating mode SSID broadcasting status [enabled / disabled]. When disabled, the AP's SSID will not show up in the network list when a client scans for available networks. By default SSID broadcasting is enabled. Do not use this feature as a
113. ditions. Use the following procedure to configure and run a test between two ShadowAP devices. Step 1: configure the Rates Test subsection for each ShadowAP device. [Figure 4.5.4: Rates Test: Choose wireless interface (ath0); Choose data rate, Mbps (auto); Current data rate, Mbps (54); Save values to configuration file.] Choose Wireless Interface: choose between radio 1 (ath0) and radio 2 (ath1) to perform the rates test. Choose data rate: select the data rate at which to perform the wireless test. Current data rate: displays the currently configured data rate. A value of zero means that the data rate is set automatically. Set: click this button after setting the wireless interface and data rate to confirm the settings for the wireless test. Save: click this button to load the tested data rate into the configuration file. The device will use this rate after a successful reboot. Step 2: configure the ACK Timeout Test subsection for each ShadowAP device. The ACK Timeout value is directly related to the distance between the two ShadowAP devices. Setting this value too high will reduce performance, while setting it too low may prevent a successful connection. [Figure 4.5.5: ACK Timeout Test: Choose wireless interface (ath0); ACK timeout (55); Save values to configuration file.] Choose Wireless Interface: choose between radio 1 (ath0) and radio 2 (ath1)
114. down speed limits overall;
- in AP client operation, the ability to limit packets-per-second upload bandwidth and max sessions (connection limits).
bandwidth status: specify the status of the static bandwidth control [enabled / disabled]. Default: disabled.
bandwidth manual: enable manual editing of the configuration file /etc/persistent/bandwidth/bandwidth.cfg [enabled / disabled]. Default: disabled. This means that if there is a need to add a new limitation or modify existing limitations per IP, there is no need to reload the ShadowAP device: it is possible to modify the configuration file /etc/persistent/bandwidth/bandwidth.cfg manually and reload the script from the shell with the command /sbin/bandwidth.sh start. Manual configuration file editing means that sysconf does not overwrite the configuration file on device reload. The script reads data from /etc/persistent/bandwidth/bandwidth.cfg and generates the rules.
Configuration file /etc/persistent/bandwidth/bandwidth.cfg pattern for limiting per IP: Up_dev Up_bandwidth Down_dev Down_bandwidth ip pps
Configuration file /etc/persistent/bandwidth/bandwidth.cfg pattern for limiting per interface: dev bandwidth
Keys of the limitation per IP:
bandwidth <index> up dev: specify the upload interface name [string].
bandwidth <index> up speed: specify the maximum upload speed in kbps [integer].
bandwidth <index> down dev: specify the download interface name [string].
bandwidth <index> down speed: specify the maximum dow
115. dress. The static source routing method enables routing certain packets to specified interfaces (GRE or IPsec tunnels, VLAN interfaces) according to the static source Routing rules and the Routing entries in the table. For identification purposes, each routing table should have the Name and ID attributes. Source Routing tables can be defined using the following keys:
route table <index> status: specify the table entry status [enabled / disabled]. Default: enabled.
route table <index> id: specify the table number [0-255]. The table numbers 0 and 253-255 are reserved. We strongly recommend not using the reserved table numbers: in case of misuse the device can become unreachable and will therefore need to be reset to factory defaults.
route table <index> name: specify the table name [string without spaces].
route <index> table: specify the table number or name [0-255 or string without spaces]. Reserved numbers are 255 (local table), 254 (main table), 253 (default table) and 0 (unspecified table). Preferably use the table name instead of the number.
All the static source routing rules should be defined in the Routing rules section or by using the following keys:
route rule <index> status: specify the rule status [enabled / disabled]. Default: enabled.
route rule <index> ip: specify the packet source IP address [IP address].
route rule <index> netmask: specify the netmask length in bits [bitmask number, e.g. 24].
rout
116. e 4 means the highest priority.
wireless <index> tos2ac <index> drop: specify the drop probability [0-2]. The value 2 means the highest drop probability when the queue is getting full. WMM does not provide guaranteed throughput. It is suitable for simple applications that require QoS, such as Wi-Fi Voice over IP (VoIP) phones.
wireless <index> ap: specify the MAC address of the device to which this device will connect [MAC address].
wireless <index> igmp_snooping: specify the IGMP snooping status [enabled / disabled]. Default: disabled. When enabled, the AP passively snoops on IGMP Report and Leave packets transferred between its clients and IP multicast hosts. It checks the IGMP packets passing through it, picks out the group registration information and generates an internal L2 MAC forwarding table. It then forwards multicast traffic as unicast packets directed according to that forwarding table.
Example:
wireless status enabled
wireless 1 status enabled
wireless 1 devname ath0
wireless 1 ssid my ssid
wireless 1 max_clients 100
wireless 1 security wep64
wireless 1 security 1 key 00 AC 01 25 F2
wireless 1 security 2 key 00 AC 01 35 F3
wireless 1 security 3 key 00 AC 01 55 F5
wireless 1 security default_key 2
6.3.3 AutoLock WLAN. The ShadowAP based device has the ability to lock the WLAN. This feature checks, using ICMP echo requests
117. e RTS/CTS mechanism. The card transmits packets smaller than this threshold without using RTS/CTS. Default: off. Setting a lower RTS threshold value can improve connection reliability and throughput in crowded wireless LAN environments where many clients are trying to communicate simultaneously. It adds a certain amount of overhead, but can compensate for this by reducing the bandwidth lost to collisions.
radio <index> txpower: specify the wireless card transmission power in dBm [auto / off / number]. Default: auto. Ensure that the transmit power meets the specific regulatory requirements for your particular country, antenna and channel.
radio <index> ieee_mode: specify the wireless network mode [auto / A / AST / B / G / PUREG]. Default: auto. The meaning of auto depends on the operating mode (radio <index> mode): if the operating mode is Master, then A mode will be set (for B/G-only radios, G mode will be set); if the operating mode is Managed, the radio will begin searching for an AP starting with A mode and then switching to B and G until it finds an AP to associate with. PUREG mode means accepting only G clients (aka G-only mode). AST means 802.11a Static Turbo mode. Check your country's regulations before setting Static Turbo mode.
radio <index> turbo: specify the status of dynamic turbo mode [enabled / disabled]. Default: disabled. Set dynamic turbo mode in combination with the throughput enhancement functionality (see wireless <index> fastframes
118. e packets after they have been routed.
- filter table, INPUT chain: used to filter all incoming traffic destined for the ShadowAP based device.
A packet generated locally by a process on the ShadowAP based device traverses firewall tables, chains and routing tables in this order:
- routing decision;
- mangle table, OUTPUT chain: normally used for mangling packets; it is suggested that you do not filter in this chain since it can have side effects;
- NAT table, OUTPUT chain: can be used to NAT outgoing packets from the firewall itself;
- filter table, OUTPUT chain: used to filter all outgoing traffic from the ShadowAP based device;
- mangle table, POSTROUTING chain: used when we want to mangle packets before they leave the ShadowAP based device but after the actual routing decision; this chain is hit both by packets just traversing the firewall and by packets created by the firewall itself;
- NAT table, POSTROUTING chain: used for SNAT; it is suggested that you do not filter here since it can have side effects and certain packets might slip through even though the default policy is to drop them.
A packet passing through the ShadowAP and destined for another host on the network traverses firewall tables, chains and routing tables in this order:
- mangle table, PREROUTING chain: normally used for mangling packets;
- NAT table, PREROUTING chain: mainly used for DNAT av
119. e rule <index> table: specify the existing table number or name for the current rule [0-255 or string without spaces].
route rule <index> prio: specify the rule priority [0-32767]. By default the local table lookup priority is 0, main is 32766 and default is 32767. Priority lets the ShadowAP control the matching order: priorities are tested from the lowest to the highest until a match is found.
Example: the LAN interface has the IP address range 192.168.55.0/24. There is a GRE tunnel gre0001 with the IP address 10.0.0.2/24 set. The following rules create a routing setup in which the 192.168.55.0/24 LAN stations are routed via the GRE tunnel.
Define the wisp1 routing table:
route table 1 id 100
route table 1 name wisp1
Create static route entries in the table:
route 1 devname ixp0
route 1 ip 192.168.55.0
route 1 netmask 24
route 1 table 100
Set the default gateway:
route 2 devname gre0001
route 2 ip 0.0.0.0
route 2 netmask 0
Set the gateway (the GRE tunnel IP address):
route 2 gateway 10.0.0.2
route 2 table wisp1
Set the decision on how to route packets from 192.168.55.0/24:
route rule 1 ip 192.168.55.0
route rule 1 netmask 24
route rule 1 table wisp1
route rule 1 prio 100
6.3.10 Selective Source Routing. Selective Source Routing refers to a dynamic routing capability. In particular, client station traffic wi
120. eceiving network device, or otherhost (none of the above).
ebtables rule <index> pkttype inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
STP: specify STP BPDU (Bridge Protocol Data Unit) fields. The destination address must be specified as the bridge group address (BGA).
ebtables rule <index> stp type: specify the BPDU type [0-255].
ebtables rule <index> stp type inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ebtables rule <index> stp flags: specify the BPDU flag [0-255].
ebtables rule <index> stp flags inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ebtables rule <index> stp root_prio: specify the root priority range [0-65535 : 0-65535].
ebtables rule <index> stp root_prio inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ebtables rule <index> stp root_addr: specify the root MAC address [colon-separated 6 hexadecimal value pairs / netmask length in bits]. See ebtables rule <index> src for more details.
ebtables rule <index> stp root_addr inverse: specify the match value inverse status [enabled / disabled]. Default: disabled.
ebtables rule <index> stp root_cost: specify the root path cost range [0-4294967295 : 0-4294967295].
ebtables rule <index> stp root_c
121. ed The STP protocol first elects a root bridge The root bridge is the bridge with the lowest priority in the network If several bridges have the same priority assigned the bridge with the lowest MAC address is chosen The root bridge is the central bridge in the spanning tree It is recommended not to use more than one VLAN or VSSID in the bridge otherwise in some network topologies using switches the bridge may not work as expected bridge lt index gt priority specify the bridge priority 0 65535 Default 32768 bridge lt index gt fd specify the forwarding delay time 0 65535 Forwarding delay time is the time spent in each of the listening and learning states before the forwarding state is entered Default 15 bridge lt index gt hello specify the interval between hello packets in seconds 0 65535 Hello packets are used to communicate information about the topology throughout the entire bridged LAN Default 2 bridge lt index gt ageing define the interface hardware MAC address ageing time in seconds 0 65535 The ageing time is the number of seconds that a MAC address will be kept in the forwarding database after receiving a packet from this MAC address The entries in the forwarding database are periodically timed out to ensure that old ones do not persist in the database Default 300 bridge lt index gt maxage specify the maximum bridge message age in seco
122. ed bridge 1 port 1 devname ixp0 bridge 1 port 2 status enabled bridge 1 port 2 devname ath0 bridge 1 priority 2 bridge 1 stp status disabled 6 2 3 DHCP The ShadowAP device can act as DHCP Dynamic Host Configuration Protocol client DHCP server and or as a DHCP relay gateway The DHCP service is supported on both physical and logical interfaces 6 2 3 1 DHCP Client The lt index gt range for DHCP client is 1 50 A configured DHCP client will try to get an IP lease immediately on ShadowAP start up All available keys of the DHCP client are listed below dhcpc status specify the service status enabled disabled Default disabled dhcpc background allows to enable the device and not wait for an IP address before starting the boot process enabled disabled Default disabled In case the key dhcpc background is enabled and the device starts the boot process without an IP address the following services will not be started NTP server Static Routing feature DNS Forwarder Syslog Wireless Client Bridge Station Supervision AAA AutoLock WLAN dhcpc lt index gt status specify the DHCP client status enabled disabled Default enabled dhcpc lt index gt devname specify the interface on which you want to enable the DHCP client Example enable DHCP client on ixp0 interface dhcpc status enabled dhcpc 1 devname ixp0 6 2 3 2 DHCP Server The DHCP server as
123. ed to match any protocol Default 0 access lt index gt whitelist location lt index gt status specify the status of the white list location enabled disabled Default enabled access lt index gt whitelist location lt index gt url specify the FTP or HTTP URL which will be used as an additional source for white list entries string access lt index gt blacklist lt index gt status specify the black list status enabled disabled Default enabled access lt index gt blacklist lt index gt url specify the URL string When specified system will extract the host port and protocol from the URL If specified the only key access lt index gt blacklist lt index gt descr is necessary all other keys will be ignored access lt index gt blacklist lt index gt descr specify the current entry description string In case when URL is specified it can be used as a link text for that URL access lt index gt blacklist lt index gt host specify the host name or host network IP address IP address or hostname string access lt index gt blacklist lt index gt netmask specify the netmask used to cover network range limited by host and netmask Default 255 255 255 255 access lt index gt blacklist lt index gt port from specify the TCP or UDP port number 0 65535 This denotes the first port in a range or the single port when access lt index gt blacklist lt index gt port to is not spe
124. edule Transfer Protocol 119 SpectraLink Radio Protocol 120 UTI 121 Simple Message Protocol 122 SM 123 Performance Transparency Protocol 124 125 126 Combat Radio Transport Protocol 127 Combat Radio User Datagram 128 129 130 Secure Packet Shield 131 Private IP Encapsulation within IP 132 Stream Control Transmission Protocol 133 Fibre Channel 134 135 136 137 252 253 254 Use for experimentation 255 7 5 Appendix E ISO Country Codes This list states the country codes a numeric code of a physical territory and the country names official short 2 or 3 letters names in English in alphabetical order as given in ISO 3166 1 and the corresponding ISO 3166 1 alpha 2 code elements Each country or territory has three codes a two letter code a three letter code a three digit code This is a subset of the full ISO 3166 lists The countries listed here are supported in the wireless interface drivers radio countrycode key See http www iso org iso en prods services iso3166ma 02iso 3166 code lists index html and http unstats un org unsd methods m49 m49alpha htm for the complete ISO country code lists Country Codes AL ALB 008 DZ DZA 012 AR ARG 032 AM ARM 051 AU AUS 036 AT AUT 040 AZ AZE 031 BH BHR 048 BY BLR 112 BE BEL 056 BZ BLZ 084 BO BOL 068 BR BRA 076 BN BRN 096 BG BGR 100 CA CAN 124 CL
125. el parameters wpasupplicant profile lt index gt network lt index gt phase2 auth specify the inner authentication type for TTLS MSCHAPV2 MSCHAP PAP CHAP It stands for TTLS MSCHAPV2 TTLS MSCHAP TTLS PAP and TTLS CHAP If not specified the keys wpasupplicant profile lt index gt network lt index gt phase2 autheap will be used instead see below wpasupplicant profile lt index gt network lt index gt phase2 autheap lt 1 5 gt status specify current entry status enabled disabled Default enabled wpasupplicant profile lt index gt network lt index gt phase2 autheap lt 1 5 gt name specify the inner tunnelled EAP authentication types for TTLS MD5 TLS MSCHAPV2 GTC OTP They stand for TTLS EAP MD5 TTLS EAP TLS TTLS EAP MSCHAPV2 TTLS EAP GTC TTLS EAP OTP If not specified all available types will be accepted Note If wpasupplicant profile lt index gt network lt index gt phase2 auth is set this key will have no effect wpasupplicant profile lt index gt network lt index gt phase2 authpeap lt 1 5 gt status specify current entry status enabled disabled Default enabled wpasupplicant profile lt index gt network lt index gt phase2 authpeap lt 1 5 gt name specify the inner tunnelled EAP authentication types for PEAP MD5 TLS MSCHAPV2 GTC OTP If not specified all available types will be accepted wpasupplicant profile lt index gt network lt index gt ca_cert2 specify the name of CA
126. ello_time inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt stp forward_delay specify the forward delay timer 0 65535 0 65535 ebtables rule lt index gt stp forward_delay inverse specify the match value inverse status enabled disabled Default disabled VLAN Specify 802 1Q Tag Control Information fields The protocol must be specified as 802_1Q 0x8100 ebtables rule lt index gt vlan id specify the VLAN identifier 0 4095 ebtables rule lt index gt vlan id inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt vlan prio specify the VLAN user_priority field value 0 7 The ebtables rule lt index gt vlan id should be set to 0 or be unspecified ebtables rule lt index gt vlan prio inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt vlan encap specify the encapsulated Ethernet frame type length 0x0000 0xFFFF symbolic name from etc ethertypes Contents of etc ethertypes file are listed at http www cavebear com CaveBear Ethernet type html ebtables rule lt index gt vlan encap inverse specify the match value inverse status enabled disabled Default disabled 6 4 4 1 4 Watcher Extensions Watchers are things that only look at frames passing by These wa
127. ences for all menu items are presented 4 2 Statistics Use the Statistics menu to check the current status of the ShadowAP There are five sections of the status information System Information displays system information including uptime and version Network Details detailed receive transmit statistics for all interfaces Wireless Details detailed radio and wireless network statistics Routes displays routing information ARP Table displays the ShadowAP s ARP table IP addresses associated with MAC addresses 4 2 1 System Information System Information menu displays general device status as well as network and wireless information This is the default page shown when accessing the ShadowAP System Information displays system information including uptime license status and firmware version Network Information displays basic receive and transmit information The table displays how many packets are sent and received how many errors have occurred while communicating and the IP address associated to each interface Wireless Information displays general wireless device information The Status column shows if an interface is turned on and the Link column shows the signal strength for the wireless link based on the current noise level Refresh click to renew the system information page System Information Uptime 1 days 01 03 07 License status valid Firmware versi
128. endpoints RFC2716 EAP TTLS Tunnelled TLS Authentication Protocol provides an authentication negotiation enhancement to TLS see Internet Draft lt draft ietf pppext eap ttls 05 txt gt ERP Extended Rate PHY The 802 11g enhancement to the Physical Layer definition that introduces OFDM as a mandatory coding scheme for mandatory 6 12 amp 24Mbps bit rates and 18 36 48 amp 54Mbps optional bit rates The ERP retains backward compatibility with 802 11b coding and modulation mechanisms G gateway A gateway is a network point that acts as an entrance to another network On the Internet a node or stopping point can be either a gateway node or a host end point node Both the computers of Internet users and the computers that serve pages to users are host nodes The computers that control traffic within your company s network or at your local Internet service provider ISP are gateway nodes H hotspot A hotspot is wireless public access system that allows subscribers to be connected to a wireless network in order to access the Internet or other devices such as printers Hot spots are created by WLAN access points installed in public venues Common locations for public access are hotels airport lounges railway stations or coffee shops hotspot operator An entity that operates a facility consisting of a Wi Fi public access network and participates in the authentic
129. ense period N A Download current license file Figure 2 5 2 Successful Upload Screen Step 4 Use the Reboot section under the System Maintenance menu to reboot the device for all locked features to be activated Figure 2 5 3 Maintenance Screen Step 5 After the license is uploaded and the device has rebooted check the license validity on the Web management interface under Statistics System Information menu System Information screen showing License status valid Firmware version 5 21 Figure 2 5 4 System Information Screen 3 0 Chapter 3 Command Line Interface Management 3 1 Introduction The CLI Command Line Interface software is a configuration shell for the ShadowAP The CLI is an alternative way to configure ShadowAP and is not intended to be used as the main device management method Using the CLI you can test authentication parameters change the administrator s password reboot the device reset the device to defaults show device configuration or view device status All available key combinations in CLI mode are listed in Table 3 1 1 Table 3 1 1 Key Combinations in the CLI Key and or Combination Function lt text gt Enter parameter s string with space lt TAB gt Complete current keyword or list all the options lt CTRL gt lt D gt Break out of subshell lt CTRL gt lt A gt Jump to the begi
130. ent of the Security Association IPsec SA between two peers is needed for IPsec communication It can be done by using manual or automated configuration IPsec Racoon uses the Internet Key Exchange IKE for automatically keying IPsec connections Several parameters Keys are exchanged between peers in order to establish the IPsec SA The Racoon exchange routine by using IKE has two phases establishing SA for own communication IKE SA and establishing IPsec SA The IPsec system maintains two databases Security Policy Database SPD which defines whether to apply IPsec to a packet or not and specify which how IPsec SA is applied and Security Association Database SAD which contains a Key of each IPsec SA The basic mechanism of applying the IPsec SA to a packet is the following The administrator sets a policy to SPD System refers to SPD in order to make a decision of applying IPsec to a packet If IPsec is required then system gets the Key for IPsec SA from SAD If it has failed then system sends a request to get the Key to IPsec Racoon IPsec Racoon exchanges the Key by using IKE with the other to be established IPsec SA IPsec Racoon put the Key into SAD System can now send a packet applied IPsec Racoon needs access to UDP port 500 Make sure that your firewall configuration does not block this port IPsec Racoon can be configured using the following keys racoon status specify the
131. er gain may be used with the same or lower power levels in Canada and the USA 7 2 1 Channels for IEEE 802 11b g Table columns Channel Identifiers Frequency in MHz USA Canada IC FCC European Union CE ETSI ShadowAP FCC Certification Channel frequencies 1 2412 2 2417 3 2422 4 2427 5 2432 6 2437 7 2442 8 2447 9 2452 10 2457 11 2462 12 2467 13 2472 14 2484 ShadowAP FCC Certification 20 5 dBi panel antenna SPAPG20 using transmit power levels up to 13 dB 9 0 dBi Omni antenna SPDG80 using transmit power levels up to 14 dB Mexico is included in the Americas regulatory domain however channels 1 through 8 are for indoor use only while channels 9 through 11 can be used indoors and outdoors Users are responsible for ensuring that the channel set configuration complies with the regulatory standards of Mexico 7 2 2 Channels for IEEE 802 11a Table columns Channel Identifiers Frequency in MHz USA Canada IC FCC European Union CE ETSI ShadowAP FCC Certification Channel frequencies 34 5170 36 5180 38 5190 40 5200 42 5210 44 5220 46 5230 48 5240 52 5260 56 5280 ShadowAP FCC Certification 16 8 dBi panel antenna SPDN6W using transmit power levels up to 7 dB 8 0 dBi Omni antenna SPDJ60P using transmit power levels up to 14 dB 16 8 dBi panel antenna SPDN6W using transmit power levels up to 7 dB 8 0 dBi Omni antenn
132. escape to another interface when the route to endpoint changes If not specified default interface name will be gre lt index gt tunnel gre lt index gt local ip specify the fixed local IP address for tunnelled packets It must be an address of another interface of the device Default 0 0 0 0 means that no fixed address will used for local endpoint In this case local endpoint address for that tunnel will be automatically assigned by the routing process tunnel gre lt index gt remote ip specify the remote tunnel endpoint IP address Default 0 0 0 0 means accept any remote endpoint tunnel gre lt index gt parent specify the parent interface name Bind the tunnel to the specified interface so that tunnelled packets will only be routed through this interface and will not be able to escape to another interface when the route to endpoint changes tunnel gre lt index gt ttl specify the fixed time to live TTL value on tunnelled packets 0 255 The 0 is a special value meaning that packets inherit the TTL value Default 0 tunnel gre lt index gt pmtudiscovery the Path Maximum Transmission Unit Discovery PMTUD status on this tunnel enabled disabled Default enabled Example tunnel gre status enabled tunnel gre 1 status enabled tunnel gre 1 devname gre 1 tunnel gre 1 local ip 192 168 2 12 tunnel gre 1 parent ixp1 tunnel gre 1 remote ip 192 168 2 13 tunnel gre 1 pmtudiscovery disabled
133. ess 1 security 1 key XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX XX wireless 1 security default_key 1 12 create firewall chains that AAA service depends on refer to the respective section 6 4 3 IP Firewall firewall chain 1 name acctin firewall chain 1 table mangle firewall chain 1 parent PREROUTING firewall chain 2 name acctout firewall chain 2 table mangle firewall chain 2 parent POSTROUTING firewall chain 3 name fwdusers firewall chain 3 table filter firewall chain 3 parent FORWARD firewall filter FORWARD policy DROP 13 setup firewall rules for each AAA interface entry refer to the respective section 6 4 3 IP Firewall firewall rule 1 table mangle firewall rule 1 chain acctin firewall rule 1 acct in lt aaa lt index gt devname gt firewall rule 2 table mangle firewall rule 2 chain acctout firewall rule 2 acct out lt aaa lt index gt devname gt firewall rule 3 table filter firewall rule 3 chain fwdusers firewall rule 3 auth in lt aaa lt index gt devname gt firewall rule 3 target ACCEPT firewall rule 4 table filter firewall rule 4 chain fwdusers firewall rule 4 auth out lt aaa lt index gt devname gt firewall rule 4 target ACCEPT firewall rule 5 status enabled firewall rule 5 table mangle firewall rule 5 chain PREROUTING firewall rule 5 auth auth firewall rule 5 auth in ath0 firewall rule 5 target NAS_MARK 14 if AAA interface is
134. ess string or IP address mandatory aaa acct lt index gt port specify the network port used to communicate with the RADIUS accounting server 0 65535 Default is 1813 The default port value of 1813 is set according to RFC2866 RADIUS Accounting aaa acct lt index gt timeout specify the accounting request timeout in seconds 1 999 Default 2 If RADIUS response is not received during timeout period request is retransmitted aaa acct lt index gt retry specify the number of times accounting request is retransmitted 0 99 Default 2 aaa acct lt index gt secret specify the shared secret of the accounting server string mandatory The shared secret is used to encrypt data packets transmitted between RADIUS server and client aaa acct lt index gt stripdomain specify the strip domain function status enabled disabled Default disabled Enabling this option removes the WISP domain prefix from the username before sending it to the RADIUS server see section 6 4 1 4 RADIUS Domains WISPs for details Default action is to send the username as is Some RADIUS servers can be configured to require the full unmodified user name to be sent Example aaa acct 1 secret password aaa acct 1 status enabled aaa acct 1 host 192 168 2 182 aaa acct 1 name ACCT aaa acct 1 port 1813 aaa acct 1 stripdomain disabled 6 4 1 4 RADIUS Domains WISPs The domain name is a s
135. ettings choose Internet Protocol TCP IP and click Properties Step 5 Manually assign the host an IP address that ranges within the ShadowAP s IP s subnet The default subnet for the bridge interface on ath0 ranges from 192 168 3 1 to 192 168 3 254 Enter an IP address different from the ShadowAPs address i e 192 168 3 100 and the subnet mask as 255 255 255 0 Figure Local Area Connection Properties and Internet Protocol TCP IP Properties dialogs with Use the following IP address selected IP address 192 168 3 100 Subnet mask 255 255 255 0 Default gateway 192 168 e
136. ex gt arp mac_dst specify the ARP MAC destination address specification colon separated 6 hexadecimal value pairs netmask length in bits ebtables rule lt index gt arp mac_dst inverse specify the match value inverse status enabled disabled Default disabled IP Specify the IP fields for IPv4 protocol ebtables rule lt index gt ip source specify the source IP address IP address netmask length in bits ebtables rule lt index gt ip source inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt ip destination specify the destination IP address IP address netmask length in bits ebtables rule lt index gt ip destination inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt ip tos specify the IP type of service hexadecimal number Minimize Delay 0x10 Maximize Throughput 0x08 Maximize Reliability 0x04 Minimize Cost 0x02 Normal Service 0x00 ebtables rule lt index gt ip tos inverse specify the match value inverse status enabled disabled Default disabled ebtables rule lt index gt ip protocol specify the IP protocol 0 255 The standard IP protocol as specified in Appendix D etc protocols ebtables rule lt index gt ip protocol inverse specify the match value inverse status enabled disabled
137. f 3 netmask 255 255 255 0 netconf 3 status enabled netconf 3 up enabled netconf status enabled NTP NETWORK TIME PROTOCOL CLIENT SETTINGS This is used to synchronize the clock of the Access Controller to a selected time server Up to 16 NTP servers can be configured ntpd status disabled IPSEC RACOON Uses the Internet Key Exchange IKE for automatically keying IPsec connections racoon status disabled RADIO SETTINGS This section configures the radio parameters such as channel 802 11 mode ieee mode antenna and acktimeout ctstimeout slottime Refer to Sections 7 3 10 1 and 7 3 10 2 in the User Manual and to the application note for details Valid channels for IEEE 802 11 B G CANADA USA AND MEXICO Ch 01 to 11 EUROPE except FRANCE Ch 01 to 13 FRANCE Ch 10 to 13 ISRAEL Ch 03 to 09 CHINA Ch 01 to 13 JAPAN Ch 01 to 14 Mode B G are Channels Frequency in MHz 1 2412 2 2417 3 2422 4 2427 5 2432 6 2437 7 2442 8 2447 9 2452 10 2457 11 2462 12 2467 13 2472 14 2484 Valid channels for IEEE 802 11 A CANADA USA AND MEXICO 36 40 44 48 52 56 60 64 149 153 157 161 165 EUROPE 36 40 44 48 52 56 60 64 100 104 108 112 116 120 124 128 132 136 140 SINGAPORE 36 42 44 48 CHINA 140 153 157 161 JAPAN 34 38 42 46 Mode A Channels Numbers and Corresponding Frequencies MHz 34 5170 36 5180 38 5190 40 5200 42 5210 44 5220 4
138. figuration are listed below vlan status specify the VLAN feature status enabled disabled Default disabled vlan lt index gt status specify the VLAN status enabled disabled Default enabled vlan lt index gt parent specify the LAN interface name to make VLAN on vlan lt index gt id assign ID for your VLAN network 2 4095 Devices configured with the same ID e g access points are logically grouped into this VLAN Per VLAN QoS offers differentiated quality of services to individual VLANs on a trunk port A per VLAN service policy can be separately applied to either ingress or egress traffic vlan lt index gt priority_in specify either manual or auto mappings for ingress packets will be set auto manual Default manual vlan lt index gt priority_out specify either manual or auto mappings for egress packets will be set auto manual Default manual The ingress mapping maps VLAN QoS field 3 bits to local packet priority field 32 bits vlan lt index gt prio_in_map lt index gt vlan_qos specify the ingress VLAN priority in bits 0 7 vlan lt index gt prio_in_map lt index gt pkt_prio specify the ingress packet priority in bits 0 0x7fffff The egress mapping maps local packet priority field to VLAN QoS field vlan lt index gt prio_out_map lt index gt vlan_qos specify the egress VLAN priority in bits 0 7 vlan lt index gt prio_out_map lt index gt pkt_prio specify the eg
139. file lt index gt network lt index gt wep_key1 hex specify the static WEP key 1 in hex digits 40 bit or 104 bit static key The syntax is the same as wpasupplicant profile lt index gt network lt index gt wep_key0 hex If this key is specified it overrides wpasupplicant profile lt index gt network lt index gt wep_key1 wpasupplicant profile lt index gt network lt index gt wep_key2 specify the static WEP key 2 40 bit or 104 bit The key used in static WEP mode an ASCII passphrase wpasupplicant profile lt index gt network lt index gt wep_key2 hex specify the static WEP key 2 in hex digits 40 bit or 104 bit static key The syntax is the same as wpasupplicant profile lt index gt network lt index gt wep_key0 hex If this key is specified it overrides wpasupplicant profile lt index gt network lt index gt wep_key2 wpasupplicant profile lt index gt network lt index gt wep_key3 specify the static WEP key 3 40 bit or 104 bit The key used in static WEP mode an ASCII passphrase wpasupplicant profile lt index gt network lt index gt wep_key3 hex specify the static WEP key 3 in hex digits 40 bit or 104 bit static key The syntax is the same as wpasupplicant profile lt index gt network lt index gt wep_key0 hex If this key is specified it overrides wpasupplicant profile lt index gt network lt index gt wep_key3 wpasupplicant profile
140. hain name string without spaces The key firewall chain lt index gt parent is not recommended to use Use rules with Jump target instead to arrange chains 6 4 3 1 Rules Configuration A firewall rule specifies criteria for a packet and a target If the packet does not match the next rule in the chain is examined if it does match then the next rule is specified by the value of the target which can be the name of a user defined chain or one of the special values described below Some rule keys may have an inverse sub key If set to enabled it inverts the test for the main key match value Following configuration keys are used to determine where a particular rule shall be placed firewall rule lt index gt status specify the rule entry status enabled disabled Default enabled firewall rule lt index gt table specify the table name nat mangle filter firewall rule lt index gt chain specify the chain name string no spaces allowed firewall rule lt index gt index specify the rule index within the chain 1 1000 6 4 3 2 Rule Matches firewall rule lt index gt protocol specify the rule protocol TCP UDP ICMP ALL name from etc protocols integer value 0 The values of the etc protocols are listed in Appendix D etc protocols firewall rule lt index gt protocol inverse specify the match value inverse status enabled disabled Default disabled If e
141. han one access point in overlapping coverage areas we recommend a distance of at least four channels between the chosen channels The list of available channels is in Appendix B Regulatory Domain Channels Ensure that the channel you have selected meets your specific regulatory requirements for power levels indoor outdoor usage In the master operating mode the ShadowAP has the auto channel function It is used to find the best channel for client access point communication either an unused channel or if all are in use the least occupied one that with the lowest measured signal strength The channel list to select channels from can be specified for auto channel radio lt index gt autochannel status specify the auto channel status enabled disabled radio lt index gt autochannel lt index gt status specify current auto channel entry status enabled disabled radio lt index gt autochannel lt index gt channel specify one channel from auto channel list number depends on country code settings and operation mode The list of available channels is in the appendix B Regulatory Domain Channels radio lt index gt rate max specify the wireless transmission speed in bits sec by default Real data transmission speed will be lower due to distance obstacles in wireless signal path and wireless protocol overhead You may append the suffix k M or G to the value decimal multiplier 10^3 10^6 and 10^9 bits s or add enough zeros
142. he MAC is the radio controller protocol It corresponds to the ISO Network Model s level 2 Data Link layer The IEEE 802 11 standard specifies the MAC protocol for medium sharing packet formatting and addressing and error detection N NAT NAT Network Address Translation is the translation of an Internet Protocol address IP address used within one network to a different IP address known within another network One network is designated the inside network and the other is the outside Typically a company maps its local inside network addresses to one or more global outside IP addresses and unmaps the global IP addresses on incoming packets back into local IP addresses NAT is included as part of a router and is often part of a corporate firewall P POP3 POP3 Post Office Protocol 3 is the most recent version of a standard protocol for receiving e mail POP3 is a client server protocol in which e mail is received and held for you by your Internet server Periodically you or your client e mail receiver check your mail box on the server and download any mail POP3 is built into the Netmanage suite of Internet products and one of the most popular e mail products Eudora It s also built into the Netscape and Microsoft Internet Explorer browsers PPTP Point to Point Tunnelling Protocol PPTP is a protocol set of communication rules that allows corporations to extend their own corporate network through private tunnels
143. he NAS to act as a RADIUS proxy This requires additional radius proxy settings to be configured See section 6 4 1 4 RADIUS Domains WISPs aaa nas lt index gt auth lt index gt profile specify the profile name string aaa nas lt index gt acct status specify the accounting status on NAS server enabled disabled Default disabled aaa nas lt index gt domain lt index gt status specify current domain entry status enabled disabled aaa nas lt index gt domain lt index gt profile specify the domain WISP name string This should be equal to aaa domain lt index gt domain see section 6 4 1 4 RADIUS Domains WISPs aaa nas lt index gt domain default specify the default domain WISP index number Default 1 aaa nas lt index gt security type specify the security type none wep wpa Default none aaa nas lt index gt security profile specify the security profile name string This may be omitted if security type is none It should be equal to aaa security wep lt index gt name or aaa security wpa lt index gt name see sections 6 4 1 5 Dynamic WEP Security and 6 4 1 6 WPA WPA2 Security The following properties are reported in RADIUS request packets Most of them are used for WISPr compliance aaa nas lt index gt properties location isocc specify the location ID attribute country code of the NAS location according ISO standards 2 characters
144. he destinations are broadcast addresses The packets are sent as link broadcasts multicast a special type used for multicast routing It is not present in normal routing tables throw a special control route used together with policy rules If such a route is selected lookup in this table is terminated pretending that no route was found Without policy routing it is equivalent to the absence of the route in the routing table The packets are dropped and the ICMP message net unreachable is generated The local senders get an ENETUNREACH unreachable these destinations are unreachable Packets are discarded and the ICMP message host unreachable is generated The local senders get an EHOSTUNREACH error prohibit these destinations are unreachable Packets are discarded and the ICMP message communication administratively prohibited is generated The local senders get an EACCES error blackhole these destinations are unreachable Packets are discarded silently The local senders get an EINVAL error Example the configuration of the default route route status enabled route 1 status enabled route 1 devname ixp0 route 1 gateway 192 168 2 1 route 1 ip 0 0 0 0 route 1 netmask 0 route ip forward enabled 6 3 9 Static Source Routing Source routing is a routing method where a routing decision is made depending not only on packet s destination address but also on source IP ad
145. he second generation of WPA security, providing enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard.

All available keys of the WPA/WPA2 profile are listed below.

- aaa security wpa <index> status: specify the WPA/WPA2 security profile status [enabled/disabled]. Default: enabled.
- aaa security wpa <index> name: specify the WPA/WPA2 security profile name [string].
- aaa security wpa <index> mode: specify the security mode [WPA/WPA2/ALL].
- aaa security wpa <index> psk: specify the WPA pre-shared key for WPA-PSK [64 hexadecimal values]. This value can be overridden by specifying aaa security wpa <index> passphrase, described below.
- aaa security wpa <index> passphrase: specify the WPA passphrase [8-63 characters]. The passphrase will be converted to pre-shared key format. This conversion uses the SSID, so the key changes when an ASCII passphrase is used and the SSID is changed. A provided passphrase overrides the value of aaa security wpa <index> psk.
- aaa security wpa <index> key method: specify the WPA key selection method [PSK/EAP/ALL]. PSK requires aaa security wpa <index> psk or aaa security wpa <index> passphrase to be specified. When EAP is selected, the NAS instance which uses this profile must support IEEE 802.1x authentic
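The passphrase-to-PSK conversion and the psk/passphrase precedence described above, as an added example that is not code from the manual or the ShadowAP firmware. It reproduces the standard IEEE 802.11i derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte output), which is why the same passphrase yields a different key once the SSID changes; the profile dictionary layout and the function names are assumptions made for this example.

```python
import hashlib
import re

# Constructed helper, not part of the ShadowAP firmware: the passphrase-to-PSK
# conversion the manual describes is the IEEE 802.11i one (PBKDF2-HMAC-SHA1 with
# the SSID as salt, 4096 iterations, 256-bit result).

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def passphrase_to_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit pre-shared key from an ASCII passphrase and the SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8-63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def resolve_profile_psk(profile: dict, ssid: str) -> bytes:
    """Apply the precedence the manual states: a passphrase overrides a raw psk.

    `profile` is an assumed dict with optional "psk" (64 hex chars) and
    "passphrase" entries, standing in for the aaa security wpa <index> keys.
    """
    passphrase = profile.get("passphrase")
    if passphrase:
        return passphrase_to_psk(passphrase, ssid)
    psk = profile.get("psk")
    if psk is None:
        raise ValueError("key method PSK needs psk or passphrase to be specified")
    if not HEX64.match(psk):
        raise ValueError("psk must be exactly 64 hexadecimal characters")
    return bytes.fromhex(psk)


if __name__ == "__main__":
    # Known IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(passphrase_to_psk("password", "IEEE").hex())
    # Same passphrase, different SSID: a different key.
    print(passphrase_to_psk("password", "IEEE2").hex())
```

Because the SSID is the salt, a profile copied to a second Virtual AP with a different SSID silently produces a different key; supplying the raw 64-hex psk instead pins the key regardless of SSID.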
146. hich restricts specified types of network communication. The firewall mechanism enables Port Forwarding features by creating a transparent tunnel through a firewall, allowing users on the Internet access to a service (Web server, SSH server) running on the LAN side. From the outside user's point of view it looks like the service is running on the firewall.

The IP firewall contains three built-in tables: NAT, mangle and filter. Every table contains built-in chains. The user can create additional chains and include them into built-in chains for more flexibility. Here is the built-in chain list for those tables:

- NAT (network address translation, including DNAT, SNAT and masquerading):
  - PREROUTING
  - POSTROUTING
  - OUTPUT
- mangle (general packet header modification, such as setting the TOS value or marking packets for policy routing and traffic shaping):
  - PREROUTING
  - INPUT
  - FORWARD
  - OUTPUT
  - POSTROUTING
- filter (packet filtering: rejecting, dropping or accepting packets):
  - INPUT
  - FORWARD
  - OUTPUT

Packets coming from the network and destined for the ShadowAP-based device traverse the firewall tables, chains and routing tables in this order:

- mangle table, PREROUTING chain: normally used for mangling packets, i.e. changing TOS and so on
- NAT table, PREROUTING chain: mainly used for DNAT; avoid filtering in this chain since it will be bypassed in certain cases
- routing decision
- mangle table, INPUT chain: used to mangl
147. hose chains and nowhere else.

    firewall rule <index> target REDIRECT

- firewall rule <index> t redirect port: specify the port or port range [port 0-65535, or port range 0-65535 to 0-65535]. This match can be used only with the TCP or UDP protocols.

6.4.3.7.9 REJECT
This target works basically the same as the DROP target, but it also sends back an error message to the host sending the packet that was blocked. The REJECT target is valid only in the INPUT, FORWARD and OUTPUT chains.

    firewall rule <index> target REJECT

- firewall rule <index> t reject with: specify the response to send to the host if the sent packet was rejected [icmp-net-unreachable/icmp-host-unreachable/icmp-port-unreachable/icmp-proto-unreachable/icmp-net-prohibited/icmp-host-prohibited/tcp-reset]. Default: port unreachable.

6.4.3.7.10 RETURN
This target will cause the current packet to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the chain is the main chain, the default chain policy will apply for this packet.

    firewall rule <index> target RETURN

6.4.3.7.11 SNAT
This target is used to rewrite the source IP address in the IP header of the packet. The SNAT target is valid in the POSTROUTING chain of the nat table only.

    firewall rule <index> target SNAT

- firewall rule <index> t snat source: specify the IP or IP range. The IP range format is IP-IP, e.g. 194.236.50.155-194.236.50.160. The source option is used to specify which source the packet should use
148. ill be retrieved from the specified remote locations. The static and remote entries will be refreshed automatically at the predefined time interval. The remote white/black list is a simple text file where each non-empty line is assumed to have one host. If the list has changed since the last update, all previously entered hosts will be overwritten by the new white/black list.

All available keys of the White/Black List are listed below.

- access <index> status: specify the white/black list feature status [enabled/disabled]. Default: enabled.
- access verbose: specify whether the service daemon should be verbose or not [enabled/disabled]. Default: disabled.
- access <index> devname: specify the interface name for which the black/white policies should be applied. Instead of an interface name, a character that stands for all interfaces can be specified.
- access <index> update period: specify the list update period in seconds [0-99999999]. To disable the periodical update use 0. The accuracy of this setting is 30 seconds. Default: 3600.
- access <index> resolv period: specify the DNS resolving period for black/white list entries [0-99999999]. To disable periodical resolving use 0. The accuracy of this setting is 30 seconds. Default: 300. The DNS resolving period should be less than the update period; otherwise it will be ignored and the resolving of DNS entries will be performed on the next update.
- access <index>
149. ill be uploaded with the dynamic IP address given by the local DHCP server.

4.5 Tools
Use the Tools menu to align and test the ShadowAP.

Figure 4.5.1 Tools Menu

- Site Survey: to view the list of wireless networks in the local geographical area
- Antenna Alignment: to align a ShadowAP device antenna
- Wireless Tests: to perform detailed wireless testing

4.5.1 Site Survey
The Site Survey shows overview information for wireless networks in a local geographic area. Using this test, an administrator can scan for working access points, check their operating channels and WEP encryption, and see signal/noise levels. An administrator can use this feature to identify a clear channel, setting the ShadowAP to one that will not receive interference from other wireless devices.

Note: the Site Survey function can take several minutes to perform.

A Site Survey test is performed every time on the start-up of the device; therefore the results of the last performed Site Survey test and its time can be found on the page. Thus, to obtain the results, the initiation of a scan is not necessary.

Choose wireless interface: choose the interface on which the Site Survey test will be performed from the drop-down list.

Note: the Site Survey function is impossible if the selected wireless interface is disabled.

Scan: click to update the Site Survey.

Figure
150. in IP traffic. IPP2P is a netfilter extension to identify P2P file sharing traffic. Thereby IPP2P integrates itself easily into existing Linux firewalls, and its functionality can be used by adding appropriate filter rules. IPP2P uses suitable search patterns to identify P2P traffic, thus allowing the reliable identification of traffic belonging to many P2P networks. Once identified, one may handle P2P traffic in different ways: dropping such traffic, putting it into low priority classes or shaping it to a given bandwidth limit is possible. Reducing costs, freeing network resources and therefore improving network performance is often the result of using IPP2P.

All keys have the default value disabled.

- firewall rule <index> ipp2p status: enable/disable the IPP2P match [enabled/disabled]
- firewall rule <index> ipp2p: grab all known P2P packets. Equal to edk, dc, kazaa, gnu [enabled/disabled]
- firewall rule <index> ipp2p edk: all known eDonkey, eMule and Overnet packets [enabled/disabled]
- firewall rule <index> ipp2p dc: all known Direct Connect packets [enabled/disabled]
- firewall rule <index> ipp2p kazaa: all known KaZaA packets [enabled/disabled]
- firewall rule <index> ipp2p gnu: all known Gnutella packets [enabled/disabled]
- firewall rule <index> ipp2p bit: all known BitTorrent packets [enabled/disabled]
- firewall rule <index> ipp2p apple: all
151. index> mcast <index> address: specify the multicast IPv4 address that will be remapped by the plugin to the link layer.

    netconf 2 mcast status enabled
    netconf 2 mcast 1 address 01:00:5e:00:00:0a
    netconf 2 mcast 1 address 224.192.16.1

- netconf <index> allmulti: specify the status of all-multicast mode [enabled/disabled/default]. Default: disabled. If enabled, all multicast packets on the network will be received by the interface.
- netconf <index> mac: specify the interface MAC address [colon separated 6 hexadecimal value pairs], e.g. 03:FA:45:10:BA:44.
- netconf <index> promisc: specify the promiscuous mode status [enabled/disabled]. If enabled, all packets on the network will be received by this interface.
- netconf <index> mtu: specify the MTU size in bytes [integer]. Default: 1500. The MTU is the largest physical packet size, measured in bytes, that a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent.

The following keys (autoneg, advertise, speed and duplex) in the netconf section apply to Ethernet devices only. These keys allow you to control at what speed and duplex Ethernet devices are allowed to connect to the network.

- netconf <index> autoneg: specify the status of auto-negotiation [enabled/disabled]. Default: enabled.
- netconf <index> advertise: specify the advertised modes [auto/number]. Default: auto. This key is usable when the autoneg key is enabled. 0x001 Oba
152. interface.

6.4.1.2 RADIUS Authentication Servers
All available keys of the RADIUS authentication server are listed below.

- aaa auth <index> status: specify the RADIUS authentication server profile status [enabled/disabled]. Default: enabled.
- aaa auth <index> name: specify the RADIUS authentication server profile name [string], mandatory.
- aaa auth <index> host: specify the RADIUS authentication server host name or IP address [hostname string or IP address], mandatory.
- aaa auth <index> port: specify the network port used to communicate with the RADIUS authentication server [0-65535]. Default: 1812. The default port value of 1812 is set according to RFC 2138, Remote Authentication Dial In User Service (RADIUS).
- aaa auth <index> timeout: specify the authentication request timeout in seconds [1-999]. Default: 2. If a RADIUS response is not received during the timeout period, the request is retransmitted.
- aaa auth <index> retry: specify the number of times an authentication request is retransmitted [0-99]. Default: 2. When all retry attempts are exhausted, authentication with this server is treated as failed.
- aaa auth <index> secret: specify the shared secret of the authentication server [string], mandatory. The shared secret is used to encrypt data packets transmitted between the RADIUS server and client.

Note: shared secrets must be the same on the RADIUS server
153. ion per Virtual AP (MBSSID)
- Automated channel selection
- Antenna diversity control
- Output power control
- Wireless distribution system (WDS)
- Open client mode
- Secure client mode with WEP, WPA/WPA2 PSK and enterprise dynamic key with 802.1x supplicant
- WPA2 pre-authentication support
- Half and quarter rate channel support
- FCC security band support

Wireless Security
- WPA/WPA2 personal and enterprise with dynamic key from a remote RADIUS server (TKIP, AES-CCMP)
- Secure WDS mode: WDS inter-access point traffic is secured by WPA/WPA2 in personal or enterprise modes
- Static and dynamic WEP
- 802.1x with EAP-MD5, EAP-TLS, EAP-PEAP, EAP-TTLS, EAP-SIM, EAP-LEAP
- Layer 2 intra-access point client isolation
- SSID broadcasting suppression
- Static wireless Access Control List (MAC address filtering)

Networking
- Static and dynamic VLAN tagging (up to 4096 VLAN tags)
- VLAN pass-through
- Bridging, spanning tree protocol (STP)
- Static and dynamic IP routing with the Quagga Routing Suite
- DHCP server, client and relay
- DNS relay/proxy
- NTP and internal clock support
- Per VLAN, Virtual AP (MBSSID), IP tunnel or physical interface networking settings
- 802.1x authenticator and supplicant
- IP and MAC filtering per interface
- IP filtering per interface
- Stateful inspection firewall with P2P traffic matching module
- IPSec with static keys and dynamic re-keying, hardware acceleration for the IXP 42x platform
- Multiple GRE tunnels N
154. isabled

- bridge <index> status: specify the current entry status [enabled/disabled]. Default: enabled.
- bridge <index> devname: specify the bridge interface name [custom string up to 15 characters in length, e.g. br0], mandatory.
- bridge <index> stp status: define the STP (Spanning Tree Protocol) status [enabled/disabled]. Default: disabled.

If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to optimize multiple hops and avoid bridging loops. Normally, redundant bridges would result in duplicated packets which would saturate the connected networks. Bridges configured to use STP negotiate the shortest possible link between the connected networks and disable all other possible links. If a link fails, STP recalculates the links and can enable a workaround for the failed link. For the bridge to take part in this negotiation, STP must be enabled. It is disabled by default when creating the bridge.

Each bridge has a relative priority and cost. Each interface is associated with a port number in the STP code. The priority and cost are used to decide which is the shortest path to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces, you may need to adjust the priorities to achieve optimum performance. If your bridge is not the only bridge on the LAN, or if there are loops in the LAN topology, STP is strongly recommend
155. known AppleJuice packets (beta, only a few tests by now) [enabled/disabled]
- firewall rule <index> ipp2p winmx: all known WinMX packets (beta) [enabled/disabled]
- firewall rule <index> ipp2p soul: all known SoulSeek packets (beta) [enabled/disabled]
- firewall rule <index> ipp2p ares: all known Ares packets (use with DROP only, beta) [enabled/disabled]

6.4.3.7 Rule Targets
To jump to a specific chain, set the rule target to be equal to that chain's name. The chain should already exist.

- firewall rule <index> target: specify the rule target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUERADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG]

6.4.3.7.1 ACCEPT
As soon as the packet is matched, the rule is accepted and the packet will not continue traversing the current chain or any other ones in the same table. This target has no additional options.

    firewall rule <index> target ACCEPT

6.4.3.7.2 DNAT Target
The DNAT target is used to rewrite the destination IP address of a packet. If a packet is matched, the packet and all subsequent packets in the same stream will be translated and then routed to the correct device, host or network. The DNAT target is only available in the PREROUTING and OUTPUT chains of the NAT table.

    firewall rule <index> target DNAT

- firewall rule <index> t dnat dst: specify the IP or IP range. The IP range format is IP-IP, e.g. 194.236.50.155-194.236.50.160.

Example:

    firewall rule 1 target DNAT
    firewall rule 1 t dnat dst
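The rule targets and their placement restrictions from section 6.4.3.7 (REDIRECT, REJECT, RETURN and SNAT from the earlier fragment, DNAT here), as an added example that is not code from the manual or the device. It reads "firewall rule <index> <key> <value>" lines, checks each target against the chains the manual says it is valid in, and renders the equivalent netfilter command so that a port-forwarding configuration can be reviewed before it is applied. The sample configuration is constructed for this example, and the mapping of the manual's keys to iptables options (and the assumption that a rule without a status key is enabled) is the author's, not the device's own rendering.

```python
from collections import defaultdict

# Constructed example: the key-to-option mapping below is an assumption made
# for this illustration, not the ShadowAP firmware's own translation.

# Where the manual says each target may appear: (table or None for any, chain).
TARGET_PLACEMENT = {
    "DNAT": {("nat", "PREROUTING"), ("nat", "OUTPUT")},
    "SNAT": {("nat", "POSTROUTING")},
    "REDIRECT": {("nat", "PREROUTING"), ("nat", "OUTPUT")},
    "REJECT": {(None, "INPUT"), (None, "FORWARD"), (None, "OUTPUT")},
}
MATCH_OPTIONS = {"in": "-i", "out": "-o", "src": "-s", "dst": "-d",
                 "protocol": "-p", "sport": "--sport", "dport": "--dport"}
TARGET_OPTIONS = {"t dnat dst": "--to-destination", "t snat source": "--to-source",
                  "t redirect port": "--to-ports", "t reject with": "--reject-with"}

# Constructed sample configuration: forward TCP/80 on ixp0 to a LAN host,
# masquerade-style SNAT on the way out, reject telnet, and one disabled rule.
SAMPLE_CONFIG = """
firewall rule 1 status enabled
firewall rule 1 table nat
firewall rule 1 chain PREROUTING
firewall rule 1 in ixp0
firewall rule 1 protocol TCP
firewall rule 1 dport 80
firewall rule 1 target DNAT
firewall rule 1 t dnat dst 192.168.3.10
firewall rule 2 table nat
firewall rule 2 chain POSTROUTING
firewall rule 2 out ixp0
firewall rule 2 target SNAT
firewall rule 2 t snat source 203.0.113.5
firewall rule 3 chain FORWARD
firewall rule 3 protocol TCP
firewall rule 3 dport 23
firewall rule 3 target REJECT
firewall rule 3 t reject with tcp-reset
firewall rule 4 status disabled
firewall rule 4 chain INPUT
firewall rule 4 target DROP
"""


def parse_rules(text):
    """Group 'firewall rule <index> <key...> <value>' lines into one dict per rule."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["firewall", "rule"]:
            continue  # blank lines and keys that are not per-rule settings
        rules[int(parts[2])][" ".join(parts[3:-1])] = parts[-1]
    return dict(sorted(rules.items()))


def check_placement(rule):
    """Raise ValueError when a target sits in a table/chain the manual forbids."""
    table, chain, target = rule.get("table", "filter"), rule["chain"], rule["target"]
    allowed = TARGET_PLACEMENT.get(target)
    if allowed is not None and not any(
            (t is None or t == table) and c == chain for t, c in allowed):
        raise ValueError(f"target {target} is not valid in {table}/{chain}")
    if ("dport" in rule or "sport" in rule) and rule.get("protocol", "").lower() not in ("tcp", "udp"):
        raise ValueError("port matches require protocol TCP or UDP")
    return table, chain, target


def placement_problem(rule):
    """Return the placement error text for a rule, or None when it is valid."""
    try:
        check_placement(rule)
        return None
    except ValueError as exc:
        return str(exc)


def render_rule(rule):
    """Render one validated rule as an iptables append command."""
    table, chain, target = check_placement(rule)
    cmd = ["iptables", "-t", table, "-A", chain]
    for key, opt in MATCH_OPTIONS.items():
        if key in rule:
            cmd += [opt, rule[key].lower() if key == "protocol" else rule[key]]
    cmd += ["-j", target]
    for key, opt in TARGET_OPTIONS.items():
        if key in rule:
            cmd += [opt, rule[key]]
    return " ".join(cmd)


def render_config(text):
    """Render every enabled rule; a missing status key is treated as enabled (assumption)."""
    return [render_rule(r) for r in parse_rules(text).values()
            if r.get("status", "enabled") == "enabled"]


if __name__ == "__main__":
    for line in render_config(SAMPLE_CONFIG):
        print(line)
```

Reviewing the rendered commands side by side with the configuration makes it obvious when a DNAT rule lacks the filter-table FORWARD rule that actually admits the forwarded traffic, or when an SNAT rule has been placed in PREROUTING, where the manual says it is not valid and `placement_problem` reports it.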
156. l has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP does not make sense, but you could do that too. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.

arpnat
The arpnat target can only be used in the POSTROUTING and PREROUTING chains of the nat table. It is used instead of the absolute Wireless Station Bridge application. It must be used in both the POSTROUTING and PREROUTING chains to make the Wireless Station Bridge work properly. arpnat may be configured using these options:

- ebtables arpnat expiration: specify the expiration time in seconds [number]. Default: 25200 s.
- ebtables arpnat debug: [enabled/disabled]. Default: disabled.
- ebtables arpnat bootpnat: [enabled/disabled/relay]. Default: enabled.
- ebtables arpnat pppoenat: [enabled/disabled]. Default: enabled.
- ebtables rule <index> t arpnat_target: specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUERADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG]. Default: ACCEPT.

macvlan
The macvlan target can be used to add or remove an 802.1Q VLAN tag. Example of how to remove and add a VLAN tag:

    ebtables -t nat -I PREROUTING -i ixp0 -j macvlan --untag 3

    ebtables rule 1 table nat
    ebtables rule 1 chain PREROUTING
    ebtables rule 1 in ixp0
    ebtables rule 1 target macvlan untag 3
    ebtables rule 1 t arpnat_target ACCEPT
157. l rule <index> tcpoption inverse: specify the match value inverse status [enabled/disabled]. Default: disabled.

6.4.3.4 ICMP Matches

- firewall rule <index> icmp type: specify the ICMP type [any/echo-reply/destination-unreachable/network-unreachable/host-unreachable/protocol-unreachable/port-unreachable/fragmentation-needed/source-route-failed/network-unknown/host-unknown/network-prohibited/host-prohibited/TOS-network-unreachable/TOS-host-unreachable/communication-prohibited/host-precedence-violation/precedence-cutoff/source-quench/redirect/network-redirect/host-redirect/TOS-network-redirect/TOS-host-redirect/echo-request/router-advertisement/router-solicitation/time-exceeded/ttl-zero-during-transit/ttl-zero-during-reassembly/parameter-problem/ip-header-bad/required-option-missing/timestamp-request/timestamp-reply/address-mask-request/address-mask-reply]. ICMP types can be specified either by their numeric values or by their names. Numerical values are specified in RFC 792.
- firewall rule <index> icmp type inverse: specify the match value inverse status [enabled/disabled]. Default: disabled.

6.4.3.5 Explicit Matches

- firewall rule <index> limit: specify the maximum average number of matches to allow per time unit [0-65535 / second, minute, hour or day], e.g. 5/second.
- firewall rule <index> limit burst: specify the maximum burst per time unit before the above limit kicks in [0-65535 / second, minute, hour or day], e.g.
158. lity:

- It runs only with a default configuration. Only a single BSSID is allowed. The DHCP client runs on the WAN interface; DHCP servers run on the LAN and Wireless interfaces.
- It is impossible to change the configuration. All features are locked down until a valid license is presented. Any changes made in the configuration will not be stored in the flash memory of the device; thus only the default settings will be used after a reboot.

The license period specifies the time period wherein newly released firmware images can be upgraded on the particular ShadowAP device. Once a valid license file has been uploaded, it will be valid even after the license period expiration.

Note: the device license will still be valid after resetting the device to defaults.

Download current license file: click to download the current device license file to your local PC.

License File Upload: click for the license file upload on the device.

Browse: click to specify the license file you want to upload on the device.

Upload: click to upload the chosen license file on the device.

Note: be certain you are uploading a valid license file. After the new license file is uploaded, the device must be rebooted for the changes to take effect. For instructions on how to reboot the device, refer to the Reboot section on the Maintenance page. In case a faulty license file has been uploaded, the device becomes inactive after reboot and the default configuration w
159. ll be routed according to the RADIUS authentication request/response. The system routing mechanism works in the same manner as the static source routing, except for the fact that the routing rules will be defined automatically during the authorization routines. Each routing table is dedicated to a separate tunnel (IPsec, GRE, VSSID or VLAN interface) and has a unique name which is used as the Tunnel ID. Selection of the route is successful only if there exists a Tunnel ID which corresponds to the Tunnel-Assignment-ID attribute provided by RADIUS on Access-Accept. The same Tunnel-Assignment-ID RADIUS attribute value should be used in all the RADIUS accounting requests if it was available in the RADIUS Access-Accept packet.

In the provided example the device should have configured tunnels, each of which should have an assigned Tunnel ID. If there is no existing tunnel with a corresponding Tunnel ID, the authentication will fail and the client station will be denied any network access beyond the NAS device.

With source routing enabled, the administrator must make sure that all source routing key route rule <index> prio values are in the 10000-20000 range. The system authenticator will create dynamic source routes with priority in the range 900-1000.

If there are several Tunnel-Assignment-ID alternatives matching available Tunnel IDs on a device, the first matching Assigned Tunnel ID will be selected with the lowest Tunnel-Preference RADIUS
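The tunnel selection and priority rules described above, as an added example that is not code from the manual or the device. It picks the tunnel for a session from the tagged Tunnel-Assignment-ID / Tunnel-Preference attributes of an Access-Accept, denies the session when no configured Tunnel ID matches, and flags static route rule priorities that leave the 10000-20000 range the manual reserves for them. The attribute representation as (tag, name, value) tuples, the sample packet and the treatment of an alternative without a Tunnel-Preference as least preferred are assumptions made for this example.

```python
# Constructed example: selection logic for the Tunnel-Assignment-ID rule.
# Attribute tuples and the sample Access-Accept are constructed; the RADIUS
# decoding that would produce them is outside this snippet.

def select_tunnel(access_accept_attrs, device_tunnel_ids):
    """Return the Tunnel ID to route the session into, or None to deny access.

    access_accept_attrs: iterable of (tag, attribute_name, value) tuples.
    device_tunnel_ids: set of tunnel names configured on the device.
    Among alternatives whose Tunnel-Assignment-ID matches a configured tunnel,
    the lowest Tunnel-Preference wins; ties go to the first one in the packet.
    An alternative without a Tunnel-Preference sorts last (assumption).
    """
    prefs = {}
    for tag, name, value in access_accept_attrs:
        if name == "Tunnel-Preference":
            prefs[tag] = int(value)
    candidates = []
    for position, (tag, name, value) in enumerate(access_accept_attrs):
        if name == "Tunnel-Assignment-ID" and value in device_tunnel_ids:
            candidates.append((prefs.get(tag, float("inf")), position, value))
    if not candidates:
        return None  # no tunnel with this ID: authentication fails
    return min(candidates)[2]


def static_prio_violations(route_rules):
    """Indices of route rule <index> prio values outside 10000-20000.

    Dynamic routes created by the authenticator use priorities 900-1000, so a
    static rule below 10000 can shadow or collide with them.
    """
    return sorted(idx for idx, prio in route_rules.items()
                  if not 10000 <= prio <= 20000)


# Constructed sample: three tagged alternatives, only two tunnels configured.
SAMPLE_ACCESS_ACCEPT = [
    (1, "Tunnel-Type", "GRE"),
    (1, "Tunnel-Assignment-ID", "gre1"),
    (1, "Tunnel-Preference", "20"),
    (2, "Tunnel-Type", "ESP"),
    (2, "Tunnel-Assignment-ID", "ipsec0"),
    (2, "Tunnel-Preference", "10"),
    (3, "Tunnel-Type", "VLAN"),
    (3, "Tunnel-Assignment-ID", "vlan99"),
    (3, "Tunnel-Preference", "5"),
]
CONFIGURED_TUNNELS = {"gre1", "ipsec0"}

if __name__ == "__main__":
    print(select_tunnel(SAMPLE_ACCESS_ACCEPT, CONFIGURED_TUNNELS))
    print(static_prio_violations({1: 15000, 2: 950, 3: 20000}))
```

The most preferred alternative in the sample (vlan99, preference 5) is ignored because no tunnel with that ID exists on the device; the selection falls through to ipsec0 rather than to the first alternative in the packet.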
160. ll installation steps refer to users using Windows XP (other Windows versions accordingly) and assume that a wireless networking device is already installed on the computer.

Step 1: Follow steps 1-4 from 2.4.1 Using Ethernet Connection, modifying your Wireless Network Connection instead of your Local Area Network Connection.

Step 2: If not already done, enable the wireless network connection(s).

Figure 2.4.4 Enabling the Wireless Network Connection

Step 7: Choose the ShadowAP device's SSID from the list of available wireless networks. The default SSID is DEFAULT1 for the ixp0/ath0 bridge, using channel 153 on the 802.11a 5.765 GHz band.

Figure 2.4.5 List of Wireless Connections
161. lows broadcasting DHCP requests on the WAN when no unicast server address is known.

- dhcp fwd client <index> status: specify the status of the client interface [enabled/disabled]. Default: enabled.
- dhcp fwd client <index> devname: specify the client interface name. This parameter defines a LAN interface where DHCP clients reside. A few interfaces may be defined.
- dhcp fwd client <index> circuit_id: specify the client circuit id [string]. Every client interface (LAN) may have its own unique identifier. The NAS ID, NAS MAC or NAS IP could be used as the circuit id. Refer to section 6.4.1.1 Network Access Server (NAS) for details about NAS settings. The DHCP servers can provide IP addresses from different address pools depending on the circuit id. Please refer to RFC 3046 for details.

Example 1: simple configuration with one client interface (LAN) and one server interface (WAN)

    dhcp fwd status enabled
    dhcp fwd server 1 status enabled
    dhcp fwd server 1 devname ixp0
    dhcp fwd server 1 ip bcast
    dhcp fwd client 1 status enabled
    dhcp fwd client 1 devname ath0

Example 2: configuration to show all the possible features

    dhcp fwd status enabled
    dhcp fwd server 1 status enabled
    dhcp fwd server 1 devname ixp0
    dhcp fwd server 1 ip 192.168.2.125
    dhcp fwd server 2 status enabled
    dhcp fwd server 2 devname ixp2
    dhcp fwd server 2 1
    dhcp fwd client 1
    dhcp fwd client
162. lt-in chains. Users can create additional chains and include them into built-in chains for more flexibility. Here is the built-in chain list for those tables:

- filter: INPUT, FORWARD, OUTPUT
- nat: PREROUTING, OUTPUT, POSTROUTING
- broute: BROUTING

For details about the nat and filter tables and their chains, check Section 6.4.3 IP Firewall. The broute table is used to make a brouter. The targets DROP and ACCEPT have a special meaning in the broute table: DROP actually means the frame has to be routed, while ACCEPT means the frame has to be bridged. The BROUTING chain is traversed very early. It is only traversed by frames entering on a bridge-enslaved network interface that is in forwarding state. Normally those frames would be bridged, but you can decide otherwise here. The redirect target, described below, is very handy here.

All available keys of the Bridging Firewall feature are listed below.

- ebtables status: specify the bridging firewall feature status [enabled/disabled]. Default: disabled.
- ebtables <table name> <chain name> policy: specify the policy [ACCEPT/DROP/RETURN]. Default: ACCEPT. See below for descriptions.
- ebtables chain <index> status: specify the chain entry status [enabled/disabled]. Default: enabled.
- ebtables chain <index> name: specify the chain name [string].
- ebtables chain <index> table: specify the chain table name [filter/nat/broute].

6.4.4.1.1 Rules Configuration
A
163. lue is 0.

- aaa domain <index> default interim_update: specify the default accounting interim update interval in seconds [integer]. Default: 300. The value 0 means disabled; the minimum interval is 60 seconds. By standard, the RADIUS server must be configured to send the desired interim update interval in the Acct-Interim-Interval request attribute. This value can only appear in the Access-Accept message. If such an attribute is present, it overrides the configured value. If the Acct-Interim-Interval attribute was missing on Access-Accept, the default value will be used.

Example:

    aaa domain 1 status enabled
    aaa domain 1 name AAA
    aaa domain 1 acct 1 status enabled
    aaa domain 1 acct 1 profile ACCT
    aaa domain 1 acct mode failover
    aaa domain 1 auth 1 status enabled
    aaa domain 1 auth 1 profile AUTH
    aaa domain 1 default idletimeout 300
    aaa domain 1 default sessiontimeout 30000
    aaa domain 1 default maxrxbandwidth 250000
    aaa domain 1 default maxtxbandwidth 500000
    aaa domain 1 default minrxbandwidth 0
    aaa domain 1 default mintxbandwidth 0
    aaa domain 1 default interim update 240

6.4.1.5 Dynamic WEP Security Profile
This section describes the configuration of dynamic WEP security for usage with the AAA service. WEP is a data privacy mechanism based on a 64-bit or 128-bit shared key algorithm, as described in the IEEE 802.11 standard.

All available keys of the Dynamic WEP configuration are listed
164. ly disassociated clients [the same format as connection time]
- RX bytes
- TX bytes
- SSID

- statsd status: enable network usage statistics gathering on the device [enabled/disabled]. Default: disabled.
- statsd verbose: switch on debug messages of the statsd daemon [enabled/disabled]. Default: disabled.

6.6 System Services Configuration
This section describes system settings: device clock synchronization, NTP configuration and device message logging features.

6.6.1 Manual Clock Regulation
To set the device's internal clock, use these keys for configuration:

- date status: specify the manual clock status [enabled/disabled]. Default: disabled.
- date manual: specify the date value [MMDDhhmmYYYY.SS]. The time stamp format is: MM = month (01-12), DD = day of month (01-31), hh = hour (00-23), mm = minute (00-59), YYYY = year (1970-2037), SS = seconds (00-59).
- date lastknowntime status: specify the last known time feature status [enabled/disabled]. When this feature is enabled, the system will save and restore the clock settings after a reboot using the /etc/persistent/lastknowntime file. This should be used together with the NTP service: the system clock will be set to the last reboot time if no NTP servers are available. Default: disabled.
- date timezone: specify the timezone information [string]. The timezone string is one of these special formats:
  - std offset
  - std offset dst offset start ti
165. me

- Acct-Input-Packets (47, Integer) [X]: indicates how many packets have been received from the port over the course of this service being provided.
- Acct-Output-Packets (48, Integer) [X]: indicates how many packets have been sent to the port in the course of delivering this service.
- Acct-Terminate-Cause (49, Integer) [X]: 1 = Explicit Logoff, 4 = Idle Timeout, 5 = Session Timeout, 6 = Admin Reset, 9 = NAS Error, 10 = NAS Request, 11 = NAS Reboot.
- Acct-Input-Gigawords (52, Integer) [X]: this attribute indicates how many times the Acct-Input-Octets counter has wrapped around 2^32 over the course of this service being provided.
- Acct-Output-Gigawords (53, Integer) [X]: this attribute indicates how many times the Acct-Output-Octets counter has wrapped around 2^32 in the course of delivering this service.
- NAS-Port-Type (61, Integer) [X X]: 15 = Ethernet, 19 = 802.11.
- Acct-Interim-Interval (85, Integer) [X]: interval (seconds) to send accounting interim updates.

7 WISPr Vendor Specific Attributes
Location ID, Location Name, Logoff URL, Redirection URL, Bandwidth Min Up, Bandwidth Min Down, Bandwidth Max Up, Bandwidth Max Down, Session Terminate Time, Session Terminate End of Day, Billing Class Of Service.

3.1 Vendor Specific Attributes
The Wi-Fi Alliance recommends a list of certain Vendor Specific Attributes (VSA). The VSA values are intended to provide location information to the backend processing sys
166. me, end time. The first format is used when there is no daylight saving time in the local timezone. The std string specifies the name of the time zone and must be three or more alphabetic characters. The offset string immediately follows std and specifies the time value to be added to the local time to get Coordinated Universal Time (UTC). The offset is positive if the local time zone is west of the Prime Meridian and negative if it is east. The hour must be between 0 and 24, and the minutes and seconds between 0 and 59.

The second format is used when there is daylight saving time. There are no spaces in the specification. The initial std and offset specify the standard time zone, as described above. The dst string and offset specify the name and offset for the corresponding daylight savings time zone. If the offset is omitted, it defaults to one hour ahead of standard time. The start field specifies when daylight savings time goes into effect, and the end field specifies when the change is made back to standard time. These fields may have the following formats:

- Jn: this specifies the Julian day, with n between 1 and 365. February 29 is never counted, even in leap years.
- n: this specifies the Julian day, with n between 1 and 365. February 29 is counted in leap years.
- Mm.w.d: this specifies day d (0 <= d <= 6) of week w (1 <= w <= 5) of month m (1 <= m <= 12). Week 1 is the first week in which day d occurs, and week 5 is the last week in which d
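A parser for the timezone string format described above, as an added example that is not code from the manual or the device. It splits "std offset[dst[offset][,start[/time],end[/time]]]", applies the sign convention (positive offset = west of the Prime Meridian), the one-hour default for the dst offset, and resolves Jn, n and Mm.w.d rules to calendar dates for a given year, including the "week 5 means the last such day" case. Two points go beyond the manual's text and follow the POSIX definition of this format instead: plain n is treated as zero-based (0 to 365), and a rule without a /time part defaults to 02:00:00. Function names and the sample strings are this example's own.

```python
import re
from datetime import date, timedelta

# Constructed example: POSIX-style TZ string parsing. Not the firmware's code;
# the /time default of 02:00:00 and zero-based plain n follow POSIX.

_NAME = r"[A-Za-z]{3,}"                      # std / dst: three or more letters
_OFF = r"[+-]?\d{1,2}(?::\d{2}(?::\d{2})?)?"  # [+-]hh[:mm[:ss]]
_TZ_RE = re.compile(
    rf"^(?P<std>{_NAME})(?P<stdoff>{_OFF})"
    rf"(?:(?P<dst>{_NAME})(?P<dstoff>{_OFF})?(?:,(?P<start>[^,]+),(?P<end>[^,]+))?)?$"
)


def parse_offset(text):
    """Offset string to seconds; positive means west of UTC, as the manual states."""
    sign = -1 if text.startswith("-") else 1
    parts = text.lstrip("+-").split(":")
    h, m, s = (int(p) for p in (parts + ["0", "0"])[:3])
    if not (0 <= h <= 24 and 0 <= m <= 59 and 0 <= s <= 59):
        raise ValueError(f"bad offset {text!r}")
    return sign * (h * 3600 + m * 60 + s)


def parse_tz(tz):
    """Split a timezone string into std/dst names, offsets and transition rules."""
    m = _TZ_RE.match(tz)
    if not m:
        raise ValueError(f"unparseable timezone string {tz!r}")
    spec = {"std": m["std"], "std_offset": parse_offset(m["stdoff"]), "dst": m["dst"]}
    if m["dst"]:
        # Omitted dst offset: one hour ahead of standard time, i.e. 3600 s less to add.
        spec["dst_offset"] = (parse_offset(m["dstoff"]) if m["dstoff"]
                              else spec["std_offset"] - 3600)
        spec["start"], spec["end"] = m["start"], m["end"]
    return spec


def _is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def resolve_rule(rule, year):
    """Return (date, seconds_after_midnight) for a Jn, n or Mm.w.d rule."""
    day_rule, _, time_part = rule.partition("/")
    secs = parse_offset(time_part) if time_part else 2 * 3600  # POSIX default 02:00:00
    if day_rule.startswith("J"):                 # Jn: 1..365, Feb 29 never counted
        n = int(day_rule[1:])
        if not 1 <= n <= 365:
            raise ValueError(f"Jn out of range: {rule!r}")
        d = date(year, 1, 1) + timedelta(days=n - 1)
        if _is_leap(year) and n >= 60:
            d += timedelta(days=1)                  # skip over February 29
    elif day_rule.startswith("M"):               # Mm.w.d: day d of week w of month m
        mo, w, wd = (int(x) for x in day_rule[1:].split("."))
        if not (1 <= mo <= 12 and 1 <= w <= 5 and 0 <= wd <= 6):
            raise ValueError(f"Mm.w.d out of range: {rule!r}")
        first = date(year, mo, 1)
        first_wd = (first.weekday() + 1) % 7     # POSIX: 0 = Sunday; Python: 0 = Monday
        d = first + timedelta(days=(wd - first_wd) % 7 + 7 * (w - 1))
        if d.month != mo:                        # week 5: the last such day of the month
            d -= timedelta(days=7)
    else:                                        # n: zero-based, Feb 29 counted (POSIX)
        n = int(day_rule)
        if not 0 <= n <= 365:
            raise ValueError(f"n out of range: {rule!r}")
        d = date(year, 1, 1) + timedelta(days=n)
    return d, secs


def dst_bounds(tz, year):
    """(start, end) transitions for the year, or None when the zone has no DST rules."""
    spec = parse_tz(tz)
    if not spec.get("dst") or not spec.get("start"):
        return None
    return resolve_rule(spec["start"], year), resolve_rule(spec["end"], year)


if __name__ == "__main__":
    print(parse_tz("EST5EDT,M3.2.0,M11.1.0"))
    print(dst_bounds("EST5EDT,M3.2.0,M11.1.0", 2024))
```

A device whose clock is set from an NTP server but whose timezone string is mis-typed (a two-letter std name, an offset with the sign reversed) will log events with a consistent but wrong local offset; checking the string with a parser like this before committing it avoids having to correlate logs across a silent hour or two of skew.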
167. me, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE can let you do other things with the frame in other rules of the chain.

redirect
The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table.

- ebtables rule <index> t redirect_target: specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUERADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].

After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.

snat
The snat target can only be used in the POSTROUTING chain of the nat table. It specifies that the source MAC address has to be changed.

- ebtables rule <index> t to_source: specify the source MAC address [colon separated 6 hexadecimal value pairs].
- ebtables rule <index> t snat_target: specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUERADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].

After doing the snat, the rule stil
168. means stop traversing this chain and resume at the next rule in the previous (calling) chain. TARGET EXTENSIONS: see section 6.4.4.1.5 Target Extensions (arpreply).
6.4.4.1.2 Rule Matches
ebtables.rule.<index>.protocol: specify the protocol that is responsible for creating the frame (hexadecimal number below 0x0600, a name from the /etc/ethertypes file, or LENGTH). The protocol field of the Ethernet frame can be used to denote the length of the header (802.2/802.3 networks). When the value of that field is below or equals 0x0600, the value equals the size of the header and should not be used as a protocol number. Instead, all frames where the protocol field is used as the length field are assumed to be of the same protocol. The protocol name for these frames is LENGTH. Contents of the /etc/ethertypes file are listed at http://www.cavebear.com/archive/CaveBear/Ethernet/type.html
ebtables.rule.<index>.protocol.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
ebtables.rule.<index>.src: specify the source MAC address (colon-separated 6 hexadecimal value pairs). Alternatively, one can specify Unicast, Multicast, Broadcast or BGA (Bridge Group Address): Unicast = 00:00:00:00:00:00/01:00:00:00:00:00, Multicast = 01:00:00:00:00:00/01:00:00:00:00:00, Broadcast = ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff, or BGA = 01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff. Note that a broadcast address will also match the mul
169. meter status (enabled, disabled). Default: enabled.
resolv.host.<index>.alias.<index>.name: specify the alias hostname (string). Aliases are used for name changes, alternate spellings, shorter hostnames or generic hostnames (e.g. localhost).
Example:
resolv.status=enabled
resolv.nameserver.1.ip=204.74.112.1
resolv.nameserver.2.ip=204.74.112.2
resolv.search.1.domain=domain1.net
resolv.search.2.domain=domain2.net
resolv.host.1.ip=127.0.0.1
resolv.host.1.name=host.domain1.net
resolv.host.1.alias.1.name=fireball
resolv.host.1.alias.2.name=localhost.localdomain
resolv.host.1.alias.3.name=localhost
6.2.5 DNS Forwarder
The DNS request forwarder (called DNSMASQ) intercepts all DNS requests from wireless LAN clients and forwards them to a particular DNS server (or servers), which may be defined in the system configuration file or dynamically obtained through a DHCP lease. The forwarder will check for changes to the system's DNS settings on every DNS request. The forwarder has a cache which speeds up DNS requests and reduces network traffic. It listens on the standard DNS TCP and UDP ports (53) on the interfaces specified in the configuration file. Two firewall rules are required for the forwarder to function correctly.
The available keys of the DNS forwarder feature are listed below:
dnsmasq.status: specify the DNSMASQ feature status (enabled, disabled).
dnsmasq.<index>.status: specify the current DNSMASQ entry status (enabled, disabled).
dnsmasq.<index
170. n Use the information displayed to determine if a firmware version upgrade is necessary.
Firmware Image: click Browse to find the new firmware image on your computer. Then click Upload to save it onto the device.
Upgrading your ShadowAP's firmware will cause the current configuration to be reset to the factory defaults. Please back up your configuration before upgrading your ShadowAP.
Reboot Device: clicking Reboot will save the current modified configuration file onto the device, and the device will then proceed to restart and refresh all of the most recent settings. This process may take up to one minute to complete.
Reset device to factory defaults: click this button to reload the factory default configuration.
Do not switch off and do not disconnect the device from the power supply during the firmware update process, as the device could be damaged.
4.4.2 Password
The Password page is for changing the existing administrator's password. The only way to gain access to the web management if you forget the administrator password is to return your ShadowAP to Waveteq Communications.
[Figure 4.4.3 Change the Administrator's Password: Administrative Account form with fields Username (admin), Old password, New password, Verify password]
Username: displays the username of the currently connected administrator. This parameter is not changeable.
Old password: enter the old administrator password.
New password: enter the new administrator
171. n IP addresses. The DNS server, the IP address range, the gateway IP address and the network mask are specified.
dhcpd.1.devname=ixp0
dhcpd.1.status=disabled
dhcpd.2.devname=ath0
dhcpd.2.status=disabled
dhcpd.status=disabled
# DNS FORWARDER: DNS request forwarder intercepts all DNS requests from clients and forwards them to a DNS server.
dnsmasq.status=disabled
# BRIDGE FIREWALL: Used to filter layer 2 packets using a bridging firewall that contains three built-in tables (Filter, NAT and Broute).
ebtables.broute.BROUTING.policy=ACCEPT
ebtables.filter.FORWARD.policy=ACCEPT
ebtables.filter.INPUT.policy=ACCEPT
ebtables.filter.OUTPUT.policy=ACCEPT
ebtables.nat.OUTPUT.policy=ACCEPT
ebtables.nat.POSTROUTING.policy=ACCEPT
ebtables.nat.PREROUTING.policy=ACCEPT
ebtables.rule.1.chain=BROUTING
ebtables.rule.1.in=ath0
ebtables.rule.1.protocol=0x888e
ebtables.rule.1.status=disabled
ebtables.rule.1.table=broute
ebtables.rule.1.target=DROP
ebtables.status=enabled
# IP FIREWALL: Used to filter layer 3 packets using a bridging firewall that contains three built-in tables and corresponding chain lists: NAT (PreRouting, PostRouting, Output), MANGLE (PreRouting, Input, Forward, Output, PostRouting) and FILTER (Input, Forward, Output).
firewall.filter.FORWARD.policy=ACCEPT
firewall.filter.INPUT.policy=ACCEPT
firewall.filter.OUTPUT.policy=ACCEPT
172. nabled, this will match all protocols not specified by firewall.rule.<index>.protocol.
firewall.rule.<index>.src: specify the source IP address. The IP address can be a single address (e.g. 192.168.2.1) or can be used with a network mask to specify whole IP ranges (e.g. 192.168.2.0/24 or 192.168.2.0/255.255.255.0).
firewall.rule.<index>.src.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
firewall.rule.<index>.dst: specify the destination IP address. The IP address can be a single address (e.g. 192.168.2.1) or can be used with a network mask to specify whole IP ranges (e.g. 192.168.2.0/24 or 192.168.2.0/255.255.255.0).
firewall.rule.<index>.dst.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
firewall.rule.<index>.in: specify the interface name where the packet came from. This option is legal only in the INPUT, FORWARD and PREROUTING chains and will not return any error message when used anywhere else. A wildcard character can be used to match a string of letters and numbers, e.g. the value ixp will match all Ethernet devices.
firewall.rule.<index>.in.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
firewall.rule.<index>.out: specify the interface where the packet is going to. This option is legal only in the INPUT, FORWARD and PREROUTING chains and will not return any error message when used anywhere
173. nabled, disabled). Default: enabled. By default, the supplicant requests drivers to perform AP scanning and then uses the scan results to select a suitable AP. Another alternative is to allow the drivers to take care of AP scanning and selection and use the supplicant just to process EAPOL frames based on IEEE 802.11 association information from the driver. enabled (default): the supplicant initiates scanning and AP selection. disabled: the driver takes care of scanning, AP selection and IEEE 802.11 association parameters (e.g. WPA IE generation); this mode can also be used with non-WPA drivers when using IEEE 802.1X mode.
wpasupplicant.profile.<index>.fast_reauth: specify the EAP fast re-authentication (enabled, disabled). By default, fast re-authentication is enabled for all EAP methods that support it. This variable can be used to disable fast re-authentication. Normally, there is no need to disable this.
wpasupplicant.profile.<index>.blacklist_age: specify the timeout in seconds for blacklist entries (integer). Default: 3600. Entries will be deleted from the blacklist after this timeout.
wpasupplicant.profile.<index>.network.<index>.status: specify the current entry status (enabled, disabled). Default: enabled.
wpasupplicant.profile.<index>.network.<index>.ssid: specify the SSID in ASCII format (string).
wpasupplicant.profile.<index>.network.<index>.ssid.hex: specify the SSID in hexadecimal format. Either wpa
174. nager requests using a Get. A MIB variable: the SNMP agent begins this function in response to a request from the SNMP manager. The agent retrieves the value of the requested MIB variable and responds to the manager with that value. The SNMP agent also sends unsolicited trap messages to notify an SNMP manager that a significant event has occurred (e.g. SNMP authentication failures on the agent).
5.3 SNMP Community Strings
SNMP community strings authenticate access to MIB objects and function as embedded passwords. The ShadowAP supports a Read-only community string that gives authorized management stations read access to all objects in the MIB except the community strings, but does not allow write access.
5.4 Use SNMP to Access MIB
As shown in Figure 5.4.1, the SNMP agent gathers data from the MIB. The agent can send traps (notification of certain events) to the SNMP manager, which receives and processes the traps. Traps are messages alerting the SNMP manager to a condition on the network, such as improper SNMP manager authentication, restarts, link status (up or down), MAC address tracking, and so forth. The SNMP agent also responds to MIB-related queries sent by the SNMP manager in get-request, get-next-request and get-bulk format.
[Figure 5.4.1 SNMP Network: the SNMP Manager sends get-request, get-next-request and get-bulk messages to the SNMP Agent on the ShadowAP, which reads the MIB and returns get-response messages and traps]
175. ndex>.acct.out.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
Either the input or the output interface (not both) can be specified for the following authentication match rule.
firewall.rule.<index>.auth: specify the type of client packets, authenticated or not authenticated (auth, not_auth). Default: auth. Based on this match, a single rule for all authenticated or not authenticated clients can be applied, e.g. DROP all packets from unauthenticated clients.
firewall.rule.<index>.auth.in: specify the input interface name.
firewall.rule.<index>.auth.out: specify the output interface name.
firewall.rule.<index>.auth.in.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
firewall.rule.<index>.auth.out.inverse: specify the match value inverse status (enabled, disabled). Default: disabled.
firewall.rule.<index>.list: specify the white or black list to match packets against (white, black). Based on this match, a single rule for all clients going to or from white- or black-listed sites can be applied. The white/black list database is maintained in a separate application. If the configuration value is white, all packets going to or from white-listed sites are matched; usually such a rule has the target ACCEPT. The configuration value black is used for blacklisted sites, together with the DROP target.
6.4.3.6 IPP2P
The goal of IPP2P is to identify peer-to-peer (P2P) data
176. nds (0-65535). If the last received hello packet is older than this value, the bridge in question will initiate the root bridge election procedure. Default: 20.
bridge.<index>.port.<index>.status: specify the current bridge port status (enabled, disabled). Default: disabled.
bridge.<index>.port.<index>.devname: specify the interface name to be added into the bridge (physical interface, VLAN or GRE tunnel).
bridge.<index>.port.<index>.path_cost: specify the port's path cost on this interface (0-65535). This metric is used in the designated port and root port selection algorithms. Default: 100.
bridge.<index>.port.<index>.priority: specify the priority of ports with equal cost (0-255). You can use this to control which port gets used when there are redundant paths. Default: 128.
bridge.arptables: if enabled, bridged ARP traffic will be passed to the arptables FORWARD chain (enabled, disabled). Default: enabled.
bridge.iptables: if enabled, bridged IPv4 traffic will be passed to the iptables chains (enabled, disabled). Default: enabled.
bridge.vlan: if enabled, bridged VLAN-tagged ARP/IP/IPv6 traffic will be passed to the ARP/IP/IPv6 tables (enabled, disabled). Default: enabled.
Example: create bridge br0 with the ixp0 and ath0 interfaces.
bridge.status=enabled
bridge.1.status=enabled
bridge.1.ageing=300
bridge.1.devname=br0
bridge.1.fd=1
bridge.1.hello=20
bridge.1.maxage=300
bridge.1.port.1.status=enabl
177. nfiguration file manually. The configuration file entry field is active and ready for editing. Refer to section 6.1 ShadowAP Configuration File for detailed information about the syntax of the configuration file.
[Figure 4.3.8 Edit Configuration File Manually: the Configuration File Management page with "Upload new configuration file" (Upload), "Download running configuration file" (Download) and an Edit Configuration text field. The field shows the running configuration, beginning with a comment header "Configuration created by skin: Waveteq, version 0.5.14704, generated on 2008-05-01 16:04:54 UTC", the notes "Waveteq Communications Factory Default Configuration" and "Bridged 5.18 GHz 802.11a Access Point Using Internal Antenna", and the first configuration keys (devname=ath0, aaa.1.status=disabled, nas.1.status=disabled). © 2008 WAVETEQ Communications Inc.]
Save: click to save a modified configuration file to the device flash memory. The modified ShadowAP system configuration will become active after the device reboots. A system information message appears with directions to reboot the device. Use the Reboot button to reboot the device and apply the device configuration changes.
[Figure 4.3.9 System Message: "Device needs to be rebooted for new configuration to take effect"]
device to stop working. In this case, try to upload a known good configuration file or perform a reset to factory defaults; see 4.4.1 for details. The emergency IP may also be used to communi
178. ng interfaces:
- Command Line Interface (CLI): refer to Chapter 3 Command Line Interface Management.
- Web browser interface: refer to Chapter 4 Web Interface.
- Simple Network Management Protocol (SNMP) v1, v2, v3: refer to Chapter 5 SNMP Management.
- Local SYSLOG facility with logging to a remote server.
Package Contents
Each ShadowAP is shipped with the following:
- ShadowAP Radio
- Wall Plug AC Adapter
- Passive Power Over Ethernet (PPoE) Injector
- 2 U-Bolts plus 2 washers and 2 hex nuts
- 1 Field Attachable IP67 Ethernet Connector
- Self-Seal Tape
- 1 Ethernet Dust Cover
- ShadowAP Quick Start Guide
- Documentation CD
If any of these items are missing or damaged, please contact Waveteq or a local Waveteq sales representative.
1.2 Feature Locations
Please see Figure 1.2.1 for a look at the location of the ShadowAP's exterior features. Also please note the following regarding these features:
- Feature 1 is the Ethernet port. It will be referred to throughout the manual as ixp0.
- Feature 2 is the N connector port to the Radio. It will be referred to throughout the manual as ath0.
[Figure 1.2.1 ShadowAP Features: Ethernet Interface (ixp0, IP67 rated), Pole Mounting Grip Groove for H & V Polarized Mounting, Radio N RF connector (ath0)]
2.0 Chapter 2 Installation
The ShadowAP can be installed in a variety of configurations as an
179. nload speed in kbps (integer).
bandwidth.<index>.ip: specify the IP address of the client for which the traffic limitation will be set.
bandwidth.<index>.pps: specify packets per second (integer). The packets-per-second value must be calculated according to the formula: down_speed * 1024 / 8 / 1000 = pps. The download speed should be multiplied by 1024 to get the download speed in bps (bits per second). Then this value should be divided by 8 to get the value in Bps (bytes per second). Then this value should be divided by 1000 (the average packet size is 1000 bytes). For example, if the download speed is 1 Mbps (1024 kbps), then we calculate PPS according to the formula: 1024 * 1024 / 8 / 1000 = 131. This means that the minimum PPS value should be 131; otherwise the download process can be unpredictable.
If the device works as a bridge, the name of the bridge port interface (ixp, eth, ath, etc.) should be used, not the bridge interface name (br0, etc.).
Keys of the limitation per interface:
bandwidth.<index>.iface: specify the interface of the ShadowAP device for which the traffic limitation will be set. Only the egress traffic can be limited per interface.
bandwidth.<index>.speed: specify the maximum egress traffic speed in kbps (integer). The speed limitation per interface should be at least the sum of all speed limitations set per IP on that interface.
[Figure residue: Internet <-> ... IP 192.168.0.1]
180. nning of the line.
<CTRL>+<E>: Jump to the end of the line.
<CursUP>, <CursDOWN>: Scroll through the history of commands.
3.2 CLI Access
Use an SSH client application, e.g. Tera Term (http://ttssh2.sourceforge.jp) or PuTTY (http://www.putty.nl), to access the CLI of the ShadowAP based device. Make sure that the SSH server is configured properly (see chapter SSH Server). The default ShadowAP configuration has the DHCP client disabled on the WAN interface. The device IP address will be 192.168.3.1 by default. When connected, the login prompt will be displayed.
3.3 Login
Enter the administrator login settings at the displayed command prompt. The default administrator login settings are: User Name: admin, Password: admin01. Change the default administrator password as soon as possible.
[Figure 3.3.1 CLI Login: "login as: admin", "admin@192.168.2.235's password:", "CLI version 1.0"]
After a successful login, a list of available commands followed by the CLI command prompt will be displayed.
[Figure 3.3.2 Main CLI Commands]
Available commands:
authcheck: Test authentication config
passwd: Change any administrator password
reboot: Reboot device
reset: Reset device to defaults
shell: Start system shell
show: Show device configuration
status: Show device status
quit: Exit CLI
cli>
3.4 Authentication Check
With the authcheck command you can test configured authen
181. nt page on the ShadowAP web interface. Load a pre-defined configuration file for your network setup.
[Figure 4.3.2 Starting Point Page: Factory Default ("By default the ShadowAP is configured to operate as an access point by transparently bridging the Ethernet port ixp0 to the internal antenna ath0", with More Details, Network Diagram and Load Factory Default), and Expert Mode (Upload new configuration file / Browse, Download running configuration file)]
Factory Default: click to load the Factory Default configuration file. By default, the ShadowAP is configured as an access point by transparently bridging the Ethernet port to the internal 5 GHz antenna.
Expert Mode: click to upload a custom configuration file or to download the running configuration file. Multiple ShadowAPs can be quickly configured the same way by loading the same configuration file into each device.
4.3.2 Basic Network
This section is for configuring the basic networking interfaces on the ShadowAP. From this page, each interface can be set up as a DHCP client to obtain an IP address automatically, or it can be assigned a unique IP address. Static DNS servers and a bridge may also be configured.
[Figure: Basic Network page. Ethernet (ixp0): obtain an IP address automatically / Use the following IP address (IP Address 0.0.0.0, IP Subnet Mask 255.255.255.0). Radio (ath0): obtain
182. o the wireless network interfaces, as well as special access rules for wireless clients. Wireless ACL controls can be applied to ath0, ath1 and VSSIDs.
wacl.status=disabled
wds.1.parent=ath0
wds.1.status=enabled
wds.status=enabled
# WIRELESS DISTRIBUTION SYSTEM (WDS) SETTINGS: The WDS feature allows the creation of a wireless infrastructure so that it can be connected at Layer 2 and therefore be seamlessly joined to a wired network. The WDS feature also allows wireless Access Points to be wirelessly connected, eliminating the need for a wired connection between them.
# WIRELESS INTERFACE SETTINGS: These settings configure the general wireless LAN interface parameters, such as WEP, SSID, SSID broadcast suppression, maximum number of clients, Country element (IEEE 802.11d), power constraints and channel switch for IEEE 802.11h, Layer 2 isolation, throughput enhancements and Wireless Multi-Media (WMM).
wireless.1.authmode=1
wireless.1.chanswitch=disabled
wireless.1.compression=disabled
wireless.1.country_element=disabled
wireless.1.devname=ath0
wireless.1.fastframes=disabled
wireless.1.frameburst=disabled
wireless.1.l2_isolation=disabled
wireless.1.max_clients=64
wireless.1.power_constrain=disabled
wireless.1.security=none
wireless.1.security.1.key=
wireless.1.security.default_key=1
wireless.1.security.mode=open
wireless.1.ssid=DEFAULT1
wireless.1.ssid_broadcast=en
183. oid filtering in this chain, since it will be bypassed in certain cases.
- routing decision
- mangle table, FORWARD chain: used for very specific needs where we want to mangle the packets after the initial routing decision but before the last routing decision made just before the packet is sent out.
- filter table, FORWARD chain: used for all the filtering; all forwarded traffic goes through this chain.
- mangle table, POSTROUTING chain: used for specific types of packet mangling that we wish to take place after all kinds of routing decisions have been made, but still on this machine.
- NAT table, POSTROUTING chain: used for SNAT. Avoid doing filtering here, since certain packets might pass this chain without ever hitting it. This is also where masquerading is done.
All available keys of the Firewall configuration are listed below:
firewall.status: specify the IP firewall feature status (enabled, disabled). Default: disabled.
firewall.<table name>.<chain name>.policy: specify the policy (ACCEPT, DROP, RETURN). Default: ACCEPT. See below for descriptions.
Create a custom user chain:
firewall.chain.<index>.status: specify the chain entry status (enabled, disabled). Default: enabled.
firewall.chain.<index>.name: specify the chain name (string without spaces).
firewall.chain.<index>.table: specify the chain table name (nat, mangle, filter). Mandatory.
firewall.chain.<index>.parent: specify the parent c
184. oint.
4.3.4 Advanced Network
The Advanced Network page allows management of advanced networking features, including the DHCP server and DNS services, as well as static routing.
[Figure 4.3.5 DHCP Server Subsection: DHCP Server (Enabled) with per-interface enable checkboxes for Main Ethernet (ixp0), Secondary Ethernet (ixp1), Radio 1 (ath0) and Radio 2 (ath1), each with Starting Address, Ending Address, Netmask, Gateway, DNS 1 and DNS 2 fields; the ixp0 example shows Starting Address 192.168.100.50, Ending Address 192.168.100.250, Netmask 255.255.255.0, Gateway 192.168.100.1]
DHCP Server: use this section to configure an interface as a DHCP server. Be sure to click the enable checkboxes for the DHCP server status as well as for each interface it is to be enabled on.
[Figure 4.3.6 Static Routing Subsection: Static Routing (Enabled) with IP Address, Gateway, Netmask Length and Interface columns and an "Add a route" button; the example row shows IP address 192.168.6.0]
Static Routing: specify the IP address, Gateway, Netmask Length and which interface to enable a route on. Click "Add a route" to configure more than one routing rule.
IP Forwar
185. on the Ethernet ports by default, so the ixp0 port on the ShadowAP will initially only respond to the default static IP address 192.168.3.1. All installation steps refer to users of the Windows XP operating system, although procedures for other operating systems may be similar. Use the following procedure to access the ShadowAP Web management pages via the ixp0 interface, assuming it is using its default settings.
Step 1: Connect the Ethernet cable from the LAN port of the PPoE Injector to your computer.
Step 2: Set up the network adapter on your computer. Go to Start > Settings > Network Connections, right-click on Local Area Connection and select Properties.
[Figure 2.4.1 Network Connections Window: the Windows XP Network Connections folder with the Local Area Connection (WaveTeq Communications) context menu showing Disable, Status, Repair, Bridge Connections, Create Shortcut, Rename and Properties]
Step 4: Access the network adapter's TCP/IP s
186. on v5.22
[Figure 4.2.1 System Information]
Network Information (Interface, MAC Address, IP Address, RX Pkts, RX Errors, TX Pkts, TX Errors):
Ethernet ixp0: 00:D0:12:02:54:33, no IP address, RX Pkts 97182, TX Pkts 43
Bridge br0: 00:0B:6B:0A:7D:23, 192.168.200.221, RX Pkts 15425, RX Errors 0, TX Pkts 461, TX Errors 0
Wireless Information (Interface, SSID, IEEE Mode, Channel, Status, Link): Radio ath0, DEFAULT, A
System Information: displays system information including uptime, license status and firmware version.
Network Information: displays basic receive and transmit information. The table displays how many packets are sent and received, how many errors have occurred while communicating, and the IP address associated with each interface.
Wireless Information: displays general wireless device information. The Status column shows if an interface is turned on, and the Link column shows the signal strength for the wireless link based on the current noise level.
Refresh: click to renew the system information page.
4.2.2 Network Details
The Network Details page displays the main network configuration and receive/transmit statistics of all interfaces.
Network Statistics (Interface; Receive statistics: bytes, packets, errors, drops; Transmit statistics: bytes, packets, errors, drops):
Ethernet ixp0: receive 46593074 bytes, 97569 packets, 3 errors, 0 drops; transmit 46593074 bytes, 4609 packets, 0 errors, 0 drops
Radio ath0: receive 37329 bytes, 612 packets, 0 errors, 0 drops; transmit 37329 bytes, 14365 packets, 0 errors, 12 drops
Bridge br0: receive 3421716 bytes, 15604 packets, 0 errors, 0 drops; transmit 3421716 bytes, 517
187. only initiate sessions with access concentrators which can provide the specified service.
pppoe.<index>.ac_name: specify the desired access concentrator name (string). PPPoE will only initiate sessions with the specified access concentrator.
pppoe.<index>.maxfail: terminate after n consecutive failed connection attempts (integer). Default: 0.
pppoe.<index>.mtu: specify the Maximum Transmission Unit (integer). Default: 1500.
pppoe.<index>.mru: specify the Maximum Receive Unit (integer). Default: 1500.
pppoe.<index>.add_default_route: set enabled to add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is successfully completed (enabled, disabled). Default: enabled.
pppoe.<index>.use_peer_dns: specify whether to use the peer's DNS servers (enabled, disabled). Default: enabled.
pppoe.<index>.lcp_echo_failure: specify the number of LCP echo requests that will be sent without receiving a valid LCP echo reply before pppd considers the peer to be dead (integer). If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp_echo_interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g. the modem has hung up) in situations where no hardware modem control lines are available.
pppoe.<index>.lcp_echo_inte
188. ontrol, CBT, Exterior Gateway Protocol, Any private interior gateway (used by Cisco for their IGRP), BBN RCC Monitoring, Network Voice Protocol, PUP, ARGUS, EMCON, Cross Net Debugger, Chaos, User Datagram, Multiplexing, DCN Measurement Subsystems, Host Monitoring, Packet Radio Measurement, XEROX NS IDP, Trunk-1, Trunk-2, Leaf-1, Leaf-2, Reliable Data Protocol, Internet Reliable Transaction, ISO Transport Protocol Class 4, Bulk Data Transfer Protocol, MFE Network Services Protocol, MERIT Internodal Protocol, Sequential Exchange Protocol, Third Party Connect Protocol, Inter-Domain Policy Routing Protocol, XTP, Datagram Delivery Protocol, IDPR Control Message Transport Protocol, TP++ Transport Protocol, IL Transport Protocol, IPv6, Source Demand Routing Protocol, Routing Header for IPv6
Decimal value / Keyword / Protocol:
44: Fragment Header for IPv6
45: IDRP, Inter-Domain Routing Protocol
46: Reservation Protocol
47: General Routing Encapsulation
48: Mobile Host Routing Protocol
49: BNA
50: Encap Security Payload
51: Authentication Header
52: Integrated Net Layer Security TUBA
53: IP with Encryption
54: NBMA Address Resolution Protocol
55: IP Mobility
56: Transport Layer Security Protocol (Kryptonet key mgmt)
57: SKIP
58: ICMP for IPv6
59: No Next Header for IPv6
60: Destination Options for IPv6
61: Any host internal protocol
62: CFTP
63: Any local network
64: SATNET and Backroom EXPAK
65:
189. or network attached devices. The ShadowAP supports all three SNMP protocol versions in read-only mode.
Clock (NTP Client): The ShadowAP can be configured to periodically update its internal clock from an internet time server. Ensure that your ShadowAP is properly configured to be able to access the specified server.
4.4.4 License
When the device is installed and ready for use, a valid license file should be uploaded to the device to activate the full set of device features. Within the valid license period, newly released firmware images will be available to upgrade or downgrade on the ShadowAP device. After the expiration of the license, the device will keep functioning; however, new firmware revisions released after that period will not be available. Contact Waveteq if you require a new firmware version and your update period has expired.
[Figure 4.4.5 Device License Page: Device License (License status: valid; License period: unlimited; Download current license file), Upload New License (License file, Upload)]
License status: displays the license validity status.
- valid: this license status means that the device has the full functionality of the purchased ShadowAP firmware release. Even after the license period expiration, the device will keep functioning with the current firmware.
- not valid: this license status provides only a very limited functiona
190. ority to use the device. For safety reasons, people should not work in a situation where RF exposure limits could be exceeded. To prevent this situation, the user should avoid installing or using the antenna closer than 3 m (10 ft) from people. To reduce potential radio interference to other users, the antenna type and its gain should be so chosen that the equivalent isotropically radiated power (e.i.r.p.) is not more than that permitted for successful communication. The required antenna impedance is 50 ohms. Antenna types not included in this list, or antennas with gains greater than those listed below, are strictly prohibited for use with this device. This device has been designed to operate with the antennas and power levels listed below:
- SPDN6W: 5100-5900 MHz, 16.8 dBi panel antenna, using transmit power levels of up to 7 dB (5180-5240 MHz) and 12 dB (5755-5795 MHz)
- SPDJ6OP: 5100-5900 MHz, 9 dBi omni antenna, using transmit power levels of up to 14 dB (5180-5240 MHz) and 15 dB (5755-5795 MHz)
- SPAPG20: 2300-2500 MHz, 20.5 dBi panel antenna, using transmit power levels of up to 13 dB
- SPDG8O: 2400-2483 MHz, 9 dBi omni antenna, using transmit power levels of up to 14 dB
Industry Canada Compliance
This Class B digital device complies with Canadian ICES-003. Operation of this device is subject to the following two conditions: (1) this device may not cause interference, and (2) this device must accept any interference, including interference that ma
191. ost popular of which uses GFSK modulation at 2.4 GHz, enabling data rates of 1 or 2 Mbps. Since its inception, two major PHY enhancements have been adopted and become industry standards: 802.11b adds CCK modulation, enabling data rates of up to 11 Mbps; 802.11g supports data rates of up to 54 Mbps in the same frequency band; and 802.11a specifies OFDM modulation and the same 54 Mbps in the 5 GHz frequency band.
A
AAA: Authentication, Authorization and Accounting. A method for transmitting roaming access requests, in the form of user credentials (typically user@domain and password), service authorization and session accounting details between devices and networks in a real-time manner.
authentication: The process of establishing the identity of another unit (client, user, device) prior to exchanging sensitive information.
B
backbone: The primary connectivity mechanism of a hierarchical distributed system. All systems which have connectivity to an intermediate system on the backbone are assured of connectivity to each other. This does not prevent systems from setting up private arrangements with each other to bypass the backbone for reasons of cost, performance or security.
Bandwidth: Technically, the difference in Hertz (Hz) between the highest and lowest frequencies of a transmission channel. However, as typically used, the amount of data that can be sent through a given communications circuit. For example, typical Etherne
192. ...ost inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp sender_prio: specify the BPDU sender priority range (0-65535, 0-65535).
ebtables rule <index> stp sender_prio inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp sender_addr: specify the BPDU sender MAC address (colon-separated 6 hexadecimal value pairs, netmask length in bits). See ebtables rule <index> src for more details.
ebtables rule <index> stp sender_addr inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp port: specify the port identifier range (0-65535, 0-65535).
ebtables rule <index> stp port inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp msg_age: specify the message age timer (0-65535, 0-65535).
ebtables rule <index> stp msg_age inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp max_age: specify the max age timer (0-65535, 0-65535).
ebtables rule <index> stp max_age inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables rule <index> stp hello_time: specify the hello time timer (0-65535, 0-65535).
ebtables rule <index> stp h...
193. ...password for user authentication.
Verify password: re-enter the new password to verify its accuracy.
Change: click to save the new administrator password.
The only way to regain access to the web management interface if you forget the administrator password is to return your ShadowAP to Waveteq Communications. Default administrator login settings are: User Name: admin, Password: admin01.
4.4.3 Remote Management
The Remote Management page allows configuration of administrative access and monitoring of the ShadowAP.
Figure 4.4.4 Remote Management Page (screenshot; fields shown: SSH Server (Enabled, Port 22); HTTP Server (Enabled; Note: HTTPS (secure HTTP) is always enabled); SNMP Agent (Enabled, Name, System location, System contact, Read-only community (v1/v2), Read-only user (v3), Read-only user password (v3)); Clock / NTP Client (Enabled, Timezone GMT 8:00, Server time.nist.gov))
SSH Server: Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel between two computers. When enabled, the ShadowAP shell can be accessed with an SSH client such as PuTTY.
HTTP Server: The HTTP server processes web browser requests to display this graphical user interface. Secure HTTP (HTTPS) is always enabled on port 443.
SNMP Agent: Simple Network Management Protocol (SNMP) is used in network management systems to monit...
194. ...pen system): This setting allows any device, regardless of its WEP keys, to authenticate and attempt to associate.
- 2 (Shared key): This setting tells the AP to send a plain-text shared key query to any device that attempts to associate with the AP.
- 4 (Auto): This setting uses both modes, Open system and Shared key.
wireless <index> country_element: specify the country element status (enabled/disabled). Default: disabled. With this key enabled, the system adds a Country Element to beacons and probe responses according to IEEE 802.11d.
wireless <index> power_constrain: specify the power constraint status (enabled/disabled). Default: disabled. With this key enabled, the system adds a Power Constraint to beacons and probe responses according to IEEE 802.11h.
wireless <index> chanswitch: specify the channel switch status (enabled/disabled). Default: disabled. With this key enabled, the system adds a Channel Switch notification to beacons according to IEEE 802.11h.
wireless <index> fastframes: specify the fast frame status (enabled/disabled). Default: disabled. Frame aggregation into a super frame of up to 3000 B, thus maximizing efficiency through less overhead. Requires an AP that supports fast frame functionality.
wireless <index> frameburst: specify the frame burst status (enabled/disabled). Default: disabled. This technique allows transmitting more than one data frame during each transmission...
195. ...ports multiple EAP-based authentication types such as EAP-TLS, EAP-TTLS and EAP-MD5. The client transfers all authorization and accounting information to a RADIUS server. The RADIUS server must be installed and properly configured to accept requests from the ShadowAP RADIUS client.
These keys are shared by all network blocks:
wpasupplicant status: specify the WPA Supplicant status (enabled/disabled). Default: disabled.
wpasupplicant wait_for_interface: specify whether to wait for all configured interfaces to become available (enabled/disabled). Default: disabled.
wpasupplicant verbose: specify the logging verbosity level (0-4). Default: 2. Verbosity levels are: 0 quiet, 1 somewhat quiet, 2 normal, 3 somewhat verbose, 4 verbose.
wpasupplicant keys: specify whether to include the secret keys (passwords etc.) in verbose output (enabled/disabled). Default: disabled.
wpasupplicant timestamp: specify whether to include the timestamp in verbose output (enabled/disabled). Default: disabled.
wpasupplicant device <index> status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant device <index> devname: specify the name of the ShadowAP network interface on which the WPA/802.1x supplicant will be started.
wpasupplicant device <index> driver: specify the name of the network interface driver to be used (string). Available driver names: hostap, prism54, madwifi, atmel, wext, ndiswrapper, broadcom, ipw2100...
196. ...profile ath0 UAM
aaa 1 wan 1 status enabled
aaa 1 wan 1 devname ixp0
6.4.1.1 Network Access Server (NAS)
All available keys of the NAS configuration are listed below:
aaa nas <index> status: specify the NAS profile status (enabled/disabled). Default: disabled.
aaa nas <index> verbose: specify verbose logging for the NAS (enabled/disabled). This setting may be useful for AAA troubleshooting. Default: disabled.
aaa nas <index> name: specify the NAS profile name (string). Default is the same as aaa nas <index> devname.
aaa nas <index> identifier: specify the NAS identifier (string). Default: <MAC address> <SSID>.
aaa nas <index> devname: specify the interface name to start the NAS on.
aaa nas <index> maxclients: specify the maximum number of simultaneous clients to be accepted on the current NAS (number, limited by HW capabilities). Default: 64. A value of 0 disables client limit checking: the system will allow as many clients simultaneously as it can handle.
aaa nas <index> auth status: specify the authentication status on the NAS server (enabled/disabled). Default: disabled.
aaa nas <index> auth <index> status: specify the current authentication entry status (enabled/disabled).
aaa nas <index> auth <index> type: specify the current authentication type (ieee802.1x, uam, radius_proxy). The radius_proxy type instructs t...
197. ...quest packet for that client.
11. The RADIUS proxy will not start internal RADIUS accounting if no RADIUS accounting information is detected within the specified accounting detection timeout period, or if accounting detection is turned off.
12. The RADIUS proxy will leave the Acct-Session-Id (which is generated internally by the NAS) unchanged, unless an Acct-Session-Id attribute is available in the last RADIUS Access-Request packet from the AP.
13. The RADIUS proxy will log out the client on Acct-Stop if no accounting information is detected for that client.
All available keys of the RADIUS Proxy feature are listed below:
aaa radiusproxy <index> status: specify the RADIUS proxy status (enabled/disabled).
aaa radiusproxy <index> name: specify the RADIUS proxy profile name (string). This should be equal to aaa nas <index> auth <index> profile; see chapter 6.4.1.1 Network Access Server (NAS).
aaa radiusproxy <index> auth port: specify the UDP port for the ShadowAP to listen on for RADIUS authentication packets (0-65535). The ShadowAP RADIUS proxy authentication port will accept only RADIUS authentication packets. Default: 1812.
aaa radiusproxy <index> acct port: specify the UDP port for the ShadowAP to listen on for RADIUS accounting packets (0-65535). The ShadowAP RADIUS proxy accounting port will accept only RADIUS accounting packets. Default: 1813.
aaa radiusproxy <index> acct timeout: specify the RADIUS pro...
198. ...r to achieve at least 60% Fresnel Zone clearance. Reduced Fresnel Zone clearance will contribute to an increased noise floor, thereby decreasing the signal-to-noise ratio. Once the ShadowAP has been mounted, a site scan should be performed to adjust the aim of the antenna to achieve the best possible alignment. For more details on antenna alignment, please see section 4.5.2. The ShadowAP is designed to be weatherproof, but under certain circumstances it can be recommended that additional weatherproofing be applied to the connectors once the ShadowAP has been mounted and connections have been completed. For more details, please see Appendix G, Weather Proofing.
2.2 Ethernet Cable and Connector Assembly
The field-attachable connectors are IP67 rated to prevent ingress of water and dust when properly mated with an Ethernet cable. The steps below show how to create a custom-length cable with the field-attachable connector. Once this cable is complete, it can be connected to the Waveteq ShadowAP. Referring to Figure 2.2.1 throughout, please follow the steps below to install the connector on your cable.
1. Start with an outdoor-rated Ethernet cable that is of sufficient length to reach the installation of the Waveteq ShadowAP. Allow several extra feet in case of future movement. The cable should not exceed 100 m.
2. Carefully strip off approxim...
199. ...rdware configuration are listed below:
radio status: specify the radio module status (enabled/disabled). Default: disabled.
radio countrycode: specify the device's country code. Refer to Appendix E, ISO Country Codes, for your country code. The country code can be specified as a 2- or 3-letter code or a numeric code. The country code helps to ensure compliance with your local regulatory requirements. Ensure that you set this to your operating country.
radio outdoor: specify the operation mode (0/1): 0 is indoor, 1 is outdoor. Default: 0.
radio xchanmode: specify the extended channel mode status (0/1): 0 is disabled, 1 is enabled. Default: 1.
radio <index> status: specify the current radio configuration entry status (enabled/disabled).
radio <index> devname: specify the current wireless interface name.
radio <index> parent: the hardware wireless interface name, e.g. wifi0, wifi1 (string).
radio <index> mode: specify the operating mode of the device (Managed/Master). The device mode depends on the network topology:
- Managed: In this mode the node connects to a network composed of many access points, with roaming.
- Master: In this mode the node is the synchronization master or acts as an access point.
radio <index> channel: specify the wireless channel (auto/number). Multiple channels are available to avoid interference between nearby access points. If you wish to operate more t...
200. ...ready be configured and enabled. While data packets travel through the ShadowAP, the system examines the destination IP address of each packet and chooses an interface to forward the packet to. The system's choice depends on static routing rules (entries), known collectively as the routing table.
route status: specify the status of the routing service (enabled/disabled). Default: disabled.
route ip_forward: specify the IP forwarding status (enabled/disabled). Disabled IP forwarding means that no routing or bridging will take place: a packet received on one interface will not be forwarded through another interface.
route <index> status: specify the current routing entry status (enabled/disabled). Default: enabled.
route <index> devname: specify the network interface name.
route <index> gateway: specify the gateway IP address.
route <index> ip: specify the destination IP address. The destination address can be a network address or a host IP address.
route <index> netmask: specify the destination netmask length in bits (bitmask number, e.g. 24). The netmask is unnecessary for host routes.
route <index> type: specify the route type (unicast, local, broadcast, multicast, throw, unreachable, prohibit, blackhole). Route types:
- unicast: the route entry describes real paths to the destinations covered by the route prefix.
- local: the destinations are assigned to this host. The packets are looped back and delivered locally.
- broadcast: t...
201. ...red SMTP server. It can be implemented by configuring the IP firewall; see the example below.
Example: redirect e-mail for clients on the ixp0 interface (192.168.30.1 is the WAN gateway, 195.14.162.78 is the SMTP server):
firewall status enabled
firewall rule 1 status enabled
firewall rule 1 target SNAT
firewall rule 1 table nat
firewall rule 1 chain POSTROUTING
firewall rule 1 t snat source 192.168.30.1
firewall rule 1 out ixp1
firewall rule 1 protocol TCP
firewall rule 1 dport 25
firewall rule 2 status enabled
firewall rule 2 table nat
firewall rule 2 chain PREROUTING
firewall rule 2 in ixp0
firewall rule 2 dst 195.14.162.78
firewall rule 2 protocol TCP
firewall rule 2 dport 25
firewall rule 2 target ACCEPT
firewall rule 3 status enabled
firewall rule 3 table nat
firewall rule 3 chain PREROUTING
firewall rule 3 protocol TCP
firewall rule 3 in ixp0
firewall rule 3 dport 25
firewall rule 3 target DNAT
firewall rule 3 t dnat dst 195.14.162.78
6.4.6 White/Black List
The white and black access lists control user access to Web content through the Access Controller. Unauthenticated users will be allowed to access sites from the white list, while access to sites from the black list will be denied even for authenticated users. There is a possibility to specify static and remote white/black list entries in the system configuration. The remote list w...
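To see what the SMTP redirection rule set above actually does to a packet, here is an added example (not Waveteq's code) that parses the manual's "firewall rule N key value" lines and walks the nat PREROUTING chain. It assumes rules are evaluated in numeric order and that the first matching ACCEPT or DNAT rule decides the destination; the rule lines are those of the example above, embedded as a constructed sample.

```python
"""Parse ShadowAP-style firewall rule lines and simulate the nat PREROUTING
chain for one TCP packet.  Added example; the evaluation order (numeric,
first match wins) is this example's assumption, not a documented behaviour."""
from collections import defaultdict

# Constructed sample: the SMTP redirection example from the manual text.
SAMPLE_RULES = """
firewall status enabled
firewall rule 1 status enabled
firewall rule 1 target SNAT
firewall rule 1 table nat
firewall rule 1 chain POSTROUTING
firewall rule 1 t snat source 192.168.30.1
firewall rule 1 out ixp1
firewall rule 1 protocol TCP
firewall rule 1 dport 25
firewall rule 2 status enabled
firewall rule 2 table nat
firewall rule 2 chain PREROUTING
firewall rule 2 in ixp0
firewall rule 2 dst 195.14.162.78
firewall rule 2 protocol TCP
firewall rule 2 dport 25
firewall rule 2 target ACCEPT
firewall rule 3 status enabled
firewall rule 3 table nat
firewall rule 3 chain PREROUTING
firewall rule 3 protocol TCP
firewall rule 3 in ixp0
firewall rule 3 dport 25
firewall rule 3 target DNAT
firewall rule 3 t dnat dst 195.14.162.78
"""


def parse_rules(text):
    """Return {rule_number: {key: value}} from 'firewall rule N key... value' lines.
    Multi-word keys such as 't dnat dst' are kept as one space-joined key."""
    rules = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and top-level keys such as 'firewall status enabled'.
        if len(parts) < 4 or parts[:2] != ["firewall", "rule"]:
            continue
        num = int(parts[2])
        key = " ".join(parts[3:-1])
        rules[num][key] = parts[-1]
    return dict(rules)


def prerouting_nat(rules, packet):
    """Walk nat/PREROUTING rules in numeric order for a packet described by
    {'in': iface, 'dst': ip, 'protocol': 'TCP', 'dport': int}.
    Returns (destination after NAT, number of the rule that decided it)."""
    for num in sorted(rules):
        r = rules[num]
        if r.get("status", "enabled") != "enabled":
            continue
        if r.get("table") != "nat" or r.get("chain") != "PREROUTING":
            continue
        # Every match key present on the rule must agree with the packet.
        if "in" in r and r["in"] != packet["in"]:
            continue
        if "dst" in r and r["dst"] != packet["dst"]:
            continue
        if "protocol" in r and r["protocol"].upper() != packet["protocol"].upper():
            continue
        if "dport" in r and int(r["dport"]) != packet["dport"]:
            continue
        if r.get("target") == "ACCEPT":
            return packet["dst"], num          # leave destination as is
        if r.get("target") == "DNAT":
            return r["t dnat dst"], num        # rewrite destination
    return packet["dst"], None                 # no PREROUTING rule matched


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for dst in ("10.0.0.5", "195.14.162.78"):
        print(dst, "->", prerouting_nat(rules, {"in": "ixp0", "dst": dst,
                                                "protocol": "TCP", "dport": 25}))
```

Running the sample shows the intent of the rule set: any TCP/25 connection arriving on ixp0 that is not already addressed to 195.14.162.78 is rewritten by rule 3, while traffic already bound for the SMTP server passes rule 2 untouched and other ports are not affected. Rule 1 (SNAT on ixp1) is parsed but belongs to POSTROUTING, so the walk above ignores it.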
202. ...regular surfaces, in order to cover sharp surfaces (i.e. bolts, screws, nuts, terminal lugs, butt splices, electrical connectors, etc.) and also to create a smooth, evenly tapered surface prior to application of self-fusing tape. Note: When using tape for this purpose, simply stretch and push the tape into the cavity using finger or thumb pressure. Cutting small pieces and pushing the tape into the cavity is another method for filling the irregular surfaces.
- Cut an appropriate length of tape from the roll and remove the liner, taking care not to allow the tape to fold over onto itself.
- Begin wrapping the first layer of tape onto the wire or connection by holding the lead end on the surface and stretching the tape around until it touches itself. The first layer of tape should be stretched continually so that the tape reduces to < 3/4 of its original width. The tape should be applied until it extends a minimum of 1 inch past any bare, un-insulated conducting surface. Note: Tape should be wrapped in a half-lapped fashion. If an environmental seal is not required, then the tape doesn't need to be stretched on any layer.
- Wrap a second layer of tape over the entire surface of the first layer. Figure 7.6.1 below shows a properly taped Ethernet connection after the second tape layer. Note: It is not necessary to stretch the second layer of tape, as the first layer provides the permanent environmental seal and the tape fuses to itself upon contact.
203. ...ress packet priority in bits (0-0x7fffff). If vlan <index> priority_in/out is manual, the user-configured mappings for ingress/egress packets will be set; if no mapping is found, the packet will map to 0 (the same as the default without any mappings). If vlan <index> priority_in is auto, the identity mappings (0 to 0, 1 to 1, ..., 7 to 7) will be generated.
vlan <index> prio_out_map <index> vlan_qos: specify the egress VLAN priority in bits (0-7).
vlan <index> prio_out_map <index> pkt_prio: specify the egress packet priority in bits (0-0x7fffffff). If vlan <index> priority_in/out is manual, the user-configured mappings for ingress/egress packets will be set; if no mapping is found, the packet will map to 0 (the same as the default without any mappings). If vlan <index> priority_in is auto, the identity mappings (0 to 0, 1 to 1, ..., 7 to 7) will be generated.
Example: configure VLAN id 10 on ixp0
vlan status enabled
vlan 1 devname ixp0
vlan 1 id 10
6.2.7 IPsec
The IPsec protocol client enables the ShadowAP to establish a secure connection to an IPsec peer via the Internet. IPsec is supported in two modes, transport and tunnel. Transport mode creates a secure point-to-point channel between two hosts, e.g. AP and client. Tunnel mode can be used to build a secure connection between two remote LANs, serving as a VPN solution. A number of independent secure channels of either mode may be established simultaneously. IP...
204. ...ridge IP address 192.168.3.1 is only for administrative purposes, so that the user can log in and reconfigure the radio through either the ixp0 interface or the wireless ath0 interface on the DEFAULT1 SSID. For more details regarding the default configuration of the ShadowAP, please refer to Appendix H, Factory Default Configuration File.
2.3.1 Emergency IP
In case of a configuration error or forgetfulness, you may not be able to connect to the ShadowAP as expected. In most cases this is due to the user believing that the IP address is different from what has been configured. Most manufacturers require the unit to be sent back in this case, or offer a risky hardware reset function. To solve this problem we have provided a permanent IP address on the Ethernet interface that can never be deleted or changed. One caveat is that the subnet used for the emergency IP can never be used in the same collision domain (LAN) as the ShadowAP. The emergency IP is 172.31.1.1. The computer's IP address must be set manually to the 172.31.1.x / 255.255.255.0 subnet before attempting a connection.
2.4 Connecting to the ShadowAP
Connection to the ShadowAP-based device can be made using the wireless or Ethernet interfaces. The next sections outline the instructions on how to access the ShadowAP-based device management interfaces.
2.4.1 Using Ethernet Connection
Dynamic Host Configuration Protocol (DHCP) is not enabled...
205. ...rval: specify the time interval in seconds at which an LCP echo-request frame will be sent by pppd to the peer (integer). Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.
pppoe <index> debug: specify the connection debugging status (enabled/disabled). Default: disabled. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug.
Example:
pppoe status enabled
pppoe 1 status enabled
pppoe 1 name pppoe
pppoe 1 user user nam
pppoe 1 password user password
pppoe 1 devname ixp0
pppoe 1 mtu 1460
pppoe 1 mru 1460
6.3 Wireless Settings
This section describes the radio hardware (Wireless Radio) and wireless interface (Wireless Interface) settings: WLAN locking, VSSID, wireless access control list (ACL), client bridge and station supervision settings.
6.3.1 Wireless Radio
This section provides the description of the general parameters of the radio hardware, such as: Country code, IEEE mode, Auto channel selection, Radio operating mode, Turbo mode, Data transfer rate, Fragmentation, Distance settings, ACK timeout, RTS/CTS, Transmit power (dBm), RX/TX antenna diversity, Half and quarter rate channel support, FCC security band support. All available keys of the radio ha...
206. ...rver 120
Installation 5
IP firewall 95
  IPP2P 100
  rule matches 97
    explicit 98
    ICMP 98
    implicit 97
  rule targets 101
    accept 101
    DNAT target 101
    DROP 102
    LOG 102
    MARK 102
    MASQUERADE 102
    NAS_MARK 104
    QUEUE 102
    REDIRECT 102
    REJECT 103
    RETURN 103
    SNAT 103
    TOS 103
    TTL 103
    ULOG 104
  rules 96
IP logging 126
IPsec 55
  IPsec Racoon 57
ISO country codes 138
L
licensing 12, 35
Line of Sight (LoS) 5
login 14
M
manual clock regulation 123
mounting 5
N
NAS (Network Access Server) 79
netconf 44
network configuration 76
network usage statistics 123
NTP client 124
P
P2P 100
PoE injector 7
PPPoE 59
product overview 1
protocols 135
Q
QoS 53, 66
R
RADIUS
  accounting servers 81
  authentication servers 80
  domains (WISPs) 82
  proxy 85
  standard attributes 131
  VSA 133
regulatory domain 129
RSN 89
RX antenna 62
S
selective source routing 74
SMTP redirection 115
SNMP 41
SNMP agent 121
source routing 73
SSH 120
SSH Server 120
SSID broadcasting 65
static bandwidth control 118
static routing 72
static supervision 71
STP 47
support xi
sysctl plugin 127
syslog 125
system services 123
T
threshold 62
throughput enhancement
  compression 66
  fast frame (FF) 66
  frameburst 66
TKIP 85
trace system 125
tunnels
  GRE 58
  IPsec 55
  IPsec IKE daemon (racoon) 57
207. ...rver IP address.
dhcpd <index> domain: specify the DHCP domain name (1-128 character string).
Example: configure the DHCP server
dhcpd status enabled
dhcpd 1 devname ixp0
dhcpd 1 start 192.168.4.2
dhcpd 1 end 192.168.4.254
dhcpd 1 gateway 192.168.4.1
dhcpd 1 netmask 255.255.255.0
dhcpd 1 dns 1 server 212.59.0.1
dhcpd 1 lease_time 10000
6.2.3.3 DHCP Relay
DHCP relay forwards DHCP messages between subnets with different sub-layer broadcast domains. DHCP relay won't work if there is a DHCP server or client started on the same LAN interface. Depending on your network configuration, you may need to add firewall rules to allow clients unrestricted access to the DHCP service ports on the DHCP servers. This is needed because, after negotiating a DHCP lease, a client talks to the DHCP server directly and not through the DHCP relay. See section 6.4.3, IP Firewall, for details.
The available keys of the DHCP Relay feature are listed below:
dhcp fwd status: specify the DHCP relay service status (enabled/disabled). Default: disabled.
dhcp fwd server <index> status: specify the current service status (enabled/disabled). Default: enabled.
dhcp fwd server <index> devname: specify the WAN interface name through which the DHCP server can be reached (string, interface name).
dhcp fwd server <index> ip: specify the DHCP server IP address (IP address, or the string bcast). Specifying bcast al...
208. ...s. The Ethernet source MAC and the ARP payload source MAC will be filled in with this address.
ebtables rule <index> t arpreply target: specify the standard target (DNAT, ACCEPT, DROP, LOG, MARK, MASQUERADE, QUEUE, REDIRECT, REJECT, RETURN, SNAT, TOS, TTL, ULOG).
dnat: The dnat target can only be used in the BROUTING chain of the broute table and the PREROUTING and OUTPUT chains of the nat table. It specifies that the destination MAC address has to be changed.
ebtables rule <index> t to_destination: specify the destination MAC address (colon-separated 6 hexadecimal value pairs).
ebtables rule <index> t dnat_target: specify the standard target (DNAT, ACCEPT, DROP, LOG, MARK, MASQUERADE, QUEUE, REDIRECT, REJECT, RETURN, SNAT, TOS, TTL, ULOG). After doing the dnat, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP only makes sense in the BROUTING chain, but using the redirect target is more logical there. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.
mark: The mark target can be used in every chain of every table.
ebtables rule <index> t set_mark: specify the mark number.
ebtables rule <index> t mark_target: specify the standard target (DNAT, ACCEPT, DROP, LOG, MARK, MASQUERADE, QUEUE, REDIRECT, REJECT, RETURN, SNAT, TOS, TTL, ULOG). After marking the fra...
210. ...s and the RADIUS client.
aaa auth <index> stripdomain: specify the strip domain function status (enabled/disabled). Default: disabled. Enabling this option removes the WISP domain prefix from the username before sending it to the RADIUS server; see section 6.4.1.4, RADIUS Domains (WISPs), for details. The default action is to send the username as is. Some RADIUS servers can be configured to require the full, unmodified user name to be sent.
aaa auth <index> authtype: specify the authentication type (PAP, CHAP, MSCHAP, MSCHAPV2). Default: PAP. PAP: Password Authentication Protocol. CHAP: Challenge Handshake Authentication Protocol. MSCHAP: Microsoft Challenge Handshake Authentication Protocol version 1. MSCHAPV2: Microsoft Challenge Handshake Authentication Protocol version 2.
Example:
aaa auth 1 status enabled
aaa auth 1 host 192.168.2.182
aaa auth 1 name AUTH
aaa auth 1 port 1812
aaa auth 1 retry 5
aaa auth 1 secret password
aaa auth 1 stripdomain disabled
aaa auth 1 timeout 15
aaa auth 1 authtype PAP
6.4.1.3 RADIUS Accounting Servers
All available keys of the RADIUS accounting server are listed below:
aaa acct <index> status: specify the RADIUS accounting server profile status (enabled/disabled). Default: enabled.
aaa acct <index> name: specify the RADIUS accounting server profile name (string, mandatory).
aaa acct <index> host: specify the RADIUS accounting server host name or IP addr...
211. ...s authenticated for that station are logged out. Static supervision should run on each interface that AAA is running on.
ssd 1 check count 5
ssd 1 check interval 60
ssd 1 devname ath0
ssd 1 status disabled
ssd status disabled
SSH (SECURE SHELL) SERVER
Provides remote access capability using a secure shell client (e.g. PuTTY). The SSH server listens on port 22 and is enabled by default to ensure communications capability.
sshd port 22
sshd status enabled
NETWORK USAGE STATISTICS
Enable this to gather network usage statistics such as the MAC address of the client device, its name, connection and disconnection times, number of bytes received and transmitted, and SSID.
statsd status disabled
statsd verbose disabled
SYSTEM TRACE
This feature provides debug information for system services and protocols should a malfunction occur. It is useful for locating misconfigurations and system errors.
sysconf trace disabled
SYSTEM LOG
This feature allows system log files to be written to local or remote files for system devices.
syslog file /var/log/messages
syslog file msg level info
syslog file umask 077
syslog fwd msg level info
syslog fwd status disabled
syslog rcms alarm level info
syslog rcms alarm status disabled
syslog rotate at size 102400
syslog rotate status enabled
syslog status enabled
GENERIC ROUTING ENCAPSULATION (GRE) T...
212. ...seT HD
0x002 10baseT FD
0x003 10baseT
0x004 100baseTx HD
0x008 100baseTx FD
0x00C 100baseTx
0x010 1000baseTx HD
0x020 1000baseTx FD
0x030 1000baseTx
0x03F auto (combination of all the above)
ixp0: first Ethernet interface; ath0: first wireless interface.
netconf <index> speed: specify the Ethernet link speed between the switch and the ShadowAP device in Mbps (10, 100, 1000).
netconf <index> duplex: specify the duplexity of the Ethernet link (half/full).
Example 1:
netconf 1 autoneg disabled
netconf 1 advertise auto
netconf 1 speed 10
netconf 1 duplex half
Ethernet is allowed to connect at a fixed 10 Mbps speed; duplex will be set to half. The advertise key makes no sense when auto-negotiation (the autoneg key) is disabled.
Example 2:
netconf 1 autoneg enabled
netconf 1 advertise auto
netconf 1 speed 10
netconf 1 duplex half
Ethernet is allowed to negotiate the best speed and duplexity. The parameters speed and duplex will be ignored when autoneg is enabled. It is up to the Ethernet driver to decide which speed and duplexity must be used, according to the advertise key value (default value is auto).
Example 3:
netconf 1 devname ixp0
netconf 1 netmask 255.255.255.0
netconf 1 ip 192.168.2.220
netconf 1 up enabled
netconf 1 mode wan
netconf 1 type Ethernet
netconf 1 promisc disabled
netconf 1 alias status enabled
netconf 1 alias 1...
213. ...sec can be configured using the following keys:
ipsec status: specify the IPsec service status (enabled/disabled).
ipsec <index> status: specify the IPsec entry status (enabled/disabled). Default: disabled.
ipsec <index> mode: specify the IPsec operating mode for this entry (transport/tunnel).
ipsec <index> point_src ip: specify the source IP address.
ipsec <index> point_dst ip: specify the destination IP address.
ipsec <index> ah in spi: specify the inbound security parameter index (256-65535).
ipsec <index> ah out spi: specify the outbound security parameter index (256-65535).
ipsec <index> ah algo: specify the authentication algorithm (hmac-md5, hmac-sha1, keyed-md5, keyed-sha1, null, hmac-sha2-256, hmac-sha2-384, hmac-sha2-512, hmac-ripemd160, aes-xcbc-mac).
ipsec <index> ah secret: specify the authentication secret (string). The secret's length depends on the selected algorithm; e.g. a 128-bit secret is 16 characters long (128 bits / 8 bits per character = 16). The algorithm key lengths in bits are: hmac-md5 128, hmac-sha1 160, keyed-md5 128, keyed-sha1 160, null 0 to 2048, hmac-sha2-256 256, hmac-sha2-384 384, hmac-sha2-512 512, hmac-ripemd160 160, aes-xcbc-mac 128.
ipsec <index> esp in spi: specify the inbound compression (256-65535).
ipsec <index> esp out spi: specify the outbound compression (256-65535).
ipsec <index> esp auth algo: specify the...
214. ...security measure.
wireless <index> l2_isolation: specify the layer 2 wireless client separation status (enabled/disabled). Layer 2 isolation blocks the wireless clients from communicating with each other.
wireless <index> max_clients: specify the maximum number of connected clients (0-2147483647). Default: 64.
wireless <index> security: specify the Wired Equivalent Privacy (WEP) encryption method (wep64, wep128, none). The default mode is none.
wireless <index> security mode: specify the security mode (restricted/open). The default mode is restricted.
- Restricted: In this mode clients can connect only with WEP encryption configured.
- Open: This mode allows clients with WEP security or without any security to connect.
wireless <index> security <index> key: specify the WEP security keys. WEP keys should be entered as a series of colon-separated hexadecimal (0-9, A-F and a-f) pairs:
- 5 pairs for 64-bit WEP security, e.g. 00:AC:01:35:FF
- 13 pairs for 128-bit WEP security, e.g. 00:11:22:33:44:55:66:77:88:99:AA:BB:CC
You can configure up to 4 security keys.
wireless <index> security default_key: specify the index of the default key used to encrypt the data before it is transmitted (1-4). The same key value must also be entered in the WLAN card configuration for each of the wireless clients.
wireless <index> authmode: specify the authentication mode of the AP (1, 2, 4). Default: 4.
- 1 (O...
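The WEP key format in entry 214 and the IPsec AH secret-length table in entry 213 are both things a configuration should be checked against before it is pushed to a device. The following is an added example (not Waveteq's code) that validates both: a WEP key must be exactly 5 or 13 colon-separated hex pairs depending on the mode, and an AH secret must have as many characters as the algorithm's key size in bits divided by 8. The hyphenated algorithm names in the table are this example's reading of the manual's list; the function names are its own.

```python
"""Validate ShadowAP WEP keys and IPsec AH secrets against the formats the
manual specifies.  Added example; algorithm names are assumed to be the
hyphenated forms listed in the IPsec section."""
import re

# Number of hex pairs a key needs per WEP mode (manual: 5 for 64-bit, 13 for 128-bit).
WEP_PAIRS = {"wep64": 5, "wep128": 13}

# AH key lengths in bits per algorithm, as listed in the manual.
AH_KEY_BITS = {
    "hmac-md5": 128, "hmac-sha1": 160, "keyed-md5": 128, "keyed-sha1": 160,
    "hmac-sha2-256": 256, "hmac-sha2-384": 384, "hmac-sha2-512": 512,
    "hmac-ripemd160": 160, "aes-xcbc-mac": 128,
}
NULL_RANGE_BITS = (0, 2048)   # 'null' accepts any secret from 0 to 2048 bits

_HEX_PAIR = re.compile(r"^[0-9A-Fa-f]{2}$")


def validate_wep_key(security, key):
    """Return (ok, reason) for a key given as colon-separated hex pairs.
    security is the value of 'wireless <index> security': wep64 or wep128."""
    if security not in WEP_PAIRS:
        return False, f"unknown WEP mode {security!r}"
    pairs = key.split(":")
    want = WEP_PAIRS[security]
    if len(pairs) != want:
        return False, f"{security} needs {want} hex pairs, got {len(pairs)}"
    bad = [p for p in pairs if not _HEX_PAIR.match(p)]
    if bad:
        return False, f"not hexadecimal pairs: {bad}"
    return True, "ok"


def validate_ah_secret(algo, secret):
    """Return (ok, reason): the secret's length in characters, at 8 bits per
    character, must equal the algorithm's key size (or fall in the null range)."""
    bits = len(secret) * 8
    if algo == "null":
        lo, hi = NULL_RANGE_BITS
        return lo <= bits <= hi, f"null accepts {lo}-{hi} bits, got {bits}"
    if algo not in AH_KEY_BITS:
        return False, f"unknown algorithm {algo!r}"
    want_bits = AH_KEY_BITS[algo]
    if bits != want_bits:
        return False, (f"{algo} needs {want_bits // 8} characters "
                       f"({want_bits} bits), got {len(secret)} ({bits} bits)")
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values: the manual's own WEP examples plus one bad key.
    for mode, key in (("wep64", "00:AC:01:35:FF"),
                      ("wep128", "00:11:22:33:44:55:66:77:88:99:AA:BB:CC"),
                      ("wep64", "00:AC:01:35:GG")):
        print(mode, key, validate_wep_key(mode, key))
    print("hmac-sha1", validate_ah_secret("hmac-sha1", "0123456789abcdef"))
```

Both checks only enforce what the manual states about format and length; they say nothing about strength, so a configuration that passes them still needs the usual review of which ciphers and authentication modes are acceptable on the network.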
215. ...sed.
wpasupplicant profile <index> network <index> auth_alg <1-3> status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant profile <index> network <index> auth_alg <1-3> name: specify the allowed IEEE 802.11 authentication algorithms (OPEN, SHARED, LEAP). If not specified, automatic selection is used (Open System, with LEAP enabled if LEAP is allowed as one of the EAP methods). OPEN: Open System authentication (required for WPA/WPA2). SHARED: Shared Key authentication (requires static WEP keys). LEAP: LEAP/Network EAP (only used with LEAP).
wpasupplicant profile <index> network <index> pairwise <1-3> status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant profile <index> network <index> pairwise <1-3> name: specify the accepted pairwise (unicast) ciphers for WPA (CCMP, TKIP, NONE). If not specified, both CCMP and TKIP are accepted. CCMP: AES in Counter mode with CBC-MAC (RFC 3610, IEEE 802.11i/D7.0). TKIP: Temporal Key Integrity Protocol (IEEE 802.11i/D7.0). NONE: Use only Group Keys (deprecated; should not be included if APs support pairwise keys).
wpasupplicant profile <index> network <index> group <1-4> status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant profile <index> network <index> group <1...
216. …signs clients on the LAN dynamic IP addresses. The server is supported on physical and logical LAN interfaces. Each LAN interface runs a separate DHCP server instance. All available keys of the DHCP server are listed below.
dhcpd.status: specify the feature status (enabled/disabled). Default: disabled.
dhcpd.<index>.status: specify the DHCP server status (enabled/disabled). Default: enabled.
dhcpd.<index>.devname: specify the name of the interface on which you want to configure the DHCP service (interface name). Mandatory.
dhcpd.<index>.start: specify the starting IP address of the DHCP address pool (IP address). Mandatory.
dhcpd.<index>.end: specify the ending IP address of the DHCP address pool (IP address). Mandatory.
dhcpd.<index>.gateway: specify the gateway IP address.
dhcpd.<index>.netmask: specify the netmask.
dhcpd.<index>.dns.1.status: specify the primary DNS server status (enabled/disabled). Default: enabled.
dhcpd.<index>.dns.1.server: specify the primary DNS server IP address.
dhcpd.<index>.dns.2.status: specify the secondary DNS server status (enabled/disabled). Default: enabled.
dhcpd.<index>.dns.2.server: specify the secondary DNS server IP address.
dhcpd.<index>.lease_time: specify the IP address lease interval in seconds (1-4294967295). Default: 86400.
dhcpd.<index>.wins: specify the WINS se
217. …supplicant.profile.<index>.network.<index>.ssid or wpasupplicant.profile.<index>.network.<index>.ssid.hex is mandatory. If both are specified, wpasupplicant.profile.<index>.network.<index>.ssid.hex is used and the former is ignored.
wpasupplicant.profile.<index>.network.<index>.scan_ssid: specify whether to scan for the SSID with SSID-specific Probe Request frames (enabled/disabled). Default: disabled.
- disabled: do not scan for this SSID with specific Probe Request frames.
- enabled: scan with SSID-specific Probe Request frames. This can be used to find APs that do not accept a broadcast SSID or use multiple SSIDs. This will slow down scanning, so enable it only when needed.
wpasupplicant.profile.<index>.network.<index>.bssid: specify the BSSID (MAC address). If the BSSID is set, this network block is used only when associating to the AP with the configured BSSID.
wpasupplicant.profile.<index>.network.<index>.priority: specify the priority (0-65535). Default: 0. By default, all networks get the same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which the supplicant goes through the networks when selecting a BSS. The priority groups are iterated in decreasing priority, i.e. the larger the priority value, the sooner the network is matched against the scan results. Within each priori
218. …system functionality is controlled with the key:
sysconf.trace: specify the trace system status (enabled/disabled). Default: disabled.
6.6.4 Syslog
You can configure the device to save log messages to a local or remote file using the standard syslog facility. All available keys of the Syslog service are listed below.
syslog.status: specify the status of the syslog service (enabled/disabled).
syslog.file: specify the logged information file name with its path (string). Default: /var/log/messages.
syslog.file.umask: specify the umask for the output file (numbers). Default: 077.
syslog.file.msg.level: specify the message level you need to trace. The level determines the importance of the message and the volume of messages generated by the AC. The levels are, in order of increasing importance: emerg, alert, crit, err, warning, notice, info, debug. Default: info.
You can configure the device to send system log messages to a remote server.
syslog.fwd.status: specify the remote syslog server status (enabled/disabled). Default: disabled.
syslog.fwd.host.ip: specify the remote host IP address to which syslog messages will be sent.
syslog.fwd.host.port: specify the port to which syslog messages will be forwarded (0-65535). Default: 514.
syslog.fwd.msg.level: specify the message level that will be sent to the remote syslog server. The levels are, in order of increasing importance: emerg, alert, crit, err, warning, notice, info, debug. Default: info.
Note: Up to
219. …
4.0 Chapter 4 Web Interface 18
4.1 … 18
4.2 Statistics 19
4.2.1 System Information 20
4.2.2 Network Details 21
4.2.3 Wireless Details 22
4.2.4 Routes 23
4.2.5 ARP Table 23
4.3 Configuration 24
4.3.1 Starting Point 25
4.3.2 Basic Network 26
4.3.3 Basic Wireless 27
4.3.4 Advanced Network 29
4.3.5 Advanced Wireless 30
4.3.6 Expert 31
4.4 System 32
4.4.1 Maintenance 32
4.4.2 Password 33
4.4.3 Remote Management 34
4.4.4 License 35
4.5 Tools 36
4.5.1 Site Survey 36
4.5.2 Antenna Alignment 37
4.5.3 Wireless Tests 38
4.6 … 40
5.0 Chapter 5 SNMP Management 41
5.1 … 41
5.2 SNMP Agent 42
5.3 SNMP Community Strings 42
5.4 Use SNMP to Access … 42
6.0 Chapter 6 Configuring the ShadowAP 43
6.1 ShadowAP Configuration File 43
6.2 Network Configuration 44
6.2.1 Interfaces 44
6.2.2 The Bridge 46
6.2.3 DHCP 48
6.2.4 DNS 51
6.2.5 DNS Forwarder 52
6.2.6 … 53
6.2.7 … 55
6.2.8 IPsec Ra
220. …t has a bandwidth of 100 Mbps.
bps (bits per second): A measure of the data transmission rate.
D
DHCP (Dynamic Host Configuration Protocol): DHCP is a communications protocol that lets network administrators centrally manage and automate the assignment of Internet Protocol (IP) addresses in an organization's network. Using the Internet Protocol, each machine that can connect to the Internet needs a unique IP address. When an organization sets up its computer users with a connection to the Internet, an IP address must be assigned to each machine. Without DHCP, the IP address must be entered manually at each computer, and if computers move to another location in another part of the network, a new IP address must be entered. DHCP lets a network administrator supervise and distribute IP addresses from a central point and automatically sends a new IP address when a computer is plugged into a different place in the network.
DNS (Domain Name Service): An Internet service that translates a domain name, such as waveteq.com, to an IP address in the form xx.xx.xx.xx, where xx is an 8-bit hexadecimal number.
E
EAP (Extensible Authentication Protocol): Defined in RFC2284 and used by IEEE 802.1x Port-Based Authentication Protocol (8021x), it provides additional authentication methods. EAP-TLS (Transport Level Security, RFC2716, RFC3546) provides for mutual authentication, integrity-protected ciphersuite negotiation and key exchange between two
221. …t.ulog.prefix: specify the ULOG prefix (string without spaces). This option prefixes all log entries with a user-specified log prefix.
firewall.rule.<index>.t.ulog.cprange: specify how many bytes of the packet to send (0-65535).
firewall.rule.<index>.t.ulog.qthreshold: specify how many packets to queue before sending (0-65535).
6.4.3.7.15 NAS_MARK
The NAS_MARK target is used to mark all incoming packets with their source IP address. These marks are used by the traffic shaping module for AAA user bandwidth configuration. The NAS_MARK target can be used only in the PREROUTING chain or sub-chains of the mangle table. This target has no additional parameters.
firewall.rule.<index>.target NAS_MARK
6.4.3.7.16 Another Firewall Rule Definition Method
It is possible to define a firewall rule with all its parameters as a regular iptables command line.
firewall.rule.<index>.cmd: specify the iptables command line (string).
Example:
firewall.rule.5.cmd -t nat -A POSTROUTING -s 192.168.1.0/24 -o ixp0 -j SNAT --to-source 192.168.2.1
The configuration file snapshot for the example described above should look like this:
firewall.status enabled
firewall.rule.1.status enabled
firewall.rule.1.target SNAT
firewall.rule.1.table nat
firewall.rule.1.chain POSTROUTING
firewall.rule.1.t.snat.source 192.168.30.1
222. …tchers only look at the frame if the frame matches the rule.
LOG: The fact that the log module is a watcher lets us log frames while still choosing a target. Note that the log module therefore is not a target. Frames will be logged via the system's syslog. See section 6.6.4 Syslog for more details.
ebtables.rule.<index>.log: specify the logging status (enabled/disabled).
ebtables.rule.<index>.log.level: specify the logging level (emerg/alert/crit/err/warning/notice/info/debug). Default: info.
ebtables.rule.<index>.log.prefix: specify the prefix that will be printed before the logging information (string).
ebtables.rule.<index>.log.ip: specify whether to log the IP information when a frame made by the IP protocol matches the rule (enabled/disabled). Default: disabled.
ebtables.rule.<index>.log.arp: specify whether to log the (R)ARP information when a frame made by the (R)ARP protocols matches the rule (enabled/disabled). Default: disabled.
6.4.4.1.5 Target Extensions
arpreply: The arpreply target can be used in the PREROUTING chain of the nat table. If this target sees an ARP request, it will automatically reply with an ARP reply. The MAC address used for the reply can be specified. When the ARP message is not an ARP request, it is ignored by this target.
ebtables.rule.<index>.t.arpreply.mac: specify the MAC address to reply with (colon-separated 6 hexadecimal value pair
223. …te.status enabled
syslog.rotate.at.size 102400
6.6.5 IP Logging
The IP logging function logs authenticated client station connection requests.
Note: Be sure that the syslog feature is configured properly before enabling the IP logging feature.
The configuration file key of the IP Logging feature is:
ulogd.status: specify the IP logging status (enabled/disabled). Default: disabled.
When IP logging is enabled, the system continuously scans the activity of authenticated users and logs new TCP connection attempts to syslog. Each new connection is logged in the following format:
- Time stamp (time when the connection was attempted)
- Source IP:source port
- Destination IP:destination port
- Client network card MAC address (if it can be determined)
- WAN interface IP address
- Username
Example: The following configuration snippet illustrates how to set up IP logging on a router. Please be aware that ULOGD is targeted at the router (NAT-ed) platform only and will not work on a simple AP.
firewall.rule.5.table nat
firewall.rule.5.chain POSTROUTING
firewall.rule.5.protocol TCP
firewall.rule.5.tcpflags SYN,RST,ACK SYN
firewall.rule.5.target ULOG
firewall.rule.5.t.ulog.nlgroup 2
firewall.rule.5.t.ulog.prefix non-nat
Masquerade rules (customize to your needs):
firewall.rule.6.table nat
firewall.rule.6.chain POSTROUTING
firewall.rule.6.out ixp1
firewall.rule.6.target MASQUERA
224. …tem or to deliver service type information back to the Hotspot in a Box. The Wi-Fi Alliance has registered an IANA Private Enterprise Number (PEN) of 14122, which can be used to pass Vendor-Specific attributes to international roaming partners. The attributes (marked in the original table for use in the Auth Req, Auth Reply or Acctg Req) are:
- Type 1 (String): Hotspot Location Identifier
- Type 2 (String): Hotspot Location and Operator's Name
- Type 3 (String): URL for user to perform explicit logoff
- Type 4 (String): URL of Start Page
- Type 5 (Integer): Minimum Transmit Rate (bps)
- Type 6 (Integer): Minimum Receive Rate (bps)
- Type 7 (Integer): Maximum Transmit Rate (bps)
- Type 8 (Integer): Maximum Receive Rate (bps)
- Type 9 (String): Session termination time in ISO 8601 format (YYYY-MM-DDThh:mm:ssTZD)
- Type 10 (Integer): Flag of one or zero indicating the termination rule (terminate or not the user's session at the end of a billing day)
- Type 11 (String): Text string indicating the service type (e.g. used for the visitor access feature)
ShadowAP vendor-specific attributes are described from the client's point of view (reverse accounting is disabled). Waveteq recommends that vendors wishing to implement this portion obtain an IANA Private Enterprise Number (PEN), which can be used to pass Vendor-Specific attributes to international roaming partners.
ShadowAP Vendor-Specific Attributes (Type, Auth Req, Auth Reply, Acctg Req, Comment):
Acct-Session-Input, 21 (Integer), X: Session download volume limitation (octets) in
225. …ternet. It can also be used as a communications protocol in a private network (either an intranet or an extranet). When you are set up with direct access to the Internet, your computer is provided with a copy of the TCP/IP program, just as every other computer that you may send messages to or get information from also has a copy of TCP/IP. TCP/IP is a two-layer program. The higher layer, Transmission Control Protocol, manages the assembling of a message or file into smaller packets that are transmitted over the Internet and received by a TCP layer that reassembles the packets into the original message. The lower layer, Internet Protocol, handles the address part of each packet so that it gets to the right destination.
W
WAN: A wide area network (WAN) is a geographically dispersed telecommunications network. The term distinguishes a broader telecommunication structure from a local area network (LAN). A wide area network may be privately owned or rented, but the term usually connotes the inclusion of public (shared user) networks. An intermediate form of network in terms of geography is a metropolitan area network (MAN).
9.0 Index
A
AAA 71, 76
antenna diversity 62
autolock WLAN 67
B
bandwidth control 118
bridge 46
bridging firewall 106
match extensions: 802.3 108; ARP 108; IP 109; MARK 110; packet type 110; STP 110
226. …the transfer rate accordingly, but will increase the power density and may help to achieve greater operating distances.
Data rate (Mbps): Specify the maximum transmission rate of the radio. The Automatic Rate Adjustment checkbox will allow the radio to decrease the data rate in poor wireless conditions.
Link Distance (km): Setting this value too large may decrease performance, while setting it too small may prevent communication entirely.
Transmit Power (dBm): The transmit power is limited by your country's regulatory domain. Ensure that your chosen antenna, channel and transmit power are all within the regulatory requirements for your particular area and application.
Throughput Enhancements: Choose from a variety of throughput enhancements. Note that all devices on the network will need to be compatible with each enhancement. Each feature must be enabled on both sides of the wireless connection in order to work properly. Most of these options are only available in A, G and auto IEEE modes.
- Fast Frames: packet aggregation and timing modifications
- Packet Bursting: more data frames per given time period
- Dynamic Turbo: maximizes throughput using multiple channels
- Compression: utilizes compression techniques to reduce the amount of data to be transmitted
- Quality of service (WMM): enable to support quality of service for prioritizing traffic from the Ethernet to the access p
227. …ticast specification.
ebtables.rule.<index>.src.inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.dst: specify the destination MAC address (colon-separated 6 hexadecimal value pairs). See ebtables.rule.<index>.src for more details.
ebtables.rule.<index>.dst.inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.in: specify the interface name a frame is received from. This match is available in the INPUT, FORWARD, PREROUTING and BROUTING chains.
ebtables.rule.<index>.in.inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.out: specify the interface name a frame is going to be sent to. This match is available in the OUTPUT, FORWARD and POSTROUTING chains.
ebtables.rule.<index>.out.inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.lin: specify the logical bridge interface name a frame is received from. This match is available in the INPUT, FORWARD, PREROUTING and BROUTING chains.
ebtables.rule.<index>.lin.inverse: specify the match value inverse status (enabled/disabled). Default: disabled.
ebtables.rule.<index>.lout: specify the logical bridge interface name a frame is going to be sent to. This mat
228. …tication settings. To get a list of available command parameters, type authcheck and press enter.
cli> authcheck
Usage: authcheck <options>
options:
-i <interface name> (mandatory)
-m <MAC address> (optional, taken from the interface by default)
-u <username> (optional, default test)
-p <password> (optional, default test)
-t <timeout in milliseconds> (optional, default 30000)
Figure 3.4.1 The authcheck Command's Parameters
The authcheck command requires the interface name parameter to be specified. Other parameters are optional.
Example: authcheck -i ath0 -u testuser -p testpass will try to authenticate with username testuser and password testpass on the local interface called ath0. The test result will be displayed immediately after command execution.
3.5 Password
With the passwd command you can change the administrator's password. To change the password you will need to provide the old and the new passwords.
cli> passwd
Changing password for administrator admin
Enter old password:
Enter new password:
Confirm new password:
Command executed successfully
Figure 3.5.1 Change the Administrator's Password
Note: Passwords will not appear on the screen for safety. The only way to gain access to the management tool if you forget the administrator's password is to send your ShadowAP back to Waveteq Communications.
3.6 Shell
shell starts
229. …tring uniquely identifying the Wireless Internet Service Provider (WISP). The Access Controller can be shared between different WISPs. In this case the domain name can be appended to the username to specify which WISP the user is trying to authenticate to: username@WISPdomain (or, with the domain placed in front of the username: WISPdomain, then username). All available keys are listed below.
aaa.domain.<index>.status: specify the domain profile status (enabled/disabled). Default: enabled.
aaa.domain.<index>.name: specify the domain (WISP) profile name (string).
aaa.domain.<index>.domain: specify the domain (WISP) name (string).
aaa.domain.<index>.auth.<index>.status: specify the current authentication entry status (enabled/disabled). Default: enabled.
aaa.domain.<index>.auth.<index>.profile: specify the authentication server profile for this domain (string). This should be equal to aaa.auth.<index>.name; see section 6.4.1.2 RADIUS Authentication Servers.
aaa.domain.<index>.acct.<index>.status: specify the current accounting entry status (enabled/disabled). Default: enabled.
aaa.domain.<index>.acct.<index>.profile: specify the accounting server profile for this domain (string). This should be equal to aaa.acct.<index>.name; see section 6.4.1.3 RADIUS Accounting Servers.
aaa.domain.<index>.acct.mode: specify the accounting mode (failover/backup). Default: failover. This setting
230. …ture.
Statistics
- System Information: displays general information about the ShadowAP device.
- Network Details: displays the main network statistics for the ShadowAP device.
- Wireless Details: displays wireless statistics for the ShadowAP device.
- Routes: displays the route table for the ShadowAP device.
- ARP Table: displays the ARP table for the ShadowAP device.
Configuration
- Starting Point: choose from a variety of commonly implemented configuration files.
- Basic Network: set up network interfaces, static DNS servers and bridging configuration.
- Basic Wireless: define radio and wireless configuration.
- Advanced Network: define DHCP and DNS server status as well as static routing rules.
- Advanced Wireless: set up wireless security (WEP, WPA, WPA2) and access control lists.
- Expert: manually edit the configuration file.
System
- Maintenance: upgrade with new firmware, reboot or reset to factory defaults.
- Password: change the administrator's password.
- Remote Management: configure administrative access and monitoring of the ShadowAP.
- License: license file validity and upload on the ShadowAP device.
Tools
- Site Survey: perform a site evaluation to show overview information for other wireless networks in the local geography.
- Antenna Alignment: measures signal quality between wireless devices.
- Wireless Tests: perform a wireless throughput test between two ShadowAPs.
In the following sections short refer
231. …ty group, networks will be selected based on security policy, signal strength, etc. Note that AP scanning with wpasupplicant.profile.<index>.network.<index>.scan_ssid 1 is not using this priority to select the order for scanning. Instead, it uses the order the networks are in the configuration file.
wpasupplicant.profile.<index>.network.<index>.proto.<1-2>.status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant.profile.<index>.network.<index>.proto.<1-2>.name: specify the accepted protocols (WPA/RSN). If this key is not specified, both WPA and RSN (WPA2) are accepted.
- WPA: WPA/IEEE 802.11i/D3.0.
- RSN: WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN).
wpasupplicant.profile.<index>.network.<index>.key_mgmt.<1-4>.status: specify the current entry status (enabled/disabled). Default: enabled.
wpasupplicant.profile.<index>.network.<index>.key_mgmt.<1-4>.name: specify the accepted authenticated key management protocols (WPA-PSK/WPA-EAP/IEEE8021X/NONE). If this key is not specified, both WPA-PSK and WPA-EAP are accepted.
- WPA-PSK: WPA pre-shared key (this requires the wpasupplicant.profile.<index>.network.<index>.psk field).
- WPA-EAP: WPA using EAP authentication.
- IEEE8021X: IEEE 802.1X using EAP authentication and, optionally, dynamically generated WEP keys.
- NONE: WPA is not used; plaintext or static WEP could be u
232. …uded support for it in its network routers. IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.
ISP: An ISP (Internet Service Provider) is a company that provides individuals and other companies access to the Internet and other related services, such as Web site building and virtual hosting. An ISP has the equipment and the telecommunication line access required to have a point of presence on the Internet for the geographic area served.
L
LAN: A local area network (LAN) is a group of computers and associated devices that share a common communications line and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). Usually the server has applications and data storage that are shared in common by multiple computer users. A local area network may serve as few as two or three users (for example, in a home network) or as many as thousands of users (for example, in an FDDI network).
M
MAC (Medium Access Control): In a WLAN network card, t
233. …urity Policy Indexes (SPI value in HEX):
ipsec.1.esp.out.spi 0x4000
ipsec.1.esp.in.spi 0x5000
Authentication key alabrstysaaslu!e, or in hexadecimal 616c616272737479736161736c752165:
ipsec.1.esp.auth.algo hmac-md5
ipsec.1.esp.auth.secret alabrstysaaslu!e
Encryption key alabrsty, or in hexadecimal 616c616272737479:
ipsec.1.esp.enc.algo des-cbc
ipsec.1.esp.enc.secret alabrsty
Security Policy Database (SPD) entries:
ipsec.1.spd.1.src.ip 192.168.4.8
ipsec.1.spd.1.src.netmask 32
ipsec.1.spd.1.dst.ip 192.168.1.0
ipsec.1.spd.1.dst.netmask 24
ipsec.1.spd.1.protocol.1.name esp
ipsec.1.spd.1.protocol.1.level require
Install a route telling that 192.168.1.0/24 is behind 192.168.4.10 (do not forget to adjust the index 20 to a reasonable value):
route.20.ip 192.168.1.0
route.20.netmask 24
route.20.devname ixp1
route.20.gateway 192.168.4.10
The IPSec Tunnel VPN Gateway should be configured properly at the remote router (192.168.4.10) side. A valid configuration should include settings like:
Local Secure Network: 192.168.1.0 / 255.255.255.0
Remote Secure Gateway IP address: 192.168.4.8
Key Exchange Method: Manual
Encryption Algorithm: DES
Encryption Key value in hexadecimal: 616c616272737479
Authentication Algorithm: MD5
Authentication Key value in hexadecimal: 616c616272737479736161736c752165
Inbound SPI value in HEX: 4000
Outbound SPI value in HEX: 5000
6.2.8 IPsec Racoon
The establishm
234. …uth.<index>.status: specify the pre-authentication interface list status (enabled/disabled). Default: enabled.
aaa.security.wpa.<index>.rsn.preauth.<index>.status: specify the pre-authentication interface list status (enabled/disabled). Default: enabled.
aaa.security.wpa.<index>.rsn.preauth.<index>.devname: specify the list of interfaces from which pre-authentication frames are accepted (interface name list, e.g. ixp0 or ixp0.1, ixp0.2). This list should include all interfaces that are used for connections to other APs. The normal wireless data interface towards associated stations (ath0) should not be added, since pre-authentication is only used with APs other than the currently associated one.
Example:
aaa.security.wpa.1.status enabled
aaa.security.wpa.1.name WPASEC
aaa.security.wpa.1.mode WPA
aaa.security.wpa.1.key.method PSK
aaa.security.wpa.1.key.cipher ALL
aaa.security.wpa.1.passphrase the secret phrase
aaa.security.wpa.1.rekey.group.period 0
aaa.security.wpa.1.rekey.gmk.period 0
6.4.1.7 RADIUS Proxy
The ShadowAP can forward RADIUS authentication and accounting packets between attached access points and a RADIUS server reachable through the WAN interface. The requirements for the RADIUS proxy feature to work correctly are:
1. The AP should be operating in bridge mode and be connected to the Access Controller's LAN port.
2. The ShadowAP should have these RADIUS proxy parameters configured:
- RADIU
235. …ve owners.
National Radio Regulations
The usage of wireless network components is subject to national and/or regional regulations and laws. Administrators must ensure that they select the correct radio settings according to their regulatory domain. Refer to Appendix B, Regulatory Domain Channels, for more information on regulatory domains. Please check the regulations valid for your country and set the parameters concerning frequency, channel and output power to the permitted values.
FCC Compliance
This device has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the device is operated in a residential environment. This device generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the user guide, may cause harmful interference to radio communications. There is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user will be required to correct the interference at their own expense. The user should not modify or change this device without written approval from Waveteq Communications Inc. Modification will void the warranty and auth
236. …vice hardware address.
Hardware Type: The hardware type distinguishes between Ethernet (1), IEEE 802 networks (6), IPsec tunnels (31), etc.
Flags: ARP flags, most commonly 0x02 (ARP on Ethernet).
HW address: The hardware address of the device, most commonly a MAC address.
Refresh: click to update the information in the ARP table.
4.3 Configuration
Use the Configuration section to manage the device's configuration file. On each page there are headings which offer helpful advice for adjusting different configuration options.
Figure 4.3.1 Configuration Starting Page
There are six sections of system configuration file management:
- Starting Point: choose from a variety of commonly implemented configuration files.
- Basic Network: set up network interfaces, static DNS servers and bridging configuration.
- Basic Wireless: define radio and wireless configuration.
- Advanced Network: define DHCP and DNS server status as well as static routing rules.
- Advanced Wireless: set up wireless security (WEP, WPA, WPA2) and access control lists.
- Expert: manually edit the configuration file.
4.3.1 Starting Point
This section is for loading the factory default configuration file. Use the Network Diagram links to see a visual representation of each configuration. Figure 4.3.2 below shows the starting poi
237. …whitelist.<index>.status: specify the white list status (enabled/disabled). Default: enabled.
access.<index>.whitelist.<index>.url: specify the URL (string). When specified, the system will extract the host, port and protocol from the URL. If specified, the only other key necessary is access.<index>.whitelist.<index>.descr; all other keys will be ignored.
access.<index>.whitelist.<index>.descr: specify the current entry description (string). In the case when the URL is specified, it can be used as a link text for that URL.
access.<index>.whitelist.<index>.host: specify the host name or host network IP address (IP address or hostname string).
access.<index>.whitelist.<index>.netmask: specify the netmask used to cover the network range limited by host and netmask. Default: 255.255.255.255.
access.<index>.whitelist.<index>.port.from: specify the TCP or UDP port number (0-65535). This denotes the first port in a range, or the single port when access.<index>.whitelist.<index>.port.to is not specified.
access.<index>.whitelist.<index>.port.to: specify the TCP or UDP port number (0-65535). This denotes the last port in a range.
access.<index>.whitelist.<index>.proto: specify the IP protocol number (0-255) or protocol keyword. See Appendix D, /etc/protocols, for details. The value 0 is us
238. …wireless interface settings.
6.2.1 Interfaces
The physical network interfaces can be configured to work as either local area network (LAN) or wide area network (WAN) interfaces. LAN is used to connect hubs, switches, Access Points and other devices on the subscriber side, while the WAN port connects to the Internet service provider's (ISP) network. All available keys of the network interface configuration are listed below.
netconf.status: specify the interface configuration feature status (enabled/disabled). In general this key should always be specified and set to enabled.
netconf.<index>.status: specify the current network interface status (enabled/disabled).
netconf.<index>.devname: specify the interface name (lo/ixp0/ath0/logical interface name). The physical interface names are: lo (local loopback interface), ixp0 (first Ethernet interface), ath0 (first wireless interface). Logical interface names will be described in the following sections.
netconf.<index>.type: specify the interface type (loopback/wireless/ethernet/bridge/gre).
netconf.<index>.mode: specify the interface mode (lan/wan).
netconf.<index>.up: specify the interface status (enabled/disabled). This value causes the interface to be activated, or the driver for this interface to be shut down.
netconf.<index>.ip: specify the interface IP address (e.g. 192.168.5.1).
netconf.<index>.netmask: specify the interface subnet mask (e.g.
239. …xy accounting detection timeout in seconds (0-999999). Default: 30. The ShadowAP will wait the specified period of time for a RADIUS accounting start packet from the AP following a successful authentication. If no RADIUS accounting start packet is received within this time interval, the ShadowAP will send one for the user on the AP's behalf. The ShadowAP will continue to maintain accounting data for the duration of the user's session. To disable accounting detection and internal accounting, set this value to 0.
Example:
aaa.nas.1.auth.1.type radius_proxy
aaa.nas.1.auth.1.profile rp_ixp0
aaa.radius.proxy.1.name rp_ixp0
aaa.radius.proxy.1.auth.port 1812
aaa.radius.proxy.1.acct.port 1813
aaa.radius.proxy.1.acct.timeout 30
6.4.2 WPA/802.1x Supplicant
IEEE 802.1x is the standard defining port-based authentication and the infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an 802.11 wireless network using the EAPOL protocol. IEEE 802.1x provides dynamically generated keys that are periodically refreshed. EAP/802.1x authentication and dynamic key management enable stronger data encryption. Once an EAP/802.1x association is made between the client (the WPA-compliant ShadowAP supplicant) and the authentication server, WPA key management can be negotiated. The ShadowAP can be configured to act as a supplicant (a client) to an 802.1x protocol authenticator. It sup
y cause undesired operation of the device. The frequency band 5150-5250 MHz (channels 34-40) is only for indoor usage, to reduce the potential for harmful interference to co-channel mobile satellite systems. Users should also take note that high-power radars are allocated as primary users, which means that they have priority in the bands 5250-5350 MHz (channels 52-64) and 5650-5850 MHz (channels 132-165). These radars could cause interference to the ShadowAP.

Table of Contents

Table of Tables ... v
Table of Figures ... viii
1.0 Chapter 1 Overview ... 1
1.1 ShadowAP Features ... 2
1.2 Feature Locations ... 4
2.0 Chapter 2 Installation ... 5
2.1 Mounting ... 5
2.2 Ethernet Cable and Connector Assembly ... 6
2.3 Factory Default Configuration ... 8
2.3.1 (title unreadable) ... 8
2.4 Connecting to the ShadowAP ... 9
2.4.1 Using Ethernet Connections ... 9
2.4.2 Using Wireless LAN Connection ... 11
(title unreadable) ... 12
3.0 Chapter 3 Command Line Interface Management ... 14
3.1 (title unreadable) ... 14
3.2 (title unreadable) ... 14
3.3 Login ... 14
3.4 Authentication Check ... 15
3.5 Password ... 15
3.6 (title unreadable) ... 16
3.7 (title unreadable) ... 16
3.8 (title unreadable) ... 16
3.9 Reboo
yer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transmission Control Protocol (TCP) layers. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network, or between program layers in the same computer. SSL uses the public- and private-key encryption system from RSA, which also includes the use of a digital certificate.

T

TCP: TCP (Transmission Control Protocol) is a set of rules (protocol) used along with the Internet Protocol (IP) to send data in the form of message units between computers over the Internet. While IP takes care of handling the actual delivery of the data, TCP takes care of keeping track of the individual units of data (called packets) that a message is divided into for efficient routing through the Internet. TCP is a connection-oriented protocol, which means that a connection is established and maintained until such time as the message or messages to be exchanged by the application programs at each end have been exchanged. TCP is responsible for ensuring that a message is divided into the packets that IP manages, and for reassembling the packets back into the complete message at the other end. In the Open Systems Interconnection (OSI) communication model, TCP is in layer 4, the Transport Layer.

TCP/IP: TCP/IP (Transmission Control Protocol/Internet Protocol) is the basic communication language or protocol of the In