Wireless Controller User Manual - D-Link
Contents
1. The following actions are supported from this page:
   Refresh: Updates the page with the latest information.
   4.7.3 Peer Controller Configuration Status
   Status > Global Info > Peer Controller > Configuration
   You can push portions of the controller configuration from one controller to another controller in the cluster. The Peer Controller Configuration Status page displays information about the configuration sent by a peer controller in the cluster. It also identifies the IP address of each peer controller that received the configuration information.
   Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information.
   Configuration Controller IP Address: Shows the IP address of the controller that sent the configuration information.
   Configuration: Identifies which parts of the configuration the controller received from the peer controller.
   Timestamp: Shows when the configuration was applied to the controller. The time is displayed as UTC time and is therefore only useful if the administrator has configured each peer controller to use NTP.
   Figure 64: Peer Controller Configuration Status
2. 9.2 Using SSL VPN Policies
   Setup > VPN Settings > SSL VPN Server > SSL VPN Policies
   SSL VPN Policies can be created on a Global, Group, or User level. User level policies take precedence over Group level policies, and Group level policies take precedence over Global policies. These policies can be applied to a specific network resource, IP address or ranges on the LAN, or to different SSL VPN services supported by the controller. The List of Available Policies can be filtered based on whether it applies to a user, group, or all users (global).
   A more specific policy takes precedence over a generic policy when both are applied to the same user/group/global domain, i.e. a policy for a specific IP address takes precedence over a policy for a range of addresses containing the IP address already referenced.
   Figure 145: List of SSL VPN policies (Global filter)
   Policies are useful to permit or deny access to specific network resources, IP addresses or IP networks. They may be defined at the user, group or global level. By default, a global PERMIT policy (not displayed) was already configured over all addresses and over all services/ports.
3. When SSLVPN users are selected, the SSLVPN settings are displayed with the following parameters, as captured in SSLVPN Settings. As per the Authentication Type, SSL VPN details are configured.
   • Authentication Type: The authentication type can be one of the following: Local User Database (default), Radius PAP, Radius CHAP, Radius MSCHAP, Radius MSCHAPv2, NT Domain, Active Directory, and LDAP.
   • Authentication Secret: If the domain uses RADIUS authentication, then the authentication secret is required, and this has to match the secret configured on the RADIUS server.
   • Workgroup: This is required for NT domain authentication. If there are multiple workgroups, the user can enter the details for up to two workgroups.
   • LDAP Base DN: This is the base domain name for the LDAP authentication server. If there are multiple LDAP authentication servers, the user can enter the details for up to two LDAP Base DNs.
   • Active Directory Domain: If the domain uses Active Directory authentication, the Active Directory domain name is required. Users configured in the Active Directory database are given access to the SSL VPN portal with their Active Directory username and password. If there are multiple Active Directory domains, the user can enter the details for up to two authentication
4. Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time sensitive is sent to this queue (FTP data, for example).
   AIFS (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames. The wait time is measured in slots. Valid values for AIFS are through 255.
   cwMin (Minimum Contention Window): This parameter is input to the algorithm that determines the initial random backoff wait time (window) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window. Valid values for the cwmin are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmin must be lower than the value for cwmax.
   cwMax (Maximum Contention Window): The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until eith
5. Use the following steps to associate one or more interfaces with a captive portal:
   1. Select the desired captive portal from the CP Configuration list.
   2. Select the interface or interfaces from the Interface List. To select more than one interface, hold CTRL and click multiple interfaces.
   3. Click Add.
   Use the following steps to remove an interface from the Associated Interfaces list for a captive portal:
   1. Select the desired captive portal from the CP Configuration list.
   2. In the Associated Interfaces field, select the interface or interfaces to remove. To select more than one interface, hold CTRL and click multiple interfaces.
   3. Click Delete. The interface is removed from the Associated Interface list and appears in the Interface List.
   2.7 WLAN global configuration
   Setup > WLAN Global Settings
   Following are the options available to enable the WLAN function on DWC-1000:
   Enable WLAN Controller: Select this option to enable WLAN controller functionality on the system. Clear the option to administratively disable the WLAN controller. If you clear the option, all peer controllers and APs that are associated with this controller are disassociated. Disabling the WLAN controller does not affect non-WLAN features on the controller, such as VLAN or STP functionality.
   WLAN Controller Operational Status: Shows
6. • Any: Select this option if the standalone AP might use a WDS link.
   Expected Security Mode: Select the option to specify the type of security the AP uses.
   • Any: Any security mode
   • Open: No security
   • WEP: Static WEP or WEP 802.1X
   • WPA/WPA2: WPA and/or WPA2 (Personal or Enterprise)
   Expected Wired Network Mode: If the standalone AP is allowed on the wired network, select Allowed. If the AP is not permitted on the wired network, select Not Allowed.
   Channel: The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface and the country in which the APs operate.
   Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range.
   5.2 RF Management
   5.2.1 RF Configuration
   Setup > AP Management > RF Management > RF Configuration
   The radio frequency (RF) broadcast channel defines the portion of the radio spectrum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point. The controller c
7. • Xauth User: This user's authentication is performed by an externally configured RADIUS or other Enterprise server. It is not part of the local user database.
   • SSLVPN User: This user has access to the SSL VPN services as determined by the group policies and authentication domain of which it is a member. The domain-determined SSL VPN portal will be displayed when logging in with this user type.
   • Admin: This is the controller's super user, and can manage the controller, use SSL VPN to access network resources, and log in to L2TP/PPTP servers on the Option. There will always be one default administrator user for the GUI.
   • Guest User (read-only): The guest user gains read-only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access.
   • Captive Portal User: These captive portal users have access through the controller. The access is determined based on captive portal policies.
   Idle Timeout: This is the login timeout period for users of this group.
   Figure 138: User group configuration
8. To add a SSL VPN policy, you must first assign it to a user, group, or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop-down menu and one must be selected. Similarly, for a user-defined policy, a SSL VPN user must be chosen from the available list of configured users.
   The next step is to define the policy details. The policy name is a unique identifier for this rule. The policy can be assigned to a specific Network Resource (details follow in the subsequent section), IP address, IP network, or all devices on the LAN of the controller. Based on the selection of one of these four options, the appropriate configuration fields are required (i.e. choosing the network resources from a list of defined resources, or defining the IP addresses). For applying the policy to addresses, the port range/port number can be defined.
   The final steps require the policy permission to be set to either permit or deny access to the selected addresses or network resources. As well, the policy can be specified for one or all of the supported SSL VPN services (i.e. VPN tunnel).
   Once defined, the policy goes into effect immediately. The policy name, SSL service it applies to, destination (network resource or IP addresses), and permission (deny/permit) is outlined in a list of
9. Figure 179: Installing a License
   Figure 180: Available Licenses Display after installing a License
   The new features will be enabled after system reboot.
   Appendix A. Glossary
   Address Resolution Protocol: Broadcast protocol for mapping IP addresses to MAC addresses.
   Challenge Handshake Authentication Protocol: Protocol for authenticating users to an ISP.
   Dynamic DNS: System for updating domain names in real time. Allows a domain name to be assigned to a device with a dynamic IP address.
   Dynamic Host Configuration Protocol: Protocol for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them.
   Domain Name System: Mechanism for translating H.323 IDs, URLs, or e-mail IDs into IP addresses. Also used to assist in locatin
10. The details will then be displayed in the List of Captive Portal Policies table on the cpSetup page.
   Captive Portal Configuration
   The display of the captive portal login page can be altered by modifying the settings available here.
   General Details
   Profile Name: Name of the profile that is being added.
   Browser Title: It is the browser title.
   Page Background Color: Sets the background color of the page.
   Custom Color: It allows choosing the custom background color.
   Figure 26: Captive Portal Configuration, Part 1
   Figure 27: Captive Portal Configuration, Part 2
11. available APs
   RTS Threshold: Specify a Request to Send (RTS) Threshold value between 0 and 2347. The RTS threshold indicates the number of octets in an MPDU below which an RTS/CTS handshake is not performed. Changing the RTS threshold can help control traffic flow through the AP, especially one with a lot of clients. If you specify a low threshold value, RTS packets will be sent more frequently. This will consume more bandwidth and reduce the throughput of the packet. On the other hand, sending more RTS packets can help the network recover from interference or collisions, which might occur on a busy network or on a network experiencing electromagnetic interference.
   Load Balancing: If you enable load balancing, you can control the amount of traffic that is allowed on each of the active APs.
   Load Utilization: This field allows you to set a threshold for the percentage of network bandwidth utilization allowed on the radio. Once the level you specify is reached, the AP stops accepting new client associations. Enter a percentage of utilization from to 100.
   Maximum Clients: Specify the maximum number of stations allowed to associate with this access point at any one time. You can enter a value between 0 and 200.
   RF Scan Other Channels: The access point can perform RF scans to collect information about other wireless devices within range and then report this information to the DWC-1000 wireless c
12. that classify it as a threat, it will be listed as a Rogue again.
   Refresh: Updates the page with the latest information.
   4.8.7 Pre-Authorization History
   Status > Wireless Client Info > Pre-Auth History
   To help authenticated clients roam without losing sessions and needing to re-authenticate, wireless clients can attempt to authenticate to other APs within range that the client could possibly associate with. For successful pre-authentication, the target AP must have a VAP with an SSID and security configuration that matches that of the client, including MAC authentication, encryption method, and pre-shared key or RADIUS parameters. The AP that the client is associated with captures all pre-authentication requests and sends them to the controller.
   MAC Address: MAC address of the client.
   AP MAC Address: MAC address of the managed AP to which the client has pre-authenticated.
   Radio Interface Number: Radio number to which the client is authenticated, which is either Radio 1 or Radio 2.
   VAP MAC Address: VAP MAC address to which the client roamed.
   SSID: SSID name used by the VAP.
   Age: Time since the history entry was added.
   User Name: Indicates the user name of the client that authenticated via 802.1X.
   Pre-Authentication Status: Indicates whether the client successfully authenticated and shows a status of Success or Failure.
   Figure 75: Pre-Auth History
13. Channel Plan History
   Setup > AP Management > RF Management > Channel Plan History
   The wireless controller stores channel assignment information for the APs it manages. The Cluster Controller that controls the cluster maintains the channel history information for all controllers in the cluster. On the Cluster Controller, the page shows information about the radios on all APs managed by controllers in the cluster that are eligible for channel assignment and were successfully assigned a new channel.
   Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select.
   Operational Status: This field shows whether the controller is using the automatic channel adjustment algorithm on the AP radios.
   Last Iteration: The number in this field indicates the most recent iteration of channel plan adjustments. The APs that received a channel adjustment in previous iterations cannot be assigned new channels in the next iteration, to prevent the same APs from being changed time after time.
   Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran.
   AP MAC Address: This table displays the channel assigned to an AP in an iteration of the channel plan.
   Location; Radio; Iteration; Channel
   Figure 80: Channel Plan Hi
14. (Table of contents excerpt; page numbers and unreadable entries omitted)
   LAN QoS Configuration
   DSCP Configuration
   Remark CoS to DSCP
   VLAN Configuration
   Associating VLANs to ports
   Multiple VLAN Subnets
   Configurable Port DMZ Setup
   Universal Plug and Play (UPnP)
   Captive Portal
   Captive Portal Setup
   Captive Portal Session
   WLAN CP Interface Association
   WLAN global configuration
   Wireless Discovery configuration
   Wireless Discovery Status
   AP Profile Global Configuration
   Chapter 3. Configuring Wireless LAN
   3.1 WLAN Setup Wizard
   Chapter 4. Monitoring Status And Statistics
   System Overview
   Dashboard
   Device Status
   Wireless LAN AP information
   Cluster information
   Resour
15. 9.1.1 Users and Passwords
   Advanced > Users > Users
   The user configurations allow creating users associated to a group. The user settings contain the following key components:
   User Name: This is the unique identifier of the user.
   First Name: This is the user's first name.
   Last Name: This is the user's last name.
   Select Group: A group is chosen from a list of configured groups.
   Password: The password associated with the user name.
   Confirm Password: The same password as above is required to mitigate against typing errors.
   Idle Timeout: The session timeout for the user.
   It is recommended that passwords contain no dictionary words from any language, and are a mixture of letters (both uppercase and lowercase), numbers, and symbols. The password can be up to 30 characters.
   Figure 144: User Configuration options
16. Setup > LAN QoS > Port Queue Status
   This page shows the current queue management algorithm that is used in the LAN controller.
   Queueing Management algorithm: Displays the current queue management algorithm that is used in the LAN controller.
   Figure 10: Port Queue Status
   2.2.3 Option QoS Configuration
   Setup > LAN QoS > Option QoS Configuration
   This page allows configuring the Option QoS and defining the bandwidth for Option interfaces.
   Figure 11: Option QoS Configuration
   Option QoS: To enable Bandwidth ma
17. Specify the number of seconds an AP should spend counting the authentication messages sent by wireless clients.
   Authentication Requests Threshold Value: If the controller receives more than the specified number of messages during the threshold interval, the test triggers.
   Probe Requests Threshold Interval: Specify the number of seconds an AP should spend counting the probe messages sent by wireless clients.
   Probe Requests Threshold Value: Specify the number of probe requests a wireless client is allowed to send during the threshold interval before the event is reported as a threat.
   Authentication Failure Threshold Value: Specify the number of 802.1X authentication failures a client is allowed to have before the event is reported as a threat.
   Figure 163: WIDS Client Configuration
   The settings you configure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue. Clients classified as rogues are considered to be a threat to network security.
18. Specify the priority of this controller for the Cluster Controller election. The controller with the highest priority in a cluster becomes the Cluster Controller. If the priority is the same for all controllers, then the controller with the lowest IP address becomes the Cluster Controller. A priority of 0 means that the controller cannot become the Cluster Controller. The highest possible priority is 255.
   AP Client QoS: Enable or disable the client QoS feature. If AP Client QoS is disabled, the Client QoS configuration remains in place, but any ACLs or DiffServ policies applied to wireless traffic are not enforced. The Client QoS feature extends the primary QoS capabilities of the Unified Wireless controller to the wireless domain. More specifically, access control lists (ACLs) and differentiated service (DiffServ) policies are applied to wireless clients associated to the AP.
   the maximum MTU size of existing network infrastructure, which is set up to controller and route 1518 (1522 tagged) byte frames. If you increase the tunnel IP MTU size, you must also increase the physical MTU of the ports on which the traffic flows.
   11.2 Distributed Tunneling
   Advanced > Global > Distributed Tunneling
   The Distributed Tunneling mode, also known as AP-AP tunneling mode, is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller. In the AP-AP tunneling mode, when a
19. The AP would still send probe responses to clients that send probe requests for the managed SSID, fooling the clients into associating with the hacker's AP. This test detects and flags APs that transmit beacons without the SSID field. The test is automatically disabled if any of the radios in the profiles are configured not to send the SSID field, which is not recommended because it does not provide any real security and disables this test.
   Fake managed AP on an invalid channel: This test detects rogue APs that transmit beacons from the source MAC address of one of the managed APs, but on a different channel from the one on which the AP is supposed to be operating.
   Managed SSID detected with incorrect security: During RF Scan, the AP examines beacon frames received from other APs and determines whether the detected AP is advertising an open network, WEP, or WPA. If the SSID reported in the RF Scan is one of the managed networks and its configured security does not match the detected security, then this test marks the AP as rogue.
   Invalid SSID from a managed AP: This test checks whether a known managed AP is sending an unexpected SSID. The SSID reported in the RF Scan is compared to the list of all configured SSIDs that are used by the profile assigned to the managed AP. If the detected SSID doesn't match any configured SSID, then the AP is marked as rogue.
   AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured
20. The Option status page allows you to Enable or Disable static Option links. For Option settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required.
   6.3 Features with Multiple Option Links
   This controller supports multiple Option links. This allows you to take advantage of failover and load balancing features to ensure certain internet-dependent services are prioritized in the event of unstable Option connectivity on one of the ports.
   Setup > Internet Settings > Option Mode
   To use Auto Failover or Load Balancing, Option link failure detection must be configured. This involves accessing DNS servers on the internet or ping to an internet address (user defined). If required, you can configure the number of retry attempts when the link seems to be disconnected, or the threshold of failures that determines if an Option port is down.
   6.3.1 Auto Failover
   In this case, one of your Option ports is assigned as the primary internet link for all internet traffic. The secondary Option port is used for redundancy in case the primary link goes down for any reason. Both Option ports (primary and secondary) must be configured to connect to the respective ISPs before enabling this feature. The secondary Option port will remain unconnected until a failure is detected on the primary link (either port can be assigned as the primary). In the event of a failure
21. The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference with legacy stations or applications. By default, these protection mechanisms are enabled (Auto). With protection enabled, protection mechanisms will be invoked if legacy devices are within range of the AP. You can disable (Off) these protection mechanisms; however, when 802.11n protection is off, legacy clients or APs within range can be affected by 802.11n transmissions. 802.11 protection is also available when the mode is 802.11b/g. When protection is enabled in this mode, it protects 802.11b clients and APs from 802.11g transmissions.
   Short Guard Interval: The guard interval is the dead time, in nanoseconds, between OFDM symbols. The guard interval prevents Inter-Symbol and Inter-Carrier Interference (ISI, ICI). The 802.11n mode allows for a reduction in this guard interval from the a and g definition of 800 nanoseconds to 400 nanoseconds. Reducing the guard interval can yield a 10% improvement in data throughput. Select one of the following options:
   • Enable: The AP transmits data using a 400 ns guard interval when communicating with clients that also support the 400 ns guard interval.
   • Disable: The AP transmits data using an 800 ns guard interval.
   Space Time Block Code: Space Time Block Coding (STBC) is an 802.11n technique intended to improve the reliability of data transmissions. The data str
22. Figure 159: Distributed Tunneling Clients
   Distributed Tunneling Data
   Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels.
   Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from Home AP using distributed tunneling.
   Distributed Tunnel Clients: Total number of clients that are associated with an AP that are using distributed tunneling.
   Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when the client roamed.
   11.4 Peer Controller Configuration
   11.4.1 Peer Controller Configuration Request Status
   Advanced > Peer Controller > Configuration Request Status
   The Peer Controller Configuration feature allows you to send a variety of configuration information from one controller to all other controllers. In addition to keeping the controllers synchronized, this function allows you to ma
23. The following actions are supported from this page:
   View Details: Shows detailed status information collected from the AP.
   View Radio Details: Shows detailed status for a radio interface.
   View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.
   Refresh: Updates the page with the latest information.
   4.3.2 LAN Associated Clients
   Status > Traffic Monitor > Associated Clients Statistics > LAN Associated Clients
   The controller tracks the traffic the client connected wireless controller.
   Name: The LAN host name, if available through NetBIOS.
   IP Address: The LAN device's IP address.
   MAC Address: The MAC address of the connected LAN client.
   Figure 50: LAN Associated Clients
   The following actions are supported from this page:
   Refresh: Updates the page with the latest information.
   View
24. 4.8.1 Client Status
   Status > Dashboard > Client
   This page shows information about all the clients which are connected through our managed AP.
   Figure 69: Client Status
   802.11 Clients Data
   802.11a Clients: Total number of IEEE 802.11a only clients that are authenticated.
   802.11b/g Clients: Total number of IEEE 802.11b/g only clients that are authenticated.
   802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n.
   Clients Data
   Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status.
   Authenticated Clients: Total number of clients in the associated client database with an Authenticated status.
   Maximum Associated Clients: Maximum number of clients that can associate with the wireless system. This is the maximum number of entries allowed in the Associated Client database.
   Detected Clients: Number of wireless clients detected in the WLAN.
   Maximum Detected Clients: Maximum number of clients that can be detected by the controller. The number is limited by the size of the Detected Client Database.
   Maximum Pre-authentication History Entries: Maximum number of Client
25. [Screenshot: Access Points Summary, List of APs, with columns MAC Address, IP Address, Age, Status, Radio, Channel]
MAC Address: Shows the MAC address of the access point.
IP Address: The network address of the access point.
Age: Shows how much time has passed since the AP was last detected and the information was last updated.
Status: Shows the access point status.
• Managed: The AP profile configuration has been applied to the AP and it is operating in managed mode.
• No Database Entry: The MAC address of the AP does not appear in the local or RADIUS Valid AP database.
• Authentication Failed: The AP failed to be authenticated by the controller or RADIUS server because the AP is not configured as a valid AP with the correct local or RADIUS authentication information.
• Failed: The controller lost contact with the AP. A failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
• Rogue: The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database.
Radio: Shows the wireless radio mode the AP is using
26. Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller.
Rogue Access Points: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues.
Discovered Access Points: APs that have a connection with the controller but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status.
Connection Failed Access Points: Number of APs that were previously authenticated and managed but currently don't have a connection with the Unified Controller.
Authentication Failed Access Points: Number of APs that failed to establish communication with the Unified Controller.
Unknown Access Points: Number of Unknown APs currently detected on the WLAN. If an AP configured to be managed by the Unified Controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP.
Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames.
Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending de-authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress.
Maximum Managed APs in Peer Group: Maximum number of access points th
27. All Logs
The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined in the Tools > Log Settings > Logs Facility or Tools > Log Settings > Logs Configuration pages, the corresponding log message will be displayed in this window with a timestamp.
Note: It is very important to have accurate system time (manually set or from an NTP server) in order to understand log messages.
Status > Logs > VPN Logs
Note: The following feature is available upon licensed activation of VPN / Firewall features for the system.
This page displays IPsec VPN log messages as determined by the configuration settings for facility and severity. This data is useful when evaluating IPsec VPN traffic and tunnel health.
Figure 173: VPN logs displayed in GUI event viewer
Status > Logs > SSLVPN Logs
Note: The following feature is available upon licensed activation of VPN / Firewall features for the system.
This page displays SSLVPN log messages as determined by the configuration sett
28. Details Shows detailed status associated client
4.3.3 WLAN Associated Clients
Status > Traffic Monitor > Associated Clients Statistics > WLAN Associated Clients
The wireless client can roam among APs without interruption in WLAN service. The controller tracks the traffic the client sends and receives during the entire wireless session while the client roams among APs that the controller manages. The controller stores statistics about client traffic while it is associated with a single AP as well as throughout the roaming session.
MAC Address: This field shows the MAC address of the client station.
Packet Transmitted: This field shows the packet transmitted to the client station.
Packet Received: This field shows the packet received to the client station.
Bytes Transmitted: This field shows the bytes transmitted to the client station.
Bytes Received: This field shows the bytes received to the client station.
Figure 51: WLAN Associated Clients
The following actions are supported from this page:
Refresh: Updates the page with the late
29. Figure 2: Setup page for LAN TCP/IP settings (DHCP Relay)
When DHCP relay is enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address.
2.1.1 LAN DHCP Reserved IPs
Setup > Network Settings > LAN DHCP Reserved IPs
The controller's DHCP server can assign TCP/IP configurations to computers in the LAN explicitly by adding the client's network interface hardware address and the IP address to be assigned to that client in the DHCP server's database. Whenever the DHCP server receives a request from a client, the hardware address of that client is compared with the hardware address list present in the database; if an IP address is already assigned to that computer or device in the database t
30. IP address of the remote NAT controller is not known in advance. The gateway Option port acts as responder.
Figure 125: Example of Gateway-to-Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet
Figure 126: Example of three IPsec client connections to the internal network through the DWC IPsec gateway
8.1 VPN Wizard
Setup > Wizard > VPN Wizard
You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required.
Figure 127: VPN Wizard launch screen
This page will guide you through common and easy steps to configure IPsec VPN policies. VPN Setup Wizard: If you would like to utilize our easy to use Web base
31. If the device is an access point, an entry appears in the AP failure list with a failure reason.
Figure 66: IP Discovery
The IP Discovery Status page shows information about communication with the devices in the IP discovery list on the Setup > AP Management > Poll List page.
4.7.6 Configuration Receive Status
Status > Global Info > Config Receive Status
The Peer Controller Configuration feature allows you to send the critical wireless configuration from one controller to all other controllers. In addition to keeping the controllers synchronized, this function enables the administrator to manage all wireless controllers in the cluster from one controller. The Peer Controller Configuration Received Status page provides information about the configuration a controller has received from one of its peers.
Current Receive Status: Indicates the global status when wireless configuration is received from a peer controller. The possible status values are as follows: Not Started; Receiving Configuration; Saving Configuration; Applying AP Profile Configuration; Success; Failure - Invalid Code Version; Failure - Invalid Hardware Version; Failure - Invalid Configuration.
Last Configuration Received: Peer controller IP Address indicates the
32. In most cases the default settings can be used if the ISP did not specify that parameter. The last step in the Wizard is to click the Connect button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller.
6.2 Option Configuration
Setup > Internet Settings > Option1 Settings > Option1 Setup
You must either allow the controller to detect the Option connection type automatically or manually configure the following basic settings to enable Internet connectivity.
Connection type: Based on the ISP you have selected for the primary Option link for this controller, choose Static IP address, DHCP client, Point-to-Point Tunneling Protocol (PPTP), Point-to-Point Protocol over Ethernet (PPPoE), or Layer 2 Tunneling Protocol (L2TP). Required fields for the selected ISP type become highlighted. Enter the following information as needed and as provided by your ISP.
PPPoE Profile Name: This menu lists configured PPPoE profiles, particularly useful when configuring multiple PPPoE connections (i.e. for Japan ISPs that have multiple PPPoE support).
ISP login information: This is required for PPTP and L2TP ISPs.
• User Name
• Password
• Secret (required for L2TP only)
MPPE Encryption: For PPTP links, your ISP may require you to enable Microsoft Point-to-Point Encryption (MPPE).
Split Tunnel (supported for PPTP
33. Tools > Admin > SNMP System Info
The controller is identified by an SNMP manager via the System Information. The identifier settings The SysName set here is also used to identify the controller for SysLog logging.
Figure 166: SNMP system information for this controller
12.4 SNMP Traps
Advanced > Global > SNMP Traps
If you use Simple Network Management Protocol (SNMP) to manage the DWC-1000 wireless controller, you can configure the SNMP agent on the controller to send traps to the SNMP manager on your network. When an AP is managed by a controller, it does not send out any traps. The controller generates all SNMP traps based on its own events and the events it learns about through updates from the APs it manages.
Figure 167: SNMP Traps
Simple Network
34. [Screenshot: SSID Associated Client Status, List of SSID Associated Clients, with columns SSID and Client MAC Address]
The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
View Client Details: Display associated client details.
Refresh: Updates the page with the latest information.
4.8.4 Associated Client VAP Status
Status > Wireless Client Info > Associated Clients > VAP Status
Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page shows information about the VAPs on the managed AP that have associated wireless clients. To disconnect a client from an AP, select the box next to the BSSID, and then click Disassociate.
BSSID: Indicates the Ethernet MAC address for the managed AP VAP where this client is associated.
SSID: Indicates the SSID for the managed AP VAP where this client is associated.
AP MAC Address: This field indicates the base AP Ethernet MAC address for the managed AP.
Radio: Displays the managed AP radio interface the client is associated to and its configured mode.
Client MAC Address: The Ethernet
35. RADIUS authentication server is configured.
RADIUS Accounting Server Name: Enter the name of the RADIUS server used for reporting wireless client associations and disassociations. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted.
RADIUS Accounting Server Configured: Indicates whether the RADIUS accounting server is configured.
RADIUS Accounting: Select to enable RADIUS accounting for wireless clients.
Country Code: Select the country code that represents the country where your controller and APs operate. When you click Submit, a pop-up message asks you to confirm the change. Wireless regulations vary from country to country. Make sure you select the correct country code so that your WLAN system complies with the regulations in your country.
2.8 Wireless Discovery configuration
The wireless controller can discover, validate, authenticate, or monitor the following system devices:
• Peer wireless controllers
• APs
• Wireless clients
• Rogue APs
• Rogue wireless clients
Setup > AP Management > Poll List
The wireless controller can discover peer wireless controllers and APs regardless of whether these devices are connected to each other, located in the same Layer 2 broadcast domain, or attached to different IP subnets. In order for the controller to discover other WLAN devices and establish communication with them, the devices must
36. Range: If the policy governs a type of traffic, this field is used for defining TCP or UDP port number(s) corresponding to the governed traffic. Leaving the starting and ending port range blank corresponds to all UDP and TCP traffic.
Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding, or both.
Defined Resources: This policy can provide access to specific network resources. Network resources must be configured in advance of creating the policy to make them available for selection as a defined resource. Network resources are created with the following information
Permission: The assigned resources defined by this policy can be explicitly permitted or denied.
Using Network Resources
Setup > VPN Settings > SSL VPN Server > Resources
Network resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users. Adding a Network Resource involves creating a unique name to identify the resource and assigning it to one or all of the supported SSL services. Once this is done, editing one of the created network resources allows you to configure the object type (either IP address or IP range) associated with the service. The Network Address, Mask Length, and Port Range / Port Number can all be defined for this
37. SNMP Configuration
12.4 SNMP Traps
12.5 Configuring Time Zone and NTP
12.6 Log Configuration
12.6.1 Defining What to Log
12.6.2 Sending Logs to E-mail or Syslog
12.6.3 Event Log Viewer
12.7 Backing up and Restoring Configuration Settings
12.8 Upgrading Wireless Controller Firmware
12.9 Dynamic DNS Setup
12.9.1 Using Diagnostic Tools
12.9.2 Ping
12.9.3 Trace Route
12.9.4 DNS Lookup
12.9.5 Router Options
License Activation
Appendix A. Glossary
Appendix B. Factory Default Settings
List of Figures
Figure 1: Setup page for LAN TCP/IP settings (DHCP Server)
38. address of the client station.
Client IP Address: The IP address of the client station.
Figure 72: Associated Client VAP Status
The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
Refresh: Updates the page with the latest information.
4.8.5 Controller Associated Client Status
Status > Wireless Client Info > Associated Clients > Controller Status
This shows information about the controller that manages the AP to which the client is associated.
Controller IP Address: Shows the IP address of the controller that manages the AP to which the client is associated.
Client MAC Address: Shows the MAC address of the associated client.
Figure 73: Controller Associated Client Status
39. are specified in the Known Client database and are not explicitly denied access are granted access. If the MAC address is not in the database, then the access to the client is denied.
Detected Clients Status Timeout: This value determines how long to keep an entry in the Detected Client Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted.
Tunnel IP MTU Size: Select the maximum size of an IP packet handled by the network. The MTU is enforced only on tunneled VAPs. When IP packets are tunneled between the APs and the Unified Wireless controller, the packet size is increased by 20 bytes during transit. This means that clients configured for 1500 byte IP MTU size may exceed the maximum MTU size of existing network infrastructure, which is set up to controller and route 1518/1522 (tagged) byte frames. If you increase the tunnel IP MTU size, you must also increase the physical MTU of the ports on which the traffic flows.
Note: If any of the following conditions are true, you do not need to increase the tunnel IP MTU size:
The wireless network does not use L3 tunneling.
The tunneling mode is used only for voice traffic, which typically has small packets.
The tunneling mode is used only for TCP-based protocols, such as HTTP. This is because the AP automatically reduces the maximum segment size for all TCP connections to fit within the tunnel.
Cluster Priority
40. client first associates with an AP in the wireless system, the AP forwards its data using the VLAN forwarding mode. The AP to which the client initially associates is the Home AP. The AP to which the client roams is the Association AP.
Figure 158: Distributed Tunneling (values shown in the screenshot: Distributed Tunnel Clients 128, range 1 to 8000; Distributed Tunnel Idle Timeout 120, range 30 to 3600; Distributed Tunnel Timeout 7200, range 30 to 86400; Distributed Tunnel Max Multicast Replications Allowed 128, range 1 to 1024)
Distributed Tunnel Clients: Specify the maximum number of distributed tunneling clients that can roam away from the Home AP at the same time.
Distributed Tunnel Idle Timeout: Specify the number of seconds of no activity by the client before the tunnel to that client is terminated and the client is forced to change its IP address.
Distributed Tunnel Timeout: Specify the number of seconds before the tunnel to the roamed client is terminated and the client is forced to change its IP address.
Distributed Tunnel Max Multicast Replications Allowed: Specify the maximum number of tunnels to which a multicast frame is copied on the Home AP.
11.3 Distributed Tunneling Status
Status > Dashboard > Distributed Tunneling
This page shows information about all the distributed tunnel clients.
41. configured policies for the controller.
Figure 146: SSL VPN policy configuration
To configure a policy for a single user or group of users, enter the following information:
Policy For: The policy can be assigned to a group of users, a single user, or all users (making it a global policy). To customize the policy for specific users or groups, the user can select from the Available Groups and Available Users drop-down.
9.2.1 Apply Policy To: This refers to the LAN resources managed by the DWC-1000, and the policy can provide or prevent access to network resources (IP address, IP network, etc.).
Policy Name: This field is a unique name for identifying the policy.
IP address: Required when the governed resource is identified by its IP address or range of addresses.
Mask Length: Required when the governed resource is identified by a range of addresses within a subnet.
Port
42. controller. You must connect the controller to a 192.168.10.0 network. After you configure network information such as the IP address and subnet mask, and the controller is physically and logically connected to the network, you can manage and monitor the controller remotely through a Web browser or an SNMP-based network management system. Once the initial setup is complete, the DWC-1000 can be managed through a wired interface connected to the controller.
Note: Access the controller's GUI for management by using any web browser, such as Microsoft Internet Explorer or Mozilla Firefox. Go to http://192.168.10.1 (default IP address) to display the controller's management login screen.
Default login credentials for the management GUI:
• Username: admin
• Password: admin
Note: If the controller's LAN IP address was changed, use that IP address in the navigation bar of the browser to access the controller's management UI.
LAN Configuration
Setup > Network Settings > LAN Setup Configuration
By default in the controller, the Dynamic Host Configuration Protocol (DHCP) mode is set to None. The DHCP mode can be set as a DHCP server or DHCP relay. When DHCP mode is set as DHCP server, the controller functions as a DHCP server for assigning IP address leases to hosts on the WLAN or LAN. With DHCP, PCs and other LAN devices can be assigned IP addresses, the default gateway, as well as addresses for
43. display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the Status > Logs page) or a remote Syslog server for later review. E-mail logs, discussed in a subsequent section, follow the same configuration as logs configured for a Syslog server.
Tools > Log Settings > Logs Configuration
This page allows you to determine the type of traffic through the controller that is logged for display in Syslog, E-mailed logs, or the Event Viewer. Denial of service attacks, general attack information, login attempts, dropped packets, and similar events can be captured for review by the IT administrator.
Traffic through each network segment (LAN, Option, DMZ) can be tracked based on whether the packet was accepted or dropped by the firewall.
Accepted Packets are those that were successfully transferred through the corresponding network segment (i.e. LAN to Option). This option is particularly useful when the Default Outbound Policy is "Block Always", so the IT admin can monitor traffic that is passed through the firewall.
• Example: If Accept Packets from LAN to Option is enabled and there is a firewall rule to allow SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be accepted and a message will be logged. (Assuming the log option is set to Allow for the SSH firewall r
44. domains
• Timeout: The timeout period for reaching the authentication server.
• Retries: The number of retries to authenticate with the authentication server, after which the DWC-1000 stops trying to reach the server.
Figure 139: SSLVPN Settings
Login Policies
To set login policies for the group, select the corresponding group and click Login policies. The following parameters are configured:
Group Name: This is the name of the group that can have its login policy edited.
Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s).
Deny Login from Option interface: Enable to prevent the users of this group from logging in from an Option (wide area network) interface. In this case only login through LAN is allowed.
Figure 140: Group login policies options
45. [Screenshot: Connected Peer Controllers, with columns Peer IP Address, Controller IP Address, Configuration, Timestamp]
The following actions are supported from this page:
Refresh: Updates the page with the latest information.
4.7.4 Peer Controller Managed AP Status
Status > Global Info > Peer Controller > Managed AP
The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address.
MAC Address: Shows the MAC address of each AP managed by the peer controller.
Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when "All" is selected from the drop-down menu.
Location: The descriptive location configured for the managed AP.
AP IP Address: The IP address of the AP.
Profile: The AP profile applied to the AP by the controller.
Hardware ID: The Hardware ID associated with the AP hardware platform.
Figure 65: Peer Controller Man
46. have their own IP address, must be able to find other WLAN devices, and must be compatible. When the controller discovers and validates APs, the controller takes over the management of the AP. If you configure the AP in Standalone mode, the existing AP configuration is replaced by the default AP Profile configuration on the controller.
L3/IP Discovery: Select or clear this option to enable or disable IP-based discovery of access points and peer wireless controllers. When the L3/IP Discovery option is selected, IP polling is enabled and the controller will periodically poll each address in the configured IP List. By default, L3/IP Discovery is enabled.
List of IP Address: Shows the list of IP addresses configured for discovery. To remove entries from the list, select one or more entries and click Delete. Hold the shift key or control key to select specific entries.
IP Address Range: This text field is used to add a range of IP address entries to the IP List. Enter the IP address at the start of the address range in the From field, and enter the IP address at the end of the range in the To field, then click Add. All IP addresses in the range are added to the IP List. Only the last octet is allowed to differ between the From address and the To address.
Figure 31: Configuring the Wireless Discovery
47. network for this protocol binding.
Address Range: Select if you want to allow computers within an IP address range to be a part of the source network. Requires Start address and End address.
Start Address: IP address from where the range needs to begin, or the single address if that is the source network selected.
End Address: IP address where the range needs to end.
Destination Network: Select one of the following:
Any: No specific network needs to be given.
Single Address: Limit to one computer. Requires the IP address of the computer that will be part of the destination network for this protocol binding.
Address Range: Select if you want to allow computers within an IP address range to be a part of the destination network. Requires Start address and End address.
Start Address: IP address from where the range needs to begin, or the single address if that is the destination network selected.
End Address: IP address where the range needs to end.
Routing Configuration
Routing between the LAN and Option will impact the way this controller handles traffic that is received on any of its physical interfaces. The routing mode of the gateway is core to the behaviour of the traffic flow between the secure LAN and the internet.
Routing Mode
Setup > Internet Settings > Routing Mode
This device supports classical routing, network address translation (NAT), and transport mode routing.
• With classical routing, devices on the LAN can be d
48. number of clients that are associated with an AP that are using distributed tunneling.
Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when the client roamed.
The following actions are supported from this page:
Refresh: Updates the page with the latest information.
Clear Statistics: Reset all counters on the page to zero.
4.7.2 Peer Controller Status
Status > Global Info > Peer Controller > Status
The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients. The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One controller in a cluster is elected as a Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs peer controllers manage and the clients associated to those APs.
Cluster Controller IP Address: IP address of the controller that controls the cluster.
Peer Controllers: Displays the number of peer controllers in the cluster.
List of Peer Controllers
IP Address: IP address of the peer wireless con
49. of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix. Prefix Delegation. The following settings are used to configure the Prefix Delegation. Prefix Delegation: Select this option to enable prefix delegation in DHCPv6 server. This option can be selected only in Stateless Address Auto Configuration mode of DHCPv6 server. Prefix Address: IPv6 prefix address in the DHCPv6 server prefix pool. Prefix Length: Length of the prefix address. 2.1.4 DHCPv6 Leased Clients. Advanced > IPv6 > IPv6 LAN > DHCPv6 Leased Clients. This page provides the list of DHCPv6 clients connected to the LAN DHCPv6 Server and to whom DHCPv6 Server has given leases. Figure 6: DHCPv6 Leased Clients. IP Addresses: This is the DHCP server IP address. DUID: Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients. DH
50. on the Option Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE and Japan Multiple PPPoE. Figure 89: PPPoE configuration for standard ISPs. This page allows you to set up your Internet connection. Ensure that you have the Internet connection information such as the IP Addresses, Account Information, etc. This information is usually provided by your ISP or network administrator. Most PPPoE ISPs use a single control and data connection and require username/password credentials to log in and authenticate the DWC-1000 with the ISP. The ISP connection type for this case is PPPoE (Username/Password). The GUI will prompt you for authentication, service and connection settings in order to establish the PPPoE link. For some ISPs, most popular in Japan, the use of Japanese Multiple PPPoE is required in order to establish concurrent primary and secondary PPPoE connections between the DWC-1000 and the ISP. The Primary connection is used for the bulk of data and internet traffic, and the Secondary PPPoE connection carries ISP specific, i.e. cont
51. radio. View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages. View Distributed Tunneling Details: Shows information about the L2 tunnels currently in use on the AP. Figure 44: Wireless LAN AP information. MAC Address: The Ethernet address of the controller managed AP. If the MAC address of the AP is followed by an asterisk, it is managed by a peer controller. IP Address: The network IP address of the managed AP. Age: Time since last communication between the controller and the AP. Status: The current managed state of the AP. The possible values are
52. reach the controller's PPTP server. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to the network managed by the controller. Figure 133: PPTP tunnel configuration, PPTP Server. PPTP allows an external user to connect to your router through the internet. This section allows you to enable/disable PPTP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they are on your LAN (they can communicate with LAN hosts, access any servers present, etc.). 8.4.2 L2TP Tunnel Support. Setup > VPN Settings > L2TP > L2TP Server. A L2TP VPN can be established through this controller. Once enabled, a L2TP server is available on the controller for LAN and Option L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the controller's L2TP server. Once authenticated by the L2TP server (the tunnel endpoint), L2TP clients have access to the network managed by
53. server requires entering the local server IP address and TCP port number of the application to be tunnelled. The table below lists some common applications and corresponding TCP port numbers. TCP Application: FTP Data (usually not needed), FTP Control Protocol, web, receive mail, NTP (network time protocol), Terminal Services, VNC (virtual network computing) 5900 or 5800. As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error-prone IP addresses when using the Port Forwarding service through the SSL User Portal. To configure port forwarding, the following are required. Local Server IP address: The IP address of the local server which is hosting the application. TCP port: The TCP port of the application. Once the new application is defined it is displayed in a list of configured applications for port forwarding. allow users to access the private network servers by using a hostname instead of an IP address, the FQDN corresponding to the IP address is defined in the port forwarding host configuration section. Local server IP address: The IP address of the local server hosting the application. The application should be configured in advance. Ful
54. the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the controller) has obtained an IP address from the newly assigned pool or has a static IP address in the controller's LAN subnet before accessing the controller via the changed IP address. Subnet mask (factory default: 255.255.255.0). 2. In the DHCP section, select the DHCP mode. None: the controller's DHCP server is disabled for the LAN. DHCP Server: With this option the controller assigns an IP address within the specified range, plus additional specified information, to any LAN device that requests DHCP served addresses. If DHCP is being enabled, enter the following DHCP server parameters. DHCP Relay: With this option enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP address. Starting and Ending IP Addresses: Enter the first and last continuous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. The default starting address is 192.168.10.100. The default ending address is 192.168.10.254. These addresses should be in the same IP address subnet as the controller's LAN IP address. You may w
55. the controller. Figure 134: L2TP tunnel configuration, L2TP Server. L2TP allows an external user to connect to your router through the internet, forming a VPN. This section allows you to enable/disable L2TP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they are on your LAN (they can communicate with LAN hosts, access any servers present, etc.). Enter the range of IP addresses that is allocated to L2TP Clients. Authentication Supported: CHAP, MS-CHAP, MS-CHAPv2. 8.4.3 OpenVPN Support. Setup > VPN Settings > OpenVPN > OpenVPN Configuration. OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. An OpenVPN can be established through this controller. Check/Uncheck this and click save settings to start/stop openvpn server. Mode: OpenVPN daemon mode. It can run in ser
56. the firewall rules that control traffic to and from your network. The List of Available Firewall Rules table includes all firewall rules for this device and allows several operations on the firewall rules. 7.2 Defining Rule Schedules. Tools > Schedules. Firewall rules can be enabled or disabled automatically if they are associated with a configured schedule. The schedule configuration page allows you to define days of the week and the time of day for a new schedule, and then this schedule can be selected in the firewall rule configuration page. Note: All schedules will follow the time in the controller's configured time zone. Refer to the section on choosing your Time Zone and configuring NTP servers for more information. Figure 107: List of Available Schedules to bind to a firewall rule. When you create a firewall rule, you can specify a schedule when the rule applies. The table lists all the Available Schedules for this device and allows several operations on the Schedules. Li
57. to configure Router Advertisement Daemon (RADVD) related configurations. Advertisement Prefixes. Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes. The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router. The following prefix options are available for the router advertisements. IPv6 Prefix Type: To ensure hosts support IPv6 to IPv4 tunnel, select the 6to4 prefix type. Selecting Global/Local/ISATAP will allow the nodes to support all other IPv6 routing options. SLA ID: The SLA ID (Site-Level Aggregation Identifier) is available when 6to4 Prefixes are selected. This should be the interface ID of the router's LAN interface used for router advertisements. IPv6 Prefix: When using Global/Local/ISATAP prefixes, this field is used to define the IPv6 network advertised by this router. IPv6 Prefix Length: This value indicates the number of contiguous higher o
58. to login to the ISP. Authentication Type: The type of Authentication in use by the profile: Auto Negotiate, PAP, CHAP, MS-CHAP, MS-CHAPv2. DHCPv6 Options: The mode of DHCPv6 client that will start in this mode: disable dhcpv6, stateless dhcpv6, stateful dhcpv6, stateless dhcpv6 with prefix delegation. Primary DNS Server: Enter a valid primary DNS Server IP Address. Secondary DNS Server: Enter a valid secondary DNS Server IP Address. Click Save Settings to save your changes. Checking Option Status. Setup > Internet Settings > Option1 Settings > Option 1 Status. The status and summary of configured settings for both Option 1 and Option 2 are available on the Option Status page. You can view the following key connection status information for each Option port. MAC Address: MAC Address of the Option port. IPv4 Address: IP address of the Option port followed by the Option subnet. Option State: Indicates the state of the Option port (UP or DOWN). NAT (IPv4 only): Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled). IPv4 Connection Type: Indicates if the Option IPv4 address is obtained dynamically through a DHCP server, or assigned statically by the user, or obtained through a PPPoE (Username/Password), PPTP (Username/Password), L2TP (Username/Password), Japanese multiple PPPoE, Russian dual access PPPoE, Russian dual access PPTP, or Russian dual access L2TP ISP connection. IPv4 Connection State: Indica
59. traffic covered by this rule. If the From Zone is the Option, the To Zone can be the public DMZ or secure LAN. Similarly, if the From Zone is the LAN, then the To Zone can be the public DMZ or insecure Option. 5. Parameters that define the firewall rule include the following. Service: ANY means all traffic is affected by this rule. For a specific service, the drop-down list has common services, or you can select a custom defined service. Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK. A schedule must be preconfigured in order for it to be available in the dropdown list to assign to this rule. Source & Destination users: For each relevant category, select the users to which the rule applies: Any (all users), Single Address (enter an IP address), Address Range (enter the appropriate IP address range). Log: traffic that is filtered by this rule can be logged; this requires configuring the controller's logging feature separately. QoS Priority: Outbound rules (where To Zone = insecure Option only) can have the traffic marked with a QoS priority tag. Select a priority level: Normal Service (ToS 0, lowest QoS), Minimize Cost (ToS 1), Maximize Reliability (ToS 2), Maximize Throughput (ToS 4), Minimize Delay (ToS 8, highest QoS). 6. Inbound rules can u
60. usec units 47. Data 1 (Video): AIFS (msecs) 2, cwMin (msecs) 7, cwMax (msecs) D g, TXOP Limit (32 usec units) 94. Data 2 (Best Effort): AIFS (msecs) 3, cwMin (msecs) 15, cwMax (msecs) 1023, TXOP Limit (32 usec units) 0. Data 3 (Background): AIFS (msecs) 7, cwMin (msecs) 15, cwMax (msecs) 1023, TXOP Limit (32 usec units) 0. Chapter 3 Configuring Wireless LAN. 3.1 WLAN Setup Wizard. Setup > Wizard > WLAN Setup Wizard. The WLAN Setup Wizard is available for users for configuring the basic wireless controller settings such as radio, SSID and Access Point. Figure 40: WLAN Setup Wizard. This page will guide you through common configuration tasks for Wireless Controller such as Global Configuration, Radio Configuration and VAP Configuration. If you would like to utilize our easy to use Web based Wizards to assist you in connecting your new D-Link Wireless Controller, click on the button below. Note: Before launching these wizards, please make sure you have followed all steps outlined in the Quick Installation Guide included in the package. You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set Country Code that you are located in and t
61. 12.9.1 Using Diagnostic Tools. Tools > System Check. The controller has built-in tools to allow an administrator to evaluate the communication status and overall network health. Figure 178: Controller diagnostics tools available in the GUI. This page can be used for diagnostics purpose. This page provides user with some diagnostic tools like ping, traceroute and packet sniffer. 12.9.2 Ping. This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING. The command output will appear indicating the ICMP echo request status. 12.9.3 Trace Route. This utility will display all the controller present between the destination IP address and this
62. when Auto is selected. With this option the optimal port settings are determined by the controller and network. The duplex (half or full) can be defined based on the port support, as well as one of three port speeds: 10 Mbps, 100 Mbps and 1000 Mbps (i.e. 1 Gbps). The default setting is 100 Mbps for all ports. The default MAC address is defined during the manufacturing process for the interfaces and can uniquely identify this controller. You can customize each Option port's MAC address as needed, either by letting the Option port assume the current LAN host's MAC address or by entering a MAC address manually. Figure 104: Physical Option port settings. This page allows user to configure advanced WAN options for the router. 6.9 IP Aliases. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Setup > Internet Settings > IP Aliases. The List of IP Aliases displays the configured IP Aliases on the controller. Figure 105: IP Aliases.
63. whether a client in the Known Client database is authenticated with an unknown AP. Client Threat Mitigation: Select enable to send de-authentication messages to clients that are in the Known Clients database but are associated with unknown APs. The Authentication with Unknown AP Test must also be enabled in order for the mitigation to take place. Select disable to allow clients in the Known Clients database to remain authenticated with an unknown AP. Known Client Database Lookup Method: When the controller detects a client on the network, it performs a lookup in the Known Client database. Specify whether the controller should use the local or RADIUS database for these lookups. Known Client Database RADIUS Server Name: If the known client database lookup method is RADIUS, then this field specifies the RADIUS server name. Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent. De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients. De-Authentication Requests Threshold Value: If controller receives more than specified messages during the threshold interval, the test triggers. Authentication Requests Threshold Interval
64. WLAN Controller Operational Status: This status field displays the operational status of this controller, a WLAN controller. The WLAN Controller may be configured as enabled, but is operationally disabled due to configuration dependencies. If the operational status is disabled, the reason will be displayed in the following status field. IP Address: IP address of the controller. Peer Controller: Number of peer WLAN controllers detected on the network. Cluster Controller: Indicates whether this controller is the Cluster Controller for the cluster. Cluster Controller IP Address: The IP address of the peer controller that is the Cluster Controller. Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points and Discovered Access Points. Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller. Standalone
65. Channel Plan History Depth: The channel plan history lists the channels the controller assigns each of the APs it manages after a channel plan is applied. Entries are added to the history regardless of interval time or channel plan mode. The number you specify in this field controls the number of iterations of the channel assignment. Note: APs changed in previous iterations cannot be assigned new channels in the next iteration. This history prevents the same APs from being changed time after time. Channel Plan Interval: If you select the Interval channel plan mode, you can specify the frequency at which the channel plan calculation and assignment occurs. The interval time is in hours, and you can specify an interval that ranges between every 6 hours to every 24 hours. Channel Plan Fixed Time: If you select the Fixed Time channel plan mode, you can specify the time at which the channel plan calculation and assignment occurs. The channel plan calcu
66. The following actions are supported from this page. Add: Adds a client with the MAC address you enter in the field to the Known Client database. Delete: Removes the selected client from the Known Client database. Edit: Changes the setting of particular MAC address. 7.8 Application Rules. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Application Rules > Application Rules. Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic. This can be thought of as a form of dynamic port forwarding while an application is transmitting data over the opened outgoing or incoming port(s). Port triggering application rules are more flexible than static port forwarding that is an available option when configuring firewall rules. This is because a port triggering rule does not have to reference a specific LAN IP or IP range. As well, ports are not left open when not in use, thereby providing a level of security that port forwarding does not offer. Note: Port triggering is not app
67. Only Unmanaged APs can be deleted. The following actions are supported from this page. Delete: Remove the selected AP from the AP provisioning list. Delete All: Remove all APs from the AP provisioning list. Provision: Initiate provisioning for the selected AP. You can provision an AP only from the cluster controller. After the AP is provisioned, it should become managed by the controller with the configured Primary IP Address and appear in the AP provisioning database as a managed AP. Edit: Edit the parameters of selected AP from the AP provisioning list. Refresh: Updates the page with the latest information. 5.6 Manual Management. Setup > AP Management > Manual Management. When the AP is in Managed mode, remote access to the AP is disabled. From the Manual Management page, you can also manually change the RF channel and power for each radio on an AP. The manual power and channel changes override the settings configured in the AP profile, including automatic channel selection, and take effect immediately. The manual channel and power assignments are not retained when the AP is reset or if the profile is reapplied to the AP, such as when the AP disassociates and reassociates with the controller. Figure 86: Manual M
68. 4.7 Global info. 4.7.1 Global status. Status > Global Info > Global Status. The DWC-1000 controller periodically collects information from the APs it manages and from associated peer controller. The information on the Global page shows status and statistics about the controller and all of the objects associated with it. Figure 61: Global Status (Part 1). Figure 62: Global Status (Part 2).
69. 6 APs. You increase the number by 6 upon each AP license. 1.1 About this User Manual. This document is a high level manual to allow new D-Link Wireless Controller users to configure connectivity, WLAN configuration, setup VPN tunnels, establish firewall rules and AP management, and perform general administrative tasks. Typical deployment and use case scenarios are described in each section. For more detailed setup instructions and explanations of each configuration parameter, refer to the online help that can be accessed from each page in the controller GUI. Note: For this user manual, all screenshots are taken with an activated VPN license which enables VPN Firewall features. 1.2 Typographical Conventions. The following is a list of the various terms, followed by an example of how that term is represented in this document. Product Name: D-Link Wireless Controller. Model number: DWC-1000. GUI Menu Path/GUI Navigation: Monitoring > Controller Status. Important note. Chapter 2 Configuring Your Network. 2.1 To enable management access for the browser-based web GUI access or SNMP manager, you must connect the controller to the network. The default IP address/subnet mask of the controller management interface is 192.168.10.1/255.255.255.0, and DHCP server on the LAN is disabled by default on the
70. Enable Ports: When enabled, inbound/outbound firewall rules are added for certain ports to enable Intel AMT service. Option Hosts: If the user selects ANY, all Option side hosts are granted access to the local server. If the user selects Specify Option IPs, he must provide a comma separated list of Option host addresses that are to be allowed access to the Local Server (LAN Host). Option Host Addresses: The user must provide a comma separated list of Option IP addresses that must be allowed access to the Local Server in case he has selected Specify Option IPs in the drop-down menu. Only commas are allowed, and there should be no spaces between the comma and the IP address. Internal IP Address: The user must provide a single IP address of the LAN host (Local Server). Enable Intel AMT Reflector: Check this box to reflect back the data on selected ports to the client initiating the connection. Redirect to Port 16992: Check this box to redirect to port 16992 of the client initiating the connection. Listen on Port: Enter the port on which server should listen for incoming connections. Redirect to Port 16993: Check this box to redirect to port 16993 of the client initiating the connection. Listen on Port: Ent
71. 7 SNMP Trap. Figure 168: Date, Time, and NTP server setup. Figure 169: Facility settings for Logging. Figure 170: Log configuration options for traffic through Controller. Figure 171: E-mail configuration as a Remote Logging option. Figure 172: Syslog server configuration for Remote Logging (continued). Figure 173: VPN logs displayed in GUI event viewer. Figure 174: SSL VPN logs displayed in GUI event viewer. Figure 175: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot. Figure 176: Firmware version information and upgrade option. Figure 178: Controller diagnostics tools available in the GUI. Figure 179: Installing License. Chapter 1 Introduction. D-Link Wireless Control
72. 7 7 AP Hardware Capability. Status > Global Info > AP H/W Capability. The controller can support APs that have different hardware capabilities, such as the supported number of radios, the supported IEEE 802.11 modes, and the software image required by the AP. From the AP Hardware Capability tab, you can access summary information about the AP Hardware support, the radios and IEEE modes supported by the hardware, and the software images that are available for download to the APs. Hardware Type: Identifies the ID number assigned to each AP hardware type. The controller supports up to six different AP hardware types. Hardware Type Description: Includes a description of the platform and the supported IEEE 802.11 modes. Radio Count: Specifies whether the hardware supports one radio or two radios. Image Type: Specifies the type of software the hardware requires. Figure 68: AP Hardware Capability. 4.8 Wireless Client Status
73. AN If an AP configured to be managed by the controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP. Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames. Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending de-authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress. Maximum Managed APs in Peer Group: Maximum number of access points that can be managed by the cluster. WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics. 4.6.2 AP Summary. Status > Access Point Info > APs Summary. The List of AP page shows summary information about managed, failed, and rogue access points the controller has discovered or detected. The status entries can be deleted manually. To clear all APs from the All Access Points status page except Managed Access Points, click Delete All. To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page. Figure 57 AP status
74. AN identifier and the numerical VLAN ID which is assigned to the VLAN membership. The VLAN ID value can be any number from 2 to 255. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface. By enabling Inter VLAN Routing, you will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter VLAN Routing enabled. Figure 18 Adding VLAN memberships to the LAN. This page shows a list of available VLANs which a user can edit or delete. A user can add a new VLAN from this page as well. List of available VLANs (columns: Name, ID): Default, 1; VLAN1, 2. 2.3.1 Associating VLANs to ports. In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port. Setup > VLAN Settings > Port VLAN. VLAN membership properties for the LAN and wireless LAN are listed on this page. The VLAN Port table displays the port identifier, the mode setting for that port, and VLAN membership information. The configuration page is accessed by selecting one of the four physical ports or a configured access point and clicking Edit. The edit page offers t
75. AP you can enter a location. This field accepts up to 32 alphanumeric characters. AP Mode: You can configure the AP to be in one of three modes. Standalone: The AP acts as an individual access point in the network. Managed: If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled. Rogue: Select Rogue as the AP mode if you wish to be notified through an SNMP trap (if enabled) when this AP is detected in the network. Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP. Figure 77 Valid Access Point Configuration. List of Valid APs (columns: MAC Address, AP Mode): 1c af f7 1f 24 40, Managed. The following actions are supported from this page. Edit: To edit AP details in Valid AP page. Delete: To delete a valid AP, provide valid MAC address in Valid AP page. Add: To add an AP in Valid AP page. Figure 78 Add a Valid Access Point
76. Active Runtime Sessions. Figure 29 WLAN CP Interface Association. Figure 30 WLAN global configuration. Figure 31 Configuring the Wireless Discovery. Figure 32 Wireless Discovery Status. Figure 33 AP Profile Global Configuration. Figure 34 AP Profile List. Figure 35 AP Profile Radio Configuration (Part 1). Figure 36 AP Profile Radio Configuration (Part 2). Figure 37 AP Profile SSID configuration. Figure 39 AP Profile QoS configuration (Part 2)
77. Figure 47 Resource Utilization data (continued). 4.2 Traffic Statistics. 4.2.1 Wired Port Statistics. Status > Traffic Monitor > Device Statistics. Detailed transmit and receive statistics for each physical port are presented here. Each interface (Option1, Option2, DMZ, LAN, and VLANs) has port-specific packet-level information provided for review. Transmitted/received packets, port collisions, and the cumulating bytes/sec for transmit/receive directions are provided for each interface, along with the port up time. If you suspect issues with any of the wired ports, this table will help diagnose uptime or transmit level issues with the port. The statistics table has an auto-refresh control which allows display of the most current port level data at each page refresh. The default auto-refresh for this page is 10 seconds. Figure 48 Physical port statistics. This page shows the Rx/Tx packet and byte count for all the system interfaces. It also
78. CP clients use DUIDs to identify a server in messages where a server needs to be identified. IAID: An identifier for an IA, chosen by the client. Each IA has an IAID, which is chosen to be unique among all IAIDs for IAs belonging to that client. This is DHCP server IP address. Configuring IPv6 Router Advertisements. Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router will assign an IP address and supporting network information to devices that are configured to accept such details. Router Advertisement is required in an IPv6 network for stateless auto configuration of the IPv6 LAN. By configuring the Router Advertisement Daemon on this router, the DWC-1000 will listen on the LAN for router solicitations and respond to these LAN hosts with router advertisements. RADVD. Advanced > IPv6 > IPv6 LAN > Router Advertisement. To support stateless IPv6 auto configuration on the LAN, set the RADVD status to Enable. The following settings are used to configure RADVD. RADVD Status: You can enable the RADVD process here to allow stateless auto configuration of the IPv6 LAN network. Advertise Mode: Select Unsolicited Multicast to send router advertisements (RAs) to all interfaces in the multicast group. To restrict RAs to well known IPv6 addresses on the LAN, and thereby reduce overall network traffic, select Unicast only. Advertise Interval: When advertisements are unsolicited mul
79. Channel: Shows the operating channel for the radio. The following actions are supported from this page. Delete All: Manually clear all APs from the All Access Points status page except Managed Access Points. Manage: Configure an Authentication Failed AP to be managed by the controller the next time it is discovered. Select the check box next to the MAC address of the AP before you click Manage. You will be presented with the Valid Access Point Configuration page. You can then configure the AP and click Submit to save the AP in the local Valid AP database. If you use a RADIUS server for AP validation, you must add the MAC address of the AP to the AP database on the RADIUS server. Acknowledge: Identify an AP as an Acknowledged Rogue. Select the check box next to the MAC address of the AP before you click Acknowledge. The controller adds the AP to the Valid AP database as an Acknowledged Rogue. View Details: To view the details of configured APs, select the check box next to the MAC address of the AP before you click View Details. Refresh: Updates the page with the latest information. 4.6.3 Managed AP Status. Status > Access Point Info > Managed AP Status. In the Managed AP Status page you can access a variety of information about each AP that the controller manages. Figure 58 Managed AP status
80. Client Address Range Begin: 192.168.251.1. Client Address Range End: 192.168.251.254. LCP Timeout: 60 Seconds. The controller allows full tunnel and split tunnel support. Full tunnel mode sends all traffic from the client across the VPN tunnel to the controller. Split tunnel mode only sends traffic to the private LAN based on pre-specified client routes. These client routes give the SSL client access to specific private networks, thereby allowing access control over specific LAN services. Client level configuration supports the following. Enable Split Tunnel Support: With a split tunnel, only resources which are referenced by client routes can be accessed over the VPN tunnel. With full tunnel support (if the split tunnel option is disabled, the DWC-1000 acts in full tunnel mode), all addresses on the private network are accessible over the VPN tunnel. Client routes are not required. DNS Suffix: The DNS suffix name which will be given to the SSL VPN client. This configuration is optional. Primary DNS Server: DNS server IP address to set on the network adaptor created on the client host. This configuration is optional. Secondary DNS Server: Secondary DNS server IP address to set on the network adaptor created on the client host. This configuration is optional. Client Address Range Begin: Clients who connect to the tunnel get a DHCP served IP address assigned to the network adapto
81. Attack Checks. This page allows you to specify whether or not to protect against common attacks from the LAN and WAN networks. Settings shown on the page: Option Security Checks: Enable Stealth Mode, Block TCP flood. LAN Security Checks: Block UDP flood. Allow Ping from LAN. Block ICMP Notification. Block Fragmented Packets. Block Multicast Packets. Block Spoofed IP Packets. DoS Attacks: SYN Flood Detect Rate (max/sec). Chapter 8 IPsec / PPTP / L2TP VPN. The following feature is available upon licensed activation of VPN / Firewall features for the system. A VPN provides a secure communication channel (tunnel) between two gateway controllers or a remote PC client. The following types of tunnels can be created. Gateway to gateway VPN: to connect two or more controllers to secure traffic between remote sites. Remote Client (client to gateway VPN tunnel): A remote client initiates a VPN tunnel as the IP address of the remote PC client is not known in advance. The gateway in this case acts as a responder. Remote client behind a NAT controller: The client has a dynamic IP address and is behind a NAT controller. The remote PC client at the NAT controller initiates a VPN tunnel as the
82. DNS servers. Windows Internet Name Service (WINS) servers. The PCs in the LAN are assigned IP addresses from a pool of addresses specified in this procedure. Each pool address is tested before it is assigned, to avoid duplicate addresses on the LAN. For most applications the default DHCP and TCP/IP settings are satisfactory. If you want another PC on your network to be the DHCP server, or if you are manually configuring the network settings of all of your PCs, set the DHCP mode to none. DHCP relay can be used to forward DHCP lease information from another LAN device that is the network's DHCP server; this is particularly useful for wireless clients. Instead of using a DNS server, you can use a Windows Internet Naming Service (WINS) server. A WINS server is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. The controller includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. You can also enable DNS proxy for the LAN. When this is enabled, the controller then acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. When disabled, all DHCP clients receive the DNS IP addresses of the ISP. To configure LAN Connectivity, please follow the steps below. 1. In the LAN Setup page, enter the following information for your controller: IP address (factory default: 192.168.10.1). If you change the IP address and click Save Settings
83. Example of clientless SSL VPN connections to the DWC-1000 (figure labels: DNS Server 10.10.10.163, WINS Server 10.10.10.133, internal network 10.10.10.0, Clientless VPN, Inside, Outside, Internet). 9.1 Groups and Users. Advanced > Users > Groups. The group page allows creating, editing and deleting groups. The groups are associated with a set of user types. The list of available groups is displayed in the List of Groups page with the group name and description of the group. Click Add to create a group. Click Edit to update an existing group. Click Delete to clear an existing group. Figure 137 List of groups. This page shows the list of added groups to the router. The user can add, delete and edit the groups also. The Group configuration page allows you to create a group with a different type of users. The user types are as follows. PPTP User: These are PPTP VPN tunnel LAN users that can establish a tunnel with the PPTP server on the Option. L2TP User: These are L2TP VPN tunnel LAN users that can establish a tunnel with the L2TP server on the Option
84. Failure Type, Age: 1c af f7 1f 24 40, 192.168.10.200, No Database Entry, 0d 00 05 42. MAC Address: The Ethernet address of the AP. If the MAC address of the AP is followed by an asterisk, it was reported by a peer controller. IP Address: The IP address of the AP. Last Failure Type: Indicates the last type of failure that occurred, which can be one of the following: Local Authentication, No Database Entry, Not Managed, RADIUS Authentication, RADIUS Challenged, RADIUS Unreachable, Invalid RADIUS Response, Invalid Profile ID, Profile Mismatch Hardware Type. Age: Time since failure occurred. 4.6.5 AP RF Scan Status. Status > Access Point Info > AP RF Scan Status. The radios on each AP can periodically scan the radio frequency to collect information about other APs and wireless clients that are within range. In normal operating mode the AP always scans on the operational channel for the radio. MAC Address: The Ethernet MAC address of the detected AP. This could be a physical radio interface or VAP MAC. SSID: Service Set ID of the network, which is broadcast in the detected beacon frame. Physical Mode: Indicates the 802.11 mode being used on the AP. Channel: Transmit channel of the AP. Status: Indicates the managed status of the AP, whether this is a valid AP known to the controller or a Rogue on the network. Th
85. IP address associated with a port assigned this VLAN ID. Subnet Mask: Subnet Mask for the above IP Address. The following actions are supported from this page. Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes. Figure 21 Multiple VLAN Subnets. This page shows a list of available multi VLAN subnets. The user can also edit the multi VLANs from this page. Multi VLAN Subnet List (columns: IP Address, Subnet Mask): 192.168.10.1, 255.255.255.0; 192.168.2.1, 255.255.255.0. 2.4 Configurable Port: DMZ Setup. This controller supports one of the physical ports (Option ports) to be configured as a secondary Ethernet port or a dedicated DMZ port. A DMZ is a subnetwork that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN. It is recommended that hosts that must be exposed to the internet (such as web or email servers) be placed in the DMZ network. Firewall rules can be allowed to permit access to specific services/ports on the DMZ from both the LAN or Option. In the event of an att
86. Captive Portal login page fields: Login Section Title (optional), Welcome Message (optional), Error Message (optional). Advertisement Details: Enable Advertisement, Ad Place, Ad Content, Font, Font Size, Font Color. Footer Details: Change Footer Content, Footer Content, Footer Font Color. Header Details: Allows the user to configure how the header portion of the page should be displayed. Background: Sets the background for the header portion. Add: Will let you add a new image. This image can be set as the header image for this profile. Header Background Color (Custom Color): Allows choosing the custom header background color. Header Caption: Text to be displayed in the header portion. Caption Font: Font of the header text to be displayed. Font Size: Font size for the header text to be displayed. 2 6 2 Font Color: Color in which the text is to be displayed. Login Details. Login Section Title: Title for the Login Box. Welcome Message: Message which is displayed when a user visits the page. Error Message: Error message displayed when the user enters invalid credentials. Advertisement Details. Enable Advertisement: This is to enable an advertisement in the login page, where the user can configure the custom messages/information that need to be displayed in the Captive Portal login page. Ad Place: The loca
87. Management Protocol (SNMP) lets you monitor and manage your router from an SNMP manager. SNMP provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. Users shown in the figure (columns: Name, Privilege, Security level): admin, RWUSER, NoAuthNoPriv; guest, ROUSER, NoAuthNoPriv. The page also lists a Traps List (IP Address) and an Access Control List (IP Address), each with Edit and Delete actions. AP Failure Traps: If you enable this field, the SNMP agent sends a trap if an AP fails to associate or authenticate with the controller. AP State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons: Managed AP Discovered; Managed AP Failed; Managed AP Unknown Protocol Discovered; Managed AP Load Balancing Utilization Exceeded. Client Failure Traps: If you enable this field, the SNMP agent sends a trap if a wireless client fails to associate or authenticate with an AP that is managed by the controller. Client State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons associated with the wireless client: Client Association Detected; Client Disassociation Detected; Client Roam Detected. Peer Controller Traps: If you enable this field, the SNMP agent sends a trap
88. IP Aliases. This page displays the configured IP Aliases on Option interfaces. List of IP Aliases (columns: Interface Name, IP Address, Subnet Mask): OPTION1, 192.168.2.1, 255.255.255.0; OPTION2, 192.168.11.1, 255.255.255.0. Interface Name: The interface on which the Alias was configured. IP Address: The IP Address of the configured IP Alias. Subnet Mask: The Subnet Mask of the configured IP Alias. The following actions are supported from this page. Edit: Opens the IP Alias configuration page to edit the selected IP Alias. Add: Opens the IP Alias configuration page to add a new IP Alias. Delete: Deletes the selected IP Aliases. Chapter 7 Securing the Private Network. The following feature is available upon licensed activation of VPN / Firewall features for the system. You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply. To do so, you must define the following. Services or traffic types (examples: web browsing, VoIP, other standard services, and also custom services that you define). Direction for the traffic, by specifying the source and destination of traffic; this is done by spec
89. PN IPsec policies, which includes Auto and Manual policies. Fields shown on the page: Policy Name; Policy Type (Auto Policy); IKE Version (IKEv1, IKEv2); IPsec Mode (Tunnel Mode); Select Local Gateway (Option); Remote Endpoint (IP Address); Enable Mode Config; Enable NetBIOS; Enable RollOver; Protocol (ESP); Enable DHCP; Local IP (Subnet); Local Start IP Address. Once the tunnel type and endpoints of the tunnel are defined, you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel's security association details. The Phase 2 Auto policy parameters cover the security association lifetime and encryption/authentication details of the phase 2 key negotiation. The VPN policy is one half of the IKE/VPN policy pair required to establish an Auto IPsec VPN tunnel. The IP addresses of the machine or machines on the two VPN endpoints are configured here, along with the policy parameters required to secure the tunnel. Figure 129 IPsec policy configurati
90. Pre-Authentication events that can be recorded by the system. Total Pre-authentication History Entries: Current number of pre-authentication history entries in use by the system. Maximum Roam History Entries: Maximum number of entries that can be recorded in the roam history for all detected clients. Total Roam History Entries: Current number of pre-authentication history entries in use by the system. 4.8.2 Associated Client Status. Status > Wireless Client Info > Associated Clients > Status. You can view a variety of information about the wireless clients that are associated with the APs the controller manages. MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk, the client is associated with an AP managed by a peer controller. AP MAC Address: The Ethernet address of the AP. SSID: The network on which the client is connected. BSSID: The Ethernet MAC address for the managed AP VAP where this client is associated. Detected IP Address: Identifies the IPv4 address of the client, if available. Figure 70 Associated Client Status
91. Ps the controller manages. List of Associated Clients: MAC Address e4 ec 10 5e 0d 0a, AP MAC Address 1c bd b9 95 a6 00, BSSID 1c bd b9 95 a6 10, Detected IP 0.0.0.0. The following actions are supported from this page. Disassociate: Disassociates the selected client from the managed AP. View Details: Display associated client details. View AP Details: Display associated AP details. View SSID Details: Lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access. View VAP Details: Shows information about the VAPs on the managed AP that have associated wireless clients. View Neighbor AP Status: Shows information about access points that the client detects. 4.8.3 Associated Client SSID Status. Status > Wireless Client Info > Associated Clients > SSID Status. Each managed AP can have up to 16 different networks that each has a unique SSID. Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID. SSID: Indicates the network on which the client is connected. Client MAC Address: The Ethernet address of the client station. Figure 71 Associated Client SSID Status
92. Groups. This page allows the user to add login policies for the available users. Group Login Policies: Group Name, Disable Login, Deny Login from Option Interface. Policy by Browsers: To set browser policies for the group, select the corresponding group and click Policy by Browsers. The following parameters are configured. Group Name: This is the name of the group that can have its login policy edited. Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller's GUI. All non-defined browsers will be allowed for login for this group. Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller's GUI. All non-defined browsers will be denied for login for this group. Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined. Check Box At First Column Header: Selects all the defined browsers in the table. Delete: Deletes the selected browser(s). You can add to the list of Defined Browsers by selecting a client browser from the drop d
93. SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD-PARTY CLAIMS AGAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END USER FOR THE PRODUCT. Table of Contents. Chapter 1 Introduction: 1.1 About this User Manual; 1.2 Typographical Conventions. Chapter 2 Configuring Your Network: LAN Configuration; LAN DHCP Reserved IPs; LAN DHCP Leased Clients; LAN Configuration in an IPv6 Network; DHCPv6 Leased Clients; Configuring IPv6 Router Advertisements; Port Queue Scheduling; Port Queue Status; Option QoS Configuration; Traffic Selector Configuration
94. Server IP Address (Primary): IP address of the primary RADIUS authentication server. Authentication Server IP Address (Secondary): IP address of the secondary RADIUS authentication server. Authentication Port: RADIUS authentication server port to send RADIUS messages. Secret: Secret key that allows the device to log into the configured RADIUS server. It must match the secret on the RADIUS server. Timeout: Set the amount of time in seconds the router should wait for a response from the RADIUS server. Retries: This determines the number of tries the router will make to the RADIUS server before giving up. 7.13 Switch Settings. Advanced > Switch Settings. This page allows the user to enable/disable power saving and jumbo frames in the router. Figure 123 Switch settings. Power Saving Options: Power Saving by Cable Length. Jumbo Frames Option: Enable Jumbo Frames. Power Saving State: When enabled, the total power to the LAN controller is dependent on the number of connected ports. The overall current draw when a single port is connected is less than when all of the available LAN ports have an act
95. 5.4 Local OUI Database Summary. Setup > AP Management > Local OUI Database. To help identify AP and wireless client adapter manufacturers detected in the wireless network, the wireless controller contains a database of registered Organizationally Unique Identifiers (OUIs). This is a read-only list with over 10,000 registrations. From the Local OUI Database Summary page you can enter up to 64 user-defined OUIs. The local list is searched first, so the same OUI can be located in the local list as well as the read-only list. OUI Value: Enter the OUI that represents the company ID in the format XX XX XX, where XX is a hexadecimal number between 00 and FF. The first three bytes of the MAC address represent the company ID assignment. The first byte of the OUI must have the least significant bit set to 0. For example, 02 FF FF is a valid OUI but 03 FF FF is not. OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters. Figure 84 Local OUI Database. Note: No entries currently exist in the Local OUI Database. If desired y
96. Detected Client Pre-Authentication History Summary. Detected Client Pre-Authentication History: No preauthentication history entries to display. This page includes the following button. Refresh: Updates the page with the latest information. 4.8.8 Detected Client Roam History. Status > Wireless Client Info > Roam History. The wireless system keeps a record of clients as they roam from one managed AP to another managed AP. MAC Address: MAC address of the detected client. AP MAC Address: MAC address of the managed AP to which the client authenticated. Radio Interface Number: Radio number to which the client is authenticated. VAP MAC Address: VAP MAC address to which the client roamed. SSID: SSID name used by the VAP. New Authentication: A flag indicating whether the history entry represents a new authentication or a roam event. Age: Time since the history entry was added. Figure 76 Detected Client Roam History
97. Table of contents (excerpt):
USB Device Setup
10.2 USB Share Port
10.3 Authentication Certificates
10.4 Intet INIT
Advanced Wireless Controller Features
11.1 Advanced Global Wireless Controller Configuration
11.2 Distributed Tunneling
11.3 Distributed Tunneling Status
11.4 Peer Controller Configuration
11.4.1 Peer Controller Configuration Request Status
11.4.2 Peer Controller Configuration
11.5 WIDS Configuration
11.5.1 WIDS AP Configuration
11.5.2 WIDS Client Configuration
Administration & Management
12.1 Remote Management
12.2 CLI Access
12.3
98. Figure: Approved URLs list. 7.10.3 Blocked Keywords. Advanced > Website Filter > Blocked Keywords. Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List; i.e., if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List, then access to that site will be allowed. Import/export from a text or CSV file for keyword blocking is also supported. Figure 119: One keyword added to the block list. You can block access to websites by entering complete URLs or keywords. Keywords prevent access to websites that contain the specified characters in the URLs or the page contents. The table lists all the blocked keywords and allows several operations on the keywords. 7.10.4 Export Web Filter. Advanced > Website Filter >
99. WIRELESS CONTROLLER USER MANUAL, DWC-1000, BUSINESS WIRELESS SOLUTION. D-Link Corporation, Copyright 2011. http://www.dlink.com. User Manual, DWC-1000 Wireless Controller, Version 1.01. Copyright Notice: This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author. Disclaimer: The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes. Limitations of Liability: UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF
100. acility corresponds to the 802.11 driver used for providing AP functionality to your network. Local1 UTM: This facility corresponds to IPS (Intrusion Prevention System), which helps in detecting malicious intrusion attempts from the Option. For each facility, the following events (in order of severity) can be logged: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging. When a particular severity level is selected, all events with severity equal to and greater than the chosen severity are captured. For example, if you have configured CRITICAL level logging for the Wireless facility, then 802.11 logs with severities CRITICAL, ALERT and EMERGENCY are logged. The severity levels available for logging are:
• EMERGENCY: system is unusable
• ALERT: action must be taken immediately
• CRITICAL: critical conditions
• ERROR: error conditions
• WARNING: warning conditions
• NOTIFICATION: normal but significant condition
• INFORMATION: informational
• DEBUGGING: debug-level messages
Figure 169: Facility settings for Logging.
101. ack to any of the DMZ nodes, the LAN is not necessarily vulnerable as well. Setup > DMZ Setup > DMZ Setup Configuration. DMZ configuration is identical to the LAN configuration. There are no restrictions on the IP address or subnet assigned to the DMZ port, other than the fact that it cannot be identical to the IP address given to the LAN interface of this gateway. Figure 22: DMZ configuration. The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions by default. This zone can be used to host servers and give public access to them. Note: In order to configure a DMZ port, the controller configurable port must be set to DMZ in the Setup > Internet Settings > Configurable Port page. 2.5 Universal Plug and Play (UPnP). Note: The following feature is available upon licensed activation of VPN / Firewall features for the system. Advanced > Adv
102. affic flowing from the access point to the client station (AP EDCA parameters). To disable WMM extensions, click Disabled. To enable WMM extensions, click Enabled. Station EDCA Parameters. Queue: Queues are defined for different types of data transmitted from station to AP. Data 0 (Voice): High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue. Data 1 (Video): High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue. Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). AIFS (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames. The wait time is measured in slots. Valid values for AIFS are through 255. cwMin (Minimum Contention Window): This parameter is used by the algorithm that determines the initial random backoff wait time (window) for data transmission during a period of contention for The value specified in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number
103. aged AP Status. The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. 4.7.5 IP Discovery. Status > Global Info > IP Discovery. The IP Discovery list can contain the IP addresses of peer controllers and APs for the wireless controller to discover and associate with as part of the WLAN. IP Address: Shows the IP address of the device configured in the IP Discovery list. Status: The status is in one of the following states. Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list. Polled: The controller has attempted to contact the IP address. Discovered: The controller contacted the peer controller or the AP in the L3/IP Discovery list and has authenticated or validated the device. Discovered Failed: The controller contacted the peer controller or the AP with IP address in the L3/IP Discovery list and was unable to authenticate or validate the device. Note
104. agement method. APSD is recommended if VoIP phones access the network through the AP. RF Scan Interval: This field controls the length of time between channel changes during the RF Scan. Long Retries: The value in this field indicates the maximum number of transmission attempts on frame sizes greater than the RTS Threshold. The range is 1-255. Rate Limiting: Enabling multicast and broadcast rate limiting can improve overall network performance by limiting the number of packets transmitted across the network. This feature is disabled by default. Note: The available rate limit values are very low for most environments, so enabling this feature is not recommended except for advanced users. To enable Multicast and Broadcast Rate Limiting, click Enabled. To disable Multicast and Broadcast Rate Limiting, click Disabled. Figure 35: AP Profile Radio configuration (Part 1).
105. ailable Firewall Rules table on the Firewall Rules page. 7.3.1 Firewall Rule Configuration Examples. Example 1: Allow inbound HTTP traffic to the DMZ. Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day. Solution: Create an inbound rule as follows: Send to Local Server (DNAT IP): 192.168.5.2 (web server IP address). Example 2: Allow videoconferencing from range of outside IP addresses. Situation: You want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254), from a branch office. Solution: Create an inbound rule as follows. In the example, CUSeeMe (the video conference service used) connections are allowed only from a specified range of external IP addresses. Enable Port Forwarding: Yes (enabled). Example 3: Multi-NAT configuration. Situation: You want to configure multi-NAT to support multiple public IP addresses on one O
106. all blocking rule. 4. As we defined our schedule in schedule Weekend, this is available in the dropdown menu. 5. We want to block the IP range assigned to the marketing group. Let's say they have IP 192.168.10.20 to 192.168.10.30. On the Source Users dropdown, select Address Range and add this IP range as the From and To IP addresses. 6. We want to block all HTTP traffic to any services going to the insecure zone. The Destination Users dropdown should be "any". 7. We don't need to change default QoS priority or Logging (unless desired); clicking Apply will add this firewall rule to the list of firewall rules. 8. The last step is to enable this firewall rule. Select the rule, and click "enable" below the list to make sure the firewall rule is active. 7.4 Security on Custom Services. Advanced > Firewall Settings > Custom Services. Custom services can be defined to add to the list of services available during firewall rule configuration. While common services have known TCP/UDP/ICMP ports for traffic, many custom or uncommon applications exist in the LAN or Option. In the custom service configuration menu you can define a range of ports and identify the traffic type (TCP/UDP/ICMP) for this service. Once defined, the new service will appear in the services list of the firewall rules configuration menu. Figure 111: List of user d
107. an be left blank if you are not using a different FQDN or IP address than the one specified in the Option port's configuration. 3. Configure the Secure Connection Remote Accessibility fields to identify the remote network. Remote LAN IP address: address of the LAN behind the peer gateway. Remote LAN Subnet Mask: the subnet mask of the LAN behind the peer. Note: The IP address range used on the remote LAN must be different from the IP address range used on the local LAN. 4. Review the settings and click Connect to establish the tunnel. The Wizard will create an Auto IPsec policy with the following default values for a VPN Client or Gateway policy (these can be accessed from a link on the Wizard page):
• Local Option ID: wan_local.com (only applies to Client policies)
• Remote Option ID: wan_remote.com (only applies to Client policies)
• Authentication Algorithm: SHA-1
• Authentication Method: Pre-shared Key
• PFS Key-Group: DH-Group 2 (1024 bit)
• NETBIOS: Enabled (only applies to Gateway policies)
Note: The VPN Wizard is the recommended method to set up an Auto IPsec policy. Once the Wizard creates the matching IKE and VPN policies required by the Auto policy, one can modify the required fields through the edit link. Refer to the online help for details. 8.2 Easy Setup Site to Site VPN Tunnel. If you find it difficult to configure VPN policies through VPN wizard, use easy setu
108. an value which can be configured for peer controllers & controllers. The IP Discovery list can contain the IP addresses of peer controllers and APs for the UWS to discover and associate with as part of the WLAN. 4 L2/VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a multicast packet containing the discovery message on each VLAN enabled for discovery. The following actions are supported from this page. Add: Adds the data in the IP Address or VLAN field to the appropriate list. Delete: Deletes the selected entry from the IP or VLAN list. 2.8.1 Wireless Discovery Status. Status > Global Info > IP Discovery. The IP Discovery list can contain the IP addresses of peer controllers and APs for the DWC-1000 to discover and associate with as part of the WLAN. IP Address: Shows the IP address of the device configured in the IP Discovery list. Status: The wireless discovery status is in one of the following states.
• Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list.
• Polled: The controller has attempted to contact the IP address.
• Discovered: The controller contacted the peer controller or the AP in the L3/IP Discover
109. anagement. Each AP managed by the Unified Wireless Switch is listed by its MAC address and location. The location is based on the value in the RADIUS or local Valid AP database. MAC Address: Shows the MAC address of the AP. Location: Shows the AP location, which is based on the value configured in the RADIUS or local Valid AP database. Debug: To help you troubleshoot, you can enable Telnet access to the AP so that you can debug the device from the CLI. The Debug field shows the debug status and can be one of the following:
• Disabled
• Set Requested
• Set in Progress
• Enabled
To change the status, select the AP and click the Managed AP Debug button. Radio Interface: Identifies the radio to which the channel and power settings apply. Channel: Select the AP and click the Edit Channel/Power button to access the Managed AP Channel/Power Adjust page. From that page, you can se
110. anced Network > UPnP. Universal Plug and Play (UPnP) is a feature that allows the controller to discover devices on the network that can communicate with the controller and allow for auto-configuration. If a network device is detected by UPnP, the controller can open internal or external ports for the traffic protocol required by that network device. Once UPnP is enabled, you can configure the controller to detect UPnP-supporting devices on the LAN or a configured VLAN. If disabled, the controller will not allow for automatic device configuration. Configure the following settings to use UPnP. Advertisement Period: This is the frequency with which the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network. Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. A default of 4 is typical for networks with few controllers. Figure 23: UPnP Configuration.
111. and L2TP connection. This setting allows your LAN hosts to access internet sites over this Option link while still permitting VPN traffic to be directed to a VPN configured on this Option port. Note: If split tunnel is enabled, DWC won't expect a default route from the ISP server. In such a case, the user has to take care of routing manually by configuring the routing from the Static Routing page. To keep the connection always on, click Keep Connected. To log out after the connection is idle for a period of time (useful if your ISP costs are based on logon times), click Idle Timeout and enter the time, in minutes, to wait before disconnecting in the Idle Time field. 6.2.1 Option Port IP address. Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login. If static, enter your IP address, IPv4 subnet mask, and the ISP gateway's IP address. PPTP and L2TP ISPs also can provide a static IP address and subnet to configure; however, the default is to receive that information dynamically from the ISP. 6.2.2 Option DNS Servers. The IP addresses of Option Domain Name Servers (DNS) are typically provided dynamically from the ISP, but in some cases you can define the static IP addresses of the DNS ser
112. annel from the available non-interfering, or clear, channels. However, channel conditions can change during operation. Enabling the Automatic Channel makes the radio of APs assigned to this profile eligible for auto-channel selection. You can automatically or manually run the auto-channel selection algorithm to allow the DWC-1000 controller to adjust the channel on APs as WLAN conditions change. Automatic Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or will experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range. Automatic power uses a proprietary algorithm to automatically adjust the RF signal to broadcast far enough to reach wireless clients, but not so far that it interferes with RF signals broadcast by other APs. The power level algorithm increases or decreases the power level in 10% increments based on presence or absence of packet retransmission errors. Initial Power: The automatic power algorithm will not reduce the power below the number you set in the initial power field. By default, the power level is 100%. Therefore, even if you enable the automatic power, the power of the RF signal will not decrease. The power level is a percentage of the maximum transmission power for the RF signal. APSD Mode: Select Enable to enable Automatic Power Save Delivery (APSD), which is a power man
113. applications to access services on the private network without any special network configuration on the remote SSL VPN client machine. It is important to ensure that the virtual (PPP) interface address of the VPN tunnel client does not conflict with physical devices on the LAN. The IP address range for the SSL VPN virtual network adapter should be either in a different subnet or a non-overlapping range from the corporate LAN. Note: The IP addresses of the client's network interfaces (Ethernet, Wireless, etc.) cannot be identical to the controller's IP address or a server on the corporate LAN that is being accessed through the SSL VPN tunnel. Figure 149: SSL VPN client adapter and access configuration.
114. as discovered or detected. Figure 56: AP status. Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points, and Discovered Access Points. Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller. Discovered Access Points: APs that have a connection with the controller but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status. Connection Failed Access Points: Number of APs that were previously authenticated and managed but currently don't have a connection with the controller. Access Points Utilization. Standalone Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller. Rogue Access Points: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues. Authentication Failed Access Points: Number of APs that failed to establish communication with the controller. Unknown Access Points: Number of Unknown APs currently detected on the WL
115. at can be managed by the cluster. WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics. Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status. Authenticated Clients: Total number of clients in the associated client database with an Authenticated status. 802.11a Clients: Total number of IEEE 802.11a-only clients that are authenticated. 802.11b/g Clients: Total number of IEEE 802.11b/g-only clients that are authenticated. 802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n. Maximum Associated Clients: Maximum number of clients that can associate with the wireless system. This is the maximum number of entries allowed in the Associated Client database. Detected Clients: Number of wireless clients detected in the wireless network environment. Maximum Detected Clients: Maximum number of clients that can be detected by the controller. The number is limited by the size of the Detected Client Database. Maximum Pre-authentication History Entries: Maximum number of Client Pre-Authentication events that can be recorded by the system. Total Pre-authentication History Entries: Current number of pre-authentication history entries in use by the syste
116. ation page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity. Since some of the work is done by access points, the controller needs to send messages to the APs to modify its WIDS operational properties. Figure: WIDS AP Configuration. 11.5.2 WIDS Client Configuration. Advanced > WIDS Security > Client. The settings you configure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue. Clients classified as rogues are considered to be a threat to network security. The WIDS feature tracks the following types of management messages that each detected client sends:
• Probe Requests
• 802.11 Authentication Requests
• 802.11 De-Authentication Requests
In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest m
117. atus Timeout. Peer Group ID: In order to support larger networks, you can configure wireless controllers as peers, with up to 8 controllers in a cluster (peer group). Peer controllers share some information about APs and allow L3 roaming among them. Peers are grouped according to the Group ID. Client Roam Timeout: This value determines how long to keep an entry in the Associated Client Status list after a client has disassociated. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. Ad Hoc Client Status Timeout: This value determines how long to keep an entry in the Ad Hoc Client Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. AP Failure Status Timeout: This value determines how long to keep an entry in the AP Authentication Failure Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. MAC Authentication Mode: Select the global action to take on wireless clients in the white list Select this option to specify that any wireless clients with MAC addresses that
118. by this controller. In this case, the controller advertisement daemon (RADVD) must be configured on this device, and ICMPv6 controller discovery messages are used by the host for auto-configuration. There are no managed addresses to serve the LAN nodes. If stateful is selected, the IPv6 LAN host will rely on an external DHCPv6 server to provide required configuration settings. The Domain Name of the DHCPv6 server is an optional setting. Server Preference: Indicates the preference level of this DHCP server. DHCP advertise messages with the highest server preference value to a LAN host are preferred over other DHCP server advertise messages. The default is 255. DNS server: The details can be manually entered here (primary/secondary options). An alternative is to allow the LAN DHCP client to receive the DNS server details from the ISP directly. By selecting Use DNS proxy, this router acts as a proxy for all DNS requests and communicates with the ISP's DNS servers (a Option configuration parameter). Primary and Secondary DNS servers: If there are configured domain name system (DNS) servers available on the LAN, enter the IP addresses here. Lease/Rebind time: Sets the duration of the DHCPv6 lease from this router to the LAN client. IPv6 Address Pools: This feature allows you to define the IPv6 delegation prefix for a range of IP addresses to be served by the gateway's DHCPv6 server. Using a delegation prefix, you can automate the process
119. Figure: Detected Clients list. MAC Address: The Ethernet MAC address of the client. Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database, then the field is blank. Client Status: Shows the client status, which can be one of the following:
• Authenticated: The wireless client is authenticated with the wireless system.
• Detected: The wireless client is detected by the wireless system but is not a security threat.
• Black Listed: The client with this MAC address is specifically denied access via MAC Authentication.
• Rogue: The client is classified as a threat by one of the threat detection algorithms.
Age: Time since any event has been received for this client that updated the detected client database entry. Create Time: Time since this entry was first added to the detected clients database. 4.6 Access Point. 4.6.1 Access Point Status. Status > General > Access Point. The Access Point Status page shows summary information about managed, failed, and rogue access points the controller h
120. Chapter 12. Administration & Management. 12.1 Remote Management. Both HTTPS and telnet access can be restricted to a subset of IP addresses. The controller administrator can define a known PC, single IP address, or range of IP addresses that are allowed to access the GUI with HTTPS. The opened port for SSL traffic can be changed from the default of 443 at the same time as defining the allowed remote management IP address range. Figure 164: Remote Management. From this page a user can configure the remote management feature. This feature can be used to manage the box remotely from the WAN side. 12.2 CLI Access. In addition to the web-based GUI, the gateway supports SSH and Telnet management for command-line interaction. The CLI login credentials are shared with the GUI for administrator users. To access the CLI, type
122. cli in the SSH or console prompt and log in with administrator user credentials.
12.3 SNMP Configuration
Tools > Admin > SNMP
SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller's Management Information Base (MIB) file, the manager can update the controller's hierarchical variables to view or update configuration parameters. The controller, as a managed device, has an SNMP agent that allows the MIB configuration variables to be accessed by the Master (the SNMP manager). The Access Control List on the controller identifies managers in the network that have read-only or read-write SNMP credentials. The Traps List outlines the port over which notifications from this controller are provided to the SNMP community (managers) and also the SNMP version (v1, v2c, v3) for the trap.
Figure 165: SNMP Users, Traps and Access Control
The user table in the figure has the columns Name, Privilege and Security level, with the rows admin / RWUSER / NoAuthNoPriv and guest / ROUSER
123. 6.2.6 Option Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 Option1 Config
For IPv6 Option connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed. In addition to the IPv6 address assigned to your controller, the IPv6 prefix length defined by the ISP is needed. The default IPv6 Gateway address is the server at the ISP that this controller will connect to for accessing the internet. The primary and secondary DNS servers on the ISP's IPv6 network are used for resolving internet addresses, and these are provided along with the static IP address and prefix length from the ISP. When the ISP allows you to obtain the Option IP settings via DHCP, you need to provide details for the DHCPv6 client con
124. controller. Up to 30 hops (intermediate controllers) between this controller and the destination will be displayed.
12.9.4 DNS Lookup
To retrieve the IP address of a Web, FTP, Mail or any other server on the Internet, type the Internet Name in the text box and click Lookup. If the host or domain entry exists, you will see a response with the IP address. A message stating Unknown Host indicates that the specified Internet Name does not exist.
This feature assumes there is internet access available on the Option link(s).
12.9.5 Router Options
The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and Option interface as well. This information is often very useful in debugging traffic and routing issues.
Chapter 13. License Activation
Tools > License
You can activate AP6 and VPN licenses in this controller by providing a valid Activation Key and clicking Activate key. After activating the AP6 license, you should be able to manage 6 more APs. The VPN license activates the VPN license functionality on the DWC-1000 device.
The AP firmware version must be the same as the DWC-1000 WLAN module version.
127. ctable set of VLANs. All data going into and out of the port is tagged. Untagged traffic coming into the port is not forwarded, except for the default VLAN with PVID 1, which is untagged. Trunk ports multiplex traffic for multiple VLANs over the same physical link.
• Select PVID for the port when the General mode is selected.
• Configured VLAN memberships will be displayed on the VLAN Membership Configuration for the port. By selecting one or more VLAN membership options for a General or Trunk port, traffic can be routed between the selected VLAN membership IDs.
Figure 20: Configuring VLAN membership for a port
2.3.2 Multiple VLAN Subnets
Setup > VLAN Settings > Multiple VLAN Subnets
Each configured VLAN ID can map directly to a subnet within the LAN. Each LAN port can be assigned a unique IP address, and a VLAN-specific DHCP server can be configured to assign IP address leases to devices on this VLAN.
VLAN ID: The PVID of the VLAN that will have all member devices be part of the same subnet range.
IP Address: The
128. An external Syslog server is often used by network administrators to collect and store logs from the controller. This remote device typically has fewer memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period. This is typically very useful for debugging network issues or to monitor controller traffic over a long duration.
This controller supports up to 8 concurrent Syslog servers. Each can be configured to receive different log facility messages of varying severity. To enable a Syslog server, select the checkbox next to an empty Syslog server field and assign the IP address or FQDN to the Name field. The selected facility and severity level messages will be sent to the configured and enabled Syslog server once you save this configuration page's settings.
Figure 172: Syslog server configuration for Remote Logging (continued)
12.6.3 Event Log Viewer in GUI
Status > Logs > View
129. d Add the MAC address of the AP to the Valid AP database, which can be kept locally on the controller or in an external RADIUS server. When the controller discovers an AP that is not managed by another controller, it looks up the MAC address of the AP in the Valid AP database. If it finds the MAC address in the database, the controller validates the AP and assumes management. Select the database to use for AP validation and, optionally, for authentication if the Require Authentication Passphrase option is selected.
• Local: If you select this option, you must add the MAC address of each AP to the local Valid AP database.
• RADIUS: If you select this option, you must configure the MAC address of each AP in an external RADIUS server.
Require Authentication Passphrase: Select this option to require APs to be authenticated before they can associate with the controller. If you select this option, you must configure the passphrase on the AP while it is in standalone mode as well as in the Valid AP database.
RADIUS Authentication Server Name: Enter the name of the RADIUS server used for AP and client authentications. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted. The controller acts as the RADIUS client and performs all RADIUS transactions on behalf of the APs and wireless clients.
RADIUS Authentication Server Configured: Indicates whether the
130. To easily establish a VPN tunnel using VPN Wizard, follow the steps below:
1. Select the VPN tunnel type to create.
• The tunnel can either be a gateway to gateway connection (site-to-site) or a tunnel to a host on the internet (remote access).
• Set the Connection Name and pre-shared key: the connection name is used for management, and the pre-shared key will be required on the VPN client or gateway to establish the tunnel.
• Determine the local gateway for this tunnel; if there is more than 1 Option configured, the tunnel can be configured for either of the gateways.
2. Configure Remote and Local Option address for the tunnel endpoints.
• Remote Gateway Type: identify the remote endpoint of the tunnel by FQDN or static IP address.
• Remote Option IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a Gateway. For VPN Clients, this IP address or Internet Name is determined when a connection request is received from a client.
• Local Gateway Type: identify this controller's endpoint of the tunnel by FQDN or static IP address.
• Local Option IP address / FQDN: This field c
131. de the list of QoS services available on the port.
2.2.6 801 p Configuration
Setup > LAN QoS > 801 p Configuration
Port CoS Mapping enables you to change the priority of the PCP value.
Figure 15: 801 p Configuration
CoS Value: Value of the CoS in the PCP part of the LAN traffic.
Priority Queue: Priority for the particular CoS value.
2.2.7 DSCP Configuration
Setup > LAN QoS > DSCP Configuration
This page allows configuring IP DSCP values to which you can map an internal traffic class.
Figure 16: DSCP Configuration
DSCP: Lists the IP DSCP values to which you can map an internal traffic class. The values range from 0 to 63.
Queue: This provides the priority of the queue.
2.2.0 Remark CoS to DSCP
Setup > LAN QoS > Remark CoS to DSCP
Remarking CoS to DSCP is an advanced QoS configuration where the Layer 2 quality of service field is translated to a Layer 3 QoS field in the packet, so that upstream routers can make a QoS decision based on the DSCP
132. devices that are operating on channels that are not legal in the country where the wireless system is set up. Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode.
Standalone AP with unexpected configuration: If the AP is classified as a known standalone AP, then the controller checks whether the AP is operating with the expected configuration parameters. You configure the expected parameters for the standalone AP in the local or RADIUS Valid AP database. This test may detect network misconfiguration as well as potential intrusion attempts. The following parameters are checked:
• Channel Number
• SSID
• Security Mode
• WDS Mode
• Presence on a wired network
Unexpected WDS device detected on network: If the AP is classified as a Managed or Unknown AP and wireless distribution system (WDS) traffic is detected on the AP, then the AP is considered to be Rogue. Only stand-alone APs that are explicitly allowed to operate in WDS mode are not reported as rogues by this test.
Unmanaged AP detected on wired network: This test checks whether the AP is detected on the wired network. If the AP state is Unknown, then the test changes the AP state to Rogue. The flag indicating whether AP is detected on the wired network is reported as part of the RF Scan report. If AP is managed and is detected on the network then t
133. Enable IGMP Proxy: Check this to enable IGMP proxy on this LAN.
Allowed Network Addresses: All the IP network addresses/host addresses of the multicast sources are listed here.
Network Address: The IP network or the host address of the multicast source.
Mask Length: The length of the subnet mask.
The following actions are supported from this page:
Add: To add a network/host address along with mask length.
Edit: To edit a network/host address along with mask length.
Delete: To delete a network/host address along with mask length.
6.8 Option Port Settings
Advanced > Advanced Network > Option Port Setup
The physical port settings for each Option link can be defined here. If your ISP account defines the Option port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network. The default MTU size supported by all ports is 1500. This is the largest packet size that can pass through the interface without fragmentation. This size can be increased; however, large packets can introduce network lag and bring down the interface speed. Note that a 1500 byte size packet is the largest allowed by the Ethernet protocol at the network layer. The port speed can be sensed by the controller
134. e configuration file and prompts to save the file on your host.
2. To restore your saved settings from a backup file, click Browse, then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings.
3. To erase your current settings and revert to factory default settings, click the Default button. The controller will then restore configuration settings to factory defaults and will reboot automatically. See Appendix B for the factory default parameters for the controller.
Figure 175: Restoring configuration from a saved file will result in the current configuration being overwritten and a reboot
12.8 Upgrading Wireless Controller Firmware
Tools > Firmware
You can upgrade to a newer software version from the Administration web page. In the Firmware Upgrade section, to upgrade your firmware, click Browse, locate and select the fi
135. e route will not be shared in a RIP broadcast or multicast. This is only applicable for IPv4 static routes.
Destination: The route will lead to this destination host or IP address.
IP Subnet Mask: This is valid for IPv4 networks only, and identifies the subnet that is affected by this static route.
Interface: The physical network interface (Option, Option2, DMZ or LAN) through which this route is accessible.
Gateway: IP address of the gateway through which the destination host or network can be reached.
Metric: Determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen.
Figure 98: Static route configuration fields
6.5 OSPF
Advanced > Routing > OSPF
Advanced > IPv6 > OSPF
This page shows the OSPFv2 and OSPFv3 parameters configured on the controller. You can also edit the configured parameters from the OSPF configuration page.
Figure 99: OSPFv2 status
136. e valid values are:
• Managed: The neighbor AP is managed by the wireless system.
• Standalone: The AP is managed in standalone mode and configured as a valid AP entry (local or RADIUS).
• Rogue: The AP is classified as a threat by one of the threat detection algorithms.
• Unknown: The AP is detected in the network but is not classified as a threat by the threat detection algorithms.
Age: Time since this AP was last detected in an RF scan.
Status entries for the RF Scan Status page are collected at a point in time and eventually age out. The age value for each entry shows how long ago the controller recorded the entry.
Figure 60: AP RF Scan Status
137. Figure 43: Device Status display (continued)
4.1.3 Wireless LAN AP information
Status > Device Info > Wireless LAN AP Information
The Managed AP status pages allow access to configuration and association information about managed APs and their neighbors.
View AP Details: Shows detailed status information collected from the AP.
View Radio Details: Shows detailed status for a radio interface. Use the radio button to navigate between the two radio interfaces.
View Neighbor APs: Shows the neighbor APs that the specified AP has discovered through periodic RF scans on the selected radio interface.
View Neighbor Clients: Shows information about wireless clients associated with an AP or detected by the AP
138. eam is transmitted on multiple antennas so the receiving system has a better chance of detecting at least one of the data streams. Select one of the following options:
• Enable: The AP transmits the same data stream on multiple antennas at the same time.
• Disable: The AP does not transmit the same data on multiple antennas.
Radio Resource Management: Radio Resource Measurement (RRM) mode requires the Wireless System to send additional information in beacons, probe responses, and association responses. Enable or disable the support for radio resource measurement feature in the AP profile. The feature is set independently for each radio and is enabled by default.
No ACK: Select Enable to specify that the AP should not acknowledge frames with QosNoAck as the service class value.
Multicast Tx Rate (Mbps): Select the 802.11 rate at which the radio transmits multicast frames. The rate is in Mbps. The lowest rate in the 5 GHz band is 6 Mbps.
SSID Configuration
The SSID Configuration page displays the virtual access point (VAP) settings associated with the selected AP profile. Each VAP is identified by its network number and Service Set Identifier (SSID).
Figure 37: AP Profile SSID configuration
139. ect the appropriate driver from the displayed list.
7. Click on next and finish to complete adding the printer.
Figure 153: USB Device Detection
10.2 USB Share Port
Setup > USB Settings > USB Status
The DWC-1000 Wireless controller has a USB interface for printer access. This page allows you to enable USB device support for both interfaces, USB1 and USB2. It also allows you to enable printer access from a particular VLAN.
Figure 154: USB Share Port
10.3 Authentication Certificates
Advanced > Certificates
This gateway uses digital certificates for IP
140. ed captive portal with a specific physical interface or wireless network (SSID). The CP feature only runs on the wired or wireless interfaces that you specify. A CP can have multiple interfaces associated with it, but an interface can be associated to only one CP at a time.
CP Configuration: Lists the captive portals configured on the controller by number and name.
Associated Interfaces: Lists the interfaces that are currently associated with the selected captive portal. Wireless interfaces are identified by the wireless network number and SSID. Physical (wired) interfaces are identified by the Port Description that includes slot number, port number, and interface type.
Interface List: Lists the interfaces available on the controller that are not currently associated with a CP. Wireless interfaces are identified by the wireless network number and SSID. Physical (wired) interfaces are identified by the Port Description that includes slot number, port number, and interface type.
Figure 29: WLAN CP Interface Association
145. efined services

When you create a firewall rule, you can specify a service that is controlled by the rule. Common types of services are available for selection, and you can create your own custom services. This page allows creation of custom services against which firewall rules can be defined. Once defined, the new service will appear in the List of Available Custom Services table.

7.5 ALG support
Advanced > Firewall Settings > ALGs

Application Level Gateways (ALGs) are security components that enhance the firewall and NAT support of this controller to seamlessly support application layer protocols. In some cases, enabling the ALG will allow the firewall to use dynamic ephemeral TCP/UDP ports to communicate with the known ports a particular client application (such as H.323 or RTSP) requires, without which the admin would have to open a large number of ports to accomplish the same support. Because the ALG understands the protocol used by the specific application that it supports, it is a very secure and efficient way of introducing support for client applications through the controller's firewall.

Figure 112 Available ALG support on the cont
146. Connect Status: Status of the SSL connection between this controller and the remote VPN client: Not Connected or Connected.

Chapter 10. Advanced System Functionalities

10.1 USB Device Setup
Setup > USB Settings > USB Status

The DWC-1000 Wireless controller has a USB interface for printer access and file sharing.
• USB Mass Storage: also referred to as a "share port"; files on a USB disk connected to the DWC can be accessed by LAN users as a network drive.
• USB Printer: The DWC can provide the LAN with access to printers connected through the USB. The printer driver will have to be installed on the LAN host, and traffic will be routed through the DWC between the LAN and printer.

To configure a printer on a Windows machine, follow the steps given below:
1. Click Start on the desktop.
2. Select the Printers and faxes option.
3. Right-click and select Add printer, or click Add printer in the left menu.
4. Select the Network Printer radio button and click Next (select "device isn't listed" in the case of Windows 7).
5. Select the "Connect to printer using URL" radio button ("Select a shared printer by name" in the case of Windows 7) and give the following URL: http://<controller's LAN IP address>:631/printers/<Model Name> (Model Name can be found in the USB status page of the controller's GUI).
6. Click next and sel
147. em wide log settings

12.6.2 Sending Logs to E-mail or Syslog
Tools > Log Settings > Remote Logging

Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an E-Mail address. For remote logging, a key configuration field is the Remote Log Identifier. Every logged message will contain the configured prefix of the Remote Log Identifier, so that syslog servers or email addresses that receive logs from more than one controller can sort for the relevant device's logs.

Once you enable the option to e-mail logs, enter the e-mail server's address (IP address or FQDN) of the SMTP server. The controller will connect to this server when sending e-mails out to the configured addresses. The SMTP port and return e-mail addresses are required fields to allow the controller to package the logs and send a valid e-mail that is accepted by one of the configured "send-to" addresses. Up to
148. en Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to access the internal domain of the ISP, where it hosts various services. These routes can also be configured through the static routing page.

Figure 91 Option1 configuration for Multiple PPPoE (part 2)

6.2.5 Russia L2TP and PPTP Option

For Russia L2TP Option connections, you can choose the address mode of the connection to get an IP address from the ISP or configure a static IP address provided by the ISP. For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host.

Figure 92 Russia L2TP ISP
149. ents. This feature is disabled by default.
• To enable Multicast and Broadcast Rate Limiting, click Enabled.
• To disable Multicast and Broadcast Rate Limiting, click Disabled.

Channel Bandwidth: The 802.11n specification allows the use of a 40 MHz wide channel in addition to the legacy 20 MHz channel available with other modes. The 40 MHz channel enables higher data rates but leaves fewer channels available for use by other 2.4 GHz and 5 GHz devices. The 40 MHz option is enabled by default for 802.11a/n modes and 20 MHz for 802.11b/g/n modes. You can use this setting to restrict the use of the channel bandwidth to a 20 MHz channel.

Primary Channel: This setting is editable only when a channel is selected and the channel bandwidth is set to 40 MHz. A 40 MHz channel can be considered to consist of two 20 MHz channels that are contiguous in the frequency domain. These two 20 MHz channels are often referred to as the Primary and Secondary channels. The Primary Channel is used for 802.11n clients that support only a 20 MHz channel bandwidth and for legacy clients. Use this setting to set the Primary Channel as the upper or lower 20 MHz channel in the 40 MHz band.

Figure 36 AP Profile Radio configuration (Part 2)
150. er Status: Status of the most recently issued AP provisioning command, which has one of the following values:
• Not Started: Provisioning has not been started for this AP.
• Success: Provisioning finished successfully for this controller. The AP Provisioning Status table should reflect the latest provisioning configuration.
• In Progress: Provisioning is in progress for this AP.
• Invalid Controller IP Address: Either primary or backup controller IP address is not in the cluster, or the mutual authentication mode is enabled and the primary controller IP address is not specified.
• Provisioning Rejected: AP is not managed and is configured not to accept provisioning data in unmanaged mode.
• Timed Out: The last provisioning request timed out.

Figure 85 AP Provisioning Summary Status

The AP Provisioning Summary Status page shows information about all provisioned APs. The AP Provisioning Summary and Detail pages display data only when the controller is configured as the Cluster Controller.
151. er the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached. Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin.

Max Burst Length (AP EDCA Parameter Only): The Max Burst Length applies only to traffic flowing from the access point to the client station. This value specifies (in milliseconds) the Maximum Burst Length allowed for packet bursts on the wireless network. A packet burst is a collection of multiple frames transmitted without header information. The decreased overhead results in higher throughput and better performance. Valid values for maximum burst length are 0.0 through 999.

WMM Mode: Wi-Fi MultiMedia (WMM) is enabled by default. With WMM enabled, QoS prioritization and coordination of wireless medium access is on. With WMM enabled, QoS settings on the DWC-1000 wireless controller control downstream traffic flowing from the access point to client station (AP EDCA parameters) and the upstream traffic flowing from the station to the access point (station EDCA parameters). Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from the station to the access point. With WMM disabled, you can still set some parameters on the downstream tr
152. From the Access Point Profile Summary page, you can create, copy, or delete AP profiles. You can create up to 16 AP profiles on the Unified Wireless Controller.

For each AP profile, you can configure the following features:
• Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID)
• Radio settings
• SSID settings
• QoS settings

Profile: The Access Point profile name you added. Use 0 to 32 characters.

Profile Status: can have one of the following values:
• Associated: The profile is configured, and one or more APs managed by the controller are associated with this profile.
• Associated - Modified: The profile has been modified since it was applied to one or more associated APs; the profile must be re-applied for the changes to take effect.
• Apply Requested: After you select a profile and click Apply, the screen refreshes and shows that an apply has been requested.
• Apply In Progress: The profile is being applied to all APs that use this profile. During this process, the APs reset, and all wireless clients are disassociated from the AP.
• Configured: The profile is configured, but no APs managed by the controller currently use this profile.

Associate a profi
153. Figure 121 Example binding a LAN host's MAC Address to a served IP address

The table lists all the currently defined IP/MAC Bind rules and allows several operations on the rules.

In the above example, if there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured.

7.12 RADIUS Settings
Advanced > RADIUS Settings

From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information.

Figure 122 RADIUS Server Configuration

This page configures the RADIUS servers to be used for authentication. A RADIUS server maintains a database of user accounts used in larger environments. If a RADIUS server is configured in the LAN, it can be used for authenticating users that want to connect to the wireless network provided by this device. If the first/primary RADIUS server is not accessible at any time, then the device will attempt to contact the secondary RADIUS server for user authentication.
154. Figure 82 Manual Power Adjustment Plan

5.3 Access Point Software Download
Setup > AP Management > Software Download

The wireless controller can upgrade software on the APs that it manages.

The AP firmware version must be the same as the DWC-1000 WLAN module version.

Server Address: Enter the IP address of the host where the upgrade file is located. The host must have a TFTP server installed and running.

File Path: Enter the file path on the TFTP server where the software is located. You may enter up to 96 characters.

File Name: Enter the name of the upgrade file. You may enter up to 32 characters, and the file extension .tar must be included.

Group Size: When you upgrade multiple APs, each AP contacts the TFTP server to download the upgrade file. To prevent the TFTP server from being overloaded, you can limit the number of APs to be upgraded at a time. In the Group Size field e
155. er the port on which server should listen for incoming connections.

Redirect to Port 16994: Check this box to redirect to port 16994 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 16995: Check this box to redirect to port 16995 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.
Redirect to Port 9971: Check this box to redirect to port 9971 of the client initiating the connection.
Listen on Port: Enter the port on which server should listen for incoming connections.

Chapter 11. Advanced Wireless Controller Features

11.1 Advanced Global Wireless Controller Configuration
Advanced > Global > General

The fields on the advanced Wireless Global Configuration page are settings that apply to the DWC-1000 Wireless Controller.

Figure 157 Wireless Configuration
156. er to adapt to modifications in the LAN without interrupting traffic flow. The RIP direction will define how this controller sends and receives RIP packets. Choose between:
• Both: The controller both broadcasts its routing table and also processes RIP information received from other controllers. This is the recommended setting in order to fully utilize RIP capabilities.
• Out Only: The controller broadcasts its routing table periodically but does not accept RIP information from other controllers.
• In Only: The controller accepts RIP information from other controllers, but does not broadcast its routing table.
• None: The controller neither broadcasts its route table nor does it accept any RIP packets from other controllers. This effectively disables RIP.

The RIP version is dependent on the RIP support of other routing devices in the LAN.
• Disabled: This is the setting when RIP is disabled.
• RIP-1 is a class-based routing version that does not include subnet information. This is the most commonly supported version.
• RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different. RIP-2B broadcasts data in the entire subnet, while RIP-2M sends data to multicast addresses.

If RIP-2B or RIP-2M is the selected version, authentication between
157. erentiated wireless traffic: different types of audio, video, and streaming media, as well as traditional IP data, over the DWC-1000.

Figure 38 AP Profile QoS configuration (Part 1)

Configuring Quality of Service (QoS) on the DWC-1000 consists of setting parameters on existing queues for different types of wireless traffic and effectively specifying minimum and maximum wait times (through Contention Windows) for transmission. The settings described here apply to data transmission behavior on the access point only, not to that of the client stations.

AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station. Station Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the client station to the access point.

You can specify custom QoS settings, or you can select a template that c
158. Figure 154 USB SharePort
Figure 155 Certificate summary for IPsec and HTTPS management
Figure 156 IMROL ES NID
Figure 157 Wireless Configuration
Figure 158 Distributed Tunnelling
Figure 159 Distributed Tunneling Clients
Figure 160 Peer Controller Configuration Request Status
Figure 161 Peer Controller Configuration
Figure 162 WIDS AP Configuration
Figure 163 WIDS Client Configuration
Figure 164 Remote Management
Figure 165 SNMP Users, Traps, and Access Control
Figure 166 SNMP system information for this controller
Figure 16
159. Figure 2 Setup page for LAN TCP/IP settings (DHCP Relay)
Figure 3 LAN DHCP Reserved IPs
Figure 4 LAN DHCP Leased Clients
Figure 5 IPv6 LAN and DHCPv6 configuration
Figure 6 DHCPv6 Leased Clients
Figure 7 Configuring the Router Advertisement Daemon
Figure 8 IPv6 Advertisement Prefix settings
Figure 9 Port Queue Scheduling
Figure 10 Port Queue Status
Figure 11 Option QoS Configuration
Figure 12 Bandwidth Profile Configuration
160. essage rate detected in a single RF Scan report. On the WIDS Client Configuration page, you can set thresholds for each type of message sent, and the APs monitor whether any clients exceed those thresholds or tests.

Not Present in OUI Database Test: This test checks whether the MAC address of the client is from a registered manufacturer identified in the OUI database.

Known Client Database Test: This test checks whether the client, which is identified by its MAC address, is listed in the Known Client Database and is allowed access to the AP either through the Authentication Action of Grant or through the White List global action. If the client is in the Known Client Database and has an action of Deny, or if the action is Global Action and it is globally set to Black List, the client fails this test.

Configured Authentication Rate Test: This test checks whether the client has exceeded the configured rate for transmitting 802.11 authentication requests.

Configured Probe Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting probe requests.

Configured De-Authentication Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting de-authentication requests.

Maximum Authentication Failures Test: This test checks whether the client has exceeded the maximum number of failed authentications.

Authentication with Unknown AP Test: This test checks
161. etwork's addresses is set by the prefix length field.

Figure 5 IPv6 LAN and DHCPv6 configuration

If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool, or has a static IP address in the router's LAN subnet, before accessing the router via the changed IP address.

DHCPv6

As with an IPv4 LAN network, the router has a DHCPv6 server. If enabled, the router assigns an IP address within the specified range, plus additional specified information, to any LAN PC that requests DHCP-served addresses.

The following settings are used to configure the DHCPv6 server:

DHCP Status: This allows you to Enable/Disable the DHCPv6 server.

DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected, an external IPv6 DHCP server is not required, as the IPv6 LAN hosts are auto-configured
162. evices. Java applets can be prevented from being downloaded from internet sites, and similarly the gateway can prevent ActiveX controls from being downloaded via Internet Explorer. For added security, cookies, which typically contain session information, can be blocked as well for all devices on the private network.

Figure 117 Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded

This content filtering option allows the user to block access to certain Internet sites. Up to 32 key words in the site's name (web site URL) can be specified, which will block access to the site. To set up URLs, go to the Approved URLs and Blocked Keywords page.

7.10.2 Approved URLs
Advanced > Website Filter > Approved URLs

The Approved URLs is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain "yahoo" is added to this list, then all of the following URLs are permitted access from the LAN: www.yahoo.com, yahoo.co.uk, etc. Import/export from a text or CSV file for Approved URLs is also supported.

Figure 118 Two trusted domains added to the Approved URLs List
163. feature all the traffic will pass through the VPN Tunnel, and from the Remote Gateway the packet will be routed to the Internet. On the remote gateway side, the outgoing packet will be SNAT'ed.

Configuring VPN clients

Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.

VPN client software is required to establish a VPN tunnel between the controller and remote endpoint. Open source software (such as OpenVPN or Openswan) as well as Microsoft IPsec VPN software can be configured with the required IKE policy parameters to establish an IPsec VPN tunnel. Refer to the client software guide for detailed instructions on setup as well as the controller's online help.

The user database contains the list of VPN user accounts that are authorized to use a given VPN tunnel. Alternatively, VPN tunnel users can be authenticated using a configured RADIUS database. Refer to the online help to determine how to populate the user database and/or configure RADIUS authentication.

8.4 PPTP / L2TP Tunnels

This controller supports VPN tunnels from either PPTP or L2TP ISP servers. The controller acts as a broker device to allow the ISP's serve
164. The following actions are supported from this page:
Disassociate: Disassociates the client from the managed AP.
View Client Details: Display associated client details.
Refresh: Updates the page with the latest information.

4.8.6 Detected Client Status
Status > Wireless Client Info > Detected Clients

Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well as information about clients that disassociate and are no longer connected to the system.

MAC Address: The Ethernet address of the client.

Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database, then the field is blank.

Client Status: Shows the client status, which can be one of the following:
• Authenticated: The wireless client is authenticated with the wireless system.
• Detected: The wireless client is detected by the wireless system but is not a security threat.
• Black Listed: The client with this MAC address is specifically denied access via MAC Authentication.
• Rogue: The client is classified as a threat by one of the threat detection al
165. field set in the packet.

Figure 17 Remark CoS to DSCP

Once you enable CoS to DSCP marking by choosing the check box, you can choose the appropriate value of the DSCP for a given CoS value.

2.3 VLAN Configuration

The controller supports virtual network isolation on the LAN with the use of VLANs. LAN devices can be configured to communicate in a subnetwork defined by VLAN identifiers. LAN ports can be assigned unique VLAN IDs so that traffic to and from that physical port can be isolated from the general LAN. VLAN filtering is particularly useful to limit broadcast packets of a device in a large network.

VLAN support is disabled by default in the controller. In the VLAN Configuration page, enable VLAN support on the controller and then proceed to the next section to define the virtual network.

Setup > VLAN Settings > Available VLAN

The Available VLAN page shows a list of configured VLANs by name and VLAN ID. A VLAN membership can be created by clicking the Add button below the List of Available VLANs. A VLAN membership entry consists of a VL
166. fields are as follows:

Policy Name: IKE or VPN policy associated with this SA.
Endpoint: IP address of the remote VPN gateway or client.
Tx (KB): Kilobytes of data transmitted over this SA.
Tx (Packets): Number of IP packets transmitted over this SA.
State: Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Action: Click Connect to establish an inactive SA connection, or Disconnect to terminate an active SA connection.

Figure 152 List of current Active VPN Sessions

All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows:

User Name: The SSL VPN user that has an active tunnel or port forwarding session to this controller.
IP Address: IP address of the remote VPN client.
Local PPP Interface: The interface (Option1 or Option2) through which the session is active.
Peer PPP Interface IP: The assigned IP address of the virtual network adapter.
167. figuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client is selected, the gateway will connect to the ISP's DHCPv6 server for a leased address. For stateless DHCP, there need not be a DHCPv6 server available at the ISP; rather, ICMPv6 discover messages will originate from this gateway and will be used for auto-configuration. A third option to specify the IP address and prefix length of a preferred DHCPv6 server is available as well.

Figure 93 IPv6 Option1 Setup page

Prefix Delegation: Select this option to request controller advertisement prefix from any available DHCPv6 servers available on the ISP; the obtained prefix is updated to the advertised prefixes on the LAN side. This option can be selected only in Stateless Address Auto Configuration mode of DHCPv6 Client.

When IPv6 is PPPoE type, the following PPPoE fields are enabled:

Username: Enter the username required to log in to the ISP.
Password: Enter the password required
168. for one of the following reasons associated with a peer controller:
• Peer Controller Discovered
• Peer Controller Failed
• Peer Controller Unknown Protocol Discovered
Configuration command received from peer controller. The controller need not be Cluster Controller for generating this trap.

RF Scan Traps: If you enable this field, the SNMP agent sends a trap when the RF scan detects a new AP, wireless client, or ad-hoc client.

Rogue AP Traps: If you enable this field, the SNMP agent sends a trap when the controller discovers a rogue AP. The agent also sends a trap every Rogue Detected Trap Interval seconds if any rogue AP continues to be present in the network.

Wireless Status Traps: If you enable this field, the SNMP agent sends a trap if the operational status of the Unified Wireless controller (it need not be Cluster Controller for this trap) changes. It sends a trap if the Channel Algorithm is complete or the Power Algorithm is complete. It also sends a trap if any of the following databases or lists has reached the maximum number of entries:
1. Managed AP database
2. AP Neighbor List
3. Client Neighbor List
4. AP Authentication Failure List
5. RF Scan AP List
6. Client Association Database
7. Ad Hoc Clients List
8. Detected Clients List

12.5 Configuring Time Zone and NTP
Tools > Date and Time

You can configure your time zone, whether or not to adjust for Day
169. g remote gatekeepers and to map IP addresses to hostnames of administrative domains. Fully qualified domain name: Complete domain name including the host portion. Example: serverA.companyA.com. File Transfer Protocol: Protocol for transferring files between network nodes. Hypertext Transfer Protocol: Protocol used by web browsers and web servers to transfer files. Internet Key Exchange: Mode for securely exchanging encryption keys in ISAKMP as part of building a VPN tunnel. IP security: Suite of protocols for securing VPN tunnels by authenticating or encrypting IP packets in a data stream. IPsec operates in either transport mode (encrypts payload but not packet headers) or tunnel mode (encrypts both payload and packet headers). Internet Key Exchange Security Protocol: Protocol for establishing security associations and cryptographic keys on the Internet. Internet service provider. Media access control address (MAC Address): Unique physical-address identifier attached to a network adapter. Maximum transmission unit: Size, in bytes, of the largest packet that can be passed on. The MTU for Ethernet is a 1500-byte packet. Network Address Translation: Process of rewriting IP addresses as a packet passes through a NAT controller or firewall. NAT enables multiple hosts on a LAN to access the Internet using the single public IP address of the LAN's gateway controller. NetBIOS: Micr
170. gate to Security Schedule and name the schedule Weekend. Define weekend to mean 12 am Saturday morning to 12 am Monday morning (all day Saturday & Sunday). In the Scheduled days box, check that you want the schedule to be active for specific days. Select Saturday and Sunday. In the scheduled time of day, select all day; this will apply the schedule between 12 am to 11:59 pm of the selected day. Click apply; now schedule Weekend isolates all day Saturday and Sunday from the rest of the week. [Figure 110: Schedule configuration for the above example] 2. Since we are trying to block HTTP requests, it is a service with To Zone: Insecure (Option1/Option2) that is to be blocked according to schedule Weekend. 3. Select the Action to "Block by Schedule, otherwise allow". This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times. All other times outside the schedule will not be affected by this firew
171. generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window (cwMax). Maximum Contention Window: The value specified in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached. TXOP Limit (Station EDCA Parameter Only): The TXOP Limit applies only to traffic flowing from the client station to the access point. The Transmission Opportunity (TXOP) is an interval of time when a WME client station has the right to initiate transmissions onto the wireless medium (WM). This value specifies (in milliseconds) the Transmission Opportunity (TXOP) for client stations; that is, the interval of time when a WMM client station has the right to initiate transmissions on the wireless network. [Figure 39: AP Profile QoS configuration (Part 2)]
172. gh an SNMP trap (if enabled) when this AP is detected in the network. Additionally, when this AP is detected through an RF scan, the status is listed as Rogue. If you select the Rogue mode, the screen refreshes and fields that do not apply to this mode are hidden. Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters. Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters. The password in this field must match the password configured on the AP. Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP. Expected SSID: Enter the SSID that identifies the wireless network on the standalone AP. Expected Channel: Select the channel that the standalone AP uses. If the AP is configured to automatically select a channel, or if you do not want to specify a channel, select Any. Expected WDS Mode: Standalone APs can use a Wireless Distribution System (WDS) link to communicate with each other without wires. The menu contains the following options. Bridge: Select this option if the standalone AP you add to the Valid AP database is configured to use one or more WDS links. Normal: Select this option if the standalone AP is not configured to use any WDS links.
173. gorithms Age: Time since any event has been received for this client that updated the detected client database entry. Create Time: Time since this entry was first added to the detected client's database. [Figure 74: Detected Client Status] The following actions are supported from this page. Delete: Delete the selected client from the list. If the client is detected again, it will be added to the list. Delete All: Deletes all non-authenticated clients from the Detected Client database. As clients are detected, they are added to the database and appear in the list. Acknowledge All Rogues: Clear the rogue status of all clients listed as rogues in the Detected Client database. The status of an acknowledged client is returned to the status it had when it was first detected. If the detected client fails any of the tests
174. guration download. List of Peers. Peer IP Address: Lists the IP address of each controller in the cluster and indicates the configuration request status of that controller. 11.4.2 Peer Controller Configuration. Advanced > Peer Controller > Configuration Items. The Peer Controller Configuration Items page allows you to enable or disable (select) which parts of the configuration to copy to one [Figure 161: Peer Controller Configuration. Page description shown in the screenshot: "The Peer Controller Configuration page allows you to select which parts of the configuration to copy to one or more peer controllers in the group."] Global: Enable this field to include the basic and advanced global settings in the configuration that the controller pushes to its peers. The configuration does not include the controller IP address, since that is a unique setting. Discovery: Enable this field to include the L2 and L3 discovery information, including the VLAN li
175. hat each radio on the AP is using. The following actions are supported from this page. Delete: Manually clear existing APs. View AP Details: Shows detailed status information collected from the AP. View Radio Details: Shows detailed status for a radio interface. View Neighbor Details: Shows the neighbor APs that the specified AP has discovered through periodic RF scans on the selected radio interface. View Neighbor Clients: Shows information about wireless clients associated with an AP or detected by the AP radio. View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages. 4.6.4 Authentication Failure Status. Status > Access Point Info > Authentication Failure Status. An AP might fail to associate to the controller due to errors such as invalid packet format or vendor ID, or because the AP is not configured as a valid AP with the correct local or RADIUS authentication information. The AP authentication failure list shows information about APs that failed to establish communication with the DWC-1000 wireless controller. The AP can fail due to one of the following reasons. No Database Entry: The MAC address of the AP is not in the local Valid AP database or the external RADIUS server database, so the AP has not been validated. Local Authentication: The authentication password conf
176. he LAN and DMZ to access internal servers (e.g. an internal FTP server) using their externally known domain name. This is also referred to as "NAT loopback", since LAN-generated traffic is redirected through the firewall to reach LAN servers by their external name. [Figure 97: Routing Mode is used to configure traffic routing between Option and LAN, as well as Dynamic routing (RIP)] 6.4.2 Dynamic Routing (RIP). Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Setup > Internet Settings > Routing Mode. Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP, this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routing tables in ord
177. he SSL VPN Client wishes to access the LAN network, then in SPLIT Tunnel mode you should add the LAN subnet as the Destination Network. 9.4.1 Creating Portal Layouts. Setup > VPN Settings > SSL VPN Server > Portal Layouts. The controller allows you to create a custom page for remote SSL VPN users that is presented upon authentication. There are various fields in the portal that are customizable for the domain, and this allows the controller administrator to communicate details such as login instructions, available services, and other usage details in the portal visible to remote users. During domain setup, configured portal layouts are available to select for all users authenticated by the domain. Note: The default portal LAN IP address is https://192.168.10.1/scgi-bin/userPortal/portal. This is the same page that opens when the User Portal link is clicked on the SSL VPN menu of the controller GUI. The controller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name, and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL. As well, the users assigned to this portal (through their authentication domain) can be presented with one or more of the c
178. he controller simply reports this fact and doesn't change the AP state to Rogue. In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode. Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent. Wired Network Detection Interval: Specify the number of seconds that the AP waits before starting a new wired network detection cycle. If you set the value to 0, wired network detection is disabled. AP De-Authentication Attack: Enable or disable the AP de-authentication attack. The wireless controller can protect against rogue APs by sending de-authentication messages to the rogue AP. The de-authentication attack feature must be globally enabled in order for the wireless system to do this function. Make sure that no legitimate APs are classified as rogues before enabling the attack feature. This feature is disabled by default. [Figure 162: WIDS AP Configuration]
179. he customized IP address is configured; otherwise an IP address is assigned to the client automatically from the DHCP pool. IP Addresses: The LAN IP address of a host that is reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the LAN. The actions that can be taken on the list of reserved IP addresses are as follows. Select: Selects all the reserved IP addresses in the list. Edit: Opens the LAN DHCP Reserved IP Configuration page to edit the selected binding rule. Delete: Deletes the selected IP address reservation(s). Add: Opens the LAN DHCP Reserved IP Configuration page to add a new binding rule. [Figure 3: LAN DHCP Reserved IPs] 2.1.2 LAN DHCP Leased Clients. Setup > Network Settings > LAN DHCP Leased Clients. This page provides the list of clients connected to the LAN DHCP server. [Figure 4: LAN DHCP Leased Clients]
180. he following configuration options. Mode: The mode of this VLAN can be General, Access, or Trunk. The default is access. In General mode, the port is a member of a user-selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID. In the configuration from Figure 6, Port 3 is a General port with PVID 3, so untagged data into Port 3 will be assigned PVID 3. All tagged data sent out of the port with the same PVID will be untagged. This mode is typically used with IP phones that have dual Ethernet ports. Data coming from the phone to the controller port on the controller will be tagged. Data passing through the phone from a connected device will be untagged. [Figure 19: Port VLAN list] In Access mode, the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame. In Trunk mode, the port is a member of a user sele
181. hen configure the Radio Configuration, VAP configuration, and Access point. The last step in the Wizard is to click the Connect button. Chapter 4. Monitoring Status and Statistics. 4.1 System Overview. The Status page allows you to get a detailed overview of the system configuration. The settings for the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard. 4.1.1 Dashboard. Status > Dashboard > General. The DWC-1000 dashboard page gives a summary of the CPU and Memory utilization. [Figure 41: Dashboard] CPU Utilization: This section displays the router's processor statistics. CPU usage by user: Percent of the CPU utilization being consumed currently by all user-space processes, such as SSL VPN or management operations. CPU usage by kernel: Percent of the CPU utilization being consumed currently by kernel-space processes, such as firewall operations. CPU idle: Percent of CPU cycles tha
182. his feature can be used only if your Option is configured in Auto Rollover mode. [Figure 130: IPsec policy configuration continued (Auto / Manual Phase 2)] Extended Authentication (XAUTH): You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. With a user database, user accounts created in the controller are used to authenticate users. With a configured RADIUS server, the controller connects to a RADIUS server and passes to it the credentials that it receives from the VPN client. You can secure the connection between the controller and the RADIUS server with the authentication protocol supported by the server (PAP or CHAP). For RADIUS PAP, the controller first checks in the user database to see if the user credentials are available; if they are not, the controller connects to the RADIUS server. Internet over IPSec tunnel: In this
183. ices IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a). DTIM Period: The Delivery Traffic Information Map (DTIM) message is an element included in some Beacon frames. It indicates which client stations, currently sleeping in low-power mode, have data buffered on the access point awaiting pick-up. The DTIM period you specify indicates how often the clients served by this access point should check for buffered data still on the AP awaiting pickup. Specify a DTIM period within the given range (1-255). The measurement is in beacons. For example, if you set this field to 1, clients will check for buffered data on the AP at every beacon. If you set this field to 10, clients will check on every 10th beacon. Beacon Interval: Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). The Beacon Interval value is set in milliseconds. Enter a value from 20 to 2000. Automatic Channel: The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface. When the AP boots, each AP radio scans the RF area for occupied channels and selects a ch
184. [Figure: ients Roam History table; columns: AP MAC Address, Radio, VAP MAC Address, SSID, Status, Time Since Event] This page includes the following buttons. Refresh: Updates the page with the latest information. Purge History: To purge the history when the list of entries is full. View Details: Shows the details of the detected clients. Chapter 5. AP Management. The AP Management contains links to the following pages that help you manage and maintain the APs on your DWC-1000 wireless controller network: Valid Access Point Configuration; RF Management; Access Point Software Download; Local OUI Database; AP Provisioning; Manual Management. 5.1 Valid Access Point Configuration. Setup > AP Management > Valid AP. MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs. Location: To help you identify the
185. ies options; Figure 142: IP policies Options; Figure 143: Available Users with login status and associated Group s; Figure 144: User Configuration Options; Figure 145: List of SSL VPN polices (Global filter); Figure 146: SSL VPN policy configuration; Figure 147: List of configured resources, which are available to assign to SSL VPN policies; Figure 148: List of Available Applications for SSL Port Forwarding; Figure 149: SSL VPN client adapter and ACCESS configuration; Figure 150: Configured client routes only apply in split tunnel mode; Figure 151: SSL VPN Portal configuration; Figure 152: List of current Active VPN Sessions; Figure 153: USB Device Detection
186. ifying the From Zone (LAN/Option/DMZ) and To Zone (LAN/Option/DMZ); schedules as to when the controller should apply rules; any keywords (in a domain name or on a URL of a web page) that the controller should allow or block; rules for allowing or blocking inbound and outbound Internet traffic for specified services on specified schedules; MAC addresses of devices that should not access the internet; port triggers that signal the controller to allow or block access to specified services as defined by port number; reports and alerts that you want the controller to send to you. You can, for example, establish restricted-access policies based on time of day, web addresses, and web address keywords. You can block Internet access by applications and services on the LAN, such as chat rooms or games. You can block just certain groups of PCs on your network from being accessed by the Option or public DMZ network. 7.1 Firewall Rules. Advanced > Firewall Settings > Firewall Rules. Inbound (Option to LAN/DMZ) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources. By default, all access from the insecure Option side is blocked from accessing the secure LAN, except in response to requests from the Option or DMZ. To allow outside devices to access services on the secure LAN, you must create an
187. igured in the AP did not match the password configured in the local database. Not Managed: The AP is in the Valid AP database, but the AP Mode in the local database is not set to Managed. RADIUS Authentication: The password configured in the RADIUS client for the RADIUS server was rejected by the server. RADIUS Challenged: The RADIUS server is configured to use the Challenge-Response authentication mode, which is incompatible with the AP. RADIUS Unreachable: The RADIUS server that the AP is configured to use is unreachable. Invalid RADIUS Response: The AP received a response packet from the RADIUS server that was not recognized or invalid. Invalid Profile ID: The profile ID specified in the RADIUS database may not exist on the controller. This can also happen with the local database when the configuration has been received from a peer controller. Profile Mismatch - Hardware Type: The AP hardware type specified in the AP Profile is not compatible with the actual AP hardware. [Figure 59: Authentication Failure Status]
188. [Screenshot: Date and Time configuration (time zone, daylight saving, NTP servers configuration, manual date and time)] 12.6 Log Configuration. This controller allows you to capture log messages for traffic through the firewall, VPN, and over the wireless AP. As an administrator you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller. The following sections describe the log configuration settings and the ways you can access these logs. 12.6.1 Defining What to Log. Tools > Log Settings > Logs Facility. The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities. Kernel: This refers to the Linux kernel. Log messages that correspond to this facility would correspond to traffic through the firewall or network stack. System: This refers to application and management-level features available on this controller, including SSL VPN and administrator changes for managing the unit. Wireless: This f
189. inbound firewall rule for each service. If you want to allow incoming traffic, you must make the controller's Option port IP address known to the public. This is called "exposing your host". How you make your address known depends on how the Option ports are configured; for this controller you may use the IP address if a static address is assigned to the Option port, or, if your Option address is dynamic, a DDNS (Dynamic DNS) name can be used. Outbound (LAN/DMZ to Option) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to either the public DMZ or insecure Option. On the other hand, the default outbound rule is to deny access from DMZ to insecure Option. You can change this default behaviour in the Firewall Settings > Default Outbound Policy page. When the default outbound policy is allow always, you can block hosts on the LAN from accessing internet services by creating an outbound firewall rule for each service. [Figure 106: List of Available Firewall Rules]
190. ings for facility and severity. This data is useful when evaluating SSL VPN traffic and tunnel health. [Figure 174: SSL VPN logs displayed in GUI event viewer] 12.7 Backing up and Restoring Configuration Settings. Tools > System. You can back up the controller's custom configuration settings to restore them to a different device or the same controller after some other changes. During backup, your settings are saved as a file on your host. You can restore the controller's saved settings from this file as well. This page will also allow you to revert to factory default settings or execute a soft reboot of the controller. Note: IMPORTANT! During a restore operation, do NOT try to go online, turn off the controller, shut down the PC, or do anything else to the controller until the operation is complete. This will take approximately 1 minute. Once the LEDs are turned off, wait a few more seconds before doing anything with the controller. For backing up configuration or restoring a previously saved configuration, please follow the steps below. 1. To save a copy of your current settings, click the Backup button in the Save Current Settings option. The browser initiates an export of th
191. [Screenshot: int Configuration page; fields: MAC address, AP Mode, Location, Authentication Password, Profile, Expected SSID, Expected Channel, Expected WDS Mode, Expected Security Mode] MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs. AP Mode: You can configure the AP to be in one of three modes. Standalone: The AP acts as an individual access point in the network. You do not manage the AP by using the controller. Instead, you log on to the AP itself and manage it by using the Administrator Web User Interface (UI), CLI, or SNMP. If you select the Standalone mode, the screen refreshes and different fields appear. For Standalone mode, the following fields are enabled: Expected SSID, Expected Channel, Expected WDS Mode, Expected Security Mode, and Expected Wired Network Mode. Managed: The AP is part of the D-Link Wireless Controller, and you manage it by using the Wireless Controller. If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled. Rogue: Select Rogue as the AP mode if you wish to be notified throu
192. io When enabled, use the menu to select a network to assign to the VAP. You can configure up to 64 separate networks on the controller and apply them across multiple radio and VAP interfaces. By default, 16 networks are pre-configured and applied in order to the VAPs on each radio. Enabling a VAP on one radio does not automatically enable it on the other radio. VLAN: Shows the VLAN ID of the VAP. To change this setting, click Edit. L3 Tunnel: Shows whether L3 Tunneling is enabled on the network. Note: When L3 tunneling is enabled, the VLAN ID configured above is not used. In fact, the controller puts the management VLAN ID, if any, on the tunneled packets destined to the AP. Hide SSID: Shows whether the VAP broadcasts the SSID. If enabled, the SSID for this network is not included in AP beacons. To change this setting, click Edit. Security: Shows the current security settings for the VAP. To change this setting, click Edit. Redirect: Shows whether HTTP redirect is enabled. The possible values for the field are as follows. HTTP: HTTP Redirect is enabled. None: HTTP Redirect is disabled. Edit: Click Edit to modify settings for the corresponding network. When you click Edit, the Wireless Network Configuration page appears. QoS Configuration: Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of diff
193. irectly accessed from the internet by their public IP addresses, assuming appropriate firewall settings. If your ISP has assigned an IP address for each of the computers that you use, select Classic Routing.
• NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a private IP address range, while the Option port on the controller is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. NAT is required if your ISP has assigned only one IP address to you. The computers that connect through the controller will need to be assigned IP addresses from a private subnet.
• Transparent routing between the LAN and Option does not perform NAT. Broadcast and multicast packets that arrive on the LAN interface are switched to the Option and vice versa, if they do not get filtered by firewall or VPN policies. To maintain the LAN and Option in the same broadcast domain, select Transparent mode, which allows bridging of traffic from LAN to Option and vice versa, except for controller-terminated traffic and other management traffic. All DWC features are supported in transparent mode, assuming the LAN and Option are configured to be in the same broadcast domain.
Note: NAT routing has a feature called NAT Hair-pinning that allows internal network users on t
194. ish to save part of the subnet range for devices with statically assigned IP addresses in the LAN.
Default Gateway (Optional): Enter the IP address of the controller which you want to make the default, other than the DWC-1000.
Primary and Secondary DNS servers: If configured domain name system (DNS) servers are available on the LAN, enter their IP addresses here.
Domain Name: Enter the domain name.
WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBios server.
Lease Time: Enter the time, in hours, for which IP addresses are leased to clients.
Enable DNS Proxy: To enable the controller to act as a proxy for all DNS requests and communicate with the ISP's DNS servers, click the checkbox.
Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode.
3. Click Save Settings to apply all changes.
Figure 1: Setup page for LAN TCP/IP settings (DHCP server)
195. ive Ethernet connection.
Length Detection State: When enabled, the LAN controller will reduce the overall current supplied to the LAN port when a small cable length is connected to that port. Longer cables have higher resistance than shorter cables and require more power to transmit packets over that distance. This option will reduce the power to a LAN port if an Ethernet cable of less than 10 ft is detected as being connected to that port.
Jumbo Frames Option: When enabled, LAN-side devices can exchange traffic containing jumbo frames.
7.14 Protecting from Internet Attacks
Advanced > Advanced Network > Attack Checks
Attacks can be malicious security breaches or unintentional network issues that render the controller unusable. Attack checks allow you to manage Option security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack checks can be enabled to manage extreme usage of Option resources. Additionally, certain Denial of Service (DoS) attacks can be blocked. These attacks, if uninhibited, can use up processing power and bandwidth and prevent regular network services from running normally. ICMP packet flooding, SYN traffic flooding, and Echo storm thresholds can be configured to temporarily suspect traffic from the offending source.
Figure 124: Protecting the controller and LAN from internet attacks
196. la and 802.11n devices. IEEE 802.11n is an extension of the 802.11 standard that includes multiple-input multiple-output (MIMO) technology. IEEE 802.11n supports data ranges of up to 248 Mbps and nearly twice the indoor range of 802.11b, 802.11g, and 802.11a.
• 5 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 5 GHz frequency that do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a).
Radio 2 supports:
• IEEE 802.11b/g operates in the 2.4 GHz ISM band. IEEE 802.11b is an enhancement of the initial 802.11 PHY to include 5.5 Mbps and 11 Mbps data rates. It uses direct sequence spread spectrum (DSSS) or frequency hopping spread spectrum (FHSS) as well as complementary code keying (CCK) to provide the higher data rates. It supports data rates ranging from 1 to 11 Mbps. IEEE 802.11g is a higher speed extension (up to 54 Mbps) to the 802.11b PHY. It uses orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from 1 to 54 Mbps.
• IEEE 802.11b/g/n operates in the 2.4 GHz ISM band and includes support for 802.11b, 802.11g, and 802.11n devices.
• 2.4 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 2.4 GHz frequency that do not need to support 802.11a or 802.11b/g dev
197. last controller from which this controller received any wireless configuration data.
Configuration: Indicates which portions of configuration were last received from a peer controller, which can be one or more of the following:
• Global
• Discovery
• Channel Power
• AP Database
• AP Profiles
• Known Client
• Captive Portal
• RADIUS Client
• QoS ACL
• QoS DiffServ
If the controller has not received any configuration for another controller, the value is None.
Timestamp: Indicates the last time this controller received any configuration data from a peer controller.
The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address.
Figure 67: Configuration Receive Status
198. lation will occur once every 24 hours at the time you specify.
Power Adjustment Mode: You can set the power of the AP radio frequency transmission in the AP profile, the local database, or in the RADIUS server. The power level in the AP profile is the default level for the AP, and the power will not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override the power set in the profile setting. If you manually set the power, the level is fixed and the AP will not use the automatic power adjustment algorithm. You can configure the power as a percentage of maximum power, where the maximum power is the minimum of the power level allowed for the channel by the regulatory domain or the hardware capability.
• Manual: In this mode, you run the proposed power adjustments manually from the Manual Power Adjustments page.
• Interval: In this mode, the controller periodically calculates the power adjustments and applies the power for all APs. The interval period begins when you click Submit.
Power Adjustment Interval: This field determines how often the controller runs the power adjustment algorithm. The algorithm runs automatically only if you set the power adjustment mode to Interval.
Note: This setting gets applied to both radios of the AP.
The following actions are supported from this page:
Submit: Updates the controller with the values you enter
199. le with an AP Entry of the AP is valid and available in database of the controller.
The following actions are supported from this page:
Edit: To edit the existing AP profile.
Delete: To delete the existing AP profile.
Add: Add a new AP profile.
Copy: Copy the existing AP profile.
Apply: Update the AP profile configuration details entered.
Configure Radio: Allows configuration of the AP profile Radio configuration.
Configure SSID: Allows configuration of the AP profile VAP configuration.
Configure QoS: Allows configuration of the AP profile QoS configuration.
Radio Configuration
Radio Mode: From this field, you can select the radio that you want to configure. By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.
State: Specify whether you want the radio on or off by clicking On or Off. If you turn off a radio, the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shut down and the clients can start the association process with other
200. ler DWC DWC-1000 is a full-featured wireless LAN controller designed for small network environments. The centralized control function contains various access point management functions such as fast roaming, inter-subnet roaming, automatic channel and power adjustment, self-healing, etc. The advanced wireless security function, including rogue AP detection, captive portal, and wireless intrusion detection system (WIDS), offers strong wireless network protection, avoiding attacks from hackers. After license upgrade, optimal network security is provided via features such as virtual private network (VPN) tunnels, IP Security (IPsec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Secure Sockets Layer (SSL). Empower your road warriors with clientless remote access anywhere and anytime using SSL VPN tunnels.
There are two types of licenses available to activate increased functionality for the DWC. These licenses are not activated by default.
1. VPN license upgrade enables the following features: ISP Connection types PPPoE PPTP L2TP NAT Transparent mode Option2 DMZ port IP Aliasing Dynamic Routing RIP VPN PPTP client server L2TP client server SSLVPN OpenVPN Intel AMT Dynamic DNS Website Filter Application Rules Firewall Rules UPNP IGMP proxy and ALG SMTP ALG
2. AP license upgrades the number of APs the controller can manage. You can upgrade up to 3 AP licenses. By default, the DWC-1000 can manage up to
201. UPnP Port map Table: The UPnP Port map Table has the details of UPnP devices that respond to the controller advertisements. The following information is displayed for each detected device:
Active: A yes/no indicating whether the port of the UPnP device that established a connection is currently active.
Protocol: The network protocol (i.e., HTTP, FTP, etc.) used by the DWC.
Int. Port (Internal Port): The internal ports opened by UPnP (if any).
Ext. Port (External Port): The external ports opened by UPnP (if any).
IP Address: The IP address of the UPnP device detected by this controller.
Click Refresh to refresh the portmap table and search for any new UPnP devices.
2.6 Captive Portal
LAN and WLAN users can gain internet access via web portal authentication with the DWC. Also referred to as Run-Time Authentication, a Captive Portal is ideal for a web café scenario where users initiate HTTP connection requests for web access but are not interested in accessing any LAN services. The LAN and WLAN users can access the captive portal using HTTP. Firewall policies underneath will define which users require authentication for HTTP access, and when a matching user request is made, the DWC will intercept
202. light Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. You can choose to set Date and Time manually, which will store the information on the controller real-time clock (RTC). If the controller has access to the internet, the most accurate mechanism to set the controller time is to enable NTP server communication.
Note: Accurate date and time on the controller is critical for firewall schedules, Wi-Fi power saving support to disable APs at certain times of the day, and accurate logging.
Please follow the steps below to configure the NTP server:
1. Select the controller time zone, relative to Greenwich Mean Time (GMT).
2. If supported for your region, click to Enable Daylight Savings.
3. Determine whether to use default or custom Network Time Protocol (NTP) servers. If custom, enter the server addresses or FQDN.
Figure 168: Date, Time, and NTP server setup
203. ller manages, you can view detailed status information about the client and its association with the access point.
View Neighbor Status: The associated client status shows information about access points that the client detects. The information on this page can help you determine the managed AP an associated client might use for roaming.
View Distributed Tunneling Status: The associated client status shows information about access points that the client detects. The AP-AP tunneling mode is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller.
View SSID Details: Each managed AP can be from different networks that each have a unique SSID. Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID. The WLAN > Monitoring > Client > Associated Clients > SSID Status page lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access.
View VAP Details: Each AP has a set of Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). This displays the VAP Associated Client Status page, which shows information about the VAPs on the managed AP that have associated wireless clients.
LAN Clients Status > LAN Client Info > LAN Clients
The LAN clients to the controller are identified by an ARP scan through the LAN controller. The NetBi
204. DHCP Leased Clients: This tab displays the list of DHCP clients connected to the LAN DHCP server and to whom the DHCP server has given leases.
IP Addresses: The LAN IP address of a host that matches the reserved IP list.
MAC Addresses: The MAC address of a LAN host that has a configured IP address reservation.
2.1.3 LAN Configuration in an IPv6 Network
Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config
In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with the IPv6 Prefix Length assigned to the LAN.
Note: IPv4/IPv6 mode must be enabled in Advanced > IPv6 > Routing mode to enable IPv6 configuration options.
LAN IP Address Setup: The default IPv6 LAN address for the router is fec0::1. You can change this 128-bit IPv6 address based on your network requirements. The other field that defines the LAN settings for the router is the prefix length. The IPv6 network (subnet) is identified by the initial bits of the address, called the prefix. By default, this is 64 bits long. All hosts in the network have common initial bits for their IPv6 address; the number of common initial bits in the n
205. ly qualified domain name: The domain name of the internal server is to be specified. Once the new FQDN is configured, it is displayed in a list of configured hosts for port forwarding.
Note: Defining the hostname is optional, as the minimum requirement for port forwarding is identifying the TCP application and local server IP address. The local server IP address of the configured hostname must match the IP address of the configured application for port forwarding.
Figure 148: List of Available Applications for SSL Port Forwarding
9.4 SSL VPN Client Configuration
Setup > VPN Settings > SSL VPN Client > SSL VPN Client
An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this controller. When an SSL VPN client is launched from the user portal, a "network adapter" with an IP address from the corporate subnet, DNS, and WINS settings is automatically created. This allows local
206. m
Maximum Roam History Entries: Maximum number of entries that can be recorded in the roam history for all detected clients.
Total Roam History Entries: Current number of roam history entries in use by the system.
AP Provisioning Count: Current number of AP provisioning entries configured on the system.
WLAN Bytes Transmitted: Total bytes transmitted across all APs managed by the controller.
WLAN Packets Transmitted: Total packets transmitted across all APs managed by the controller.
WLAN Bytes Received: Total bytes received across all APs managed by the controller.
WLAN Packets Received: Total packets received across all APs managed by the controller.
WLAN Bytes Transmit Dropped: Total bytes transmitted across all APs managed by the controller that were dropped.
WLAN Packets Transmit Dropped: Total packets transmitted across all APs managed by the controller that were dropped.
WLAN Bytes Receive Dropped: Total bytes received across all APs managed by the controller that were dropped.
WLAN Packets Receive Dropped: Total packets received across all APs managed by the controller that were dropped.
Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels.
Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from Home AP using distributed tunneling.
Distributed Tunnel Clients: Total
207. m Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
• Apply In Progress: The controller is applying the proposed channel plan and adjusting the channel on the APs listed in the table.
• Apply Complete: The algorithm and channel adjustment are complete.
Proposed Channel Assignments: If no APs appear in the table after the algorithm is complete, the algorithm does not recommend any channel changes.
• Current Channel: Shows the current operating channel for the AP that the algorithm recommends for new channel assignments.
• New Channel: Shows the proposed operating channel for the AP.
The following actions are supported from this page:
Start: To initiate the channel plan algorithm.
Figure 81: Manual Channel Plan
208. n Allows clients on different IP subnets to dynamically resolve addresses, register themselves, and browse the network without sending broadcasts.
Appendix B. Factory Default Settings
Device login: User login URL: http://192.168.10.1; User name (case sensitive); Login password (case sensitive)
Internet Connection: Option MAC address: Use default address; Option MTU size: 1500
Local area network (LAN): IP address: 192.168.10.1; IPv4 subnet mask: 255.255.255.0; RIP direction: None; RIP authentication: Disabled; DHCP server: Enabled
DHCP starting IP address; DHCP ending IP address; Time zone; Time zone adjusted for Daylight Saving Time; Remote management; Inbound communications from the Internet; Outbound communications to the Internet; Source MAC filtering; Stealth mode
Disabled; Disabled (except traffic on port 80, the HTTP port); Enabled (all); Disabled; Enabled
209. n Rules
7.7 Client
Advanced > Client
The Known Client Summary shows the wireless clients currently in the Known Client Database and allows you to add new clients or modify existing clients to the database.
MAC Address: Shows the MAC address of the known client.
Name: Shows the descriptive name configured for the client when it was added to the Known Client database.
Authentication Action: When MAC authentication is enabled on the network, this field shows the action to take on a wireless client. The following options are available:
• Grant: Allow the client with the specified MAC address to access the network.
• Deny: Prohibit the client with the specified MAC address from accessing the network.
• Global Action: Use the global white-list or black-list action configured on the Advanced Global Configuration page to determine how to handle the client.
Figure 114: List of Known Clients
210. n Rules Status: This page displays the list of available application rules and their corresponding status.
Figure 116: List of Available Application Rules and corresponding status
7.10 Web Content Filtering
The gateway offers some standard web filtering options to allow the admin to easily create internet access policies between the secure LAN and insecure Option. Instead of creating policies based on the type of traffic (as is the case when using firewall rules), web-based content itself can be used to determine if traffic is allowed or dropped.
7.10.1 Content Filtering
Note: The following feature is available upon licensed activation of VPN Firewall features for the system.
Advanced > Website Filter > Content Filtering
Content filtering must be enabled to configure and use the subsequent features (list of Trusted Domains, filtering on Blocked Keywords, etc.). Proxy servers, which can be used to circumvent certain firewall rules and are thus a potential security gap, can be blocked for all LAN d
211. Channel Plan History
Manual Channel Plan
Manual Power Adjustment Plan
Access Point Software Download
Local OUI Database
AP Provisioning Summary Status
Manual Management
Internet Connection Setup Wizard
Manual Option1 Configuration
PPPoE configuration for Standard ISPs
Option1 configuration for Japanese Multiple PPPoE (part 1)
Option configuration for Multiple PPPoE (part 2)
Russia L2TP ISP Configuration
IPv6 Option Setup page
212. nage all wireless controllers in the cluster from one controller. The Peer Controller Configuration Request Status page provides information about the status of the configuration upgrade on the controllers in the cluster.
Figure 160: Peer Controller Configuration Request Status
Configuration Request Status: Indicates the global status for a configuration push operation to one or more peer controllers. The status can be one of the following:
• Not Started
• Receiving Configuration
• Saving Configuration
• Success
• Failure - Invalid Code Version
• Failure - Invalid Hardware Version
• Failure - Invalid Configuration
Total Count: Indicates the number of peer controllers included at the time a configuration download request is started; the value is 1 if a download request is for a single controller.
Success Count: Indicates the total number of peer controllers that have successfully completed a configuration download.
Failure Count: Indicates the total number of peer controllers that have failed to complete a confi
213. nagement, select the check box and click Apply.
Option Configuration: Define the upstream and downstream bandwidth for the Option1 and Option2 interfaces.
Bandwidth Profile: Click Add to define a bandwidth profile.
Bandwidth Management
Profile Name: Allows defining a profile name.
Priority: Select the priority of the profile.
Maximum Bandwidth: Provide the maximum allowed bandwidth of the profile.
Minimum Bandwidth: Provide the minimum allowed bandwidth of the profile.
Option Interface: Select the interface (Option1 or Option2).
Figure 12: Bandwidth Profile Configuration
2.2.4 Traffic Selector Configuration
Setup > LAN QoS > Traffic Selector Configuration
After you create a bandwidth profile, you can associate it with a traffic flow.
Figure 13: Traffic Selector Configuration
214. nd Service Set Identifier (SSID)
Radio Mode: From this field, you can select the radio that you want to configure. By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.
Network: Use the option to the left of the network to enable or disable the corresponding VAP on the selected rad
215. nd to a firewall rule
Figure 108: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30)
Figure 109: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed
Figure 110: Schedule configuration for the above example
Figure 111: List of user defined services
Figure 112: Available ALG support on the controller
Figure 113: Passthrough options for VPN tunnels
Figure 114: List of Known Clients
Figure 115: List of Available Application Rules showing 4 unique rules
Figure 116: List of Available Application Rules and corresponding status
Figure 117: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded
216. 5.2.4 Manual Power Adjustment Plan
Setup > AP Management > RF Management > Manual Power Adjustment Plan
If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page.
Current Status: Shows the current status of the plan, which is one of the following states:
• None: The power adjustment algorithm has not been manually run since the last controller reboot.
• Algorithm In Progress: The power adjustment algorithm is running.
• Algorithm Complete: The power adjustment algorithm has finished running. A table displays to indicate proposed power adjustments. Each entry shows the AP along with the current and new power levels.
• Apply In Progress: The controller is adjusting the power levels that the APs use.
• Apply Complete: The algorithm and power adjustment are complete.
AP MAC Address: Identifies the AP MAC address.
Location: Identifies the location of the AP, which is set in the Valid AP database.
Radio Interface: Identifies the radio.
Old Power: Shows the earlier power level for the AP.
New Power: Shows the proposed power level for the AP.
The following actions are supported from this page:
Start: To initiate the power adjustment algorithm.
217. Transmit Lifetime: Shows the number of milliseconds to wait before terminating attempts to transmit the MSDU after the initial transmission. Rate Limit: Enter the rate limit you want to set for multicast and broadcast traffic. The limit should be greater than 1 but less than 50 packets per second. Any traffic that falls below this rate limit will always conform to and be transmitted to the appropriate destination. The default and maximum rate limit setting is 50 packets per second. This field is disabled if Rate Limiting is disabled. Receive Lifetime: Shows the number of milliseconds to wait before terminating attempts to reassemble the MMPDU or MSDU after the initial reception of a fragmented MMPDU or MSDU. Rate Limit Burst: Setting a rate limit burst determines how much traffic bursts can be before all traffic exceeds the rate limit. This burst limit allows intermittent bursts of traffic on a network above the set rate limit. The default and maximum rate limit burst setting is 75 packets per second. This field is disabled if Rate Limiting is disabled. Station Isolation: When this option is selected, the AP blocks communication between wireless clients. It still allows data traffic between its wireless clients and wired devices on the network, but not among wireless cli
218. MAC Address: The Ethernet address of the controller-managed AP. IP Address: The network IP address of the managed AP. Age: Time since last communication between the Controller and the AP. Status: The current managed state of the AP. The possible values are: • Discovered: The AP is discovered by the controller but is not yet authenticated. • Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured. • Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode. • Failed: The Controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset. Profile: The AP profile configuration currently applied to the managed AP. The profile is assigned to the AP in the valid AP database. Radio Interface: Shows the wireless radio mode t
219. nter the number of APs that can be upgraded at the same time. When one group completes the upgrade, the next group begins the process. Image Download Type: Type of the image to be downloaded, which can be one of the following: • All images (img_dwl8600 and img_dwl3600/6600) • img_dwl8600 • img_dwl3600/6600. To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields. Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster. Each AP is identified by its MAC address, IP address, and Location in the <MAC IP Location> format. To upgrade a single AP, select the AP MAC address from the drop-down list. To upgrade all APs, select All from the top of the list. If All is selected, the Group Size field will limit the number of simultaneous AP upgrades in order not to overwhelm the TFTP server. Figure 83: Access Point Software Download.
220. on the primary port, all internet traffic will be rolled over to the backup port. When configured in Auto Failover mode, the link status of the primary Option port is checked at regular intervals as defined by the failure detection settings. Note that both Option and Option2 can be configured as the primary internet link. • Auto Rollover using Option port • Primary Option: Selected Option is the primary link (Option1 / Option2). • Secondary Option: Selected Option is the secondary link. Failover Detection Settings: To check connectivity of the primary internet link, one of the following failure detection methods can be selected: • DNS lookup using Option DNS Servers: DNS Lookup of the DNS Servers of the primary link are used to detect primary Option connectivity. • DNS lookup using Option Servers: DNS Lookup of the custom DNS Servers can be specified to check the connectivity of the primary link. • Ping these IP addresses: These IPs will be pinged at regular intervals to check the connectivity of the primary link. • Retry Interval is: The number tells the controller how often it should run the above configured failure detection method. • Failover after: This sets the number of retries after which failover is initiated. 6.3.2 Load Balancing. This feature allows you to use multiple Option links (and presumably multiple ISPs) simultaneously. After configuring more than one Option p
221. on continued: Auto policy via IKE. A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. As well, the encryption and integrity algorithms and keys must match on the remote IPsec host exactly in order for the tunnel to establish successfully. Note that using Auto policies with IKE is preferred, as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint. DWC-1000 supports VPN roll over feature. This means that policies configured on primary Option will rollover to the secondary Option in case of a link failure on a primary Option. T
222. onfigures the AP profile with pre-defined settings that are optimized for data traffic or voice traffic. Radio Mode: From this field, you can select the radio for which you want to configure QoS settings. Settings for each radio are configured separately. By default, Radio 1 operates in IEEE 802.11a/n mode and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available. Template: Select the QoS template to apply to the AP profile. If you select Custom, you can change the AP and station parameters. If you select Voice or Factory Defaults, the controller will use the pre-defined settings for the template you select. AP EDCA Parameters. Queue: Queues are defined for different types of data transmitted from AP to station. Data 0 (Voice): High-priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue. Data 1 (Video): High-priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue. Data 2 (best effort): Medium-priority queue, medium throughput and delay. Most traditional IP data is sent to this queue
223. ontains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy. Channel Plan: Each AP is dual-band capable of operating in the 2.4 GHz and 5 GHz frequencies. The 802.11a/n and 802.11b/g/n modes use different channel plans. Before you configure channel plan settings, select the mode to configure. Channel Plan Mode: This field indicates the channel assignment mode. The mode of channel plan assignment can be one of the following: • Fixed Time: If you select the fixed time channel plan mode, you specify the time for the channel plan and channel assignment. In this mode the plan is applied once every 24 hours at the specified time. • Manual: With the manual channel plan mode, you control and initiate the calculation and assignment of the channel plan. You must manually run the channel plan algorithm and apply the channel plan to the APs. • Interval: In the interval channel plan mode, the controller periodically calculates and applies the channel plan. You can configure the interval to be from every 6 to every 24 hours. The interval period begins when you click Submit. Figure 79: RF configuration.
224. ontroller's supported SSL services, such as the VPN Tunnel page or Port Forwarding page. To configure a portal layout and theme, the following information is needed: Portal Layout Name: A descriptive name for the custom portal that is being configured. It is used as part of the SSL portal URL. Portal Site Title: The portal web browser window title that appears when the client accesses this portal. This field is optional. Banner Title: The banner title that is displayed to SSL VPN clients prior to login. This field is optional. Banner Message: The banner message that is displayed to SSL VPN clients prior to login. This field is optional. Display banner message on the login page: The user has the option to either display or hide the banner message in the login page. HTTP meta tags for cache control: This security feature prevents expired web pages and data from being stored in the client's web browser cache. It is recommended that the user selects this option. ActiveX web cache cleaner: An ActiveX cache control web cleaner can be pushed from the gateway to the client browser whenever users log in to this SSL VPN portal. SSL VPN portal page to display: The User can either enable VPN tunnel page or Port Forwarding, or both, depending on the SSL services to display on this portal. Once the portal settings are configured, the newly configured portal is added to the list of portal la
225. ontroller. If you select the Scan Other Channels option, the radio periodically moves away from the operational channel to scan other channels. Enabling this mode causes the radio to interrupt user traffic, which may be noticeable with voice connections. When the Scan Other Channels option is cleared, the AP scans only the operating channel. RF Scan Sentry: Select this option to allow the radio to operate in sentry mode. When the RF Scan Sentry option is selected, the radio primarily performs dedicated RF scanning. The radio passively listens for beacons and traffic exchange between clients and other access points but does not accept connections from wireless clients. In sentry mode, all VAPs are disabled. Networks that deploy sentry APs or radios can detect devices on the network quicker and perform more thorough security analysis. In this mode, the radio switches from one channel to the next. The length of time spent on each channel is controlled by the scan duration. The default scan duration is 10 milliseconds. Mode: The Mode defines the Physical Layer (PHY) standard the radio uses. Select one of the following modes for each radio interface. Radio 1 supports: • IEEE 802.11a is a PHY standard that specifies operating in the 5 GHz U-NII band using orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from 6 to 54 Mbps. • IEEE 802.11a/n operates in the 5 GHz ISM band and includes support for both 802.11
226. ort, the load balancing option is available to carry traffic over more than one link. Protocol bindings are used to segregate and assign services over one Option port in order to manage internet flow. The configured failure detection method is used at regular intervals on all configured Option ports when in Load Balancing mode. DWC-1000 currently supports three algorithms for Load Balancing. Round Robin: This algorithm is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower-speed link. Protocol binding is explained in next section. Spill Over: If Spill Over method is selected, Option1 acts as a dedicated link till a threshold is reached. After this, Option 2 will be used for new connections. You can configure spill over mode by using the following options: • Load Tolerance: It is the percentage of bandwidth after which the controller switches to secondary Option. • Max Bandwidth: This sets the maximum bandwidth tolerable by the primary Option. If the link bandwidth goes above the load tolerance value of max bandwidth, the controller will spill over the next connections to secondary Option. For example, if the maximum bandwidth of primary Option is Kbps and the load
227. os name (if available), IP address and MAC address of discovered LAN hosts are displayed. Figure 54: List of LAN hosts. 4.5.3 Detected Clients. Status > LAN Client Info > Detected Clients. Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well as information about clients that disassociate and are no longer connected to the system. Figure 55: Detected Clients.
228. osoft Windows protocol for file sharing, printer sharing, messaging, authentication, and name resolution. Network Time Protocol: Protocol for synchronizing a controller to a single clock on the network, known as the clock master. Password Authentication Protocol: Protocol for authenticating users to a remote access server or ISP. Point-to-Point Protocol over Ethernet: Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses. Point-to-Point Tunneling Protocol: Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet. Remote Authentication Dial-In User Service: Protocol for remote user authentication and accounting. Provides centralized management of usernames and passwords. Rivest-Shamir-Adleman: Public key encryption algorithm. Transmission Control Protocol: Protocol for transmitting data over the Internet with guaranteed reliability and in-order delivery. User Data Protocol: Protocol for transmitting data over the Internet quickly but with no guarantee of reliability or in-order delivery. Virtual private network: Network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. Uses tunneling to encrypt all information at the IP level. Windows Internet Name Service: Service for name resolutio
229. ou can add new OU entries. 5.5 AP Provisioning Summary. Setup > AP Management > AP Provisioning Summary Status. The AP Provisioning feature helps you add new APs to an existing controller cluster. With AP Provisioning, you can configure the access points with parameters that are needed to connect to the wireless network. Use AP Provisioning to connect devices to a network enabled for mutual authentication. If a network is not enabled for mutual authentication, then APs can be attached to the network by properly configuring the local Valid AP database or RADIUS AP database and discovery options. The provisioning feature can optionally be used on networks not enabled for mutual authentication to simplify AP attachment to the cluster. MAC Address: MAC address of the AP. IP Address: IP Address of the AP. Primary IP Address: The IP address of the primary provisioned controller as reported by the AP. Backup IP Address: The IP address of the backup provisioned controller as reported by the AP. New Primary IP Address: Enter the IP address of primary controller to which the AP should try to connect. New Backup IP Address: Enter the IP address of controller to which the AP should try to connect if it is unable to connect to the primary controll
230. own menu and clicking Add. This browser will then appear in the above list of Defined Browsers. Click Save Settings to save your changes. Figure 141: Browser policies options. Policy by IP: To set policies by IP for the group, select the corresponding group and click Policy by IP. The following parameters are configured: Group Name: This is the name of the group that can have its login policy edited. Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller GUI. All non-defined browsers will be allowed for login for this group. Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller GUI. All non-defined browsers will be denied for login for this group. Defined Browsers: This list displays the web browsers that ha
231. p site to site VPN tunnel. This will add VPN policies by importing a file containing VPN policies. Configuring IPsec Policies. Setup > VPN Settings > IPsec > IPsec Policies. An IPsec policy is between this controller and another gateway, or this controller and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport, depending on the network being traversed between the two policy endpoints. Transport: This is used for end-to-end communication between this controller and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host. Only the data payload is encrypted and the IP header is not modified or encrypted. Tunnel: This mode is used for network-to-network IPsec tunnels where this gateway is one endpoint of the tunnel. In this mode the entire IP packet, including the header, is encrypted and/or authenticated. When tunnel mode is selected, you can enable NetBIOS and DHCP over IPsec. DHCP over IPsec allows this controller to serve IP leases to hosts on the remote LAN. As well, in this mode you can define the single IP address, range of IPs, or subnet on both the local and remote private networks that can communicate over the tunnel. Figure 128: IPsec policy configuration.
232. phase to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. 10.4 Intel AMT. This feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Intel AMT. Intel Active Management Technology enables IT managers to remotely access and manage every networked computing system, even those that lack a working operating system or hard drive, or are turned off, as long as the PC/Notebook is connected to line power and to the network, even if PC/Notebook is off or OS is crashed. Intel AMT uses a separate management processor that runs independently on the client machine and can be reached through the wired or wireless network. With D-Link DSR Routers, Intel AMT Technology could cross Internet seamlessly, and it's an ideal solution to help IT managers for asset management over Internet. Figure 156: Intel AMT.
233. policies. Disable: Can disable the added Policies. Delete: Will delete the Policy selected. Add: Will let you add a new policy. List of Available Profiles: Any one of these profiles can be used for Captive Portal Login page while enabling Captive Portal. Enable: Can enable the added profiles. Edit: Can edit the added profiles. The default Profile can't be edited. Delete: Will delete the profile selected. You cannot delete the default profile and the current profile being used. Add: Will let you add a new profile. The maximum allowed number of profiles is 5, excluding the default. Show Preview: Will show preview of the page if a profile is selected. Configure Captive Portal Policies: This allows you to add a captive portal policy or to edit the configuration of an existing policy. Policy Name: Set the Name of the Particular Policy which is to be configured. From Interface: The source Interface of the traffic that is controlled by this Captive Portal (LAN or VLANs). To Interface: The destination Interface of the traffic that is controlled by this Captive Portal (Option or DMZ). Enable: This enables the captive portal policy. Figure 25: Configuring a captive portal policy.
234. ption port interface. Solution: Create an inbound rule that configures the firewall to host an additional public IP address. Associate this address with a web server on the DMZ. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses is used as the primary IP address of the controller. This address is used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your DMZ servers. The following addressing scheme is used to illustrate this procedure: • Option IP address: 10.1.0.118 • LAN IP address: 192.168.10.1, subnet 255.255.255.0 • Web server host in the DMZ, IP address: 192.168.12.222 • Access to Web server: (simulated) public IP address 10.1.0.52. Insecure (Option 1 / Option 2). Send to Local Server (DNAT IP): 192.168.12.222 (web server local IP address). Destination Users: Single Address. Example 4: Block traffic by schedule if generated from specific range of machines. Use Case: Block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses, and anyone coming in through the Network from the Option (i.e. all remote users). Configuration: 1. Set up a schedule. • To set up a schedule that affects traffic on weekends only, navi
235. • Discovered: The AP is discovered by the controller but is not yet authenticated. • Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured. • Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode. • Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset. Note: When management connectivity is lost for a managed AP, then both radios of the AP are turned down. All the clients associated with the AP get disassociated. The radios become operational if and when that AP is managed again by a controller. Profile: The AP profile configuration currently applied to the managed AP. The profile is assigned to the AP in the valid AP database. Radio Interface: Shows the wireless radio mode that each radio on the AP is using. 4.1.4 Cluster information. Status > Device Info > Cluster Information. The Peer Controller Status page provides information about other wireless controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients. The controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the controller lose
236. r from the range of addresses beginning with this IP address. Client Address Range End: The ending IP address of the DHCP range of addresses served to the client network adaptor. Setup > VPN Settings > SSL VPN Client > Configured Client Routes. If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. As well, a static route on the private LAN's firewall (typically this controller) is needed to forward private traffic through the VPN Firewall to the remote SSL VPN client. When split tunnel mode is enabled, the user is required to configure routes for VPN tunnel clients. Destination Network: The network address of the LAN or the subnet information of the destination network from the VPN tunnel clients' perspective is set here. Subnet Mask: The subnet information of the destination network is set here. Figure 150: Configured client routes only apply in split tunnel mode. The Configured Client Routes entries are the routing entries which will be added by the SSL VPN Client such that only traffic to these destination addresses is redirected through the SSL VPN tunnels. All other traffic is redirected using the native network interface of the hosts (SSL VPN Clients). For example if t
237. r to create a TCP control connection between the LAN VPN client and the VPN server. 8.4.1 PPTP Tunnel Support. Setup > VPN Settings > PPTP > PPTP Client. PPTP VPN Client can be configured on this controller. Using this client, we can access a remote network that is local to the PPTP server. Once client is enabled, the user can access the Status > Active VPNs page and establish a PPTP VPN tunnel by clicking Connect. To disconnect the tunnel, click Drop. Figure 131: PPTP tunnel configuration. Figure 132: PPTP VPN connection status. Setup > VPN Settings > PPTP > PPTP Server. A PPTP VPN can be established through this controller. Once enabled, a PPTP server is available on the controller for LAN and Option PPTP client users to access. Once the PPTP server is enabled, PPTP clients that are within the range of configured IP addresses of allowed clients can
238. rder bits of the IPv6 address that define the network portion of the address. Typically this is 64. Prefix Lifetime: This defines the duration (in seconds) that the requesting node is allowed to use the advertised prefix. It is analogous to DHCP lease time in an IPv4 network. Figure 8: IPv6 Advertisement Prefix settings. 2.2 LAN QoS. 2.2.1 Port Queue Scheduling. Setup > LAN QoS > Port Queue Scheduling. This page allows you to select the queueing scheduling algorithm. Queueing scheduling algorithm: The scheduling algorithm for the LAN controller can be configured here. The supported algorithms are strict and weighted round robin only. The device will be programmed to handle the traffic using the algorithm configured here. Figure 9: Port Queue Scheduling. 2.2.2 Port Queue Status
239. red services or any of the user-defined services, the type of traffic can be assigned to go over only one of the available Option ports. For increased flexibility, the source network or machines can be specified as well as the destination network or machines. For example, the VOIP traffic for a set of LAN IP addresses can be assigned to one Option and any VOIP traffic from the remaining IP addresses can be assigned to the other Option link. Protocol bindings are only applicable when load balancing mode is enabled and more than one Option is configured. Figure 96: Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network. Service: Select one of the various services available for protocol binding. Local Gateway: Select the port that sets the local gateway for this protocol binding, either option or option2. Source Network: Select one of the following: 6.4 6.4.1 • Any: No specific network needs to be given. • Single Address: Limit to one computer. Requires the IP address of the computer that will be part of the source
240. ress of the peer wireless controller in the cluster. Vendor ID: Vendor ID of the peer controller software. Software Version: The software version for the given peer controllers. Protocol Version: Indicates the protocol version supported by the software on the peer controllers. Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll. Managed AP Count: Shows the number of APs that the controller currently manages. Age: Time since last communication with the controller, in Hours, Minutes and Seconds. 4.1.5 Resource Utilization. Status > Dashboard > Interface. The Dashboard page presents hardware and usage statistics. The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the controller. Interface statistics for the wired connections (LAN, Option1, Option 2, DMZ, VLANs) provide indication of packets through and packets dropped by the interface. Click refresh to have this page retrieve the most current statistics. Figure 46: Resource Utilization statistics.
241. rmware image on your host and click Upgrade. After the new firmware image is validated, the new image is written to flash and the controller is automatically rebooted with the new firmware. The Firmware Information and also the Status > Device Info > Device Status page will reflect the new firmware version. IMPORTANT: During firmware upgrade, do NOT try to go online, turn off the DWC-1000, shut down the PC, or interrupt the process in any way until the operation is complete. This should take only a minute or so, including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the controller unusable without a low-level process of restoring the flash firmware (not through the web GUI). Figure 176: Firmware version information and upgrade option. This controller also supports an automated notification to determine if a newer firmware ve
242. rol traffic between the DWC-1000 and the ISP. Figure 90: Option1 configuration for Japanese Multiple PPPoE (part 1). There are a few key elements of a multiple PPPoE connection: Primary and secondary connections are concurrent. Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI. The DWC-1000 acts as a DNS proxy for LAN users. Only HTTP requests that specifically identify the secondary connection's domain name (for example flets) will use the secondary profile to access the content available through this secondary PPPoE terminal. All other HTTP/HTTPS requests go through the primary PPPoE connection. Wh
243. An Application Level Gateway (ALG) allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer control/data protocols such as TFTP, SIP, RTSP, IPsec, PPTP, etc. Each ALG provides special handling for a specific protocol or application. A number of ALGs for common applications are enabled by default. 7.6 VPN Passthrough for Firewall. Advanced > Firewall Settings > VPN Passthrough. This controller's firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP and L2TP VPN tunnel connections between the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support; instead, the appropriate check boxes in the VPN Passthrough page must be enabled. Figure 113: Passthrough options for VPN tunnels. This page allows the user to configure VPN (IPsec, PPTP and L2TP) passthrough on the router. Enabled passthrough checkboxes have higher priority than firewall rules based on the same service.
244. Figure 53: Associated Clients. MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk, the client is associated with an AP managed by a peer controller. AP MAC Address: The Ethernet address of the AP. SSID: The network on which the client is connected. BSSID: The Ethernet MAC address for the managed AP VAP where this client is associated. Detected IP Address: Identifies the IPv4 address of the client, if available. Status: Indicates whether or not the client has associated and/or authenticated. The valid values are: Associated: The client is currently associated to the managed AP. Authenticated: The client is currently associated and authenticated to the managed AP. Disassociated: The client has disassociated from the managed AP. If the client does not roam to another managed AP within the client roam timeout, it will be deleted. Disassociate: Disassociates the client from the managed AP. View Details: For each client associated with an AP that the contro
245. ropriate for servers on the LAN, since there is a dependency on the LAN device making an outgoing connection before incoming ports are opened. Some applications require that when external devices connect to them, they receive data on a specific port or range of ports in order to function properly. The controller must send all incoming data for that application only on the required port or range of ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled. Figure 115: List of Available Application Rules showing 4 unique rules. The application rule status page will list any active rules, i.e. incoming ports that are being triggered based on outbound requests from a defined outgoing port. 7.9 Application Rules Status. Advanced > Application Rules > Applicatio
246. rsion is available for this controller. By clicking the Check Now button in the notification section, the controller will check a D-Link server to see if a newer firmware version for this controller is available for download and update the Status field below. 12.9 Dynamic DNS Setup. Tools > Dynamic DNS. Dynamic DNS (DDNS) is an Internet service that allows controllers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS or Oray.net. Each configured Option can have a different DDNS service if required. Once configured, the controller will update DDNS services with changes in the Option IP address, so that features that depend on accessing the controller's Option via FQDN will be directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider. Figure 177: Dynamic DNS configuration.
247. s contact with a peer, all of the data for that peer is deleted. One of the controllers in a cluster is elected as the Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs the peer controllers manage and the clients associated to those APs. Figure 45: Cluster information. Cluster Controller IP Address: IP address of the controller that controls the cluster. Peer Controllers: Displays the number of peer controllers in the cluster. IP Address: IP add
248. s is the name that will be displayed as the owner of this certificate. This should be your official registered or company name, as IPsec or SSL VPN peers are shown this field. Serial Number: The serial number is maintained by the CA and used to identify this signed certificate. Issuer Name: This is the CA name that issued (signed) this certificate. Expiry Time: The date after which this signed certificate becomes invalid; you should renew the certificate before it expires. To request a self certificate to be signed by a CA, you can generate a Certificate Signing Request from the gateway by entering identification parameters and passing it along to the CA for signing. Once signed, the CA's Trusted Certificate and the signed certificate from the CA are uploaded to activate the self certificate validating the identity of this gateway. The self certificate is then used in IPsec and SSL connections with peers to validate the gateway's authenticity. Figure 155: Certificate summary for IPsec and HTTPS management. Digital Certificates (also known as X509 Certificates) are used to authenticate the identity of users and systems, and are issued by Certification Authorities (CA) such as VeriSign, Thawte and other organizations. Digital Certificates are used by this router during the Internet Key Exchange (IKE) authentication
249. s page. Figure 101: OSPFv2 Configuration. This page allows the user to update the configured OSPFv2 parameters. OSPFv2 Enable: A check box to enable/disable OSPFv2. Interface: The physical network interface on which OSPFv2 is enabled/disabled. Area: The area to which the interface belongs. Enter values from 1 to 255. For two routers sharing a common segment, their interfaces have to belong to the same area on that segment. The interfaces should belong to the same subnet and have a similar mask. Priority: Helps to determine the OSPFv2 designated router for a network. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0 makes the router ineligible to become Designated Router. The default value is 1. Lower value means higher priority. HelloInterval: The number of seconds for the HelloInterval timer value. When this value is set, a Hello packet will be sent every timer value seconds on the specified interface. This value must be the same for all routers attached to a common network. The default value is 10
250. se Destination NAT (DNAT) for managing traffic from the Option. Destination NAT is available when the To Zone is DMZ or secure LAN. With an inbound allow rule, you can enter the internal server address that is hosting the selected service. You can enable port forwarding for an incoming service specific rule (From Zone Option) by selecting the appropriate checkbox. This will allow the selected service traffic from the internet to reach the appropriate LAN port via a port forwarding rule. Translate Port Number: With port forwarding, the incoming traffic is forwarded to the port number entered here. External IP address: The rule can be bound to a specific Option interface by selecting either the primary Option or configurable port Option as the source IP address for incoming traffic. This controller supports multi-NAT, so the External IP address does not necessarily have to be the Option address. On a single Option interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the Option port and the others can be assigned to servers on the LAN or DMZ. In this way the LAN/DMZ server can be accessed from the internet by its aliased public IP address. 7. Outbound rules can use Source NAT (SNAT) in order to map (bind) all LAN/DMZ traffic matching the rule parameters to a specific Option interface or external IP address
251. sec VPN authentication as well as SSL validation for HTTPS and SSL VPN authentication. You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway. The gateway comes with a self-signed certificate, and this can be replaced by one signed by a CA as per your networking requirements. A CA certificate provides strong assurance of the server's identity and is a requirement for most corporate network VPN solutions. The certificates menu allows you to view a list of certificates (both from a CA and self-signed) currently loaded on the gateway. The following certificate data is displayed in the list of Trusted (CA) certificates: CA Identity (Subject Name): The certificate is issued to this person or organization. Issuer Name: This is the CA name that issued this certificate. Expiry Time: The date after which this Trusted certificate becomes invalid. A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don't want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate: Name: The name you use to identify this certificate; it is not displayed to IPsec VPN peers or SSL users. Subject Name: Thi
252. seconds. DeadInterval: The number of seconds that a device's hello packets must not have been seen before its neighbors declare the OSPF router down. This value must be the same for all routers attached to a common network. The default value is 40 seconds. OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, these routers will not become neighbors on a particular segment. Cost: The cost of sending a packet on an OSPFv2 interface. Authentication Type: This column displays the type of authentication to be used for OSPFv2. If Authentication Type is None, the interface does not authenticate OSPF packets. If Authentication Type is Simple, then OSPF packets are authenticated using a simple text key. If Authentication Type is MD5, then the interface authenticates OSPF packets with MD5 authentication. Authentication Key: Assign a specific password to be used by neighboring OSPF routers on a network segment that is using authentication. Routers in the same area that want to participate in the routing domain will have to be configured with the same key. Md5 Key Id: Input the unique MD5 key ID to be used by neighboring OSPF routers on a network segment that is using Authentication Type MD5. Md5 Authentication Key: Input the auth key for this MD5 key to be used by neighboring OSPF routers on a network segment that is using Authentication Type MD5. 6.6 6to4 Tunneling. Advanced > IP
253. Figure 13: Traffic Selector Configuration. Figure 14: LAN QoS Configuration. Figure 15: 802.1p Configuration. Figure 16: DSCP Configuration. Figure 17: Remark CoS to DSCP. Figure 18: Adding VLAN memberships to the LAN. Figure 19: Port VLAN list. Figure 20: Configuring VLAN membership for a port. Figure 21: Multiple VLAN Subnets. Figure 22: DMZ configuration. Figure 23: UPnP Configuration. Figure 24: Captive Portal Setup. Figure 25: Configuring a Captive Portal Policy. Figure 26: Captive Portal Configuration Part 1. Figure 27: Captive Portal Configuration Part 2. Figure 28
254. sers to access the LAN over an encrypted link through a customizable user portal interface, and each SSL VPN user can be assigned unique privileges and network resource access levels. The remote user can be provided different options for SSL service through this controller. VPN Tunnel: The remote user's SSL enabled browser is used in place of a VPN client on the remote host to establish a secure VPN tunnel. An SSL VPN client (ActiveX or Java based) is installed in the remote host to allow the client to join the corporate LAN with pre-configured access/policy privileges. At this point a virtual network interface is created on the user's host, and this will be assigned an IP address and DNS server address from the controller. Once established, the host machine can access allocated network resources. Port Forwarding: A web-based (ActiveX or Java) client is installed on the client machine again. Note that the Port Forwarding service only supports TCP connections between the remote user and the controller. The controller administrator can define specific services or applications that are available to remote port forwarding users instead of access to the full LAN like the VPN tunnel. ActiveX clients are used when the remote user accesses the portal using the Internet Explorer browser. The Java client is used for other browsers like Mozilla Firefox, Netscape Navigator, Google Chrome and Apple Safari. Figure 136
255. 7.1 Firewall Rules. 7.2 Defining Rule Schedules. 7.3 Configuring Firewall Rules. 7.3.1 Firewall Rule Configuration Example. 7.4 Security on Custom Services. 7.5 ALG Support. 7.6 VPN Passthrough for Firewall. 7.7. 7.8 Application Rules. 7.9 Application Rules Status. 7.10 Web Content Filtering. 7.10.1 Content Filtering. 7.10.2 Approved URLs. 7.10.3 Blocked Keywords. 7.10.4 Export Web Filter. 7.11 IP/MAC Binding. 7.12 RADIUS Settings. 7.13 Switch Settings. 7.14 Protecting from Internet Attacks
256. Client Status. Associated Client Status. Associated Client SSID Status. Associated Client VAP Status. Figure 73: Controller Associated Client Status. Figure 74: Detected Client Status. Figure 75: Pre-Auth History. Figure 76: Detected Client Roam History. Figure 77: Valid Access Point Configuration. Figure 78: Add a Valid Access Point. Figure 79: RF Configuration
257. shows the up time for all the interfaces. 4.3 Managed AP and Associated Clients Statistics. 4.3.1 Managed AP Statistics. Status > Traffic Monitor > Managed AP Statistics. The managed AP statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues, such as throughput problems. The following figure shows the Managed Access Point Statistics page with a managed AP. MAC Address: This field shows the MAC address of the client station. Interface: This field shows the interface type, WLAN or Ethernet. Packet Transmitted: This field shows the packet transmitted to the client station. Packet Received: This field shows the packet received to the client station. Bytes Transmitted: This field shows the bytes transmitted to the client station. Bytes Received: This field shows the bytes received to the client station. Figure 49: Managed AP Statistics.
258. some of the work is done by access points, the controller needs to send messages to the APs to modify its WIDS operational properties. Administrator configured rogue AP: If the source MAC address is in the valid AP database on the controller or on the RADIUS server and the AP type is marked as Rogue, then the AP state is Rogue. Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with a managed SSID to fool users into associating with the AP and revealing passwords and other secure information. Administrators with large networks who are using multiple clusters should either use different network names in each cluster or disable this test. Otherwise, if an AP in the first cluster detects APs in the second cluster transmitting the same SSID as APs in the first cluster, then these APs are reported as rogues. Managed SSID from a fake managed AP: A hacker may set up an AP with the same MAC address as one of the managed APs and configure it to send one of the managed SSIDs. This test checks for a vendor field in the beacons, which is always transmitted by managed APs. If the vendor field is not present, then the AP is identified as a fake AP. AP without an SSID: SSID is an optional field in beacon frames. To avoid detection, a hacker may set up an AP with the managed network SSID but disable SSID transmission in the beacon frames
259. Connection Status information of Option. Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined. Figure 96: Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network. Figure 97: Routing Mode is used to configure traffic routing between Option and LAN, as well as Dynamic routing (RIP). Figure 98: Static route configuration fields. Figure 99: OSPFv2 Status (IPv4). Figure 100: OSPFv3 Status (IPv6). Figure 101: OSPFv2 Configuration. Figure 102: 6to4 Tunneling. Figure 103. Figure 104: Physical Option port settings. Figure 105: IP Aliases. Figure 106: List of Available Firewall Rules. Figure 107: List of Available Schedules to bi
260. Figure 40: WLAN Setup Wizard. Figure 41: Dashboard. Figure 42: Device Status display. Figure 43: Device Status display (continued). Figure 44: Wireless LAN AP information. Figure 45: Cluster information. Figure 46: Resource Utilization statistics. Figure 47: Resource Utilization data (continued). Figure 48: Physical port statistics. Figure 49: Managed AP Statistics. Figure 50: LAN Associated Clients
261. st and IP list in the configuration that the controller pushes to its peers. Channel/Power: Enable this field to include the RF management information in the configuration that the controller pushes to its peers. AP Database: Enable this field to include the AP Database in the configuration that the controller pushes to its peers. AP Profiles: Enable this field to include all AP profiles in the configuration that the controller pushes to its peers. The AP profile includes the global AP settings, such as the hardware type, Radio settings, VAP and Wireless Network settings, and QoS settings. Known Client: Enable this field to include the Known Client Database in the configuration that the controller pushes to its peers. RADIUS Client: Enable this field to include the Client RADIUS information in the configuration that the controller pushes to its peers. 11.5 WIDS Configuration. The D-Link Wireless Controller Wireless Intrusion Detection System (WIDS) can help detect intrusion attempts into the wireless network and take automatic actions to protect the network. 11.5.1 WIDS AP Configuration. Advanced > WIDS Security > AP. The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity. Since
262. st information. View Details: Shows detailed status of the associated client. 4.4 Active Connections. 4.4.1 Sessions through the Controller. Status > Active Sessions. This table lists the active internet sessions through the controller's firewall. The session's protocol, state, local and remote IP addresses are shown. Figure 52: List of current Active Firewall Sessions. 4.5 LAN Client Info. 4.5.1 Associated Clients. Status > LAN Client Info > Associated Clients. The clients that are associated with the APs the controller manages are displayed.
263. st of Available Schedules. 7.3 Configuring Firewall Rules. The following feature is available upon licensed activation of VPN / Firewall features for the system. Advanced > Firewall Settings > Firewall Rules. All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not, and gives a summary of the From/To zone as well as the services or users that the rule affects. To create a new firewall rule, follow the steps below: 1. View the existing rules in the List of Available Firewall Rules table. 2. To edit or add an outbound or inbound services rule, do the following: a. To edit a rule, click the checkbox next to the rule and click Edit to reach that rule's configuration page. b. To add a new rule, click Add to be taken to a new rule's configuration page. Once created, the new rule is automatically added to the original table. 3. Choose the From Zone to be the source of originating traffic: either the secure LAN, public DMZ, or insecure Option. For an inbound rule, Option should be selected as the From Zone. 4. Choose the To Zone to be the destination of
264. story. 5.2.3 Manual Channel Plan. Setup > AP Management > RF Management > Manual Channel Plan. If you specify Manual as the Channel Plan Mode on the Configuration tab, the Manual Channel Plan page allows you to initiate the channel plan algorithm. To manually run the channel plan adjustment feature, select the radio to update the channels on (5 GHz or 2.4 GHz) and click Start Channel Plan. The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select. Channel plan algorithm. Current Status: Shows the Current Status of the plan, which is one of the following states: None: The channel plan algorithm has not been manually run since the last controller reboot. Algorithm in Progress: The channel plan algorithm is running. Algorith
265. t Export. Export Approved URLs: Feature enables the user to export the URLs to be allowed to a csv file, which can then be downloaded to the local host. The user has to click the export button to get the csv file. Export Blocked Keywords: This feature enables the user to export the keywords to be blocked to a csv file, which can then be downloaded to the local host. The user has to click the export button to get the csv file. Figure 120: Export Approved URL list. 7.11 IP/MAC Binding. Advanced > IP/MAC Binding. Another available security measure is to only allow outbound traffic from the LAN to Option when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding, and by enforcing the gateway to validate the source traffic's IP address with the unique MAC Address of the configured LAN node, the administrator can ensure traffic from that IP address is not spoofed. In the event of a violation (i.e. the traffic's source IP address doesn't match up with the expected MAC address having the same IP address), the packets will be dropped and can be logged for diagnosis.
266. t a new channel for Radio 1 or Radio 2. The available channels depend on the radio mode and country in which the APs operate. The manual channel change overrides the channel configured in the AP profile and is not retained when the AP reboots or when the AP profile is reapplied. Power: Select the AP and click the Edit Channel Power button to access the Managed AP Channel Power Adjust page. From that page, you can set a new power level for the AP. The manual power change overrides the power setting configured in the AP profile and is not retained when the AP reboots or when the AP profile is reapplied. Chapter 6. Connecting to the Internet: Option Setup. This controller has two Option ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP. It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to set up the controller. The ISP Connection types PPPoE, PPTP, L2TP, NAT Transparent mode feature are available upon licensed activation of VPN Firewall features for the system. 6.1 Internet Connection Setup Wizard. Setup > Wizard > Internet. The Internet Connection Setup Wizard is available for users new to networking. By going through a few straigh
267. t are currently not in use. CPU waiting for IO: percent of CPU cycles that are allocated to input/output devices. Memory Utilization: This section displays memory status of system. Total Memory: Indicates total available volatile physical memory. Used Memory: Indicates memory used by all processes in system. Free Memory: Indicates available free memory in system. Cached Memory: Indicates cached memory in system. Buffer Memory: Indicates buffered memory in system. 4.1.2 Device Status. Status > Device Info > Device Status. The DWC-1000 Status page gives a summary of the controller configuration settings configured in the Setup and Advanced menus. The static hardware serial number and current firmware version are presented in the General section. The Option and LAN interface information shown on this page are based on the administrator configuration parameters. The radio band and channel settings are presented below along with all configured and active APs that are enabled on this controller. Figure 42: Device Status display.
268. tes and keys the server uses. Second Row: Set of certificates and keys newly uploaded. Enable TLS Authentication Key: Enabling this adds TLS authentication, which adds an additional layer of authentication. Can be checked only when the TLS key is uploaded. Disabled by default. Click Save Settings to save the configuration entered. Figure 135: OpenVPN configuration. Chapter 9. SSL VPN. The following feature is available upon licensed activation of VPN Firewall features for the system. The controller provides an intrinsic SSL VPN feature as an alternate to the standard IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely log in through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN. The controller supports multiple concurrent sessions to allow remote u
269. tes if the Option is connected to the Internet Service Provider. Link State: Detects if a link is present on the Option Interface. Option Mode: Indicates if Option or Option2 is in use. Gateway: Gateway IP address of the Option port. Primary DNS: Primary DNS server IP address of the Option port. Secondary DNS: Secondary DNS server IP address of the Option port. If the Connection Status indicated that the association with the ISP is active, then the Option can be disconnected by clicking the Disable button. Figure 94: Connection Status information of Option1.
270. tforward configuration pages you can take the information provided by your ISP to get your Option connection up and enable internet access for your network. Figure 87: Internet Connection Setup Wizard. You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set the time zone that you are located in, and then choose the type of internet connection: DHCP, Static, PPPoE, PPTP, L2TP. Depending on the connection type, a username/password may be required to register this controller with the ISP
271. the operational status of the controller. The status can be one of the following values: Enabled, Enable Pending, Disabled, Disable Pending. Figure 30: WLAN global configuration. IP Address: This field shows the IP address of the WLAN interface on the controller. If the controller does not have the Routing Package installed, or if routing is disabled, the IP address is the network interface. If the routing package is installed and enabled, this is the IP address of the routing or loopback interface you configure for the controller features. AP MAC Validation Metho
272. the request and prompt for a username/password. The login credentials are compared against the RunTimeAuth users in user database prior to granting HTTP access. Captive Portal is available for LAN and WLAN users only and not for DMZ hosts. Captive Portal Setup. Advanced > Captive Portal > Setup. Captive Portal Policies: The List of Available CaptivePortal Policies are shown in this table. Policy Name: Set the name of the particular policy which is to be configured. Status: The status of the policy can be enabled (active) or disabled (configured but not in use). In Interface: The source interface of the traffic that is controlled by this Captive Portal (LAN or VLANs). Out Interface: The destination interface of the traffic that is controlled by this Captive Portal (Option or DMZ). Figure 24: Captive Portal Setup. The following actions are supported from this page: Edit: Can edit the added policies. Enable: Can enable the added
273. this controller and other controllers configured with the same RIP version is required. MD5 authentication is used in a first/second key exchange process. The authentication key validity lifetimes are configurable to ensure that the routing information exchange is with current and supported controllers detected on the LAN. Static Routing. Advanced > Routing > Static Routing. Advanced > IPv6 > IPv6 Static Routing. Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path; once configured, the static route will be active and effective until the network changes. The List of Static Routes displays all routes that have been added manually by an administrator and allows several operations on the static routes. The List of IPv4 Static Routes and List of IPv6 Static Routes share the same fields (with one exception). Name: Name of the route, for identification and management. Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled. Private: Determines whether the route can be shared with other controllers when RIP is enabled. If the route is made private, then th
274. three e-mail addresses can be configured as log recipients. In order to establish a connection with the configured SMTP port and server, define the server's authentication requirements. The controller supports Login Plain (no encryption) or CRAM-MD5 (encrypted) for the username and password data to be sent to the SMTP server. Authentication can be disabled if the server does not have this requirement. In some cases the SMTP server may send out IDENT requests, and this controller can have this response option enabled as needed. Once the e-mail server and recipient details are defined, you can determine when the controller should send out logs. E-mail logs can be sent out based on a defined schedule by first choosing the unit (i.e. the frequency) of sending logs: Hourly, Daily, or Weekly. Selecting Never will disable log e-mails but will preserve the e-mail server settings. Figure 171: E-mail configuration as a Remote Logging option.
275. ticast packets, this interval sets the maximum time between advertisements from the interface. The actual duration between advertisements is a random value between one third of this field and this field. The default is 30 seconds. RA Flags: The router advertisements (RAs) can be sent with one or both of these flags. Choose Managed to use the administered/stateful protocol for address auto-configuration. If the Other flag is selected, the host uses administered/stateful protocol for non-address auto-configuration. Router Preference: This low/medium/high parameter determines the preference associated with the RADVD process of the router. This is useful if there are other RADVD-enabled devices on the LAN, as it helps avoid conflicts for IPv6 clients. MTU: The router advertisement will set this maximum transmission unit (MTU) value for all nodes in the LAN that are autoconfigured by the router. The default is 1500. Router Lifetime: This value is present in RAs and indicates the usefulness of this router as a default router for the interface. The default is 3600 seconds. Upon expiration of this value, a new RADVD exchange must take place between the host and this router. Figure 7: Configuring the Router Advertisement Daemon.
276. tion. Profile Name: The Access Point profile name you added. Use 0 to 32 characters. Only alphanumeric characters are allowed. No special characters are allowed. Hardware Type: Select the hardware type for the APs that use this profile. The hardware type is determined in part by the number of radios the AP supports (single or dual) and the IEEE 802.11 modes that the radio supports (a/b/g or a/b/g/n). The options available in the Hardware Type ID are: DWL-8600AP Dual Radio a/b/g/n; DWL-3600AP Single Radio b/g/n; DWL-6600AP Dual Radio a/b/g/n. Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network. AP Profile. Advanced > AP Profile. Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users. You can create multiple AP profiles on the Controller to customize APs based on location, function, or other criteria. Profiles are like templates, and once you create an AP profile, you can apply that profile to any AP. Figure 34: AP Profile List.
277. tion of the advertisement content to be displayed. Ad Content: The content of the advertisement in the login page. Font: Font for the information to be displayed. Font Size: Font size for the information to be displayed. Font Color: Color in which the information is to be displayed. Footer Details. Change Footer Content: It allows user to configure the footer portion of the page. Footer Content: It allows user to add the footer content. Footer Font Color: Color in which the footer is to be displayed. Captive Portal Session. Advanced > Captive Portal > Captive Portal Sessions. The Active Runtime internet sessions through the controller firewall are listed in the below table. These users are present in the local or external user database and have had their login credentials approved for internet access. A Disconnect button allows the DWC-1000 admin to selectively drop an authenticated user. Figure 28: Active Runtime sessions. 2.6.3 WLAN CP Interface Association. Advanced > Captive Portal > WLAN CP Interface Association. From the Interface Association page, you can associate a configur
278. tolerance is set to 70. Now every time a new connection is established, the bandwidth increases. After a certain number of connections (say bandwidth reached 70 of 1Kbps), the new connections will be spilled over to secondary Option. The maximum value of load tolerance is 80 and the least is 20. Protocol Bindings: Refer to Section 6.3.3 for details. Load balancing is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower-speed link. Figure 95: Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined. 6.3.3 Protocol Bindings. Advanced > Routing > Protocol Bindings. Protocol bindings are required when the Load Balancing feature is in use. Choosing from a list of configu
279. resource as required. A network resource can be defined by configuring the following in the GUI: Resource Name: A unique identifier name for the resource. Service: The SSL VPN service corresponding to the resource (VPN tunnel, Port Forwarding or All). Figure 147: List of configured resources, which are available to assign to SSL VPN policies. You can configure resources to use when configuring SSL VPN policies. Resources are groups of host names, IP addresses or IP networks. The table lists the resources that have been added and allows several operations on the resources. 9.3 Application Port Forwarding. Setup > VPN Settings > SSL VPN Server > Port Forwarding. Port forwarding allows remote SSL users to access specified network applications or services after they log in to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the controller is detected and re-routed based on configured port forwarding rules. Internal host servers or TCP applications must be specified as being made accessible to remote users. Allowing access to a LAN
280. troller in the cluster. Vendor ID: Vendor ID of the peer controller software. Software Version: The software version for the given peer controller. Protocol Version: Indicates the protocol version supported by the software on the peer controller. Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll. Managed AP Count: Shows the number of APs that the controller currently manages. Age: Time since last communication with the controller, in Hours, Minutes, and Seconds. Figure 63: Peer Controller Status. The Peer Controller Status page provides information about other Unified Wireless Controllers in the network. Peer wireless Controllers within the same cluster exchange data about themselves, their managed APs, and clients. The Controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the Controller loses contact with a peer, all of the data for that peer is deleted.
281. ttings. Available Profiles: Select one of the previously configured bandwidth profiles to associate this traffic selector. Service: Select one of the services from the available services. Traffic Selector Match Type: Choose the method for identifying the host that is controlled by this traffic selector: IP Address, MAC Address, Port Name, VLAN Name, DSCP value, or BSSID. IP Address: Enter IP Address of LAN host if you chose IP as the Match Type. MAC Address: Enter a valid MAC Address if you chose MAC Address as the Match Type. Port Name: Select the LAN port number if you chose Port Name as the Match Type. Available VLANs: Select a VLAN if you chose VLAN Name as the Match Type. DSCP value: Enter a valid DSCP value between 0 and 63 if you chose DSCP as the Match Type. 2.2.5 LAN QoS Configuration. Setup > LAN QoS > LAN QoS Configuration. Enabling QoS on LAN is an advanced configuration which is required only if you expect congestion on the traffic on the LAN ports. This page allows you to enable the configuration and configure each port(s) to trust CoS or DSCP values in the packet. Figure 14: LAN QoS Configuration. LAN Port: This lists out the available LAN ports. Classify Using: This provi
282. ule. Dropped Packets are packets that were intentionally blocked from being transferred through the corresponding network segment. This option is useful when the Default Outbound Policy is Allow Always. Example: If Drop Packets from LAN to Option is enabled and there is a firewall rule to block SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be dropped and a message will be logged. Make sure the log option is set to allow for this firewall rule. Enabling accepted packet logging through the firewall may generate a significant volume of log messages depending on the typical network traffic. This is recommended for debugging purposes only. In addition to network segment logging, unicast and multicast traffic can be logged. Unicast packets have a single destination on the network, whereas broadcast (or multicast) packets are sent to all possible destinations simultaneously. One other useful log control is to log packets that are dropped due to configured bandwidth profiles over a particular interface. This data will indicate to the admin whether the bandwidth profile has to be modified to account for the desired internet traffic of LAN users. Figure 170: Log configuration options for traffic through controller.
283. usually provided by your ISP. Once the new or modified rule parameters are saved, it appears in the master list of firewall rules. To enable or disable a rule, click the checkbox next to the rule in the list of firewall rules and choose Enable or Disable. The controller applies firewall rules in the order listed. As a general rule, you should move the strictest rules (those with the most specific services or addresses) to the top of the list. To reorder rules, click the checkbox next to a rule and click up or down. Figure 108: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30). Figure 109: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed.
284. v6 > 6to4 Tunneling. 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. Select the check box to Enable Automatic Tunneling and allow traffic from an IPv6 LAN to be sent over an IPv4 Option to reach a remote IPv6 network. Figure 102: 6to4 Tunneling. 6.7 IGMP Setup. The following feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Advanced Network > IGMP Setup. Active IGMP snooping is referred to as IGMP proxy. When in use, IGMP packets through the LAN are filtered in order to reduce the amount of multicast traffic in the network. Figure 103: IGMP Setup.
285. ve been added to the Defined Browsers list, upon which group login policies can be defined. Check Box At First Column Header: Selects all the defined browsers in the table. Delete: Deletes the selected browser(s). You can add to the list of Defined Browsers by selecting a client browser from the drop-down menu and clicking Add. This browser will then appear in the above list of Defined Browsers. Click Save Settings to save your changes. Figure 142: IP policies options. Login Policies, Policy by Browsers, Policy by IP are applicable to SSL VPN users only. Advanced > Users > Users. The users page allows adding, editing and deleting existing groups. The users are associated to configured groups. The lists of available users are displayed in the List of Users page with User name, associated group and Login status. Click Add to create a user. Click Edit to update an existing user. Click Delete to clear an existing user. Figure 143: Available Users with login status and associated Group.
286. ver mode, client mode or access server client mode. In access server client mode, the user has to download the auto-login profile from the OpenVPN Access Server and upload the same to connect. Server IP: OpenVPN server IP address to which the client connects (applicable in client mode). VPN Network: Address of the Virtual Network. VPN Netmask: Netmask of the Virtual Network. Port: The port number on which the OpenVPN server (or Access Server) runs. Tunnel Protocol: The protocol used to communicate with the remote host. Ex: TCP, UDP. UDP is the default. Encryption Algorithm: The cipher with which the packets are encrypted. Ex: BF-CBC, AES-128, AES-192 and AES-256. BF-CBC is the default. Hash Algorithm: Message digest algorithm used to authenticate packets. Ex: SHA1, SHA256 and SHA512. SHA1 is the default. Tunnel Type: Select Full Tunnel to redirect all the traffic through the tunnel. Select Split Tunnel to redirect traffic to only specified resources (added from openVpnClient Routes) through the tunnel. Full Tunnel is the default. Enable Client to Client Communication: Enable this to allow OpenVPN clients to communicate with each other in split tunnel case. Disabled by default. Upload Access Server Client Configuration: The user has to download the auto-login profile and upload here to connect this controller to the OpenVPN Access Server. Certificates: Select the set of certificates the OpenVPN server uses. First Row: Set of certifica
287. vers: DNS servers map Internet domain names (example: www.google.com) to IP addresses. Click to indicate whether to get DNS server addresses automatically from your ISP or to use ISP-specified addresses. If it is the latter, enter addresses for the primary and secondary DNS servers. To avoid connectivity problems, ensure that you enter the addresses correctly. DHCP Option: For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host. Figure 88: Manual Option1 configuration. 6.2.4 PPPoE. Setup > Internet Settings > Option1 Settings > Option1 Setup. The PPPoE ISP settings are defined
288. y list and has authenticated or validated the device.
• Discovered Failed: The controller contacted the peer controller or the AP with IP address in the L3 IP Discovery list and was unable to authenticate or validate the device. If the device is an access point, an entry appears in the AP failure list with a failure reason.
Figure 32: Wireless Discovery status. The IP Discovery Status page shows information about communication with the devices in the IP discovery list on the Setup > AP Management > Poll List page.
The following actions are supported from this page:
Refresh: Updates the page with the latest information.
2.8.2 AP Profile Global Configuration
Advanced > AP Profile
From the Access Point Profile Summary page you can Add, Copy, Edit, and Delete AP profiles. To add a new profile, click Add in the AP Profile Summary page. In the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select Hardware type and enter the valid VLAN ID, and then click Submit.
Figure 33: AP Profile Global Configura
289. youts
Figure 151: SSL VPN Portal configuration. This page allows you to add a new portal layout or edit the configuration of an existing portal layout. The details will then be displayed in the List of Portal Layouts table on the SSL VPN Server > Portal Layouts page under the VPN menu.
9.5 Active VPN Tunnels
The following feature is available upon licensed activation of VPN Firewall features for the system.
Status > Active VPNs
You can view and change the status (connect or drop) of the controller's IPsec security associations. Here the active IPsec SAs (security associations) are listed along with the traffic details and tunnel state. The traffic is a cumulative measure of transmitted/received packets since the tunnel was established. If a VPN policy state is "IPsec SA Not Established", it can be enabled by clicking the Connect button of the corresponding policy. The Active IPsec SAs table displays a list of active IPsec SAs. Table