User Manual - D-Link

Contents

1. Firewall Settings (Wireless Controller User Manual). 7.7 Client (Advanced > Client). The Known Client Summary shows the wireless clients currently in the Known Client Database and allows you to add new clients or modify existing clients to the database. MAC Address: Shows the MAC address of the known client. Name: Shows the descriptive name configured for the client when it was added to the Known Client database. Authentication Action: When MAC authentication is enabled on the network, this field shows the action to take on a wireless client. The following options are available. Grant: Allow the client with the specified MAC address to access the network. Deny: Prohibit the client with the specified MAC address from accessing the network. Global Action: Use the global white list or black list action configured on the Advanced Global Configuration page to determine how to handle the client. Figure 126: List of Known Clients. The following actions are supported from this
2. 2.6.3 Captive Portal Session (Setup > Captive Portal > Captive Portal Sessions). The active runtime internet sessions through the controller firewall are listed in the table below. These users are present in the local or external user database and have had their login credentials approved for internet access. A Disconnect button allows the DWC-1000 admin to selectively drop an authenticated user. Figure 31: Active Runtime sessions. 2.6.4 Service Level Agreement (SLA) (Setup > Captive Portal > SLA). This section allows the administrator to modify the Service Level Agreement, which is the set of rules to be accepted before the appliance grants internet access in the case of temporary and SLA-type captive portal users. Figure 32: Defining the Terms of Service for a Portal. 1. Changes: We may occasionally change the Terms, so we encourage you to review the terms periodically
3. Figure 170: SNMP …; Figure 171: Distributed Tunneling; Figure 172: Distributed Tunneling Clients; Figure 173: Peer Controller Configuration Request Status; Figure 174: Peer Controller Configuration; Figure 175: WIDS AP Configuration; Figure 176: WIDS Client Configuration; Figure 177: WDS Group Configuration; Figure 178: WIDS Managed AP Configuration; Figure 179: WDS AP Link Configuration; Figure 180: RADIUS Server Configuration
4. Figure 110: OSPFv3 status (IPv6). Please set IP Mode to IPv4/IPv6 in the Routing Mode page to configure this page. Figure 111: OSPFv2 Configuration. This page allows the user to update the configured OSPFv2 parameters. OSPFv2 Enable: A check box to enable/disable OSPFv2. Interface: The physical network interface on which OSPFv2 is Enabled/Disabled. Area: The area to which the interface belongs. Enter values from 1 to 255. For two routers having a common segment, their interfaces have to belong to the same area on that segment. The interfaces should belong to the same subnet and have a similar mask. Priority: Helps to determine the OSPFv2 designated router for a network. The router with the highest priority will be more eligible to become Designated Router. Setting the value to 0 makes the router ineligible to become Designated Router. The default value is 1. Lower value means higher priority. HelloInterval: The number of seconds for the HelloInterval timer value. When this value is set, a Hello packet will be sent every timer-value seconds on the specified interface. This value must be the same for all routers attached to a common network. The default value is 10 seconds
5. Distributed Tunnel Max Multicast Replications Allowed: Specify the maximum number of tunnels to which a multicast frame is copied on the Home AP. 11.3.1 Distributed Tunneling Status (Status > Dashboard > Distributed Tunneling). This page shows information about all the distributed tunnel clients. Figure 172: Distributed Tunneling Clients. Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels. Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from Home AP using distributed tunneling. Distributed Tunnel Clients: Total number of clients that are associated with an AP that are using distributed tunneling. Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when client roamed. 11.4 Peer Controller Configuration. 11.4.1 Peer Controller Configuration Request Status
6. Figure 64: Detected Clients. MAC Address: The Ethernet MAC address of the client. Client Name: Shows the name of the client, if available, from the Known Client Database. If the client is not in the database, then the field is blank. Client Status: Shows the client status, which can be one of the following. Authenticated: The wireless client is authenticated with the wireless system. Detected: The wireless client is detected by the wireless system but is not a security threat. Black Listed: The client with this MAC address is specifically denied access via MAC Authentication. Rogue: The client is classified as a threat by one of the threat detection algorithms. 4.5.4 Age: Time since any event has been received for this cl
7. 11.7.1 RADIUS Settings (Setup > External Authentications > RADIUS Settings). From the RADIUS Server Configuration page, you can add a new RADIUS server, configure settings for a new or existing RADIUS server, and view RADIUS server status information. Figure 180: RADIUS Server Configuration. This page configures the RADIUS servers to be used for authentication. A RADIUS server maintains a database of user accounts used in larger environments. If a RADIUS server is configured in the LAN, it can be used for authenticating users that want to connect to the wireless network provided by this device. If the first (primary) RADIUS server is not accessible at any time, then the device will attempt to contact the secondary RADIUS server for user authentication. Authentication Server IP Address (Primary): IP address of the primary RADIUS authentication server. Authentication Server IP Address (Secondary): IP address of the secondary RADIUS authentication server. Authentication Port: RADIUS authentication server port to send RADIUS messages. Secret: Secret key that allows the device to log into the configured RADIUS server. It must
8. by default. This zone can be used to host servers and give public access to them. Note: In order to configure a DMZ port, the controller configurable port must be set to DMZ in the Setup > Internet Settings > Configurable Port page. 2.5 Universal Plug and Play (UPnP). Note: The following feature is available upon licensed activation of VPN / Firewall features for the system. Advanced > Advanced Network > UPnP. Universal Plug and Play (UPnP) is a feature that allows the controller to discover devices on the network that can communicate with the controller and allow for auto configuration. If a network device is detected by UPnP, the controller can open internal or external ports for the traffic protocol required by that network device. Once UPnP is enabled, you can configure the controller to detect UPnP-supporting devices on the LAN (or a configured VLAN). If disabled, the controller will not allow for automatic device configuration. Configure the following settings to use UPnP: Advertisement Period
9. Chapter 5. AP Management. The AP Management contains links to the following pages that help you manage and maintain the APs on your DWC-1000 wireless controller network: Valid Access Point Configuration; RF Management; Access Point Software Download; Local OUI Database; AP Provisioning; Manual Management. 5.1 Valid Access Point Configuration (Setup > AP Management > Valid AP). MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs. Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters. AP Mode: You can configure the AP to be in one of three modes. Standalone: The AP acts as an individual access point in the network. Managed: If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled. Rogue: Select Rogue as the AP mode if you wish to be notified through an SNMP trap (if enabled) when this AP is detected in the network. Profile: If you configure multiple AP Profiles, you can select the profile to assign to this AP. Figure 87: Valid Access Point Configuration.
10. Monitoring > Controller Status. Important note. Chapter 2. Configuring Your Network. To enable management access for the browser-based web GUI access or SNMP manager, you must connect the controller to the network. The default IP address/subnet mask of the controller management interface is 192.168.10.1/255.255.255.0, and the DHCP server on the LAN is disabled by default on the controller. You must connect the controller to a 192.168.10.0 network. After you configure network information, such as the IP address and subnet mask, and the controller is physically and logically connected to the network, you can manage and monitor the controller remotely through a Web browser or an SNMP-based network management system. Once the initial setup is complete, the DWC-1000 can be managed through the wired interface connected to the controller. Note: Access the controller's GUI for management by using any web browser, such as Microsoft Internet Explorer or Mozilla Firefox. Go to http://192.168.10.1 (default IP address) to display the controller's management login screen. Default login credentials for the management GUI: Username: admin; Password: admin. Note: If the controller's LAN IP address was changed, use that IP address in the navigation bar of the browser to access the controller's management UI. 2.1 LAN Configuration (Setup > Network Settings > LAN Setup Configuration). By defau
11. This page will guide you through common configuration tasks such as changing the password, timezone and setting up of your internet connection. Internet Connection Setup Wizard: If you would like to utilize our easy to use Web-based Wizards to assist you in connecting your new D-Link Systems Router to the Internet, click on the button below. Note: Before launching these wizards, please make sure you have followed all steps outlined in the Quick Installation Guide included in the package. Manual Internet Connection Options: If you would like to configure the Internet settings of your new D-Link Systems Router manually, then click on the button below. You can start using the Wizard by logging in with the administrator password for the controller. Once authenticated, set the time zone that you are located in, and then choose the type of internet connection: DHCP, Static, PPPoE, PPTP, L2TP. Depending on the connection type, a username/password may be required to register this controller with the ISP. In most cases, the default settings can be used if the ISP did not specify that parameter. The last step in the Wizard is to click the Connect button, which confirms the settings by establishing a link with the ISP. Once connected, you can move on and configure other features in this controller. 6.2 Option Co
12. This page allows user to add/edit VPN (IPsec) policies, which includes Auto and Manual policies. Once the tunnel type and endpoints of the tunnel are defined, you can determine the Phase 1 / Phase 2 negotiation to use for the tunnel. This is covered in the IPsec mode setting, as the policy can be Manual or Auto. For Auto policies, the Internet Key Exchange (IKE) protocol dynamically exchanges keys between two IPsec hosts. The Phase 1 IKE parameters are used to define the tunnel's security association details. The Phase 2 Auto policy parameters cover the security association lifetime and encryption/authentication details of the phase 2 key negotiation. The VPN policy is one half of the IKE/VPN policy pair required to establish an Auto IPsec VPN tunnel. The IP addresses of the machine or machines on the two VPN endpoints are configured here, along with the policy parameters required to secure the tunnel. Figure 141: IPsec policy configuration continued
13. Chapter 8. IPsec / PPTP / L2TP VPN. Note: The following feature is available upon licensed activation of VPN / Firewall features for the system. A VPN provides a secure communication channel (tunnel) between two gateway controllers or a remote PC client. The following types of tunnels can be created. Gateway-to-gateway VPN: to connect two or more controllers to secure traffic between remote sites. Remote Client (client-to-gateway VPN tunnel): A remote client initiates a VPN tunnel, as the IP address of the remote PC client is not known in advance. The gateway in this case acts as a responder. Remote client behind a NAT controller: The client has a dynamic IP address and is behind a NAT controller. The remote PC client at the NAT controller initiates a VPN tunnel, as the IP address of the remote NAT controller is not known in advance. The gateway Option port acts as responder. Figure 137: Example of Gateway-to-Gateway IPsec VPN tunnel using two DWC controllers connected to the Internet.
14. Application Level Gateway allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer control/data protocols such as TFTP, SIP, RTSP, IPsec, PPTP, etc. Each ALG provides special handling for a specific protocol or application. A number of ALGs for common applications are enabled by default. 7.6 VPN Passthrough for Firewall (Advanced > Firewall Settings > VPN Passthrough). This controller's firewall settings can be configured to allow encrypted VPN traffic for IPsec, PPTP, and L2TP VPN tunnel connections between the LAN and internet. A specific firewall rule or service is not appropriate to introduce this passthrough support; instead, the appropriate check boxes in the VPN Passthrough page must be enabled. Figure 125: Passthrough options for VPN tunnels. This page allows user to configure VPN (IPsec, PPTP and L2TP) passthrough on the router. Enabled passthrough checkboxes have higher priority than firewall rules based on the same service.
15. This page allows you to set up your Internet connection. Ensure that you have the Internet connection information, such as the IP Addresses, Account Information, etc. This information is usually provided by your ISP or network administrator. There are a few key elements of a multiple PPPoE connection. Primary and secondary connections are concurrent. Each session has a DNS server source for domain name lookup; this can be assigned by the ISP or configured through the GUI. The DWC-1000 acts as a DNS proxy for LAN users. Only HTTP requests that specifically identify the secondary connection's domain name (for example, flets) will use the secondary profile to access the content available through this secondary PPPoE terminal. All other HTTP/HTTPS requests go through the primary PPPoE connection. When Japanese multiple PPPoE is configured and the secondary connection is up, some predefined routes are added on that interface. These routes are needed to ac
16. version for this controller is available for download and update the Status field below. 12.9 Dynamic DNS Setup (Tools > Dynamic DNS). Dynamic DNS (DDNS) is an Internet service that allows controllers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, D-Link DDNS, or Oray.net. Each configured Option can have a different DDNS service if required. Once configured, the controller will update DDNS services with changes in the Option IP address, so that features that are dependent on accessing the controller Option via FQDN will be directed to the correct IP address. When you set up an account with a DDNS service, the host and domain name, username, password and wildcard support will be provided by the account provider. Figure 199: Dynamic DNS configuration.
17. Advanced > Peer Controller > Configuration Request Status. The Peer Controller Configuration feature allows you to send a variety of configuration information from one controller to all other controllers. In addition to keeping the controllers synchronized, this function allows you to manage all wireless controllers in the cluster from one controller. The Peer Controller Configuration Request Status page provides information about the status of the configuration upgrade on the controllers in the cluster. Figure 173: Peer Controller Configuration Request Status. Configuration Request Status: Indicates the global status for a configuration push operation to one or more peer controllers. The status can be one of the following: Not Started; Receiving Configuration; Saving Configuration; Success; Failure - Invalid Code Version; Failure - Invalid Hardware Version; Failure - Invalid Configuration. Total Count: Indicates the number of peer controllers included at the time a configuration download request is
18. Cluster Controller for generating this trap. RF Scan Traps: If you enable this field, the SNMP agent sends a trap when the RF scan detects a new AP, wireless client, or ad hoc client. Rogue AP Traps: If you enable this field, the SNMP agent sends a trap when the controller discovers a rogue AP. The agent also sends a trap every Rogue Detected Trap Interval seconds if any rogue AP continues to be present in the network. Wireless Status Traps: If you enable this field, the SNMP agent sends a trap if the operational status of the Unified Wireless controller (it need not be Cluster Controller for this trap) changes. It sends a trap if the Channel Algorithm is complete or the Power Algorithm is complete. It also sends a trap if any of the following databases or lists has reached the maximum number of entries: 1. Managed AP database; 2. AP Neighbor List; 3. Client Neighbor List; 4. AP Authentication Failure List; 5. RF Scan AP List; 6. Client Association Database; 7. Ad Hoc Clients List; 8. Detected Clients List. 12.5 Configuring Time Zone and NTP (Tools > Date and Time). You can configure your time zone, whether or not to adjust for Daylight Savings Time, and with which Network Time Protocol (NTP) server to synchronize the date and time. You can choose to set Date and Time manually, which will store the information on the controller real time clock (RTC). If the controller has access t
19. Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined. Check Box at First Column Header: Selects all the defined browsers in the table. Delete: Deletes the selected browser(s). You can add to the list of Defined Browsers by selecting a client browser from the drop-down menu and clicking Add. This browser will then appear in the above list of Defined Browsers. Click Save Settings to save your changes. Figure 154: IP policies options. Note: Login Policies, Policy by Browsers, and Policy by IP are applicable to SSL VPN users only. Advanced > Users > Users. The users page allows adding, editing and deleting existing groups. The users are associated to configured groups. The lists of available users are displayed in the List of Users page with User name, associated group and Login status. Click Add to create a user. Click Edit to update an existing user. Click Delete to clear an existing user. Figure 155: Available Users with login status an
20. Password: Text field and cannot be NULL. Example: 1. The following Groups have already been created in the GUI: a. l2tp with L2TP VPN capability; b. pptp with PPTP VPN capability; c. cp with Captive Portal capability. 2. Here is a compatible CSV file: [CSV example illegible in source]. 9.2 Using SSL VPN Policies (Setup > VPN Settings > SSL VPN Server > SSL VPN Policies). SSL VPN Policies can be created on a Global, Group, or User level. User-level policies take precedence over Group-level policies, and Group-level policies take precedence over Global policies. These policies can be applied to a specific network resource, IP address or ranges on the LAN, or to different SSL VPN services supported by the controller. The List of Available Policies can be filtered based on whether it applies to a user, group, or all users (global). Note: A more specific policy takes precedence over a generic policy when both are applied to the same user/group/global domain, i.e. a policy for a specific IP address takes precedence over a policy for a range of addresses containing the IP address already referenced. Figure 158: List of SSL VPN policies (Global filter).
21. The de-authentication attack feature must be globally enabled in order for the wireless system to do this function. Make sure that no legitimate APs are classified as rogues before enabling the attack feature. This feature is disabled by default. Figure 175: WIDS AP Configuration. The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity. Since some of the work is done by access points, the controller needs to send messages to the APs to modify its WIDS operational properties. Tests legible in the figure include: Administrator configured rogue AP; Managed SSID from an unknown AP; AP without an SSID; Managed SSID detected with incorrect security; Invalid SSID from a managed AP; Standalone AP with unexpected configuration; Unexpected WDS device detected. 11.5.2 WIDS Client Configuration (Advanced > WIDS Security > Client). The settings you configure on the WIDS Client Configuration page help de
22. This is the frequency at which the controller broadcasts UPnP information over the network. A large value will minimize network traffic but cause delays in identifying new UPnP devices to the network. Advertisement Time to Live: This is expressed in hops for each UPnP packet. This is the number of steps a packet is allowed to propagate before being discarded. Small values will limit the UPnP broadcast range. A default of 4 is typical for networks with few controllers. Figure 26: UPnP Configuration. UPnP Port map Table: The UPnP Port map Table has the details of UPnP devices that respond to the controller advertisements. The following information is displayed for each detected device. Active: A yes/no indicating whether the port of the UPnP device that established a connection is currently active. Protocol: The network p
23. This page shows information about all the clients which are connected through our managed AP. Figure 79: Client Statistics. 802.11 Clients Data. 802.11a Clients: Total number of IEEE 802.11a only clients that are authenticated. 802.11b/g Clients: Total number of IEEE 802.11b/g only clients that are authenticated. 802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n. Clients Data. Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status. Authenticated Clients: Total number
24. 10.2 USB Share Port (Setup > USB Settings > USB Status). The DWC-1000 Wireless controller has a USB interface for printer access; this page allows you to enable USB device support for both interfaces, USB1 and USB2. It also allows you to enable printer access from a particular VLAN. Figure 166: USB Share Port. 10.3 Authentication Certificates (Advanced > Certificates). This gateway uses digital certificates for IPsec VPN authentication as well as SSL validation (for HTTPS and SSL VPN authentication). You can obtain a digital certificate from a well-known Certificate Authority (CA) such as VeriSign, or generate and sign your own certificate using functionality available on this gateway. The gateway comes with a self-signed certificate, and this can be replaced by one signed by a CA as per your networking requirements. A CA certificate provides strong assurance of the server's identity and is a requirement
25. VLAN Configuration. As part of VLAN configuration, the user can enable specific features for clients within that network. Inter-VLAN routing allows clients with that VLAN ID to communicate with clients in different VLANs, as long as the other VLAN also has inter-VLAN routing enabled. Without this option, VLAN clients are isolated and cannot communicate with each other. Another feature that can be enabled and configured on a per-VLAN basis is the captive portal. While the captive portal profiles and display are defined in the Setup > Captive Portal section, this configuration page allows the admin to add Captive Portal support for that VLAN by choosing a Captive Portal type. Figure 21: VLAN Configuration Options.
26. Figure 148: Example of clientless SSL VPN connections to the DWC-1000. 9.1 Groups and Users. Advanced > Users > Groups. The group page allows creating, editing, and deleting groups. The groups are associated with a set of user types. The list of available groups is displayed in the List of Groups page with the group name and description of the group. Click Add to create a group. Click Edit to update an existing group. Click Delete to clear an existing group. Figure 149: List of Groups. The Group configuration page allows you to create a group with different types of users. The user types are as follows: PPTP User: These are PPTP VPN tunnel LAN users that can establish a tunnel with the PPTP server on the Option. L2TP User: These are L2TP VPN tunnel LAN users that can establish a tunnel with the L2TP server o
27. click Browse, then locate the file on the host. After clicking Restore, the controller begins importing the file's saved configuration settings. After the restore, the controller reboots automatically with the restored settings. 3. To erase your current settings and revert to factory default settings, click the Default button. The controller will then restore configuration settings to factory defaults and will reboot automatically. (See Appendix B for the factory default parameters for the controller.) Figure 197: Restoring configuration from a saved file will result in the current configuration being overwritten. 12.8 Upgrading Wireless Controller Firmware. Tools > Firmware. You can upgrade to a newer software version from the Administration web page. In the Firmware Upgrade section, to upgrade your firmware, click Browse, locate and select the firmware image on your host, and click Upgrade. After the new firmware image is validated, the new ima
28. database of the controller. The following actions are supported from this page: Edit: To edit the existing AP profile. Delete: To delete the existing AP profile. Add: Add a new AP profile. Copy: Copy the existing AP profile. Apply: Update the AP profile configuration details entered. Configure Radio: Allows configuration of the AP profile Radio configuration. Configure SSID: Allows configuration of the AP profile VAP configuration. Configure QoS: Allows configuration of the AP profile QoS configuration. Radio Configuration. Radio Mode: From this field, you can select the radio that you want to configure. By default, Radio 1 operates in IEEE 802.11a/n mode, and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 802.11a/n are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available. State: Specify whether you want the radio on or off by clicking On or Off. If you turn off a radio, the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shut down and the clients can start the association process with other available APs. Radio Scheduler: If you have conf
29. > SSL VPN Client > SSL VPN Client. An SSL VPN tunnel client provides a point-to-point connection between the browser-side machine and this controller. When an SSL VPN client is launched from the user portal, a network adapter with an IP address from the corporate subnet, DNS and WINS settings is automatically created. This allows local applications to access services on the private network without any special network configuration on the remote SSL VPN client machine. It is important to ensure that the virtual (PPP) interface address of the VPN tunnel client does not conflict with physical devices on the LAN. The IP address range for the SSL VPN virtual network adapter should be either in a different subnet from the corporate LAN or in a range that does not overlap with it. Note: The IP addresses of the client's network interfaces (Ethernet, Wireless, etc.) cannot be identical to the controller's IP address or a server on the corporate LAN that is being accessed through the SSL VPN tunnel. Figure 162: SSL VPN client adapter and access configuration.
30. or Unknown AP and wireless distribution system (WDS) traffic is detected on the AP, then the AP is considered to be Rogue. Only stand-alone APs that are explicitly allowed to operate in WDS mode are not reported as rogues by this test. Unmanaged AP detected on wired network: This test checks whether the AP is detected on the wired network. If the AP state is Unknown, then the test changes the AP state to Rogue. The flag indicating whether the AP is detected on the wired network is reported as part of the RF Scan report. If the AP is managed and is detected on the network, then the controller simply reports this fact and doesn't change the AP state to Rogue. In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode. Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent. Wired Network Detection Interval: Specify the number of seconds that the AP waits before starting a new wired network detection cycle. If you set the value to 0, wired network detection is disabled. AP De-Authentication Attack: Enable or disable the AP de-authentication attack. The wireless controller can protect against rogue APs by sending de-authentication messages to the rogue AP
31. the server's authentication requirements. The controller supports Login Plain (no encryption) or CRAM-MD5 (encrypted) for the username and password data to be sent to the SMTP server. Authentication can be disabled if the server does not have this requirement. In some cases the SMTP server may send out IDENT requests, and this controller can have this response option enabled as needed. Once the e-mail server and recipient details are defined, you can determine when the controller should send out logs. E-mail logs can be sent out based on a defined schedule by first choosing the unit (i.e. the frequency) of sending logs: Hourly, Daily, or Weekly. Selecting Never will disable log e-mails but will preserve the e-mail server settings. Figure 193: E-mail configuration as a Remote Logging option. An external Syslog server is often used by network administrator to collect and stor
32. viewing questionable online material, or libraries and small businesses like coffee stores that want to limit customers from accessing certain sites on their network. You can filter up to 32 categories of websites in total, such as pornography, gambling, online shopping, and many others. You can easily block or unblock these categories in just a few clicks. The dynamic WCF also has a logging feature. Whenever a user tries to access a website that is blocked, or the time stamp of login/logout, the corresponding event will be logged. 1.1 About this User Manual. This document is a high-level manual to allow new D-Link Wireless Controller users to configure connectivity, WLAN configuration, set up VPN tunnels, establish firewall rules and AP management, and perform general administrative tasks. Typical deployment and use case scenarios are described in each section. For more detailed setup instructions and explanations of each configuration parameter, refer to the online help that can be accessed from each page in the controller GUI. Note: For this user manual, all screenshots are taken with an activated VPN license which enables VPN Firewall features. 1.2 Typographical Conventions. The following is a list of the various terms, followed by an example of how that term is represented in this document: Product Name: D-Link Wireless Controller (Model number: DWC-1000). GUI Menu Path / GUI Navigation
33. 4.7 Global Info. 4.7.1 Global Status. Status > Global Info > Global Status. The DWC-1000 controller periodically collects information from the APs it manages and from associated peer controllers. The information on the Global page shows status and statistics about the controller and all of the objects associated with it. Figure 71: Global Status (Part 1).
34. List of IP Aliases. Interface Name: The interface on which the Alias was configured. IP Address: The IP Address of the configured IP Alias. Subnet Mask: The Subnet Mask of the configured IP Alias. The following actions are supported from this page: Edit: Opens the IP Alias configuration page to edit the selected IP Alias. Add: Opens the IP Alias configuration page to add a new IP Alias. Delete: Deletes the selected IP Aliases. Chapter 7. Securing the Private Network. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. You can secure your network by creating and applying rules that your controller uses to selectively block and allow inbound and outbound Internet traffic. You then specify how and to whom the rules apply. To do so, you must define the following: Services or traffic types (examples: web browsing, VoIP, other standard services and also custom services that you define). Direction for the traffic, by specifying the source and destination of traffic; this is done by specifying the "From Zone" (LAN / Option / DMZ) and "To Zone" (LAN / Option / DMZ). Schedules as to when the controller should apply rules. Any keywords (in a domain name or on a URL of a web page) that the controller should allow or block. Rules for allowin
35. 4 Local OUI Database Summary; 5.5 AP Provisioning Summary; 5.6 Manual Management; Connecting to the Internet: Option Setup; 6.1 Internet Connection Setup Wizard; 6.2 Option Configuration; 6.2.1 Option Port IP address; 6.2.2 Option DNS Servers; 6.2.3 DHCP Option; (one entry illegible); 6.2.5 Russia L2TP and PPTP Option; 6.2.6 Option Configuration in an IPv6 Network; 6.2.7 Checking Option Status; 6.3 Features with Multiple Option Links; 6.3.1 Auto Failover; 6.3.2 Load Balancing; 6.3.3 Protocol Bindings; 6.4 Routing Configuration
36. Protection: The protection feature contains rules to guarantee that 802.11 transmissions do not cause interference with legacy stations or applications. By default, these protection mechanisms are enabled (Auto). With protection enabled, protection mechanisms will be invoked if legacy devices are within range of the AP. You can disable (Off) these protection mechanisms; however, when 802.11n protection is off, legacy clients or APs within range can be affected by 802.11n transmissions. 802.11 protection is also available when the mode is 802.11b/g. When protection is enabled in this mode, it protects 802.11b clients and APs from 802.11g transmissions. Short Guard Interval: The guard interval is the dead time, in nanoseconds, between OFDM symbols. The guard interval prevents Inter-Symbol and Inter-Carrier Interference (ISI, ICI). The 802.11n mode allows for a reduction in this guard interval from the a and g definition of 800 nanoseconds to 400 nanoseconds. Reducing the guard interval can yield a 10% improvement in data throughput. Select one of the following options: Enable: The AP transmits data using a 400 ns guard interval when communicating with clien
37. AP. SSID: The network on which the client is connected. BSSID: The Ethernet MAC address for the managed AP VAP where this client is associated. Detected IP Address: Identifies the IPv4 address of the client, if available. Figure 80: Associated Client Status. The following actions are supported from this page: Disassociate: Disassociates the selected client from the managed AP. View Details: Display associated client details. View AP Details: Display associated AP details. View SSID Details: Lists the SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access. View VAP Details: Shows information about the VAPs on the managed AP that have associated wireless clients. View Neighbor AP Status: Shows information about access points that the client detects. 4.8.3 Associated Client S
38. APs operate. Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range. RF Management: RF Configuration. Setup > AP Management > RF Management > RF Configuration. The radio frequency (RF) broadcast channel defines the portion of the radio spectrum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point. The controller contains a channel plan algorithm that automatically determines which RF channels each AP should use to minimize RF interference. When you enable the channel plan algorithm, the controller periodically evaluates the operational channel on every AP it manages and changes the channel if the current channel is noisy. Channel Plan: Each AP is dual-band capable of operating in the 2.4 GHz and 5 GHz frequencies. The 802.11a/n and 802.11b/g/n modes use different channel plans. Before you configure channel plan settings, select the mode to configure. Channel Plan Mode: This field indicates the channel assignment mode. The mode of channel plan assignment can be one of the following: Fixed Time: If you
39. Global: Enable this field to include the basic and advanced global settings in the configuration that the controller pushes to its peers. The configuration does not include the controller IP address, since that is a unique setting. Discovery: Enable this field to include the L2 and L3 discovery information, including the VLAN list and IP list, in the configuration that the controller pushes to its peers. Channel/Power: Enable this field to include the RF management information in the configuration that the controller pushes to its peers. AP Database: Enable this field to include the AP Database in the configuration that the controller pushes to its peers. AP Profiles: Enable this field to include all AP profiles in the configuration that the controller pushes to its peers. The AP profile includes the global AP settings (such as the hardware type), Radio settings, VAP and Wireless Network settings, and QoS settings. Known Client: Enable this field to include the Known Client Database in the configuration that the controller pushes to its peers. Captive Portal: Enable this field to include Captive Portal information in the configuration that the controller pushes to its peers. RADIUS Client: Enable this field to include the Client RADIUS information in the configuration that the controll
40. Configuration Received Status page provides information about the configuration a controller has received from one of its peers. Current Receive Status: Indicates the global status when wireless configuration is received from a peer controller. The possible status values are as follows: Not Started; Receiving Configuration; Saving Configuration; Applying AP Profile Configuration; Success; Failure - Invalid Code Version; Failure - Invalid Hardware Version; Failure - Invalid Configuration. Last Configuration Received: Peer controller IP Address indicates the last controller from which this controller received any wireless configuration data. Configuration: Indicates which portions of configuration were last received from a peer controller, which can be one or more of the following: Global; Discovery; Channel/Power; AP Database; AP Profiles; Known Client; Captive Portal; RADIUS Client; QoS ACL; QoS DiffServ. If the controller has not received any configuration for another controller, the value is None. Timestamp: Indicates the last time this controller received any configuration data from a peer controller. The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP inform
41. DeadInterval: The number of seconds that a device's hello packets must not have been seen before its neighbors declare the OSPF router down. This value must be the same for all routers attached to a common network. The default value is 40 seconds. OSPF requires these intervals to be exactly the same between two neighbors. If any of these intervals are different, these routers will not become neighbors on a particular segment. Cost: The cost of sending a packet on an OSPFv2 interface. Authentication Type: This column displays the type of authentication to be used for OSPFv2. If Authentication Type is none, the interface does not authenticate OSPF packets. If Authentication Type is Simple, then OSPF packets are authenticated using a simple text key. If Authentication Type is MD5, then the interface authenticates OSPF packets with MD5 authentication. Authentication Key: Assign a specific password to be used by neighboring OSPF routers on a network segment that is using Authentication. Routers in the same area that want to participate in the routing domain will have to be configured with the same key. Md5 Key Id: Input the unique MD5 key ID to be used by neighboring OSPF routers on a network segment that is using Authentication Type as MD5. Md5 Authentication Key: Input the authentication key for this MD5 key to be used by neighboring OSPF routers on a network segment that is using Authentication Type as MD5. 6.6 6to4 Tunneling. Advanced > IPv6
42. 7.3.1 Firewall Rule Configuration Examples. Example 1: Allow inbound HTTP traffic to the DMZ. Situation: You host a public web server on your local DMZ network. You want to allow inbound HTTP requests from any outside IP address to the IP address of your web server at any time of day. Solution: Create an inbound rule as follows: Insecure (Option1 / Option2); Send to Local Server (DNAT IP): 192.168.5.2 (web server IP address); Destination Users. Example 2: Allow videoconferencing from range of outside IP addresses. Situation: You want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses (132.177.88.2 - 132.177.88.254), from a branch office. Solution: Create an inbound rule as follows. In the example, CUSeeMe (the video conference service used) connections are allowed only from a specified range of external IP addresses: Send to Local Server (DNAT IP); Enable Port Forwarding: Yes (enabled). Example 3: Multi-NAT configuration. Situation: You want to configure multi-NAT to support multiple public IP addresses on one Option port interface. Solution: Create an inbound rule that configures the firewall to host an additional public IP ad
43. Associated Clients Statistics. The following actions are supported from this page: Refresh: Updates the page with the latest information. View Details: Shows detailed status of the associated client. 4.3.3 WLAN Associated Clients. Status > Traffic Monitor > Associated Clients Statistics > WLAN Associated Clients. The wireless client can roam among APs without interruption in WLAN service. The controller tracks the traffic the client sends and receives during the entire wireless session while the client roams among APs that the controller manages. The controller stores statistics about client traffic while it is associated with a single AP as well as throughout the roaming session. MAC Address: This field shows the MAC address of the client station. Packet Transmitted: This field shows the packet transmitted to the client station. Packet Received: This field shows the packet received to the client station. Bytes Transmitted: This field shows the bytes transmitted to the client station. Bytes Received: This field shows the bytes received to the client
44. 7.3 Configuring Firewall Rules. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Firewall Settings > Firewall Rules. All configured firewall rules on the controller are displayed in the Firewall Rules list. This list also indicates whether the rule is enabled (active) or not, and gives a summary of the From/To zone as well as the services or users that the rule affects. To create a new firewall rule, follow the steps below: 1. View the existing rules in the List of Available Firewall Rules table. 2. To edit or add an outbound or inbound services rule, do the following: a. To edit a rule, click the checkbox next to the rule and click Edit to reach that rule's configuration page. To add a new rule, click Add to be taken to a new rule's configuration page. Once created, the new rule is automatically added to the original table. 3. Choose the From Zone to be the source of originating traffic: either the secure LAN, public DMZ, or insecure Option. For an inbound rule, Option should be selected as the From Zone. 4. Choose the To Zone to be the destination of traffic covered by this rule. If the From Zone is the Option, the To Zone can be the public DMZ or secure LAN. Similarly, if the From Zone is the LAN, then the To Zone can be the public DMZ or insecure Option. 5. Parameters that define the firewall
45. Figure 138: Example of three IPsec client connections to the internal network through the DWC IPsec gateway. 8.1 VPN Wizard. Setup > Wizard > VPN Wizard. You can use the VPN wizard to quickly create both IKE and VPN policies. Once the IKE or VPN policy is created, you can modify it as required. Figure 139: VPN Wizard launch screen.
46. Load Balancing feature is in use. Choosing from a list of configured services or any of the user-defined services, the type of traffic can be assigned to go over only one of the available Option ports. For increased flexibility, the source network or machines can be specified as well as the destination network or machines. For example, the VOIP traffic for a set of LAN IP addresses can be assigned to one Option, and any VOIP traffic from the remaining IP addresses can be assigned to the other Option link. Protocol bindings are only applicable when load balancing mode is enabled and more than one Option is configured. Figure 106: Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network. Service: Select one of the various services available for protocol binding. Local Gateway: Select the port that sets the local gateway for this protocol binding (either Option1 or Option2). Source Network: Select one of the following: Any: No specific network needs to be given. Single Address: Limit to one computer. Requires the IP address of the computer that will be
47. MAC Binding. 7.10.4 Export Web Filter. Advanced > Website Filter > Export. Export Approved URLs: This feature enables the user to export the URLs to be allowed to a CSV file, which can then be downloaded to the local host. The user has to click the Export button to get the CSV file. Export Blocked Keywords: This feature enables the user to export the keywords to be blocked to a CSV file, which can then be downloaded to the local host. The user has to click the Export button to get the CSV file. Figure 132: Export Approved URL list. 7.11 Content Keeper Support (Web Content Filtering). Web Content Filtering (WCF) is branded as Content Keeper. It monitors, manages, and controls all web traffic and fully examines new and/or unknown sites in real time as the data passes through the appliance. It manages and controls downloads and desktop access to web content. Content Keeper has support for content list blocking and category filtering (considered Dynamic WCF). Syslog support for Content Keeper permits the appliance to continuously off-load log files as the data is accumulated rather than tying up the user's network with one huge daily
48. 11.7.2 NT Domain Settings; 11.7.3 LDAP Settings; 11.7.4 Active Directory Settings; 11.7.5 POP3 Settings; Chapter 12. Administration & Management; 12.1 Remote Management; (one entry illegible); 12.3 SNMP Configuration; 12.4 SNMP Traps; 12.5 Configuring Time Zone and NTP; 12.6 Log Configuration; 12.6.1 Defining What to Log; 12.6.2 Sending Logs to E-mail or Syslog; 12.6.3 Event Log Viewer in GUI; 12.7 Backing up and Restoring Configuration Settings; 12.8 Upgrading Wireless Controller Firmware; 12.9 Dynamic DNS Setup; Chapter 13; Appendix A; Appendix B; Appendix C; Appendix D
49. Scan is one of the managed networks and its configured security does not match the detected security, then this test marks the AP as rogue. Invalid SSID from a managed AP: This test checks whether a known managed AP is sending an unexpected SSID. The SSID reported in the RF Scan is compared to the list of all configured SSIDs that are used by the profile assigned to the managed AP. If the detected SSID doesn't match any configured SSID, then the AP is marked as rogue. AP is operating on an illegal channel: The purpose of this test is to detect hackers or incorrectly configured devices that are operating on channels that are not legal in the country where the wireless system is set up. Note: In order for the wireless system to detect this threat, the wireless network must contain one or more radios that operate in sentry mode. Standalone AP with unexpected configuration: If the AP is classified as a known standalone AP, then the controller checks whether the AP is operating with the expected configuration parameters. You configure the expected parameters for the standalone AP in the local or RADIUS Valid AP database. This test may detect network misconfiguration as well as potential intrusion attempts. The following parameters are checked: Channel Number, SSID, Security Mode, WDS Mode, and Presence on a wired network. Unexpected WDS device detected on network: If the AP is classified as a Managed
50. Service Set Identifier (SSID). Figure 44: AP Profile SSID configuration. This page displays the virtual access point (VAP) settings associated with the selected AP profile. Each VAP is identified by its network number and Service Set Identifier (SSID). The VAP table in the figure has the columns Network, VLAN, Hide SSID, Security and Redirect. Radio Mode: From this field you can select the radio that you want to configure. By default, Radio 1 operates in IEEE 802.11a/n mode and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a s
51. The Access Point Status page shows summary information about managed, failed, and rogue access points the controller has discovered or detected. Screenshot fields: Standalone Access Points, Rogue Access Points, Authentication Failed Access Points, Unknown Access Points, Rogue AP Mitigation Limit (16), Rogue AP Mitigation Count, Maximum Managed APs in Peer Group (96), WLAN Utilization, and a Total Access Points Utilization pie chart. Total Access Points Utilization. Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points, and Discovered Access Points. Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller. Discovered Access Points: APs that have a connection with the controller but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status. Connection Failed Access Points: Number of APs that were previously authenticated and managed but currently don't have a connection with the controller. Access Points Utilization. Standalone Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller. Rogue Access Point
52. When this is enabled, the controller then acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. When disabled, all DHCP clients receive the DNS IP addresses of the ISP. To configure LAN connectivity, follow the steps below. 1. In the LAN Setup page, enter the following information for your controller. IP address (factory default: 192.168.10.1). Note: If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the controller) has obtained an IP address from the newly assigned pool or has a static IP address in the controller's LAN subnet before accessing the controller via the changed IP address. Subnet mask (factory default: 255.255.255.0). 2. In the DHCP section, select the DHCP mode. None: The controller's DHCP server is disabled for the LAN. DHCP Server: With this option the controller assigns an IP address within the specified range, plus additional specified information, to any LAN device that requests DHCP-served addresses. If DHCP is being enabled, enter the following DHCP server parameters. DHCP Relay: With this option enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed a
53. DHCPv6. As with an IPv4 LAN network, the router has a DHCPv6 server. If enabled, the router assigns an IP address within the specified range, plus additional specified information, to any LAN PC that requests DHCP-served addresses. The following settings are used to configure the DHCPv6 server. DHCP Status: This allows you to enable or disable the DHCPv6 server. DHCP Mode: The IPv6 DHCP server is either stateless or stateful. If stateless is selected, an external IPv6 DHCP server is not required, as the IPv6 LAN hosts are auto-configured by this controller. In this case the controller advertisement daemon (RADVD) must be configured on this device, and ICMPv6 controller discovery messages are used by the host for auto-configuration. There are no managed addresses to serve the LAN nodes. If stateful is selected, the IPv6 LAN host will rely on an external DHCPv6 server to provide required configuration settings. The Domain Name of the DHCPv6 server is an optional setting. Server Preference: To indicate the preference level of this DHCP server. DHCP advertise messages with the highest server preference value to a LAN host are preferred over other DHCP server advertise messages. The default is 255. DNS servers: The details can be manually entered here (primary/secondary options). An alternative is to allow the LAN DHCP client to receive the DNS server details from the ISP directly. By selecting Use DNS Proxy, this router acts as a
54. a feature to allow for recovering from a corrupted firmware upgrade event. In rare occurrences the firmware upgrade operation can fail and render the web UI inaccessible. To recover, follow these instructions. 1. Connect your LAN host that has a verified firmware image located on it to the LAN of the DWC-1000. The host's IP address should be in the 192.168.1.x subnet. 2. You can force the controller into Recovery Mode by: a. Turning on power and pushing the Reset button. The system LED will flash 5 times and the system will be in recovery mode. b. If during upgrade the firmware checksum integrity check fails, the system will reboot and the system LED will flash 5 times. This indicates that recovery mode has been entered. 3. The DWC-1000 LAN IP address is 192.168.1.1; open this address with any browser. 4. Select the firmware image on your host. These screens will allow you to upload the full DWC-1000 firmware image to restore full system functionality prior to the upgrade issue. The following screenshots demonstrate the expected display when the system is in recovery mode. Recovery Mode launch: the DWC-1000 Web Recovery Mode screen, with a Firmware Image field and a Browse button. WARNING: Do NOT power off the device during the firmware upgrade process. After upgrading, it will restore the system to factory default settings; the default IP address will be 192.168.10.1. Selecting DWC-1000 firmware on host.
55. a profile. This is a link to create a new Captive Portal Login profile. Upon clicking the link, the admin will be taken to the configuration page to create a new login profile and configure the VLAN with that profile. Associating VLANs to ports: In order to tag all traffic through a specific LAN port with a VLAN ID, you can associate a VLAN to a physical port. Setup > VLAN Settings > Port VLAN. VLAN membership properties for the LAN and wireless LAN are listed on this page. The VLAN Port table displays the port identifier, the mode setting for that port, and VLAN membership information. The configuration page is accessed by selecting one of the four physical ports or a configured access point and clicking Edit. The edit page offers the following configuration options. Mode: The mode of this VLAN can be General, Access, or Trunk. The default is Access. In General mode, the port is a member of a user-selectable set of VLANs. The port sends and receives data that is tagged or untagged with a VLAN ID. If the data into the port is untagged, it is assigned the defined PVID. In the configuration from Figure 6, Port 3 is a General port with PVID 3, so untagged data into Port 3 will be assigned PVID 3. All tagged data sent out of the port with the same PVID will be untagged. This mode is typically used with IP phones that have dual Ethernet ports. Data coming from phone to the controller port o
56. a unique name to identify the resource and assigning it to one or all of the supported SSL services. Once this is done, editing one of the created network resources allows you to configure the object type (either IP address or IP range) associated with the service. The Network Address, Mask Length, and Port Range/Port Number can all be defined for this resource as required. A network resource can be defined by configuring the following in the GUI. Resource Name: A unique identifier name for the resource. Service: The SSL VPN service corresponding to the resource (VPN tunnel, Port Forwarding, or All). Figure 160: List of configured resources which are available to assign to SSL VPN policies. You can configure resources to use when configuring SSL VPN policies. Resources are groups of host names, IP addresses or IP networks. The table lists the resources that have been added and allows several operations on the resources. 9.3 Application Port Forwarding. Setup > VPN Settings > SSL VPN Server > Port Forwarding. Port forwarding allows remote SSL users to access specified network applications or servi
57. broadcast far enough to reach wireless clients, but not so far that it interferes with RF signals broadcast by other APs. The power level algorithm increases or decreases the power level in 10% increments based on presence or absence of packet retransmission errors. Initial Power: The automatic power algorithm will not reduce the power below the number you set in the initial power field. By default, the power level is 100%. Therefore, even if you enable the automatic power, the power of the RF signal will not decrease. The power level is a percentage of the maximum transmission power for the RF signal. APSD Mode: Select Enable to enable Automatic Power Save Delivery (APSD), which is a power management method. APSD is recommended if VoIP phones access the network through the AP. RF Scan Interval: This field controls the length of time between channel changes during the RF Scan. Long Retries: The value in this field indicates the maximum number of transmission attempts on frame sizes greater than the RTS Threshold. The range is 1-255. Rate Limiting: Enabling multicast and broadcast rate limiting can improve overall network performance by limiting the number of packets transmitted across the network. This feature is disabled by default. Note: The available rate limit values are very low for most environments, so enabling this feature is not recommended except for advanced users. To
58. client, if available, from the Known Client Database. If the client is not in the database, then the field is blank. Client Status: Shows the client status, which can be one of the following. Authenticated: The wireless client is authenticated with the wireless system. Detected: The wireless client is detected by the wireless system but is not a security threat. Black Listed: The client with this MAC address is specifically denied access via MAC Authentication. Rogue: The client is classified as a threat by one of the threat detection algorithms. Age: Time since any event has been received for this client that updated the detected client database entry. Create Time: Time since this entry was first added to the detected client's database. Figure 84: Detected Client Status. The List of Detected Clients table has the columns MAC Address, Client Name, Client Status, Age and Create Time.
59. client and the VPN server. 8.4.1 PPTP Tunnel Support. Setup > VPN Settings > PPTP > PPTP Client. A PPTP VPN client can be configured on this controller. Using this client, we can access a remote network which is local to the PPTP server. Once the client is enabled, the user can access the Status > Active VPNs page and establish a PPTP VPN tunnel by clicking Connect. To disconnect the tunnel, click Drop. Figure 143: PPTP tunnel configuration (PPTP Client). This page allows the user to configure the PPTP VPN Client. The PPTP Client Configuration fields shown include Enable PPTP Client, Remote Network, Remote Netmask, Username, Password, MPPE Encryption and Idle Time Out. Figure 144: PPTP VPN connection status. Setup > VPN Settings > PPTP > PPTP Server. A PPTP VPN can be established through this controller. Once enabled, a PPTP server is available on the controller for LAN and Option PPTP client users to access. Once the PPTP server is enabled, PPTP clients that are within the
60. configure in the timeout field, the entry is deleted. Tunnel IP MTU Size: Select the maximum size of an IP packet handled by the network. The MTU is enforced only on tunneled VAPs. When IP packets are tunneled between the APs and the Unified Wireless controller, the packet size is increased by 20 bytes during transit. This means that clients configured for 1500-byte IP MTU size may exceed the maximum MTU size of existing network infrastructure, which is set up to controller and route 1518/1522 (tagged) byte frames. If you increase the tunnel IP MTU size, you must also increase the physical MTU of the ports on which the traffic flows. Note: If any of the following conditions are true, you do not need to increase the tunnel IP MTU size. The wireless network does not use L3 tunneling. The tunneling mode is used only for voice traffic, which typically has small packets. The tunneling mode is used only for TCP-based protocols, such as HTTP. This is because the AP automatically reduces the maximum segment size for all TCP connections to fit within the tunnel. Cluster Priority: Specify the priority of this controller for the Cluster Controller election. The controller with the highest priority in a cluster becomes the Cluster Controller. If the priority is the same for all controllers, then the controller with the lowest IP address becomes the Cluster Controller. A priority of 0 means that the controller cannot become th
61. determines the initial random backoff wait time (window) for data transmission during a period of contention for The value specified in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window. cwMax (Maximum Contention Window): The value specified in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continue until a maximum number of retries allowed is reached. TXOP Limit (Station EDCA Parameter Only): The TXOP Limit applies only to traffic flowing from the client station to the access point. The Transmission Opportunity (TXOP) is an interval of time when a WME client station has the right to initiate transmissions onto the wireless medium (WM). This value specifies (in milliseconds) the Transmission Opportunity (TXOP) for
62. displays the list of DHCPv6 clients connected to the LAN DHCPv6 Server and to whom the DHCPv6 Server has given leases. The DHCPv6 Leased Clients (LAN) table has the columns IP Address, DUID and IAID. IP Addresses: This is the DHCP server IP address. DUID: Each DHCP client and server has a DUID. DHCP servers use DUIDs to identify clients for the selection of configuration parameters and in the association of IAs with clients. DHCP clients use DUIDs to identify a server in messages where a server needs to be identified. IAID: An identifier for an IA, chosen by the client. Each IA has an IAID, which is chosen to be unique among all IAIDs for IAs belonging to that client. This is the DHCP server IP address. 2.1.6 Configuring IPv6 Router Advertisements. Router Advertisements are analogous to IPv4 DHCP assignments for LAN clients, in that the router will assign an IP address and supporting network information to devices that are configured to accept such details. Router Advertisement is required in an IPv6 network for stateless auto-configuration of the IPv6 LAN. By configuring the Router Advertisement Daemon on this router, the DWC-1000 will listen on the LAN for router solicitations and respond to these LAN hosts with router advertisements. RADVD: Advanced > IPv6 > IPv6 LAN > Router Advertisement. To suppor
63. displays to indicate proposed power adjustments. Each entry shows the AP along with the current and new power levels. Apply In Progress: The controller is adjusting the power levels that the APs use. Apply Complete: The algorithm and power adjustment are complete. AP MAC Address: Identifies the AP MAC address. Location: Identifies the location of the AP, which is set in the Valid AP database. Radio Interface: Identifies the radio. Old Power: Shows the earlier power level for the AP. New Power: Shows the proposed power level for the AP. The following actions are supported from this page. Start: To initiate the power adjustment algorithm. Figure 92: Manual Power Adjustment Plan. The Proposed Power Adjustments table has the columns AP MAC Address, Location, Radio Interface, Old Power and New Power. 5.3 Access Point Software Download. Setup > AP Management > Software Download. The wireless controller can upgrade software on the APs that it manages. Note: The AP firmware versi
64. filtering is particularly useful to limit broadcast packets of a device in a large network. VLAN support is disabled by default in the controller. In the VLAN Configuration page, enable VLAN support on the controller and then proceed to the next section to define the virtual network. Setup > VLAN Settings > Available VLAN. The Available VLAN page shows a list of configured VLANs by name and VLAN ID. A VLAN membership can be created by clicking the Add button below the List of Available VLANs. A VLAN membership entry consists of a VLAN identifier and the numerical VLAN ID which is assigned to the VLAN membership. The VLAN ID value can be any number from 2 to 255. VLAN ID 1 is reserved for the default VLAN, which is used for untagged frames received on the interface. By enabling Inter VLAN Routing, you will allow traffic from LAN hosts belonging to this VLAN ID to pass through to other configured VLAN IDs that have Inter VLAN Routing enabled. Figure 20: Adding VLAN memberships to the LAN. This page shows a list of available VLANs which a user can edit or delete. A user can add a new VLAN from this page as well. 2.3.1 VLAN Configuration Options. Setup > VLAN Settings >
65. first cluster, then these APs are reported as rogues. Managed SSID from a fake managed AP: A hacker may set up an AP with the same MAC address as one of the managed APs and configure it to send one of the managed SSIDs. This test checks for a vendor field in the beacons, which is always transmitted by managed APs. If the vendor field is not present, then the AP is identified as a fake AP. AP without an SSID: SSID is an optional field in beacon frames. To avoid detection, a hacker may set up an AP with the managed network SSID but disable SSID transmission in the beacon frames. The AP would still send probe responses to clients that send probe requests for the managed SSID, fooling the clients into associating with the hacker's AP. This test detects and flags APs that transmit beacons without the SSID field. The test is automatically disabled if any of the radios in the profiles are configured not to send the SSID field, which is not recommended because it does not provide any real security and disables this test. Fake managed AP on an invalid channel: This test detects rogue APs that transmit beacons from the source MAC address of one of the managed APs, but on a different channel from which the AP is supposed to be operating. Managed SSID detected with incorrect security: During RF Scan, the AP examines beacon frames received from other APs and determines whether the detected AP is advertising an open network, WEP, or WPA. If the SSID reported in the RF
66. for most corporate network VPN solutions. The certificates menu allows you to view a list of certificates (both from a CA and self-signed) currently loaded on the gateway. The following certificate data is displayed in the list of Trusted (CA) certificates. CA Identity (Subject Name): The certificate is issued to this person or organization. Issuer Name: This is the CA name that issued this certificate. Expiry Time: The date after which this Trusted certificate becomes invalid. A self certificate is a certificate issued by a CA identifying your device (or self-signed if you don't want the identity protection of a CA). The Active Self Certificate table lists the self certificates currently loaded on the gateway. The following information is displayed for each uploaded self certificate. Name: The name you use to identify this certificate; it is not displayed to IPsec VPN peers or SSL users. Subject Name: This is the name that will be displayed as the owner of this certificate. This should be your official registered or company name, as IPsec or SSL VPN peers are shown this field. Serial Number: The serial number is maintained by the CA and used to identify this signed certificate. Issuer Name: This is the CA name that issued (signed) this certificate. Expiry Time: The date after which this signed certificate becomes invalid; you should renew the certificate before it expires. To req
67. Channel Configuration and Power Adjustment Configuration screen, with channel plans for 5 GHz (802.11a/n) and 2.4 GHz (802.11b/g/n) and the fields Channel Plan Mode (Fixed Time, Manual, Interval), Channel Plan Interval (6 to 24 hours), Channel Plan Fixed Time, Ignore Unmanaged APs, Channel Change Threshold, Managed AP CH Conflict Threshold and Power Adjustment Mode (Manual, Auto). Ignore Unmanaged APs: Enable this option to exclude unmanaged APs from the channel plan configuration settings from this section. Channel Change Threshold: This is the threshold strength (in dBm) for a neighbor to be considered noisy. If this threshold is exceeded, the Channel Plan will be run. Managed AP CH Conflict Threshold: This is the threshold (in dBm) below which managed APs that have a conflicting channel compared to the Channel Plan will have their channel updated. Power Adjustment Mode: You can set the power of the AP radio frequency transmission in the AP profile, the local database, or in the RADIUS server. The power level in the AP profile is the default level for the AP, and the power will not be adjusted below the value in the AP profile. The settings in the local database and RADIUS server always override the power set in the profile setting. If you manually set the power, the level is fixed and the AP will not
68. > 6to4 Tunneling. 6to4 is an Internet transition mechanism for migrating from IPv4 to IPv6, a system that allows IPv6 packets to be transmitted over an IPv4 network. Select the check box to Enable Automatic Tunneling and allow traffic from an IPv6 LAN to be sent over an IPv4 Option to reach a remote IPv6 network. Figure 112: 6to4 Tunneling. This page allows the user to enable or disable 6to4 tunneling. 6.7 IPv6 Tunnels Status. Advanced > IPv6 > IPv6 Tunnels Status. This status page displays the IPv6 tunnels (6to4 and ISATAP) status in the GUI. Figure 113: IPv6 Tunnel Status display. This page shows the status of IPv6 tunnels. The IPv6 Tunnels Status table has the columns Tunnel Name and IPv6 Addresses.
69. have associated wireless clients. To disconnect a client from an AP, select the box next to the BSSID and then click Disassociate. BSSID: Indicates the Ethernet MAC address for the managed AP VAP where this client is associated. SSID: Indicates the SSID for the managed AP VAP where this client is associated. AP MAC Address: This field indicates the base AP Ethernet MAC address for the managed AP. Radio: Displays the managed AP radio interface the client is associated to and its configured mode. Client MAC Address: The Ethernet address of the client station. Client IP Address: The IP address of the client station. Figure 82: Associated Client VAP Status. The following actions are supported from this page. Disassociate: Disassociates the client from the managed AP. Refresh: Updates the page with the latest information. 4.8.5 Controller Associated Client Status. Status > Wireless Client Info > Associated Clients > Controller Status. This shows information about the controller that manages the AP to which the client is associated. C
70. here is also used to identify the controller for SysLog logging. Figure 188: SNMP system information for this controller. This page displays the current SNMP configuration of the router. The following MIB (Management Information Base) fields are displayed and can be modified here. 12.4 SNMP Traps. Advanced > Global > SNMP Traps. If you use Simple Network Management Protocol (SNMP) to manage the DWC-1000 wireless controller, you can configure the SNMP agent on the controller to send traps to the SNMP manager on your network. When an AP is managed by a controller, it does not send out any traps. The controller generates all SNMP traps based on its own events and the events it learns about through updates from the APs it manages. Figure 189: SNMP Traps. Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP manager. SNMP provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The SNMP user table has the columns Name, Privilege and Security level (first row: admin, RWUSER, NoAuthNoPriv).
71. internal network users on the LAN and DMZ to access internal servers (e.g. an internal FTP server) using their externally known domain name. This is also referred to as NAT loopback, since LAN-generated traffic is redirected through the firewall to reach LAN servers by their external name. Figure 107: Routing Mode is used to configure traffic routing between Option and LAN, as well as Dynamic routing (RIP). This page allows the user to configure different routing modes like NAT, Classical Routing and Transparent. This page also allows the user to configure RIP (Routing Information Protocol). 6.4.2 Dynamic Routing (RIP). Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Setup > Internet Settings > Routing Mode. Dynamic routing using the Routing Information Protocol (RIP) is an Interior Gateway Protocol (IGP) that is common in LANs. With RIP, this controller can exchange routing information with other supported controllers in the LAN and allow for dynamic adjustment of routi
72. keys newly uploaded. Enable TLS Authentication Key: Enabling this adds TLS authentication, which adds an additional layer of authentication. It can be checked only when the TLS key is uploaded. Disabled by default. Click Save Settings to save the configuration entered. Figure 147: OpenVPN configuration. The OpenVPN Server/Client Configuration fields shown include Port (default 1194), Tunnel Protocol, Encryption Algorithm, Hash Algorithm, Tunnel Type, Enable Client to Client Communication, and the list of uploaded certificates. Chapter 9. SSL VPN. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. The controller provides an intrinsic SSL VPN feature as an alternate to the standard IPsec VPN. SSL VPN differs from IPsec VPN mainly by removing the requirement of a pre-installed VPN client on the remote host. Instead, users can securely log in through the SSL User Portal using a standard web browser and receive access to configured network resources within the corporate LAN. The controller supports
73. largest packet that can be passed on The MTU for Ethernet is a 1500 byte packet Network Address Translation Process of rewriting IP addresses as a packet passes through a controller or firewall NAT enables multiple hosts on a LAN to access the Internet using the single public IP address of the LAN s gateway controller Microsoft Windows protocol for file sharing printer sharing messaging authentication and name resolution Network Time Protocol Protocol for synchronizing a controller to a single clock on the network known as the clock master Password Authentication Protocol Protocol for authenticating users to a remote access server GnlSie Point to Point Protocol over Ethernet Protocol for connecting a network of hosts to an ISP without the ISP having to manage the allocation of IP addresses Point to Point Tunneling Protocol Protocol for creation of VPNs for the secure transfer of data from remote clients to private servers over the Internet 348 Wireless Controller User Manual Remote Authentication Dial In User Service Protocol for remote user authentication and accounting Provides centralized management of usernames and passwords Rivest Shamir Adleman Public key encryption algorithm Transmission Control Protocol Protocol for transmitting data over the Internet with guaranteed reliability and in order delivery User Data Protocol Protocol for transmitting data over the Internet quickly but wi
74. made private then the route will not be shared in a RIP broadcast or multicast This is only applicable for IPv4 static routes Destination the route will lead to this destination host or IP address IP Subnet Mask This is valid for IPv4 networks only and identifies the subnet that is affected by this static route Interface The physical network interface Optionl Option2 DMZ or LAN through which this route is accessible 196 Wireless Controller User Manual Gateway IP address of the gateway through which the destination host or network can be reached Metric Determines the priority of the route If multiple routes to the same destination exist the route with the lowest metric is chosen Figure 108 Static route configuration fields DWC 1000 SETUP TOOLS STATUS p p STATIC ROUTE CONFIGURATION LOGOUT This page allows user to add a new static route Routing Certificates 6 5 OSPF Advanced gt Routing gt OSPF Advanced gt IPv6 gt OSPF This page shows the OSPFv2 and OSPFv3 parameters configured on the controller You can also edit the configured parameters from the OSPF configuration page 197 Wireless Controller User Manual Figure 109 OSPF v2 status IPv4 Interface Status Area Priority HelloInterval DeadInterval Cost Authentication Type Captive Portal Disabled 1 10 40 10 j Disabled 1 10 4 10 Application Rules Website Filter gt
75. name of the RADIUS server used for reporting wireless client associations and disassociations The name can contain up to 32 alphanumeric characters Spaces underscores and dashes are also permitted RADIUS Accounting Server Configured Indicates whether the RADIUS accounting server is configured RADIUS Accounting Select to enable RADIUS accounting for wireless clients Country Code Select the country code that represents the country where your controller and APs operate When you click Submit a pop up message asks you to confirm the change Wireless regulations vary from country to country Make sure you select the correct country code so that your WLAN system complies with the regulations in your country 65 Wireless Controller User Manual 2 8 Wireless Discovery configuration The wireless controller can discover validate authenticate or monitor the following system devices e Peer wireless controllers APs e Wireless clients e Rogue APs e Rogue wireless clients Setup gt AP Management gt Poll List The wireless controller can discover peer wireless controller and APs regardless of whether these devices are connected to each other located in the same Layer 2 broadcast domain or attached to different IP subnets In order for the controller to discover other WLAN devices and establish communication with them the devices must have their own IP address must be able to find other WLAN devices and must be compa
76. of clients that can associate with the wireless system This is the maximum number of entries allowed in the Associated Client database Detected Clients Number of wireless clients detected in the wireless network environment Maximum Detected Clients Maximum number of clients that can be detected by the controller The number is limited by the size of the Detected Client Database Maximum Pre authentication History Entries Maximum number of Client Pre authentication events that can be recorded by the system Total Pre authentication History Entries Current number of pre authentication history entries in use by the system Maximum Roam History Entries Maximum number of entries that can be recorded in the roam history for all detected clients Total Roam History Entries Current number of roam history entries in use by the system 131 Wireless Controller User Manual AP Provisioning Count Current number of AP provisioning entries configured on the system WLAN Bytes Transmitted Total bytes transmitted across all APs managed by the controller WLAN Packets Transmitted Total packets transmitted across all APs managed by the controller WLAN Bytes Received Total bytes received across all APs managed by the controller WLAN Packets Received Total packets received across all APs managed by the controller WLAN Bytes Transmit Dropped Total bytes transmitted across all APs managed by the contro
77. one or more images such as your office floor plan to provide customized information for the WLAN Visualization feature Images file formats that are recommended to upload should be in one of the following formats e GIF Graphics Interchange Format e JPG Joint Photographic Experts Group It is also recommended that you do not use color images since the WLAN components might not show up well Once user uploads an image file and save the running configuration the image remains on the switch and you can assign it to an existing graph using the WLAN Visualization application 93 Wireless Controller User Manual Figure 48 WLAN Visualization Image import Dwc 1000 ADVANCED TOOLS STATUS A gt Wizard Global Settings DOWNLOAD IMAGE AP Management WLAN Visualization gt NRGEGR ERE Internet Settings gt Start File Transfer Deleting Images This option is available only if images are already loaded onto the controller To delete all images loaded onto the switch click Delete All Images Deleting background images is not recommended However if user uses has to delete the images user will need to refresh the WLAN Visualization tool after deleting images 3 2 2 Visualization Launch To start the WLAN Visualization tool the Launch Menu under WLAN Visualization has to be used This opens a new browser window and starts the Java applet that allows the AP and WLAN controller network to be pr
78. part of the source network for this protocol binding Address Range Select if you want to allow computers within an IP address range to be a part of the source network Requires Start address and End address Start Address IP address from where the range needs to begin or the single address if that is the source network selected End Address IP address where the range needs to end Destination Network Select one of the following Any No specific network needs to be given Single Address Limit to one computer Requires the IP address of the computer that will be part of the destination network for this protocol binding Address Range Select if you want to allow computers within an IP address range to be a part of the destination network Requires Start address and End address Start Address IP address from where the range needs to begin or the single address if that is the destination network selected End Address IP address where the range needs to end 6 4 Routing Configuration 6 4 1 Routing between the LAN and Option will impact the way this controller handles traffic that is received on any of its physical interfaces The routing mode of the gateway is core to the behavior of the traffic flow between the secure LAN and the internet Routing Mode Setup gt Internet Settings gt Routing Mode This device supports classical routing network address translation NAT and transport mode routing e With classical routin
79. point to client station AP EDCA parameters and the upstream traffic flowing from the station to the access point station EDCA parameters Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from the station to the access point With WMM disabled you can still set some parameters on the downstream traffic flowing from the access point to the client station AP EDCA parameters e To disable WMM extensions click Disabled e To enable WMM extensions click Enabled Station EDCA Parameters Queue Queues are defined for different types of data transmitted from station to AP Data 0 Voice High priority queue minimum delay Time sensitive data such as VoIP and streaming media are automatically sent to this queue Data 1 Video High priority queue minimum delay Time sensitive video data is automatically sent to this queue Data 2 best effort Medium priority queue medium throughput and delay Most traditional IP data is sent to this queue Data 3 Background Lowest priority queue high throughput Bulk data that requires maximum throughput and is not time sensitive is sent to this queue FTP data for example AIFS Inter Frame Space The Arbitration Inter Frame Spacing AIFS specifies a wait time for data frames The wait time is measured in slots Valid values for AIFS are 1 through 255 cwMin Minimum Contention Window This parameter is used by the algorithm that
80. saving Network Standby mode within 1 minute of no packets being transmitted It can also be turned off through a power switch to save energy when it is not needed Network Standby 10 9 watts Switched Off 0 watts 354
81. station Figure 60 WLAN Associated Clients DWC 1000 HT SETUP ADVANCED TOOLS STATUS Global Info gt ASSOCIATED CLIENTS STATISTICS LOGOUT Device Info gt Access Point Info gt Description goes here Associated Clients Statistics Packets Bytes me Ae Transmitted Transmitted Traffic Monitor D Ref h t Active VPNs Refresh _ E 0 a6 70 8e bf 67 4 684 The following actions are supported from this page Refresh Updates the page with the latest information View Details Shows detailed status associated client 4 4 Active Connections 4 4 1 Sessions through the Controller Status gt Active Sessions This table lists the active internet sessions through the controllers firewall The session s protocol state local and remote IP addresses are shown 110 Wireless Controller User Manual Figure 61 List of current Active Firewall Sessions DWwc 1000 Hi SETUP ADVANCED TOOLS STATUS Active Sessions ACTIVE SESSIONS Kolciolt i This page disphys a list of active sessions on your router Active Sessions Local Internet State 192 168 10 103 35034 74 125 236 95 80 ESTABLISHED 192 168 1 155 16793 192 168 1 2 53 none 192 168 1 155 17846 192 168 1 2 53 none 192 168 10 103 60939 74 125 236 87 443 ESTABLISHED 192 168 10 103 33502 74 125 236 83 80 ESTABLISHED 192 168 1 155 17846 192 168 1 16 53 none 192 168 10 103 60883 74 125 235 84 80 ESTABLISHED 192 168 1 155 16793 192 168 1 16 53 none
82. sure to push the configuration to other controllers in the cluster 307 Wireless Controller User Manual Figure 178 WIDS Managed AP Configuration Global WDS MANAGED AP CONFIGURATION See gaa tna aS a ea ea aan ace ad ade ek a oe ene D aa S Se gt Cc WDS Configuration gt EAEE Ga eA EE AP Configuration z figuration Summary No WDS AP exists Firewall Settings gt es Refresh etwork p Routing cates Users IP MAC Binding Radius Settings Switch Settings Intel WIRELESS CONTROLLER The following fields are available on the WDS Managed AP Summary page WDS Group ID Select the ID associated with the group to configure AP MAC Address MAC Address of the AP STP Priority Spanning Tree Priority for this AP The STP priority is used only when spanning tree mode is enabled The STP priority determines which AP is selected as the root of the spanning tree and which AP has preference over another AP when multiple equal cost paths exist in the topology The lower value for the spanning tree priority means that the AP is more likely to be used for bridging data into the campus network You should assign a lower priority to the APs connected to the wired network than to the Satellite Aps The STP priority value is rounded down to a multiple of 4096 The range is 0 61440 and the default value is 36864 11 6 3 Link Configuration 308 Wireless Controller User Manual After creating a WD
83. the managed AP database unless you remove it Note that a managed AP will temporarily show a failed status during a reset Profile The AP profile configuration currently applied to the managed AP The profile is assigned to the AP in the valid AP database Radio Interface Shows the wireless radio mode that each radio on the AP is using The following actions are supported from this page Delete Manually clear existing APs View AP Details Shows detailed status information collected from the AP View Radio Details Shows detailed status for a radio interface View Neighbor Details Shows the neighbour APs that the specified AP has discovered through periodic RF scans on the selected radio interface View Neighbor Clients Shows information about wireless clients associated with an AP or detected by the AP radio View VAP Details Shows summary information about the virtual access points VAPs for the selected AP and radio interface on the APs that the controller manages 4 6 4 Authentication Failure Status Status gt Access Point Info gt Authentication Failure Status An AP might fail to associate to the controller due to errors such as invalid packet format or vendor ID or because the AP is not configured as a valid AP with the correct local or RADIUS authentication information The AP authentication failure list shows information about APs that failed to establish communication with the DWC 1000 wireless controller T
84. the most current version of the Terms along with their effective date will be linked Erom each of services If you continue to use the service jafter we change the Terms you accept all the changes TERMS OF SERVICE RULE Captive Portal D 2 Registration and access controls You are responsible for maintaining the confidentiality of ernal gt your login names and passwords and you accept responsibility Authenticati zoe all activities changes and damages that occur in your account If you have reason to believe that someone is using pede account without your permission you should contact us immediately We will not be responsible for any loss or VLAN Settings gt damage resulting from your failure to notify us of DMZ Setup gt f Edit USB Settings d 2 6 5 Billing Profiles Setup gt Captive Portal gt Billing Profiles This feature allows the administrator to create customized accounting and billing types using billing profiles All profiles created here are displayed to front desk user on their homepage The front desk user has administrative privileges to generate temporary captive portal users for a profile and those users will be having these accounting and billing properties applied 56 Wireless Controller User Manual Figure 33 List of Configured Billing Profiles DWC 1000 SETUP ADVANCED TOOLS STATUS Wizard WLAN Global Settings BILLING PROFILES Releieliiy AP Management This pa
85. to either permit or deny access to the selected addresses or network resources As well the policy can be specified for one or all of the supported SSL VPN services i e VPN tunnel 270 Wireless Controller User Manual Once defined the policy goes into effect immediately The policy name SSL service it applies to destination network resource or IP addresses and permission deny permit is outlined in a list of configured policies for the controller Figure 159 SSL VPN policy configuration DWC 1000 ADVANCED TOOLS STATUS Please Enable Remote Management to activate SSL VPN Configurations WLAN Global Settings SSL VPN POLICY CONFIGURATION LOGOUT AP Management This page allows you to add a new SSL VPN Policy or edit the configuration of an existing SSL VPN Policy isualization Save Settings Don t Save Settings SSL VPN Policy Port Range Port Number Begin 0 65535 End 0 65535 Service VPN Tunnel To configure a policy for a single user or group of users enter the following information Policy For The policy can be assigned to a group of users a single user or all users making it a global policy To customize the policy for specific users or groups the user can select from the Available Groups and Available Users drop down 271 Wireless Controller User Manual 9 2 1 Apply Policy To This refers to the LAN resources managed by the DWC 1000 and the polic
86. to the Internet, 239; Example of three IPsec client connections to the internal network through the DWC IPsec gateway, 240; VPN Wizard launch screen, 241; IPsec policy configuration, 245; IPsec policy configuration continued (Auto policy via IKE), 246; IPsec policy configuration continued (Auto / Manual Phase 2), 247; PPTP tunnel configuration (PPTP Client), 250; PPTP VPN Connection Status, 250; PPTP tunnel configuration (PPTP Server), 251; L2TP tunnel configuration (L2TP Server), 252; OpenVPN configuration, 254; Example of clientless SSL VPN connections to the DWC 1000, 256; List of Groups, 257; User Group Configuration, 259; SSLVPN Settings, 260; Group login policies options
87. to this profile to configuring captive portal on VLAN or for a particular SSID This customized profile will be shown in captive portal login page 52 Wireless Controller User Manual 2 6 2 Captive Portal SSID Setup Setup gt Captive Portal gt Captive Portal SSID Setup This feature allows the administrator to configure existing SSIDs with Captive Portal authentication These SSID s can be those hosted by this system or by AP s managed by this WLAN controller By default this page contains 16 SSIDs to configure If needed the appliance supports another 48 SSIDs to enable for Captive Portal vial the SSIDs page in the advanced settings Figure 29 List of SSID s associated with Captive Portals DWC 1000 ME SETUP ADVANCED TOOLS STATUS Wizard WLAN Global Settings CAPTIVE PORTAL SETUP AP Management Captive Portal is a security mechanism to selectively provide authentication on certain interfaces You can use this page to manage the Policies and Profiles of CaptivePortal WLAN Visualization gt Internet Settings gt Captive Portal SSID Setup Network Settings Captive Portal AuthServer a T sim Enabled Local User Database GVRP diink2 Disabled None Captive Portal D Captive Portal Setup Disabled None External gt Captive ais SSID Disabled None Authentications Setup VPN Settings a Cepive Portal ee Aa Sessions VLAN Settings poche sa DMZ Setup Disabled None Disa
88. used only if your Option is configured in Auto Rollover mode. Figure 142: IPsec policy configuration continued (Auto / Manual Phase 2). 8.2.1 Extended Authentication (XAUTH). You can also configure extended authentication (XAUTH). Rather than configure a unique VPN policy for each user, you can configure the VPN gateway controller to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. With a user database, user accounts created in the controller are used to authenticate users. With a configured RADIUS server, the controller connects to a RADIUS server and passes to it the credentials that it receives from the VPN client. You can secure the connection between the controller and the RADIUS server with the authentication protocol supported by the server (PAP or CHAP). For RADIUS PAP, the controller first checks in the user database to see if the user credentials are available; if they are not, the controller connects to the RADIUS server. 8.2.2 Internet over IPSec tunnel. In this feature all the traffic w
89. values for the cwmin are 1 3 7 15 31 63 127 255 511 or 1024 The value for cwmin must be lower than the value for cwmax cwMax Maximum Contention Window The value specified here in the Maximum Contention Window is the upper limit in milliseconds for the doubling of the random backoff value This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached Once the Maximum Contention Window size is reached retries will continue until a maximum number of retries allowed is reached Valid values for the cwmax are 1 3 7 15 31 63 127 255 511 or 1024 The value for cwmax must be higher than the value for cwmin Max Burst Length AP EDCA Parameter Only The Max Burst Length applies only to traffic flowing from the access point to the client station This value specifies in milliseconds the Maximum Burst Length allowed for packet bursts on the wireless network A packet burst is a collection of multiple frames transmitted without header information The decreased overhead results in higher throughput and better performance Valid values for maximum burst length are 0 0 through 999 86 Wireless Controller User Manual WMM Mode Wi Fi MultiMedia WMM is enabled by default With WMM enabled QoS prioritization and coordination of wireless medium access is on With WMM enabled QoS settings on the DWC 1000 wireless controller control downstream traffic flowing from the access
90. 7.10.3 Blocked Keywords. Advanced > Website Filter > Blocked Keywords. Keyword blocking allows you to block all website URLs or site content that contains the keywords in the configured list. This is lower priority than the Approved URL List; i.e., if the blocked keyword is present in a site allowed by a Trusted Domain in the Approved URL List, then access to that site will be allowed. Import/export from a text or CSV file for keyword blocking is also supported. Figure 131: One keyword added to the block list.
91. 000 ADVANCED TOOLS STATUS GLOBAL STATUS WLAN Global Settings Enable WLAN Controller v WLAN Controller Operational Status Enabled This page will guide you through common and easy steps to configure your DWC 1000 router WLAN global settings Make sure that WLAN controller is being enabled Save Settings Don t Save Settings Wireless Global Configuration External IP Address 10 10 10 206 Authentications AP Validation VPN Settings b AP MAC Validation Local VLAN Settings d Require Authentication Passphrase DMZ Setup gt Manage AP with Previous Release Code USB Settings gt RADIUS Server Configuration RADIUS Authentication Server Name Default RADIUS Server RADIUS Authentication Server Status Configured RADIUS Accounting Server Name Default RADIUS Server RADIUS Accounting Server Status Configured RADIUS Accounting Country Configuration Country Code US United States oa IP Address This field shows the IP address of the WLAN interface on the controller If the controller does not have the Routing Package installed or if routing is disabled the IP address is the network interface If the routing package is installed and enabled this is the IP address of the routing or loopback interface you configure for the controller features AP MAC Validation Method Add the MAC address of the AP to the Valid AP database which can be kept locally on the
92. 04 Resource Utilization data continued, 104; Physical port statistics, 106; Managed AP Statistics, 108; LAN Associated Clients, 109; WLAN Associated Clients, 110; List of current Active Firewall Sessions, 111; Associated Clients, 112; List of LAN hosts, 114; Detected Clients, 115; List of current Active VPN Sessions, 117; AP Statistics, 118; AP Status, 120; Managed AP Status, 122; Authentication Failure Status, 124; Figure 70 AP RF Scan Status, 127; Figure 71 Global Status Part 1, 128; Figure 72 Global Status Part 2, 129; Figure 73 Peer Controller Status
93. 1 3 Distributed Tunneling Advanced gt Global gt Distributed Tunneling The Distributed Tunneling mode also known as AP AP tunneling mode is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller In the AP AP tunneling mode when a client first associates with an AP in the wireless system the AP forwards its data using the VLAN forwarding mode The AP to which the client initially associates is the Home AP The AP to which the client roams is the Association AP Figure 171 Distributed Tunneling saus gt DWC 1000 Global Peer Controllers p DISTRIBUTED TUNNELING LOGOUT AP Profile Distributed Tunneling Configuration Captive Portal gt Distributed Tunnel Clients 128 1 to 8000 Distributed Tunnel Idle Timeout 120 30 to 3600 Distributed Tunnel Timeout 7200 30 to 86400 Distributed Tunnel Max Multicast Replications Allowed 128 1 to 1024 Routing gt Distributed Tunnel Clients Specify the maximum number of distributed tunneling clients that can roam away from the Home AP at the same time Distributed Tunnel Idle Timeout Specify the number of seconds of no activity by the client before the tunnel to that client is terminated and the client is forced to change its IP address Distributed Tunnel Timeout Specify the number of seconds before the tunnel to the roamed client is terminated and the client is forced to change its IP address
94. 10 1 platform cgi page billingDeskLogin htm XW Opening the Front Desk page from the same browser as the current admin session will not auto redirect to the correct page Figure 36 Login prompt for Front Desk users FRONT DESK LOGIN 62 Wireless Controller User Manual In the Front Desk configuration page attributes enabled in the Billing Profile are available for management such as batch user generation customized account names or modifying usage limits The Generate button is required to create the Temporary User accounts and the View Accounts section has a summary of all users generated by this Front Desk User 2 7 WLAN global configuration Setup gt WLAN Global Settings Following are the options available to enable the WLAN function on DWC 1000 Enable WLAN Controller Select this option to enable WLAN controller functionality on the system Clear the option to administratively disable the WLAN controller If you clear the option all peer controller and APs that are associated with this controller are disassociated Disabling the WLAN controller does not affect non WLAN features on the controller such as VLAN or STP functionality WLAN Controller Operational Status Shows the operational status of the controller The status can be one of the following values e Enabled e Enable Pending e Disabled e Disable Pending 63 Wireless Controller User Manual Figure 37 WLAN global configuration DWC 1
95. 16995 of the client initiating the connection Listen on Port Enter the port on which server should listen for incoming connections Redirect to Port 9971 Check this box to redirect to port 9971 of the client initiating the connection Listen on Port Enter the port on which server should listen for incoming connections 288 Wireless Controller User Manual Chapter 11 Advanced Wireless Controller Features 11 1 General Advanced gt Global gt General The fields on the advanced Wireless Global Configuration page are settings that apply to the DWC 1000 Wireless Controller Figure 169 Wireless Configuration gt DWC 1000 Global p CONFIGURATION ITEMS Relciel ing The fields on this page are settings that apply to the Unified Wireless controller WIDS Security Don t Save Settings Captive Portal gt Wireless Configuration Peer Group ID 1 1 to 255 Client Roam Timeout 30 1 to 120 Seconds Ad Hoc Client Status Timeout 24 0 to 168 Hours AP Failure Status Timeout 24 0 to 168 Hours MAC Authentication Mode white list v RF Scan Status Timeout 24 0 to 168 Hours iser gt Detected Clients Status Timeout 24 0 to 168 Hours i peas o omasa AP Client QoS Disable v Switch Settings 289 Wireless Controller User Manual Peer Group ID In order to support larger networks you can configure wireless controllers as peers with up to 8 controllers in a cluster peer group Peer
96. 192 168 10 103 52079 74 125 236 93 443 ESTABLISHED 192 168 10 103 46197 74 125 236 86 443 SYN_SENT 192 168 10 103 33499 74 125 238 83 80 ESTABLISHED 192 168 1 155 2746 192 168 1 16 53 none 192 168 10 103 46196 74 125 235 86 443 SYN_SENT 4 5 LAN Client Info 4 5 1 Associated Clients Status gt LAN Client Info gt Associated Clients The clients that are associated with the APs the controller manages as displayed 111 Wireless Controller User Manual Figure 62 Associated Clients DWC 1000 fe SETUP ADVANCED TOOLS ASSOCIATED CLIENTS STATUS Kece tii You can view a variety of information about the wireless clients that are associated with the APs the controller List of Associated Clients Detected IP Peer Address Address OO1b 11 idte2d 1cati7 1t1240 udai 1 1cati7 1t1250 192 168 10 102 Authenticate 00 1b 11 1d4e35 1cafi7 1f1b80 udai 1 1cafi7 1f1b90 192 168 10 107 Authenticate Refresh MAC Address The Ethernet address of the client station If the MAC address is followed by an asterisk the client is associated with an AP managed by a peer controller AP MAC Address The Ethernet address of the AP SSID The network on which the client is connected BSSID The Ethernet MAC address for the managed AP VAP where this client is associated Detected IP Address Identifies the IPv4 address of the client if available Status Indicates whether or not the client has associated and or authentic
97. The following actions are supported from this page: Delete: Delete the selected client from the list. If the client is detected again, it will be added to the list. Delete All: Deletes all non-authenticated clients from the Detected Client database. As clients are detected, they are added to the database and appear in the list. Acknowledge All Rogues: Clear the rogue status of all clients listed as rogues in the Detected Client database. The status of an acknowledged client is returned to the status it had when it was first detected. If the detected client fails any of the tests that classify it as a threat, it will be listed as a Rogue again. Refresh: Updates the page with the latest information. 4.8.7 Pre Authorization History. Status > Wireless Client Info > Pre Auth History. To help authenticated clients roam without losing sessions and needing to re-authenticate, wireless clients can attempt to authenticate to other APs within range that the client could possibly associate with. For successful pre-authentication, the target AP must have a VAP with an SSID and security configuration that matches that of the client, including MAC authentication, encryption method, and pre-shared key or RADIUS parameters. The AP that the client is associated with captures all pre-authentication requests and sends them to the controll
98. Tunnel Name: The active IPv6 to IPv4 tunnel identifier. IPv6 Addresses: The source IPv6 address(es) in your LAN that have data being sent over this tunnel. 6.8 ISATAP Tunnels Advanced > IPv6 > ISATAP Tunnels This feature allows the administrator to configure ISATAP (Intra-Site Automatic Tunnel Addressing Protocol), an IPv6 transmission mechanism meant to transmit IPv6 packets between dual-stack nodes over an IPv4 network. Unlike 6to4, ISATAP uses IPv4 as a virtual non-broadcast multiple-access network data link layer, so that it doesn't require the underlying IPv4 network infrastructure to support multicast. To configure an ISATAP tunnel, the administrator needs to configure the following fields: ISATAP Subnet Prefix: This is the 64-bit subnet prefix that is assigned to the logical ISATAP subnet for this intranet. This can be obtained from your ISP or internet registry, or derived from RFC 4193. Figure 114: ISATAP Tunnel Configuration
99. Figure 85 Pre Auth History; Figure 86 Detected Client Roam History; Figure 87 Valid Access Point Configuration; Figure 88 Add a Valid Access Point; Figure 89 RF Configuration; Figure 90 Channel Plan History; Figure 91 Manual Channel Plan; Figure 92 Manual Power Adjustment Plan; Figure 93 Access Point Software Download; Figure 94 Local OUI Database; Figure 95 AP Provisioning Summary Status; Figure 96 Manual Management; Figure 97 Internet Connection Setup Wizard
100. APs: root APs and satellite APs. A root AP acts as a bridge or repeater on the wireless medium and communicates with the controller via the wired link. A satellite AP communicates with the controller via a WDS link to the root AP. The WDS links are secured using WPA2 Personal authentication and AES encryption. Support for the WDS managed AP feature within the Unified Wired and Wireless Access System includes the following: • The wireless system can contain up to two WDS managed AP groups. • Each WDS managed AP group can contain up to four APs. • An AP can be a member of only one WDS AP group. • Each satellite AP can have only one WDS link on the satellite APs. This means that a satellite AP must be connected to a root AP. A satellite AP cannot be connected to another satellite AP. By default, an AP is configured as a root AP. For an AP to be attached to the Wireless System as a satellite AP, configure the following settings on the AP while it is in stand-alone mode: Satellite AP mode: This setting enables the satellite AP to discover and establish a WDS link with the root AP. By default, the WDS Managed Mode is Root AP. Password: This is for WPA2 Personal authentication used to establish the WDS links. Only the satellite APs need this setting. The root APs get the password from the controller when they become managed. Static Channel: The APs on each end of a WDS link must use the same radio and channel to communicate. Configure
101. All other times outside the schedule will not be affected by this firewall blocking rule. As we defined our schedule in schedule "Weekend", this is available in the dropdown menu. We want to block the IP range assigned to the marketing group. Let's say they have IP 192.168.10.20 to 192.168.10.30. On the Source Users dropdown, select Address Range and add this IP range as the From and To IP addresses. We want to block all HTTP traffic to any services going to the insecure zone. The Destination Users dropdown should be "any". We don't need to change default QoS priority or Logging (unless desired); clicking apply will add this firewall rule to the list of firewall rules. The last step is to enable this firewall rule. Select the rule and click "enable" below the list to make sure the firewall rule is active. Security on Custom Services Advanced > Firewall Settings > Custom Services Custom services can be defined to add to the list of services available during firewall rule configuration. While common services have known TCP/UDP/ICMP ports for traffic, many custom or uncommon applications exist in the LAN or Option. In the custom service configuration menu you can define a range of ports and identify the traffic type (TCP/UDP/ICMP) for this service. Once defined, the new service will appear in the services list of the firewall rules configuration menu.
102. [Screenshot: Auto policy via IKE, Phase 1 (IKE SA Parameters): Exchange Mode, Direction / Type, NAT Traversal, NAT Keep Alive Frequency, Local and Remote Identifier, Encryption Algorithm, Authentication Algorithm, Authentication Method, Pre-shared key, Diffie-Hellman (DH) Group, SA Lifetime, Dead Peer Detection, Extended Authentication] A Manual policy does not use IKE and instead relies on manual keying to exchange authentication parameters between the two IPsec hosts. The incoming and outgoing security parameter index (SPI) values must be mirrored on the remote tunnel endpoint. As well, the encryption and integrity algorithms and keys must match on the remote IPsec host exactly in order for the tunnel to establish successfully. Note that using Auto policies with IKE is preferred, as in some IPsec implementations the SPI (security parameter index) values require conversion at each endpoint. DWC-1000 supports VPN roll-over feature. This means that policies configured on primary Option will roll over to the secondary Option in case of a link failure on a primary Option. This feature can be
103. Client Status; 4.8.3 Associated Client SSID Status; 4.8.4 Associated Client VAP Status; 4.8.5 Controller Associated Client Status; 4.8.6 Detected Client Status; 4.8.7 Pre Authorization History; 4.8.8 Detected Client Roam History; AP Management; 5.1 Valid Access Point Configuration; 5.2 RF Management; 5.2.1 RF Configuration; 5.2.2 Channel Plan History; 5.2.3 Manual Channel Plan; 5.2.4 Manual Power Adjustment Plan; 5.3 Access Point Software Downloads
104. 7.9 Application Rules Status; 7.10 Web Content Filtering; 7.10.1 Content Filtering; 7.10.2 Approve URLs; 7.10.3 Blocked Keywords; 7.10.4 Export Web Filter; 7.11 Content Keeper Support Web Content Filtering; 7.12 Dynamic WCF; 7.13 IP/MAC Binding; 7.14 Switch Settings; 7.15 Protecting from Internet Attacks; Chapter 8 IPsec / PPTP / L2TP VPN; 8.1 VPN Wizard; 8.2 Configuring IPsec Policies; 8.2.1 Extended Authentication (XAUTH); 8.2.2 Internet over IPsec tunnel; 8.3 Conf
105. Either primary or backup controller IP address is not in the cluster, or the mutual authentication mode is enabled and the primary controller IP address is not specified. • Provisioning Rejected: AP is not managed and is configured not to accept provisioning data in unmanaged mode. • Timed Out: The last provisioning request timed out. Figure 95: AP Provisioning Summary Status. AP Provisioning Summary Status page shows information about all provisioned APs. The AP Provisioning Summary and Detail pages display data only when the controller is configured as the Cluster Controller. Only Unmanaged APs can be deleted. The following actions are supported from this page: Delete: Remove the selected AP from the AP provisioning list. Delete All: Remove all APs from the AP provisioning list.
106. Enable or Disable static Option links. For Option settings that are dynamically received from the ISP, you can Renew or Release the link parameters if required. 6.3 Features with Multiple Option Links This controller supports multiple Option links. This allows you to take advantage of failover and load balancing features to ensure certain internet-dependent services are prioritized in the event of unstable Option connectivity on one of the ports. Setup > Internet Settings > Option Mode To use Auto Failover or Load Balancing, Option link failure detection must be configured. This involves accessing DNS servers on the internet or ping to an internet address (user defined). If required, you can configure the number of retry attempts when the link seems to be disconnected or the threshold of failures that determines if the Option port is down. 6.3.1 Auto Failover In this case one of your Option ports is assigned as the primary internet link for all internet traffic. The secondary Option port is used for redundancy in case the primary link goes down for any reason. Both Option ports (primary and secondary) must be configured to connect to the respective ISPs before enabling this feature. The secondary Option port will remain unconnected until a failure is detected on the primary link (either port can be assigned as the primary). In the event of a failure on the primary port, all internet t
107. The AP authentication failure list shows information about APs that failed to establish communication with the Unified Wireless Controller. MAC Address: The Ethernet address of the AP. If the MAC address of the AP is followed by an asterisk, it was reported by a peer controller. IP Address: The IP address of the AP. Last Failure Type: Indicates the last type of failure that occurred, which can be one of the following: • Local Authentication • No Database Entry • Not Managed • RADIUS Authentication • RADIUS Challenged • RADIUS Unreachable • Invalid RADIUS Response • Invalid Profile ID • Profile Mismatch Hardware Type. Age: Time since failure occurred. 4.6.5 AP RF Scan Status Status > Access Point Info > AP RF Scan Status The radios on each AP can periodically scan the radio frequency to collect information about other APs and wireless clients that are within range. In normal operating mode, the AP always scans on the operational channel for the radio. MAC Address: The Ethernet MAC address of the detected AP. This could be a physical radio interfa
108. Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset. • Rogue: The AP has not attempted to contact the controller and the MAC address of the AP is not in the Valid AP database. Radio: Shows the wireless radio mode the AP is using. Channel: Shows the operating channel for the radio. The following actions are supported from this page: Delete All: Manually clear all APs from the All Access Points status page except Managed Access Points. Manage: Configure an Authentication Failed AP to be managed by the controller the next time it is discovered. Select the check box next to the MAC address of the AP before you click Manage. You will be presented with the Valid Access Point Configuration page. You can then configure the AP and click Submit to save the AP in the local Valid AP database. If you use a RADIUS server for AP validation, you must add the MAC address of the AP to the AP database on the RADIUS server. Acknowledge: Identify an AP as an Acknowledged Rogue. Select the check box next to the MAC address of the AP before you click Acknowledge. The controller adds the AP to the Valid AP database as an Acknowledged Rogue. View Details: To view the details of configured APs, select the check box next to the MAC address of the AP before you click View Details. Refresh: Updates the page with the latest i
109. Figure 123: List of user defined services. When you create a firewall rule, you can specify a service that is controlled by the rule. Common types of services are available for selection, and you can create your own custom services. This page allows creation of custom services against which firewall rules can be defined. Once defined, the new service will appear in the List of Available Custom Services table. 7.5 ALG support Advanced > Firewall Settings > ALGs Application Level Gateways (ALGs) are security components that enhance the firewall and NAT support of this controller to seamlessly support application layer protocols. In some cases, enabling the ALG will allow the firewall to use dynamic ephemeral TCP/UDP ports to communicate with the known ports a particular client application (such as H.323 or RTSP) requires, without which the admin would have to open a large number of ports to accomplish the same support. Because the ALG understands the protocol used by the specific application that it supports, it is a very secure and efficient way of introducing support for client applications through the controller's firewall. Figure 124: Available ALG support on the controller
110. GAINST CUSTOMER FOR LOSSES OR DAMAGES. D-LINK WILL IN NO EVENT BE LIABLE FOR ANY DAMAGES IN EXCESS OF THE AMOUNT D-LINK RECEIVED FROM THE END USER FOR THE PRODUCT. Table of Contents: Chapter 1 Introduction; 1.1 About this User Manual; 1.2 Typographical Conventions; Chapter 2 Configuring Your Network; 2.1 LAN Configurations; 2.1.1 LAN DHCP Reserved IPs; 2.1.2 LAN DHCP Leased Clients; 2.1.3 LAN DHCP Pools; 2.1.4 LAN Configuration in an IPv6 Network; 2.1.5 DHCPv6 Leased Clients; 2.1.6 Configuring IPv6 Router Advertisement; 2.2 QoS; 2.2.1 LAN QoS Configuration; 2.2.2 801 P Priority CoS to Port Mapping
111. IPs; LAN DHCP Leased Clients; LAN DHCP Pool configuration; IPv6 LAN and DHCPv6 configuration; DHCPv6 Leased Client; Configuring the Router Advertisement Daemon; IPv6 Advertisement Prefix settings; LAN QoS Configurations; 801P Configuration; Port DSCP Mapping; Port Queue Scheduler; Port Queue Status; Option QoS Configuration; Bandwidth Profile Configuration; Traffic Selector Configuration
112. IPv4 tunnel, select the 6to4 prefix type. Selecting Global/Local/ISATAP will allow the nodes to support all other IPv6 routing options. SLA ID: The SLA ID (Site-Level Aggregation Identifier) is available when 6to4 Prefixes are selected. This should be the interface ID of the router's LAN interface used for router advertisements. IPv6 Prefix: When using Global/Local/ISATAP prefixes, this field is used to define the IPv6 network advertised by this router. IPv6 Prefix Length: This value indicates the number of contiguous, higher-order bits of the IPv6 address that define the network portion of the address. Typically this is 64. Prefix Lifetime: This defines the duration (in seconds) that the requesting node is allowed to use the advertised prefix. It is analogous to DHCP lease time in an IPv4 network. Figure 10: IPv6 Advertisement Prefix settings. 2.2 QoS 2.2.1 LAN QoS Configuration Setup > QoS > LAN QoS > Trust Mode Configuration Enabling QoS on LAN is an advanced configuration which is required only if you expect congestion on the traffic on the LAN ports. This page allows you to enable QoS a
113. List of Available Application Rules and corresponding status. This page lists the application rules currently configured. 7.10 Web Content Filtering The gateway offers some standard web filtering options to allow the admin to easily create internet access policies between the secure LAN and insecure Option. Instead of creating policies based on the type of traffic (as is the case when using firewall rules), web-based content itself can be used to determine if traffic is allowed or dropped. 7.10.1 Content Filtering The following feature is available upon licensed activation of VPN / Firewall features for the system. Advanced > Website Filter > Content Filtering Content filtering must be enabled to configure and use the subsequent features (list of Trusted Domains, filtering on Blocked Keywords, etc.). Proxy servers, which can be used to circumvent certain firewall rules and are thus a potential security gap, can be blocked for all LAN devices. Java applets can be prevented from being downloaded from internet sites, and similarly the gateway can preven
114. Chapter 11 Advanced Wireless Controller Features; 11.1 General; 11.2 SNMP; 11.3 Distributed Tunneling; 11.3.1 Distributed Tunneling Status; 11.4 Peer Controller Configuration; 11.4.1 Peer Controller Configuration Request Status; 11.4.2 Peer Controller Configuration; 11.5 WIDS Configuration; 11.5.1 WIDS AP configuration; 11.5.2 WIDS Client Configuration; 11.6 WDS Settings; 11.6.1 Group Configuration; 11.6.2 AP Configuration; 11.6.3 Link Configuration; 11.7 External Authentications; 11.7.1 RADIUS Settings
115. Mbps. IEEE 802.11g is a higher speed extension (up to 54 Mbps) to the 802.11b PHY. It uses orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from to 54 Mbps. IEEE 802.11b/g/n operates in the 2.4 GHz ISM band and includes support for 802.11b, 802.11g, and 802.11n devices. 2.4 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 2.4 GHz frequency that do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a). IEEE 802.11a/n/ac operates in the 5 GHz ISM band and includes support for 802.11a, 802.11n, and 802.11ac devices. IEEE 802.11n/ac operates in the 5 GHz ISM band and includes support for 802.11n and 802.11ac devices. DTIM Period: The Delivery Traffic Information Map (DTIM) message is an element included in some Beacon frames. It indicates which client stations, currently sleeping in low-power mode, have data buffered on the access point awaiting pick-up. The DTIM period you specify indicates how often the clients served by this access point should check for buffered data still on the AP awaiting pickup. Specify a DTIM period within the given range (1-255). The measurement is in beacons. For example, if you set this field to 1, clients will check for buffered data on the AP at every b
116. The administrator can configure authentication servers for LDAP authentication. After configuring the servers with the below listed parameters, whenever a user tries to authenticate, the client will send an LDAP Request to the server and the server sends back the LDAP Response determining authentication success. Authentication Server 1: The IP address of the primary authentication server. Authentication Server 2: The IP address of the secondary authentication server; it is an optional field. Authentication Server 3: The IP address of the tertiary authentication server; it is an optional field. LDAP attribute 1-4: These are attributes related to LDAP users configured in the LDAP server and defined by the LDAP server administrator. These may include attributes like SAM account name, Associated Domain Name and so on. These can be used to distinguish between different users having the same user name. LDAP Base DN: LDAP authentication requires the base domain name; contact your administrator for the Base DN to use LDAP authentication for this domain. This Domain name is for Authentication Server. Second LDAP Base DN (optional): Base domain name for Authentication Server2, if in use. Third LDAP Base DN (optional): Base domain name for Authentication Server3, if in use. Ti
117. This page shows a list of clients' MAC addresses blocked by admin. 2.6.7 Hotspot Hotspot support is a feature that offers Internet access over a wireless local area network (WLAN) through the use of a router connected to a link to an Internet service provider. Hotspots typically use Wi-Fi to offer clients internet service via approval through the captive portal. The typical Hotspot application is an administrator at a front desk or reception granting temporary user accounts for internet access through a captive portal. This portal will have an SLA and associated billing profile. Whenever the front desk admin creates new temporary user accounts, the admin will have to push these temporary accounts to the peer controller manually via the DWC GUI. However, in a clustering setup, temporary users created in one controller will be pushed automatically to the peer controller. The billing profiles associated with that user will have to be pushed manually to peer controllers in advance. This will allow the auto synchronization of temporary user
118. AP Failure Traps: If you enable this field, the SNMP agent sends a trap if an AP fails to associate or authenticate with the controller. AP State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons, each containing location objects: • Managed AP Discovered • Managed AP Failed • Managed AP Unknown Protocol Discovered • Managed AP Load Balancing Utilization Exceeded. Client Failure Traps: If you enable this field, the SNMP agent sends a trap with failure info for clients authenticated by AP(s) managed by the controller, with each trap containing location objects: • Client Association Failure • Client Authentication Failure. Client State Change Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons associated with the wireless client, each containing location objects: • Client Association Detected • Client Disassociation Detected • Client Roam Detected. Peer Controller Traps: If you enable this field, the SNMP agent sends a trap for one of the following reasons associated with a peer controller: • Peer Controller Discovered • Peer Controller Failed • Peer Controller Unknown Protocol Discovered • Configuration command received from peer controller. The controller need not be
119. [Screenshot: DEVICE STATUS. This page displays the current settings and displays a snapshot of the system information.] Figure 52: Device Status display (continued) 4.1.3 Wireless LAN AP information Status > Device Info > Wireless LAN AP Information The Managed AP status pages allow you to access configuration and association information about managed APs and thei
120. VLAN Configuration: This page allows user to configure the port VLAN. 2.3.3 Multiple VLAN Subnets Setup > VLAN Settings > Multiple VLAN Subnets Each configured VLAN ID can map directly to a subnet within the LAN. Each LAN port can be assigned a unique IP address, and a VLAN-specific DHCP server can be configured to assign IP address leases to devices on this VLAN. VLAN ID: The PVID of the VLAN that will have all member devices be part of the same subnet range. IP Address: The IP address associated with a port assigned this VLAN ID. Subnet Mask: Subnet Mask for the above IP Address. The following actions are supported from this page: Edit: The Edit button will link to the Port VLAN Configuration page, allowing you to make changes to the selected port VLAN attributes. Figure 24: Multiple VLAN Subnets. This page shows a list of available multi VLAN subnets. User can even edit the multi VLANs from
121. Provision: Initiate provisioning for the selected AP. You can provision an AP only from the cluster controller. After the AP is provisioned, it should become managed by the controller with the configured Primary IP Address and appear in the AP provisioning database as a managed AP. Edit: Edit the parameters of the selected AP from the AP provisioning list. Refresh: Updates the page with the latest information. 5.6 Manual Management Setup > AP Management > Manual Management When the AP is in Managed mode, remote access to the AP is disabled. From the Manual Management page, you can also manually change the RF channel and power for each radio on an AP. The manual power and channel changes override the settings configured in the AP profile (including automatic channel selection) and take effect immediately. The manual channel and power assignments are not retained when the AP is reset or if the profile is reapplied to the AP, such as when the AP disassociates and re-associates with the controller. Figure 96: Manual Management. AP managed by the Unified Wireless Switch is listed by its MAC address and location. The location is based on the value in the RADIUS or local Valid AP database.
122. S Managed AP group, we can use the WDS AP Link Configuration page to configure the WDS links between the APs that are members of the group. Figure 179: WDS AP Link Configuration. The following fields are available on the WDS AP Link Configuration page. Note: After changing WDS Managed AP group settings, make sure to push the configuration to other controllers in the cluster. Select the ID associated with the group to configure. Source AP MAC Address: MAC Address of the source AP. The AP must be included in the selected WDS group. Note: The WDS links are bidirectional. The terms Source and Destination simply reflect the WDS link endpoints specified when the WDS link is created. Source Radio: The radio number of the WDS link endpoint on the source AP. Dest AP MAC Address: The MAC address of the destination AP in the group. Destination Radio: The radio number of the WDS link endpoint on the destination AP. STP Link Cost S
123. SID Status. Status > Wireless Client Info > Associated Clients > SSID Status. Each managed AP can have up to 16 different networks that each has a unique SSID. Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID. SSID: Indicates the network on which the client is connected. Client MAC Address: The Ethernet address of the client station. Figure 81: Associated Client SSID Status. The following actions are supported from this page: Disassociate: Disassociates the client from the managed AP. View Client Details: Display associated client details. Refresh: Updates the page with the latest information. 4.8.4 Associated Client VAP Status. Status > Wireless Client Info > Associated Clients > VAP Status. Each AP has 16 Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). The VAP Associated Client Status page, which shows information about the VAPs on the managed AP that
124. SSL VPN Client Route Configuration: The Configured Client Routes entries are the routing entries which will be added by the SSL VPN Client such that only traffic to these destination addresses is redirected through the SSL VPN tunnels. All other traffic is redirected using the native network interface of the hosts (SSL VPN Clients). For example, if the SSL VPN Client wishes to access the LAN network, then in SPLIT Tunnel mode you should add the LAN subnet as the Destination Network. 9.4.1 Creating Portal Layouts. Setup > VPN Settings > SSL VPN Server > Portal Layouts. The controller allows you to create a custom page for remote SSL VPN users that is presented upon authentication. There are various fields in the portal that are customizable for the domain, and this allows the controller administrator to communicate details such as login instructions, available services, and other usage details in the portal visible to remote users. During domain setup, configured portal layouts are available to select for all users authenticated by the domain. Note: The default portal LAN IP address is https://192.168.10.1/scgi-bin/userPortal/portal. This is the same page that opens when the User Portal link is clicked on the SSL VPN menu of the controller GUI. The con
125. WLAN Configuration Setup Wizard: If you would like to utilize our easy to use Web based Wizards to assist you in connecting your new D-Link Wireless Controller, click on the button below. Note: Before launching these wizards, please make sure you have followed all steps outlined in the Quick Installation Guide included in the package. Wireless Network Setup Wizard helps user to get wireless network up and running via easy steps. Step 1: Wireless Global Configuration. Step 2: Wireless Default Profile Configuration. Step 3: Wireless Default Radio Configuration. Step 4: Wireless Default VAP Configuration. Step 5: Valid Access Point Summary. Step 6: Save Settings and Connect. Wireless Global Configuration. Country Code: Select the country code that represents the country where your controller and APs operate. Make sure you select the correct country code so that your WLAN system complies with the regulations in your country. Note: Changing the country code disables and re-enables the controller. Any channel and radio mode settings that are invalid for the regulatory domain are reset to the default values. The country code (IEEE 802.11d) is transmitted in beacons and probe responses from the access points. Wireless D
126. Type: The type of Authentication in use by the profile: Auto Negotiate, PAP, CHAP, MS-CHAP, MS-CHAPv2. Dhcpv6 Options: The mode of Dhcpv6 client that will start in this mode: disable dhcpv6, stateless dhcpv6, stateful dhcpv6, stateless dhcpv6 with prefix delegation. Primary DNS Server: Enter a valid primary DNS Server IP Address. Secondary DNS Server: Enter a valid secondary DNS Server IP Address. Click Save Settings to save your changes. Checking Option Status. Setup > Internet Settings > Option1 Settings > Option 1 Status. The status and summary of configured settings for both Option 1 and Option 2 are available on the Option Status page. You can view the following key connection status information for each Option port. MAC Address: MAC Address of the Option port. IPv4 Address: IP address of the Option port followed by the Option subnet. Option State: Indicates the state of the Option port (UP or DOWN). NAT (IPv4 only): Indicates if the security appliance is in NAT mode (enabled) or routing mode (disabled). IPv4 Connection Type: Indicates if the Option IPv4 address is obtained dynamically through a DHCP server, or assigned statically by the user, or obtained through a PPPoE (Username/Password), PPTP (Username/Password), L2TP (Username/Password), Japanese multiple PPPoE, Russian dual access PPPoE, Russian dual access PPTP, or Russian dual access L2TP ISP connection. IPv4 Connection State: Indicates if the Option is connected to the Intern
127. US server name. Rogue Detected Trap Interval: Specify the interval, in seconds, between transmissions of the SNMP trap telling the administrator that rogue APs are present in the RF Scan database. If you set the value to 0, the trap is never sent. De-Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the de-authentication messages sent by wireless clients. De-Authentication Requests Threshold Value: If controller receives more than specified messages during the threshold interval, the test triggers. Authentication Requests Threshold Interval: Specify the number of seconds an AP should spend counting the authentication messages sent by wireless clients. Authentication Requests Threshold Value: If controller receives more than specified messages during the threshold interval, the test triggers. Probe Requests Threshold Interval: Specify the number of seconds an AP should spend counting the probe messages sent by wireless clients. Probe Requests Threshold Value: Specify the number of probe requests a wireless client is allowed to send during the threshold interval before the event is reported as a threat. Authentication Failure Threshold Value: Specify the number of 802.1X authentication failures a client is allowed to have before the event is reported as a threat. Figure 176: WIDS Client Configuration. The settings you config
128. User Manual: Wireless Controller. D-Link Corporation, Copyright 2014. http://www.dlink.com. User Manual: DWC-1000 Wireless Controller, Version 3.01. Copyright 2014. Copyright Notice: This publication, including all photographs, illustrations and software, is protected under international copyright laws, with all rights reserved. Neither this manual, nor any of the material contained herein, may be reproduced without written consent of the author. Disclaimer: The information in this document is subject to change without notice. The manufacturer makes no representations or warranties with respect to the contents hereof and specifically disclaim any implied warranties of merchantability or fitness for any particular purpose. The manufacturer reserves the right to revise this publication and to make changes from time to time in the content hereof without obligation of the manufacturer to notify any person of such revision or changes. Limitations of Liability: UNDER NO CIRCUMSTANCES SHALL D-LINK OR ITS SUPPLIERS BE LIABLE FOR DAMAGES OF ANY CHARACTER (E.G. DAMAGES FOR LOSS OF PROFIT, SOFTWARE RESTORATION, WORK STOPPAGE, LOSS OF SAVED DATA OR ANY OTHER COMMERCIAL DAMAGES OR LOSSES) RESULTING FROM THE APPLICATION OR IMPROPER USE OF THE D-LINK PRODUCT OR FAILURE OF THE PRODUCT, EVEN IF D-LINK IS INFORMED OF THE POSSIBILITY OF SUCH DAMAGES. FURTHERMORE, D-LINK WILL NOT BE LIABLE FOR THIRD PARTY CLAIMS A
129. WL 8600AP Dual Radio a/b/g/n, 1 to 255. Profile Name: The Access Point profile name you added. Use 0 to 32 characters. Only alphanumeric characters are allowed. No special characters are allowed. Hardware Type: Select the hardware type for the APs that use this profile. The hardware type is determined, in part, by the number of radios the AP supports (single or dual) and the IEEE 802.11 modes that the radio supports (a/b/g or a/b/g/n). The options available in the Hardware Type ID are: DWL-8600AP & DWL-6600AP Dual Radio a/b/g/n; DWL-3600AP & DWL-2600AP Single Radio b/g/n; DWL-8610AP Dual Radio a/b/g/n/ac. Wired Network Discovery VLAN ID: Enter the VLAN ID that the controller uses to send tracer packets in order to detect APs connected to the wired network. AP Profile. Advanced > AP Profile. Access point configuration profiles are a useful feature for large wireless networks with APs that serve a variety of different users. You can create multiple AP profiles on the Controller to customize APs based on location, function, or other criteria. Profiles are like templates, and once you create an AP profile, you can apply that profile to any AP. Figure 41: AP Profile List. From the Access Point Profile Summary page, you can create, copy, or delete AP profiles. You can create up to 16 AP profile
130. achability, the administrator can use the Server Checking option. When the administrator clicks on the server checking button, the server reachability status for the configured servers is returned. 11.7.3 LDAP Settings. Setup > External Authentications > LDAP Settings. LDAP (Lightweight Directory Access Protocol) is often used by organizations as a central repository for user information and as an authentication service. It is an application protocol for accessing and maintaining distributed directory. This appliance uses port 389 for binding the LDAP authentication server. Figure 182: LDAP Authentication Configuration. This page allows a user to configure authentication servers for LDAP authentication.
131. acility or Tools > Log Settings > Logs Configuration pages, the corresponding log message will be displayed in this window with a timestamp. Note: It is very important to have accurate system time (manually set or from an NTP server) in order to understand log messages. Status > Logs > VPN Logs. Note: The following feature is available upon licensed activation of VPN / Firewall features for the system. This page displays IPsec VPN log messages as determined by the configuration settings for facility and severity. This data is useful when evaluating IPsec VPN traffic and tunnel health. Figure 195: VPN logs displayed in GUI event viewer. Status > Logs > SSLVPN Logs. Note: The following feature is available upon licensed activation of VPN / Firewall features for the system. This page displays SSLVPN log messages as determined by the configuration settings for facility and severity. This data is useful when evaluating SSL VPN traffic and tunnel health. Figure 196: SSL VPN log
132. agement Information Base (MIB) file, the manager can update the controller hierarchical variables to view or update configuration parameters. The controller as a managed device has an SNMP agent that allows the MIB configuration variables to be accessed by the Master (the SNMP manager). The Access Control List on the controller identifies managers in the network that have read-only or read-write SNMP credentials. The Traps List outlines the port over which notifications from this controller are provided to the SNMP community (managers) and also the SNMP version (v1, v2c, v3) for the trap. Figure 187: SNMP Users, Traps, and Access Control. Simple Network Management Protocol (SNMP) lets you monitor and manage your router from an SNMP manager. SNMP provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. Users shown in the figure (Name, Privilege, Security level): admin, RWUSER, NoAuthNoPriv; guest, ROUSER, NoAuthNoPriv. Tools > Admin > SNMP System Info. The controller is identified by an SNMP manager via the System Information. The identifier settings The SysName set
133. ailable to carry traffic over more than one link. Protocol bindings are used to segregate and assign services over one Option port in order to manage internet flow. The configured failure detection method is used at regular intervals on all configured Option ports when in Load Balancing mode. DWC-1000 currently supports three algorithms for Load Balancing. Round Robin: This algorithm is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower speed link. Protocol binding is explained in the next section. Spill Over: If the Spill Over method is selected, Option 1 acts as a dedicated link till a threshold is reached. After this, Option 2 will be used for new connections. You can configure spill-over mode by using the following options. Load Tolerance: It is the percentage of bandwidth after which the controller switches to secondary Option. Max Bandwidth: This sets the maximum bandwidth tolerable by the primary Option. If the link bandwidth goes above the load tolerance value of max bandwidth, the controller will spill over the next connections to secondary Option. For example, if the maximum bandwidth of primary Option is 1 Kbps and the load tolerance is set to 70 Now e
134. Option1 Setup: This page allows you to set up your Internet connection. Ensure that you have the Internet connection information such as the IP Addresses, Account Information etc. This information is usually provided by your ISP or network administrator. Most PPPoE ISP's use a single control and data connection, and require username / password credentials to login and authenticate the DWC-1000 with the ISP. The ISP connection type for this case is PPPoE (Username/Password). The GUI will prompt you for authentication, service, and connection settings in order to establish the PPPoE link. For some ISP's, most popular in Japan, the use of Japanese Multiple PPPoE is required in order to establish concurrent primary and secondary PPPoE connections between the DWC-1000 and the ISP. The Primary connection is used for the bulk of data and internet traffic and the Secondary PPPoE connection carries ISP specific (i.e. control) traffic between the DWC-1000 and the ISP. Figure 100: Option1 configuration for Japanese Multiple PPPoE (part 1).
135. amic routing RIP; Figure 108: Static route Configuration fields; Figure 109: OSPF v2 status (IPv4); Figure 110: OSPFv3 status (IPv6); Figure 111: OSPFv2 Configuration; Figure 112: 6to4 Tunneling; Figure 113: IPv6 Tunnel Status display; Figure 114: ISATAP Tunnel Configuration; Figure 115: IGMP Setup; Figure 116: Physical Option port settings; Figure 117; Figure 118: List of Available Firewall Rules
136. and packets dropped by the interface. Click refresh to have this page retrieve the most current statistics. Figure 55: Resource Utilization statistics. This page displays the resources being used in the system currently. This page also shows the bandwidth used in form of bar graphs. Figure 56: Resource Utilization data (continued). 4.2 Traffic Statistics. 4.2.1 Wired Port Statistics. Status > Traffic Monitor > Device Statistics. Detailed transmit and receive statistics for each physical port are presented here. Each interface (Option1, Option 2/DMZ, LAN, and VLANs) has port-specific packet-level information provided for review. Transmitted/received packets, port collisions, and the cumulating bytes/sec for transmit/receive directions are provided for each interface along with the port up time. If you suspect issues with any of the wired ports, this table will help diag
137. annel/Power Adjust page. From that page, you can set a new power level for the AP. The manual power change overrides the power setting configured in the AP profile, and is not retained when the AP reboots or when the AP profile is reapplied. Chapter 6. Connecting to the Internet: Option Setup. This controller has two Option ports that can be used to establish a connection to the internet. The following ISP connection types are supported: DHCP, Static, PPPoE, PPTP, L2TP. It is assumed that you have arranged for internet service with your Internet Service Provider (ISP). Please contact your ISP or network administrator for the configuration information that will be required to setup the controller. Note: The ISP Connection types PPPoE, PPTP, L2TP, and the NAT / Transparent mode feature are available upon licensed activation of VPN / Firewall features for the system. 6.1 Internet Connection Setup Wizard. Setup > Wizard > Internet. The Internet Connection Setup Wizard is available for users new to networking. By going through a few straightforward configuration pages you can take the information provided by your ISP to get your Option connection up and enable internet access for your network. Figure 97: Internet Connection Setup Wizard.
138. arding allow users to access the private network servers by using a hostname instead of an IP address. The FQDN corresponding to the IP address is defined in the port forwarding host configuration section. Local server IP address: The IP address of the local server hosting the application. The application should be configured in advance. Fully qualified domain name: The domain name of the internal server is to be specified. Once the new FQDN is configured, it is displayed in a list of configured hosts for port forwarding. Note: Defining the hostname is optional, as the minimum requirement for port forwarding is identifying the TCP application and local server IP address. The local server IP address of the configured hostname must match the IP address of the configured application for port forwarding. Figure 161: List of Available Applications for SSL Port Forwarding. The Port Forwarding page allows you to detect and re-route data sent from remote users to the SSL VPN gateway to predefined applications running on private networks. 9.4 SSL VPN Client Configuration. Setup > VPN Settings
139. ardware supports one radio or two radios. Image Type: Specifies the type of software the hardware requires. Figure 78: AP Hardware Capability. From the AP Hardware Capability page, you can access summary information about the AP Hardware support, the radios and IEEE modes supported by the hardware, and the software images that are available for download to the APs. Each Radio will allow you to find out more information in the View Radio Details button. The following information is captured for each radio. 802.11a Support: Shows whether support for IEEE 802.11a mode is enabled. Radio Type Description: Displays the type of radio, which might contain information such as the manufacturer name and supported IEEE 802.11 modes. 802.11bg Support: Shows whether support for IEEE 802.11bg mode is enabled. VAP Count: Displays the number of VAPs the radio supports. 802.11n Support: Shows whether support for IEEE 802.11n mode is enabled. 802.11ac Support: Shows whether support for IEEE 802.11ac mode is enabled. 4.8 Wireless Client Status. 4.8.1 Client Status. Status > General > Clients
140. ated. The valid values are: Associated: The client is currently associated to the managed AP. Authenticated: The client is currently associated and authenticated to the managed AP. Disassociated: The client has disassociated from the managed AP. If the client does not roam to another managed AP within the client roam timeout, it will be deleted. Disassociate: Disassociates the client from the managed AP. View Details: For each client associated with an AP that the controller manages, you can view detailed status information about the client and its association with the access point. View Neighbour Status: The associated client status shows information about access points that the client detects. The information on this page can help you determine the managed AP an associated client might use for roaming. View Distributed Tunneling Status: The associated client status shows information about access points that the client detects. The AP-AP tunnelling mode is used to support L3 roaming for wireless clients without forwarding any data traffic to the wireless controller. View SSID Details: Each managed AP can be from different networks that each have a unique SSID. Although several wireless clients might be connected to the same physical AP, they might not connect by using the same SSID. The WLAN > Monitoring > Client > Associated Clients > SSID Status page lists t
141. ation to display. Each peer controller is identified by its IP address. Figure 77: Configuration Receive Status. The Peer Controller Configuration Received Status page provides information about the configuration a controller has received from one of its peers. 4.7.7 AP Hardware Capability. Status > Global Info > AP H/W Capability. The controller can support APs that have different hardware capabilities, such as the supported number of radios, the supported IEEE 802.11 modes, and the software image required by the AP. From the AP Hardware Capability tab, you can access summary information about the AP Hardware support, the radios and IEEE modes supported by the hardware, and the software images that are available for download to the APs. Hardware Type: Identifies the ID number assigned to each AP hardware type. The controller supports up to six different AP hardware types. Hardware Type Description: Includes a description of the platform and the supported IEEE 802.11 modes. Radio Count: Specifies whether the h
142. Profile Name: Each profile uses a unique Name to identify itself. This profile name will be displayed whenever the front desk user logs in to the front desk page to create temporary users. Profile Description: A helpful description of the purpose / intent of this profile can be noted here for future administrator reference. Allow Multiple Login: Selecting this option will allow multiple wireless users to employ the same captive portal login credentials created for this profile to login simultaneously. Allow customized account on Front Desk: This option will let the front desk user, who can administer captive portal credentials, give a customized account name to the captive portal users being created on this profile. Allow batch generation on Front Desk: Selecting this option enables the front desk user to generate a batch of temporary CP users at one click. Session Idle Timeout: This defines the Idle timeout for CP users generated for this profile. Show alert message on login page while rest of usage time/traffic under: Enter a value here in Hours/Days/MB/GB to get an alert message when the usage time/traffic left reaches the desired limit. By default, if 0 is entered, it implies no alert message is required. Basic Limit by Duration: This section is used to configure the paramete
143. be restricted to a subset of IP addresses. The controller administrator can define a known PC, single IP address, or range of IP addresses that are allowed to access the GUI with HTTPS. The opened port for SSL traffic can be changed from the default of 4443 at the same time as defining the allowed remote management IP address range. Figure 186: Remote Management. From this page a user can configure the remote management feature. This feature can be used to manage the box remotely from the Option side. 12.2 CLI Access. In addition to the web-based GUI, the gateway supports SSH and Telnet management for command-line interaction. The CLI login credentials are shared with the GUI for administrator users. To access the CLI, type "cli" in the SSH or console prompt and login with administrator user credentials. 12.3 SNMP Configuration. Tools > Admin > SNMP. SNMP is an additional management tool that is useful when multiple controllers in a network are being managed by a central Master system. When an external SNMP manager is provided with this controller Man
144. ble redirection for captive portal user after login to the captive portal page successfully. This is available for SLA, Permanent User, and Temporary User types. For the SLA type, the user will be redirected to the SLA page or the logout page based on the user agreement on the re-directed page. URL: This field accepts the redirection URL if Enable Redirect is selected. This is the site that the user will be taken to after successful portal login. Authentication Server: This lists the available authentication servers, among which one can be selected for this VLAN. All users logging into the captive portal for this VLAN are authenticated through the selected server. This option appears only if Captive Portal type is selected as Permanent user. The list of available authentication servers is Local User Database, RADIUS Server, LDAP Server, and POP3. Whenever a Permanent user tries to login to the captive portal, the user will be authenticated based on the Authentication server type selected by the admin while configuring VLAN. Authentication Type: This option is available for RADIUS authentication servers. The available authentication types are PAP, CHAP, MSCHAP, MSCHAPV2. Based on the Authentication type configured by the admin in VLAN, the portal user will be authenticated. Captive Portal Profile: The configured and available captive portal login profiles are shown here. Any of the available profiles can be used for the configuring VLAN. Create
145. Selecting an SSID and clicking Edit will allow that SSID to be associated with a Captive Portal profile. The Captive Portal Configuration page will be available for that SSID. Figure 30: Associating a Captive Portal to a specific SSID. This page allows you to add a new captive Portal Policy or edit the configuration of an existing Policy. The details will then be displayed in the List of Captive Portal Policies table on the Captive Portal Setup page. The fields of this configuration page match that of the VLAN Configuration page
146. ce or VAP MAC. SSID: Service Set ID of the network, which is broadcast in the detected beacon frame. Physical Mode: Indicates the 802.11 mode being used on the AP. Channel: Transmit channel of the AP. Status: Indicates the managed status of the AP, whether this is a valid AP known to the controller or a Rogue on the network. The valid values are:
• Managed: The neighbor AP is managed by the wireless system.
• Standalone: The AP is managed in standalone mode and configured as a valid AP entry (local or RADIUS).
• Rogue: The AP is classified as a threat by one of the threat detection algorithms.
• Unknown: The AP is detected in the network but is not classified as a threat by the threat detection algorithms.
Age: Time since this AP was last detected in an RF scan. Status entries for the RF Scan Status page are collected at a point in time and eventually age out. The age value for each entry shows how long ago the controller recorded the entry. Figure 70: AP RF Scan Status (table columns include SSID, Physical Mode, Channel and Status).
147. Figure 74 Peer Controller Configuration Status; Figure 75 Peer Controller Managed AP Status; Figure 76 IP Discovery; Figure 77 Configuration Receive Status; Figure 78 AP Hardware Capability; Figure 79 Client Statistics; Figure 80 Associated Client Status; Figure 81 Associated Client SSID Status; Figure 82 Associated Client VAP Status; Figure 83 Controller Associated Client Status; Figure 84 Detected Client Status
148. ced wireless security function, including rogue AP detection, captive portal, and wireless intrusion detection system (WIDS), offers strong wireless network protection, avoiding attacks from hackers. After license upgrade, optimal network security is provided via features such as virtual private network (VPN) tunnels, IP Security (IPsec), Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and Secure Sockets Layer (SSL). Empower your road warriors with clientless remote access anywhere and anytime using SSL VPN tunnels. There are three types of licenses available to activate increased functionality for the DWC. These licenses are not activated by default. 1. VPN license upgrade enables the following features: ISP Connection types PPPoE PPTP L2TP, NAT Transparent mode, Option2 DMZ port, IP Aliasing, Dynamic Routing RIP, VPN PPTP client server, L2TP client server, SSLVPN, OpenVPN, Intel AMT, Dynamic DNS, Website Filter, Application Rules, Firewall Rules, UPNP, IGMP proxy and ALG SMTP ALG. 2. AP license upgrades the number of APs the controller can manage. You can upgrade up to 3 AP licenses. By default, the DWC-1000 can manage up to 6 APs. You increase the number by 6 upon each AP license. 3. WCF License is a powerful dynamic web filtering function that can be used in many places. It is ideal for companies that want to ensure that employees aren't wasting time online, schools that want to prevent their students from
149. List of Configured Billing Profiles; Figure 34 Billing Profiles Configuration Settings; Figure 35 List of MAC addresses not allowed to authenticate via the Captive Portal; Figure 36 Login prompt for Front Desk users; Figure 37 WLAN global configuration; Figure 38 Configuring the Wireless Discovery; Figure 39 Wireless Discovery Status; Figure 40 AP Profile Global Configuration; Figure 41 AP Profile List; Figure 42 AP Profile Radio Configuration Part 1
150. ces after they log in to the User Portal and launch the Port Forwarding service. Traffic from the remote user to the controller is detected and re-routed based on configured port forwarding rules. Internal host servers or TCP applications must be specified as being made accessible to remote users. Allowing access to a LAN server requires entering the local server IP address and TCP port number of the application to be tunneled. The table below lists some common applications and corresponding TCP port numbers. TCP Application: FTP Data (usually not needed); FTP Control Protocol; SMTP (send mail); HTTP (web); POP3 (receive mail); NTP (network time protocol); Terminal Services; VNC (virtual network computing), 5900 or 5800. As a convenience for remote users, the hostname (FQDN) of the network server can be configured to allow for IP address resolution. This host name resolution provides users with easy-to-remember FQDNs to access TCP applications instead of error-prone IP addresses when using the Port Forwarding service through the SSL User Portal. To configure port forwarding, the following are required: Local Server IP address: The IP address of the local server which is hosting the application. TCP port: The TCP port of the application. Once the new application is defined, it is displayed in a list of configured applications for port forw
151. Figure 98 Manual Option1 configuration; Figure 99 PPPoE configuration for Standard ISPs; Figure 100 Option1 configuration for Japanese Multiple PPPoE part 1; Figure 101 Option1 configuration for Multiple PPPoE part 2; Figure 102 Russia L2TP ISP Configuration; Figure 103 IPv6 Options Setup Page; Figure 104 Connection Status information of Option; Figure 105 Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined; Figure 106 Protocol binding setup to associate a service and/or LAN source to an Option and/or destination network; Figure 107 Routing Mode is used to configure traffic routing between Option and LAN as well as Dyn
152. cess the internal domain of the ISP where he hosts various services. These routes can even be configured through the static routing page as well. Figure 101: Option1 configuration for Multiple PPPoE, part 2 (Secondary PPPoE Profile Configuration with Address Mode, IP Address, IP Subnet Mask, User Name, Password, Service, Authentication Type, Reconnect Mode and Maximum Idle Time; Secondary PPPoE Domain Name System (DNS) Servers; MAC Address). 6.2.5 Russia L2TP and PPTP Option. For Russia L2TP Option connections, you can choose the address mode of the connection to get an IP address from the ISP or configure a static IP address provided by the ISP. For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host. Figure 102: Russia L2TP ISP configuration (OPTION1 SETUP page). This page allows you to set up your Internet connection. Ensure that you have
153. channel information that displays on the page is only for the radio you select. Operational Status: This field shows whether the controller is using the automatic channel adjustment algorithm on the AP radios. Last Iteration: The number in this field indicates the most recent iteration of channel plan adjustments. The APs that received a channel adjustment in previous iterations cannot be assigned new channels in the next iteration, to prevent the same APs from being changed time after time. Last Algorithm Time: Shows the date and time when the channel plan algorithm last ran. AP MAC Address, Location, Radio, Iteration, Channel: This table displays the channel assigned to an AP in an iteration of the channel plan. Figure 90: Channel Plan History (screenshot of the CHANNEL PLAN HISTORY page showing no channel plan history entries). 5.2.3 Manual Channel Plan. Setup > AP Management > RF Management > Manual Channel Plan. If you specify Manua
154. cks whether the client has exceeded the configured rate for transmitting 802.11 authentication requests. Configured Probe Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting probe requests. Configured De-Authentication Requests Rate Test: This test checks whether the client has exceeded the configured rate for transmitting de-authentication requests. Maximum Authentication Failures Test: This test checks whether the client has exceeded the maximum number of failed authentications. Authentication with Unknown AP Test: This test checks whether a client in the Known Client database is authenticated with an unknown AP. Client Threat Mitigation: Select enable to send de-authentication messages to clients that are in the Known Clients database but are associated with unknown APs. The Authentication with Unknown AP Test must also be enabled in order for the mitigation to take place. Select disable to allow clients in the Known Clients database to remain authenticated with an unknown AP. Known Client Database Lookup Method: When the controller detects a client on the network, it performs a lookup in the Known Client database. Specify whether the controller should use the local or RADIUS database for these lookups. Known Client Database RADIUS Server Name: If the known client database lookup method is RADIUS, then this field specifies the RADI
155. client stations, that is, the interval of time when a WMM client station has the right to initiate transmissions on the wireless network. Figure 46: AP Profile QoS configuration, Part 2 (Station EDCA Parameters for Data 0 Voice, Data 1 Video, Data 2 Best Effort and Data 3 Background: AIFS, cwMin, cwMax, TXOP Limit). Chapter 3. Configuring Wireless LAN. 3.1 WLAN Setup Wizard. Setup > Wizard > WLAN Settings. The WLAN controller can manage external APs and also act as an AP for wireless LAN clients. The Wireless Wizard is a user-friendly approach to configure a wireless LAN connection using the controller's built-in 802.11 radio. It allows you to aim your wireless adapter, measure network performance, and quickly identify and fix wireless broadband problems. The Wizard includes a Wi-Fi analyzer to easily identify the best channel and resolve interference issues. One can even compare the performance of his/her broadband network to networks around the world. Figure 47: The Wireless LAN setup Wizard launch
156. controller or in an external RADIUS server. When the controller discovers an AP that is not managed by another controller, it looks up the MAC address of the AP in the Valid AP database. If it finds the MAC address in the database, the controller validates the AP and assumes management. Select the database to use for AP validation and, optionally, for authentication if the Require Authentication Passphrase option is selected.
• Local: If you select this option, you must add the MAC address of each AP to the local Valid AP database.
• RADIUS: If you select this option, you must configure the MAC address of each AP in an external RADIUS server.
Require Authentication Passphrase: Select this option to require APs to be authenticated before they can associate with the controller. If you select this option, you must configure the passphrase on the AP while it is in standalone mode as well as in the Valid AP database. RADIUS Authentication Server Name: Enter the name of the RADIUS server used for AP and client authentications. The name can contain up to 32 alphanumeric characters. Spaces, underscores, and dashes are also permitted. The controller acts as the RADIUS client and performs all RADIUS transactions on behalf of the APs and wireless clients. RADIUS Authentication Server Configured: Indicates whether the RADIUS authentication server is configured. RADIUS Accounting Server Name: Enter the
157. controllers share some information about APs and allow L3 roaming among them. Peers are grouped according to the Group ID. Client Roam Timeout: This value determines how long to keep an entry in the Associated Client Status list after a client has disassociated. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. Ad Hoc Client Status Timeout: This value determines how long to keep an entry in the Ad Hoc Client Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. AP Failure Status Timeout: This value determines how long to keep an entry in the AP Authentication Failure Status list. Each entry in the status list shows an age, and when the age reaches the value you configure in the timeout field, the entry is deleted. MAC Authentication Mode: Select the global action to take on wireless clients in the white list. Select this option to specify that any wireless clients with MAC addresses that are specified in the Known Client database and are not explicitly denied access are granted access. If the MAC address is not in the database, then the access to the client is denied. Detected Clients Status Timeout: This value determines how long to keep an entry in the Detected Client Status list. Each entry in the status list shows an age, and when the age reaches the value you
158. MAC Address: Shows the MAC address of the AP. Location: Shows the AP location, which is based on the value configured in the RADIUS or local Valid AP database. Debug: To help you troubleshoot, you can enable Telnet access to the AP so that you can debug the device from the CLI. The Debug field shows the debug status and can be one of the following:
• Disabled
• Set Requested
• Set in Progress
• Enabled
To change the status, select the AP and click the Managed AP Debug button. Radio Interface: Identifies the radio to which the channel and power settings apply. Channel: Select the AP and click the Edit Channel Power button to access the Managed AP Channel Power Adjust page. From that page, you can set a new channel for Radio 1 or Radio 2. The available channels depend on the radio mode and country in which the APs operate. The manual channel change overrides the channel configured in the AP profile and is not retained when the AP reboots or when the AP profile is reapplied. Power: Select the AP and click the Edit Channel Power button to access the Managed AP Ch
159. d associated Group. This page shows a list of available users in the system. A user can add, delete and edit the users also. This page can also be used for setting policies on users. 9.1.1 Users and Passwords. Advanced > Users > Users. The user configurations allow creating users associated to a group. The user settings contain the following key components: User Name: This is the unique identifier of the user. First Name: This is the user's first name. Last Name: This is the user's last name. Select Group: A group is chosen from a list of configured groups. MultiLogin: Allow multiple users to log in with the same credentials assigned to this user. It is particularly useful for Captive Portal users. Password: The password associated with the user name. Confirm Password: The same password as above is required to mitigate against typing errors. It is recommended that passwords contain no dictionary words from any language and be a mixture of letters (both uppercase and lowercase), numbers, and symbols. The password can be up to 30 characters. Figure 156: User Configuration options
160. d in Section 2.6.5 are available for display on the Front Desk user's admin page. From this page, create a new temporary user ID and associate a pre-defined Billing Profile to this user. The Front Desk user will be able to leverage features like batch user generation, customized account names, or modifying usage limits for these temporary CP users if the admin has enabled the Billing Profile with this support. Section 2.6.2 outlines how to associate an SSID for Captive Portal authentication. For users given access by the Front Desk, the Captive Portal Type needs to be a temporary user. This will allow the usage limits to control the amount or duration of internet access. The last step to leverage this feature is to create a Front Desk group and assign a user to this group (i.e. username HotelAdmin). The Front Desk user HotelAdmin will be allowed to access the appliance's management interface via the following URL: <Controller_LAN_IP>/frontdesk. With the defined login credentials, the Front Desk user can now create and customize temporary accounts for internet access through the selected Billing Profile. Note: The entered URL of <Controller_LAN_IP>/frontdesk will redirect to <Controller_LAN_IP>/platform.cgi?page=billingDeskLogin.htm. I.e. if the LAN IP address is the default 192.168.10.1, then the Front Desk user's entry of 192.168.10.1/frontdesk in their browser's URL will redirect to http://192.168
161. dd: Will let you add a new profile. The maximum allowed number of profiles is 5, excluding default. Show Preview: Will show a preview of the page if a profile is selected. Figure 28: Adding or Editing a Custom Captive Portal (CUSTOMIZED CAPTIVE PORTAL SETUP page; fields include Profile Name, Browser Title, Page Background Image, Page Background Color, Custom Color, Minimal page for mobile devices, Header Background Color, Header Caption, Caption Font, Font Size and Font Color). Managing an existing or creating a new captive portal profile will direct the admin to the Customized Captive Portal Setup page. This page defines what the wireless client will see (messages, color, background, page titles, web page headers, etc.) as part of hitting the Captive Portal page. After customizing the profile the admin has access
162. ddress: Shows the MAC address of each AP managed by the peer controller. Peer Controller IP: Shows the IP address of the peer controller that manages the AP. This field displays when All is selected from the drop-down menu. Location: The descriptive location configured for the managed AP. AP IP Address: The IP address of the AP. Profile: The AP profile applied to the AP by the controller. Hardware ID: The Hardware ID associated with the AP hardware platform. Figure 75: Peer Controller Managed AP Status (the Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages). 4.7.5 IP Discovery. Status > Global Info > IP Discovery. The IP Discovery list can contain the IP addresses of peer controllers and APs for the wireless controller to discover and associate with as part of the WLAN. IP Address: Shows the IP address of the device configured in the IP Discovery list. Status: The status is in one of the following states: Not Polled: The controller has not attempted to contac
163. delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue. Data 1 (Video): High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue. Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). AIFS (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFS) specifies a wait time for data frames. The wait time is measured in slots. Valid values for AIFS are through 255. cwMin (Minimum Contention Window): This parameter is input to the algorithm that determines the initial random backoff wait time (window) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window. Valid
164. CoS Value: Value of the CoS in the PCP part of the LAN traffic. Priority Queue: Priority for the particular CoS value. 2.2.3 DSCP Configuration. Setup > QoS > IP DSCP Configuration. This page allows configuring IP DSCP values to which you can map an internal traffic class. Figure 13: Port DSCP Mapping (DSCP to Port Priority Queue Mapping). This page defines the map between the DSCP value in the packet and the associated priority it gets while traveling through the LAN switch.
165. domain name to be assigned to a device with a dynamic IP address. Dynamic Host Configuration Protocol: Protocol for allocating IP addresses dynamically so that addresses can be reused when hosts no longer need them. Domain Name System: Mechanism for translating H.323 IDs, URLs, or e-mail IDs into IP addresses. Also used to assist in locating remote gatekeepers and to map IP addresses to hostnames of administrative domains. Fully qualified domain name: Complete domain name including the host portion. Example: serverA.companyA.com. File Transfer Protocol: Protocol for transferring files between network nodes. Hypertext Transfer Protocol: Protocol used by web browsers and web servers to transfer files. Internet Key Exchange: Mode for securely exchanging encryption keys in ISAKMP as part of building a VPN tunnel. IP security: Suite of protocols for securing VPN tunnels by authenticating or encrypting IP packets in a data stream. IPsec operates in either transport mode (encrypts payload but not packet headers) or tunnel mode (encrypts both payload and packet headers). ISAKMP (Internet Key Exchange Security Protocol): Protocol for establishing security associations and cryptographic keys on the Internet. Internet service provider. MAC Address (Media access control address): Unique physical address identifier attached to a network adapter. Maximum transmission unit: Size in bytes of the
166. dress: Associate this address with a web server on the DMZ. If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses is used as the primary IP address of the controller. This address is used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your DMZ servers. The following addressing scheme is used to illustrate this procedure:
• Option IP address: 10.1.0.118
• LAN IP address: 192.168.10.1, subnet 255.255.255.0
• Web server host in the DMZ, IP address: 192.168.12.222
• Access to Web server: (simulated) public IP address 10.1.0.52
Insecure (Option 1 / Option 2); Send to Local Server (DNAT IP): 192.168.12.222 (web server local IP address); Destination Users: Single Address. Example 4: Block traffic by schedule if generated from specific range of machines. Use Case: Block all HTTP traffic on the weekends if the request originates from a specific group of machines in the LAN having a known range of IP addresses, and anyone coming in through the Network from the Option (i.e. all remote users). Configuration: 1. Setup a schedule:
• To setup a schedule that affects traffic on weekends only, navigate to Security Schedule and name the sc
167. ds: 10 Mbps, 100 Mbps and 1000 Mbps (i.e. Gbps). The default setting is 100 Mbps for all ports. The default MAC address is defined during the manufacturing process for the interfaces and can uniquely identify this controller. You can customize each Option port's MAC address as needed, either by letting the Option port assume the current LAN host's MAC address or by entering a MAC address manually. Figure 116: Physical Option port settings (OPTION PORT SETUP page; this page allows the user to configure advanced WAN options for the router). 6.11 IP Aliases. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Setup > Internet Settings > IP Aliases. The List of IP Aliases displays the configured IP Aliases on the controller. Figure 117: IP Aliases (this page displays the configured IP Aliases on Option interfaces; table columns: Interface Name, IP Address, Subnet Mask).
168. e: You can enable port forwarding for an incoming service-specific rule (From Zone: Option) by selecting the appropriate checkbox. This will allow the selected service traffic from the internet to reach the appropriate LAN port via a port forwarding rule. Translate Port Number: With port forwarding, the incoming traffic is forwarded to the port number entered here. External IP address: The rule can be bound to a specific Option interface by selecting either the primary Option or configurable port Option as the source IP address for incoming traffic. Note: This controller supports multi-NAT, and so the External IP address does not necessarily have to be the Option address. On a single Option interface, multiple public IP addresses are supported. If your ISP assigns you more than one public IP address, one of these can be used as your primary IP address on the Option port, and the others can be assigned to servers on the LAN or DMZ. In this way, the LAN/DMZ server can be accessed from the internet by its aliased public IP address. 7. Outbound rules can use Source NAT (SNAT) in order to map (bind) all LAN/DMZ traffic matching the rule parameters to a specific Option interface or external IP address (usually provided by your ISP). Once the new or modified rule parameters are saved, the rule appears in the master list of firewall rules. To enable or disable a rule, click the checkbox next to the rule in the list of firewall rules and ch
169. e IPv6 Prefix Length assigned to the LAN. Note: IPv4/IPv6 mode must be enabled in Advanced > IPv6 > Routing mode to enable IPv6 configuration options. LAN IP Address Setup: The default IPv6 LAN address for the router is fec0::1. You can change this 128-bit IPv6 address based on your network requirements. The other field that defines the LAN settings for the router is the prefix length. The IPv6 network (subnet) is identified by the initial bits of the address, called the prefix. By default this is 64 bits long. All hosts in the network have common initial bits for their IPv6 address; the number of common initial bits in the network's addresses is set by the prefix length field. Figure 7: IPv6 LAN and DHCPv6 configuration (IPV6 LAN CONFIG page). If you change the IP address and click Save Settings, the GUI will not respond. Open a new connection to the new IP address and log in again. Be sure the LAN host (the machine used to manage the router) has obtained an IP address from the newly assigned pool or has a static IP address in the router's LAN subnet before accessing the router via the changed IP address.
170. e Host and Domain Name, User Name. 12.9.1 Using Diagnostic Tools (Tools > System Check): The controller has built-in tools to allow an administrator to evaluate the communication status and overall network health. [Figure 200: Controller diagnostics tools available in the GUI. This page provides the user with some diagnostic tools like ping, traceroute, and packet sniffer. Sections: Ping or Trace an IP Address, Perform a DNS Lookup, Router Options (Display the IPv4 Routing Table, Display the IPv6 Routing Table, Capture Packets).] 12.9.2 Ping: This utility can be used to test connectivity between this controller and another device on the network connected to this controller. Enter an IP address and click PING. The command output will appear, indicating the ICMP echo request status. 12.9.3 Trace Route: This utility will display all the controllers present between the destination IP address and this controller. Up to 30 "hops" (intermediate controllers) between this controller and the destination will be displayed. 12.9.4 12.9.5 DNS Lookup: To retrieve the IP address of a Web, FTP, Mail or any other server on the Internet, type the Internet Name in the t
171. e logs from the controller. This remote device typically has fewer memory constraints than the local Event Viewer on the controller GUI, and thus can collect a considerable number of logs over a sustained period. This is typically very useful for debugging network issues or for monitoring controller traffic over a long duration. This controller supports up to 8 concurrent Syslog servers. Each can be configured to receive different log facility messages of varying severity. To enable a Syslog server, select the checkbox next to an empty Syslog server field and assign the IP address or FQDN to the Name field. The selected facility and severity level messages will be sent to the configured (and enabled) Syslog server once you save this configuration page's settings. [Figure 194: Syslog server configuration for Remote Logging (continued). Columns: Name, SysLog Facility, SysLog Severity; rows: SysLog Server1 through SysLog Server8.] 12.6.3 Event Log Viewer in GUI (Status > Logs > View All Logs): The controller GUI lets you observe configured log messages from the Status menu. Whenever traffic through or to the controller matches the settings determined in the Tools > Log Settings > Logs F
172. e Cluster Controller. The highest possible priority is 259 AP Client QoS: Enable or disable the client QoS feature. If AP Client QoS is disabled, the Client QoS configuration remains in place, but any ACLs or DiffServ policies applied to wireless traffic are not enforced. The Client QoS feature extends the primary QoS capabilities of the Unified Wireless controller to the wireless domain. More specifically, access control lists (ACLs) and differentiated service (DiffServ) policies are applied to wireless clients associated to the Apothem maximum MTU size of existing network infrastructure which is set up to controller and route 1518 1522 tagged byte frames. If you increase the tunnel IP MTU size, you must also increase the physical MTU of the ports on which the traffic flows. 11.2 SNMP Trap (Advanced > Global > General): Traps are asynchronous notifications sent from the SNMP agent to an SNMP manager. Traps allow an agent to notify the management station of significant events by way of an unsolicited SNMP message. The device can act as an agent and can send asynchronous notifications when certain events happen. The DWC-1000 supports both public and private traps. • Public traps include traps specified in RFC 1215. Details are in the SNMPv2-MIB.txt MIB file available with the DWC-1000 firmware. Example: the coldStart trap comes under snmpTraps, which has the value 1. • Private traps mainly consist of wireless traps. Details are in the dli
173. e compatible with legacy devices (802.11b/g or 802.11a). Mode (802.11b/g/n): The Mode defines the Physical Layer (PHY) standard the radio uses. Select one of the following modes for radio interface. IEEE 802.11b/g operates in the 2.4 GHz ISM band. IEEE 802.11b is an enhancement of the initial 802.11 PHY to include 5.5 Mbps and 11 Mbps data rates. It uses direct sequence spread spectrum (DSSS) or frequency hopping spread spectrum (FHSS) as well as complementary code keying (CCK) to provide the higher data rates. It supports data rates ranging from 1 to 11 Mbps. IEEE 802.11g is a higher speed extension (up to 54 Mbps) to the 802.11b PHY. It uses orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from to 54 Mbps. IEEE 802.11b/g/n operates in the 2.4 GHz ISM band and includes support for 802.11b, 802.11g, and 802.11n devices. 2.4 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 2.4 GHz frequency that do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a). Wireless Default VAP Configuration. SSID: Wireless clients identify a wireless network by the SSID, which is an alphanumeric key that uniquely identifies a wireless local area network. The SSID can be up to thirty-two characters in length, and there are no restrictions on the characters t
174. e for LAN TCP/IP settings (DHCP server). [Figure: LAN Setup page. The LAN Configuration page allows you to configure the LAN interface of the router, including the DHCP Server which runs on it. Fields shown: LAN IP Address Setup: 192.168.15.1, 255.255.255.0; DHCP Mode: DHCP Server; Starting IP Address: 192.168.15.100; Ending IP Address: 192.168.15.152; Default Gateway (Optional); Primary DNS Server; Secondary DNS Server; Domain Name; WINS Server; Lease Time; Relay Gateway.] [Figure 2: Setup page for LAN TCP/IP settings (DHCP Relay).] When DHCP relay is enabled, DHCP clients on the LAN can receive IP address leases and corresponding information from a DHCP server on a different subnet. Specify the Relay Gateway, and when LAN clients make a DHCP request it will be passed along to the server accessible via the Relay Gateway IP addr
175. e private network without any special network configuration on the remote SSL VPN client machine. [Figure: SSL VPN Client page. Fields shown: Client IP Address Range; Enable Split Tunnel Support; DNS Suffix (Optional); Primary DNS Server (Optional); Secondary DNS Server (Optional); Client Address Range Begin: 192.168.251.1; Client Address Range End: 192.168.251.254; LCP Timeout: 60 Seconds.] The controller allows full tunnel and split tunnel support. Full tunnel mode just sends all traffic from the client across the VPN tunnel to the controller. Split tunnel mode only sends traffic to the private LAN based on pre-specified client routes. These client routes give the SSL client access to specific private networks, thereby allowing access control over specific LAN services. Client level configuration supports the following. Enable Split Tunnel Support: With a split tunnel, only resources which are referenced by client routes can be accessed over the VPN tunnel. With full tunnel support (if the split tunnel option is disabled, the DWC-1000 acts in full tunnel mode), all addresses on the private network are accessible over the VPN tunnel. Client routes are not required. DNS Suffix: The DNS suffix name which will be given to the SSL VPN client. This configuration is optional. Primary DNS Server: DNS server IP address to se
176. e to re-synchronize in minutes. Set Date And Time: Year, Month, Day, Hours, Min, Sec. 12.6 Log Configuration: This controller allows you to capture log messages for traffic through the firewall, VPN, and over the wireless AP. As an administrator, you can monitor the type of traffic that goes through the controller and also be notified of potential attacks or errors when they are detected by the controller. The following sections describe the log configuration settings and the ways you can access these logs. 12.6.1 Defining What to Log (Tools > Log Settings > Logs Facility): The Logs Facility page allows you to determine the granularity of logs to receive from the controller. There are three core components of the controller, referred to as Facilities. Kernel: This refers to the Linux kernel. Log messages that correspond to this facility would correspond to traffic through the firewall or network stack. System: This refers to application and management level features available on this controller, including SSL VPN and administrator changes for managing the unit. Wireless: This facility corresponds to the 802.11 driver used for providing AP functionality to your network. Local1-UTM: This facility corresponds to IPS (Intrusion Prevention System), which helps in detecting malicious intrusion attempts from the Option. For each facility, the f
177. eX cache control web cleaner can be pushed from the gateway to the client browser whenever users log in to this SSL VPN portal. SSL VPN portal page to display: The user can either enable the VPN tunnel page or Port Forwarding, or both, depending on the SSL services to display on this portal. Once the portal settings are configured, the newly configured portal is added to the list of portal layouts. [Figure 164: SSL VPN Portal configuration. This page allows you to add a new portal layout or edit the configuration of an existing portal layout. The details will then be displayed in the List of Portal Layouts table on the SSL VPN Server > Portal Layouts page under the VPN menu. Fields: Portal Layout Name; Portal Site Title (Optional); Banner Title (Optional); Banner Message (Optional); Display banner message on login page; HTTP meta tags for cache control (recommended); ActiveX web cache cleaner; SSL VPN Portal Pages to Display: VPN Tunnel page, Port Forwarding.] Chapter 10. Advanced System Functionalities. 10.1 USB Device Setup (Setup > USB Settings > USB Status): The DWC-1000 Wireless controller has a USB interface for printer access, file sharin
178. eacon. If you set this field to 10, clients will check on every 10th beacon. Beacon Interval: Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). The Beacon Interval value is set in milliseconds. Enter a value from 20 to 2000. Automatic Channel: The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface. When the AP boots, each AP radio scans the RF area for occupied channels and selects a channel from the available non-interfering, or clear, channels. However, channel conditions can change during operation. Enabling the Automatic Channel makes the radio of APs assigned to this profile eligible for auto-channel selection. You can automatically or manually run the auto-channel selection algorithm to allow the DWC-1000 controller to adjust the channel on APs as WLAN conditions change. Automatic Power: The power level affects how far an AP broadcasts its RF signal. If the power level is too low, wireless clients will not detect the signal or will experience poor WLAN performance. If the power level is too high, the RF signal might interfere with other APs within range. Automatic power uses a proprietary algorithm to automatically adjust the RF signal to
179. eader: Selects all the defined browsers in the table. Delete: Deletes the selected browser(s). You can add to the list of Defined Browsers by selecting a client browser from the drop-down menu and clicking Add. This browser will then appear in the above list of Defined Browsers. Click Save Settings to save your changes. [Figure 153: Browser policies options. This page allows the user to add browser-specific policies for available users. Sections: Group Policy By Client Browser, Defined Browsers, Add Defined Browser.] Policy by IP: To set policies by IP for the group, select the corresponding group and click Policy by IP. The following parameters are configured. Group Name: This is the name of the group that can have its login policy edited. Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller GUI. All non-defined browsers will be allowed for login for this group. Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller GUI. All non-defined browsers will be denied for login for this group.
180. Figure 119: List of Available Schedules to bind to a firewall rule; Figure 120: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30); Figure 121: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed; Figure 122: Schedule configuration for the above example; Figure 123: List of user defined services; Figure 124: Available ALG support on the controller; Figure 125: Passthrough options for VPN tunnels; Figure 126: List of Known Clients; Figure 127: List of Available Application Rules showing 4 unique rules; Figure 128: List of Available Application Rules and corresponding status; Figure 129: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded
181. ed. Some applications require that when external devices connect to them, they receive data on a specific port or range of ports in order to function properly. The controller must send all incoming data for that application only on the required port or range of ports. The controller has a list of common applications and games with corresponding outbound and inbound ports to open. You can also specify a port triggering rule by defining the type of traffic (TCP or UDP) and the range of incoming and outgoing ports to open when enabled. [Figure 127: List of Available Application Rules showing 4 unique rules. The table lists all the available port triggering rules and allows several operations on the rules. Columns: Name, Enable, Protocol, Interface, Outgoing Ports (Start Port, End Port), Incoming Ports (Start Port, End Port). Row shown: XboxUDP, Yes, TCP, LAN, 88, 88, 88, 88.] The application rule status page will list any active rules, i.e. incoming ports that are being triggered based on outbound requests from a defined outgoing port. 7.9 Application Rules Status (Advanced > Application Rules > Application Rules Status): This page displays the list of available application rules and their corresponding status. Figure 128
182. ed: The controller contacted the peer controller or the AP with the IP address in the L3/IP Discovery list and was unable to authenticate or validate the device. If the device is an access point, an entry appears in the AP failure list with a failure reason. [Figure 39: Wireless Discovery status. The IP Discovery Status page shows information about communication with the devices in the IP discovery list on the Setup > AP Management > Poll List page. Row shown: IP Address 192.168.10.101, Status Polled.] The following actions are supported from this page. Refresh: Updates the page with the latest information. 2.8.2 AP Profile Global Configuration (Advanced > AP Profile): From the Access Point Profile Summary page, you can Add, Copy, Edit, or Delete AP profiles. To add a new profile, click Add in the AP Profile Summary page. In the AP Profile Global Configuration page, enter the name of the profile in the Profile Name field, select the Hardware type, enter a valid VLAN ID, and then click Submit. [Figure 40: AP Profile Global Configuration. This page is used to configure a variety of global settings for a new or existing AP profile.] Default D
183. edirect is disabled. Edit: Click Edit to modify settings for the corresponding network. When you click Edit, the Wireless Network Configuration page appears. QoS Configuration: Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic (different types of audio, video, and streaming media, as well as traditional IP data) over the DWC-1000. [Figure 45: AP Profile QoS configuration (Part 1). Fields: AP Profile, Radio Mode, Template; for each queue (Data 0 (Voice), Data 1 (Video), Data 2 (Best Effort)): AIFS (msecs), cwMin (msecs), cwMax (msecs), Max. Burst (usecs).] Configuring Quality of Service (QoS) on the DWC-1000 consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (through Contention Windows) for transmission. The settings described here apply to data transmission behavior on the access point only, not to that of the cli
184. Figure 181: NT Domain Configuration; Figure 182: LDAP Authentication Configuration; Figure 183: Active Directory Configuration; Figure 184: POP3 Server Configuration; Figure 185: POP3 CA File List; Figure 186: Remote Management; Figure 187: SNMP Users, Traps, and Access Control; Figure 188: SNMP system information for this controller; Figure 189: SNMP Traps; Figure 190: Date, Time, and NTP Server setup; Figure 191: Facility settings for Logging; Figure 192: Log configuration options for traffic through controller; Figure 193: E-mail configuration as a Remote Logging Opt
185. 2.2.3 DSCP Configuration; 2.2.4 Port Queue Scheduling; 2.2.5 Port Queue Status; 2.2.6 Option QoS Configuration; 2.2.7 Traffic Selector Configuration; 2.2.8 Remark CoS to DSCP; 2.3 VLAN Configuration; 2.3.1 VLAN Configuration Options; 2.3.2 Associating VLANs to Ports; 2.3.3 Multiple VLAN Subnet; 2.4 Configurable Port: DMZ Setup; 2.5 Universal Plug and Play (UPnP); 2.6 Captive Portal; 2.6.1 Captive Portal Setup; 2.6.2 Captive Portal SSID Setup; 2.6.3 Captive Portal Session
186. efault Radio Configuration. AP Profile Name: The AP Profile Name can be an alphanumeric identifier that can contain a maximum of 32 characters. This profile name is associated to default profile 1. State: Here the admin indicates whether to enable or disable the radio. If the user turns off a radio, the AP sends disassociation frames to all the wireless clients it is currently supporting so that the radio can be gracefully shut down and the clients can start the association process with other available APs. Mode (802.11a/n): The Mode defines the Physical Layer (PHY) standard the radio uses. Select one of the following modes for the radio interface. • IEEE 802.11a is a PHY standard that specifies operating in the 5 GHz U-NII band using orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from 6 to 54 Mbps. • IEEE 802.11a/n operates in the 5 GHz ISM band and includes support for both 802.11a and 802.11n devices. IEEE 802.11n is an extension of the 802.11 standard that includes multiple-input multiple-output (MIMO) technology. IEEE 802.11n supports data ranges of up to 248 Mbps and nearly twice the indoor range of 802.11b, 802.11g, and 802.11a. • 5 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 5 GHz frequency that do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to b
187. elects ANY, all Option-side hosts are granted access to the local server. If the user selects Specify Option IPs, he must provide a comma-separated list of Option host addresses that are to be allowed access to the Local Server (LAN Host). Option Host Addresses: The user must provide a comma-separated list of Option IP addresses that must be allowed access to the Local Server, in case he has selected Specify Option IPs in the drop-down menu. Only commas are allowed, and there should be no spaces between the comma and the IP address. Internal IP Address: The user must provide a single IP address of the LAN host (Local Server). Enable Intel AMT Reflector: Check this box to reflect back the data on selected ports to the client initiating the connection. Redirect to Port 16992: Check this box to redirect to port 16992 of the client initiating the connection. Listen on Port: Enter the port on which the server should listen for incoming connections. Redirect to Port 16993: Check this box to redirect to port 16993 of the client initiating the connection. Listen on Port: Enter the port on which the server should listen for incoming connections. Redirect to Port 16994: Check this box to redirect to port 16994 of the client initiating the connection. Listen on Port: Enter the port on which the server should listen for incoming connections. Redirect to Port 16995: Check this box to redirect to port
188. elete All. To configure an Authentication Failed AP to be managed by the controller the next time it is discovered, select the check box next to the MAC address of the AP and click Manage. You will be presented with the Valid Access Point Configuration page. [Figure 67: AP status. Columns: MAC Address, IP Address, Age, Status, Radio, Channel. Row shown: 1c:af:f7:1f:24:40, 192.168.10.100, 0h:0m:10s, No Database Entry, N/A, N/A. Buttons: Delete All, Manage, Acknowledge, View Details, Refresh.] MAC Address: Shows the MAC address of the access point. IP Address: The network address of the access point. Age: Shows how much time has passed since the AP was last detected and the information was last updated. Status: Shows the access point status. • Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode. • No Database Entry: The MAC address of the AP does not appear in the local or RADIUS Valid AP database. • Authentication Failed AP: The AP failed to be authenticated by the controller or RADIUS server, since the AP is not configured as a valid AP with the correct local or RADIUS authentication information. •
189. enable Multicast and Broadcast Rate Limiting, click Enabled. • To disable Multicast and Broadcast Rate Limiting, click Disabled. [Figure 42: AP Profile Radio configuration (Part 1). This page contains several fields that are not available for the default AP Profile. Fields: AP Profile, Radio Mode, State, Radio Scheduler, RTS Threshold (0 to 2347 bytes), Load Balancing, Load Utilization (1 to 100), Maximum Clients (0 to 200), RF Scan Other Channels, RF Scan Sentry, Mode, DTIM Period (1 to 255 beacons), Beacon Interval (20 to 2000 msecs), Automatic Channel, Automatic Power, Initial Power (1 to 100), Minimum Power (1 to 100).] Transmit Lifetime: Shows the number of milliseconds to wait before terminating attempts to transmit the MSDU after the initial transmission. Rate Limit: Enter the rate limit you want to set for multicast and broadcast traffic. The limit should be greater than 1 but less than 50 packets per second. Any traffic that fa
190. ent stations. AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station. Station Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the client station to the access point. You can specify custom QoS settings, or you can select a template that configures the AP profile with pre-defined settings that are optimized for data traffic or voice traffic. Radio Mode: From this field, you can select the radio for which you want to configure QoS settings. Settings for each radio are configured separately. By default, Radio 1 operates in IEEE 802.11a/n mode and Radio 2 operates in IEEE 802.11b/g/n mode. If you change the mode, the labels for the radios change accordingly. Changes to the settings apply only to the selected radio. The DWL-3600AP is a single-radio AP. Any settings you configure for Radio 1 (802.11a/n) are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available. Template: Select the QoS template to apply to the AP profile. If you select Custom, you can change the AP and station parameters. If you select Voice or Factory Defaults, the controller will use the pre-defined settings for the template you select. AP EDCA Parameters. Queue: Queues are defined for different types of data transmitted from AP to station. Data 0 (Voice): High priority queue, minimum
191. [Screenshot: "Choose File to upload" dialog selecting the firmware file.] WARNING: Do NOT power off the device during the firmware upgrade process. After upgrading, it will restore the system to factory default settings; the default IP address will be 192.168.10.1. Upgrade in Progress: [Screenshot: DWC-1000 WEB Recovery Mode, "Device is upgrading the firmware".] After a successful upgrade, the unit will reboot. [Screenshot: DWC-1000 WEB Recovery Mode, "Upgrade successfully".] Appendix D. Product Statement. Power Usage: This device is an Energy Related Product (ErP) with High Network Availability (HiNA), and automatically switches to a power
192. er MAC Address: MAC address of the client. AP MAC Address: MAC address of the managed AP to which the client has pre-authenticated. Radio Interface Number: Radio number to which the client is authenticated, which is either Radio 1 or Radio 2. VAP MAC Address: VAP MAC address to which the client roamed. SSID: SSID name used by the VAP. Age: Time since the history entry was added. User Name: Indicates the user name of the client that authenticated via 802.1X. Pre-Authentication Status: Indicates whether the client successfully authenticated, and shows a status of Success or Failure. [Figure 85: Pre-Auth History. Detected Client Pre-Authentication History Summary, showing "No preauthentication history entries to display".] This page includes the following button. Refresh: Updates the page with the latest information. 4.8.8 Detected Client Roam History (Status > Wireless Client Info > Roam History): The wireless system keeps a record of clients as they roam from one managed AP to another managed AP. MAC Address: MAC address of the detected client. AP MAC Address: MAC Address
193. er pushes to its peers. 11.5 WIDS Configuration: The D-Link Wireless Controller Wireless Intrusion Detection System (WIDS) can help detect intrusion attempts into the wireless network and take automatic actions to protect the network. 11.5.1 WIDS AP Configuration (Advanced > WIDS Security > AP): The WIDS AP Configuration page allows you to activate or deactivate various threat detection tests and set threat detection thresholds in order to help detect rogue APs on the wireless network. These changes can be done without disrupting network connectivity. Since some of the work is done by access points, the controller needs to send messages to the APs to modify its WIDS operational properties. Administrator-configured rogue AP: If the source MAC address is in the valid AP database on the controller or on the RADIUS server and the AP type is marked as Rogue, then the AP state is Rogue. Managed SSID from an unknown AP: This test checks whether an unknown AP is using the managed network SSID. A hacker may set up an AP with a managed SSID to fool users into associating with the AP and revealing passwords and other secure information. Administrators with large networks who are using multiple clusters should either use different network names in each cluster or disable this test. Otherwise, if an AP in the first cluster detects APs in the second cluster transmitting the same SSID as APs in the
194. 6.4.1 Routing Mode; 6.4.2 Dynamic Routing (RIP); 6.4.3 Static Routing; 6.5; 6.6; 6.7 IPv6 Tunnels Status; 6.8 ISATAP Tunnels; 6.9 IGMP Setup; 6.10 Option Port Settings; Securing the Private Network; 7.1 Firewall Rules; 7.2 Defining Rule Schedules; 7.3 Configuring Firewall Rules; 7.3.1 Firewall Rule Configuration Examples; 7.4 Security on Custom Services; 7.5 ALG Support; 7.6 VPN Passthrough for Firewall; 7.7; 7.8 Application Rules
195. 2.6.4 Service Level Agreement (SLA); 2.6.5 Billing Profile; 2.6.6 Block MAC; 2.6.7 Hotspot; 2.6.8 Captive Portal Front Desk; 2.7 WLAN global configuration; 2.8 Wireless Discovery configuration; 2.8.1 Wireless Discovery Status; 2.8.2 AP Profile Global Configuration; Configuring Wireless LAN; 3.1 WLAN Setup Wizard; 3.2 WLAN Visualization support; 3.2.1 Download Image; 3.2.2 Visualization Launch; Monitoring Status and Statistics; Chapter 5; 4.1 S
196. esented as a topology diagram with or without a custom background image. Figure 49: The launched visualization page. Chapter 4. Monitoring Status and Statistics. 4.1 System Overview. The Status page allows you to get a detailed overview of the system configuration. The settings for the wired and wireless interfaces are displayed in the DWC-1000 Status page, and then the resulting hardware resource and controller usage details are summarized on the controller Dashboard. 4.1.1 Dashboard. Status > Dashboard > General. The DWC-1000 dashboard page gives a summary of the CPU and Memory utilization. Figure 50: Dashboard. This page displays the resources being used in the system currently. This page also shows the bandwidth used in form of bar graphs. 4.1.2 CPU Utilization. This section di
197. eserved IP Configuration page to add a new binding rule. Figure 4: LAN DHCP Reserved IPs. 2.1.2 LAN DHCP Leased Clients. Setup > Network Settings > LAN DHCP Leased Clients. This page provides the list of clients connected to the LAN DHCP server. Figure 5: LAN DHCP Leased Clients. IP Addresses: The LAN IP address of a host that matches the reserved IP list. MAC Addresses: The MAC address of a LAN host that has a configured IP address reservation. 2.1.3 LAN DHCP Pools. Setup > Network Settings > LAN DHCP Pools. Upon enabling DHCP, you can define a set of IP ranges, referred to as pools, from which to assign LAN clients IP addre
198. Figure 130: Two trusted domains added to the Approved URLs List; Figure 131: One keyword added to the block list; Figure 132: Export Approved URL list; Figure 133: Category Filtering Options; Figure 134: Example binding a LAN host's MAC Address to a served IP address; Figure 135: Switch Settings; Figure 136: Protecting the controller and LAN from internet attacks; Figure 137 Figure 138 Figure 139 Figure 140 Figure 141 Figure 142 Figure 143 Figure 144 Figure 145 Figure 146 Figure 147 Figure 148 Figure 149 Figure 150 Figure 151 Figure 152 Figure 153 Figure 154 Figure 155 Figure 156 Figure 157 Figure 158 Figure 159 Figure 160 Figure 161 Figure 162 Figure 163 Figure 164 Figure 165 Figure 166 Figure 167 Figure 168 Figure 169 Example of Gateway to Gateway IPsec VPN tunnel using two DWC controllers Connected
199. ess. Figure 3: Setup page for LAN TCP/IP settings (continued). 2.1.1 LAN DHCP Reserved IPs. Setup > Network Settings > LAN DHCP Reserved IPs. The controller DHCP server can assign TCP/IP configurations to computers in the LAN explicitly by adding client's network interface hardware address and the IP address to be assigned to that client in DHCP server's database. Whenever DHCP server receives a request from client, hardware address of that client is compared with the hardware address list present in the database; if an IP address is already assigned to that computer or device in the database, the customized IP address is configured; otherwise an IP address is assigned to the client automatically from the DHCP pool. IP Addresses: The LAN IP address of a host that is reserved by the DHCP server. MAC Addresses: The MAC address that will be assigned the reserved IP address when it is on the LAN. The actions that can be taken on list of reserved IP addresses are: Select: Selects all the reserved IP addresses in the list. Edit: Opens the LAN DHCP Reserved IP Configuration page to edit the selected binding rule. Delete: Deletes the selected IP address reservation(s). Add: Opens the LAN DHCP R
200. essaging sites. • Dating Sites: Online dating, matchmaking, relationship advice, personal ads, and web pages related to marriage. • Game Sites: Sites that offer online games, MORPG, and information about computer games, cheat codes, etc. • Investment Sites: Sites for brokerages, trusts, insurance, and other investments related organizations. • E-banking: Sites providing online banking services offered by financial institutions. • Crime/Terrorism: Sites providing information on anti-social activities like murder, sabotage, bombing, etc. • Personal Beliefs/Cults: Sites about religion, places of worship, religious groups, and occultism. • Politics: Sites about politics, elections, and legislation, and sites that promote a politician or political party. • Sports: Sites about sports teams, fan clubs, and generally about all kinds of sports. • www Email Sites: Websites that allow users to send and/or receive email through a web-accessible email account. Figure 133: Category Filtering options.
201. et Service Provider. Link State: Detects if a link is present on the Option Interface. Option Mode: Indicates if Option or Option2 is in use. Gateway: Gateway IP address of the Option port. Primary DNS: Primary DNS server IP address of the Option port. Secondary DNS: Secondary DNS server IP address of the Option port. If the Connection Status indicated that the association with the ISP is active, then the Option can be disconnected by clicking the Disable button. Figure 104: Connection Status information of Option1. The Option status page allows you to
202. etup site to site VPN tunnel. This will add VPN policies by importing a file containing pre-configured VPN policies. 8.2 Configuring IPsec Policies. Setup > VPN Settings > IPsec > IPsec Policies. An IPsec policy is between this controller and another gateway, or this controller and an IPsec client on a remote host. The IPsec mode can be either tunnel or transport depending on the network being traversed between the two policy endpoints. Transport: This is used for end-to-end communication between this controller and the tunnel endpoint, either another IPsec gateway or an IPsec VPN client on a host. Only the data payload is encrypted and the IP header is not modified or encrypted. Tunnel: This mode is used for network-to-network IPsec tunnels where this gateway is one endpoint of the tunnel. In this mode the entire IP packet including the header is encrypted and/or authenticated. When tunnel mode is selected, you can enable NetBIOS and DHCP over IPsec. DHCP over IPsec allows this controller to serve IP leases to hosts on the remote LAN. As well, in this mode you can define the single IP address, range of IPs, or subnet on both the local and remote private networks that can communicate over the tunnel. Figure 140: IPsec policy configuration.
203. [Figure: List of Available Firewall Rules.] 7.2 Defining Rule Schedules. Tools > Schedules. Firewall rules can be enabled or disabled automatically if they are associated with a configured schedule. The schedule configuration page allows you to define days of the week and the time of day for a new schedule, and then this schedule can be selected in the firewall rule configuration page. Note: All schedules will follow the time in the controller's configured time zone. Refer to the section on choosing your Time Zone and configuring NTP servers for more information. Figure 119: List of Available Schedules to bind to a firewall rule.
204. ext box and click Lookup. If the host or domain entry exists, you will see a response with the IP address. A message stating Unknown Host indicates that the specified Internet Name does not exist. Note: This feature assumes there is internet access available on the Option link(s). Router Options: The static and dynamic routes configured on this controller can be shown by clicking Display for the corresponding routing table. Clicking the Packet Trace button will allow the controller to capture and display traffic through the DWC-1000 between the LAN and Option interface as well. This information is often very useful in debugging traffic and routing issues. Chapter 13. License Activation. Tools > License. The DWC-1000 can be upgraded with three optional license packs. The DWC-1000-AP6/DWC-1000-AP6-LIC License Packs enable the Wireless Controller to manage 6 extra access points. The DWC-1000 can be upgraded up to 3 times with this license pack, enabling it to support up to 24 access points in total. The DWC-1000-VPN/DWC-1000-VPN-LIC License Packs enable the Wireless Controller to support VPN, Firewall, Website Filter (static WCF), and routing functions. The DWC-1000-WCF-12/DWC-1000-WCF-12-LIC License Packs enable the dynamic WCF (Category filtering) feature for one year. It allows you to filter up to 32 categories of websites to restrict users from accessing them from your net
205. formation about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One controller in a cluster is elected as a Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs peer controllers manage and the clients associated to those APs. Cluster Controller IP Address: IP address of the controller that controls the cluster. Peer Controllers: Displays the number of peer controller in the cluster. List of Peer Controllers. IP Address: IP address of the peer wireless controller in the cluster. Vendor ID: Vendor ID of the peer controller software. Software Version: The software version for the given peer controller. Protocol Version: Indicates the protocol version supported by the software on the peer controller. Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll. Managed AP Count: Shows the number of APs that the controller currently manages. Age: Time since last communication with the controller in Hours, Minutes, and Seconds. Figure 73: Peer Controller Status.
206. g. • USB Mass Storage: also referred to as a share port, files on a USB disk connected to the DWC can be accessed by LAN users as a network drive. • USB Printer: The DWC can provide the LAN with access to printers connected through the USB. The printer driver will have to be installed on the LAN host and traffic will be routed through the DWC between the LAN and printer. To configure printer on a Windows machine, follow below given steps: Click Start on the desktop. Select Printers and faxes option. Right click and select add printer, or click on Add printer present at the left menu. Select the Network Printer radio button and click next (select "device isn't listed" in case of Windows 7). Select the Connect to printer using URL radio button (Select a shared printer by name in case of Windows 7) and give the following URL: http://<controller's LAN IP address>:631/printers/<Model Name> (Model Name can be found in the USB status page of controller's GUI). Click next and select the appropriate driver from the displayed list. Click on next and finish to complete adding the printer. Figure 165: USB Device Detection.
207. g devices on the LAN can be directly accessed from the internet by their public IP addresses (assuming appropriate firewall settings). If your ISP has assigned an IP address for each of the computers that you use, select Classic Routing. • NAT is a technique which allows several computers on a LAN to share an Internet connection. The computers on the LAN use a private IP address range while the Option port on the controller is configured with a single public IP address. Along with connection sharing, NAT also hides internal IP addresses from the computers on the Internet. NAT is required if your ISP has assigned only one IP address to you. The computers that connect through the controller will need to be assigned IP addresses from a private subnet. • Transparent routing between the LAN and Option does not perform NAT. Broadcast and multicast packets that arrive on the LAN interface are switched to the Option and vice versa, if they do not get filtered by firewall or VPN policies. To maintain the LAN and Option in the same broadcast domain, select Transparent mode, which allows bridging of traffic from LAN to Option and vice versa, except for controller-terminated traffic and other management traffic. All DWC features are supported in transparent mode assuming the LAN and Option are configured to be in the same broadcast domain. Note: NAT routing has a feature called NAT Hair-pinning that allows
208. g or blocking inbound and outbound Internet traffic for specified services on specified schedules. • MAC addresses of devices that should not access the internet. • Port triggers that signal the controller to allow or block access to specified services as defined by port number. • Reports and alerts that you want the controller to send to you. You can, for example, establish restricted-access policies based on time of day, web addresses, and web address keywords. You can block Internet access by applications and services on the LAN, such as chat rooms or games. You can block just certain groups of PCs on your network from being accessed by the Option or public DMZ network. 7.1 Firewall Rules. Advanced > Firewall Settings > Firewall Rules. Inbound (Option to LAN/DMZ) rules restrict access to traffic entering your network, selectively allowing only specific outside users to access specific local resources. By default all access from the insecure Option side are blocked from accessing the secure LAN, except in response to requests from the Option or DMZ. To allow outside devices to access services on the secure LAN, you must create an inbound firewall rule for each service. If you want to allow incoming traffic, you must make the controller's Option port IP address known to the public. This is called exposing your host. How you make your address known depends on how the Option ports a
209. ge is written to flash and the controller is automatically rebooted with the new firmware. The Firmware Information and also the Status > Device Info > Device Status page will reflect the new firmware version. IMPORTANT: During firmware upgrade, do NOT try to go online, turn off the DWC-1000, shut down the PC, or interrupt the process in any way until the operation is complete. This should take only a minute or so, including the reboot process. Interrupting the upgrade process at specific points when the flash is being written to may corrupt the flash memory and render the controller unusable without a low-level process of restoring the flash firmware (not through the web GUI). Figure 198: Firmware version information and upgrade option. This controller also supports an automated notification to determine if a newer firmware version is available for this controller. By clicking the Check Now button in the notification section, the controller will check a D-Link server to see if a newer firmware
210. ge shows a list of available billing profiles for temporary Captive Portal users. We can add, delete and edit the profiles. Adding or modifying a billing profile will open the selected Profile's setup page. Figure 34: Billing Profiles Configuration Settings.
211. gement to activate SSL VPN Configurations. SSL VPN Policies: Policies are useful to permit or deny access to specific network resources, IP addresses or IP networks. They may be defined at the user, group or global level. By default, a global PERMIT policy (not displayed) was already configured over all addresses and over all services/ports. To add a SSL VPN policy, you must first assign it to a user group or make it global (i.e. applicable to all SSL VPN users). If the policy is for a group, the available configured groups are shown in a drop-down menu and one must be selected. Similarly, for a user-defined policy a SSL VPN user must be chosen from the available list of configured users. The next step is to define the policy details. The policy name is a unique identifier for this rule. The policy can be assigned to a specific Network Resource (details follow in the subsequent section), IP address, IP network, or all devices on the LAN of the controller. Based on the selection of one of these four options, the appropriate configuration fields are required (i.e. choosing the network resources from a list of defined resources, or defining the IP addresses). For applying the policy to addresses, the port range/port number can be defined. The final steps require the policy permission to be set
212. h over 10,000 registrations. From the Local OUI Database Summary page, you can enter up to 64 user-defined OUIs. The local list is searched first, so the same OUI can be located in the local list as well as the read-only list. OUI Value: Enter the OUI that represents the company ID in the format XX:XX:XX where XX is a hexadecimal number between 00 and FF. The first three bytes of the MAC address represents the company ID assignment. Note: The first byte of the OUI must have the least significant bit set to 0. For example, 02:FF:FF is a valid OUI, but 03:FF:FF is not. OUI Description: Enter the organization name associated with the OUI. The name can be up to 32 alphanumeric characters. Figure 94: Local OUI Database. 5.5 AP Provisioning Summary. Setup > AP Management > AP Provisioning Summary Status. The AP Provisioning feature helps you add new APs to an existing controller cluster. With AP Provisioning you can configure the access points with para
213. hat may be used in an SSID. Security: The default AP profile does not use any security mechanism by default. In order to protect your network, D-Link strongly recommends that you select a security mechanism so that unauthorized wireless clients cannot gain access to your network. The following WLAN network security options are available in WLAN wizard: • None: No security. • Static WEP: security require is Static WEP. Authentication as shared key, type ascii and length 128 bits are used for setting Static WEP key through the WLAN wizard. • WPA Personal: This type of security supports version WPA and WPA2 with ciphers ccmp and tkip; bcast key refresh rate 300 are used for setting WPA Personal Key through the WLAN wizard. Valid Access Point Summary. MAC address: This field shows the MAC address of the AP broadcast by this controller. Note: Experienced WLAN administrators can input all the settings in one page via the Manual Wireless Network Setup. 3.2 WLAN Visualization support. Setup > WLAN Visualization. WLAN Visualization is a tool that provides a graphical representation of the wireless network through a Web browser. The WLAN Visualization graph does not have a background image of its own, and so the administrator can upload a static graphic image that provides the wireless topology of the APs and controllers in the wireless network. 3.2.1 Download Image. User can upload
214. he AP can fail due to one of the following reasons: No Database Entry: The MAC address of the AP is not in the local Valid AP database or the external RADIUS server database, so the AP has not been validated. Local Authentication: The authentication password configured in the AP did not match the password configured in the local database. Not Managed: The AP is in the Valid AP database, but the AP Mode in the local database is not set to Managed. RADIUS Authentication: The password configured in the RADIUS client for the RADIUS server was rejected by the server. RADIUS Challenged: The RADIUS server is configured to use the Challenge-Response authentication mode, which is incompatible with the AP. RADIUS Unreachable: The RADIUS server that the AP is configured to use is unreachable. Invalid RADIUS Response: The AP received a response packet from the RADIUS server that was not recognized or invalid. Invalid Profile ID: The profile ID specified in the RADIUS database may not exist on the controller. This can also happen with the local database when the configuration has been received from a peer controller. Profile Mismatch - Hardware Type: The AP hardware type specified in the AP Profile is not compatible with the actual AP hardware. Figure 69: Authentication Failure Status.
215. he SSIDs of the networks that each wireless client associated with a managed AP has used for WLAN access. View VAP Details: Each AP has set of Virtual Access Points (VAPs) per radio, and every VAP has a unique MAC address (BSSID). This displays the VAP Associated Client Status page, which shows information about the VAPs on the managed AP that have associated wireless clients. LAN Clients. Status > LAN Client Info > LAN Clients. The LAN clients to the controller are identified by an ARP scan through the LAN controller. The NetBios name (if available), IP address and MAC address of discovered LAN hosts are displayed. Figure 63: List of LAN hosts. 4.5.3 Detected Clients. Status > LAN Client Info > Detected Clients. Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well information about clients that disassociate and are no longer connected to the system
216. he profile to assign to this AP. Expected SSID: Enter the SSID that identifies the wireless network on the standalone AP. Expected Channel: Select the channel that the standalone AP uses. If the AP is configured to automatically select a channel, or if you do not want to specify a channel, select Any. Expected WDS Mode: Standalone APs can use a Wireless Distribution System (WDS) link to communicate with each other without wires. The menu contains the following options: • Bridge: Select this option if the standalone AP you add to the Valid AP database is configured to use one or more WDS links. • Normal: Select this option if the standalone AP is not configured to use any WDS links. • Any: Select this option if the standalone AP might use a WDS link. Expected Security Mode: Select the option to specify the type of security the AP uses: • Any: Any security mode. • Open: No security. • WEP: Static WEP or WEP 802.1X. • WPA/WPA2: WPA and/or WPA2 (Personal or Enterprise). Expected Wired Network Mode: If the standalone AP is allowed on the wired network, select Allowed. If the AP is not permitted on the wired network, select Not Allowed. Channel: The Channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface and the country in which the
217. hedule Weekend. • Define weekend to mean 12 am Saturday morning to 12 am Monday morning (all day Saturday & Sunday). • In the Scheduled days box, check that you want the schedule to be active for specific days. Select Saturday and Sunday. • In the scheduled time of day, select all day; this will apply the schedule between 12 am to 11:59 pm of the selected day. • Click apply; now schedule Weekend isolates all day Saturday and Sunday from the rest of the week. Figure 122: Schedule configuration for the above example. 2. Since we are trying to block HTTP requests, it is a service with To Zone: Insecure (Option1/Option2) that is to be blocked according to schedule Weekend. 3. Select the Action to Block by Schedule, otherwise allow. This will take a predefined schedule and make sure the rule is a blocking rule during the defined dates/times.
218. [Screenshot: Active VPN page listing Active IPsec SAs, Active SSL VPN Connections and Active PPTP VPN connections]
All active SSL VPN connections, both for VPN tunnel and VPN Port forwarding, are displayed on this page as well. Table fields are as follows:
User Name: The SSL VPN user that has an active tunnel or port forwarding session to this controller.
IP Address: IP address of the remote VPN client.
Local PPP Interface: The interface (Option1 or Option2) through which the session is active.
Peer PPP Interface IP: The assigned IP address of the virtual network adapter.
Connect Status: Status of the SSL connection between this controller and the remote VPN client: Not Connected or Connected.
4.6 Access Point
4.6.1 Access Point Status
Status > General > Access Point
The Access Point Status page shows summary information about managed, failed, and rogue access points the controller has discovered or detected.
Figure 66: AP Statistics
219. MAC Address: The Ethernet address of the controller-managed AP. If the MAC address of the AP is followed by an asterisk (*), it is managed by a peer controller.
IP Address: The network IP address of the managed AP.
Age: Time since last communication between the controller and the AP.
Status: The current managed state of the AP. The possible values are:
• Discovered: The AP is discovered by the controller but is not yet authenticated.
• Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured.
• Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode.
• Failed: The controller lost contact with the AP; a failed entry will remain in the managed AP database unless you remove it. Note that a managed AP will temporarily show a failed status during a reset.
Note: When management connectivity is lost for a managed AP, then both radios of the AP are turned down. All the clients associated with the AP get disassociated. The radios become operational if and when that AP is managed again by a controller.
Profile: The AP profile configuration currently applied to the managed AP. The profile is assigned to the AP in the valid AP database.
Radio Interface: Shows the wireless radio mode that each radio on the AP is u
220. ient that updated the detected client database entry.
Create Time: Time since this entry was first added to the detected clients database.
Active VPN Tunnels
Note: The following feature is available upon licensed activation of VPN Firewall features for the system.
Status > Active VPNs
You can view and change the status (connect or drop) of the controller's IPsec security associations. Here, the active IPsec SAs (security associations) are listed along with the traffic details and tunnel state. The traffic is a cumulative measure of transmitted/received packets since the tunnel was established. If a VPN policy state is "IPsec SA Not Established", it can be enabled by clicking the Connect button of the corresponding policy.
The Active IPsec SAs table displays a list of active IPsec SAs. Table fields are as follows:
Policy Name: IKE or VPN policy associated with this SA.
Endpoint: IP address of the remote VPN gateway or client.
Tx (KB): Kilobytes of data transmitted over this SA.
Tx (Packets): Number of IP packets transmitted over this SA.
State: Status of the SA for IKE policies: Not Connected or IPsec SA Established.
Action: Click Connect to establish an inactive SA connection, or Disconnect to terminate an active SA connection.
Figure 65: List of current Active VPN Sessions
221. igured a time of day active schedule in the Tools > Schedules menu, it will be available for selection in this drop-down menu. You can associate a pre-defined schedule with this radio to turn on/off radio functionality during desired times of the day/week.
Note: Ensure that firmware v4.2.0.6_B101 or above for DWC-1000, 4.2.0.1_B009 or above for DWL-2600AP, 4.1.0.11_B015 or above for DWL-3600AP, 4.2.0.9_B009 or above for DWL-6600AP, and 4.1.0.14_RFsc or above for DWL-8600AP are being used to leverage the above feature.
RTS Threshold: Specify a Request to Send (RTS) Threshold value between 0 and 2347. The RTS threshold indicates the number of octets in an MPDU below which an RTS/CTS handshake is not performed. Changing the RTS threshold can help control traffic flow through the AP, especially one with a lot of clients. If you specify a low threshold value, RTS packets will be sent more frequently. This will consume more bandwidth and reduce the throughput of the packet. On the other hand, sending more RTS packets can help the network recover from interference or collisions which might occur on a busy network, or on a network experiencing electromagnetic interference.
Load Balancing: If you enable load balancing, you can control the amount of traffic that is allowed on each of the active APs.
Load Utilization: This field allows you to set a threshold for the percentage of network bandwidth util
222. iguring VPN Clients
8.4 PPTP / L2TP Tunnels
8.4.1 PPTP Tunnel Support
8.4.2 L2TP Tunnel Support
8.4.3 OpenVPN Support
Chapter 9. SSL VPN
9.1 Groups and Users
9.1.1 Users and Passwords
9.1.2 User Database
9.2 Using SSL VPN Policies
9.2.1 Using Network Resources
9.3 Application Port Forwarding
9.4 SSL VPN Client Configuration
9.4.1 Creating Portal Layouts
Chapter 10. Advanced System Functionalities
10.1 USB Device Setup
10.2 USB Share Port
10.3 Authentication Certificates
10.4 lntelPOA
223. ill pass through the VPN Tunnel, and from the Remote Gateway the packet will be routed to Internet. On the remote gateway side, the outgoing packet will be SNAT'ed.
8.3 Configuring VPN clients
Remote VPN clients must be configured with the same VPN policy parameters used in the VPN tunnel that the client wishes to use: encryption, authentication, life time, and PFS key-group. Upon establishing these authentication parameters, the VPN Client user database must also be populated with an account to give a user access to the tunnel.
Note: VPN client software is required to establish a VPN tunnel between the controller and remote endpoint. Open source software (such as OpenVPN or Openswan) as well as Microsoft IPsec VPN software can be configured with the required IKE policy parameters to establish an IPsec VPN tunnel. Refer to the client software guide for detailed instructions on setup, as well as the controller's online help.
The user database contains the list of VPN user accounts that are authorized to use a given VPN tunnel. Alternatively, VPN tunnel users can be authenticated using a configured Radius database. Refer to the online help to determine how to populate the user database and/or configure RADIUS authentication.
8.4 PPTP / L2TP Tunnels
This controller supports VPN tunnels from either PPTP or L2TP ISP servers. The controller acts as a broker device to allow the ISP's server to create a TCP control connection between the LAN VPN
224. in the LAN that are auto-configured by the router. The default is 1500.
Router Lifetime: This value is present in RAs and indicates the usefulness of this router as a default router for the interface. The default is 3600 seconds. Upon expiration of this value, a new RADVD exchange must take place between the host and this router.
Figure 9: Configuring the Router Advertisement Daemon
Advertisement Prefixes
Advanced > IPv6 > IPv6 LAN > Advertisement Prefixes
The router advertisements configured with advertisement prefixes allow this router to inform hosts how to perform stateless address auto configuration. Router advertisements contain a list of subnet prefixes that allow the router to determine neighbors and whether the host is on the same link as the router.
The following prefix options are available for the router advertisements:
IPv6 Prefix Type: To ensure hosts support IPv6 to
225. ing CoS to DSCP is an advanced QoS configuration where the Layer 2 quality of service field is translated to a Layer 3 QoS field in the packet, so that upstream routers can make a QoS decision based on the DSCP field set in the packet.
Figure 19: Remark CoS to DSCP
Once you enable CoS to DSCP marking by choosing the check box, you can choose the appropriate value of the DSCP for a given CoS value.
2.3 VLAN Configuration
The controller supports virtual network isolation on the LAN with the use of VLANs. LAN devices can be configured to communicate in a subnet defined by VLAN identifiers. LAN ports can be assigned unique VLAN IDs so that traffic to and from that physical port can be isolated from the general LAN. VLAN
226. ingle radio AP. Any settings you configure for Radio 802.11a/n are not applied to the DWL-3600AP. If the selected Hardware Type ID for the AP profile is DWL-3600AP, the radio selectors are not available.
Network: Use the option to the left of the network to enable or disable the corresponding VAP on the selected radio. When enabled, use the menu to select a network to assign to the VAP. You can configure up to 64 separate networks on the controller and apply them across multiple radio and VAP interfaces. By default, 16 networks are pre-configured and applied in order to the VAPs on each radio. Enabling a VAP on one radio does not automatically enable it on the other radio.
VLAN: Shows the VLAN ID of the VAP. To change this setting, click Edit.
L3 Tunnel: Shows whether L3 Tunneling is enabled on the network.
Note: When L3 tunneling is enabled, the VLAN ID configured above is not used. In fact, the controller puts the management VLAN ID, if any, on the tunneled packets destined to the AP.
Hide SSID: Shows whether the VAP broadcasts the SSID. If enabled, the SSID for this network is not included in AP beacons. To change this setting, click Edit.
Security: Shows the current security settings for the VAP. To change this setting, click Edit.
Redirect: Shows whether HTTP redirect is enabled. The possible values for the field are as follows:
• HTTP: HTTP Redirect is enabled
• None: HTTP R
227. ion
Figure 194: Syslog server configuration for Remote Logging (Continued)
Figure 195: VPN logs displayed in GUI event viewer
Figure 196: SSL VPN logs displayed in GUI event viewer
Figure 197: Restoring configuration from a saved file will result in the current configuration being overwritten
Figure 198: Firmware version information and upgrade option
Figure 199: Dynamic DNS Configuration
Figure 200: Controller diagnostics tools available in the GUI
Figure 201: Installing a Cons Euer Eaa ea S R
Figure 202: Available Licenses Display after installing a License
Chapter 1. Introduction
D-Link Wireless Controller (DWC), DWC-1000, is a full-featured wireless LAN controller designed for small network environments. The centralized control function contains various access point management functions, such as fast roaming, inter-subnet roaming, automatic channel and power adjustment, self-healing, etc. The advan
228. ion is useful when the Default Outbound Policy is "Allow Always".
• Example: If Drop Packets from LAN to Option is enabled and there is a firewall rule to block SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be dropped and a message will be logged. Make sure the log option is set to allow for this firewall rule.
Note: Enabling accepted packet logging through the firewall may generate a significant volume of log messages depending on the typical network traffic. This is recommended for debugging purposes only.
In addition to network segment logging, unicast and multicast traffic can be logged. Unicast packets have a single destination on the network, whereas broadcast (or multicast) packets are sent to all possible destinations simultaneously. One other useful log control is to log packets that are dropped due to configured bandwidth profiles over a particular interface. This data will indicate to the admin whether the bandwidth profile has to be modified to account for the desired internet traffic of LAN users.
Figure 192: Log configuration options for traffic through controller
229. is more convenient than GUI only for adding a large number of users, where users could be added at one go rather than one at a time through the GUI.
Creating a CSV file to Upload to the User Database
There are some core assumptions and requirements for creating a compatible CSV file of users to upload to the DWC. Each line corresponds to a single entry. All the fields must be enclosed within double quotes. Consecutive fields must be separated by commas. There cannot be any leading or trailing spaces in a line. There should be no spaces between fields. The Group must already be present in the device (configured via the GUI only). Duplicate user names are not permitted.
The following format must be used for adding a user via the CSV file:
"UserName","FirstName","LastName","GroupName","MultiLogin","enable password change","Password"
The fields can have the following values:
UserName: Name of the user. Text field and cannot be NULL.
FirstName: Text field and cannot be NULL.
LastName: Text field and cannot be NULL.
GroupName: Pre-configured Group of which this user is a member. Text field and cannot be NULL.
MultiLogSup: If 1, then enable multiple users to login with this user's credentials. This is a Boolean value, cannot be NULL.
Enable password change: If 1, then allow the captive portal user to modify their password. This is a Boolean value, cannot be NULL.
230. is field shows the bytes transmitted to the client station.
Bytes Received: This field shows the bytes received to the client station.
Figure 58: Managed AP Statistics
The following actions are supported from this page:
View Details: Shows detailed status information collected from the AP.
View Radio Details: Shows detailed status for a radio interface.
View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages.
Refresh: Updates the page with the latest information.
4.3.2 LAN Associated Clients
Status > Traffic Monitor > Associated Clients Statistics > LAN Associated Clients
The controller tracks the traffic the client connected wireless controller.
Name: The LAN host name, if available through NetBIOS.
IP Address: The LAN device's IP address.
MAC Address: The MAC address of the connected LAN client.
Figure 59: LAN Associated Clients
231. ization allowed on the radio. Once the level you specify is reached, the AP stops accepting new client associations. Enter a percentage of utilization from 1 to 100.
Maximum Clients: Specify the maximum number of stations allowed to associate with this access point at any one time. You can enter a value between 0 and 200.
RF Scan Other Channels: The access point can perform RF scans to collect information about other wireless devices within range and then report this information to the DWC-1000 wireless controller. If you select the Scan Other Channels option, the radio periodically moves away from the operational channel to scan other channels. Enabling this mode causes the radio to interrupt user traffic, which may be noticeable with voice connections. When the Scan Other Channels option is cleared, the AP scans only the operating channel.
RF Scan Sentry: Select this option to allow the radio to operate in sentry mode. When the RF Scan Sentry option is selected, the radio primarily performs dedicated RF scanning. The radio passively listens for beacons and traffic exchange between clients and other access points, but does not accept connections from wireless clients. In sentry mode, all VAPs are disabled. Networks that deploy sentry APs or radios can detect devices on the network quicker and perform more thorough security analysis. In this mode, the radio moves from one channel to the next. The length of time spent on each channel i
232. k access is granted. The required action can be simply viewing and agreeing to an acceptable use policy, or entering a user ID and password which must be validated against a database of authorized users.
Note: Captive Portal is available for LAN and WLAN users only and not for DMZ hosts.
Captive Portal Setup
Setup > Captive Portal > Setup
Captive Portal profiles are the grouping of display settings that are pushed to the WLAN client that hits a particular portal. The Captive Portal Setup page allows for management of these profiles, and this setup page displays configured custom Captive Portal profiles and indicates which are in use.
Figure 27: Captive Portal Setup
List of Available Profiles: Any one of these profiles can be used for Captive Portal Login page while enabling Captive Portal.
Edit: Can edit the added profiles. The default Profile cannot be edited.
Delete: Will delete the profile selected. You cannot delete the default profile and the current profile being used.
A
233. Easy Setup Site to Site VPN Tunnel
To easily establish a VPN tunnel using VPN Wizard, follow the steps below:
1. Select the VPN tunnel type to create. The tunnel can either be a gateway-to-gateway connection (site-to-site) or a tunnel to a host on the internet (remote access). Set the Connection Name and pre-shared key: the connection name is used for management, and the pre-shared key will be required on the VPN client or gateway to establish the tunnel. Determine the local gateway for this tunnel; if there is more than one Option configured, the tunnel can be configured for either of the gateways.
2. Configure Remote and Local Option address for the tunnel endpoints.
Remote Gateway Type: Identify the remote endpoint of the tunnel by FQDN or static IP address.
Remote Option IP address / FQDN: This field is enabled only if the peer you are trying to connect to is a Gateway. For VPN Clients, this IP address or Internet Name is determined when a connection request is received from a client.
Local Gateway Type: Identify this controller's endpoint of the tunnel by FQDN or static IP address.
Local Option IP address / FQDN: This field can be left blank if you are not using a different FQDN or IP address than the one specified in the Option port's config
234. known APs currently detected on the WLAN. If an AP configured to be managed by the Unified Controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP.
Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames.
Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending the authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress.
Maximum Managed APs in Peer Group: Maximum number of access points that can be managed by the cluster.
WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics.
Total Clients: Total number of clients in the database. This total includes clients with an Associated, Authenticated, or Disassociated status.
Authenticated Clients: Total number of clients in the associated client database with an Authenticated status.
802.11a Clients: Total number of IEEE 802.11a only clients that are authenticated.
802.11b/g Clients: Total number of IEEE 802.11b/g only clients that are authenticated.
802.11n Clients: Total number of clients that are IEEE 802.11n capable and are authenticated. These include IEEE 802.11a/n, IEEE 802.11b/g/n, 5 GHz IEEE 802.11n, 2.4 GHz IEEE 802.11n.
Maximum Associated Clients: Maximum number
235. l as the Channel Plan Mode on the Configuration tab, the Manual Channel Plan page allows you to initiate the channel plan algorithm. To manually run the channel plan adjustment feature, select the radio to update the channels on (5 GHz or 2.4 GHz) and click Start.
Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The channel information that displays on the page is only for the radio you select.
Channel plan algorithm
Current Status: Shows the Current Status of the plan, which is one of the following states:
• None: The channel plan algorithm has not been manually run since the last controller reboot.
• Algorithm in Progress: The channel plan algorithm is running.
• Algorithm Complete: The channel plan algorithm has finished running. A table displays to indicate proposed channel assignments. Each entry shows the AP along with the current and new channel. To accept the proposed channel change, click Apply. You must manually apply the channel plan for the proposed assignments to be applied.
• Apply In Progress: The controller is applying the proposed channel plan and adjusting the channel on the APs listed in the table.
• Apply Complete: The algorithm and channel adjustment are complete.
Proposed Channel Assignments: If no APs appear in the table after the algorithm is complete, the algorithm d
236. lems, ensure that you enter the addresses correctly.
DHCP Option: For DHCP client connections, you can choose the MAC address of the controller to register with the ISP. In some cases you may need to clone the LAN host's MAC address if the ISP is registered with that LAN host.
Figure 98: Manual Option1 configuration
6.2.4 PPPoE
Setup > Internet Settings > Option1 Settings > Option1 Setup
The PPPoE ISP settings are defined on the Option Configuration page. There are two types of PPPoE ISPs supported by the DWC-1000: the standard username/password PPPoE and Japan Multiple PPPoE.
Figure 99: PPPoE configuration for standard ISPs
237. unique security identifiers. The AD client on the appliance will use Authentication port 88 to communicate with server.
Figure 183: Active Directory Configuration Wizard
After configuring the AD server(s), whenever user tries to authenticate with credentials, the client will send AS Request to server and server sends back the AS Response.
Authentication Server 1: The IP Address of the primary authentication server.
Authentication Server 2: The IP Address of the secondary authentication server; it is an optional field.
Authentication Server 3: The IP Address of the tertiary authentication server; it is an optional field.
Active Directory Domain: Since Active Directory is the chosen authentication type, admin must enter the Active Directory domain name in this field. Users that a
238. [Screenshot: List of Peer Controllers table]
Cluster Controller IP Address: IP address of the controller that controls the cluster.
Peer Controllers: Displays the number of peer controllers in the cluster.
IP Address: IP address of the peer wireless controller in the cluster.
Vendor ID: Vendor ID of the peer controller software.
Software Version: The software version for the given peer controllers.
Protocol Version: Indicates the protocol version supported by the software on the peer controllers.
Discovery Reason: The discovery method of the given peer controller, which can be through an L2 Poll or IP Poll.
Managed AP Count: Shows the number of APs that the controller currently manages.
Age: Time since last communication with the controller in Hours, Minutes, and Seconds.
4.1.5 Resource Utilization
Status > Dashboard > Interface
The Dashboard page presents hardware and usage statistics. The CPU and Memory utilization is a function of the available hardware and current configuration and traffic through the controller. Interface statistics for the wired connections (LAN, Option, Option 2, DMZ, VLANs) provide indication of packets through
239. ller that were dropped.
WLAN Packets Transmit Dropped: Total packets transmitted across all APs managed by the controller that were dropped.
WLAN Bytes Receive Dropped: Total bytes received across all APs managed by the controller that were dropped.
WLAN Packets Receive Dropped: Total packets received across all APs managed by the controller that were dropped.
Distributed Tunnel Packets Transmitted: Total number of packets sent by all APs via distributed tunnels.
Distributed Tunnel Roamed Clients: Total number of clients that successfully roamed away from Home AP using distributed tunneling.
Distributed Tunnel Clients: Total number of clients that are associated with an AP that are using distributed tunneling.
Distributed Tunnel Client Denials: Total number of clients for which the system was unable to set up a distributed tunnel when client roamed.
The following actions are supported from this page:
Refresh: Updates the page with the latest information.
Clear Statistics: Reset all counters on the page to zero.
4.7.2 Peer Controller Status
Status > Global Info > Peer Controller > Status
The Peer Controller Status page provides information about other Wireless Controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients. The controller maintains a database with this data so you can view in
240. lls below this rate limit will always conform to and be transmitted to the appropriate destination. The default and maximum rate limit setting is 50 packets per second. This field is disabled if Rate Limiting is disabled.
Receive Lifetime: Shows the number of milliseconds to wait before terminating attempts to reassemble the MMPDU or MSDU after the initial reception of a fragmented MMPDU or MSDU.
Rate Limit Burst: Setting a rate limit burst determines how much traffic bursts can be before all traffic exceeds the rate limit. This burst limit allows intermittent bursts of traffic on a network above the set rate limit. The default and maximum rate limit burst setting is 75 packets per second. This field is disabled if Rate Limiting is disabled.
Station Isolation: When this option is selected, the AP blocks communication between wireless clients. It still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. This feature is disabled by default.
• To enable Multicast and Broadcast Rate Limiting, click Enabled.
• To disable Multicast and Broadcast Rate Limiting, click Disabled.
Channel Bandwidth: The 802.11n specification allows the use of a 40 MHz wide channel in addition to the legacy 20 MHz channel available with other modes. The 40 MHz channel enables higher data rates but leaves fewer channels available for use by other 2.4 GHz and 5 GHz de
241. log file off load. 7.12 Dynamic WCF. Advanced > Website Filter > Category Filtering. This feature allows the administrator to block access to a range of web content categories. The system needs the WCF license, and then the Content Filtering option, which allows the user to filter out internet sites, needs to be enabled. The Dynamic Content Filtering configuration page will let the administrator choose from a range of pre-defined categories to be blocked. When enabled, access to a website belonging to one of these configured categories will be blocked with an error page. • Adult Content: Sites that host explicit sex content, nudity, and sites that use profanity. • News: Sites that offer news and information on current events, including newspapers, broadcasters, and other publishers. • Job Search: Sites that offer job listings, interview coaching, and other employment-related services. • Gambling: Sites that offer online gambling or information about gambling. • Travel/Tourism: Sites with travel and tourism information like city maps and services, including planning trips, reservations for bus, train, airlines, hotel booking, etc. • Shopping: Online shops, catalogs, auction sites, classified ads, etc. • Entertainment: Websites for TV, movies, entertainment news, etc., and sites hosting video content of movies, TV streaming, etc. • Chatrooms/IM: Social networking sites, chatrooms, and instant m
242. long to the server accessible via the Relay Gateway IP address. Starting and Ending IP Addresses: Enter the first and last continuous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address in this range. The default starting address is 192.168.10.100. The default ending address is 192.168.10.254. These addresses should be in the same IP address subnet as the controller's LAN IP address. You may wish to save part of the subnet range for devices with statically assigned IP addresses in the LAN. Default Gateway (Optional): Enter the IP address of the controller which you want to make the default, other than DWC-1000. Primary and Secondary DNS servers: If configured domain name system (DNS) servers are available on the LAN, enter their IP addresses here. Domain Name: Enter domain name. WINS Server (optional): Enter the IP address for the WINS server or, if present in your network, the Windows NetBios server. Lease Time: Enter the time, in hours, for which IP addresses are leased to clients. Enable DNS Proxy: To enable the controller to act as a proxy for all DNS requests and communicate with the ISP's DNS servers, click the checkbox. Relay Gateway: Enter the gateway address. This is the only configuration parameter required in this section when DHCP Relay is selected as its DHCP mode. 3. Click Save Settings to apply all changes. Figure 1 Setup pag
243. lt in the controller, the Dynamic Host Configuration Protocol (DHCP) mode is set to None. The DHCP mode can be set as a DHCP server or DHCP relay. When DHCP mode is DHCP server, the controller functions as a DHCP server to assign IP address leases to hosts on the WLAN or LAN. With DHCP, PCs and other LAN devices can be assigned IP addresses, the default gateway, as well as addresses for DNS servers and Windows Internet Name Service (WINS) servers. The PCs in the LAN are assigned IP addresses from a pool of addresses specified in this procedure. Each pool address is tested before it is assigned, to avoid duplicate addresses on the LAN. For most applications, the default DHCP and TCP/IP settings are satisfactory. If you want another PC on your network to be the DHCP server, or if you are manually configuring the network settings of all of your PCs, set the DHCP mode to none. DHCP relay can be used to forward DHCP lease information from another LAN device that is the network's DHCP server; this is particularly useful for wireless clients. Instead of using a DNS server, you can use a Windows Internet Naming Service (WINS) server. A WINS server is the equivalent of a DNS server but uses the NetBIOS protocol to resolve hostnames. The controller includes the WINS server IP address in the DHCP configuration when acknowledging a DHCP request from a DHCP client. You can also enable DNS proxy for the LAN
244. End Point Address: This is the endpoint address for the tunnel that starts with this router. The endpoint can be the LAN interface (assuming the LAN is an IPv4 network) or a specific LAN IPv4 address. IPv4 Address: The end point address, if not the entire LAN. 6.9 IGMP Setup. Note: The following feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Advanced Network > IGMP Setup. Active IGMP snooping is referred to as IGMP proxy. When in use, IGMP packets through the LAN are filtered in order to reduce the amount of multicast traffic in the network. Figure 115: IGMP Setup. The IGMP Proxy page allows the user to enable IGMP proxy on a LAN interface. Enable IGMP Proxy: Check this to enable IGMP proxy on this LAN. Allowed Ne
245. match the secret on RADIUS server. Timeout: Set the amount of time, in seconds, the router should wait for a response from the RADIUS server. Retries: This determines the number of tries the router will make to the RADIUS server before giving up. 11.7.2 NT Domain Settings. Setup > External Authentications > NT Domain Settings. NT Domain offers centralized control over the network. The samba module is used to provide domain control. The authentication protocol used is NTLM (NT LAN Manager), which is a challenge-response authentication protocol. First, the client will send a negotiate message with the values configured by the admin as part of the NT domain. Next, the server will send the challenge message, and finally the client will send the authenticate message to the server. With success at all steps, the authentication will take place. Figure 181: NT Domain Configuration. This page allows you to configure NT Domain servers.
246. mation about other Unified Wireless Controllers in the network. Peer wireless Controllers within the same cluster exchange data about themselves, their managed APs, and clients. The Controller maintains a database with this data so you can view information about a peer, such as its IP address and software version. If the Controller loses contact with a peer, all of the data for that peer is deleted. List of Peer Controllers (columns: IP Address, Vendor ID, Software Version, Discovery Reason, Managed AP Count, Age). The following actions are supported from this page: Refresh: Updates the page with the latest information. 4.7.3 Peer Controller Configuration Status. Status > Global Info > Peer Controller > Configuration. You can push portions of the controller configuration from one controller to another controller in the cluster. The Peer Controller Configuration Status page displays information about the configuration sent by a peer controller in the cluster. It also identifies the IP address of each peer controller that received the configuration information. Peer IP Address: Shows the IP address of each peer wireless controller in the cluster that received configuration information. Configuration Controller IP Addres
247. meout: Set the amount of time, in seconds, the appliance should wait for a response from the authentication server. Retries: The number of attempts the appliance will make to the authentication server before giving up and considering the authentication attempt as failed. First Administrator Account: Primary admin account in LDAP server that will be used when LDAP authentication is required for PPTP/L2TP connection. Password: Primary admin password. Second Administrator Account: Second admin account in LDAP server that will be used when LDAP authentication is required for PPTP/L2TP connection. Password: Second admin password. Third Administrator Account: Third admin account in LDAP server that will be used when LDAP authentication is required for PPTP/L2TP connection. Password: Third admin password. After configuring all fields in LDAP configuration, the administrator can use the Server Checking option to check the server reachability. When the administrator clicks on the server checking button, the server reachability status for the configured servers is returned. 11.7.4 Active Directory Settings. Setup > External Authentications > Active Directory Settings. Active Directory (AD) structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g. printers) and security principals (user or computer accounts and groups). Security principals are assigned
248. meters that are needed to connect to the wireless network. Use AP Provisioning to connect devices to a network enabled for mutual authentication. If a network is not enabled for mutual authentication, then APs can be attached to the network by properly configuring the local Valid AP database or RADIUS AP database and discovery options. The provisioning feature can optionally be used on networks not enabled for mutual authentication to simplify AP attachment to the cluster. MAC Address: MAC address of the AP. IP Address: IP Address of the AP. Primary IP Address: The IP address of the primary provisioned controller as reported by the AP. Backup IP Address: The IP address of the backup provisioned controller as reported by the AP. New Primary IP Address: Enter the IP address of primary controller to which the AP should try to connect. New Backup IP Address: Enter the IP address of controller to which the AP should try to connect if it is unable to connect to the primary controller. Status: Status of the most recently issued AP provisioning command, which has one of the following values: • Not Started: Provisioning has not been started for this AP. • Success: Provisioning finished successfully for this controller. The AP Provisioning Status table should reflect the latest provisioning configuration. • In Progress: Provisioning is in progress for this AP. • Invalid Controller IP Address
249. multiple concurrent sessions to allow remote users to access the LAN over an encrypted link through a customizable user portal interface, and each SSL VPN user can be assigned unique privileges and network resource access levels. The remote user can be provided different options for SSL service through this controller. VPN Tunnel: The remote user's SSL-enabled browser is used in place of a VPN client on the remote host to establish a secure VPN tunnel. An SSL VPN client (ActiveX or Java based) is installed in the remote host to allow the client to join the corporate LAN with pre-configured access/policy privileges. At this point a virtual network interface is created on the user's host, and this will be assigned an IP address and DNS server address from the controller. Once established, the host machine can access allocated network resources. Port Forwarding: A web-based (ActiveX or Java) client is installed on the client machine again. Note that Port Forwarding service only supports TCP connections between the remote user and the controller. The controller administrator can define specific services or applications that are available to remote port forwarding users instead of access to the full LAN like the VPN tunnel. Note: ActiveX clients are used when the remote user accesses the portal using the Internet Explorer browser. The Java client is used for other browsers like Mozilla Firefox, Netscape Navigator, Google Chrome, and Apple Safari.
250. n of VPN Firewall features for the system. Advanced > Intel AMT. Intel Active Management Technology enables IT managers to remotely access and manage every networked computing system, even those that lack a working operating system or hard drive or are turned off, as long as the PC/Notebook is connected to line power and to the network, even if the PC/Notebook is off or the OS is crashed. Intel AMT uses a separate management processor that runs independently on the client machine and can be reached through the wired or wireless network. With D-Link DSR Routers, Intel AMT Technology could cross Internet seamlessly, and it's an ideal solution to help IT managers with asset management over Internet. Figure 168: Intel AMT (Intel AMT Reflector settings: Redirect to Port / Listen on Port for ports 16992, 16993, 16994, 16995 and 9971). This page allows you to configure Intel AMT service. Enable Ports: When enabled, inbound/outbound firewall rules are added for certain ports to enable Intel AMT service. Option Hosts: If the user s
251. n the Option. Xauth User: This user's authentication is performed by an externally configured RADIUS or other Enterprise server. It is not part of the local user database. SSLVPN User: This user has access to the SSL VPN services as determined by the group policies and authentication domain of which it is a member. The domain-determined SSL VPN portal will be displayed when logging in with this user type. Admin: This is the controller's super user, and can manage the controller, use SSL VPN to access network resources, and login to L2TP/PPTP servers on the Option. There will always be one default administrator user for the GUI. Guest User (read-only): The guest user gains read-only access to the GUI to observe and review configuration settings. The guest does not have SSL VPN access. Captive Portal User: These captive portal users have access through the controller. The access is determined based on captive portal policies. Front Desk User: The front desk user has the ability to create temporary HotSpot users that can access the internet or other networks via Captive Portal authentication. Idle Timeout: This is the login timeout period for users of this group. Figure 150: User Group Configuration. This page allows user to add a new user group. Once this group is added, a user can then add system users t
252. n the controller will be tagged. Data passing through the phone from a connected device will be untagged. Figure 22: Port VLAN list. This page allows user to configure the port VLANs. A user can choose ports and can add them into a VLAN. • In Access mode the port is a member of a single VLAN (and only one). All data going into and out of the port is untagged. Traffic through a port in access mode looks like any other Ethernet frame. • In Trunk mode the port is a member of a user-selectable set of VLANs. All data going into and out of the port is tagged. Untagged data coming into the port is not forwarded, except for the default VLAN with PVID 1, which is untagged. Trunk ports multiplex traffic for multiple VLANs over the same physical link. • Select PVID for the port when the General mode is selected. • Configured VLAN memberships will be displayed on the VLAN Membership Configuration for the port. By selecting one or more VLAN membership options for a General or Trunk port, traffic can be routed between the selected VLAN membership IDs. Figure 23: Configuring VLAN membership for a port
253. naged by the controller. Figure 146: L2TP tunnel configuration (L2TP Server). L2TP allows an external user to connect to your router through the internet, forming a VPN. This section allows you to enable/disable L2TP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they are on your LAN (they can communicate with LAN hosts, any servers present, etc.). 8.4.3 OpenVPN Support. Setup > VPN Settings > OpenVPN > OpenVPN Configuration. OpenVPN allows peers to authenticate each other using a pre-shared secret key, certificates, or username/password. When used in a multiclient-server configuration, it allows the server to release an authentication certificate for every client, using signature and Certificate authority. An OpenVPN can be established through this controller. Check/Uncheck this and click save settings to start/stop the OpenVPN server. Mode: OpenVPN daemon mode. It can run in server mode, client mode, or access server client mode. In access se
254. nd configure each port to trust CoS or DSCP values in the packet. Figure 11: LAN QoS Configuration. Please enable QoS for LAN ports to set Trust Mode to LAN ports. Enabling QoS on LAN is an advanced configuration which is required only if you expect congestion on the traffic on the LAN ports. LAN Port: This lists the available LAN ports. Classify Using: This provides the list of QoS services available on the port. 2.2.2 801 P Priority: CoS to Port Mapping. Setup > QoS > 801 P Priority. Port CoS Mapping enables you to change the priority of the PCP value. Figure 12: 801 P Configuration (CoS to Port Priority Queue Mapping).
255. nfiguration. Setup > Internet Settings > Option1 Settings > Option1 Setup. You must either allow the controller to detect Option connection type automatically or configure manually the following basic settings to enable Internet connectivity. Connection type: Based on the ISP you have selected for the primary Option link for this controller, choose Static IP address, DHCP client, Point-to-Point Tunneling Protocol (PPTP), Point-to-Point Protocol over Ethernet (PPPoE), or Layer 2 Tunneling Protocol (L2TP). Required fields for the selected ISP type become highlighted. Enter the following information as needed and as provided by your ISP. PPPoE Profile Name: This menu lists configured PPPoE profiles, particularly useful when configuring multiple PPPoE connections (i.e. for Japan ISPs that have multiple PPPoE support). ISP login information: This is required for PPTP and L2TP ISPs. • User Name • Password • Secret (required for L2TP only). MPPE Encryption: For PPTP links, your ISP may require you to enable Microsoft Point-to-Point Encryption (MPPE). Split Tunnel (supported for PPTP and L2TP connection): This setting allows your LAN hosts to access internet sites over this Option link while still permitting VPN traffic to be directed to a VPN configured on this Option port. Note: If split tunnel is enabled, DWC won't expect a default route from the ISP server. In such case, user has t
256. nformation. 4.6.3 Managed AP Status. Status > Access Point Info > Managed AP Status. In the Managed AP Status page, you can access a variety of information about each AP that the controller manages. Figure 68: Managed AP status (List of Managed APs; columns: MAC Address, IP Address, Age, Status, Profile, Radio Interface). MAC Address: The Ethernet address of the controller-managed AP. IP Address: The network IP address of the managed AP. Age: Time since last communication between the Controller and the AP. Status: The current managed state of the AP. The possible values are: • Discovered: The AP is discovered by the controller, but is not yet authenticated. • Authenticated: The AP has been validated and authenticated (if authentication is enabled), but it is not configured. • Managed: The AP profile configuration has been applied to the AP and it's operating in managed mode. • Failed: The Controller lost contact with the AP; a failed entry will remain in
257. ng tables in order to adapt to modifications in the LAN without interrupting traffic flow. The RIP direction will define how this controller sends and receives RIP packets. Choose between: • Both: The controller both broadcasts its routing table and also processes RIP information received from other controllers. This is the recommended setting in order to fully utilize RIP capabilities. • Out Only: The controller broadcasts its routing table periodically but does not accept RIP information from other controllers. • In Only: The controller accepts RIP information from other controller, but does not broadcast its routing table. • None: The controller neither broadcasts its route table nor does it accept any RIP packets from other controllers. This effectively disables RIP. • The RIP version is dependent on the RIP support of other routing devices in the LAN. • Disabled: This is the setting when RIP is disabled. RIP-1 is a class-based routing version that does not include subnet information. This is the most commonly supported version. RIP-2 includes all the functionality of RIPv1 plus it supports subnet information. Though the data is sent in RIP-2 format for both RIP-2B and RIP-2M, the mode in which packets are sent is different. RIP-2B broadcasts data in the entire subnet while RIP-2M sends data to multicast addresses. 6.4.3 If RIP-2B or RIP-2M is the selected version, au
258. ng the controller. Instead, you log on to the AP itself and manage it by using the Administrator Web User Interface (UI), CLI, or SNMP. If you select the Standalone mode, the screen refreshes and different fields appear. For Standalone mode, the following fields are enabled: Expected SSID, Expected Channel, Expected WDS Mode, Expected Security Mode, and Expected Wired Network Mode. • Managed: The AP is part of the D-Link Wireless Controller, and you manage it by using the Wireless Controller. If an AP is in Managed Mode, the Administrator Web UI and SNMP services on the AP are disabled. • Rogue: Select Rogue as the AP mode if you wish to be notified (through an SNMP trap, if enabled) when this AP is detected in the network. Additionally, when this AP is detected through an RF scan, the status is listed as Rogue. If you select the Rogue mode, the screen refreshes and fields that do not apply to this mode are hidden. Location: To help you identify the AP, you can enter a location. This field accepts up to 32 alphanumeric characters. Authentication Password: You can require that the AP authenticate itself with the controller upon discovery. Select the Edit option and enter the password in this field. The valid password range is between 8 and 63 alphanumeric characters. The password in this field must match the password configured on the AP. Profile: If you configure multiple AP Profiles, you can select t
259. nkwlan mib file. Example: the wsClientAssociationDetected trap comes under wsTraps, which has value 20. Figure 170: SNMP Trap settings (Wireless SNMP Trap Configuration: AP Failure, AP State Change, Client Failure, Client State Change, Peer Controller, RF Scan, Rogue AP, WIDS Status, and Wireless Status traps). If you use Simple Network Management Protocol (SNMP) to manage the Unified Wireless Controller, you can configure the SNMP agent on the Controller to send traps to the SNMP manager on your network. To use SNMP traps, associate the device to a trap manager. Add the trap manager IP address and port in the Maintenance > Management > SNMP > SNMP Trap List page. • IP Address: IP address of SNMP manager. • Port: Trap port number (Range 0-65535). • Community: community used for authentication. • Authentication Type: v1, v2c, v3. 1
260. nose uptime or transmit level issues with the port. The statistics table has auto-refresh control, which allows display of the most current port level data at each page refresh. The default auto-refresh for this page is 10 seconds. Figure 57: Physical port statistics. This page shows the Rx/Tx packet and byte count for all the system interfaces. It also shows the up time for all the interfaces. 4.3 Associated Client Status Statistics. 4.3.1 Managed AP Statistics. Status > Traffic Monitor > Managed AP Statistics. The managed AP statistics page shows information about traffic on the wired and wireless interfaces of the access point. This information can help diagnose network issues, such as throughput problems. The following figure shows the Managed Access Point Statistics page with a managed AP. MAC Address: This field shows the MAC address of the client station. Interface: This field shows the interface type, WLAN or Ethernet. Packet Transmitted: This field shows the packet transmitted to the client station. Packet Received: This field shows the packet received to the client station. Bytes Transmitted: Th
261. o it. When SSLVPN users are selected, the SSLVPN settings are displayed with the following parameters as captured in SSLVPN Settings. As per the Authentication Type, SSL VPN details are configured. • Authentication Type: The authentication type can be one of the following: Local User Database (default), Radius-PAP, Radius-CHAP, Radius-MSCHAP, Radius-MSCHAPv2, NT Domain, Active Directory, and LDAP. • Authentication Secret: If the domain uses RADIUS authentication, then the authentication secret is required, and this has to match the secret configured on the RADIUS server. • Workgroup: This is required for NT domain authentication. If there are multiple workgroups, user can enter the details for up to two workgroups. • LDAP Base DN: This is the base domain name for the LDAP authentication server. If there are multiple LDAP authentication servers, user can enter the details for up to two LDAP Base DN. • Active Directory Domain: If the domain uses the Active Directory authentication, the Active Directory domain name is required. Users configured in the Active Directory databa
262. o take care of routing manually by configuring the routing from Static Routing page. To keep the connection always on, click Keep Connected. To log out after the connection is idle for a period of time (useful if your ISP costs are based on logon times), click Idle Timeout and enter the time, in minutes, to wait before disconnecting in the Idle Time field. 6.2.1 Option Port IP address. Your ISP assigns you an IP address that is either dynamic (newly generated each time you log in) or static (permanent). The IP Address Source option allows you to define whether the address is statically provided by the ISP or should be received dynamically at each login. If static, enter your IP address, IPv4 subnet mask, and the ISP gateway's IP address. PPTP and L2TP ISPs also can provide a static IP address and subnet to configure; however, the default is to receive that information dynamically from the ISP. 6.2.2 6.2.3 Option DNS Servers. The IP Addresses of Option Domain Name Servers (DNS) are typically provided dynamically from the ISP, but in some cases you can define the static IP addresses of the DNS servers. DNS servers map Internet domain names (example: www.google.com) to IP addresses. Click to indicate whether to get DNS server addresses automatically from your ISP or to use ISP-specified addresses. If it's the latter, enter addresses for the primary and secondary DNS servers. To avoid connectivity prob
263. o the internet, the most accurate mechanism to set the controller time is to enable NTP server communication. Note: Accurate date and time on the controller is critical for firewall schedules, Wi-Fi power saving support to disable APs at certain times of the day, and accurate logging. Please follow the steps below to configure the NTP server: 1. Select the controller time zone, relative to Greenwich Mean Time (GMT). 2. If supported for your region, click to Enable Daylight Savings. 3. Determine whether to use default or custom Network Time Protocol (NTP) servers. If custom, enter the server addresses or FQDN. Figure 190: Date, Time, and NTP server setup. This page allows us to set the date, time and NTP servers. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock time in a network of computers. Accurate time across a network is important for many reasons.
264. oes not recommend any channel changes. • Current Channel: Shows the current operating channel for the AP that the algorithm recommends for new channel assignments. • New Channel: Shows the proposed operating channel for the AP. The following actions are supported from this page: Start: To initiate the channel plan algorithm. Figure 91: Manual Channel Plan. 5.2.4 Manual Power Adjustment Plan. Setup > AP Management > RF Management > Manual Power Adjustment Plan. If you select Manual as the Power Adjustment Mode on the Configuration tab, you can manually initiate the power adjustment algorithm on the Manual Power Adjustments page. Current Status: Shows the Current Status of the plan, which is one of the following states: • None: The power adjustment algorithm has not been manually run since the last controller reboot. • Algorithm In Progress: The power adjustment algorithm is running. • Algorithm Complete: The power adjustment algorithm has finished running. • A table
265. of clients in the associated client database with an Authenticated status. Maximum Associated Clients: Maximum number of clients that can associate with the wireless system. This is the maximum number of entries allowed in the Associated Client database. Detected Clients: Number of wireless clients detected in the WLAN. Maximum Detected Clients: Maximum number of clients that can be detected by the controller. The number is limited by the size of the Detected Client Database. Maximum Pre-authentication History Entries: Maximum number of Client Pre-Authentication events that can be recorded by the system. Total Pre-authentication History Entries: Current number of pre-authentication history entries in use by the system. Maximum Roam History Entries: Maximum number of entries that can be recorded in the roam history for all detected clients. Total Roam History Entries: Current number of pre-authentication history entries in use by the system. 4.8.2 Associated Client Status. Status > Wireless Client Info > Associated Clients > Status. You can view a variety of information about the wireless clients that are associated with the APs the controller manages. MAC Address: The Ethernet address of the client station. If the MAC address is followed by an asterisk, the client is associated with an AP managed by a peer controller. AP MAC Address: The Ethernet address of the
266. of the managed AP to which the client authenticated. Radio Interface Number: Radio Number to which the client is authenticated. VAP MAC Address: VAP MAC address to which the client roamed. SSID: Name used by the VAP. New Authentication: A flag indicating whether the history entry represents a new authentication or a roam event. Age: Time since the history entry was added. Figure 86: Detected Client Roam History. (Screenshot: list of detected clients' roam history with columns AP MAC Address, Radio, VAP MAC Address, SSID, Status, and Time Since Event, plus Refresh and Purge History buttons.) This page includes the following buttons: Refresh: Updates the page with the latest information. Purge History: To purge the history when the list of entries is full. View Details: Shows the details of the detected clients
267. ollowing events (in order of severity) can be logged: Emergency, Alert, Critical, Error, Warning, Notification, Information, Debugging. When a particular severity level is selected, all events with severity equal to and greater than the chosen severity are captured. For example, if you have configured CRITICAL level logging for the Wireless facility, then 802.11 logs with severities CRITICAL, ALERT, and EMERGENCY are logged. The severity levels available for logging are: • EMERGENCY: system is unusable • ALERT: action must be taken immediately • CRITICAL: critical conditions • ERROR: error conditions • WARNING: warning conditions • NOTIFICATION: normal but significant condition • INFORMATION: informational • DEBUGGING: debug-level messages. Figure 191: Facility settings for Logging. (Screenshot: Logs Facility page with Display and Send Logs options: Display in Event Log, Send to Syslog.) The display for logging can be customized based on where the logs are sent, either the Event Log viewer in the GUI (the Event Log viewer is in the S
268. on (Screenshot residue: log options for Option to LAN, Option to DMZ, DMZ to Option, LAN to DMZ, DMZ to LAN, VLAN to VLAN, All Unicast Traffic, All Broadcast/Multicast Traffic, FTP Logs, Redirected ICMP Packets, Invalid Packets, Bandwidth Limit, Captive Portal.) 12.6.2 Sending Logs to E-mail or Syslog. Tools > Log Settings > Remote Logging. Once you have configured the type of logs that you want the controller to collect, they can be sent to either a Syslog server or an E-Mail address. For remote logging, a key configuration field is the Remote Log Identifier. Every logged message will contain the configured prefix of the Remote Log Identifier, so that syslog servers or email addresses that receive logs from more than one controller can sort for the relevant device's logs. Once you enable the option to e-mail logs, enter the e-mail server's address (IP address or FQDN) of the SMTP server. The controller will connect to this server when sending e-mails out to the configured addresses. The SMTP port and return e-mail addresses are required fields to allow the controller to package the logs and send a valid e-mail that is accepted by one of the configured "send-to" addresses. Up to three e-mail addresses can be configured as log recipients. In order to establish a connection with the configured SMTP port and server, define
269. on Interface Optiont 2 2 Traffic Selector Configuration. Setup > QoS > Traffic Selector Configuration. After you create a bandwidth profile, you can associate it with a traffic flow. Figure 18: Traffic Selector Configuration. (Screenshot: Traffic Selectors page with fields Traffic Selector Match Type, IP Address, MAC Address, Port Name, Available VLANs, DSCP Value.) Available Profiles: Select one of the previously configured bandwidth profiles to associate this traffic selector. Service: Select one of the services from the available services. Traffic Selector Match Type: Choose the method for identifying the host that is controlled by this traffic selector: IP Address, MAC Address, Port Name, VLAN Name, DSCP value, or BSSID. IP Address: Enter IP Address of LAN host if you chose IP as the Match Type. MAC Address: Enter a valid MAC Address if you chose MAC Address as the Match Type. Port Name: Select the LAN port number if you chose Port Name as the Match Type. Available VLANs: Select a VLAN if you chose VLAN Name as the Match Type. DSCP value: Enter a valid DSCP value between 0 and 63 if you chose DSCP as the Match Type. 2.2.6 Remark CoS to DSCP. Setup > QoS > Remark CoS to DSCP. Remark
270. on must be the same as the DWC-1000 WLAN module version. Server Address: Enter the IP address of the host where the upgrade file is located. The host must have a TFTP server installed and running. File Path: Enter the file path on the TFTP server where the software is located. You may enter up to 96 characters. File Name: Enter the name of the upgrade file. You may enter up to 32 characters, and the file extension .tar must be included. Group Size: When you upgrade multiple APs, each AP contacts the TFTP server to download the upgrade file. To prevent the TFTP server from being overloaded, you can limit the number of APs to be upgraded at a time. In the Group Size field, enter the number of APs that can be upgraded at the same time. When one group completes the upgrade, the next group begins the process. Image Download Type: Type of the image to be downloaded, which can be one of the following: • All images (img_dwl8600, img_dwl3600/6600, and img_dwl8610) • img_dwl8600 • img_dwl3600/6600 • img_dwl2600 • img_dwl8610. To download all images, make sure you specify the file path and file name for both images in the appropriate File Path and File Name fields. Managed AP: The list shows all the APs that the controller manages. If the controller is the Cluster Controller, then the list shows the APs managed by all controllers in the cluster. Each AP is identified by its MAC address, IP addres
271. onal (Screenshot residue: Optional, Optional, Seconds, 5.) After configuring NT Domain Settings, users in the configured domain are able to authenticate. The following fields need to be configured in NT Domain configuration: Authentication Server 1: The IP Address of the primary authentication server. Authentication Server 2: The IP Address of the secondary authentication server; it is an optional field. Authentication Server 3: The IP Address of the tertiary authentication server; it is an optional field. Workgroup: This is the Workgroup for Authentication Server 1. The NT domain type of authentication requires the workgroup field; contact your administrator for the workgroup needed to configure NT Domain authentication. Second Workgroup: Workgroup for Authentication Server 2. Though it is optional, if Authentication Server2 is defined this field becomes necessary. Third Workgroup: Workgroup for Authentication Server 3. Though it is optional, if Authentication Server2 is defined this field becomes necessary. Timeout: Set the amount of time in seconds the appliance should wait for a response from the authentication server. Retries: The number of attempts the appliance will make to the authentication server before giving up and considering the authentication attempt as failed. After configuring all fields in NT Domain settings, to check the server re
272. ontroller IP Address: Shows the IP address of the controller that manages the AP to which the client is associated. Client MAC Address: Shows the MAC address of the associated client. Figure 83: Controller Associated Client Status. (Screenshot: list of controller associated clients with columns Controller IP Address and Client MAC Address, plus Disassociate, View Client Details, and Refresh buttons.) The following actions are supported from this page: Disassociate: Disassociates the client from the managed AP. View Client Details: Display associated client details. Refresh: Updates the page with the latest information. 4.8.6 Detected Client Status. Status > Wireless Client Info > Detected Clients. Wireless clients are detected by the wireless system when the clients either attempt to interact with the system or when the system detects traffic from the clients. The Detected Client Status page contains information about clients that have authenticated with an AP as well as information about clients that disassociate and are no longer connected to the system. MAC Address: The Ethernet address of the client. Client Name: Shows the name of the
273. oose Enable or Disable. The controller applies firewall rules in the order listed. As a general rule, you should move the strictest rules (those with the most specific services or addresses) to the top of the list. To reorder rules, click the checkbox next to a rule and click up or down. Figure 120: Example where an outbound SNAT rule is used to map an external IP address (209.156.200.225) to a private DMZ IP address (10.30.30.30). (Diagram labels: www.example.com; Internet; Public IP Address 209.165.200.225 on the outside interface; DWC; Source Address Translation 209.165.201.225 > 10.30.30.30; DMZ interface 10.30.30.1; Inside interface 192.168.10.1; User 192.168.10.10; DMZ Web Server with Private IP Address 10.30.30.30 and Public IP Address 209.165.200.225.) Figure 121: The firewall rule configuration page allows you to define the To/From zone, service, action, schedules, and specify source/destination IP addresses as needed. (Screenshot: Firewall Rules configuration page. This page allows you to add a new firewall rule or edit the configuration of an existing firewall rule. The details will then be displayed in the List of Available Firewall Rules table on the Firewall Rules page. Fields shown: From Zone SECURE (LAN), Available VLANs Default, To Zone INSECURE (Option), Available VLANs
274. option will reduce the power to a LAN port if an Ethernet cable of less than 10 ft is detected as being connected to that port. Jumbo Frames Option: When enabled, LAN side devices can exchange traffic containing jumbo frames. 7.15 Protecting from Internet Attacks. Advanced > Advanced Network > Attack Checks. Attacks can be malicious security breaches or unintentional network issues that render the controller unusable. Attack checks allow you to manage Option security threats such as continual ping requests and discovery via ARP scans. TCP and UDP flood attack checks can be enabled to manage extreme usage of Option resources. Additionally, certain Denial of Service (DoS) attacks can be blocked. These attacks, if uninhibited, can use up processing power and bandwidth and prevent regular network services from running normally. ICMP packet flooding, SYN traffic flooding, and Echo storm thresholds can be configured to temporarily suspect traffic from the offending source. Figure 136: Protecting the controller and LAN from internet attacks. (Screenshot: Attack Checks page. This page allows you to specify whether or not to protect against common attacks from the LAN and WAN networks. Visible labels include Block TCP flood and LAN Security Checks.)
275. overy list can contain the IP addresses of peer controller and APs for the UWS to discover and associate with as part of the WLAN. (Screenshot residue: List of IP Addresses, 192.168.10.101.) L2/VLAN Discovery: The D-Link Wireless Device Discovery Protocol is a good discovery method to use if the controller and APs are located in the same Layer 2 multicast domain. The wireless controller periodically sends a multicast packet containing the discovery message on each VLAN enabled for discovery. The following actions are supported from this page: Add: Adds the data in the IP Address or VLAN field to the appropriate list. Delete: Deletes the selected entry from the IP or VLAN list. 2.8.1 Wireless Discovery Status. Status > Global Info > IP Discovery. The IP Discovery list can contain the IP addresses of peer controller and APs for the DWC-1000 to discover and associate with as part of the WLAN. IP Address: Shows the IP address of the device configured in the IP Discovery list. Status: The wireless discovery status is in one of the following states: • Not Polled: The controller has not attempted to contact the IP address in the L3/IP Discovery list. • Polled: The controller has attempted to contact the IP address. • Discovered: The controller contacted the peer controller or the AP in the L3/IP Discovery list and has authenticated or validated the device. • Discovered Fail
276. (Screenshot residue: DSCP-to-queue mapping rows, each set to Low, ending at DSCP 63.) DSCP: Lists the IP DSCP values to which you can map an internal traffic class. The values range from 0-63. Queue: This provides the priority of the queue. 2.2.4 Port Queue Scheduling. Setup > QoS > Queue Scheduler. This page allows the admin to determine the queuing scheduling algorithm. Queuing scheduling algorithm: The scheduling algorithm for the LAN controller can be configured here. The supported algorithms are strict and weighted round robin only. The device will be programmed to handle the traffic using the algorithm configured here. Figure 14: Port Queue Scheduler. (Screenshot: Port Queue Scheduling page with Queue Scheduling Algorithm options Strict and Weighted Round Robin.) 2.2.5 Port Queue Status. Setup > QoS > Queue Management. This page shows the cur
277. page: Add: Add a client with the MAC address you enter in the field to the Known Client database. Delete: Removes the selected client from the Known Client database. Edit: Changes the setting of a particular MAC address. 7.8 Application Rules. The following feature is available upon licensed activation of VPN Firewall features for the system. Advanced > Application Rules > Application Rules. Application rules are also referred to as port triggering. This feature allows devices on the LAN or DMZ to request one or more ports to be forwarded to them. Port triggering waits for an outbound request from the LAN/DMZ on one of the defined outgoing ports, and then opens an incoming port for that specified type of traffic. This can be thought of as a form of dynamic port forwarding while an application is transmitting data over the opened outgoing or incoming port(s). Port triggering application rules are more flexible than static port forwarding that is an available option when configuring firewall rules. This is because a port triggering rule does not have to reference a specific LAN IP or IP range. As well, ports are not left open when not in use, thereby providing a level of security that port forwarding does not offer. Port triggering is not appropriate for servers on the LAN, since there is a dependency on the LAN device making an outgoing connection before incoming ports are open
278. panning Tree Path cost for the WDS link. The range is 0-255. When multiple alternate paths are defined in the WDS group, the link cost is used to indicate which links are the primary links and which links are the secondary links. The spanning tree selects the path with the lowest link cost. Note: If no links have been configured for the selected WDS group, only the Add and Refresh buttons display. Note: After changing WDS Managed AP group settings, make sure to push the configuration to other controllers in the cluster. 11.7 External Authentications. This feature is available with the VPN Firewall license. The admin can configure external authentication (XAUTH). Rather than configure a unique VPN policy for each user, the admin can configure the VPN gateway router to authenticate users from a stored list of user accounts or with an external authentication server such as a RADIUS server. With a user database, user accounts created in the router are used to authenticate users. With a configured RADIUS server, the router connects to a RADIUS server and passes to it the credentials that it receives from the VPN client. You can secure the connection between the router and the RADIUS server with the authentication protocol supported by the server (PAP or CHAP). For RADIUS PAP, the router first checks in the user database to see if the user credentials are available; if they are not, the router connects to the RADIUS server
279. proxy for all DNS requests and communicates with the ISP's DNS servers (an optional configuration parameter). Primary and Secondary DNS servers: If there are configured domain name system (DNS) servers available on the LAN, enter the IP addresses here. Lease Rebind time: It sets the duration of the DHCPv6 lease from this router to the LAN client. IPv6 Address Pools: This feature allows you to define the IPv6 delegation prefix for a range of IP addresses to be served by the gateway's DHCPv6 server. Using a delegation prefix, you can automate the process of informing other networking equipment on the LAN of DHCP information specific for the assigned prefix. Prefix Delegation: The following settings are used to configure the Prefix Delegation. Prefix Delegation: Select this option to enable prefix delegation in DHCPv6 server. This option can be selected only in Stateless Address Auto Configuration mode of DHCPv6 server. Prefix Address: IPv6 prefix address in the DHCPv6 server prefix pool. Prefix Length: Length prefix address. 2.1.5 DHCPv6 Leased Clients. Advanced > IPv6 > IPv6 LAN > DHCPv6 Leased Clients. This page provides the list of DHCPv6 clients connected to the LAN DHCPv6 Server and to whom DHCPv6 Server has given leases. Figure 8: DHCPv6 Leased Clients. (Screenshot: DHCPv6 Leased Clients page.) This table
280. r POP3 (Screenshot residue: Authentication Type, Captive Portal Profile default, Create a Profile.) Captive Portal Type: Select any of the 4 types of access types: Free, SLA, Permanent User, and Temporary User. Free: No authentication is required for users connected to this VLAN. This option means that the VLAN does not have Captive Portal in use for joining this network. SLA: SLA stands for Service Level Agreement. If this is selected as Captive Portal type, then users connected to this VLAN need to accept the Service Level Agreement before accessing anything outside this VLAN. Permanent User: When this option is selected, users need to get authenticated before accessing data outside this VLAN. Only permanent Captive Portal users can login from this VLAN. Administrator can create Permanent Captive Portal users; only those users can login from captive portal to access data outside VLAN. Temporary User: When this option is selected, users will get authenticated before accessing data outside this VLAN. Only temporary Captive Portal users created by front desk user can login from this VLAN. Administrator can create front desk user, and front desk user will login to front desk page and generate Temporary users. Only Temporary users created by front desk user are allowed to access data outside VLAN. Enable Redirect: Selecting this option will ena
281. r Controller: Number of peer WLAN controllers detected on the network. Cluster Controller: Indicates whether this controller is the Cluster Controller for the cluster. Cluster Controller IP Address: The IP address of the peer controller that is the Cluster Controller. Total Access Points: Total number of Managed APs in the database. This value is always equal to the sum of Managed Access Points, Connection Failed Access Points, and Discovered Access Points. Managed Access Points: Number of APs in the managed AP database that are authenticated, configured, and have an active connection with the controller. Standalone Access Points: Number of trusted APs in Standalone mode. APs in Standalone mode are not managed by a controller. Rogue Access Points: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues. Discovered Access Points: APs that have a connection with the controller but haven't been completely configured. This value includes all managed APs with a Discovered or Authenticated status. Connection Failed Access Points: Number of APs that were previously authenticated and managed but currently don't have connection with the Unified Controller. Authentication Failed Access Points: Number of APs that failed to establish communication with the Unified Controller. Unknown Access Points: Number of Un
282. r neighbors. View AP Details: Shows detailed status information collected from the AP. View Radio Details: Shows detailed status for a radio interface. Use the radio button to navigate between the two radio interfaces. View Neighbour APs: Shows the neighbour APs that the specified AP has discovered through periodic RF scans on the selected radio interface. View Neighbour Clients: Shows information about wireless clients associated with an AP or detected by the AP radio. View VAP Details: Shows summary information about the virtual access points (VAPs) for the selected AP and radio interface on the APs that the controller manages. View Distributed Tunneling Details: Shows information about the L2 tunnels currently in use on the AP. Figure 53: Wireless LAN AP information. (Screenshot: Managed AP Status page listing managed APs with columns MAC Address, Peer Managed, IP Address, Age, Status, Profile, and Radio Interface, plus buttons including View AP Details, View Radio Details, and View Neighbor APs.)
284. raffic will be rolled over to the backup port. When configured in Auto Failover mode, the link status of the primary Option port is checked at regular intervals as defined by the failure detection settings. Note that both Option and Option2 can be configured as the primary internet link. • Auto-Rollover using Option port. • Primary Option: Selected Option is the primary link (Option1/Option2). • Secondary Option: Selected Option is the secondary link. Failover Detection Settings: To check connectivity of the primary internet link, one of the following failure detection methods can be selected: • DNS lookup using Option DNS Servers: DNS Lookup of the DNS Servers of the primary link are used to detect primary Option connectivity. • DNS lookup using Option Servers: DNS Lookup of the custom DNS Servers can be specified to check the connectivity of the primary link. • Ping these IP addresses: These IPs will be pinged at regular intervals to check the connectivity of the primary link. • Retry Interval is: The number tells the controller how often it should run the above configured failure detection method. • Failover after: This sets the number of retries after which failover is initiated. Load Balancing: This feature allows you to use multiple Option links (and presumably multiple ISPs) simultaneously. After configuring more than one Option port, the load balancing option is av
285. ral operations on the rules. (Screenshot residue: navigation menu.) In the above example, if there is an IP/MAC Binding violation, the violating packet will be dropped and logs will be captured. 7.14 Switch Settings. Advanced > Switch Settings. This page allows user to enable/disable power saving and jumbo frames in the router. Figure 135: Switch settings. (Screenshot: Switch Settings page with Power Saving Options, Power Saving by Link Status and Power Saving by Cable Length, and Jumbo Frames Option.) Power Saving State: When enabled, the total power to the LAN controller is dependent on the number of connected ports. The overall current draw when a single port is connected is less than when all of the available LAN ports have an active Ethernet connection. Length Detection State: When enabled, the LAN controller will reduce the overall current supplied to the LAN port when a small cable length is connected to that port. Longer cables have higher resistance than shorter cables and require more power to transmit packets over that distance. This
286. range of configured IP addresses of allowed clients can reach the controller's PPTP server. Once authenticated by the PPTP server (the tunnel endpoint), PPTP clients have access to the network managed by the controller. Figure 145: PPTP tunnel configuration, PPTP Server. (Screenshot: PPTP Server page. PPTP allows an external user to connect to your router through the internet. This section allows you to enable/disable PPTP server and define a range of IP addresses for clients connecting to your router. The connected clients can function as if they are on your LAN: they can communicate with LAN hosts, access any servers present, etc. Fields shown: PPTP Routing Mode, Starting IP Address, Ending IP Address, Authentication Supported: PAP, CHAP, MS-CHAP, MS-CHAPv2.) 8.4.2 L2TP Tunnel Support. Setup > VPN Settings > L2TP > L2TP Server. A L2TP VPN can be established through this controller. Once enabled, a L2TP server is available on the controller for LAN and Option L2TP client users to access. Once the L2TP server is enabled, L2TP clients that are within the range of configured IP addresses of allowed clients can reach the controller's L2TP server. Once authenticated by the L2TP server (the tunnel endpoint), L2TP clients have access to the network ma
287. re registered in the Active Directory database can now access the SSL VPN portal by using their Active Directory user name and password. Second Active Directory Domain (optional): Active Directory Domain for Authentication Server2, if in use. Third Active Directory Domain (optional): Active Directory Domain for Authentication Server3, if in use. Timeout: Set the amount of time in seconds the appliance should wait for a response from the authentication server. Retries: The number of attempts the appliance will make to the authentication server before giving up and considering the authentication attempt as failed. After configuring all fields in Active Directory settings, the administrator can use the Server Checking option to check server reachability. When the administrator clicks on the server checking button, the server reachability status for the configured servers is returned. 11.7.5 POP3 Settings. Setup > External Authentications > POP3 Settings. POP3 (Post Office Protocol) is commonly used by email clients to retrieve email. It supports both SSL as well as plain accounts. Enabling SSL support will have the client send a SSL socket to the POP server. The POP client on the appliance uses port 110 for authentication with the plain type and 995 for the SSL type. Each step, starting at the greeting message, returns a response: on success it will receive OK, else ERROR. If SSL support is enabled, a certificate authori
288. re configured for this controller, you may use the IP address if a static address is assigned to the Option port, or if your Option address is dynamic, a DDNS (Dynamic DNS) name can be used. Outbound (LAN/DMZ to Option) rules restrict access to traffic leaving your network, selectively allowing only specific local users to access specific outside resources. The default outbound rule is to allow access from the secure zone (LAN) to either the public DMZ or insecure Option. On the other hand, the default outbound rule is to deny access from DMZ to insecure Option. You can change this default behavior in the Firewall Settings > Default Outbound Policy page. When the default outbound policy is allow always, you can block hosts on the LAN from accessing internet services by creating an outbound firewall rule for each service. Figure 118: List of Available Firewall Rules. (Screenshot: Firewall Rules page. A firewall is a security mechanism to selectively block or allow certain types of traffic in accordance with rules specified by network administrators. You can use this page to manage the firewall rules that control traffic to and from your network. The List of Available Firewall Rules table includes all firewall rules for this device and allows several operations on the firewall rules.)
289. rent queue management algorithm that is used in the LAN controller. Queuing Management algorithm: Displays the current queue management algorithm that is used in the LAN controller. Figure 15: Port Queue Status. This page shows the current queue management algorithm that is used in the LAN switch. Queue Management Algorithm: Tail Drop. 2.2.6 Option QoS Configuration. Setup > QoS > Option QoS Configuration. This page allows configuring the Option QoS and defining the bandwidth for Option interfaces. Figure 16: Option QoS Configuration. Please enable Bandwidth Management to perform Add/Edit/Delete operations. Bandwidth management controls the rate and priority of the traffic on your Internet link, allowing you to efficiently utilize the Internet bandwidth. Do you want to enable Bandwidth Management? Option Configuration: Option Interface, Upstream Bandwidth (in Kbps), Downstream Bandwidth (in Kbps).
290. rofile This page allows a user to add new system users. Users Configuration: User Name, First Name, Last Name, Select Group (ADMIN), MultiLogin, Password, Confirm Password. 9.1.2 User Database. Advanced > Users > Get User DB. This feature allows the administrator to import a CSV formatted user database to the router. The local user database stored in this router's memory can be extracted for review with the help of this feature. Get Users DB file: Here the selected Comma Separated Value (CSV) format file on the local host containing the users database can be uploaded to apply the configuration. Figure 157: User Database export. This page allows user to import a CSV formatted user database to the router. The user may only add system users using the CSV file upload mechanism. Before adding users to different groups, the groups must be created using the GUI. Also, edit and delete operations on users can be more conveniently handled through the GUI, as it is much easier to select a particular user for edit/delete. This mechanism of csv file upload
291. rotocol (i.e. HTTP, FTP, etc.) used by the DWC. Int. Port (Internal Port): The internal ports opened by UPnP (if any). Ext. Port (External Port): The external ports opened by UPnP (if any). IP Address: The IP address of the UPnP device detected by this controller. Click Refresh to refresh the port map table and search for any new UPnP devices. 2.6 Captive Portal. 2.6.1 The captive portal technique forces an HTTP client on a network to see a special web page (usually for authentication purposes) before using the Internet normally. A captive portal turns a web browser into an authentication device. LAN users can gain internet access via web portal authentication with the appliance. Also referred to as Run-Time Authentication, a Captive Portal is ideal for a web café scenario where users initiate HTTP connection requests for web access but are not interested in accessing any LAN services. Firewall policies set by the administrator will define which users require authentication for HTTP access, and when a matching user request is made the appliance will intercept the request and prompt for a username/password. The login credentials are compared against the Runtime Authentication users in the user database prior to granting HTTP access. A user can use captive portal for guest and registered users at the same time. A captive portal presents a web page which requires action on the part of the user before networ
292. rs required in limiting the user access on duration basis. Valid Begin: There are 3 types of limiting user access by duration. Start While Account Created: This option is to activate the account when the user is created. Start While Account Login: This option is to activate the account when the user first logs in using his credentials. Begin From: This option is to activate the account from this date. Allow Frontdesk to modify duration: Checking this option enables the Frontdesk user to modify duration limits. Basic Limit by Usage: This section is for limiting the user on a usage basis. Maximum Usage Time: used to set the maximum time a user can stay logged in before his account expires. Maximum Usage Traffic: used to set the maximum traffic a user can use before his account expires. Only inbound traffic shall be considered towards bandwidth usage. Allow Frontdesk to modify usage: Checking this option enables the Frontdesk user to modify usage limits. 2.6.6 Block MAC. Setup > Captive Portal > Block MAC. This feature allows the administrator to add a MAC address and description of the corresponding device to a black list for the Captive Portal. Adding a MAC address to the list will result in denying access to the clients having these MAC addresses. Figure 35: List of MAC addresses not allowed to authenticate via the Captive Portal.
293. rule include the following: Service: ANY means all traffic is affected by this rule. For a specific service, the drop-down list has common services, or you can select a custom defined service. Action & Schedule: Select one of the 4 actions that this rule defines: BLOCK always, ALLOW always, BLOCK by schedule otherwise ALLOW, or ALLOW by schedule otherwise BLOCK. A schedule must be preconfigured in order for it to be available in the drop-down list to assign to this rule. Source & Destination users: For each relevant category, select the users to which the rule applies: Any (all users), Single Address (enter an IP address), or Address Range (enter the appropriate IP address range). Log: Traffic that is filtered by this rule can be logged; this requires configuring the controller's logging feature separately. QoS Priority: Outbound rules (where To Zone is insecure Option only) can have the traffic marked with a QoS priority tag. Select a priority level: Normal-Service, ToS 0 (lowest QoS); Minimize-Cost, ToS 1; Maximize-Reliability, ToS 2; Maximize-Throughput, ToS 4; Minimize-Delay, ToS 8 (highest QoS). 6. Inbound rules can use Destination NAT (DNAT) for managing traffic from the Option. Destination NAT is available when the To Zone is DMZ or secure LAN. With an inbound allow rule you can enter the internal server address that is hosting the selected servic
294. rver client mode, the user has to download the auto login profile from the OpenVPN Access Server and upload the same to connect. Server IP: OpenVPN server IP address to which the client connects (applicable in client mode). VPN Network: Address of the Virtual Network. VPN Netmask: Netmask of the Virtual Network. Port: The port number on which the OpenVPN server (or Access Server) runs. Tunnel Protocol: The protocol used to communicate with the remote host, e.g. TCP or UDP. UDP is the default. Encryption Algorithm: The cipher with which the packets are encrypted, e.g. BF-CBC, AES-128, AES-192 and AES-256. BF-CBC is the default. Hash algorithm: Message digest algorithm used to authenticate packets, e.g. SHA1, SHA256 and SHA512. SHA is the default. Tunnel Type: Select Full Tunnel to redirect all the traffic through the tunnel. Select Split Tunnel to redirect traffic to only specified resources (added from OpenVpnClient Routes) through the tunnel. Full Tunnel is the default. Enable Client to Client communication: Enable this to allow OpenVPN clients to communicate with each other in the split tunnel case. Disabled by default. Upload Access Server Client Configuration: The user has to download the auto login profile and upload it here to connect this controller to the OpenVPN Access Server. Certificates: Select the set of certificates the OpenVPN server uses. First Row: Set of certificates and keys the server uses. Second Row: Set of certificates and
295. s and Location in the <MAC - IP - Location> format. To upgrade a single AP, select the AP MAC address from the drop-down list. To upgrade all APs, select All from the top of the list. If All is selected, the Group Size field will limit the number of simultaneous AP upgrades in order not to overwhelm the TFTP server. Figure 93: Access Point Software Download. The Unified Wireless Controller can upgrade software on the APs that it manages. The Cluster Controller can update code on APs managed by peer wireless controllers. 5.4 Local OUI Database Summary. Setup > AP Management > Local OUI Database. To help identify AP and Wireless Client adapter manufacturers detected in the wireless network, the wireless controller contains a database of registered Organizationally Unique Identifiers (OUIs). This is a read-only list wit
296. s: Number of Rogue APs currently detected on the WLAN. When an AP performs an RF scan, it might detect access points that have not been validated. It reports these APs as rogues. Authentication Failed Access Points: Number of APs that failed to establish communication with the controller. Unknown Access Points: Number of Unknown APs currently detected on the WLAN. If an AP configured to be managed by the controller is detected through an RF scan at any time that it is not actively managed, it is classified as an Unknown AP. Rogue AP Mitigation Limit: Maximum number of APs for which the system can send de-authentication frames. Rogue AP Mitigation Count: Number of APs to which the wireless system is currently sending de-authentication messages to mitigate against rogue APs. A value of 0 indicates that mitigation is not in progress. Maximum Managed APs in Peer Group: Maximum number of access points that can be managed by the cluster. WLAN Utilization: Total network utilization across all APs managed by this controller. This is based on global statistics. 4.6.2 AP Summary. Status > Access Point Info > APs Summary. The List of AP page shows summary information about managed, failed, and rogue access points the controller has discovered or detected. The status entries can be deleted manually. To clear all APs from the All Access Points status page except Managed Access Points, click D
297. s: Shows the IP Address of the controller that sent the configuration information. Configuration: Identifies which parts of the configuration the controller received from the peer controller. Timestamp: Shows when the configuration was applied to the controller. The time is displayed as UTC time and is therefore only useful if the administrator has configured each peer controller to use NTP. Figure 74: Peer Controller Configuration Status. The Peer Controller Configuration Status page displays information about the configuration sent by a peer Controller in the cluster. The following actions are supported from this page: Refresh: Updates the page with the latest information. 4.7.4 Peer Controller Managed AP Status. Status > Global Info > Peer Controller > Managed AP. The Peer Controller Managed AP Status page displays information about the APs that each peer controller in the cluster manages. Use the menu above the table to select the peer controller with the AP information to display. Each peer controller is identified by its IP address. MAC A
298. s certificate. Timeout: Set the amount of time, in seconds, the appliance should wait for a response from the authentication server. Retries: The number of attempts the appliance will make to the authentication server before giving up and considering the authentication attempt as failed. After configuring all fields in the Active Directory settings, the administrator can use the Server Checking option to check server reachability. When the administrator clicks the Server Checking button, the reachability status for the configured servers is returned. To add the CA certificate in case of SSL support, the admin needs to upload the certificate in the POP3 CA file page. Figure 185: POP3 CA File List. This page shows the list of POP3 CA Files. Copyright 2012 D-Link Corporation. Chapter 12: Administration & Management. 12.1 Remote Management. Both HTTPS and telnet access can
299. s controlled by the scan duration. The default scan duration is 10 milliseconds. Mode: The Mode defines the Physical Layer (PHY) standard the radio uses. Select one of the following modes for each radio interface: IEEE 802.11a is a PHY standard that specifies operating in the 5 GHz U-NII band using orthogonal frequency division multiplexing (OFDM). It supports data rates ranging from 6 to 54 Mbps. IEEE 802.11a/n operates in the 5 GHz ISM band and includes support for both 802.11a and 802.11n devices. IEEE 802.11n is an extension of the 802.11 standard that includes multiple-input multiple-output (MIMO) technology. IEEE 802.11n supports data rates of up to 248 Mbps and nearly twice the indoor range of 802.11b, 802.11g, and 802.11a. 5 GHz IEEE 802.11n is the recommended mode for networks with 802.11n devices that operate in the 5 GHz frequency and do not need to support 802.11a or 802.11b/g devices. IEEE 802.11n can achieve a higher throughput when it does not need to be compatible with legacy devices (802.11b/g or 802.11a). IEEE 802.11b/g operates in the 2.4 GHz ISM band. IEEE 802.11b is an enhancement of the initial 802.11 PHY to include 5.5 Mbps and 11 Mbps data rates. It uses direct sequence spread spectrum (DSSS) or frequency hopping spread spectrum (FHSS) as well as complementary code keying (CCK) to provide the higher data rates. It supports data rates ranging from 1 to 11
300. s displayed in GUI event viewer. VIEW SSLVPN LOGS: Refresh Logs, Clear Logs. 12.7 Backing up and Restoring Configuration Settings. Tools > System. You can back up the controller's custom configuration settings to restore them to a different device or to the same controller after some other changes. During backup, your settings are saved as a file on your host. You can restore the controller's saved settings from this file as well. This page will also allow you to revert to factory default settings or execute a soft reboot of the controller. IMPORTANT: During a restore operation, do NOT try to go online, turn off the controller, shut down the PC, or do anything else to the controller until the operation is complete. This will take approximately minute. Once the LEDs are turned off, wait a few more seconds before doing anything with the controller. For backing up configuration or restoring a previously saved configuration, please follow the steps below: 1. To save a copy of your current settings, click the Backup button in the Save Current Settings option. The browser initiates an export of the configuration file and prompts to save the file on your host. 2. To restore your saved settings from a backup file
301. s on the Unified Wireless Controller. Access Point Profile List: Edit, Delete, Add, Copy, Apply, Configure Radio, Configure SSID, Configure QoS. For each AP profile, you can configure the following features: Profile settings (Name, Hardware Type ID, Wired Network Discovery VLAN ID), Radio settings, SSID settings, QoS settings. Profile: The Access Point profile name you added. Use 0 to 32 characters. Profile Status can have one of the following values: Associated: The profile is configured, and one or more APs managed by the controller are associated with this profile. Associated Modified: The profile has been modified since it was applied to one or more associated APs; the profile must be re-applied for the changes to take effect. Apply Requested: After you select a profile and click Apply, the screen refreshes and shows that an apply has been requested. Apply In Progress: The profile is being applied to all APs that use this profile. During this process, the APs reset, and all wireless clients are disassociated from the AP. Configured: The profile is configured, but no APs managed by the controller currently use this profile. Associate a profile with an AP Entry of the AP is valid and available in
302. s selected, the gateway will connect to the ISP's DHCPv6 server for a leased address. For stateless DHCP there need not be a DHCPv6 server available at the ISP; rather, ICMPv6 discover messages will originate from this gateway and will be used for auto configuration. A third option to specify the IP address and prefix length of a preferred DHCPv6 server is available as well. Figure 103: IPv6 Option Setup page. This page allows the user to set IPv6 related WAN1 configurations. Prefix Delegation: Select this option to request a controller advertisement prefix from any available DHCPv6 servers available on the ISP; the obtained prefix is updated to the advertised prefixes on the LAN side. This option can be selected only in Stateless Address Auto Configuration mode of the DHCPv6 Client. When IPv6 is PPPoE type, the following PPPoE fields are enabled. Username: Enter the username required to log in to the ISP. 6.2.7 Password: Enter the password required to log in to the ISP. Authentication
303. s to take place between peer controllers. Example: In a hotel, the controller administrator creates a set of billing and captive portal profiles and pushes them from the DWC controller to all peer controllers. The front desk administrator creates temporary accounts for a new guest. The temporary accounts will be pushed automatically to all peer controllers so that guests can have access to the portal and be authenticated for internet access from any floor (any peer controller). The front desk administrator has the ability to create 256 temporary users. Each peer controller can manage 1024 total temporary users. For the auto synchronization to work, it is a requirement that each controller in the cluster have synchronized time settings to enable time based billing or accounting for the user. Note: accounting is on a per controller basis. This means that a temporary user authenticated on one controller will not have its usage statistics shared among controllers in the event that the same user credentials are used to authenticate via another peer or cluster controller. 2.6.8 Captive Portal Front Desk. The Front Desk user has the ability to create temporary user accounts for internet access through the Captive Portal. This user does not have full administrative privileges but instead will be able to create a user based on pre-defined billing profiles. All created Billing Profiles describe
304. se are given access to the SSL VPN portal with their Active Directory username and password. If there are multiple Active Directory domains, the user can enter the details for up to two authentication domains. Timeout: The timeout period for reaching the authentication server. Retries: The number of retries to authenticate with the authentication server, after which the DWC-1000 stops trying to reach the server. Figure 151: SSLVPN Settings (fields shown: Portal Name, Authentication Type, Authentication Server 1, Authentication Server 2 (optional), Authentication Server 3 (optional), Authentication Secret 1, Authentication Secret 2 (optional), LDAP attribute 1 to 4, Workgroup, Second Workgroup (optional), LDAP Base DN, Second LDAP Base DN (optional), Active Directory Domain, Second Active Directory Domain (optional), Timeout, Retries). Login Policies: To set login policies for the group, select the corresponding group and click Login policies. The following parameters are configured: Group Name: This is the name of the group that can have its login policy edited. Disable Login: Enable to prevent the users of this group from logging into the device's management interface(s). Deny Login from Option interface: Enable to prevent the u
305. select the fixed time channel plan mode, you specify the time for the channel plan and channel assignment. In this mode, the plan is applied once every 24 hours at the specified time. Manual: With the manual channel plan mode, you control and initiate the calculation and assignment of the channel plan. You must manually run the channel plan algorithm and apply the channel plan to the APs. Interval: In the interval channel plan mode, the controller periodically calculates and applies the channel plan. You can configure the interval to be from every 6 to every 24 hours. The interval period begins when you click Submit. Channel Plan Interval: If you select the Interval channel plan mode, you can specify the frequency at which the channel plan calculation and assignment occurs. The interval time is in hours, and you can specify an interval that ranges between every 6 hours to every 24 hours. Channel Plan Fixed Time: If you select the Fixed Time channel plan mode, you can specify the time at which the channel plan calculation and assignment occurs. The channel plan calculation will occur once every 24 hours at the time you specify. Figure 89: RF configuration. Through this page we can configure AP radio frequency related values like channel configuration & Power Adjustment Configuration.
306. sers of this group from logging in from an Option (wide area network) interface. In this case only login through LAN is allowed. Figure 152: Group login policies options. This page allows user to add login policies for the available users. Group Login Policies: Group Name, Disable Login, Deny Login from Option Interface. Policy by Browsers: To set browser policies for the group, select the corresponding group and click Policy by Browsers. The following parameters are configured: Group Name: This is the name of the group that can have its login policy edited. Deny Login from Defined Browsers: The list of defined browsers below will be used to prevent the users of this group from logging in to the controller's GUI. All non-defined browsers will be allowed for login for this group. Allow Login from Defined Browsers: The list of defined browsers below will be used to allow the users of this group to log in to the controller's GUI. All non-defined browsers will be denied for login for this group. Defined Browsers: This list displays the web browsers that have been added to the Defined Browsers list, upon which group login policies can be defined. Check Box At First Column H
307. Browser policies options; IP policies options; Available Users with login status and associated Group; User Configuration options; User Database export; List of SSL VPN policies (Global filter); SSL VPN policy configuration; List of configured resources, which are available to assign to SSL VPN policies; List of Available Applications for SSL Port Forwarding; SSL VPN client adapter and access configuration; Configured client routes only apply in split tunnel mode; SSL VPN Portal configuration; USB Device Detection; VSE Share ROE; Certificate summary for IPsec and HTTPS management; IntelPAM Tranen; Wireless Configuration
308. sing Cluster information. Status > Device Info > Cluster Information. The Peer Controller Status page provides information about other wireless controllers in the network. Peer wireless controllers within the same cluster exchange data about themselves, their managed APs, and clients. The controller maintains a database with this data, so you can view information about a peer, such as its IP address and software version. If the controller loses contact with a peer, all of the data for that peer is deleted. One of the controllers in a cluster is elected as the Cluster Controller. The Cluster Controller collects status and statistics from all the other controllers in the cluster, including information about the APs that peer controllers manage and the clients associated to those APs. Figure 54: Cluster information.
309. sirable, Job Search, Malicious, Gambling, Search Sites, Travel Tourism, Health Sites, Shopping, Clubs and Societies, Entertainment, Music Video, Chatrooms IM, Business Oriented, Dating Sites, covenia Blocking, Game Sites, Educational, Investment Sites, Advertising, E Banking, Drugs Alcohol, Crime Terrorism, Computing IT, Personal Beliefs Cults, paren Lingerie, Politics, RemoteControl Desktop, Sports, Reserved. 7.13 IP/MAC Binding. Advanced > IP/MAC Binding. Another available security measure is to only allow outbound traffic (from the LAN to Option) when the LAN node has an IP address matching the MAC address bound to it. This is IP/MAC Binding, and by requiring the gateway to validate the source traffic's IP address against the unique MAC Address of the configured LAN node, the administrator can ensure traffic from that IP address is not spoofed. In the event of a violation (i.e. the traffic's source IP address doesn't match up with the expected MAC address having the same IP address), the packets will be dropped and can be logged for diagnosis. Figure 134: Example binding a LAN host's MAC Address to a served IP address. The table lists all the currently defined IP/MAC Bind rules and allows seve
310. splays the router's processor statistics. CPU usage by user: Percent of the CPU utilization being consumed currently by all user space processes, such as SSL VPN or management operations. CPU usage by kernel: Percent of the CPU utilization being consumed currently by kernel space processes, such as firewall operations. CPU idle: Percent of CPU cycles that are currently not in use. CPU waiting for IO: Percent of CPU cycles that are allocated to input/output devices. Memory Utilization: This section displays the memory status of the system. Total Memory: Indicates total available volatile physical memory. Used Memory: Indicates memory used by all processes in the system. Free Memory: Indicates available free memory in the system. Cached Memory: Indicates cached memory in the system. Buffer Memory: Indicates buffered memory in the system. Device Status. Status > Device Info > Device Status. The DWC-1000 Status page gives a summary of the controller configuration settings configured in the Setup and Advanced menus. The static hardware serial number and current firmware version are presented in the General section. The Option and LAN interface information shown on this page are based on the administrator configuration parameters. The radio band and channel settings are presented below along with all configured and active APs that are enabled on this controller. Figure 51: Device Status display.
311. sses. Each LAN on the router can be subdivided into 8 pools. The subnet and network of each pool must be within that of the LAN configured on the LAN Settings page. Most importantly, pool IP addresses must not overlap one another. New LAN DHCP clients will be assigned IP addresses starting with the Start IP address in the first pool in the list of pools. Clients will continue to receive sequential IP addresses until the End IP address of the first pool. Then, if further pools are configured, the next LAN client to join the domain of this router will receive the Start IP address of the second configured pool, and so on. Figure 6: LAN DHCP Pool configuration. This page allows us to create new LAN DHCP pools for the DHCP server on LAN. Once configured, the list of DHCP Pools at the bottom of the LAN Setup Configuration page (Figure 3) is updated with the new pool range. 2.1.4 LAN Configuration in an IPv6 Network. Advanced > IPv6 > IPv6 LAN > IPv6 LAN Config. In IPv6 mode, the LAN DHCP server is enabled by default (similar to IPv4 mode). The DHCPv6 server will serve IPv6 addresses from configured address pools with th
312. AP Profile Radio Configuration (Part 2); AP Profile SSID configuration; AP Profile QoS Configuration (Part 1); AP Profile QoS Configuration (Part 2); The Wireless LAN Setup Wizard launch; WLAN Visualization Image import; The launched visualization page; Dashboard; Device Status display; Device Status display (continued); Wireless LAN AP information; Cluster information; Resource Utilization statistics
313. started the value is if a download request is for a single controller. Success Count: Indicates the total number of peer controllers that have successfully completed a configuration download. Failure Count: Indicates the total number of peer controllers that have failed to complete a configuration download. List of Peers. Peer IP Address: Lists the IP address of each controller in the cluster and indicates the configuration request status of that controller. 11.4.2 Peer Controller Configuration. Advanced > Peer Controller > Configuration Items. The Peer Controller Configuration page allows you to select which parts of the configuration to copy to one or more peer controllers in the group, by enabling or disabling each item. Figure 174: Peer Controller Configuration.
314. t ActiveX controls from being downloaded via Internet Explorer. For added security, cookies, which typically contain session information, can be blocked as well for all devices on the private network. Figure 129: Content Filtering used to block access to proxy servers and prevent ActiveX controls from being downloaded. This content filtering option allows the user to block access to certain Internet sites. Up to 32 keywords in the site's name (web site URL) can be specified, which will block access to the site. To set up URLs, go to the Approved URLs and Blocked Keywords page. 7.10.2 Approved URLs. Advanced > Website Filter > Approved URLs. The Approved URLs is an acceptance list for all URL domain names. Domains added to this list are allowed in any form. For example, if the domain yahoo is added to this list, then all of the following URLs are permitted access from the LAN: www.yahoo.com, yahoo.co.uk, etc. Import/export from a text or CSV file for Approved URLs is also supported. Figure 130: Two trusted domains added to the Approved URLs List.
315. t on the network adaptor created on the client host. This configuration is optional. Secondary DNS Server: Secondary DNS server IP address to set on the network adaptor created on the client host. This configuration is optional. Client Address Range Begin: Clients who connect to the tunnel get a DHCP-served IP address assigned to the network adaptor from the range of addresses beginning with this IP address. Client Address Range End: The ending IP address of the DHCP range of addresses served to the client network adaptor. Setup > VPN Settings > SSL VPN Client > Configured Client Routes. If the SSL VPN client is assigned an IP address in a different subnet than the corporate network, a client route must be added to allow access to the private LAN through the VPN tunnel. As well, a static route on the private LAN's firewall (typically this controller) is needed to forward private traffic through the VPN Firewall to the remote SSL VPN client. When split tunnel mode is enabled, the user is required to configure routes for VPN tunnel clients. Destination Network: The network address of the LAN or the subnet information of the destination network from the VPN tunnel clients' perspective is set here. Subnet Mask: The subnet information of the destination network is set here. Figure 163: Configured client routes only apply in split tunnel mode.
316. t stateless IPv6 auto configuration on the LAN, set the RADVD status to Enable. The following settings are used to configure RADVD. RADVD Status: You can enable the RADVD process here to allow stateless auto configuration of the IPv6 LAN network. Advertise Mode: Select Unsolicited Multicast to send router advertisements (RAs) to all interfaces in the multicast group. To restrict RAs to well-known IPv6 addresses on the LAN, and thereby reduce overall network traffic, select Unicast only. Advertise Interval: When advertisements are unsolicited multicast packets, this interval sets the maximum time between advertisements from the interface. The actual duration between advertisements is a random value between one third of this field and this field. The default is 30 seconds. RA Flags: The router advertisements (RAs) can be sent with one or both of these flags. Choose Managed to use the administered/stateful protocol for address auto configuration. If the Other flag is selected, the host uses the administered/stateful protocol for non-address auto configuration. Router Preference: This low/medium/high parameter determines the preference associated with the RADVD process of the router. This is useful if there are other RADVD-enabled devices on the LAN, as it helps avoid conflicts for IPv6 clients. MTU: The router advertisement will set this maximum transmission unit (MTU) value for all nodes
317. t the IP address in the L3 IP Discovery list. Polled: The controller has attempted to contact the IP address. Discovered: The controller contacted the peer controller or the AP in the L3 IP Discovery list and has authenticated or validated the device. Discovered Failed: The controller contacted the peer controller or the AP with IP address in the L3 IP Discovery list and was unable to authenticate or validate the device. Note: If the device is an access point, an entry appears in the AP failure list with a failure reason. Figure 76: IP Discovery. The IP Discovery Status page shows information about communication with the devices in the IP discovery list on the Setup > AP Management > Poll List page. 4.7.6 Configuration Receive Status. Status > Global Info > Config Receive Status. The Peer Controller Configuration feature allows you to send the critical wireless configuration from one controller to all other controllers. In addition to keeping the controllers synchronized, this function enables the administrator to manage all wireless controllers in the cluster from one controller. The Peer Controller
318. Remark CoS to DSCP; Adding VLAN memberships to the LAN; VLAN Configuration Options; Port VLAN list; Configuring VLAN membership for a port; Multiple VLAN Subnet; DMZ configuration; UPnP Configuration; Captive Portal Setup; Adding or Editing a Custom Captive Portal; List of SSIDs associated with Captive Portals; Associating a Captive Portal to a specific SSID; Active Runtime sessions; Defining the Terms of Service for a Portal
319. tatus > Logs page or a remote Syslog server for later review. E-mail logs, discussed in a subsequent section, follow the same configuration as logs configured for a Syslog server. Tools > Log Settings > Logs Configuration. This page allows you to determine the type of traffic through the controller that is logged for display in Syslog, E-mailed logs, or the Event Viewer. Denial of service attacks, general attack information, login attempts, dropped packets, and similar events can be captured for review by the IT administrator. Traffic through each network segment (LAN, Option, DMZ) can be tracked based on whether the packet was accepted or dropped by the firewall. Accepted Packets are those that were successfully transferred through the corresponding network segment (i.e. LAN to Option). This option is particularly useful when the Default Outbound Policy is Block Always, so the IT admin can monitor traffic that is passed through the firewall. Example: If Accept Packets from LAN to Option is enabled and there is a firewall rule to allow SSH traffic from LAN, then whenever a LAN machine tries to make an SSH connection, those packets will be accepted and a message will be logged (assuming the log option is set to Allow for the SSH firewall rule). Dropped Packets are packets that were intentionally blocked from being transferred through the corresponding network segment. This opt
320. termine whether a detected client is classified as a rogue. Clients classified as rogues are considered to be a threat to network security. The WIDS feature tracks the following types of management messages that each detected client sends: Probe Requests; 802.11 Authentication Requests; 802.11 De-Authentication Requests. In order to help determine whether a client is posing a threat to the network by flooding the network with management traffic, the system keeps track of the number of times the AP received each message type and the highest message rate detected in a single RF Scan report. On the WIDS Client Configuration page, you can set thresholds for each type of message sent, and the APs monitor whether any clients exceed those thresholds or tests. Not Present in OUI Database Test: This test checks whether the MAC address of the client is from a registered manufacturer identified in the OUI database. Known Client Database Test: This test checks whether the client, which is identified by its MAC address, is listed in the Known Client Database and is allowed access to the AP either through the Authentication Action of Grant or through the White List global action. If the client is in the Known Client Database and has an action of Deny, or if the action is Global Action and it is globally set to Black List, the client fails this test. Configured Authentication Rate Test: This test che
321. th no guarantee of reliability or in-order delivery. Virtual private network: Network that enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. Uses tunneling to encrypt all information at the IP level. Windows Internet Name Service: Service for name resolution. Allows clients on different IP subnets to dynamically resolve addresses, register themselves, and browse the network without sending broadcasts. Appendix B. Factory Default Settings (Description: Default Setting). Device login: User name (case sensitive); Login password (case sensitive). Internet Connection: Option MAC address: Use default address; Option MTU size: 1500. Local area network (LAN): IP address: 192.168.10.1; IPv4 subnet mask: 255.255.255.0; RIP direction: None; RIP version: Disabled; RIP authentication: Disabled; DHCP server: Enabled; DHCP starting IP address; DHCP ending IP address; Time zone; Time zone adjusted for Daylight Saving Time. Firewall: Remote management: Disabled; Inbound communications from the Internet: Disabled (except traffic on port 80, the HTTP port); Outbound communications to the Internet: Enabled (all); Source MAC filtering: Disabled; Stealth mode: Enabled. Appendix C. Recovery from Upgrade Failure. The DWC-1000 has
322. the Internet connection information, such as the IP addresses, account information, etc. This information is usually provided by your ISP or network administrator. 6.2.6 Option Configuration in an IPv6 Network. Advanced > IPv6 > IPv6 Option1 Config. For IPv6 Option connections, this controller can have a static IPv6 address or receive connection information when configured as a DHCPv6 client. In the case where the ISP assigns you a fixed address to access the internet, the static configuration settings must be completed. In addition to the IPv6 address assigned to your controller, the IPv6 prefix length defined by the ISP is needed. The default IPv6 Gateway address is the server at the ISP that this controller will connect to for accessing the internet. The primary and secondary DNS servers on the ISP's IPv6 network are used for resolving internet addresses, and these are provided along with the static IP address and prefix length from the ISP. When the ISP allows you to obtain the Option IP settings via DHCP, you need to provide details for the DHCPv6 client configuration. The DHCPv6 client on the gateway can be either stateless or stateful. If a stateful client i
323. the satellite AP to use a static channel. For a root AP, set the static channel when you add the AP to the Valid AP database on the controller. Optionally, to allow the Ethernet port on a satellite AP to provide wired access to the LAN, you must set the WDS Managed Ethernet Port to Enabled. It is disabled by default. WDS configuration is divided into three sections: Group, AP and Link configuration. 11.6.1 Group Configuration. WDS Group ID: Define the group's ID, which will be used in AP and Link configuration pages to identify this group. Figure 177: WDS Group Configuration. 11.6.2 AP Configuration. After creating a WDS Managed AP group, use the WDS Managed AP Configuration page to view the APs that are members of the group, add new members, and change STP Priority values for existing members. Note: After changing WDS Managed AP group settings make
324. thentication between this controller and other controllers configured with the same RIP version is required. MD5 authentication is used in a first/second key exchange process. The authentication key validity lifetimes are configurable to ensure that the routing information exchange is with current and supported controllers detected on the LAN. Static Routing. Advanced > Routing > Static Routing; Advanced > IPv6 > IPv6 Static Routing. Manually adding static routes to this device allows you to define the path selection of traffic from one interface to another. There is no communication between this controller and other devices to account for changes in the path; once configured, the static route will be active and effective until the network changes. The List of Static Routes displays all routes that have been added manually by an administrator and allows several operations on the static routes. The List of IPv4 Static Routes and List of IPv6 Static Routes share the same fields (with one exception). Name: Name of the route, for identification and management. Active: Determines whether the route is active or inactive. A route can be added to the table and made inactive if not needed. This allows routes to be used as needed without deleting and re-adding the entry. An inactive route is not broadcast if RIP is enabled. Private: Determines whether the route can be shared with other controllers when RIP is enabled. If the route is
325. this page. 2.4 Configurable Port: DMZ Setup. This controller supports one of the physical ports (Option Ports) to be configured as a secondary Ethernet port or a dedicated DMZ port. A DMZ is a sub-network that is open to the public but behind the firewall. The DMZ adds an additional layer of security to the LAN, as specific services/ports that are exposed to the internet on the DMZ do not have to be exposed on the LAN. It is recommended that hosts that must be exposed to the internet (such as web or email servers) be placed in the DMZ network. Firewall rules can permit access for specific services/ports to the DMZ from both the LAN and Option. In the event of an attack on any of the DMZ nodes, the LAN is not necessarily vulnerable as well. Setup > DMZ Setup > DMZ Setup Configuration. DMZ configuration is identical to the LAN configuration. There are no restrictions on the IP address or subnet assigned to the DMZ port, other than the fact that it cannot be identical to the IP address given to the LAN interface of this gateway. Figure 25: DMZ configuration. The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions
326. tible. When the controller discovers and validates APs, the controller takes over the management of the AP. If you configure the AP in Standalone mode, the existing AP configuration is replaced by the default AP Profile configuration on the controller. L3 IP Discovery: Select or clear this option to enable or disable IP-based discovery of access points and peer wireless controllers. When the L3 IP Discovery option is selected, IP polling is enabled and the controller will periodically poll each address in the configured IP List. By default, L3 IP Discovery is enabled. List of IP Address: Shows the list of IP addresses configured for discovery. To remove entries from the list, select one or more entries and click Delete. Hold the shift key or control key to select specific entries. IP Address Range: This text field is used to add a range of IP address entries to the IP List. Enter the IP address at the start of the address range in the From field and enter the IP address at the end of the range in the To field, then click Add. All IP addresses in the range are added to the IP List. Only the last octet is allowed to differ between the From address and the To address. Figure 38: Configuring the Wireless Discovery.
327. The following actions are supported from this page. Edit: To edit AP details in Valid AP page. Delete: To delete a valid AP, provide valid MAC address in Valid AP page. Add: To add an AP in Valid AP page. Figure 88: Add a Valid Access Point. MAC Address: This field shows the MAC address of the AP. To change this field, you must delete the entire Valid AP configuration and then enter the correct MAC address from the page that lists all Valid APs. AP Mode: You can configure the AP to be in one of three modes. Standalone: The AP acts as an individual access point in the network. You do not manage the AP by usi
328. troller administrator creates and edits portal layouts from the configuration pages in the SSL VPN menu. The portal name, title, banner name, and banner contents are all customizable to the intended users for this portal. The portal name is appended to the SSL VPN portal URL. As well, the users assigned to this portal (through their authentication domain) can be presented with one or more of the controller's supported SSL services, such as the VPN Tunnel page or Port Forwarding page. To configure a portal layout and theme, the following information is needed. Portal Layout Name: A descriptive name for the custom portal that is being configured. It is used as part of the SSL portal URL. Portal Site Title: The portal web browser window title that appears when the client accesses this portal. This field is optional. Banner Title: The banner title that is displayed to SSL VPN clients prior to login. This field is optional. Banner Message: The banner message that is displayed to SSL VPN clients prior to login. This field is optional. Display banner message on the login page: The user has the option to either display or hide the banner message in the login page. HTTP meta tags for cache control: This security feature prevents expired web pages and data from being stored in the client's web browser cache. It is recommended that the user selects this option. ActiveX web cache cleaner: An Activ
329. Figure 72: Global Status (Part 2). WLAN Controller Operational Status: This status field displays the operational status of this controller, a WLAN controller. The WLAN Controller may be configured as enabled, but is operationally disabled due to configuration dependencies. If the operational status is disabled, the reason will be displayed in the following status field. IP Address: IP address of the controller. Pee
330. 4.5.2 LAN Clients; 4.5.3 Detected Clients; 4.5.4 Active VPN Tunnels; 4.6 Access Point; 4.6.1 Access Point Status; 4.6.2 AP Summary; 4.6.3 Managed AP Status; 4.6.4 Authentication Failure Status; 4.6.5 AP RF Scan Status; 4.7 Global Info; 4.7.1 Global Status; 4.7.2 Peer Controller Status; 4.7.3 Peer Controller Configuration Status; 4.7.4 Peer Controller Managed AP Status; 4.7.5 IP Discovery; 4.7.6 Configuration Receive Status; 4.7.7 AP Hardware Capability; 4.8 Wireless Client Status; 4.8.2 Associated
331. ts that also support the 400 ns guard interval. Disable: The AP transmits data using an 800 ns guard interval. Space Time Block Code: Space Time Block Coding (STBC) is an 802.11n technique intended to improve the reliability of data transmissions. The data stream is transmitted on multiple antennas so the receiving system has a better chance of detecting at least one of the data streams. Select one of the following options. Enable: The AP transmits the same data stream on multiple antennas at the same time. Disable: The AP does not transmit the same data on multiple antennas. Radio Resource Management: Radio Resource Measurement (RRM) mode requires the Wireless System to send additional information in beacons, probe responses, and association responses. Enable or disable the support for radio resource measurement feature in the AP profile. The feature is set independently for each radio and is enabled by default. No ACK: Select Enable to specify that the AP should not acknowledge frames with QoS NoAck as the service class value. Multicast Tx Rate (Mbps): Select the 802.11 rate at which the radio transmits multicast frames. The rate is in Mbps. The lowest rate in the 5 GHz band is 6 Mbps. SSID Configuration: The SSID Configuration page displays the virtual access point (VAP) settings associated with the selected AP profile. Each VAP is identified by its network number and
332. Option QoS: To enable Bandwidth management, select the check box and click Apply. Option Configuration: Define the upstream and downstream bandwidth for the Option and Option 2 interfaces. Bandwidth Profile: Click Add to define a bandwidth profile. Bandwidth Management. Profile Name: Allows defining a profile name. Priority: Select the priority of the profile. Maximum Bandwidth: Provide the maximum allowed bandwidth of the profile. Minimum Bandwidth: Provide the minimum allowed bandwidth of the profile. Option Interface: Select the interface (Option1, Option2). Figure 17: Bandwidth Profile Configuration. Configuring bandwidth management will allow you to control the rate and priority of the traffic going to the internet, ensuring that high priority traffic such as voice is assured of a certain quality of service, and also limit low priority traffic.
333. twork Addresses: All the IP network addresses/host addresses of the multicast sources are listed here. Network Address: The IP network or the host address of the multicast source. Mask Length: The length of the subnet mask. The following actions are supported from this page. Add: To add a network/host address along with mask length. Edit: To edit a network/host address along with mask length. Delete: To delete a network/host address along with mask length. 6.10 Option Port Settings. Advanced > Advanced Network > Option Port Setup. The physical port settings for each Option link can be defined here. If your ISP account defines the Option port speed or is associated with a MAC address, this information is required by the controller to ensure a smooth connection with the network. The default MTU size supported by all ports is 1500. This is the largest packet size that can pass through the interface without fragmentation. This size can be increased; however, large packets can introduce network lag and bring down the interface speed. Note that a 1500 byte size packet is the largest allowed by the Ethernet protocol at the network layer. The port speed can be sensed by the controller when Auto is selected. With this option, the optimal port settings are determined by the controller and network. The duplex (half or full) can be defined based on the port support, as well as one of three port spee
334. ty must be selected to use for the SSL authentication. Figure 184: POP3 Server Configuration. Authentication Server 1: The IP address of the primary authentication server. Authentication Server 2: The IP address of the secondary authentication server; it is an optional field. Authentication Server 3: The IP address of the tertiary authentication server; it is an optional field. Authentication Port: Authentication port for respective authentication server. SSL Enable: Enable SSL support for POP3. If this option is enabled, it is mandatory to select a certificate authority for it. CA File: Certificate Authority file to verify POP3 server
335. uest a self certificate to be signed by a CA, you can generate a Certificate Signing Request from the gateway by entering identification parameters and passing it along to the CA for signing. Once signed, the CA's Trusted Certificate and signed certificate from the CA are uploaded to activate the self certificate validating the identity of this gateway. The self certificate is then used in IPsec and SSL connections with peers to validate the gateway's authenticity. Figure 167: Certificate summary for IPsec and HTTPS management. Digital Certificates (also known as X509 Certificates) are used to authenticate the identity of users and systems, and are issued by Certification Authorities (CA) such as VeriSign, Thawte and other organizations. Digital Certificates are used by this router during the Internet Key Exchange (IKE) authentication phase to authenticate connecting VPN gateways or clients, or to be authenticated by remote entities. 10.4 Intel AMT. This feature is available upon licensed activatio
336. uration. 3. Configure the Secure Connection Remote Accessibility fields to identify the remote network. Remote LAN IP address: address of the LAN behind the peer gateway. Remote LAN Subnet Mask: the subnet mask of the LAN behind the peer. Note: The IP address range used on the remote LAN must be different from the IP address range used on the local LAN. 4. Review the settings and click Connect to establish the tunnel. The Wizard will create an Auto IPsec policy with the following default values for a VPN Client or Gateway policy (these can be accessed from a link on the Wizard page). Parameter: Default value from Wizard. Exchange Mode: Aggressive (Client policy) or Main (Gateway policy); ID Type; Local Option ID: wan_local.com (only applies to Client policies); Remote Option ID: wan_remote.com (only applies to Client policies); Encryption Algorithm: 3DES; Authentication Algorithm: SHA-1; Authentication Method: Pre-shared Key; PFS Key Group: DH Group 2 (1024 bit); NETBIOS: Enabled (only applies to Gateway policies). The VPN Wizard is the recommended method to set up an Auto IPsec policy. Once the Wizard creates the matching IKE and VPN policies required by the Auto policy, one can modify the required fields through the edit link. Refer to the online help for details. Easy Setup Site to Site VPN Tunnel: If you find it difficult to configure VPN policies through VPN wizard, use easy s
337. ure on the WIDS Client Configuration page help determine whether a detected client is classified as a rogue. Clients classified as rogues are considered to be a threat to network security.
[Screenshot: WIDS Client Configuration page. Settings shown include Not Present in OUI Database Test, Not Present in Known Client Database Test, De-Authentication Requests Rate, Maximum Authentication Failures Test, Client Threat Mitigation, and Known Client Database Lookup Method.]
11.6 WDS Settings
Advanced > WDS Configuration
The Wireless Distribution System (WDS) Managed AP feature allows the administrator to add managed APs to the cluster using over-the-air WDS links through other managed APs. This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks. It can also simplify the network infrastructure by reducing the amount of cabling required. With WDS, APs may be located outdoors where a wired connection to the data network is unavailable, or in remote buildings that are not connected to the main campus with a wired network.
The WDS AP group consists of two types of
338. use the automatic power adjustment algorithm. You can configure the power as a percentage of maximum power, where the maximum power is the minimum of power level allowed for the channel by the regulatory domain or the hardware capability.
Manual: In this mode, you run the proposed power adjustments manually from the Manual Power Adjustments page.
Auto: In this mode, the controller periodically calculates the power adjustments and applies the power for all APs automatically.
Power Threshold (dBm): The threshold in dBm below which Power Adjustment Mode takes effect.
Note: This setting gets applied to both radios of the AP.
The following actions are supported from this page:
Submit: Updates the controller with the values you enter.
5.2.2 Channel Plan History
Setup > AP Management > RF Management > Channel Plan History
The wireless controller stores channel assignment information for the APs it manages. The Cluster Controller that controls the cluster maintains the channel history information for all controllers in the cluster. On the Cluster Controller, the page shows information about the radios on all APs managed by controllers in the cluster that are eligible for channel assignment and were successfully assigned a new channel.
Channel Plan: The 5 GHz and 2.4 GHz radios use different channel plans, so the controller tracks the channel history separately for each radio. The
339. very time a new connection is established the bandwidth increases. After a certain number of connections (say bandwidth reached 70% of 1Kbps) the new connections will be spilled over to secondary Option. The maximum value of load tolerance is 80 and the least is 20.
Protocol Bindings: Refer Section 6.3.3 for details.
Load balancing is particularly useful when the connection speed of one Option port greatly differs from another. In this case you can define protocol bindings to route low-latency services (such as VOIP) over the higher-speed link and let low-volume background traffic (such as SMTP) go over the lower-speed link.
Figure 105: Load Balancing is available when multiple Option ports are configured and Protocol Bindings have been defined.
6.3.3 Protocol Bindings
Advanced > Routing > Protocol Bindings
Protocol bindings are required when the
340. vices. The 40 MHz option is enabled by default for 802.11a/n modes and 20 MHz for 802.11b/g/n modes. You can use this setting to restrict the use of the channel bandwidth to a 20 MHz channel. If the selected mode is 11a/n/ac or 11n/ac, then the 80 MHz bandwidth option is available.
Primary Channel: This setting is editable only when a channel is selected and the channel bandwidth is set to 40 MHz. A 40 MHz channel can be considered to consist of two 20 MHz channels that are contiguous in the frequency domain. These two 20 MHz channels are often referred to as the Primary and Secondary channels. The Primary Channel is used for 802.11n clients that support only a 20 MHz channel bandwidth and for legacy clients. Use this setting to set the Primary Channel as the upper or lower 20 MHz channel in the 40 MHz band.
Figure 43: AP Profile Radio configuration (Part 2). Fields shown: Minimum Power, APSD Mode, RF Scan Interval (secs), Frag Threshold (bytes), RF Scan Sentry Channels, Short Retries, RF Scan Duration (msecs), Long Retries, Rate Limiting, Transmit Lifetime (msecs), Rate Limit (pkts/sec), Receive Lifetime (msecs), Rate Limit Burst (pkts/sec), Station Isolation, Channel Bandwidth, Primary Channel, Protection, Short Guard Interval, Space Time Block Code, Radio Resource Management, No ACK, Multicast Tx Rate (Mbps).
341. work, such as pornography, gambling, online shopping and many others. Dynamic WCF also has a logging feature. Whenever a user tries to access a website that is blocked, the corresponding event will be logged.
Ensure that firmware v4.2.0.6 or above for DWC-1000 is being used.
Ensure that DWC-1000 VPN License is already activated before activating DWC-1000 WCF.
12 License
Figure 201: Installing a License.
Figure 202: Available Licenses Display after installing a License.
Note: The newly licensed features will be enabled after system reboot.
Appendix A. Glossary
Address Resolution Protocol: Broadcast protocol for mapping IP addresses to MAC addresses.
Challenge Handshake Authentication Protocol: Protocol for authenticating users to an ISP.
Dynamic DNS: System for updating domain names in real time. Allows a
342. y can provide or prevent access to network resources (IP address, IP network, etc.).
Policy Name: This field is a unique name for identifying the policy.
IP address: Required when the governed resource is identified by its IP address or range of addresses.
Mask Length: Required when the governed resource is identified by a range of addresses within a subnet.
Port Range: If the policy governs a type of traffic, this field is used for defining TCP or UDP port number(s) corresponding to the governed traffic. Leaving the starting and ending port range blank corresponds to all UDP and TCP traffic.
Service: This is the SSL VPN service made available by this policy. The services offered are VPN tunnel, port forwarding or both.
Defined Resources: This policy can provide access to specific network resources. Network resources must be configured in advance of creating the policy to make them available for selection as a defined resource. Network resources are created with the following information.
Permission: The assigned resources defined by this policy can be explicitly permitted or denied.
Using Network Resources
Setup > VPN Settings > SSL VPN Server > Resources
Network resources are services or groups of LAN IP addresses that are used to easily create and configure SSL VPN policies. This shortcut saves time when creating similar policies for multiple remote SSL VPN users. Adding a Network Resource involves creating
343. ystem Overview
4.1.1 Dashboard
4.1.2 Device Status
4.1.3 Wireless LAN AP information
4.1.4 Cluster information
4.1.5 Resource Utilization
4.2 Traffic Statistics
4.2.1 Wired Port Statistics
4.3 Associated Client Status/Statistics
4.3.1 Managed AP Statistics
4.3.2 LAN Associated Clients
4.3.3 WLAN Associated Clients
4.4 Active Connections
4.4.1 Sessions through the Controller
4.5 LAN Client
4.5.1 Associated Clients
