User's Guide - Allied Telesis
Contents
1. [Figure 36. Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations. Labels: Client Station 1 (can decrypt WEP key 3, transmits in WEP key 1); Client Station 2 (can decrypt WEP key 3, transmits in WEP key 2); Access Point (transmits to both stations with same WEP key, e.g. WEP key 3).] IEEE 802.1x: IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame. This mode requires the use of a RADIUS server to authenticate users and configuration of user accounts on the Cluster > User Management page. The access point requires a RADIUS server capable of EAP, such as the Microsoft Internet Authentication Server or the AT-WA7400 Wireless Access Point's internal authentication server. To work with Windows clients, the authentication server must support Protected EAP (PEAP) and MSCHAP V2. When configuring IEEE 802.1x mode, you have a choice of whether to use the embedded RADIUS server or an external RADIUS server that you provide. The AT-WA7400 Wireles
2. 1. Disconnect the crossover cable from the computer and the access point. 2. Connect a regular Ethernet cable from the access point to the LAN. 3. Connect your computer to the LAN, either via an Ethernet cable or wireless client card. Test the AT-WA7400 Wireless Access Point by trying to detect it and associate it with some wireless client devices. After you have the wireless network up and running and have tested against the access point with some wireless clients, you can add in more layers of security, add users, configure a guest interface, and fine-tune performance settings. These features are described in the rest of this guide. Logging in After the Initial Setup: When you log in again after you complete the initial setup, the default web page is the Interfaces page, as shown in Figure 16. [Figure 16: Interfaces page ("View settings for network interfaces"). Internal Interface: MAC Address 00:0C:46:F2:E2:BC, VLAN ID, IP Address 149.35.8.241, Subnet Mask 255.255.255.0. Guest Interface: MAC Address
3. In this example, an external RADIUS server with an IP address of 142.77.1.1 is used as the authentication server:
  AT-WA7400 set bss wlan0bssInternal radius-ip 142.77.1.1
Set the RADIUS Key (For External RADIUS Server Only): If you use an external RADIUS server, you must provide the RADIUS key. If you use the built-in authentication server, the RADIUS key is automatically provided. This command sets the RADIUS key to KeepSecret for an external RADIUS server:
  AT-WA7400 set bss wlan0bssInternal radius-key KeepSecret
Enable RADIUS Accounting (External RADIUS Server Only): You can enable RADIUS Accounting if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on. The commands to enable or disable RADIUS accounting are shown in Table 22. Note: RADIUS accounting is not supported by the built-in server, so if you are using the built-in server, make sure that RADIUS accounting is off.
Table 22. RADIUS Accounting Commands (Function: Command)
  Enable RADIUS accounting: set bss wlan0bssInternal radius-accounting on
  Disable RADIUS accounting: set bss wlan0bssInternal radius-accounting off
For our example, we'll enable RADIUS accounting for our external RADIUS server:
  AT-WA7400 set bss wlan0bssInternal radius-accounting on
Allow Non-WPA Clients: You can let non WPA 802
4. When an access point is not listed in the access points list, the MAC filtering of rogue access points feature sends an SNMP trap to alert you to the unregistered (rogue) access point. To enable MAC filtering of rogue access points, perform the following procedure: 1. From the main menu, select Advanced > Pre-Config Rogue AP. The Configure MAC Filtering of Rogue Access Points page is shown in Figure 20. [Figure 20. Configure Rogue MAC Filtering of Access Point Page] 2. To add an access point to the list: a. Type its MAC address in the fields above the Add button. b. Click Add. c. Click Update. 3. To remove an access point from the list: a. Select the MAC address of the access point in the Access Points List. b. Click Add. c. Click Update. Chapter 4: Managing User Accounts. The AT-WA7400 Management Software includes user management capabilities for controlling client access to access points. User management and authentication must always be used in conjunction with the following two security modes, which require use of a RADIUS server for user authentication and management: IEEE 802.1x mode; WPA with RADIUS mode. You have the option of using either the internal RADIUS server embedded in the AT-WA7400 Wireless Access Point or an external RADIUS server that y
5. Wireless Neighborhoods on page 79
Table rows (Feature or Setting: Configurable from CLI / Configurable from Web):
  Displaying Status: Yes / Yes
  Ethernet (Wired) Interface: Yes / Yes. You can configure all Ethernet (Wired) settings from the CLI except the Connection Type. To change the Connection Type from DHCP to Static IP addressing (or vice versa), you must use the web UI.
  Setting Up the Wireless Interface: Yes / Yes
  Setting Up Security: Yes / Yes
  Enabling and Configuring the Guest Login Welcome Page: Yes / Yes
  Configuring Multiple BSSIDs on Virtual Wireless Networks: Yes / Yes
  Radio Settings: Yes / Yes. You can configure all radio settings from the CLI except for turning on/off Super AG.
  MAC Filtering: Yes / Yes
  Load Balancing: Yes / Yes
  Quality of Service: Yes / Yes
  Wireless Distribution System: Yes / Yes
  Time Protocol: Yes / Yes
  Rebooting the Access Point: Yes / Yes
  Resetting the Access Point to the Factory Defaults: Yes / Yes
  Upgrade the Firmware: No / Yes, as described in "Upgrading the Firmware" on page 207
Table 2. Comparison of CLI to Web Browser Interface Settings (Continued)
  Back Up and Restore: No / Yes, as described in Chapter 18, "Backing Up and Restoring a Configuration" on page 211
Accessing the CLI for an Access Point
Telnet Connection to the Access Poin
6. Enabling or Disabling Spanning Tree: The AT-WA7400 Management Software allows you to enable or disable spanning tree through both the wired and wireless interfaces. To enable or disable spanning tree, perform the following procedure: 1. From the main menu, select Advanced > Ethernet (Wired) Settings. The Ethernet (Wired) Settings page is shown in Figure 30 on page 88. 2. For the Spanning Tree Protocol setting, choose one of the following: Click Enabled to enable spanning tree; click Disabled to disable spanning tree. Configuring the Internal Interface Ethernet Settings: To configure Ethernet (wired) settings for the internal LAN, perform the following procedure: 1. From the main menu, select Advanced > Ethernet (Wired) Settings. The Ethernet (Wired) Settings page is shown in Figure 30 on page 88. In the Internal Interface Settings section, configure the following settings. MAC Address: Shows the MAC address for the internal interface for the Ethernet port on this access point. This is a read-only field that you cannot change. VLAN ID: If you choose to configure internal and guest networks by VLANs, this field is enabled. Enter a number between 1 and 4094 for the internal VLAN. This causes the access point to send DHCP requests with the VLAN tag. The switch and the DHCP server must support VLAN IEEE
7. Set the cipher suite you want to use. The options are shown in Table 17.
Table 17. Cipher Commands
  TKIP: Temporal Key Integrity Protocol (TKIP), which is the default. Commands:
    set bss wlan0bssInternal wpa-cipher-tkip on
    set bss wlan0bssInternal wpa-cipher-ccmp off
  CCMP (AES): Counter mode/CBC-MAC protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES). Commands:
    set bss wlan0bssInternal wpa-cipher-tkip off
    set bss wlan0bssInternal wpa2-cipher-ccmp on
  Both: When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point. WPA clients must have either a valid TKIP key or a valid CCMP (AES) key to be able to associate with the access point. Commands:
    set bss wlan0bssInternal wpa-cipher-tkip on
    set bss wlan0bssInternal wpa2-cipher-ccmp on
The following example sets the cipher suite to Both:
  AT-WA7400 set bss wlan0bssInternal wpa-cipher-tkip on
  AT-WA7400 set bss wlan0bssInternal wpa-cipher-ccmp on
4. Set the Pre-shared Key. The Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters. Following are two examples; the first sets the key to Secret, the second sets the key to KeepSecret.
  Ex 1: AT-WA7400 set interface wlan0 wpa-personal-key Secret
  or
  Ex 2: AT-WA7400 set interface wlan0 wpa-personal-key KeepSecret
Note
8. Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11 standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users. This security mode also provides backwards compatibility for wireless clients that support only the original WPA. When you configure WPA/WPA2 Enterprise (RADIUS) security mode on the access point, you have a choice of whether to use the built-in authentication server or an external RADIUS server that you provide. The AT-WA7400 Wireless Access Point's built-in authentication server supports Protected Extensible Authentication Protocol (EAP), known as EAP/PEAP, and Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2), which provides authentication for point-to-point (PPP) connections between a Windows-based computer and network devices such as access points. If you configure the network (access point) to use this security mode and choose the built-in authentication server, you must configure client stations to use WPA/WPA2 Enterprise (RADIUS) and EAP/PEAP. If you configure the network (access point) to use this security mode with an external RADIUS server, you must configure the client stations to use WPA/WPA2 Enterprise (RADIUS) and whichever security protocol your
9. [Table of contents excerpt]
  Viewing the Last Proposed Set of Changes: 74
  Configuring Advanced Settings (Customizing and Scheduling Channel Plans): 75
  Chapter 7: Wireless Neighborhoods: 79
  Understanding Wireless Neighborhood Information: 80
  Displaying the Wireless Neighborhood Information: 81
  Viewing Details of a Cluster Member: 84
  Chapter 8: Configuring Ethernet (Wired) Settings: 87
  Setting the DNS Name: 88
  Enabling or Disabling Guest Access: 90
  Configuring an Internal LAN and a Guest Network: 90
  Enabling or Disabling Guest Access
10. on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two. Load balancing parameters affect the distribution of wireless client connections across multiple access points. Using load balancing, you can prevent scenarios where a single access point in your network shows performance degradation because it is handling a disproportionate share of the wireless traffic. For a detailed conceptual overview of Load Balancing, see Chapter 14, "Load Balancing" on page 155. The access point provides default settings for load balancing. The following command examples reconfigure some load balancing settings and get details on the configuration:
  AT-WA7400 set radio wlan0 load-balance-disassociation-stations 2
  AT-WA7400 get radio wlan0 load-balance-disassociation-stations
  2
  AT-WA7400 set radio wlan0 load-balance-disassociation-utilization 25
  AT-WA7400
  AT-WA7400 get radio wlan0 load-balance-disassociation-utilization
  25
  AT-WA7400 set radio wlan0 load-balance-no-association-utilization 50
  AT-WA7400
  AT-WA7400 get radio wlan0 load-balance-no-association-utilization
  50
Quality of Service. Note: Before configuring this feature from the CLI, make sure you are famili
11. on page 52. The web pages for the standalone access point are displayed. From the main menu, select Cluster > Access Points. Click Join Cluster. The Summary of Settings page is redisplayed, as shown in Figure 18, with the settings of the access point that is now part of the cluster. [Figure 18. Settings of Access Point that Joined the Cluster. Summary of settings (Clustered): The IP address of this access point is 10.10.20.230. The location of the access point is not set. The Wireless Network Name (SSID) of the network is 20_230a. If you need to change these settings, click the Basic Settings tab. Security: Until you choose a security option, unauthorized users can connect to your wireless network without restriction (Set Security Options). User Accounts: If you have chosen to use the local authentication server in your security settings, manage your user accounts here (Add Users or Manage User Accounts). Access Points: Manage your access point(s) here (Manage Access Points).] The access point is now a cluster member. Its Status (Mode) on the Cluster > Access Points page now indicates Clustered. Note: In some situations, it is possible for the cluster to become out of sync. If, after removing an access point from the cluster, the access point list still refle
12. on page 92; Configuring the Internal Interface Ethernet Settings on page 93; Configuring the Guest Interface Settings on page 96. Setting the DNS Name: To set the DNS name, perform the following procedure: 1. From the main menu, select Advanced > Ethernet (Wired) Settings. The Ethernet (Wired) Settings page is shown in Figure 30. [Figure 30. Ethernet (Wired) Settings Page ("Modify Ethernet (Wired) settings"). Fields: DNS Name; Spanning Tree Protocol (Enabled/Disabled); Guest Access (Enabled/Disabled); For Guest access, use VLAN on Ethernet Port 1; Virtual Wireless Networks Using VLANs on Ethernet Port 1 (Enabled/Disabled). Internal Interface Settings: MAC Address; VLAN ID; PHY Type; Secure Management (Enabled/Disabled); Management IP Address; Deny Management via WLAN (Enabled/Disabled); Connection Type; Static IP Address; Subnet Mask; Default Gateway; DNS Nameservers (Dynamic/Manual). Guest Interface Settings: MAC Address; VLAN ID; Subnet. Update button.] 2. In the Ethernet (Wired) Settings page, enter the DNS name. The DNS name is the host name. It may be provided by your ISP or network administrator, or you can provide your own. The rules for DNS names are
13. would occur if multiple access points got access to the medium at the same time and tried to transmit data simultaneously. The more active users you have on a network, the more significant the performance gains of the backoff timer will be in reducing the number of collisions and retransmissions. [Figure: random backoff timeline. Initial range of MinCW; backoff is re-doubled until data is sent or until the retries limit is reached. Doubling continues on each try until MaxCW is reached, at which point this wait time is used on retries.] The random backoff used by the access point is a configurable parameter. To describe the random delay, a Minimum Contention Window (MinCW) and a Maximum Contention Window (MaxCW) are defined. The value specified for the Minimum Contention Window is the upper limit of a range for the initial random backoff wait time. The number used in the random backoff is initially a random number between 0 and the number defined for the Minimum Contention Window. If the first random backoff time ends before successful transmission of the data frame, the access point increments a retry counter and doubles the value of the random backoff window. The value specified in the Maximum Contention Window is the upper limit for this doubling of the random backoff. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Packet Bursting for Better Performanc
14. Figure 41. CLI Class Relationships. Appendix E: Radio Bands. The Allied Telesyn AT-WA7400 Wireless Access Point is capable of operating in the 2.4GHz (IEEE 802.11g/b) and in the 5GHz band (IEEE 802.11a) simultaneously. The access point is shipped with the 802.11g/b radio enabled and is software upgradeable to operate in 802.11g/b and 802.11a. For further information about this upgrade, please contact your Allied Telesyn sales representative. Some of the advantages of the 802.11a option are: Higher performance: 802.11a can deliver data rates up to 54Mbps, and there is enough room in the 5GHz spectrum to support up to 12 access points operating in the same area without causing interference between access points. This equates to 432Mbps (12 x 54Mbps) total data rate performance. With 802.11g, you have three non-overlapping channels for setting access point frequencies, which can limit capacity. Less RF interference: The growing use of 2.4GHz cordless phones and Bluetooth devices is crowding the radio spectrum within many facilities. This significantly decreases the performance of 802.11g wireless LANs. The use of 802.11a operating in the relatively uncrowded 5GHz band avoids this interference. Ability to use the Wireless Distribution System (WDS) feature, using the 802.11a radio for bridging to another access point while servicing 802.11g custo
15. Note: In some cases, you might want to set limits for only one access point that is consistently over-utilized. You can apply unique settings to a particular access point if it is operating in standalone mode. See "Understanding Clustering" on page 44 and "Understanding and Changing Access Point Settings" on page 48. A comparison of session monitoring data for multiple access points allows you to identify an access point that is consistently handling a disproportionately large percentage of wireless traffic. This can happen when location placement or other factors cause one access point to transmit the strongest signal to a majority of clients on a network. By default, that access point will receive most of the client requests while the other access points stay idle much of the time. Imbalances in distribution of wireless traffic across access points will be evident in session monitoring statistics, which will show higher utilization rates on overworked access points and, conversely, higher idle times on under-utilized access points. An access point that is handling more than its fair share of traffic might also show slower data rates or lower transmit/receive rates due to the overload. You can correct for imbalances in network access point utilization by enabling load balancing and setting limits on utilization rates and number of client associations allowed per access point. Load balancing also plays a part in contributing to Quality o
16. including a Certificate Authority (CA) server configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products. Some good starting points available on the web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and "How to Configure a Certificate Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710. Wireless clients configured to use either WPA/WPA2 Enterprise (RADIUS) or IEEE 802.1x security modes with an external RADIUS server that supports TLS-EAP certificates must obtain a TLS certificate from the RADIUS server. This is an initial one-time step that must be completed on each client that uses either of these modes with certificates. In this procedure, we use the Microsoft Certificate Server as an example. To obtain a certificate for a client, perform the following procedure: 1. Go to the following URL in a web browser: https://IPAddressofserver/certsrv/ where IPAddressofserver is the IP address of your external RADIUS server or of the Certificate Authority (CA), depending on the configuration of your infrastructure, as shown in Figure 26.
17. 802.1Q frames. The access point must be able to reach the DHCP server. Check with the Administrator regarding the VLAN and DHCP configurations. Configure the copper port: The speed and duplex settings for the LAN Ethernet port. The options are: Auto: The speed and duplex are automatically selected (recommended). 10Mbps Full: 10Mbps and full duplex. 10Mbps Half: 10Mbps and half duplex. 100Mbps Full: 100Mbps and full duplex. 100Mbps Half: 100Mbps and half duplex. Secure Management: This selection enables or disables the Management IP Address field. Enabled: Only the client with the IP address specified in the next selection can manage the access point. Disabled: Even if an IP address for a wireless client is specified, no client can manage the AP. Management IP Address: The IP address of a wireless client that can manage the access point. Deny Management via WLAN: If checked, disables management access to the access point by a wireless client associated with the AP, even if its IP address is defined in the Management IP Address field. Connection Type: Select one of the following: DHCP: The Dynamic Host Configuration Protocol (DHCP) is a protocol that allows a centralized server to provide network configuration information to devices on the network. This information includes the IP address and netmask, plus the address of its DNS servers and gateway. Sta
18. "EDCF Control of Data Frames and Arbitration Interframe Spaces" on page 164. cwMin (Minimum Contention Window): This parameter is input to the algorithm that determines the initial random backoff wait time (window) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling will continue until the size of the random backoff value reaches the number defined in the Maximum Contention Window. Valid values for the cwmin are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmin must be lower than the value for cwmax. For more information, see "Random Backoff and Minimum/Maximum Contention Windows" on page 165. cwMax (Maximum Contention Window): The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Enabling/Disabling Wi-Fi Multimedia: When the Maximum Contention Wind
19. Information about the current firmware version is displayed and an option to upgrade to a new firmware image is provided. 2. If you know the path to the New Firmware Image file, enter it in the text box. Otherwise, click Browse and locate the firmware image file. 3. Click Update to apply the new firmware image. A confirmation window is displayed that describes the upgrade process. 4. Click OK to confirm the upgrade and start the process. Caution: The firmware upgrade process begins after you click Update and then OK in the confirmation window. The upgrade process may take several minutes, during which time the access point will be unavailable. Do not power down the access point while the upgrade is in process. When the upgrade is complete, the access point restarts and resumes normal operation using the factory default configuration settings. To verify that the firmware upgrade completed successfully, check the firmware version shown on the Advanced > Upgrade page and also on the Basic Settings page. If the upgrade was successful, the updated version name or number is displayed. SNMP Firmware Upgrade: To upgrade the firmware using SNMP, perform the following procedure: 1. From the main menu, select Advanced > SNMP Firmware Upgrade. The Configure SNMP Firmware Upgrade page is shown in Figure 65. [Figure 65: Configure SNMP Firmware Upgrade page. Fields: SNMP Firmware TFTP Serv
20. The current rate will always be one of the rates shown in Supported Rates. Signal: Indicates the strength of the radio signal emitting from this access point as measured in decibels (dB). of Beacons: Shows the total number of beacons transmitted by this access point since it was last booted. Last Beacon: Shows the date and time the most recent beacon was transmitted from the access point. Rates: Shows supported and basic (advertised) rate sets for the neighboring access point. Rates are shown in megabits per second (Mbps). All Supported Rates are listed, with Basic Rates shown in bold. For information about setting the rates, refer to Chapter 13, "Configuring Radio Settings" on page 145. The rates shown for an access point will always be the rates currently specified for that access point in its Radio Settings. Viewing System Information: You can view information about a particular access point, such as its hardware version and current firmware version, by viewing the System Information page. To view system information, perform the following procedure: 1. From the main menu, select Status > Information. The System Information page is shown in Figure 58. [Figure 58: System Information page. Hardware Version 1.00.00; Serial No. A0Q2956B050900288A; MAC Addresses 00:0C:46:F2:E2:BC, 00:0C:46:F2:E2:C0; Boot Code Version 1.00; Firm
21. The session begins when the client logs on to the network, and the session ends when the client either logs off intentionally or loses the connection for some other reason. Note: A session is not the same as an association, which describes a client connection to a particular access point. A client network connection can shift from one clustered access point to another within the context of the same session. A client station can roam between access points and maintain the session. Note: For information about monitoring associations and link integrity monitoring, see "Viewing the Associated Wireless Clients" on page 192. Viewing Sessions Information: To view session monitoring information, perform the following procedure: 1. From the main menu, select Cluster > Sessions. The Sessions page is shown in Figure 24. [Figure 24: Sessions page. A "Display" choice box (All) and a table with columns User, AP Location, User MAC, Idle, Rate (Mbps), Signal, Utilization, Rx Total, Tx Total, Error Rate. Page text: You may sort the following table by clicking on any of the column names. You may restrict the number of columns displayed by selecting a field other than "all" in the choice box above. By selecting a specific field, the table will show only User, AP Location, User MAC, and the selected field for each session.]
22. [Figure 55. Transmit/Receive Statistics Page. Transmit and Receive tables, each listing Total packets, Total bytes, and Errors for the Ethernet and Radio interfaces (Internal and Guest).] This page provides some basic information about the current access point and a real-time display of the transmit and receive statistics for this access point, as described in the following table. All transmit and receive statistics shown are totals since the access point was last started. If the access point is rebooted, these figures indicate transmit/receive totals since the reboot. IP Address: IP address for the access point. MAC Address: Media access control (MAC) address for the specified interface. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. The AT-WA7400 Wireless Access Point has a unique MAC address for each interface. A two-radio access point has a different MAC address for each interface on each of its two radios. VLAN ID: Virtual LAN (VLAN) ID. A VLAN is a software-based, logical grouping of devices on a network that allows them to act as if they are connected to a single physical network, even though they may not be. VLANs can be used to establ
23. Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode requires the use of a RADIUS server to authenticate users. WPA/WPA2 Enterprise (RADIUS) provides the best security available for wireless networks. This security mode also provides backwards compatibility for wireless clients that support only the original WPA, as described in Table 4.
Table 4. RADIUS Security
  Key Management: WPA/WPA2 Enterprise (RADIUS) mode provides dynamically generated keys that are periodically refreshed. There are different unicast keys for each station.
  Encryption Algorithm: Temporal Key Integrity Protocol (TKIP); Counter mode/CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES).
  User Authentication: Remote Authentication Dial-In User Service (RADIUS). You have a choice of using the AT-WA7400 Management Software embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2.
WPA/WPA2 Enterprise (RADIUS) mode is the recommended mode. The CCMP (AES) and TKIP encryption algorithms used with WPA modes are far superior to the RC4 algorithm used for Static WEP or IEEE 802.1x modes. Therefore, CCMP (AES)
24. cluster and which are not, see "Which Settings are Shared as Part of the Cluster Configuration and Which Are Not" on page 45. To configure internal and guest networks on virtual LANs, perform the following procedure: 1. Use only one wired connection from the network port on the access point to the LAN. Make sure this port is configured to handle VLAN-tagged packets. Configure Ethernet (wired) Settings for internal and guest networks on VLANs, as described in Chapter 8, "Configuring Ethernet (Wired) Settings" on page 87. Start by enabling guest access, as described in "Enabling or Disabling Guest Access" on page 90. Provide the radio interface settings and network names (SSIDs) for both internal and guest networks, as described in Chapter 9, "Configuring the Wireless Settings" on page 97. 5. Configure the guest splash screen, as described in "Configuring the Welcome Screen (Captive Portal)", next. Configuring the Welcome Screen (Captive Portal): You can set up or modify the Welcome screen (captive portal) guest clients see when they open a web browser or try to browse the web. To set up the captive portal, perform the following procedure: 1. From the main menu, select Advanced > Guest Login. The Guest Login configuration page is shown in Figure 42. [Figure 42: Guest Login page ("Modify guest welcome screen settings"). Guest User Welcome Screen: Enabled Disab
25. external RADIUS server and a Public Key Authority Infrastructure (PKI), including a Certificate Authority (CA), server configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products. Some good starting points available on the web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and "How to Configure a Certificate Server" at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710#3

To use this type of security, you must do the following:

1. Add the AT-WA7400 Wireless Access Point to the list of RADIUS server clients. See "Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point" on page 248.
2. Configure the AT-WA7400 Wireless Access Point to use your RADIUS server (by providing the RADIUS server IP address as part of the "IEEE 802.1x" security mode settings).
3. Configure wireless clients to use IEEE 802.1x security and "Smart Card or other Certificate" as described in this section.
4. Obtain a certificate for this client as described in "Obtaining a TLS-EAP Certificate for a Client" on page 253.

Appendix B Configuring Security on Wireless Clients

5. Verify that you configured the AT-WA7400 Wireless Access Point to us
26. portable or stationary device equipped with a Wi-Fi adapter and supporting drivers. In order to connect to the access point, wireless clients need the following software and hardware:

- Wi-Fi Client Adapter: Portable or built-in Wi-Fi client adapter that supports one or more of the IEEE 802.11 modes in which you plan to run the access point. (IEEE 802.11a, 802.11b, 802.11g, and 802.11a Turbo modes are supported.) Wi-Fi client adapters vary considerably. The adapter can be a PC card built in to the client device, a portable PCMCIA or PCI card (types of NICs), or an external device such as a USB or Ethernet adapter that you connect to the client by means of a cable. The AT-WA7400 Wireless Access Point supports 802.11a/g modes. The fundamental requirement for clients is that they all have configured adapters that match the 802.11a/g mode.
- Wireless Client Software: Client software such as Microsoft Windows Supplicant or Funk Odyssey wireless client configured to associate with the AT-WA7400 Management Software.
- Client Security Settings: Security should be disabled on the client used to do initial configuration of the access point. If the Security mode on the access point is set to anything other than plain text, wireless clients will need to set a profile to the authentication mode used by the access point and provide a valid username and password, certificate, or similar user identity proof. Security modes are Static WEP, IEEE 8
27. status up description Wireless Distribution System Link 1 mac 00 0 B8 76 26 08 ip mask 345 Appendix D Command Line Interface CLI for Access Point Configuration 346 static ip static mask nat rx bytes rx packets rx errors rx drop rx fifo rx frame rx compressed rx multicast tx bytes tx packets tx errors tx drop tx fifo tx colls tx carrier tx compressed port isolation ssid bss security wpa personal key wep key ascii wep key length wep defaul1t key wep key 1 wep key 2 O O O O O O O O O O O O O O O OQO no 104 Time Protocol AT WA7400 Management Software User s Guide wep key 3 wep key 4 vlan interface vlan id radio wlan0O remote mac 00 0 B8 76 1B 14 The Network Time Protocol NTP is an Internet standard protocol that synchronizes computer clock times on your network NTP servers transmit Coordinated Universal Time UTC also known as Greenwich Mean Time to their client systems NTP sends periodic time requests to servers using the returned time stamp to adjust its clock The timestamp will be used to indicate the date and time of each event in log messages See http www ntp org for more general information on NTP To enable the Network Time Protocol NTP server on the access point do the following 1 Enable the NTP Server ntp status up 2 Provide the Host Name or Address of an NTP Server ntp server N7P_Server Where N7P_Server is the host name or IP address of the
28. such as a guest network, where the priority is making it easy for clients to get a connection and where no sensitive information is available. See also "Guest Network" on page 116.

When station isolation is enabled, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Chapter 16, "Configuring the Wireless Distribution System (WDS)" on page 173 for more information about WDS.

Chapter 10 Configuring Security

Configuring Security Settings

The following section explains how to configure security modes on the access point. Keep in mind that each wireless client that wants to exchange data with the access point must be configured with the same security mode and encryption key settings consistent with access point security. On a two-radio access point, these Security Settings apply to both radios.

Note: Security modes other than plain text apply only to configuration of the internal network. On the guest network, you can use only plain text mode. For more information about guest networks, see Chapter 11, "Setting Up Guest Access" on page 133.

Broadcast SSID: To configure the broadcast SSID s
29. [Figure 16. Default Web Page]

Chapter 3 Managing Access Points and Clusters

The AT-WA7400 Management Software shows current basic configuration settings for clustered access points (location, IP address, MAC address, status, and availability) and provides a way of navigating to the full configuration for specific access points if they are cluster members. Standalone access points, or those which are not members of this cluster, do not show up in this listing. To configure standalone access points, you must discover (via KickStart) or know the IP address of the access point and use its IP address in a URL (http://IPAddressOfAccessPoint).

Note: The AT-WA7400 Management Software is not designed for multiple, simultaneous configuration changes. If you have a network that includes multiple access points, and more than one administrator is logged on to the web pages and making changes to the configuration, all access points in the cluster will stay in synch, but there is no guarantee that all configurat
30. 11 unauthenticated client stations use this access point by setting the wpa al lowed option to on The commands are listed in Table 23 Table 23 WPA Client Commands Function Command Allow non WPA clients set bss wlanObssInternal wpa allowed on TDisallow non WPA clients set bss wlanObssInternal wpa2 allowed off For this example allow non WPA clients AT WA7400 set bss wlanObssInternal wpa al lowed on Get Current Security Settings After Reconfiguring to WPA WPA2 Enterprise RADIUS Use the get command again to view the updated security configuration 321 Appendix D Command Line Interface CLI for Access Point Configuration 322 and see the results of our new settings The following command gets the security mode in use on the internal network AT WA7400 get interface wlan0 security wpa enterprise The following command gets details on how the internal network is configured including details on Security AT WA7400 get bss wlanObssInternal detail Field status description radio beacon interface mac dtim period max Sstations ignore broadcast ssid mac acl mode mac acl name radius accounting radius ip radius key open system authentication shared key authentication wpa al low non wpa stations wpa cipher tkip wpa cipher ccmp wpa al lowed wpa2 al lowed Value up Internal wlanO wlanO 00 0C 41 16 DF A6 2 2007 off deny list wlanO
31. Remove a User Account 289
Displaying Status 289
Get Common Information on the Internal Interface for the Access Point 291
Get Current Settings for the Ethernet (Wired) Internal Interface 291
Get All Wired Settings for the Wired Internal Interface 292
Get the MAC Address for the Wired Internal Interface 292
Get the Network Name (SSID) for the Wired Internal Interface 292
Get Current Settings for the Ethernet (Wired) Guest Interface 292
Get Current Wireless (Radio) Settings 293
Get the Current IEEE 802.11 Radio Mode 293
Get the Channel the Access Point is Currently Using
32. 7 49 wlan0 vi 2 7 15 94 wlan0 be 3 15 1023 0 wlan0 bk 7 15 1023 0

Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in "Understanding Interfaces as Presented in the CLI" on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.

Table 32 provides a list of the WDS commands.

Table 32. WDS Commands

    Function                             Command
    Configure a WDS Link                 See detailed command example below
    Get Details on a WDS Configuration   get interface wlan0wds0 detail

Configure a WDS Link

To set up a wireless distribution system (WDS) link between two wireless networks:

Enable the WDS interface (wlan0wds0) on the current access point:

    AT-WA7400# set interface wlan0wds0 status up
    AT-WA7400# set interface wlan0wds0 radio wlan0

Provide the MAC address of the remote access point to which you want to link:

    AT-WA7400# set interface wlan0wds0 remote-mac MAC_Address_Of_Remote_AP

For example:

    AT-WA7400# set interface wlan0wds0 remote-mac 00:E0:B8:76:1B:14

Get Details on a WDS Configuration

Verify the configuration of the WDS link you just configured by getting details on the WDS interface:

    AT-WA7400# get interface wlan0wds0 detail
    Field   Value
    type    wds
33. Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect.

Chapter 12 VLANs

Note: The Broadcast SSID you set here is specifically for this Virtual Network (One or Two). Other networks continue to use the security modes already configured. Your original internal network (configured on the Advanced > Ethernet (Wired) page) uses the Broadcast SSID set on the Advanced > Security page. If a Guest network is configured, the Broadcast SSID is always allowed.

Security Mode: Select the Security Mode for this VLAN, one of the following:

- Plain text
- Static WEP
- IEEE 802.1x
- WPA/WPA2 Personal (PSK)
- WPA/WPA2 Enterprise (RADIUS)

Note: The Security mode you set here is specifically for this Virtual Network (One or Two). Other networks continue to use the security modes already configured. Your original internal network (configured on the Advanced > Ethernet (Wired) page) uses the Security mode set on the Advanced > Security page. If a Guest network is configured, it always uses plain text security mode.

3. Click Update to save your changes.

Configuring the Management VLAN

When you configure a management VLAN, only those users who have the required IP address and subnet mask of the management AP can make any management changes. To
34. Certificate Properties Dialog Box 234
Security Settings Page 237
User Management Accounts Page 238
Wireless Network Properties Dialog Box 239
Protected EAP Properties Dialog Box 240
Security Settings Page 242
Association and Authentication Tabs 243
Smart Card or other Certificate Properties Dialog Box 244
Security Settings Page
Association Tab
Security Settings Page
Internet Authentication Service Window
New RADIUS Client Dialog Box Name and Address Dialog Box 251
New RADIUS Client Wizard Additional Information D
35. Chapter 1 Preparing to Set Up the AT-WA7400 Wireless Access Point

Before you plug in and boot a new AT-WA7400 Wireless Access Point, review the following sections for a quick check of required hardware components, software, client configurations, and compatibility issues. Make sure you have everything you need ready to go for a successful launch and test of your new (or extended) wireless network. This chapter contains the following sections:

- "Setting Up the Administrator's Computer" on page 20
- "Setting Up the Wireless Client Computers" on page 22
- "Understanding Dynamic and Static IP Addressing on the AT-WA7400 Management Software" on page 23

Setting Up the Administrator's Computer

You configure and administer the AT-WA7400 Wireless Access Point with the KickStart utility (which you run from the CD), through a web-based user interface (UI), or through the command line interface. In order to successfully start the management software, the administrator's computer must be set up with the following hardware and software components:

- Ethernet connection: The computer used to configure the first AT-WA7400 Wireless Access Point with KickStart must be connected to the access point, either directly or through a hub, by an Ethernet cable.
- Wireless Connection to the Network: After you initially configure and launch the first AT-WA7400 Wire
36. Click the Go button to apply the new selection.

Figure 24. Sessions Page

The Sessions page displays the following information about client stations associated with access points in the cluster:

User Name: Indicates the client user name of IEEE 802.1x clients.

Note: This field is relevant only for clients that are connected to access points using IEEE 802.1x security mode and local authentication server. (For more information about this mode, see "IEEE 802.1x" on page 121.) No user name is shown for clients of access points using IEEE 802.1x with RADIUS server or other security modes.

AP Location: Indicates the location of the access point. This is derived from the location description specified on the Basic Settings page.

User MAC Address: Indicates the MAC address of the user's client device (station). A MAC address is a hardware address that uniquely identifies each node of a network.

Idle Time: Indicates the amount of time this station has remained inactive. A station is considered to be idle when it is not receiving or transmitting data.

Data Rate: The speed at which this access point is transferring data to the specified client. The data transmission rate is measured in megabits per second (Mbps). This value should fall within the range of the advertised rate set for the IEEE 802.1x mode in use on the a
37. Command Get Current Settings for the Ethernet Wired Internal get interface brO Interface Find out if guest access is enabled and configured get interface brguest status will be up or down Set DNS Nameservers to Use Static IP Addresses Dynamic See example below to Manual Mode Set DNS Nameservers to Use DHCP IP Addressing Manual See example below to Dynamic Mode Get Summary View of Internal and Guest Interfaces AT wWA7400 get bss name status radio beacon interface mac wlanObssInternal up wlanO wlan0O 00 0C 41 16 DF A6 Get the DNS Name AT WA7400 get host id AT WA7400 AP Set the DNS Name AT WA7400 set host id vicky ap bob get host name vicky ap Get Wired Internal Interface Settings See Get Current Settings for the Ethernet Wired Internal Interface on page 291 under Displaying Status Get Wired Guest Interface Settings See Get Current Settings for the Ethernet Wired Guest Interface on page 292 under Displaying Status 302 AT WA7400 Management Software User s Guide Set DNS Nameservers to Use Static IP Addresses Dynamic to Manual Mode This example shows how to reconfigure DNS Nameservers from Dynamic mode where name server IP addresses are assigned through DHCP to Manual mode and specify static IP addresses for them 1 Check to see which mode the DNS Name Service is running in In our example DNS naming is running in DHCP mode when we
38. Figure 17

[Figure 17. Association and Authentication Tabs. Callouts: choose WPA; choose either TKIP or AES for the Data Encryption mode; choose Smart Card or other certificate and enable "Authenticate as computer when info is available", then click Properties.]

Configure the following settings on the Association tab on the Network Properties dialog:

Network Authentication: WPA

Data Encryption: TKIP or AES, depending on how this option is configured on the access point.

Note: When the Cipher Suite on the access point is set to "Both", then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point.

Configure these setting
39. IEEE 802.1x mode and the Built-in Authentication Server, then configure wireless clients as described in "IEEE 802.1x Client Using EAP/PEAP" on page 227.

- If the AT-WA7400 Wireless Access Point is configured to use WPA/WPA2 Enterprise (RADIUS) mode and the Built-in Authentication Server, then configure wireless clients as described in "WPA/WPA2 Enterprise (RADIUS) Client Using EAP/PEAP" on page 236.

The following sections assume that if you have an external RADIUS server and PKI/CA setup, you will know how to configure client security options appropriate to your security infrastructure beyond the fundamental suggestions given here. Topics covered here that particularly relate to client security configuration in a RADIUS/PKI environment are:

- "IEEE 802.1x Client Using EAP/TLS Certificate" on page 231
- "WPA/WPA2 Enterprise (RADIUS) Client Using EAP/TLS Certificate" on page 241
- "Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point" on page 248
- "Obtaining a TLS-EAP Certificate for a Client" on page 253

Details about how to configure an EAP/PEAP client with an external RADIUS server are not covered in this document.

Make Sure the Wireless Client Software is Up to Date

Before starting out, please keep in mind that service packs, patches, and new releases of drivers and other supporting technologies
40. MAC filtering is on, only clients with a listed MAC address can access the network. Based on how you set the MAC filter, you can allow only client stations with a listed MAC address or prevent access to the stations listed. For the guest interface, MAC Filtering settings apply to both BSSes. On a two-radio access point, MAC Filtering settings apply to both radios.

To set the DNS name, perform the following procedure:

1. From the main menu, select Advanced > MAC Filtering. The MAC Filtering page is shown in Figure 19.

[Figure 19. MAC Filtering Page]

2. Configure the following settings:

Filter: Click one of the following radio buttons:
- Allow only stations in the list
- Allow any station unless in list

Stations List: To add a MAC Address to Stations List, enter its 48-bit MAC address into the lower text boxes, then click Add. The MAC Address is added to the Stations List. To remove a MAC Address from the Stations List, select its 48-bit MAC address, then click Remove. The stations in the list will either be allowed or prevented from accessing the access point based on how you set the Filter.

3. Click Update to save your settings.

MAC Filtering of Rogue Access Points
41. Point

For the single band access point, select one of these modes:
- IEEE 802.11b
- IEEE 802.11g
- Atheros Turbo 2.4 GHz
- Atheros Dynamic Turbo 2.4 GHz

Dual Band Access Point

For the dual band access point, select one of these modes for each Radio Interface:
- IEEE 802.11b
- IEEE 802.11g
- IEEE 802.11a
- Atheros Turbo 5 GHz (IEEE 802.11a Turbo)

Wireless Network Name (SSID): The name for all wireless access points on this network. You cannot change this name on this page. To change this name, refer to "Configuring the Basic Settings and Starting the Wireless Network" on page 37.

Channel: Select the Channel. The range of channels and the default is determined by the Mode of the radio interface. The channel defines the portion of the radio spectrum the radio uses for transmitting and receiving. Each mode offers a number of channels, dependent on how the spectrum is licensed by national and transnational authorities such as the Federal Communications Commission (FCC) or the International Telecommunication Union (ITU-R). The default is "Auto", which picks the least busy channel at startup time.

Radar detection: When this option is enabled, if the access point detects military radar on the same frequency as the 802.11a channel to which the access point is set, the access point changes to a different channel.

3. Click Update to save your settings.

Chapter 9 Configu
42. Protocol (EAP), referred to here as "EAP/PEAP".

- If you are using the built-in authentication server with "IEEE 802.1x" security mode on the AT-WA7400 Wireless Access Point, then you will need to set up wireless clients to use PEAP.
- Additionally, you may have an external RADIUS server that uses EAP/PEAP. If so, you will need to (1) add the AT-WA7400 Wireless Access Point to the list of RADIUS server clients, and (2) configure your IEEE 802.1x wireless clients to use PEAP.

Note: The following example assumes that you are using the built-in authentication server that is shipped with the AT-WA7400 Wireless Access Point. If you are setting up EAP/PEAP on a client of an access point that is using an external RADIUS server, the client configuration process will differ somewhat from this example, especially with regard to certificate validation.

To configure IEEE 802.1x security on a client, perform the following procedure:

1. If you configured the AT-WA7400 Wireless Access Point to use IEEE 802.1x security mode as shown in Figure 6:

[Figure 6. Security Settings Page]

Then configure IEEE 802.1x security with PEAP authentic
43. RADIUS server is configured to use. The built-in authentication server on the AT-WA7400 Wireless Access Point uses Protected Extensible Authentication Protocol (EAP), known as "EAP/PEAP".

- If you are using the Built-in Authentication server with "WPA/WPA2 Enterprise (RADIUS)" security mode on the AT-WA7400 Wireless Access Point, then you will need to set up wireless clients to use PEAP.
- Additionally, you may have an external RADIUS server that uses EAP/PEAP. If so, you will need to (1) add the AT-WA7400 Wireless Access Point to the list of RADIUS server clients, and (2) configure your "WPA/WPA2 Enterprise (RADIUS)" wireless clients to use PEAP.

Note: The following example assumes that you are using the built-in authentication server that is shipped with the AT-WA7400 Wireless Access Point. If you are setting up EAP/PEAP on a client of an access point that is using an external RADIUS server, the client configuration process will differ somewhat from this example, especially with regard to certificate validation.

If you configured the AT-WA7400 Wireless Access Point to use "WPA/WPA2 Enterprise (RADIUS)" security mode, and to use either the built-in authentication server or an external RADIUS server that uses EAP/PEAP, perform the following procedure:

1. On the Security Settings page (Figure 12), verify that the Security Mode is set to WPA/WPA2
44. Settings on page 102 or "Configuring the Guest Network Wireless Settings" on page 103. A guest network and an internal network running on the same access point must always have two different network names.

Privacy: Indicates whether there is any security on the neighboring device.
- Off indicates that the Security mode on the neighboring device is set to plain text mode (no security).
- On indicates that the neighboring device has some security in place.

For more information on security settings, see Appendix B, "Configuring Security on Wireless Clients" on page 217.

WPA: Indicates whether WPA security is on or off for this access point.

Band: This indicates the IEEE 802.11 mode being used on this access point (for example, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g). The number shown indicates the mode according to the following list:
- 2.4 indicates IEEE 802.11b mode or IEEE 802.11g mode
- 5 indicates IEEE 802.11a mode
- 5 Turbo indicates Atheros Turbo 5 GHz mode

Channel: Shows the channel on which the access point is currently broadcasting. The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. See Chapter 13, "Configuring Radio Settings" on page 145 for information on the radio settings.

Rate: Shows the rate (in megabits per second) at which this access point is currently transmitting
45. Shared secret keys can include spaces and special characters if the key is placed inside quotation marks as in the first example above If the key is a string of characters with no spaces or special characters in it the quotation marks are not necessary as in the second example above AT WA7400 Management Software User s Guide 5 Get Current Security Settings After Reconfiguring to WPA WPA2 Personal PSK Now use the get command again to view the updated security configuration and see the results of the new settings The following command gets the security mode in use on the internal network AT WA7400 get interface wlan0 security wpa personal The following command gets details on how the internal network is configured including details on Security AT WA7400 get bss wlanObssinternal detail Field status description radio beacon interface mac dtim period max stations ignore broadcast ssid mac acl mode mac acl name radius accounting radius ip radius key open system authentication shared key authentication wpa al low non wpa stations wpa cipher tkip wpa cipher ccmp Value up Internal wlanO wlanO 00 0C 41 16 DF A6 off deny list wlanObssInternal 127 0 0 1 secret on on 317 Appendix D Command Line Interface CLI for Access Point Configuration wpa al lowed wpa2 al lowed on on rsn preauthentication Set Security to WPA WPA2 Enterprise RADIUS Set the
46. To view the current log settings:

    AT-WA7400# get log
    Field          Value
    depth          15
    relay-enabled  1
    relay-host     10.10.5.220
    relay-port     514

From the above output for the get log command, you can identify the following about the Log Relay Host (syslog server):

- The syslog server is enabled because relay-enabled is set to 1.
- The syslog server is at the IP address 10.10.5.220.
- The access point is listening for syslog messages on the default port 514.

Get Transmit/Receive Statistics

    AT-WA7400# get interface all ip mac ssid tx-packets tx-bytes tx-errors rx-packets rx-bytes rx-errors
    Name        Ip            Mac                ssid             Tx-packets  Tx-bytes  Tx-errors  Rx-packets  Rx-bytes  Rx-errors
    lo          127.0.0.1     00:00:00:00:00:00                   1319        151772    0          1319        151772    0
    eth0                      00:A0:C9:8C:C4:7E                   4699        3025566   0          11323       1259824   0
    eth1        0.0.0.0       00:50:04:6F:6F:90                   152         49400     0          6632        664298    0
    br0         10.10.55.216  00:A0:C9:8C:C4:7E                   4699        3025566   0          10467       885264    0
    brguest     10.10.56.248  00:50:04:6F:6F:90                   152         48032     0          5909        293550    0
    wlan0       0.0.0.0       02:0C:41:00:02:00  AAP1000 Trusted  6483        710681    0          0           0         0
    wlan0guest  0.0.0.0       02:0C:41:00:02:01  AAP1000 Guest    5963        471228    0          0           0         0
    wlan0wds0
    wlan0wds1
    wlan0wds2
    wlan0wds3

Get Client Associations

    AT-WA7400# get association
    Interf  Station            Authen  Associ  Rx-pac  Tx-pac  Rx-byt  Tx-byt  Tx-rat
    wlan0   00:0c:41:8f:a7:72
47. User s Guide wlanO 6 wlanO 5 5 wlanO 2 wlanO 1 Get Basic Rate Set The Basic Rate Set is what the access point will advertise to the network for the purposes of setting up communication with other access points and client stations on the network It is generally more efficient to have an access point broadcast a subset of its supported rate sets AT WA7400 get basic rate name rate wlanO 11 wlanO 5 5 wlanO 2 wlanO 1 Configure Radio Settings Note To get a list of all fields you can set on the access point radio type the following at the CLI prompt set radio wlan0 SpaceKey TAB TAB Turn the Radio On or Off The commands to turn the radio on or off are listed inTable 26 Table 26 Radio Operation Commands Function Command Turn the radio on set radio wlan0 status on Turn the radio off set radio wlanO status off Set the Radio Mode Valid values depend on the capabilities of the radio Possible values and 329 Appendix D Command Line Interface CLI for Access Point Configuration 330 how you would use the CLI to set each one are shown in Table 27 Table 27 Radio Mode Commands Function Command IEEE 802 11b set radio wlan0 mode b IEEE 802 119 set radio wlanO mode g IEEE 802 11a set radio wlan0 mode a Atheros Turbo 5 GHz set radio wlan0 mode turbo a Atheros Dynamic Turbo 5 GHz set radio wlan0 mode dynamic turbo a Atheros Turbo 2 4 GHz s
48. [Figure 14. Wireless Network Properties Dialog Box]

4. Configure the following settings on the Association and Authentication tabs in the Network Properties dialog box:

Network Authentication: WPA

Data Encryption: TKIP or AES, depending on how this option is configured on the access point.

Note: When the Cipher Suite on the access point is set to "Both", then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point.

5. Configure this setting on the Authentication tab:

EAP Type: Choose "Protected EAP (PEAP)".

Click Properties to open the Protected EAP Properties dialog box as shown in Figure 15.

[Figure 15 callouts: "Disable (click to uncheck)"; "Choose secured password (EAP-MSCHAP v2)"; "Validate server certificate"]
49. Yes Yes 126 29 9222 3055 540
wlan0 00:09:5b:2f:a5:2f Yes Yes 382 97 16620 10065 110

AT-WA7400 get association detail
Inter  Station            Authe  Assoc  Rx pa  Tx pa  Rx byt  Tx byt  Tx ra  Liste
wlan0  00:0c:41:8f:a7:72  Yes    Yes    126    29     9222    3055    540    1
wlan0  00:09:5b:2f:a5:2f  Yes    Yes    382    97     16620   10065   110    1

Get Neighboring Access Points: The Neighboring access point view shows wireless networks within range of the access point. These commands provide a detailed view of neighboring access points, including identifying information (SSIDs and MAC addresses) for each, and statistical information such as the channel each access point is broadcasting on, signal strength, and so forth.

To see the kinds of information about access point neighbors you can search on, type get detected-ap [TAB] [TAB]:

AT-WA7400 get detected-ap
[Enter]          Get common fields
band             Frequency band
beacon-interval  Beacon interval in kus (1.024 ms)
capability       IEEE 802.11 capability value
channel          Channel
detail           Get all fields
erp              ERP
last-beacon      Time of last beacon
mac              MAC address
num_beacons      Number of beacons received
phy-type         PHY mode detected with
privacy          WEP or WPA enabled
rate             Rate
signal           Signal strength
ssid             Service Set IDentifier (a.k.a. Network Name)
supported-rates  Supported rates list
type             Type (AP, Ad hoc, or Other)
wpa              WPA security enabled

To get the neighboring access
50. access point, perform the following procedure:

1. From the main menu, select Advanced > Ethernet Wired Settings. The Ethernet Wired Settings page is shown in Figure 30 on page 88.
2. For the Guest Access setting, choose one of the following:
   o Click Enabled to enable guest access.
   o Click Disabled to disable guest access.
3. Click Update to save your changes.

If you want to configure the internal network as a VLAN, whether or not you have a guest network configured, you must enable virtual wireless networks on the AT-WA7400 Wireless Access Point. To enable or disable virtual wireless networks on the access point, perform the following procedure:

1. From the main menu, select Advanced > Ethernet Wired Settings. The Ethernet Wired Settings page is shown in Figure 30 on page 88.
2. For the Virtual Wireless Networks setting, select one of the following:
   o Select Enabled to enable VLANs for the internal network and for additional networks. If you choose this option, you can run the internal network on a VLAN whether or not you have guest access configured, and you can set up additional networks on VLANs using the Advanced > Virtual Wireless Networks page, as described in Chapter 12, VLANs, on page 139.
   o Select Disabled to disable the VLAN for the internal network and for any additional virtual networks on this access point.
3. Click Update to save your changes.
51. o wlan0 (radio one)
o wlan (radio two)

One-Radio Access Points: This field is not included on the Neighboring Access Points pages of one-radio access points.

Beacon Interval: Shows the beacon interval being used by this access point. Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). See Chapter 13, Configuring Radio Settings, on page 145 for information on setting the beacon interval.

Type: Indicates the type of device:
o AP indicates the neighboring device is an access point that supports the IEEE 802.11 wireless networking framework in infrastructure mode.
o Ad hoc indicates a neighboring station running in ad hoc mode. Stations set to ad hoc mode communicate with each other directly, without the use of a traditional access point. Ad hoc mode is an IEEE 802.11 wireless networking framework also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS).

SSID: The Service Set Identifier (SSID) for the access point. The SSID is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name. To set the SSID, refer to Configuring the Basic Settings and Starting the Wireless Network on page 37, Configuring Internal Wireless LAN
52. basic-rate      Basic rates of radios
bridge-port     Bridge ports of bridge interfaces
bss             Basic Service Set of radios
interface       Network interface
mac-acl         MAC address access list item
radius-user     RADIUS user
supported-rate  Supported rates of radios

Example 8: Type remove [TAB] [TAB] (including a space after remove) to get a list of all field options for the remove command:

AT-WA7400 remove
basic-rate      Basic rates of radios
bridge-port     Bridge ports of bridge interfaces
bss             Basic Service Set of radios
interface       Network interface
ip-route        IP route entry
mac-acl         MAC address access list item
radius-user     RADIUS user
supported-rate  Supported rates of radios

CLI Classes and Fields Reference

The following is an introduction to the CLI classes and fields. Configuration information for the AT-WA7400 Wireless Access Point is represented as a set of classes and objects. Different kinds of information use different classes. For example, information about a network interface is represented by the interface class, while information about an NTP client is represented by the ntp class. Depending on the type of class, there can be multiple instances of a class. For example, there is one instance of the interface class for each network interface the access point has (Ethernet, radio, and so on), while there is just a singleton instance of the ntp class, since an
53. bss wlan0bssInternal wpa2-cipher-ccmp on

Table 20. Cipher Commands (Continued)
Both: When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point. WPA clients must have either a valid TKIP key or a valid CCMP (AES) key to be able to associate with the access point.
  set bss wlan0bssInternal wpa-cipher-tkip on
  set bss wlan0bssInternal wpa2-cipher-ccmp on

In this example, the cipher suite is set to TKIP Only:

AT-WA7400 set bss wlan0bssInternal wpa-cipher-tkip on
AT-WA7400 set bss wlan0bssInternal wpa-cipher-ccmp off

Set the Authentication Server: You can use the built-in authentication server on the access point or an external RADIUS server. The commands are shown in Table 21.

Note: To use the built-in authentication server, set the RADIUS IP address to that used by the built-in server (127.0.0.1) and turn RADIUS accounting off, because it is not supported by the built-in server.

Table 21. Authentication Server Commands
Set the access point to use the built-in authentication server: set bss wlan0bssInternal radius-ip 127.0.0.1
Set the access point to use an external RADIUS server: set bss wlan0bssInternal radius-ip RADIUS_IP_Address, where RADIUS_IP_Address is the IP address of an external RADIUS server.
54. command gets details on the interface and shows the WEP Key settings specifically:

AT-WA7400 get interface wlan0 detail
Field              Value
type               service-set
status             up
description        Wireless - Internal
mac                00:0C:41:16:DF:A6
ip                 0.0.0.0
static-ip          0.0.0.0
static-mask
nat
rx-bytes           0
rx-packets         0
rx-errors          0
rx-drop            0
rx-fifo            0
rx-frame           0
rx-compressed      0
rx-multicast       0
tx-bytes           259662
tx-packets         722
tx-errors          0
tx-drop            0
tx-fifo            0
tx-colls           0
tx-carrier         0
tx-compressed      0
ssid               Vicky's AP
bss                wlan0bssInternal
security           static-wep
wpa-personal-key
wep-key-ascii      yes
wep-key-length     104
wep-default-key    4
wep-key-1          abcde
wep-key-2          fghij
wep-key-3          klmno
wep-key-4
vlan-interface
vlan-id
radio
remote-mac
wep-key

Set Security to IEEE 802.1x

Set the Security Mode:

AT-WA7400 set interface wlan0 security dot1x

Set the Authentication Server: You can use the built-in authentication server on the access point or an external RADIUS server. Table 14 lists the authentication server commands.

Note: To use the built-in authentication server, set the RADIUS IP address to that used by the built-in server (127.0.0.1) and turn RADIUS accounting off, because it is not supported by the built-in server.

Table 14. Authentication Server Commands
Function Com
55. configure the management VLAN, perform the following procedure:

1. From the main menu, select Advanced > VLAN Management. The VLAN Management page is shown in Figure 44.

[Figure 44. VLAN Management Page]

To set up the management VLAN, you must first enable it.

2. For the Separated VLAN Management setting, click Enabled. The rest of the fields on the page become available.
3. For the VLAN ID setting, enter a number for the VLAN ID.
4. For the Management IP address, enter the AT-WA7400 management IP address associated with this VLAN.
5. For the Management IP Subnet Mask, enter the subnet mask associated with the VLAN.
6. Click Update.

Chapter 13: Configuring Radio Settings

This chapter describes how to configure radio settings on the AT-WA7400 Wireless Access Point and includes the following sections:
o Understanding Radio Settings on page 146
o Configuring Radio Settings on page 147

Note: If you are using the two-radio version of the AT-WA7400 Access Point, keep in mind that both radio one and radio two are configured on this page. The displayed settings apply to either radio one or radio two, depending on which radio you choose in the Radio field (first field on the page). When you have configured s
56. disable a user, click the enable or disable button. Likewise, to remove a user, click the remove button. Ensure that you have selected at least one user prior to any of these actions.

[Figure 21. User Management Page. Note shown on the page: These user accounts apply only when the security mode is set to IEEE 802.1x or WPA with RADIUS and the Built-In authentication server is chosen. See the Help panel for more information.]

User accounts are shown at the top of the page under User Accounts. The user name, real name, and status (enabled or disabled) are shown.

2. In the Add a User section, provide the following information:

User Name: User names are alphanumeric strings of up to 237 characters. Do not use special characters or spaces.

Real Name: For information purposes, provide the user's full name (up to 256 characters).

Password: Specify a password for this user. Passwords are alphanumeric strings of up to 256 characters. Do not use special characters or spaces. You m
57. examples correspond to tasks you can accomplish on the Basic Settings page of the web UI for access points with clustering capabilities. In some cases, the CLI get command provides additional details not available through the web UI. Table 5 provides a quick view of Basic Settings commands and provides links to detailed examples.

Table 5. Basic Settings Commands
Get the IP Address for the Internal Interface on an Access Point: get interface br0 ip, or get interface. (get interface is a catch-all command that shows common information on all interfaces for the access point, such as IP addresses, MAC addresses, and so on. The IP address for the internal interface, and the one used to access the access point, is that shown for br0. See Understanding Interfaces as Presented in the CLI on page 278.)
Get the MAC Address for an Access Point: get interface br0 mac
Get Both the IP Address and MAC Address: get interface br0 mac ip
Get Common Information on All Interfaces for an Access Point: get interface
Get the Firmware Version for the Access Point: get system version
Get the Location of the Access Point: get cluster location

Table 5. Basic Settings Commands (Continued)
Set the Location for an Access Point: set system location NewLocation. For example: set system location hallway or s
58. is 514.

2. To apply your changes, click Update. If you enabled the Log Relay Host, clicking Update activates remote logging. The access point sends its kernel messages real-time for display to the remote log server monitor, a specified kernel log file, or other storage, depending on how you configured the Log Relay Host. If you disabled the Log Relay Host, clicking Update disables remote logging.

The events log shows system events on the access point, such as stations associating, being authenticated, and other occurrences. The real-time events log is always shown on the Status > Events page for the access point you are monitoring.

Viewing the Transmit/Receive Statistics

To view transmit/receive statistics for a particular access point, perform the following procedure:

1. From the main menu of the access point you want to monitor, select Status > Transmit/Receive Statistics.

Note: The following figure shows the Transmit/Receive page for a two-radio access point. The page for the one-radio access point will look slightly different.

The Transmit/Receive Statistics page is shown in Figure 55.

[Figure 55. Transmit/Receive Statistics Page]
59. key. The number of characters required updates automatically based on how you set Key Length and Key Type.

WEP Keys: You can specify up to four WEP keys. In each text box, enter a string of characters for each key. If you selected ASCII, enter any combination of integers and letters (0-9, a-z, and A-Z). If you selected HEX, enter hexadecimal digits (any combination of 0-9 and a-f or A-F). Use the same number of characters for each key as specified in the Characters Required field. These are the RC4 WEP keys shared with the stations using the access point. Each client station must be configured to use one of these same WEP keys in the same slot as specified here on the access point. See Rules to Remember for Static WEP on page 119.

Authentication Algorithm: The authentication algorithm defines the method used to determine whether a client station is allowed to associate with an access point when static WEP is the security mode. Specify the authentication algorithm you want to use by choosing one of the following from the list:

o Open System: Open System authentication allows any client station to associate with the access point, whether that client station has the correct WEP key or not. This algorithm is also used in plain text, IEEE 802.1x, and WPA modes. When the authentication algorithm is set to Open System, any client can associate with the access point. Note that just
60. key index and re-type to confirm. Optionally, set a different transfer key index to send data from client back to access point. Disable auto key option.

[Figure 5. Wireless Network Properties Dialog Box]

Network Authentication: Choose Open or Shared, depending on how you configured this option on the access point.

Note: When the Authentication Algorithm on the access point is set to Both, clients set to either Shared or Open can associate with the access point. Clients configured to use WEP in Shared mode must have a valid WEP key in order to associate with the access point. Clients configured to use WEP as an Open system can associate with the access point even without a valid WEP key, but a valid key will be required to actually view and exchange data.

Data Encryption: Choose WEP.

Network Key: Provide the WEP key you entered on the access point Security settings in the Transfer Key Index position. For example, if the Transfer Key Index on the access point is set to 1, then for the client Network Key specify the WEP Key you entered as WEP Key 1 on the access point.

Key Index: Set key index to indicate which of the WEP keys specified on the access point Security page will be used to transfer data from the client back to the access point. For example, you can set this to 1, 2, 3, or 4 if you have all four WEP keys configured on the access point. The key is pr
61. link between any pair of access points. That is, a remote MAC address may appear only once on the WDS page for a particular access point.
o Both access points participating in a WDS link must be on the same radio channel and using the same IEEE 802.11 mode. See Configuring Radio Settings on page 147 for information on configuring the Radio mode and channel.
o Do not create loops with either WDS bridges or combinations of Wired (Ethernet) connections and WDS bridges. Spanning Tree Protocol (STP), which manages path redundancy and prevents unwanted loops, is not enabled for this release.

Keep these rules in mind when working with WDS on this release of the AT-WA7400 Management Software:
o Any two access points can be connected by only a single path: either a WDS bridge (wireless) or an Ethernet connection (wired), but not both.
o Do not create backup links.
o If you can trace more than one path between any pair of access points, going through any combination of Ethernet or WDS links, you have a loop.
o You can only extend or bridge either the internal or guest network, but not both.

Cluster Recovery
o Reboot or Reset the Access Point
o Stop Clustering and Reset Each Access Point in the Cluster

In cases where the access points in a cluster become out of sync, or an access point cannot join or be removed from a cluster, the following methods for cluster recovery are recomm
62. list. For example, to add 4 new clients to the list with the following MAC addresses:

AT-WA7400 add mac-acl wlan0bssInternal mac 00:01:02:03:04:05
AT-WA7400 add mac-acl wlan0bssInternal mac 00:01:02:03:04:06
AT-WA7400 add mac-acl wlan0bssInternal mac 00:01:02:03:04:07
AT-WA7400 add mac-acl wlan0bssInternal mac 00:01:02:03:04:08

Remove a Client Station's MAC Address from the Filtering List

To remove a MAC address from the list:

remove mac-acl wlan0bssInternal mac MAC_Address_Of_Client

where MAC_Address_Of_Client is the MAC address of a wireless client you want to remove from the MAC filtering list. For example:

AT-WA7400 remove mac-acl wlan0bssInternal mac 00:01:02:03:04:04

Getting Current MAC Filtering Settings

Get the Type of MAC Filtering List Currently Set (Accept or Deny): The following command shows which type of MAC filtering list is currently configured:

AT-WA7400 get bss wlan0bssInternal mac-acl-mode
accept-list

Get MAC Filtering List: The following command shows the clients on the MAC filtering list:

AT-WA7400 get mac-acl
name              mac
wlan0bssInternal  00:01:02:03:04:05
wlan0bssInternal  00:01:02:03:04:06
wlan0bssInternal  00:01:02:03:04:07
wlan0bssInternal  00:01:02:03:04:08

Load Balancing

Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in Understanding Interfaces as Presented in the CLI
63. of the subnetwork of which the guest is a member.

3. Click Update to save your changes.

Chapter 9: Configuring the Wireless Settings

Wireless settings describe aspects of the local area network (LAN) related specifically to the radio device in the access point (802.11 mode and channel) and to the network interface to the access point (MAC address for access point and wireless network name, also known as SSID). The following sections describe how to configure the wireless address and related settings on the AT-WA7400 Wireless Access Point:
o Configuring 802.11d Regulatory Domain Support on page 98
o Configuring the Radio Interface on page 100
o Configuring Internal Wireless LAN Settings on page 102
o Configuring the Guest Network Wireless Settings on page 103

Configuring 802.11d Regulatory Domain Support

You can enable or disable IEEE 802.11d regulatory domain support to broadcast the access point country code information. To configure the IEEE 802.11d regulatory domain support, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings. The Wireless Settings page is shown in Figure 31.

[Figure 31. Wireless Settings Page]
64. on page 49.

Standalone access points are not listed on the Cluster > Access Points page in the web pages of access points that are cluster members. You need to know the IP address of a standalone access point in order to configure and manage it directly. See Navigating to an Access Point by Using its IP Address in a URL on page 52.

The Basic Settings page for a standalone access point indicates only that the current mode is standalone and provides a button for adding the access point to a cluster group. If you click on any of the Cluster pages in the web pages for an access point in standalone mode, you are redirected to the Join Cluster page, because Cluster settings do not apply to standalone access points.

Note: When the cluster is full (eight access points is the limit), extra access points are added in standalone mode regardless of the configuration policy in effect for new access points. See How Many Access Points Can a Cluster Support on page 44.

You can re-enable cluster mode on a standalone access point. See Adding an Access Point to a Cluster on page 50.

Cluster Formation
Cluster Size and Membership
Intra-Cluster Security
Auto-Synch of Cluster Configuration

A cluster is formed when the first AT-WA7400 Wireless Access Point is configured. See Configuring the Basic Settings and Starting the Wireless Network on page 37. If a clus
65. or inefficient.

Network Beyond the Wired Coverage Area

For example, suppose you have an access point which is connected to the network by Ethernet and serving multiple client stations in one area (East Wing in the example) but cannot reach others which are out of range. Suppose also that it is too difficult or too costly to wire the distant area with Ethernet cabling. You can solve this problem by placing a second access point closer to the second group of stations (Poolside in the example) and bridging the two access points with a WDS link. This extends your network wirelessly by providing an extra hop to get to distant stations, as shown in Figure 51.

[Figure 51. WDS Bridge]

Backup Links and Unwanted Loops in WDS Bridges

Another use for WDS bridging, the creation of backup links, is not supported in this release of the AT-WA7400 Management Software. The topic is included here to emphasize that you should not try to use WDS in this way; backup links will result in unwanted, endless loops of data traffic.

If an access point provides Spanning Tree Protocol (STP), WDS can be used to configure backup paths between access points across the network. For example, between two access points you could have both a primary path via Ethernet and

Security Considerations Related to WDS Bridges
66. points in the cluster. The AT-WA7400 Management Software is not available during the auto-synch. Note that auto-synchronization always occurs during configuration updates that affect the cluster, but the processing time is usually negligible. The auto-synch progress bar is displayed only for longer than usual wait times.

Understanding and Changing Access Point Settings

The Access Points page provides information about all access points in the cluster. From this page, you can view location descriptions and IP addresses, enable (activate) or disable (deactivate) clustered access points, and remove access points from the cluster. You can also modify the location description for an access point. The IP address links provide a way to navigate to configuration settings and data on an access point. Standalone access points (those which are not members of the cluster) are not shown on this page.

To view or edit information on access points in a cluster, perform the following procedure:

1. From the main menu, select Cluster > Access Points. The Access Points page is shown in Figure 17. This page shows any access points that are connected to a cluster.

[Figure 17. Access Points Page]
67. points on the WDS link. For example, to create a WDS link between a pair of access points named MyAP1 and MyAP2, do the following:

1. Open the web pages for MyAP1 by entering the IP address for MyAP1 as a URL in the web browser address bar in the following form: http://IPAddressOfAccessPoint, where IPAddressOfAccessPoint is the address of MyAP1.
2. Go to the Wireless Distribution System page on the MyAP1 web pages. The MAC address for MyAP1 (the access point you are currently viewing) is displayed as the Local Address at the top of the page.

Configure a WDS interface for data exchange with MyAP2. Start by entering the MAC address for MyAP2 as the Remote Address, and fill in the rest of the fields to specify the network (guest or internal), security, and so on. Save the settings (click Update).

Navigate to the radio settings on the web pages (Advanced > Radio) to verify or set the mode and the radio channel on which you want MyAP1 to broadcast. Remember that the two access points participating in the link, MyAP1 and MyAP2, must be set to the same Mode and be transmitting on the same channel. For our example, if you use IEEE 802.11b Mode and are broadcasting on Channel 6, you would choose Mode and Channel from the lists on the Radio page.

Now repeat the same steps for MyAP2:
o Open the web pages for MyAP2 by using MyAP2's IP address in a URL
68. [List of figures fragment] Guest Login Configuration Page; Virtual Wireless Networks Page; VLAN Management Page; Radio One Rate Sets; Radio Two Rate Sets; Load Balancing; Quality of Service Page
69. authentication for WPA2 clients, as shown in Table 19.

Table 19. Preauthentication Commands
Enable pre-authentication if you want WPA2 wireless clients to send pre-authentication packets. The pre-authentication information will be relayed from the access point the client is currently using to the target access point. Enabling this feature can help speed up authentication for roaming clients who connect to multiple access points: set bss wlan0bssInternal rsn-preauthentication on
To disable pre-authentication for WPA2 clients: set bss wlan0bssInternal rsn-preauthentication off

This option does not apply if you set the WPA Version to support WPA clients only, because the original WPA does not support this pre-authentication.

For our example, we'll disable pre-authentication:

AT-WA7400 set bss wlan0bssInternal rsn-preauthentication off

Set the Cipher Suites: Set the cipher suite you want to use. The options are shown in Table 20.

Table 20. Cipher Commands
TKIP: Temporal Key Integrity Protocol (TKIP), which is the default.
  set bss wlan0bssInternal wpa-cipher-tkip on
  set bss wlan0bssInternal wpa-cipher-ccmp off
CCMP (AES): Counter mode/CBC-MAC protocol (CCMP) is an encryption method for IEEE 802.11i that uses the Advanced Encryption Algorithm (AES).
  set bss wlan0bssInternal wpa-cipher-tkip off
  set
70. specify a fragmentation threshold as a number between 256 and 2,346 to set the frame size threshold in bytes. The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a packet exceeds the fragmentation threshold set here, the fragmentation function will be activated and the packet will be sent as multiple 802.11 frames. If the packet being transmitted is equal to or less than the threshold, fragmentation will not be used. Setting the threshold to the largest value (2,346 bytes) effectively disables fragmentation. The following command sets the fragmentation threshold to 2000:

AT-WA7400 set radio wlan0 fragmentation-threshold 2000

Set the RTS Threshold: You can specify an RTS Threshold value between 0 and 2347. The RTS threshold specifies the packet size of a request to send (RTS) transmission. This helps control traffic flow through the access point, especially one with a lot of clients. The following command sets the RTS threshold at 2346:

AT-WA7400 set radio wlan0 rts-threshold 2346

Configure Basic and Supported Rate Sets: The rate set commands are shown in Table 28.

Table 28. Rate Set Commands
Add a basic rate set: add basic-rate WirelessInterface rate SomeRate. For example: add basic-rate wlan0 rate 48
Get current basic rates: get basic-rate

Table 28. Rate Set Com
71. start, because the following command returns up for the mode:

AT-WA7400 get host dns-via-dhcp
up

Turn off Dynamic DNS Nameservers and re-check the settings:

AT-WA7400 set host dns-via-dhcp down
AT-WA7400 get host dns-via-dhcp
down

Get the current IP addresses for the DNS Nameservers:

AT-WA7400 get host static-dns-1
10.10.3.9
AT-WA7400 get host static-dns-2
10.10.3.11

Re-set the IP addresses for the DNS Nameservers as desired:

AT-WA7400 set host static-dns-1 10.10.3.10
AT-WA7400 get host static-dns-1
10.10.3.10
AT-WA7400 set host static-dns-2 10.10.3.12
AT-WA7400 get host static-dns-2
10.10.3.12

Set DNS Nameservers to Use DHCP IP Addressing (Manual to Dynamic Mode)

To switch DNS Nameservers from Manual (static IP addresses) to Dynamic mode (nameserver addresses assigned by DHCP), use the reverse command and check to see the new configuration:

AT-WA7400 set host dns-via-dhcp up
AT-WA7400 get host dns-via-dhcp
up

Setting Up the Wireless Interface

To set up a wireless (radio) interface, configure the following on each interface (Internal or guest), as described in other sections of this CLI document:
o Configure the Radio Mode and Radio Channel as described in Configuring Radio Settings on page 147.
o Configure the Network Name as described in Configuring Internal Wireless LAN Setting

Setting Up Security
72. [Table of contents fragment] the Guest Interface; Configuring a Guest Network on a Virtual LAN; Configuring the Welcome Screen (Captive Portal); Using the Guest Network as a Client; Chapter 12: VLANs; Configuring the Management VLAN; Chapter 13: Configuring Radio Settings; Understanding Radio Settings; Configuring Radio Settings; Configuring the Rate Sets; Chapter 14: Load Balancing; Understanding Load Balancing; Identifying the Imbalance: Overworked or Under-utilized Access Points; Spe
73. the CLI prompt, use the TAB key. This is a quick way to see all valid completions for a class. Press TAB once to complete the current command. If multiple completions exist, a beep is sounded and no results are displayed. Press TAB again to display all available completions.
- Example 1: At a blank command line, press TAB twice to get a list of all commands:
    AT WA7400
    add              Add an instance to the running configuration
    factory reset    Reset the system to factory defaults
    get              Get field values of the running configuration
    reboot           Reboot the system
    remove           Remove instances in the running configuration
    save running     Save the running configuration
    set              Set field values of the running configuration
- Example 2: Type get TAB TAB (including a space after get) to see a list of all field options for the get command:
    AT WA7400 get
    association      Associated station
    basic rate       Basic rates of radios
    bridge port      Bridge ports of bridge interfaces
    bss              Basic Service Set of radios
    cluster          Clustering based configuration settings
    cluster member   Member of a cluster of like configured access points
    config           Configuration settings
    detected ap      Detected access poi
    dhcp client
    dot11
    host
    interface
    ip route
    klog entry
    log
    log entry
    mac acl
    ntp
    portal
    radio
    radius user
    ssh
    supported rate
    system
    telnet
    tx queue
    wme queue
74. the Password
    AT WA7400 set system password admin
    AT WA7400 get system encrypted password
    rYSvxS40kptc
Get the Wireless Network Name (SSID)
    AT WA7400 get interface wlan0 ssid
    Internal AT WA7400 Network
Set the Wireless Network Name (SSID)
    AT WA7400 set interface wlan0 ssid Vicky s AP
    AT WA7400 get interface wlan0 ssid
    Vicky s AP
The command examples in this section show how to get the configuration for a cluster of access points. These settings generally correspond to those on the Cluster > Access Points page in the web UI. Table 6 provides a quick view of Access Point Cluster commands and links to detailed examples.
Table 6. Cluster Functions and Commands
    Function | Command
    Determine if the Access Point is a Cluster Member or in Standalone Mode | get cluster detail
    Get MAC Addresses for all Access Points in the Cluster | get clustered ap all name
    Configure the Access Point as a Member of a Cluster | set cluster clusterable 1
    Configure the Access Point as a Standalone Device | set cluster clusterable 0
Determine if the Access Point is a Cluster Member or in Standalone Mode
This command shows whether the access point is clustered or not. If the command returns 0, the access point is in standalone mode (not clustered). If the command returns 1, the access point is a member of a cluster. In the following example t
75. the Wireless Interface on page 304
- Setting Up Security on page 304
- Enabling and Configuring the Guest Login Welcome Page on page 323
- Configuring Multiple BSSIDs on Virtual Wireless Networks on page 325
- Radio Settings on page 326
- MAC Filtering on page 333
- Load Balancing on page 335
- Quality of Service on page 336
- Wireless Distribution System on page 344
- Time Protocol on page 347
- Rebooting the Access Point on page 348
- Resetting the Access Point to the Factory Defaults next
- Keyboard Shortcuts on page 349
- Tab Completion and Help on page 350
The following summary of interface names is provided to help clarify the related CLI commands and output results. These names are not shown in the web UI, but are used throughout the CLI. You get and set many configuration values on the access point by referring to interfaces. In order to configure the access point through the CLI, you need to understand which interfaces are available on the access point, what role they play (corresponding setting on the web UI), and how to refer to them.
Table 4. Interfaces in the CLI
    Interface | Description
    lo | Local loopback for data meant for the access point itself
    eth0 | The wired Ethernet interface for the internal network
    br0 | The internal bridge rep
76. the access point:
    AT WA7400 login
    Password
Enter the default Administrator username and password for the AT WA7400 Wireless Access Point (manager, friend), and press Enter after each. The password is masked, so it will not be displayed on the screen. When the user name and password are accepted, the screen displays the AT WA7400 Wireless Access Point help command prompt:
    AT WA7400 login manager
    Password friend
    Enter help for help
You are now ready to enter CLI commands at the command line prompt.
SSH Connection to the Access Point
If you already have your network deployed and know the IP address of your access point, you can use a remote SSH connection to the access point to view the system console over the network.
Note: The default Static IP address is 192.168.1.230. If there is no DHCP server on the network, the access point retains this static IP address at first-time startup. You can use KickStart to find the IP address of the access point. For more about IP addressing, see Understanding Dynamic and Static IP Addressing on the AT WA7400 Management Software on page 23.
Using an SSH connection to the access point is similar to Telnet because it gives you remote access to the system console and CLI. SSH has the added advantage of being a secure connection (traffic encrypted). To use an SSH connection you need to have
77. the user accounts for this access point, perform the following procedure:
1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.
2. In the User Accounts section, click the backup or restore the user database link. The Backup or restore the user database for this access point page is displayed, as shown in Figure 23.
[Figure 23: Backup or Restore User Database Page, with the panels To Backup the User Database and To Restore a User Database Backup]
3. Choose the Save option in this first dialog box. This opens a file browser.
4. Use the file browser to navigate to the directory where you want to save the file and click OK to save the file. You can keep the default file name (wirelessUsers.ubk) or rename the backup file, but be sure to save the file with a .ubk extension.
Restoring a User Database from a Backup File
To restore a user database from a backup file, perform the following procedure:
1. From the
78. unnamed. The command syntax is:
    get unnamed class field detail
    get named class instance all field name detail
The rest of the command line is optional. If provided, it is either a list of one or more fields or the keyword detail.
An example of using the get command on an unnamed class with a single instance is: get log. There is only one log on the access point. This command returns information on the log file.
An example of using the get command on an unnamed class with multiple instances is: get log entry. There are multiple log entries, but they are not named. This command returns all log entries.
An example of using the get command on a named class with multiple instances is: get bss wlan0bssInternal. There are multiple bss's and they are named. This command returns information on the BSS named wlan0bssInternal.
An example of using the get command on a named class to get all instances:
    get radius user all name
    get radius user all
Note: wlan0bssInternal is the name of the basic service set (BSS) on the internal network (wlan0 interface). For information on interfaces, see Understanding Interfaces as Presented in the CLI on page 278.
Table 3. Commands and Syntax (Continued)
Command | Description
set add The set command allows you to set the field values of existing instances of
79. were created with the Backup function and saved as .cbk backup configuration files are valid to use with Restore, for example apconfig.cbk.
Click Restore. The access point reboots.
Note: When you click Restore, the access point reboots. A reboot confirmation dialog box and follow-on rebooting status message are displayed. Wait for the reboot process to complete (a minute or two). After a moment, try accessing the web pages as described in the next step; they are not accessible until the access point has rebooted.
When the access point has rebooted, access the web pages either by clicking again on one of the pages, if the UI is still displayed, or by typing the IP address of the AT WA7400 Wireless Access Point as a URL in the address field of the web browser. The URL for the access point should be entered as http://IPAddressOfAccessPoint.
Now you should see the configuration settings restored to the saved configuration from the Backup file you selected.
Appendix A: Management Software Default Settings
Table 1 lists the management software default settings.
Table 1. Management Software Default Settings
    Setting | Default
    System Name | WA7400
    User Name | manager
    Password | friend
    Network Name (SSID) | Allied
    Network Time Protocol (NTP) | None
    IP Address | 192.168.1.230
    Connection Type | DHCP
    Subnet Mask | None
80. will apply to all access points on this network. As you add more access points, they will share this SSID. The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters. If you are connected as a wireless client to the same access point that you are administering, resetting the SSID causes you to lose connectivity to the access point. You will need to reconnect using the new SSID after you save the new Network Name.
Note: The AT WA7400 Management Software is not designed for multiple, simultaneous configuration changes. If you have a network that includes multiple access points, and more than one administrator is logged on to the AT WA7400 Management Software's web pages and making changes to the configuration, all access points in the cluster will stay in synch, but there is no guarantee that all configuration changes specified by multiple users will be applied.
In the Set Configuration Policy for New Access Points section, configure the following parameter as necessary:
New Access Points: Choose the policy you want to put in effect for adding new access points to the network. If you choose "are configured automatically", then when a new access point is added to the network it automatically joins the existing cluster. The cluster configuration is copied to the new access point, and no manual configuration is required to deploy it. If you choose are ign
81. 02 1x WPA with RADIUS server and WPA PSK For information on configuring security on the access point see Chapter 10 Configuring Security on page 105 AT WA7400 Management Software User s Guide Understanding Dynamic and Static IP Addressing on the AT WA7400 Management Software Dynamic IP Addressing Static IP Addressing Very little setup is required for the first access point and no configuration required for additional access points subsequently joining a pre configured cluster When you run KickStart it discovers the AT WA7400 Wireless Access Points on the network and lists their IP addresses and MAC addresses KickStart also provides a link to the administration web pages of each access point using the IP address in the URL For more information about the KickStart utility see Running KickStart to Find Access Points on the Network on page 26 The AT WA7400 Wireless Access Point generally expects that a DHCP server is running on the network where the access point is deployed Most home and small business networks already have DHCP service provided either via a gateway device or a centralized server However if no DHCP server is present on the internal network the access point will use the default static IP address in the Static IP address field for first time startup Similarly wireless clients and other network devices such as printers will receive their IP addresses from the DHCP server if there is on
82. 1 C Deutsche Telekom Root CA 2 v Select check the name of certificate on this client downloaded from RADIUS server in a prerequisite procedure View Certificate C Use a different user name for the connection 9 10 11 OK Cancel Figure 11 Smart Card or other Certificate Properties Dialog Box Click Properties to open the Smart Card or other Certificate Properties dialog box and enable the Validate server certificate option Validate Server Certificate Enable this option click to check the box Certificates In the certificate list shown select the certificate for this client Click OK on all dialog boxes to close them and save your changes To complete the client configuration you must now obtain a certificate from the RADIUS server and install it on this client For information on how to do this see Obtaining a TLS EAP Certificate for a Client on page 253 IEEE 802 1x clients should now be able to connect to the access point using their TLS certificates The certificate you installed is used when you connect so you will not be prompted for login information The AT WA7400 Management Software User s Guide certificate is automatically sent to the RADIUS server for authentication and authorization 235 Appendix B Configuring Security on Wireless Clients Configuring WPA WPA2 Enterprise RADIUS Security on a Client WPA WPA2 Enterprise RADIUS Client Using EAP PEAP 236
83. 13 e not set 00 04 01 98 98 3b 10 10 5 235 the selected Access Points from the cluster Figure 17 Access Points Page 2 Click Refresh to update the access points list The Access Points page provides the following information Location Description of where the access point is physically located MAC Address The media access control MAC address of the access point Modifying the Location Description Removing an Access Point from the Cluster AT WA7400 Management Software User s Guide A MAC address is a permanent unique hardware address for any device that represents an interface to the network The MAC address is assigned by the manufacturer You cannot change the MAC address It is provided here for informational purposes as a unique identifier for the access point The address shown here is the MAC address for the bridge br0 This is the address by which the access point is known externally to other networks IP Address The IP address of the access point Each IP address is a link to the AT WA7400 Management Software web pages for that access point You can use the links to navigate to the web pages for a specific access point This is useful for viewing data on a specific access point to make sure a cluster member is picking up cluster configuration changes to configure advanced settings on a particular access point or to switch a standalone access point to cluster mode To see MAC ad
84. 20 21:39:55 debug udhcpc Sending renew
2 Apr 20 21:39:55 info udhcpc Lease of 10.10.55.216 obtained lease time 300
3 Apr 20 21:37:25 debug udhcpc Sending renew
4 Apr 20 21:37:25 info udhcpc Lease of 10.10.55.216 obtained lease time 300
5 Apr 20 21:34:55 debug udhcpc Sending renew
6 Apr 20 21:34:55 info udhcpc Lease of 10.10.55.216 obtained lease time 300
Enable Remote Logging and Specify the Log Relay Host for the Kernel Log
The Kernel Log is a comprehensive list of system events and kernel messages, such as error conditions like dropping frames. To capture Access Point Kernel Log messages, you need access to a remote syslog server on the network.
Prerequisites for Remote Logging
To capture Kernel Log messages from the access point system, you must first set up a remote server running a syslog process and acting as a syslog log relay host on your network. For information on how to set up the remote server, see Setting Up the Log Relay Host on page 187. Then you can use the CLI to configure the AT WA7400 Wireless Access Point to send its syslog messages to the remote server.
View Log Settings
To view the current log settings:
    AT WA7400 get log
    Field           Value
    depth           15
    relay enabled   0
    relay host
    relay port      514
When you start a new access point, the Log Relay Host is disabled. From the above output for the get log
85. 27 Certificate Server Welcome Page 3 Click Request a certificate 254 AT WA7400 Management Software User s Guide The login window for the RADIUS server opens as shown in Figure 28 Connect to 10 10 1 9 Connecting to 10 10 1 9 User name lary Password eccccee C Remember my password Figure 28 RADIUS Server Login Window 4 Provide a valid user name and password to access the RADIUS server Note The user name and password you need to provide here is for access to the RADIUS server for which you will already have user accounts configured at this point This document does not describe how to set up Administrative user accounts on the RADIUS server Please consult the documentation for your RADIUS server for these procedures The Request a Certificate page opens as shown in Figure 29 Microsoft Certificate Services dcO1 Request a Certificate Select the certificate type User Certificate Or submit an advanced certificate request Figure 29 Request a Certificate Page 5 Click User Certificate 255 Appendix B Configuring Security on Wireless Clients The Security Warning dialog box opens as shown in Figure 30 Microsoft Certifi c Home User Certificate Identifying Information Security Warning No further identifying infor p Do you want to install and run Microsoft Certificate More Options gt gt Enrollment Control signed on 5 14 2001 2 35 PM a
86. 3. set tx queue wlan0 with queue data0 to aifs 3
4. set tx queue wlan0 with queue data0 to aifs 7 cwmin 15 cwmax 1024 burst 0
5. set bridge port br0 with interface eth0 to path cost 200
Note: For information on interfaces used in this example (such as wlan0, br0, or eth0), see Understanding Interfaces as Presented in the CLI on page 278.
The add command allows you to add a new instance of a class:
    add named class instance field value
    add anonymous class field value
For example: add radius user wally
Table 3. Commands and Syntax (Continued)
Command | Description
remove | The remove command allows you to remove an existing instance of a class:
    remove unnamed class field value
    remove named class instance all field value
  For example: remove radius user wally
save running | The save running command saves the running configuration as the startup configuration. For more information, see Saving Configuration Changes on page 281.
reboot | The reboot command restarts the access point (a soft reboot). For more information, see Rebooting the Access Point on page 348.
factory reset | The factory reset command resets the access point to factory defaults and reboots. For more information, see Resetting the Access Point to the Factory Defaults on page 348.
Getting Help on
To get help on commands at
87. The name can be up to 20 characters long. Only letters, numbers, and dashes are allowed. The name must start with a letter and end with either a letter or a number.
Chapter 8: Configuring Ethernet (Wired) Settings
Enabling or Disabling Guest Access
Configuring an Internal LAN and a Guest Network
Enabling or Disabling Virtual Wireless Networks on the Access Point
You can provide controlled guest access over a secure internal LAN on the AT WA7400 Wireless Access Point. A local area network (LAN) is a communications network covering a limited area, for example, one floor of a building. A LAN connects multiple computers and other network devices like storage and printers. Ethernet is the most common technology implementing a LAN. Wi-Fi IEEE is another very popular LAN technology.
The AT WA7400 Management Software allows you to configure two different LANs on the same access point: one for a secure internal LAN and another for a public guest network with no security and little or no access to internal resources. To configure these networks, you need to provide both wireless and Ethernet (wired) settings. Information on how to configure the Ethernet (wired) settings is provided in the sections below.
The AT WA7400 Management Software is shipped with the guest access feature disabled by default. To provide guest access on your
88. 6 and 2,346 to set the frame size threshold in bytes. The fragmentation threshold is a way of limiting the size of packets (frames) transmitted over the network. If a packet exceeds the fragmentation threshold set here, the fragmentation function is activated and the packet is sent as multiple 802.11 frames. If the packet being transmitted is equal to or less than the threshold, fragmentation is not used. Setting the threshold to the largest value (2,346 bytes) effectively disables fragmentation.
Fragmentation involves more overhead, both because of the extra work of dividing up and reassembling of frames it requires and because it increases message traffic on the network. However, fragmentation can help improve network performance and reliability if properly configured. Sending smaller frames (by using a lower fragmentation threshold) may help with some interference problems, for example with microwave ovens.
By default, fragmentation is off. Allied Telesyn recommends not using fragmentation unless you suspect radio interference. The additional headers applied to each fragment increase the overhead on the network and can greatly reduce throughput.
RTS Threshold: Specify an RTS threshold value between 0 and 2347. The RTS threshold specifies the packet size of a request to send (RTS) transmission. This helps control traffic flow through the access point, especially one with a lot of clients. If you specify a low threshold value, RTS p
89. Network Infrastructure and Choosing Between the Built-in or External Authentication Server
I Want to Use the Built-in Authentication Server (EAP PEAP)
I Want to Use an External RADIUS Server with EAP TLS Certificates or EAP PEAP
Network security configurations, including Public Key Infrastructures (PKI), Remote Authentication Dial in User Server (RADIUS) servers, and Certificate Authority (CA), can vary a great deal from one organization to the next in terms of how they provide Authentication, Authorization, and Accounting (AAA). Ultimately, the particulars of your infrastructure will determine how clients should configure security to access the wireless network. Rather than try to predict and address the details of every possible scenario, this section provides general guidelines about each type of client configuration supported by the AT WA7400 Wireless Access Point.
If you do not have a RADIUS server or PKI infrastructure in place and/or are unfamiliar with many of these concepts, Allied Telesyn strongly recommends setting up the AT WA7400 Wireless Access Points with security that uses the Built-in Authentication Server on the access point. This will mean setting up the access point to use either IEEE 802.1x or WPA/WPA2 Enterprise (RADIUS) security mode. The built-in authentication server uses the EAP PEAP authentication protocol.
- If the AT WA7400 Wireless Access Point is set up to use
90. AT WA7400 Wireless Access Point. The wired settings show the Ethernet MAC address, IP address, subnet mask, and Associated Network Wireless Name (SSID) for the internal interface. The guest Interface includes the MAC address, VLAN ID, and Associated Network Wireless Name (SSID). To change these settings, click Configure and the Advanced > Ethernet Wired Settings page is displayed.
The wireless settings for the Radio Interface settings include the radio mode and channel. Also shown here are MAC addresses (read-only) for internal and guest interfaces. See Chapter 9, Configuring the Wireless Settings on page 97 and Chapter 13, Configuring Radio Settings on page 145 for more information. To change these settings, click Configure and the Advanced > Wireless Settings page is displayed.
Chapter 17: Maintenance and Monitoring
Viewing the Event Logs
To view system events and the kernel log for a particular access point, perform the following procedure:
1. From the main menu, select Status > Events. The Events page is shown in Figure 54.
[Figure 54: Events page, showing the Log Relay Host settings (Enabled/Disabled, Relay Host, Relay Port) and the Events log with the columns Time, Severity, Service, and Description]
91. Advanced to show the advanced settings The advanced settings are shown at the bottom of Clustered Channels 1 aS a Access Stop automatically re assigning channels Point Fa Current Channel Assignments 4 User IP Address Band Current Locked Accounts 10 10 103 214 b g 1 Time since last modification to channel assignments 34 minutes and 52 seconds There is a set of channel combinations that would produce less interference but not by enough You may redefine this threshold in the advanced settings panel Last proposed set of channel assignments IP Address Current Proposed 10 10 103 214 1 1 Advanced Change channels if interference is reduced by at least 5 m Determine if there is better set of channel settings every 30 Minutes v Use these channels when applying channel assignments 1 611 v Apply channel modifications even when network is busy Update 3 Configure the following settings as necessary 75 Chapter 6 Channel Management 76 Change channels if interference is reduced by at least Specify the minimum percentage of interference reduction a proposed plan must achieve in order to be applied The default is 25 percent Choose percentages ranging from 25 percent to 75 percent from the list This setting lets you set a gating factor for channel reassignment so that the network is not continually disrupted for minimal gains in efficiency For example if channel
92. Algorithm to Both
    set bss wlan0bssInternal open system authentication on
    set bss wlan0bssInternal shared key authentication on
In the following example, the authentication algorithm is set to Shared Key:
    AT WA7400 set bss wlan0bssInternal shared key authentication on
    AT WA7400 set bss wlan0bssInternal open system authentication off
Get Current Security Settings After Re-Configuring to Static WEP Security Mode
Now use the get command again to view the updated security configuration and see the results of the new settings. The following command gets the security mode in use on the internal network:
    AT WA7400 get interface wlan0 security
    static wep
The following command gets details on how the internal network is configured, including details on Security:
    AT WA7400 get bss wlan0bssInternal detail
    Field                            Value
    status                           up
    description                      Internal
    radio                            wlan0
    beacon interface                 wlan0
    mac                              00:0C:41:16:DF:A6
    dtim period                      2
    max stations                     2007
    ignore broadcast ssid            off
    mac acl mode                     deny list
    mac acl name                     wlan0bssInternal
    radius accounting                off
    radius ip                        127.0.0.1
    radius key                       secret
    open system authentication       off
    shared key authentication        on
    wpa allow non wpa stations       off
    wpa cipher tkip                  off
    wpa cipher ccmp                  off
    wpa allowed                      off
    wpa2 allowed                     off
    rsn preauthentication            off
The following
93. BC CTR and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.
Both: When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point. Client stations configured to use WPA with RADIUS must have one of the following to be able to associate with the access point:
- A valid TKIP RADIUS IP address and valid shared Key
- A valid CCMP (AES) IP address and valid shared Key
Clients not configured to use a WPA PSK will not be able to associate with the access point. Both is the default.
Authentication Server: Select one of the following:
Built-in: To use the authentication server provided with the AT WA7400 Management Software. If you choose this option, you do not have to provide the Radius IP and Radius Key; they are automatically provided.
External: To use an external authentication server. If you choose this option, you must supply a Radius IP and Radius Key of the server you want to use.
Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. With firmware version 1.0 and greater, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are configurable. The AT WA7400 Wireless Access Point defaults to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.
RADIUS IP: The IP addre
94. Box 2 From the list of Available networks select the SSID of the network to which you want to connect and click Configure Configuring a Client to Access an Unsecure Network Plain Text mode AT WA7400 Management Software User s Guide The Wireless Network Connection Properties dialog box Figure 2 opens with the Association and Authentication tabs for the selected network Wireless network properties Association Authentication Network name SSID My AP Wireless network key This network requires a key for the following Network Authentication Open Data encryption WEP The key is provided for me automatically C This is a computer to computer ad hoc network wireless access points are not used Figure 2 Wireless Network Properties Dialog Box Use this dialog box to configure the types of client security described in the following sections Make sure that the Wireless Network Properties dialog box you are working in pertains to the Network Name SSID for the network you want to reach on the wireless client you are configuring If the access point or wireless network to which you want to connect is configured as plain text security mode no security you need to configure the client accordingly A client using no security to connect is configured with Network Authentication Open to that network and Data Encryption Disabled as described below If you do have
95. D Channel Guest Settings MAC Addresses Wireless Network Name SSID Enabled Disabled IEEE 802 11a allied 52 v Enabled Disabled IEEE 802 11g allied e Isl n a nfa suest AT VWVWA7400 Figure 31 Wireless Settings Page 2 Enable or disable the regulatory domain support setting Enabling support for IEEE 802 11d on the access point causes the access point to broadcast which country it is operating in as a part of its beacons 0 To enable 802 11d regulatory domain support click Enabled 0 To disable 802 11d regulatory domain support click Disabled AT WA7400 Management Software User s Guide 3 Click Update to save your settings 99 Chapter 9 Configuring the Wireless Settings Configuring the Radio Interface 100 The radio interface allows you to set the radio channel and 802 11 mode for each radio To configure the radio interface perform the following procedure 1 From the main menu select Advanced gt Wireless Settings The Wireless Settings page is shown in Figure 31 on page 98 In the Radio Interface sections one and two configure the following settings Mode The Mode defines the Physical Layer PHY standard being used by the radio The AT WA7400 Wireless Access Point is available as a single or dual band access point with one or two radios The configuration options for Mode differ depending on which product you have Single Band Access
96. Dialog Box
Click OK in all dialog boxes to close and save your changes. To complete the client configuration, you must now obtain a certificate from the RADIUS server and install it on this client. For information on how to do this, see Obtaining a TLS EAP Certificate for a Client on page 253.
WPA clients should now be able to connect to the access point using their TLS certificates. The certificate you installed is used when you connect, so you will not be prompted for login information. The certificate is automatically sent to the RADIUS server for authentication and authorization.
Configuring WPA/WPA2 Personal (PSK) Security on a Client
Wi-Fi Protected Access (WPA) with Pre-Shared Key (PSK) is a Wi-Fi Alliance subset of IEEE 802.11i, which includes Temporal Key Integrity Protocol (TKIP), Advanced Encryption Algorithm (AES), and Counter mode/CBC-MAC Protocol (CCMP) mechanisms. PSK employs a pre-shared key for an initial check of client credentials.
To configure WPA/WPA2 security on a client, perform the following procedure:
1. Verify that you configured the AT WA7400 Wireless Access Point to use WPA/WPA2 Personal (PSK) security mode, as shown in Figure 19.
[Screenshot fields: Broadcast SSID (Allow / Prohibit); Station Isolation (off / on); Security Mode: WPA/WPA2 Personal (PSK); Supported Client Stations: WPA; Cipher Suites: TKIP; Key: 012345678]
Figure 19 Security S
97. EAP and MSCHAP V2.

If you select the WPA/WPA2 Enterprise (RADIUS) security mode, the settings in Table 39 are displayed.

[Figure 39. WPA/WPA2 Enterprise (RADIUS) Security Mode Settings. Screenshot fields: Security Mode WPA/WPA2 Enterprise (RADIUS); WPA Versions Both; Enable pre-authentication; Cipher Suites TKIP; Authentication Server Built-in; Radius IP; Radius Port 1812 (Range 0-65535); Radius Key; WPA Group Rekey Interval 1800 (Range 30-1800); Enable radius accounting]

Configure the following settings:

WPA Versions: Select the types of client stations you want to support.

   WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.

   WPA2: If all client stations on the network support WPA2, we suggest using WPA2, which provides the best security per the IEEE 802.11i standard.

   Both: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select Both. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability at the expense of some security.

Enable pre-authentication: If for WPA Versions you select WPA2 or Both, you can enable pre-authentication for WPA2 clients. Click Enable pre-authentication if you want WPA2 wireless clien
98. Enable.

A user with an account that is enabled can log on to the wireless access points in your network as a client.

Disabling a User Account

To disable a user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.
2. In the User Accounts section, click the checkbox next to the user name you want to disable.
3. Click Disable.

A user with an account that is disabled cannot log on to the wireless access points in your network as a client. However, the user remains in the database and can be enabled later as needed.

Removing a User Account

To remove a user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.
2. In the User Accounts section, click the checkbox next to the user name you want to remove.
3. Click Remove.

If you think you might want to add this user back in at a later date, consider disabling the user rather than removing the account altogether.

Backing Up and Restoring a User Database

Backing Up the User Database

You can save a copy of the current set of user accounts to a backup configuration file. You can use the backup file at a later date to restore the user accounts on the access point to the previously saved configuration. To create a backup copy of
99. IP Address: Specifies the IP address for the access point.

Band: Indicates the band (b/g or a) on which the access point is broadcasting.

Current: Indicates the radio channel on which this access point is currently broadcasting.

Locked: Click Locked if you want this access point to remain on the current channel. When the Locked checkbox is checked (enabled) for an access point, automated channel management plans will not re-assign the access point to a different channel as a part of the optimization strategy. Instead, access points with locked channels are factored in as requirements for the plan. If you click Update, you will see that locked access points show the same channel for Current Channel and Proposed Channel. Locked access points keep their current channels.

Updating the Current Channel Settings Manually

To run a manual channel management update at any time, click Update in the Advanced section.

Viewing the Last Proposed Set of Changes

The Last Proposed Set of Channel Assignments section shows the last channel plan. The plan lists all access points in the cluster by IP Address and shows the current and proposed channels for each access point. Locked channels are not reassigned, and the optimization of channel distribution among access points takes into account the fact that locked access points must remain on their current channels. Access points that are not Locked m
100. [Figure 47. Radio Two Rate Sets]

To configure the rate sets, perform the following procedure:

1. From the main menu, select Advanced > Radio. The Radio page for radio one is shown in Figure 45 on page 147. Figure 46 on page 152 shows the rate sets for radio one and Figure 47 on page 152 shows the rate sets for radio two.
2. Make your radio rate set choices.
3. Click Update to save your settings.

Chapter 14: Load Balancing

The AT-WA7400 Management Software allows you to balance the distribution of wireless client connections across multiple access points. Using load balancing, you can prevent scenarios where a single access point in your network shows performance degradation because it is handling a disproportionate share of the wireless traffic. The following sections describe how to configure Load Balancing on your wireless network:

o Understanding Load Balancing on page 156
o Configuring Load Balancing on page 157

Understanding Load Balancing

Identifying the Imbalance: Overworked or Under-utilized Access Points
Specifying Limits for Utilization and Client Associations
Load Balancing and QoS

Like most configuration settings on the AT-WA7400 Wireless Access Point, load balancing settings are shared among clustered access points
101. MM is enabled on the access point. With WMM enabled, QoS settings on the AT-WA7400 Wireless Access Point control both downstream traffic flowing from the access point to client station (access point EDCA parameters) and upstream traffic flowing from the station to the access point (station EDCA parameters). Enabling WMM essentially activates station-to-access-point QoS control.

Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from the station to the access point. With WMM disabled, you can still set downstream access-point-to-station QoS parameters, but no station-to-access-point QoS parameters.

o To disable WMM:

   AT-WA7400 set radio wlan0 wme off
   AT-WA7400 get radio wlan0 wme
   off

o To enable WMM:

   AT-WA7400 set radio wlan0 wme on
   AT-WA7400 get radio wlan0 wme
   on

About Access Point and Station EDCA Parameters

AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station (access point to station). Station Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the client station to the access point (station to access point). Keep in mind that station-to-access-point parameters apply only when WMM is enabled, as described in Enable/Disable Wi-Fi Multimedia on page 338 above.

Understanding the Queues for Access Point and Station

The same types
102. Management Software AT-WA7400 NA User's Guide

613-000486 Rev. B

Copyright 2007 Allied Telesyn, Inc. All rights reserved. No part of this publication may be reproduced without prior written permission from Allied Telesyn, Inc.

Microsoft and Internet Explorer are registered trademarks of Microsoft Corporation. Netscape Navigator is a registered trademark of Netscape Communications Corporation. All other product names, company names, logos or other designations mentioned herein are trademarks or registered trademarks of their respective owners.

Allied Telesyn, Inc. reserves the right to make changes in specifications and other information contained in this document without prior written notice. The information provided herein is subject to change without notice. In no event shall Allied Telesyn, Inc. be liable for any incidental, special, indirect, or consequential damages whatsoever, including but not limited to lost profits, arising out of or related to this manual or the information contained herein, even if Allied Telesyn, Inc. has been advised of, known, or should have known, the possibility of such damages.

Contents

Preface
Where to Find Web-based Guide
Contacting Allied Telesyn
Online Suppor
103. Sorting Session Information
Chapter 6 Channel Management
Understanding Channel Management
How it Works in a Nutshell
Overlapping Channel
Example: A Network Before and After Channel Management
Displaying the Channel Management Settings
Configuring the Channel Management Settings
Stopping or Starting Automatic Channel Assignment
Viewing Current Channel Assignments and Setting Locks
Updating the Current Channel Settings Manually
104. NTP server you want to use. Allied Telesyn recommends using the host name rather than the IP address because IP addresses change more frequently. For example, this command sets the NTP server by host name to ntp.at-wa7400.com:

   ntp server ntp.at-wa7400.com

3. Get the Current Time Protocol Settings

   AT-WA7400 get ntp detail
   Field    Value
   status   up
   server   ntp.at-wa7400.com

Appendix D: Command Line Interface (CLI) for Access Point Configuration

Rebooting the Access Point

To reboot the access point, type reboot at the command line:

   AT-WA7400 reboot

Resetting the Access Point to the Factory Defaults

If you are experiencing extreme problems with the AT-WA7400 Wireless Access Point and have tried all other troubleshooting measures, you can reset the access point. This will restore factory defaults and clear all settings, including settings such as a new password or wireless settings. The following command resets the access point from the CLI:

   AT-WA7400 factory-reset

Note: Keep in mind that the factory-reset command resets only the access point you are currently administering, not other access points in the cluster.

For information on the factory default settings, see Appendix A, Management Software Default Settings, on page 215.

Keyboard Shortcuts and Tab Completion Help

The CLI provides keyboard shortcuts to help you navigate the comma
105. P EDCA parameters
o Wi-Fi Multimedia (WMM)
o Station EDCA Parameters

The following procedures describe how to configure the parameters in these sections.

AP Enhanced Distributed Channel Access (EDCA) Parameters affect traffic flowing from the access point to the client station. To configure these parameters, perform the following procedure:

1. In the AP EDCA parameters section of the Quality of Service page, configure the following parameters:

Queue: Queues are defined for different types of data transmitted from access point to station:

   Data 0 (Voice): High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue.

   Data 1 (Video): High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue.

   Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue.

   Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).

For more information, see QoS Queues and Parameters to Coordinate Traffic Flow on page 162.

AIFs (Inter-Frame Space): The Arbitration Inter-Frame Spacing (AIFs) specifies a wait time (in milliseconds) for data frames. Valid values for AIFs are 1 through 255. For more information, see
106. PA2 Personal (PSK)

1. Set the Security Mode

   AT-WA7400 set interface wlan0 security wpa-personal

2. Set the WPA Versions

Select the WPA version based on what types of client stations you want to support, as shown in Table 16.

Table 16. WPA Version, Function, and Command

   WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then use WPA.
      set bss wlan0bssInternal wpa-allowed on
      set bss wlan0bssInternal wpa2-allowed off

   WPA2: If all client stations on the network support WPA2, use WPA2, which provides the best security based on the IEEE 802.11i standard.
      set bss wlan0bssInternal wpa-allowed off
      set bss wlan0bssInternal wpa2-allowed on

   Both: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, use Both. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This WPA configuration allows more interoperability at the expense of some security.
      set bss wlan0bssInternal wpa-allowed on
      set bss wlan0bssInternal wpa2-allowed on

The following example sets the access point to support Both WPA and WPA2 client stations:

   AT-WA7400 set bss wlan0bssInternal wpa-allowed on
   AT-WA7400 set bss wlan0bssInternal wpa2-allowed on

3. Set the Cipher Suites
107. PA2, which provides the best security per the IEEE 802.11i standard.

   Both: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, select Both. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients who support it. This WPA configuration allows more interoperability at the expense of some security.

Cipher Suites: Select the cipher you want to use.

   Temporal Key Integrity Protocol (TKIP): This is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit temporal key shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.

   Counter mode/CBC-MAC Protocol (CCMP): CCMP is an encryption method for IEEE 802.11 that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter

WPA/WPA2 Enterprise (RADIUS)
108. Point Configuration

   AT-WA7400 get system version

Example 4: Type set TAB TAB (including a space after set) to get a list of all field options for the set command.

   AT-WA7400 set
   bss              Basic Service Set of radios
   cluster          Clustering based configuration settings
   cluster-member   Member of a cluster of like-configured access points
   config           Configuration settings
   dhcp-client      DHCP client settings
   dot11            IEEE 802.11 (all radios)
   host             Internet host settings
   interface        Network interface
   ip-route         IP route entry
   log              Log settings
   mac-acl          MAC address access list item
   ntp              Network Time Protocol client
   portal           Guest captive portal
   radio            Radio
   radius-user      RADIUS user
   ssh              SSH access to the command line interface
   system           System settings
   telnet           Telnet access to the command line interface
   tx-queue         Transmission queue parameters
   wme-queue        Transmission queue parameters for stations

Example 5: Type set mac TAB and the command will complete with the only matching option:

   AT-WA7400 set mac-acl

Example 6: Type set cluster TAB TAB and the two matching options are displayed:

   AT-WA7400 set cluster
   cluster          Clustering based configuration settings
   cluster-member   Member of a cluster of like-configured access points

Example 7: Type add TAB TAB (including a space after add) to get a list of all field options for the add command.

   AT-WA7400 add
109. Radio On IEEE 802 11 Mode 802 11g 802 11g Channel Auto Beacon Interval 100 DTIM Period 2 Fragmentation Threshold 2346 Regulatory Domain FCC RTS Threshold 2347 MAX Stations 2007 Transmit Power 100 percent 215 Appendix A Management Software Default Settings 216 Table 1 Management Software Default Settings Continued Setting Default Rate Sets Supported Mbps IEEE 802 1a 54 48 36 24 18 12 9 6 Upgrade required IEEE 802 19 54 48 36 24 18 12 11 9 5 5 2 1 IEEE 802 1b 11 5 5 2 1 Atheros Turbo 5 Ghz 108 96 72 48 36 24 18 12 Upgrade required Rate Sets Mbps Basic Advertised IEEE 802 1a 24 12 6 Upgrade required IEEE 802 19 11 5 5 2 1 IEEE 802 1b 2 1 Atheros Turbo 5 Ghz 48 214 12 Upgrade required Broadcast SSID Allow Security Mode None plain text Authentication Type None MAC Address Filtering Allow any station unless in list Guest Login and Management Disabled Load Balancing Disabled WDS Settings None Appendix B Configuring Security on Wireless Clients Users will typically configure security on their wireless clients for access to many different networks access points The list of Available Networks changes depending on the location of the client and which access points are online and detectable in that location The exception to this setup is if
110. Reset Configuration function. This feature restores the factory defaults and clears all settings, including settings such as a new password or wireless settings. To reboot the access point, perform the following procedure:

1. From the main menu, select Advanced > Reset Configuration. The Reset Configuration page is shown in Figure 63.

[Figure 63. Reset Configuration Page]

2. Click Reset. The factory defaults are restored.

Note: Another option is to press the Reset button on the back of the AT-WA7400 Wireless Access Point for at least 10 seconds when the power is on.

Note: If you do reset the configuration from this page, you are doing so for this access point only, not for other access points in the cluster.

For information about the factory default settings, see Appendix A, Management Software Default Settings, on page 215.

Upgrading the Firmware

As new versions of the AT-WA7400 Wireless Access Point firmware become available, you can upgrade the firmware on your devices to take advantage of new features and enhancements.

Caution: Do not upgrade the firmware from a wireless client that is associated with the access point you are upgrading. Doing so causes the upgrade to fail. Furthermore, all wireless clients are disassociated and no new associations are allowed. If you encounter this scenar
111. S server about the access point corresponds to settings on the access point (Advanced > Security) and vice versa. You should have already provided the RADIUS server IP Address to the access point. In the steps that follow, you provide the access point IP address to the RADIUS server. The RADIUS Key provided on the access point is the shared secret you will provide to the RADIUS server.

To configure an external RADIUS server, perform the following procedure:

1. On the Security Settings page, verify that the Authentication Server field is set to External, as shown in Figure 21.

[Figure 21. Security Settings Page]

Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. With firmware version 1.0 and greater, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are configurable. The AT-WA7400 Management Software defaults to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.
112. SSH software installed on your PC, such as PuTTY, which is available at http://www.chiark.greenend.org.uk/~sgtatham/putty/

1. Start your SSH application. PuTTY is used here as an example. The PuTTY settings are shown in Figure 40.

[Figure 40. PuTTY Configuration Dialog Box]

2. Enter the IP address of the access point and click Open. If your Domain Name Server is configured to map domain names to IP addresses via DHCP, you can enter the domain name of the access point instead of an IP address. This brings up the SSH command window and establishes a connection to the access point. The login prompt is displayed:

   login as:

3. Enter the default Administrator username and password for the AT-WA7400 Wireless Access Point (manager/friend) and press Enter after each. The password is masked, so it will not be displayed on th
113. Transmission Opportunity (TXOP) Interval for Client Stations
Configuring QoS Queues
Configuring AP EDCA Parameters
Enabling/Disabling Wi-Fi Multimedia
Configuring Station EDCA Parameters
Chapter 16 Configuring the Wireless Distribution System (WDS)
Understanding the Wireless Distribution System
Using WDS to Bridge Distant Wired LANs
Using WDS to Extend the Network Beyond the Wired Coverage Area
Backup Links and Unwanted Loops in WDS Bridges
Security Considerations Related to WDS Bridges
WDS Guidelines
Config
114. Security Mode

   AT-WA7400 set interface wlan0 security wpa-enterprise

Set the WPA Versions

Select the WPA version based on what types of client stations you want to support, as shown in Table 18.

Table 18. WPA Version, Function, and Command

   WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then use WPA.
      set bss wlan0bssInternal wpa-allowed on
      set bss wlan0bssInternal wpa2-allowed off

   WPA2: If all client stations on the network support WPA2, use WPA2, which provides the best security based on the IEEE 802.11i standard.
      set bss wlan0bssInternal wpa-allowed off
      set bss wlan0bssInternal wpa2-allowed on

   Both: If you have a mix of clients, some of which support WPA2 and others which support only the original WPA, use Both. This lets both WPA and WPA2 client stations associate and authenticate, but uses the more robust WPA2 for clients that support it. This WPA configuration allows more interoperability at the expense of some security.
      set bss wlan0bssInternal wpa-allowed on
      set bss wlan0bssInternal wpa2-allowed on

For this example, set the access point to support WPA client stations only:

   AT-WA7400 set bss wlan0bssInternal wpa-allowed on
   AT-WA7400 set bss wlan0bssInternal wpa2-allowed off

Enable Pre-Authentication

If you set WPA versions to WPA or Both, you can enable pre
115. Set AIFS on the Access Point
Set AIFS on the Client Station
Set Minimum and Maximum Contention Windows (cwmin, cwmax)
Set cwmin and cwmax on the Access Point
Set cwmin and cwmax on the Station
Set the Maximum Burst Length (burst) on the Access Point
Set Transmission Opportunity Limit (txop limit) for WMM client stations
Wireless Distribution Systems
Configure a WDS Link
Enable the WDS interface (wlan0wds0) on the current access point
Provide the MAC address of the remote access point to which you want to link
Get Details on a WDS Configuration
Time Protocol
Rebooting the Access Point
Resetting t
116. Size and Membership
Intra-Cluster Security
Auto-Synch of Cluster Configuration
Understanding and Changing Access Point Settings
Modifying the Location Description
Removing an Access Point from the Cluster
Adding an Access Point to a Cluster
Navigating to Configuration Information for a Specific Access Point and Managing Standalone Access Points
Navigating to an Access Point by Using its IP Address in a URL
Configuring MAC Address Filtering
MAC Filtering of Rogue Access Points
Chapter 4 Managing U
117. The Administration dialog box opens, as shown in Figure 5.

[Figure 5. Administration Dialog Box]

Note: KickStart provides a link to the AT-WA7400 management software web pages via the IP address of the first access point of each model. For more information about model types and clustering, see What Kinds of Access Points Can Cluster Together on page 44.

Chapter 2: Setting up the AT-WA7400 Management Software

The AT-WA7400 management software is a centralized management tool that you can access through the IP address for any access point in a cluster. After your other access points are configured, you can also link to the AT-WA7400 management software web pages using the IP address for any of the other AT-WA7400 Wireless Access Points (for example, http://IPAddressofAccessPoint).

Installing

To install the KickStart utility on the administrator's PC, perform the Kic
118. The Domain Name Service (DNS) is a system that resolves the descriptive name (domainname) of a network resource (for example, www.alliedtelesyn.com) to its numeric IP address (for example, 66.93.138.219). A DNS server is called a Nameserver. There are usually two Nameservers: a Primary Nameserver and a Secondary Nameserver.

3. Choose Dynamic or Manual mode. If you choose Manual, you should assign static IP addresses manually. If you choose Dynamic, the IP addresses for the DNS servers are assigned automatically through DHCP. This option is only available if you specified DHCP for the Connection Type.
4. Click Update to save your changes.

Configuring the Guest Interface Settings

The guest interface settings allow a wireless client limited access to the network (for instance, to the Internet). To configure the guest interface settings, perform the following procedure:

1. From the main menu, select Advanced > Ethernet (Wired) Settings. The Ethernet (Wired) Settings page is shown in Figure 30 on page 88.
2. In the Guest Interface Settings section, configure the following settings:

   MAC Address: Shows the MAC address for the internal interface for the Ethernet port on this access point. This is a read-only field that you cannot change.

   VLAN ID: The ID number of the VLAN associated with the guest

   Subnet: The subnet mask
119. Timeout on page 204
o Rebooting the Access Point on page 205
o Resetting the Configuration to Factory Defaults on page 206
o Upgrading the Firmware on page 207
o SNMP Firmware Upgrade on page 209

Chapter 17: Maintenance and Monitoring

Monitoring Wired and Wireless LAN Settings

To monitor wired LAN and wireless LAN (WLAN) settings, perform the following procedure:

1. From the main menu, select Status > Interfaces. The Interfaces page is shown in Figure 53.

Note: On a two-radio access point, current wireless settings for both radio one and radio two are shown. On a one-radio access point, settings are shown for one radio. The Interfaces page for a two-radio access point is shown in Figure 53.

[Figure 53. Interfaces Page]

This page displays the current settings of the
120. Troubleshooting
Wireless Distribution System (WDS) Problems and Solutions
Cluster Recovery
Reboot or Reset the Access Point
Stop Clustering and Reset Each Access Point in the Cluster
Appendix D Command Line Interface (CLI) for Access Point Configuration
Comparison of Settings Configurable with the CLI and Web UI
Accessing the CLI for an Access Point
Telnet Connection to the Access Point
SSH Connection to the Access Point
Quick View of Commands and How to Get Help
Commands and Syntax
121. a class, for example:

set unnamed-class [with qualifier-field qualifier-value ... to] field value ...

The first argument is an unnamed class in the configuration. After this is an optional qualifier that restricts the set to only some instances. For singleton classes (with only one instance) no qualifier is needed. If there is a qualifier, it starts with the keyword with, then has a sequence of one or more qualifier-field qualifier-value pairs, and ends with the keyword to. If these are included, then only instances whose present value of qualifier-field is qualifier-value will be set. The qualifier-value arguments cannot contain spaces. Therefore, you cannot select instances whose desired qualifier-value has a space in it. The rest of the command line contains field-value pairs.

set named-class instance | all [with qualifier-field qualifier-value ... to] field value ...

The first argument is a named class in the configuration. The next argument is the name of the instance to set, or the keyword all, which indicates that all instances should be set. Classes with multiple instances can be set consecutively in the same command line, as shown in Example 4 below. The qualifier-value arguments cannot contain spaces.

Here are some examples. Bold text indicates class names, field names, or keywords; the non-bold text indicates the values to which the fields are being set.

1. set interface wlan0 ssid "Vicky's AP"
2. set radio all beacon-interval 200
122. Set Security to Static WEP (page 307)
Set the Security Mode (page 307)
Set the Transfer Key Index (page 307)
Set the Key Length (page 307)
Set the Key Type
Set the WEP Keys
Set the Authentication Algorithm (page 309)
Get Current Security Settings After Re-Configuring to Static WEP Security Mode (page 309)
Set Security to IEEE 802.1x (page 312)
Set the Security Mode (page 312)
Set the Authentication Server (page 312)
Set the RADIUS Key (For External RADIUS Server Only) (page 313)
Enable RADIUS Accounting (External RADIUS Server Only) (page 313)
Get Current Security Settings After Re-Configuring to IEEE 802.1x Security Mode (page 314)
Set Security to WPA/WPA2 Person
123. Broadcast SSID, Station Isolation, and Security Mode (page 114)
Plain Text (page 115)
Guest Network (page 116)
Static WEP (page 116)
Rules to Remember for Static WEP (page 119)
Example of Using Static WEP (page 119)
Static WEP with Transfer Key Indexes on Client Stations (page 120)
IEEE 802.1x (page 121)
WPA/WPA2 Personal (PSK) (page 123)
WPA/WPA2 Enterprise (RADIUS) (page 125)
Configuring the IAPP Mapping Table (page 129)
Configuring SNMP (page 131)
Chapter 11: Setting Up Guest Access (page 133)
Understanding the Guest Interface (page 134)
Configuring
124. Understanding Security Issues on Wireless Networks (page 106)
How Do I Know Which Security Mode to Use (page 106)
Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms (page 107)
When to Use Plain Text (page 107)
When to Use Static WEP (page 107)
When to Use IEEE 802.1x (page 108)
When to Use WPA/WPA2 Personal (PSK) (page 110)
When to Use WPA/WPA2 Enterprise (RADIUS) (page 111)
Does Prohibiting the Broadcast SSID Enhance Security (page 113)
How Does Station Isolation Protect the Network (page 113)
Configuring Security Settings
125. a secondary backup wireless path via a WDS link. If the Ethernet connection goes down, STP would reconfigure its map of the network and effectively fix the down network segment by activating the backup wireless path. In this release, the AT-WA7400 Management Software does not provide STP. Without STP, it is possible that both connections (paths) may be active at the same time and result in an endless loop of traffic on the LAN. Therefore, be sure not to create loops with either WDS bridges or combinations of Wired (Ethernet) connections and WDS bridges. For more information, see WDS Guidelines on page 176.

Static Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. Both access points in a given WDS link must be configured with the same security settings. For static WEP, either a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key is specified for data encryption.

Chapter 16: Configuring the Wireless Distribution System (WDS)

WDS Guidelines

You can enable Static WEP on the WDS link (bridge). When WEP is enabled, all data exchanged between the two access points in a WDS link is encrypted using a fixed WEP key that you provide. Static WEP is the only security mode available for the WDS link, and it does not provide effective data protection to the level of other security modes available for service to client stat
126. access point needs only a single NTP client.

Some classes require their instances to have names to differentiate between them; these are called named classes. For example, one interface might have a name of eth0 to indicate that it is an Ethernet interface, while another interface could have a name of wlan0 to indicate it is a wireless LAN (WLAN) interface. Instances of singleton classes do not have names, since they only have a single instance. Classes that can have multiple instances but do not have a name are called anonymous classes. Together, singleton and anonymous classes are called unnamed classes. Some classes require their instances to have names, but the multiple instances can have the same name to indicate that they are part of the same group. These are called group classes.

has name?          | one instance | multiple instances
no                 | singleton    | anonymous
yes, unique        | n/a          | unique named
yes, non-unique    | n/a          | group named

Each class defines a set of fields that describe the actual information associated with a class. Each instance of a class will have a value for each field that contains the information. For example, the interface class has fields such as ip and mask. For one instance, the ip field might have a value of 192.168.1.1 while the mask field has a value of 255.255.0.0; another instance might have an ip field with a value of 10.0.0.1 and mask field with a value of 255.0.0.0.
127. access points that share the same settings. For more information on clustering, see Understanding Clustering on page 44. For information on how to set an access point to standalone or cluster mode from the web interface, see Cluster Mode on page 46 and Standalone Mode on page 46.

The following topics provide an introduction to the class structure upon which the CLI is based, CLI commands, and examples of using the CLI to get or set configuration information on an access point or cluster of access points:

o Comparison of Settings Configurable with the CLI and Web UI on page 266
o Accessing the CLI for an Access Point on page 269
o Quick View of Commands and How to Get Help on page 272
o Command Usage and Configuration Examples on page 278
o Keyboard Shortcuts and Tab Completion Help on page 349
o CLI Classes and Fields Reference on page 354

Appendix D: Command Line Interface (CLI) for Access Point Configuration

Comparison of Settings Configurable with the CLI and Web UI

The command line interface (CLI) and the web user interface (UI) to the AT-WA7400 Wireless Access Point are designed to suit the preferences and requirements of different types of users and scenarios. Most administrators will probably use both UIs in different contexts. Some features, such as clustering, can only be configured through the web UI and, conversely, some details and more complex configurations
128. access points within range of every member of the cluster, shows which access points are within range of which cluster members, and distinguishes between cluster members and nonmembers.

For each neighbor access point, the Wireless Neighborhood view shows identifying information (SSID or Network Name, IP address, MAC address) along with radio statistics (signal strength, channel, beacon interval). You can click on an access point to get additional statistics about the access points in radio range of the currently selected access point.

The Wireless Neighborhood view can help you:

o Detect and locate unexpected (or rogue) access points in a wireless domain so that you can take action to limit associated risks.
o Verify coverage expectations. By assessing which access points are visible at what signal strength from other access points, you can verify that the deployment meets your planning goals.
o Detect faults. Unexpected changes in the coverage pattern are evident at a glance in the color-coded table.

Displaying the Wireless Neighborhood Information

To view the Wireless Neighborhood page, perform the following procedure:

1. From the main menu, select Cluster > Wireless Neighborhood. The Wireless Neighborhood page is shown in Figure 28.

top of the column Wireless Neighborhood The Wireless Neighborhood table shows all access points within range of any AP in the clus
129. ackets will be sent more frequently. This will consume more bandwidth and reduce the throughput of the packet. On the other hand, sending more RTS packets can help the network recover from interference or collisions which might occur on a busy network, or on a network experiencing electromagnetic interference.

Maximum Stations: Specify the maximum number of stations allowed to access this access point at any one time. You can enter a value between 0 and 2007.

Transmit Power: Provide a percentage value to set the transmit power for this access point. The default is to have the access point transmit using 100 percent of its power.

o In most situations, Allied Telesyn recommends keeping the default and having the transmit power set to 100 percent. This is more cost-efficient because it gives the access point a maximum broadcast range and reduces the number of access points needed.
o To increase capacity of the network, place access points closer together and reduce the value of the transmit power. This setup helps reduce overlap and interference among access points. A lower transmit power setting can also keep your network more secure, because weaker wireless signals are less likely to propagate outside of the physical location of your network.

Preamble: This setting applies only to radio two.

Rate Sets: Radio one and radio two have different rate sets. See Configuring the Rate Sets o
130. Navigational Aids (page 36)
Summary of Settings Page (page 40)
Default Web Page (page 42)
Access Points Page (page 48)
Settings of Access Point that Joined the Cluster (page 50)
MAC Filtering Page (page 53)
Configure Rogue MAC Filtering of Access Point Page (page 55)
User Management Page (page 58)
User Accounts Section (page 60)
Backup or Restore User Database Page (page 62)
Sessions Page (page 66)
Without Automatic Channel Management, Access Points Can Broadcast on Overlapping Channels (page 71)
With Channel Management Enabled, Access Points are Re-Assigned to Non-Interfering Channels (page 71)
Channel Management Page (page 72)
Wireless Neighborhood Page
131. age

Chapter 2: Setting up the AT-WA7400 Management Software

Navigating the Web Pages

The web pages provide several ways that you can navigate through the software, as shown in Figure 14.

[Figure 14. Navigational Aids: screenshot of the Basic Settings page with callouts for the Links (HOME, HELP, LOGOUT), the Menu, and the Help text]

Links: The three links at the top of all the pages allow you to navigate to the following locations:

o Home: The home page for the access point, showing the Basic Settings page.
o Help: The entire help system for the access point.
o Logout: Opens the logout page so that you can log out from the AT-WA7400 management software. The Logout page is also available on the Advanced menu and is automatically displayed when your HTTP connection times out.

Menu: The menu is located along the left side of the page. The Advanced section is always collapsed until you click the plus sign to make a selection from that menu. When you go to one of the other menus, the section is collapsed again.

Help: The help tex
132. ait times are built in to 802.11 as infrastructure support and are not configurable.

The AT-WA7400 Management Software supports the Enhanced Distribution Coordination Function (EDCF) as defined by the 802.11e standard. EDCF, which is an enhancement to the DCF standard and is based on CSMA/CA protocol, defines the interframe space (IFS) between data frames. Data frames wait for an amount of time defined as the arbitration interframe space (AIFs) before transmitting. This parameter is configurable. (Note that sending data frames in AIFs allows higher priority management and control frames to be sent in SIFs first.) The AIFs ensures that multiple access points do not try sending data at the same time, but instead wait until a channel is free.

Random Backoff and Minimum/Maximum Contention Windows

If an access point detects that the medium is in use (busy), it uses the DCF random backoff timer to determine the amount of time to wait before attempting to access a given channel again. Each access point waits some random period of time between retries. The wait time (initially a random value within a range specified as the Minimum Contention Window) increases exponentially up to a specified limit (Maximum Contention Window). The random delay avoids most of the collisions that

Chapter 15: Configuring Quality of Service (QoS)

[Figure: backoff time in milliseconds; labels: initial backoff, backoff with MinCW doubled]
133. al PSK (page 315)
Set Security to WPA/WPA2 Enterprise (RADIUS) (page 318)
Set the Security Mode (page 318)
Set the WPA Versions (page 318)
Enable Pre-Authentication (page 318)
Set the Cipher Suites (page 319)
Set the Authentication Server (page 320)
Set the RADIUS Key (For External RADIUS Server Only) (page 320)
Enable RADIUS Accounting (External RADIUS Server Only) (page 321)
Allow Non-WPA Clients (page 321)
Get Current Security Settings After Reconfiguring to WPA/WPA2 Enterprise (RADIUS) (page 321)
Enabling and Configuring the Guest Login Welcome Page (page 323)
View Guest Login Settings (page 323)
Enable/Disable the Guest Welcome Page
134. an all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.

Security on a

To configure Static WEP security on a client, perform the following procedure:

1. Confirm the Security mode setting on the Security Settings page, as shown in Figure 4.

[Figure 4. Security Settings Page: Broadcast SSID (Allow/Prohibit), Station Isolation (Off/On), Security Mode (Static WEP), Transfer Key Index, Key Length (64 bits/128 bits), Key Type (ASCII/Hex), Characters Required, WEP Keys, Authentication Algorithms]

2. Configure WEP security on each client, as shown in Figure 5.

[Figure 5: Wireless network properties dialog, showing Network name (SSID), Network Authentication, Data encryption, Network key, and Key index (advanced)]

o Choose Open or Shared.
o Choose WEP as the Data Encryption mode.
o Enter a network key that matches the WEP key on the access point in the position set to the transfer
135. mode (CBC-CTR) and Cipher Block Chaining Message Authentication Code (CBC-MAC) for encryption and message integrity.

Both: When the authentication algorithm is set to Both, both TKIP and AES clients can associate with the access point. WPA clients must have one of the following to be able to associate with the access point:

o A valid TKIP key
o A valid CCMP (AES) key

Clients not configured to use a WPA-PSK cannot associate with the access point.

Key: The Pre-shared Key is the shared secret key for WPA-PSK. Enter a string of at least 8 characters to a maximum of 63 characters.

2. Click Update to save your settings.

Wi-Fi Protected Access 2 (WPA2) with Remote Authentication Dial-In User Service (RADIUS) is an implementation of the Wi-Fi Alliance IEEE 802.11i standard, which includes Advanced Encryption Standard (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Enterprise mode requires the use of a RADIUS server to authenticate users and the configuration of user accounts using the Cluster > User Management page.

This security mode is backwards-compatible with wireless clients that support the original WPA.

When you configure WPA2 Enterprise (RADIUS) mode, you have a choice of whether to use the built-in RADIUS server or an external RADIUS server that you provide. The AT-WA7400 Management Software built-in RADIUS server supports Protected EAP P
136. o Dark Blue Bar: A dark blue bar and a high signal strength number (for example, 50) indicates good signal strength detected from the Neighbor seen by the access point whose IP address is listed above that column.
o Lighter Blue Bar: A lighter blue bar and a lower signal strength number (for example, 20 or lower) indicates medium or weak signal strength from the Neighbor seen by the access point whose IP address is listed above that column.
o White Bar: A white bar and the number 0 indicates that a neighboring access point that was detected by one of the cluster members cannot be detected by the access point whose IP address is listed above that column.
o Light Gray Bar: A light gray bar and no signal strength number indicates a Neighbor that is detected by other cluster members but not by the access point whose IP address is listed above that column.
o Dark Gray Bar: A dark gray bar and no signal strength number indicates this is the access point whose IP address is listed above that column (since it is not applicable to show how well the access point can detect itself).

Chapter 7: Wireless Neighborhoods

Viewing Details of a Cluster Member

To view details on a cluster member access point, perform the following procedure:

1. From th
137. ar with the names of the interfaces as described in Understanding Interfaces as Presented in the CLI on page 278. The interface name referenced in a command determines if a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.

Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic like Voice-over-IP (VoIP), other types of audio, video, and streaming media, as well as traditional IP data over the AT-WA7400 Wireless Access Point. For a complete conceptual overview of QoS, see Understanding QoS on page 162.

Table 30 provides a quick view of QoS commands.

Table 30. QoS Commands

Function | Command
Enable/Disable Wi-Fi Multimedia | set radio wlan0 wme off; set radio wlan0 wme on; get radio wlan0 wme
About Access Point and Station EDCA Parameters | See About Access Point and Station EDCA Parameters on page 338
Understanding the Queues for Access Point and Station | See Understanding the Queues for Access Point and Station on page 339
Distinguishing between Access Point and Station Settings in QoS Commands | See Distinguishing between Access Point and Station Settings in QoS Commands on page 339
Get QoS Settings on the Access P
138. are only available through the CLI.

The CLI is particularly useful because it provides an interface to which you can write programmatic scripts for access point configurations. The CLI may also be less resource-intensive than a web interface.

Table 2 shows a feature-by-feature comparison of which settings can be configured through the CLI or the web UI, and which are configurable with either.

Table 2. Comparison of CLI to Web Browser Interface Settings

Feature or Setting | Configurable from CLI | Configurable from Web
Basic Settings (getting/changing Administrator Password; getting/changing access point name and location; viewing information such as MAC, IP address, and firmware version) | Yes | Yes
Access Point and Cluster Settings | Get existing settings only. You cannot set configuration policy or other cluster features from the CLI. Use for clustering settings | Yes
User Accounts | Yes | Yes
User Database Backup and Restore | No | Yes, as described in Backing Up and Restoring a User Database on page 62
Sessions | No | Yes
Channel Management | No | Yes, as described in Chapter 6, Channel Management on page 69
Wireless Neighborhood | No | Yes, as described in Chapter 7
139. ation on each client as follows:

[Figure 7. Association and Authentication Tabs: Wireless network properties dialog, with callouts: choose Open; choose WEP Data Encryption mode; enable (click to check) IEEE 802.1x authentication; choose Protected EAP (PEAP)]

2. Configure the following settings on the Association tab in the Network Properties dialog box:

Network Authentication: Open
Data Encryption: WEP

Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each IEEE 802.11 fram
140. authenticating and authorizing TLS-EAP certificates from wireless clients of a particular AT-WA7400 Wireless Access Point configured for either WPA/WPA2 Enterprise (RADIUS) or IEEE 802.1x security modes. The intention of this section is to provide some idea of what this process will look like; procedures will vary depending on the RADIUS server you use and how you configure it. For this example, the Internet Authentication Service that is shipped with Microsoft Windows 2003 server is used.

Note: This document does not describe how to set up Administrative users on the RADIUS server. In this example, Allied Telesyn assumes that you already have RADIUS server user accounts configured. You will need a RADIUS server user name and password for both this procedure and the following one, which describes how to obtain and install a certificate on the wireless client. Please consult the documentation for your RADIUS server for information on setting up user accounts.

The purpose of this procedure is to identify your AT-WA7400 Wireless Access Point as a client to the RADIUS server. The RADIUS server can then handle authentication and authorization of wireless clients for the access point. This procedure is required per access point. If you have more than one access point with which you plan to use an external RADIUS server, you need to follow these steps for each of those access points.

Keep in mind that the information you need to provide to the RADIU
141. ay Host for the Kernel Log

As a prerequisite to remote logging, the Log Relay Host must be configured first, as described in Setting Up the Log Relay Host on page 187. See a complete explanation of CLI commands at Enable Remote Logging and Specify the Log Relay Host for the Kernel Log on page 295. Here are a few:

set log relay-enabled 1 (enables remote logging)
set log relay-enabled 0 (disables remote logging)
get log
set log TAB TAB (shows values you can set on the log)

Get Transmit/Receive Statistics: get interface all ip mac ssid tx-packets tx-bytes tx-errors rx-packets rx-bytes rx-errors
Get Client Associations: get association
Get Neighboring Access Points: get clustered-ap

Get Common Information on the Internal Interface for the Access Point

The following command obtains all information on the internal interface for an access point:

AT-WA7400# get interface br0
Field   Value
type
status
hello
mac     00:a0:c9:8c:c4:7e
ip      192.168.1.1
mask    255.255.255.0

Get Current Settings for the Ethernet (Wired) Internal Interface

The following example shows how to use the CLI to get the Ethernet (Wired) settings for the internal interface for an access point. You can see by the output results of the command that the MAC address is 00:a0:c9:8c:c4:7e, the IP address is 192.168.1.1, and the subnet mask is 255.255.255.0.
142. ay be assigned to different channels than they were previously using, depending on the results of the plan. The following information is displayed:

IP Address: Specifies the IP address for the access point.
Current: Indicates the radio channel on which this access point is currently broadcasting.
Proposed: Indicates the radio channel to which this access point would be re-assigned if the Channel Plan is executed.

Configuring Advanced Settings (Customizing and Scheduling Channel Plans)

If you use channel management as provided (without updating the Advanced settings), channels are automatically fine-tuned once every hour if interference can be reduced by 25 percent or more. Channels are reassigned even if the network is busy. The appropriate channel sets are used (b/g for access points using IEEE 802.11b/g and a for access points using IEEE 802.11a).

These defaults are designed to satisfy most scenarios where you would need to implement channel management.

You can use the Advanced settings to modify the interference reduction potential that triggers channel reassignment, change the schedule for automatic updates, and reconfigure the channel set used for assignments.

To configure the advanced settings, perform the following procedure:

1. From the main menu, select Cluster > Channel Management. The Channel Management page is displayed, as shown in Figure 27 on page 72.

2. Click
143. because a client station is allowed to associate does not ensure it can exchange traffic with an access point. A station must have the correct WEP key to be able to successfully access and decrypt data from an access point, and to transmit readable data to the access point.

o Shared Key: Shared Key authentication requires the client station to have the correct WEP key in order to associate with the access point. When the authentication algorithm is set to Shared Key, a station with an incorrect WEP key will not be able to associate with the access point.

o Both: This is the default. When the authentication algorithm is set to Both:
  - Client stations configured to use WEP in shared key mode must have a valid WEP key in order to associate with the access point.
  - Client stations configured to use WEP as an open system (shared key mode not enabled) will be able to associate with the access point even if they do not have the correct WEP key.

Rules to Remember for Static WEP

o All client stations must have the wireless LAN (WLAN) security set to WEP, and all clients must have one of the WEP keys specified on the access point in order to decode access point-to-station data transmissions.
o The access point must have all keys used by clients for station-to-access point transmit so that it can decode the station transmissions.
o The same key must occupy the same slot on all nodes (access point a
144. bridge interface for VWN2 consists of wlan0vwn1, vlanVLANID, where VLANID is a four-digit VLAN ID that you provided. For example, if you provided a VLAN ID of 1234, the VLAN interface would be vlan1234. On a two-radio access point, the bridge interface for VWN2 consists of wlan0vwn1, wlan1vwn1, vlanVLANID, where VLANID is a four-digit VLAN ID that you provided. For example, if you provided a VLAN ID of 5678, the VLAN interface would be vlan5678.

wlan0: The wireless (radio) interface for the internal network.
wlan0guest: The wireless (radio) interface for the guest network.
wlan0vwn1: The wireless interface for virtual wireless network (VWN) 1.
wlan0vwn2: The wireless interface for virtual wireless network (VWN) 2.
wlan0wdsx: A wireless distribution system (WDS) interface, where x indicates the number of the WDS link. For example, wlan0wds1.
wlan1: On a two-radio access point, the wireless (radio) interface for the internal network on the second radio.
wlan1guest: On a two-radio access point, the wireless (radio) interface for the guest network on the second radio.
wlan1vwn1: On a two-radio access point, the wireless interface for virtual wireless network (VWN) 1 on the second radio.
wlan1vwn2: On a two-radio access point, the wireless interface for virtual wireless network (VWN) 2 on the second radio.
vlanxxxx: A VLAN interface for VLAN ID xxxx. To find out what this VLAN
145. bssInternal on 142 77 1 1 KeepSecret on off off on off on off rsn preauthentication off
Enabling and Configuring the Guest Login Welcome Page
The guest login and welcome page commands are shown in Table 24.
Table 24. Guest Login and Welcome Page Commands
Function | Command
View all guest login settings | get portal
Enable guest login and Welcome page | set portal status up
Disable guest login and Welcome page | set portal status down
Specify Guest Welcome page text for the captive portal | set portal welcome screen text welcome Screen Text
Where welcome Screen Text is the content of the Welcome message you want displayed on the Guest Welcome page. The Welcome message must be in quotes if it contains spaces, punctuation, and special characters.
Note: Guest login settings are only relevant if you have first configured a guest network. For information about configuring a guest network, see Chapter 11, Setting Up Guest Access on page 133.
You can set up a captive portal that guest clients will see when they log on to the guest network, or modify the Welcome screen guest clients see when they open a web browser or try to browse the web.
View Guest Login Settings
To view the current settings for guest login:
AT WA7400 get portal
Field Value
status down
welcome screen on
323 Appendix D Command L
146. ccess point. For example, 6 to 54Mbps for 802.11a.
Signal: Indicates the strength of the radio frequency (RF) signal the client receives from the access point. The measure used for this is an IEEE 802.1x value known as Received Signal Strength Indication (RSSI), and will be a value between 0 and 100. RSSI is determined by an IEEE 802.1x mechanism implemented on the network interface card (NIC) of the client station.
Utilization: Utilization rate for this station. For example, if the station is active (transmitting and receiving data) 90% of the time and inactive 10% of the time, its utilization rate is 90%.
Receive Total: Indicates number of total packets received by the client during the current session.
Transmit Total: Indicates number of total packets transmitted to the client during this session.
Error Rate: Indicates the percentage of time frames are dropped during transmission on this access point.
To view only specific information about a session, perform the following procedure:
- On the Sessions page, from the Display list, choose the field you want to display and click Go. The page is refreshed and displays the User AP Location and User MAC information in addition to the field you selected.
Chapter 5 Session Monitoring
Sorting Session Information
To sort the information in the session list, perform the following procedure:
1. On the Sessions page, click the column label by which you want
147. cessPoint/stop_clustering.cgi
Where IPAddressOfAccessPoint is the IP address of the access point you want to stop clustering. You can find the IP addresses for the cluster members on the Cluster > Access Points page for any of the clustered access points. (Allied Telesyn recommends making a note of all IP addresses at this point.)
Appendix C Troubleshooting
The Stop Clustering page for this access point is displayed, as shown in Figure 37.
Stop Clustering
This page is used to stop clustering in order to help resolve a serious cluster configuration problem. Please follow these steps to remedy the problem:
1. Press the Stop Clustering button for every Access Point in the cluster. You may obtain the IP addresses of each Access Point in the cluster by viewing the Cluster > Access Points page. To find the Stop Clustering page for a particular Access Point, type http://<ip address>/stop_clustering.cgi in your browser's address bar.
2. After clustering is stopped, proceed to the Advanced > Reset Configuration page of each Access Point and press the Reset button.
3. After resetting all Access Points in the original cluster, navigate to the Cluster > Access Points page and press the Refresh button until all Access Points are displayed in the list.
4. Review all configuration settings and make modifications as needed. Pay special attention to the security settings because after a reset, Access Points run withou
148. channel is set to 6, the beacon interval is 100, and so forth. For information on how to configure radio settings through the CLI, see Radio Settings on page 326. Radio settings are fully described in the web UI topic on Configuring Radio Settings on page 147.
Get the Current IEEE 802.11 Radio Mode
AT WA7400 get radio wlan0 mode
g
Get the Channel the Access Point is Currently Using
AT WA7400 get radio wlan0 channel
2
Get Basic Radio Settings for the Internal Interface
AT WA7400 get radio wlan0
Field Value
status up
max bsses 2
channel policy best
channel 6
static channel 9
mode g
fragmentation threshold 2346
rts threshold 2347
ap detection on
beacon interval 100
Appendix D Command Line Interface CLI for Access Point Configuration
Get All Radio Settings on the Internal Interface
AT WA7400 get radio wlan0 detail
Field status description mac max bss channel policy mode static channel channel tx power tx rx status beacon interval rts threshold fragmentation threshold load balance disassociation utilization load balance disassociation stations load balance no association utilization ap detection station isolation frequency wme
up IEEE 802 11 best 11 100 up 100 2347 2346 on off 2417 on
Get Status on Events
AT WA7400 get log entry all
Number Time Priority Daemon Message
1 Apr
149. cifying Limits for Utilization and Client Associations 156
Load Balancing and QoS 156
Configuring Load Balancing 157
Chapter 15 Configuring Quality of Service QoS 161
Understanding QoS 162
QoS and Load Balancing 162
802.11e and WMM Standards Support 162
QoS Queues and Parameters to Coordinate Traffic Flow 162
QoS Queues and Type of Service ToS on Packets 163
EDCF Control of Data Frames and Arbitration Interframe Spaces 164
Random Backoff and Minimum Maximum Contention Windows 165
Packet Bursting for Better Performa
150. ckup File
Figure 66. Backup Restore Page (page text: "Click the link below to download a file containing the current configuration for this AP: download configuration. To Restore the Configuration from a Previously Saved File: Enter the path and file name of the configuration backup file you want to use, or click Browse to open a dialog where you can locate and select the file. Then click Restore to load this file in place of the current configuration." Buttons: Browse, Restore)
2. In the top section of the page, click download configuration. A File Download or Open dialog box is displayed.
3. Choose the Save option in this first dialog box. The file browser window opens.
4. Navigate to the directory where you want to save the file and click OK to save the file. You can keep the default file name (apconfig.cbk) or rename the backup file, but be sure to save the file with a .cbk extension.
Restoring Access Point Settings to a Previous Configuration
To restore the configuration on an access point to previously saved settings, perform the following procedure:
1. From the main menu, select Advanced > Backup Restore. The Backup Restore page opens, as shown in Figure 66 on page 212.
2. Select the backup configuration file you want to use, either by typing the full path and file name in the Restore field or clicking Browse and selecting the file.
Note: Only those files that
151. cludes both the internal and guest network when guest access is enabled.
To configure load balancing, perform the following procedure:
1. From the main menu, select Advanced > Load Balancing.
Chapter 14 Load Balancing
The Load Balancing page is shown in Figure 48.
Figure 48. Load Balancing Page (fields: Load Balancing, Enabled or Disabled; Utilization for No New Associations, percent, 0 disables; Utilization for Disassociation, percent, 0 disables; Station Threshold for Disassociation, range 1-2007, 0 disables)
2. Configure the following settings as required:
Load Balancing: To enable load balancing on this access point, click Enable. To disable load balancing on this access point, click Disable.
Utilization for No New Associations: Utilization rate limits relate to wireless bandwidth utilization. Provide a bandwidth utilization rate percentage limit for this access point to indicate when to stop accepting new client associations. When the utilization rate for this access point exceeds the specified limit, no new client associations are allowed on this access point. If you specify 0 in this field, all new associations are allowed regardless of the utilization rate.
Utilization for Disassociation: Utilization rate limits relate to wireless bandwidth utilization. Provide a bandwidth utilization rate percentage limit for this access point to indicate when to disassociate current clients. When the uti
152. command, you can identify the following about the Log Relay Host (syslog server):
- The syslog server is disabled (because relay enabled is set to 0).
- No IP address or Host Name is specified for the syslog server.
- The access point is listening for syslog messages on the default port 514.
Enable/Disable Log Relay Host
To enable the Log Relay Host:
AT WA7400 set log relay enabled 1
To disable the Log Relay Host:
AT WA7400 set log relay enabled 0
Specify the Relay Host
To specify the Relay Host, provide either the IP address or a DNS name for the Log Relay Host as parameters to the set log relay host command, as shown below.
- To specify an IP address for the syslog server:
set log relay host IP_Address_Of_LogRelayHost
Where IP_Address_Of_LogRelayHost is the IP address of the Log Relay Host. For example:
AT WA7400 set log relay host 10.10.5.220
- To specify a Host Name for the syslog server:
set log relay host Host_Name_Of_LogRelayHost
Where Host_Name_Of_LogRelayHost is a DNS name for the Log Relay Host. For example:
AT WA7400 set log relay host myserver
Specify the Relay Port
To specify the Relay Port for the syslog server:
set log relay port Number_Of_LogRelayPort
Where Number_Of_LogRelayPort is the port number for the Log Relay Host. For example:
AT WA7400 set log relay port 514
Review Log Settings After Configuring Log Relay Host
153. cts the deleted access point or shows an incomplete display, refer to the information on cluster recovery in Cluster Recovery on page 261.
Chapter 3 Managing Access Points and Clusters
Navigating to Configuration Information for a Specific Access Point and Managing Standalone Access Points
In general, the AT WA7400 Management Software is designed for central management of clustered access points. For access points in a cluster, all access points in the cluster reflect the same configuration. In this case, it does not matter which access point you actually connect to for administration.
There may be situations, however, when you want to view or manage information on a particular access point. For example, you might want to check status information such as client associations or events for an access point. Or you might want to configure and manage features on an access point that is running in standalone mode. In these cases, you can navigate to the AT WA7400 Management Software web interface for individual access points by clicking the IP address links on the Access Points page.
All clustered access points are shown on the Cluster > Access Points page. To navigate to clustered access points, you can simply click on the IP address for a specific cluster member shown in the list.
Navigating to an Access Point by Using its IP Address in a URL
You can also link to the web pages of a specific access point by enteri
154. d
Channel: The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving. The range of channels and the default channel are determined by the Mode of the radio interface. For most Modes, the default is Auto. Auto is the recommended mode because it automatically detects the best channel choices based on signal strength, traffic loads, and so on. Channels operate in a specific frequency range. The available frequencies depend upon the country, as shown in Table 5.
Table 5. Worldwide Frequencies for 802.11g and 802.11b Radios
Channel FCC ETSI France Japan Israel
1 2412 2412 2412
2 2417 2417 2417
3 2422 default 2422 default 2422 default 2422 default
4 2427 2427 2427
5 2432 2432 2432
6 2437 2437 2437
7 2442 2442 2442
8 2447 2447 2447
9 2452 2452 2452
10 2457 2457 2457 2457
11 2462 2462 2462 default 2462
12 2467 2467 2467
13 2472 2472 2472
14 2484
The 802.11g and 802.11b channels that are allowed in a given country may change without notice. Be sure you use only those frequencies that are permissible in the given country. Note the following:
- FCC countries include the United States, Canada, China, Taiwan, India, Thailand, I
155. d and received for each station.
The AT WA7400 Wireless Access Point provides link integrity monitoring to continually verify its connection to each associated client, even when there is no data exchange occurring. To do this, the access point sends data packets to clients every few seconds when no other traffic is passing. This allows the access point to detect when a client goes out of range, even during periods when no normal traffic is exchanged. The client connection drops off the list of associated clients within 300 seconds of a client disappearing, even if they do not disassociate (but went out of range).
An association describes a client connection to a particular access point. A session describes a client connection to the network. A client network connection can shift from one clustered access point to another within the context of the same session. A client station can roam between access points and still maintain the session. For information on monitoring sessions, see Chapter 5, Session Monitoring on page 65.
Viewing the Status of Neighboring Access Points
The status page for neighboring access points provides real-time statistics for all access points within range of the access point on which you are viewing the web pages.
To view information about other access points on the wireless network, perform the following procedure:
1. From the main menu, select Status > Nei
156. Getting Help on Commands at the CLI 275
Command Usage and Configuration Examples 278
Understanding Interfaces as Presented in the CLI 278
Saving Configuration Changes 281
Basic Settings 282
Get the IP Address for the Internal Interface on an Access Point 283
Get the MAC Address for an Access Point 283
Get Both the IP Address and MAC Address 283
Get Common Information on All Interfaces for an Access Point 284
Get the Firmware Version for the Access Point 284
Get the Location of the Access Point
157. data in one go. Interactive feedback is nice to have in this situation, but certainly less critical. VoIP data packets are set for minimum delay because that is a critical factor in quality and performance for that type of data.
The access point examines the ToS field in the headers of all packets that pass through the access point. Based on the value in a packet's ToS field, the access point prioritizes the packet for transmission by assigning it to one of the queues. This process occurs automatically, regardless of whether you deliberately configure QoS or not.
A different type of data is associated with each queue. The queue and associated priorities and parameters for transmission are as follows:
- Data 0 (Voice): Highest priority queue, minimum delay. Time-sensitive data such as Voice over IP (VoIP) is automatically sent to this queue.
- Data 1 (Video): High priority queue, minimum delay. Time-sensitive data such as Video and other streaming media are automatically sent to this queue.
- Data 2 (Best Effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue.
- Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example).
Packets in a higher priority queue will be transmitted before packets in a lower prio
158. den
AT WA7400 get radius user all
name username disabled password realname
larry David white
samantha Elizabeth Montgomery
endora Agnes Moorhead
darren Dick York
wally Tony Dow
Remove a User Account
To remove a user account, type the following:
AT WA7400 remove radius user wally
Use the get command to view all user names. (You can see that wally has been removed.)
AT WA7400 get radius user all name
name
larry
Samantha
endora
darren
Displaying Status
The command tasks and examples in this section show status information on access points. These settings correspond to what is shown on the Status pages in the web UI. See Monitoring Wired and Wireless LAN Settings on page 184, Viewing the Event Logs on page 186, Viewing the Transmit Receive Statistics on page 190, Viewing the Associated Wireless Clients on page 192, and Viewing the Status of Neighboring Access Points on page 193.
Note: Make sure you are familiar with the names of the interfaces as described in Understanding Interfaces as Presented in the CLI on page 278. The interface name you reference in a get command determines whether the command output shows a wired or wireless interface, the internal or guest network, or on a two-radio access point to radio one or radio two.
Table 8 provides a quick view of all Status commands and links to detailed
159. dows on page 165 and the more detailed field description for this value in that topic.
Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin.
Set cwmin and cwmax on the Access Point
To set the Minimum and Maximum Contention Windows (cwmin, cwmax) on access point to station traffic:
set tx queue wlan0 with queue Queue_Name to cwmin cwmin_Value cwmax cwmax_Value
Where Queue_Name is the queue on the access point to which you want the setting to apply, and cwmin_Value and cwmax_Value are the values (in milliseconds) you want to specify for contention back-off windows.
For example, this command sets the access point Video queue (data1) cwmin value to 15 and cwmax value to 31:
AT WA7400 set tx queue wlan0 with queue data1 cwmin 15 cwmax 31
View the results of this configuration update (bold in the command output highlights the modified values):
AT WA7400 get tx queue
name queue aifs cwmin cwmax burst
wlan0 data0 13 3 7 1 5
wlan0 data1 1 15 31 3 0
wlan0 data2 3 15 63 0
wlan0 data3 7 15 1023 0
Set cwmin and cwmax on the Station
To set the Minimum and Maximum Contention Windows (cwmin, cwmax) on station to access point traffic:
set wme queue wlan0 with queue Queue_Name to cwmin cwmin_Value cwmax cwmax_Value
Where Queue_Name is the queue on the station
160. dresses for guest and internal interfaces on the access point, see the Status > Interfaces page.
To change the location description for an access point:
1. From the main menu, select Basic Settings. The Basic Settings page is shown in Figure 13 on page 35.
2. Update the Location description in section 1 under Review Description of this Access Point.
3. Click Update to apply the changes.
To remove an access point from the cluster, do the following:
1. From the main menu, select Cluster > Access Point. The Access Points page is shown in Figure 17 on page 48.
2. Click the checkbox next to the access point so that the box is checked.
3. Click Remove. The change is under Status for that access point; the access point will now show as standalone instead of cluster.
Note: In some situations, it is possible for the cluster to become out of sync. If, after removing an access point from the cluster, the access point list still reflects the deleted access point or shows an incomplete display, refer to the information on cluster recovery in Cluster Recovery on page 261.
Adding an Access Point to a Cluster
To add an access point that is currently in standalone mode back into a cluster, do the following:
1. Go to the AT WA7400 Management Software web pages for the standalone access point. See Navigating to an Access Point by Using its IP Address in a URL
161. e 209
Backup Restore Page 212
Wireless Network Connections Properties Dialog Box 222
Wireless Network Properties Dialog Box 223
Wireless Network Properties Dialog Box 224
Security Settings Page 225
Wireless Network Properties Dialog Box 226
Security Settings Page 228
Association and Authentication Tabs 228
Protected EAP Properties Dialog Box and EAP Properties Dialog Box 230
Security Settings Page 232
Association and Authentication Tabs 233
Smart Card or other
162. e
Figure 45. Radio One Page (fields: Status, On or Off; Mode; Super AG, Enabled or Disabled; Channel; Beacon Interval, Msec, range 20-2000; DTIM Period, range 1-255; Fragmentation Threshold, range 256-2346, even numbers only; RTS Threshold, range 0-2347; Maximum Stations, range 0-2007; Transmit Power, percent; Rate Sets, Supported and Basic)
2. Configure the following settings as necessary:
Radio: Choose radio one or radio two. (Be sure to configure settings for both radios.)
Status (On/Off): Specify whether you want the radio on or off by clicking On or Off.
Chapter 13 Configuring Radio Settings
Mode: The Mode defines the Physical Layer (PHY) standard being used by the radio.
Note: With a two-radio access point, different modes may be available depending on whether radio one or radio two is selected in the Radio field above.
- Atheros Turbo 5 GHz is IEEE 802.11a Turbo mode.
- Atheros Turbo 2.4 GHz is IEEE 802.11g Turbo mode.
Super AG: Enabling Super AG provides better performance by increasing radio throughput for a radio mode (IEEE 802.11b, g, a, and so on). Keep in mind that with Super AG enabled the access point transmissions will consume more bandwidth. To enable Super AG, click Enabled. To disable Super AG, click Disable
163. e
The Arbitration Inter-Frame Spacing (AIFs) specifies a wait time (in milliseconds) for data frames. For more information, see EDCF Control of Data Frames and Arbitration Interframe Spaces on page 164.
cwMin (Minimum Contention Window): This parameter is input to the algorithm that determines the initial random backoff wait time (window) for retry of a transmission. The value specified here in the Minimum Contention Window is the upper limit (in milliseconds) of a range from which the initial random backoff wait time is determined. The first random number generated will be a number between 0 and the number specified here. If the first random backoff wait time expires before the data frame is sent, a retry counter is incremented and the random backoff value (window) is doubled. Doubling continues until the size of the random backoff value reaches the number defined in the Maximum Contention Window. For more information, see Random Backoff and Minimum Maximum Contention Windows on page 165.
cwMax (Maximum Contention Window): The value specified here in the Maximum Contention Window is the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. Once the Maximum Contention Window size is reached, retries will continu
164. e
Configuring the Guest Network Wireless Settings
The guest settings describe the MAC address (read-only) and wireless network name (SSID) for the guest network. Configuring an access point with two different network names (SSIDs) allows you to leverage the guest interface feature on the AT WA7400 Wireless Access Point.
To configure the guest network wireless settings, perform the following procedure:
1. From the main menu, select Advanced > Wireless Settings. The Wireless Settings page is shown in Figure 31 on page 98.
2. In the Guest Settings section, configure the following settings:
MAC Address: Shows the MAC address for the guest interface for this access point. This is a read-only field that you cannot change. Although this access point is physically a single device, it can be represented on the network as two or more nodes, each with a unique MAC Address. This is accomplished by using multiple Basic Service Set Identifiers (BSSID) for a single access point. The MAC address(es) shown for the guest access point is the BSSID(s) for the guest interface. For the two-radio access point, two MAC addresses are shown, one for each radio on the guest interface.
Wireless Network Name (SSID): Enter the SSID for the guest network. The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name. There are no restric
165. e
The AT WA7400 Management Software includes 802.11e based packet bursting technology that increases data throughput and speed of transmission over the wireless network. Packet bursting enables the transmission of multiple packets without the extra overhead of header information. The effect of this is to increase network speed and data throughput. The size of packet bursts allowed (maximum burst length) is a configurable parameter.
Transmission Opportunity (TXOP) Interval for Client Stations
The Transmission Opportunity (TXOP) is an interval of time when a Wi-Fi Multimedia (WMM) client station has the right to initiate transmissions onto the wireless medium (WM).
Configuring QoS Queues
Configuring Quality of Service (QoS) on the AT WA7400 Wireless Access Point consists of setting parameters on existing queues for different types of wireless traffic, and effectively specifying minimum and maximum wait times (via Contention Windows) for transmission. The settings described here apply to data transmission behavior on the access point only, not to that of the client stations.
Note: For the guest interface, QoS queue settings apply to the access point load as a whole (both BSSes together). On a two-radio access point, these settings apply to both radios, but the traffic for each radio is queued independently. (The exception to this is guest traffic, as noted below.)
Internal and guest network
166. e name type status lo ethod eth1 bro brguest wlanO wlanOguest wlanOwdsO wlanOwds1 wlanOwds2 wlanOwds3 AT WA7400 bridge bridge service set service set wds wds wds wds up up down up down 00 00 00 02 00 02 00 02 00 00 00 0Cc 00 B3 B3 B3 00 41 00 01 02 01 00 16 00 01 02 01 00 DF 00 127 0 0 1 255 0 0 0 01 02 701 10 10 100 110 255 255 255 0 00 A6
Get the Firmware Version for the Access Point
In the following example, the access point is running Firmware Version 1.0.0.9. Use the get command as shown to obtain the Firmware Version.
AT WA7400 get system version
1.0.0.9
Get the Location of the Access Point
In the following example, the location of the access point has not been set. Use the get command as shown to obtain the location of the access point.
Access Point and Cluster Settings
AT WA7400 get cluster location
not set
Set the Location for an Access Point
To set the location for an access point, use the set command as follows:
AT WA7400 set system location hallway
AT WA7400 set system location Vicky's Office
To check to make sure that the location was set properly, use the get command again to find out the location:
AT WA7400 get system location
Vicky's office
Get the Current Password
AT WA7400 get system encrypted password
2yn 4fvaTgedm
Set
167. e
If no DHCP server is present on the network, you must manually assign static IP addresses to your wireless clients and other network devices.
The AT WA7400 Wireless Access Point is shipped with a default static IP address of 192.168.1.230. (See Appendix A, Management Software Default Settings on page 215.) If no DHCP server is found on the network, the access point retains this static IP address at first-time startup.
After the access point starts up, you have the option of specifying a static IP addressing policy on AT WA7400 Wireless Access Point and assigning static IP addresses to access points on the internal network using the management software. (See information about the Connection Type field and related fields in Enabling or Disabling Guest Access on page 90.)
Caution: If you do not have a DHCP server on the internal network and do not plan to use one, the first thing you must do after bringing up the access point is to verify that the Connection Type is Static IP. You can either assign a new Static IP address to the access point or continue using the default address. Allied Telesyn recommends assigning a new Static IP address so that if later you bring up another AT WA7400 Wireless Access Point on the same network, the IP address for each access point will be unique.
Chapter 1 Preparing to Set Up the AT WA7400 Wireless Access Point
Recovering an IP Address
If you experience trouble communicat
168. e
This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
This key is provided for me automatically: Enable (click to check) this option.
3. Configure this setting on the Authentication tab:
EAP Type: Choose Protected EAP (PEAP).
Appendix B Configuring Security on Wireless Clients
Figure 8. Protected EAP Properties Dialog Box and EAP Properties Dialog Box (callouts: Disable (click to uncheck) Validate server certificate; Choose Secured password (EAP MSCHAP v2), then click Configure; Disable (click to uncheck) option to automatically use Windows logon name and password)
4. Click Properties to open the Protected EAP Properties dialog box and configure the following settings:
Validate Server Certificate: Disable this optio
169. e IEEE 802.1x security mode with an external RADIUS server, as shown in Figure 9. [Figure 9: Security Settings Page, showing Broadcast SSID (Allow/Prohibit), Station Isolation (Off/On), Security Mode (IEEE 802.1x), Authentication Server (External), Radius IP, and Radius Key.] 6. Then configure IEEE 802.1x security with certificate authentication on each client as follows (Figure 10). [AT WA7400 Management Software User's Guide] [Figure 10: Wireless network properties dialog, Association and Authentication tabs. Callouts: Enable (click to check) IEEE 802.1x authentication; Choose Smart Card/Certificate; Choose Open; Choose WEP Data Encryption mode, then click Properties.]
170. e LAN port on the access point and the other end to the same hub where your PC is connected. Or connect one end of an Ethernet cable to the LAN port on the access point and the other end of the cable to the Ethernet port on your PC. 2. Insert the AT WA7400 Wireless Access Point CD into the CD-ROM drive on your computer. The CD's main page is shown in Figure 1. [Figure 1: AT WA7400 CD Main Page] 3. Click KickStart Utility. The KickStart page, as shown in Figure 3, provides two options: Open KickStart and Install KickStart. [Figure 2: KickStart Page] [Chapter 2: Setting up the AT WA7400 Management Software] For information about installing KickStart, refer to "Installing KickStart on the Administrator's PC" on page 30. Otherwise, continue with this procedure. 4. Click Open KickStart. The KickStart Welcome dialog box is displayed, as shown in Figure 3. The dialog reads: KickStart finds new and existing Instant802 Orchestrator smart Access Points. If you are configuring the first Access Point, KickStart will guide you through the process. Is your new Access Point plugged in and powered up? When it is, click Next and the Kickstart wizard will guide you through
171. e cluster configuration with other access points, it must be configured manually. You can always update the settings on a standalone access point to have it join the cluster. You can also remove an access point from a cluster, thereby switching it to run in standalone mode. 5. Click Update to activate the wireless network with these new settings. If you follow the steps above and accept all the defaults, the access point will have the default configuration described in Appendix A, "Management Software Default Settings" on page 215. Next Steps: Make Sure the Access Point is Connected to the LAN; Test LAN Connectivity with Wireless Clients; Secure and Fine-Tune the Access Point Using Advanced Features. To make sure the access point is connected to the LAN, bring up some wireless clients and connect the clients to the network. After you have tested the basics of your wireless network, you can enable more security and fine-tune the setup by modifying advanced configuration features on the access point. If you configured the access point and administrator PC by connecting both into a network hub, then your access point is already connected to the LAN. That's it, you're up and running. The next step is to test some wireless clients. If you configured the access point using a direct wired connection (using a crossover cable from your computer to the access point), do the following:
172. e existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). The Beacon Interval is set on the Advanced > Radio Settings page. (See Chapter 13, "Configuring Radio Settings" on page 145.) Capability: A hexadecimal number which, when converted to binary, indicates each IEEE 802.11 feature or functionality and whether it is on or off on this access point. Last Beacon: Shows the date and time the most recent beacon was transmitted from the access point. [Chapter 7: Wireless Neighborhoods] Chapter 8: Configuring Ethernet (Wired) Settings. Ethernet (wired) settings describe the configuration of your Ethernet local area network (LAN). Note: The Ethernet settings, including guest access, are not shared across the cluster. You must configure these settings on the web pages for each access point. To get to the web pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster > Access Points page of the current access point. For more information about which settings are shared by the cluster and which are not, see "Which Settings are Shared as Part of the Cluster Configuration and Which Are Not" on page 45. This chapter contains the following sections: "Setting the DNS Name" on page 88; "Enabling or Disabling Guest Access" on page 90; Enabling or Disabling Spanning Tree
173. e main menu, select Cluster > Wireless Neighborhood. The Wireless Neighborhood page is displayed, as shown in Figure 28 on page 81. 2. Click the IP address of a cluster member at the top of the page. The Neighbor Details section is displayed at the bottom of the page, as shown in Figure 29. [Figure 29: Neighbor Details Information, a table with the columns SSID, MAC Address, Channel, Rate, Signal, Beacon Interval, and Beacon Age.] The table displays the following information about the access point. SSID: The Service Set Identifier (SSID) for the access point. The SSID is an alphanumer
174. e screen: login as: manager admin@10.10.100.110's password: Enter 'help' for help. When the user name and password is accepted, the screen displays the AT WA7400 Wireless Access Point help command prompt: AT WA7400. You are now ready to enter CLI commands at the command line prompt. [Appendix D: Command Line Interface (CLI) for Access Point Configuration] Quick View of Commands and How to Get Help. Caution: Settings you update from the CLI (with the get, set, add, and remove commands) are not saved to the startup configuration unless you explicitly save them using the save running command. For a description of configurations maintained on the access point and details on how to save your updates, see "Saving Configuration Changes" on page 281. Commands and Syntax: The CLI for the AT WA7400 Wireless Access Point provides the commands shown in Table 3. Note: named_class is a class of an object from the configuration whose instances are individually named; instance is a name of an instance of class; field values cannot contain spaces unless the value is in quotes. For a detailed class and field reference, see "CLI Classes and Fields Reference" on page 354. Table 3: Commands and Syntax (columns: Command, Description). get: The get command allows you to get the field values of existing instances of a class. Classes can be named or
175. e station to the access point. With WMM disabled, you can still set some parameters on the downstream traffic flowing from the access point to the client station (AP EDCA parameters). To disable WMM extensions, click Disabled. To enable WMM extensions, click Enabled. Configuring Station EDCA Parameters: Station Enhanced Distributed Channel Access (EDCA) parameters affect traffic flowing from the client station to the access point. To configure the EDCA parameters, perform the following procedure: 1. In the Station EDCA parameters section of the Quality of Service page, configure the following parameters. Queue: Queues are defined for different types of data transmitted from station to access point. Data 0 (Voice): Highest priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue. Data 1 (Video): Highest priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue. Data 2 (best effort): Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. Data 3 (Background): Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). For more information, see "QoS Queues and Parameters to Coordinate Traffic Flow" on page 162. AIFS Inter-Frame Spac
176. e until a maximum number of retries allowed is reached. For more information, see "Random Backoff and Minimum/Maximum Contention Windows" on page 165. TXOP Limit (Station EDCA Parameter Only): The TXOP Limit applies only to traffic flowing from the client station to the access point. The Transmission Opportunity (TXOP) is an interval of time when a WME client station has the right to initiate transmissions onto the wireless medium (WM). This value specifies (in milliseconds) the Transmission Opportunity (TXOP) for client stations; that is, the interval of time when a WMM client station has the right to initiate transmissions on the wireless network. 2. Click Update to save the settings. Chapter 16: Configuring the Wireless Distribution System (WDS). The AT WA7400 Management Software lets you connect multiple access points using a wireless distribution system (WDS). WDS allows access points to communicate with one another wirelessly in a standardized way. This capability is critical in providing a seamless experience for roaming clients and for managing multiple wireless networks. It can also simplify the network infrastructure by reducing the amount of cabling required. The following sections describe how to configure the WDS using the AT WA7400 Management Software: "Understanding the Wireless Distribution System" on page 174; "Configuring WDS Settings" on page 178.
177. [illegible], 313; WPA Version, 315; Cipher Commands, 316; WPA Version Command, 318; Preauthentication Commands, 319; Cipher Command, 319; Authentication Server Commands, 320; RADIUS Accounting Commands, 321; WPA Client Command, 321; Guest Login and Welcome Page Commands, 323; Radio Settings Command, 326; Radio Operation Commands, 329; Radio Mode Command, 330; Rate Set Commands, 331; Accept and Deny List Commands, 334; [illegible]
178. [illegible], 327; Get Supported Rate Set, 328; Get Basic Rate Set, 329; Configure Radio Settings, 329; [illegible], 329; Set the Radio Mode, 329; Enable or Disable Super AG, 330; Set the Radio Channel, 330; Set the Beacon Interval, 330; Set the DTIM Period, 330; Set the Fragmentation Threshold, 331; Set the RTS Threshold, 331; Configure Basic and Supported Rate Sets, 331; MAC Filtering, 333; Specify an Accept or Deny List, 333; Add MAC Addresses of Client Stations to the Filtering List
179. [illegible], 258; Stop Clustering Page, 262; Reset Configuration Page, 263; Cluster Management Page, 263; PuTTY Configuration Dialog Box, 271; CLI Class Relationships, 355. Tables (Table 1 through Table 38): Static WEP Configuration, 108; IEEE 802.1x Configuration, 109; WPA/WPA2 Configuration, 110; RADIUS Security, 111; Worldwide Frequencies for 802.11g and 802.11b Radios, 148; Managem
180. eeeeeeeceeeeeeaaeeeeeeaeeceeeeesaeeeeeaaeeseeeeeesaaeeseeaeeeseeensaeeeseaeessneeeesneeeeeaas 90 Enabling or Disabling Virtual Wireless Networks on the Access POINt ceeeeceeeeeeeeeeeeeseeeeeeeeeeeeesaeeeeeeaeeesneeeenaeeeeeaas 90 Enabling or Disabling Spanning Tree vc c c cc ueeceseecteeecceessctesbec ck oeese cence a E Sobebben ss viseeu snes E EE i Naa a duane 92 Configuring the Internal Interface Ethernet Settings eee ceeneeeeeeceeeeneeeeaeeesneeeeeaeeeeeaaeeseneeeeseeseaaeeseneeeensaeeeeeaeeenneeened 93 Configuring the Guest Interface SettingS 2 cc ccccccccesueeeueceosecetecesneeesteeeseueddedeccevesdhesedeoetduseedessdduesedadesdedeeddtesdeceedetssdeneedecesse 96 Chapter 9 Configuring the Wireless Settings 00 0 0 eee ceeeeeeeeeeeeenaeeeeeeeeeeaeeeeeaaeeeeeeeeesaeeeseaeeeeeeeeeeneeeneeeeeeaaees 97 Configuring 802 11d Regulatory Domain Support eee eee ceeeceeenneeceeeeeeeneeeeeaaeeeeeeeeesaeeeseaaeeseeeeeseaeeseeeesneeeensaeeeseaeessneeeee 98 Configuring the Radio Intertace irinin ee e ei deustensdugecewecdesdbdebes Secbeavdh eceduadbussenoetanets 100 Configuring Internal Wireless LAN SettingS eeccceesseeeeeceeeeneeceeeeeseeeeeeaeeeceeaeesaaeeeseaaeeseeeaeesneeeenaeeseeeeessieeeeenaeeeneaees 102 Configuring the Guest Network Wireless Settings 00 0 0 eccececceeesneeceneeeeneeeeeeaaeeeeeeaeeeaeeeesaaeeseeeeeeseaeeeseaeeeseeaeeeseeeneaeeeeneaees 103 Chapter 10 Configuring S Curity uiine aea iiaia eaaa iet
181. [illegible], 284; Set the Location for an Access Point, 285; Get the Current Password, 285; Set the Password, 285; Get the Wireless Network Name (SSID), 285; Set the Wireless Network Name (SSID), 285; Access Point and Cluster Settings, 285; Determine if the Access Point is a Cluster Member or in Standalone Mode, 286; Get MAC Addresses for all Access Points in the Cluster, 286; Configure the Access Point as a Member of a Cluster, 286; Configure the Access Point as a Standalone Device, 287; User Accounts, 287; Get All User Accounts
182. [illegible], 324; Set Guest Welcome Page Text, 324; Review Guest Login Settings, 324; Configuring Multiple BSSIDs on Virtual Wireless Networks, 325; Configuring Virtual Wireless Network One on Radio One, 325; Configure These Settings from the Web UI First, 325; Use the CLI to Configure Security on the Interface, 325; Use the CLI to set the Network Name (SSID) for the New Virtual Wireless Network, 326; Creating VWN Two on Radio One with WPA security, 326; Radio Settings, 326; Get IEEE 802.11 Radio Mode, 326; Get Radio Channel, 327; Get Basic Radio Settings, 327; Get All Radio Settings
183. [illegible], 192; Viewing the Status of Neighboring Access Points, 193; Viewing System Information, 197; Setting the Administrator Password, 199; Enabling the Network Time Protocol (NTP) Server, 202; Setting the HTTP Timeout, 204; Rebooting the Access Point, 205; Resetting the Configuration to Factory Defaults, 206; Upgrading the Firmware, 207; Verifying the Firmware Upgrade, 208; SNMP Firmware Upgrade
184. embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2. WPA/WPA2 configuration is described in Table 3. Table 3: WPA/WPA2 Configuration. Key Management: WPA/WPA2 Personal (PSK) provides dynamically generated keys that are periodically refreshed. There are different Unicast keys for each station. Encryption Algorithm: Temporal Key Integrity Protocol (TKIP); Counter mode/CBC-MAC Protocol (CCMP) Advanced Encryption Standard (AES). User Authentication: The use of a Pre-Shared (PSK) key provides user authentication similar to that of shared keys in WEP. WPA/WPA2 Personal (PSK) is not recommended for use with the AT WA7400 Wireless Access Point when WPA/WPA2 Enterprise (RADIUS) is an option. Allied Telesyn recommends that you use WPA/WPA2 Enterprise (RADIUS) mode instead, unless you have interoperability issues that prevent you from using this mode. For example, some devices on your network may not support WPA or WPA2 with EAP talking to a RADIUS server. Embedded printer servers or other small client devices with very limited space for implementation may not support RADIUS. For such cases, we recommend that you use WPA/WPA2 Personal (PSK). For information on how to configure this security mode, see "WPA/WPA2 Personal (PSK)" on page 123 under "Configuring Security Settings" on page 114. When to Use WPA/WPA2 Enterprise (RADIUS)
185. [Figure 35: Providing a Wireless Client with a WEP Key. The dialog shows encryption (WEP enabled), Network Authentication (Shared mode), Network key, Confirm network key, Key index (advanced): 1, and the option "The key is provided for me automatically".] If you have a second client station, that station also needs to have one of the WEP keys defined on the access point. You could give it the same WEP key you gave to the first station. Or, for a more secure solution, you could give the second station a different WEP key (key 2, for example) so that the two stations cannot decrypt each other's transmissions. Static WEP with Transfer Key Indexes on Client Stations: Some wireless client software (like Funk Odyssey) lets you configure multiple WEP keys and set a transfer index on the client station; then you can specify different keys to be used for station-to-access-point transmissions. (The standard Windows wireless client software does not allow you to do this.) To build on the example, using Funk Odyssey client software you could give each of the clients WEP key 3 so that they can decode the access point transmissions with that key, and also give client 1 WEP key 1 and set this as its transfer key. You could then give client 2 WEP key 2 and set this as its transfer key index. The following figure illustrates the dynamics of the access point and two client stations using multiple WEP keys and a transfer key index.
186. ended. These recovery methods are given in the order you should try them. In all but the last case (stop clustering), you only need to reset or reboot the particular access point whose configuration is out of sync with other cluster members or cannot remove/join the cluster. Reboot the access point from its web UI. To do this, go to http://IPAddressofAccessPoint, navigate to Advanced > Reboot, and click Reboot. (IP addresses for access points are on the Cluster > Access Points page for cluster members.) Physically reboot the access point by pressing the Reset button on the AT WA7400 Wireless Access Point. Reset the access point from its web UI. To do this, go to http://IPAddressofAccessPoint, navigate to Advanced > Reset Configuration, and click Reset. (IP addresses for access points are on the Cluster > Access Points page for any cluster member.) Physically reset the access point by pressing the Reset button on the device. In some extreme cases, reboot or reset may not solve the problem. In these cases, follow the procedure described next in "Stop Clustering and Reset Each Access Point in the Cluster" to recover every access point on the subnet. If the previous reboot or reset methods do not solve the problem, do the following to stop clustering and reset all access points: 1. Enter the Stop Clustering command as part of the URL in the address bar of your web browser as follows: http://IPAddressofAc
187. ent, a hacker may be able to connect to the network from many miles away. For a more detailed explanation of security concepts, including a comparison of the advantages and disadvantages of using different security modes and suggestions on which mode to use, see Appendix B, "Configuring Security on Wireless Clients" on page 217. In general, Allied Telesyn recommends that you use the most robust security mode that is feasible in your environment on your internal network. When you configure security on the access point, you first must choose the security mode, then in some modes an authentication algorithm, and whether to allow clients not using the specified security mode to associate. Wi-Fi Protected Access (WPA) with Remote Authentication Dial-In User Service (RADIUS) using the CCMP (AES) encryption algorithm provides the best data protection available and is clearly the best choice if all client stations are equipped with WPA supplicants. However, backward compatibility or interoperability issues with clients or even with other access points may require that you configure WPA with RADIUS with a different encryption algorithm or choose one of the other security modes. Security may not be as much of a priority on some types of networks. If you are only providing Internet and printer access, as on a guest network, plain text mode (no security) may be the appropriate choice. To prevent clients from accidentally discovering and connecting to you
188. ent Software Default Settings, 215; Comparison of CLI to Web Browser Interface Settings, 266; Commands and Syntax, 273; Interfaces in the CLI, 279; Basic Settings Commands, 282; Cluster Functions and Commands, 286; User Account Command, 287; [illegible], 290; Wired Interface Commands, 301; Security Commands, 304; WEP Key Length Command, 308; Key Type Commands, 308; Authentication Algorithm Commands, 309; Authentication Server Commands, 312; RADIUS Accounting Commands
189. [Figure 15: Protected EAP Properties Dialog Box. Callouts: Validate server certificate: Disable (click to uncheck) this option; Select Authentication Method: Secured password (EAP MSCHAP v2), then click Configure.] 6. Configure the following settings. Validate Server Certificate: Disable this option (click to uncheck the box). Note: This example assumes you are using the Built-in Authentication server on the access point. If you are setting up EAP/PEAP on a client of an access point that is using an external RADIUS server, you might enable certificate validation and choose a certificate, depending on your infrastructure. Select Authentication Method: Choose Secured password (EAP MSCHAP v2). 7. Click Configure to open the EAP MSCHAP v2 Properties dialog box. 8. Disable (click to uncheck) the option to "Automatically use my Windows login name" etc. so that upon login you will be prompted for user name and passwo
190. ents that support WPA or WPA2 and some older ones that do not support any flavors of WPA. You might even have other access points on the network that support only 802.1x and some that support WPA with RADIUS or WPA2 Enterprise (RADIUS). For as long as this mix persists, use the Allow non-WPA IEEE 802.1x clients option. When all the stations have been upgraded to use WPA (or better yet, WPA2), you should disable the Allow non-WPA IEEE 802.1x clients option and set the WPA Versions option appropriately (WPA, WPA2, or Both). For information on how to configure this security mode, see "WPA/WPA2 Enterprise (RADIUS)" on page 125. Does Prohibiting the Broadcast SSID Enhance Security? You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the access point's broadcast SSID is suppressed, the network name is not displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it can connect. Disabling the broadcast SSID is sufficient to prevent clients from accidentally connecting to your network, but it will not prevent even the simplest of attempts by a hacker to connect or monitor plain text traffic. This offers a very minimal level of protection on an otherwise exposed network. How Does Station Isolation Protect the Network?
191. equired for each WEP key depends on how you set Key Length and Key Type. If Key Length is 40 bits and the Key Type is ASCII, then each WEP key must be 5 characters long. If Key Length is 40 bits and Key Type is Hex, then each WEP key must be 10 characters long. If Key Length is 104 bits and Key Type is ASCII, then each WEP Key must be 13 characters long. If Key Length is 104 bits and Key Type is Hex, then each WEP Key must be 26 characters long. Although the CLI will allow you to enter WEP keys of any number of characters, you must use the correct number of characters for each key to ensure a valid security configuration. AT WA7400 set interface wlan0 wep key 1 abcde; AT WA7400 set interface wlan0 wep key 2 fghi; AT WA7400 set interface wlan0 wep key 3 k1imno; AT WA7400 set interface wlan0 wep key 4. Set the Authentication Algorithm: The options for the authentication algorithm are Open System, Shared Key, or Both, and are shown in Table 13. Table 13: Authentication Algorithm Commands (columns: Function, Command). Set Authentication Algorithm to Open System: set bss wlan0bssInternal open system authentication on; set bss wlan0bssInternal shared key authentication off. Set Authentication Algorithm to Shared Key: set bss wlan0bssInternal open system authentication off; set bss wlan0bssInternal shared key authentication on. Set Authentication
192. [Figure 26: Security Alert Window. The alert reports a problem with the site's security certificate: the certificate was issued by a company you have not chosen to trust, the certificate date is valid, and the name on the certificate is invalid or does not match the name of the site. It asks whether you want to proceed and offers View Certificate.] 2. Click Yes to open the secure web page for the server. The Welcome page for the Certificate Server is displayed in the browser, as shown in Figure 27. [Figure 27: the Microsoft Certificate Services Welcome page, offering the tasks Request a certificate; View the status of a pending certificate request; Download a CA certificate, certificate chain, or CRL.]
193. [Figure 65. Configure SNMP Firmware Upgrade Page]

For the SNMP Firmware option, click Enabled.
In the TFTP Server IP Address field, enter the IP address of the host TFTP server where the software is located.
In the Firmware Filename field, enter the path and file name of the file you want to download.
Click Upgrade Firmware.
Wait about five minutes for the upgrade to complete.

Chapter 18: Backing Up and Restoring a Configuration

You can save a copy of the current settings on the AT-WA7400 Wireless Access Point to a backup configuration file. You can use the backup file at a later date to restore the access point to the previously saved configuration. The following topics describe how to back up and restore access point configurations:

o Backing up the Configuration Settings for an Access Point on page 212
o Restoring Access Point Settings to a Previous Configuration on page 213

Backing up the Configuration Settings for an Access Point

To save a copy of the current settings on an access point to a backup configuration file (cbk format), perform the following procedure:

1. From the main menu, select Advanced > Backup/Restore. The Backup/Restore page is shown in Figure 66.

To Save the Current Configuration to a Ba
194. ers for traditional IP data. For example, time-sensitive voice, video, and multimedia are given effectively higher priority for transmission (lower wait times for channel access), while other applications and traditional IP data, which are less time-sensitive but often more data-intensive, are expected to tolerate longer wait times.

The AT-WA7400 Management Software implements QoS based on the IEEE wireless multimedia (WMM) standard. A Linux-based queuing class is used to tag packets and establish multiple queues. The queues provided offer built-in prioritization and routing based on the type of data being transmitted. AT-WA7400 Management Software provides a way for you to configure parameters on the queues.

QoS Queues and Type of Service (ToS) on Packets

QoS on the AT-WA7400 Wireless Access Point leverages WMM information in the IP packet header related to Type of Service (ToS). Every IP packet sent over the network includes a ToS field in the header that indicates how the data should be prioritized and transmitted over the network. The ToS field consists of a 3 to 7 bit value, with each bit representing a different aspect or degree of priority for this data as well as other meta-information (low delay, high throughput, high reliability, low cost, and so on). For example, the ToS for FTP data packets is likely to be set for maximum throughput because the critical consideration for FTP is the ability to transmit relatively large amounts of
195. ersion 1.0 and greater, the RADIUS server User Datagram Protocol (UDP) ports used by the access point are configurable. The AT-WA7400 Management Software defaults to use RADIUS server UDP port 1812 for authentication and port 1813 for accounting.

RADIUS IP
The RADIUS IP is the IP address of the RADIUS server. The IP address of the AT-WA7400 Wireless Access Point's internal authentication server is 127.0.0.1. If you have an external RADIUS server on your network, Allied Telesyn recommends that you use it rather than the embedded RADIUS server on the access point. An external RADIUS server will provide better security than the local authentication server.

WPA/WPA2 Personal (PSK)

For information on setting up user accounts, see Chapter 4, Managing User Accounts, on page 57.

RADIUS Port
The default port number is 1812. You can change this if your application requires it.

RADIUS Key
The RADIUS Key is the shared secret key for the RADIUS server. The text you enter is displayed as characters to prevent others from seeing the RADIUS key as you type. The AT-WA7400 Management Software internal authentication server key is secret. This value is never sent over the network.

WPA Group Rekey Interval
The interval after which the WPA encryption key is automatically changed and authenticated between devices. The shorter the interval is, the stronger that the encry
197. ess point on the Advanced > Security page, as shown in Figure 24.

[Figure 24. New RADIUS Client Wizard: Additional Information Dialog Box. Fields shown: Client-Vendor, Shared secret, Confirm shared secret, and the option "Request must contain the Message Authenticator attribute".]

7. Re-type the key to confirm.
8. Click Finish.

The access point is now displayed as a client of the Authentication Server (Figure 25).

[Figure 25. Internet Authentication Service Window Showing Access Point]

Obtaining a TLS-EAP Certificate for a Client

Note: If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Authority Infrastructure PKI
198. et (Wired) settings, including enabling or disabling guest access
o Guest interface configuration

Settings that are not shared must be configured individually on the AT-WA7400 Management Software web pages for each access point. To access the AT-WA7400 Management Software web pages for an access point that is a member of the current cluster, click on its IP Address link on the Cluster > Access Points page of the current access point.

Cluster Mode

When an access point is a cluster member, it is considered to be in cluster mode. You define whether you want new access points to join the cluster or not via the configuration policy you set in the Basic Settings. You can re-set an access point in cluster mode to standalone mode. See Removing an Access Point from the Cluster on page 49.

Note: When the cluster is full (eight access points is the limit), extra access points are added in standalone mode regardless of the configuration policy in effect for new access points. See How Many Access Points Can a Cluster Support on page 44.

Standalone Mode

The AT-WA7400 Wireless Access Point can be configured in standalone mode. In standalone mode, an access point is not a member of the cluster and does not share the cluster configuration, but rather requires manual configuration that is not shared with other access points. See Removing an Access Point from the Cluster
199. et radio wlan0 mode turbo g

Atheros Dynamic Turbo 2.4 GHz: set radio wlan0 mode dynamic turbo g

The following command sets the wireless mode to IEEE 802.11g:

AT-WA7400 set radio wlan0 mode g

Enable or Disable Super AG

You cannot enable/disable Super AG from the CLI. You must set this from the web UI. For information on how to set this option, please see the field description for this option in Configuring Radio Settings on page 147.

Set the Radio Channel

The following command sets the Channel to 6:

AT-WA7400 set radio wlan0 channel 6

Set the Beacon Interval

The following command sets the beacon interval to 80:

AT-WA7400 set radio wlan0 beacon interval 80

Set the DTIM Period

The Delivery Traffic Information Map (DTIM) period indicates how often wireless clients should check to see if they have buffered data on the access point awaiting pickup. The measurement is in beacons. Specify a DTIM period within a range of 1 - 255 beacons. For example, if you set this to 1, clients will check for buffered data on the access point at every beacon. If you set this to 2, clients will check on every other beacon.

The following command sets the DTIM interval to 3:

AT-WA7400 set bss wlan0bssInternal dtim period 3

To get the updated value for DTIM interval after you have changed it:

AT-WA7400 get bss wlan0bssInternal dtim period
3

Set the Fragmentation Threshold

You can
200. et system location Vicky's Office

Get the Current Password:
  get system encrypted password

Set the Password:
  set system password NewPassword
  For example: set system password admin

Get the Wireless Network Name (SSID):
  get interface wlan0 ssid

Set the Wireless Network Name (SSID):
  set interface wlan0 ssid NewSSID
  For example:
  set interface wlan0 ssid Vicky
  set interface wlan0 ssid Vicky's AP

Get the IP Address for the Internal Interface on an Access Point

In the following example, the IP address for the access point is 10.10.55.216. Use the get command as shown to obtain the IP address for the internal network.

AT-WA7400 get interface br0 ip
10.10.55.216

Get the MAC Address for an Access Point

In the following example, the MAC address for the access point is 00:a0:c9:8c:c4:7e. Use the get command as shown to obtain the MAC address.

AT-WA7400 get interface br0 mac
00:a0:c9:8c:c4:7e

Get Both the IP Address and MAC Address

The following command returns both the IP address and the MAC address for an access point:

AT-WA7400 get interface br0 mac ip
Field   Value
ip      10.10.55.216
mac     00:a0:c9:8c:c4:7e

Get Common Information on All Interfaces for an Access Point

The following example shows common information (including IP addresses) for all interfaces:

AT-WA7400 get interfac
201. ettings Page

2. Configure WPA/WPA2 Personal (PSK) security on each client, as shown in Figure 20.

[Figure 20. Association Tab. Callouts: Choose WPA-PSK. Choose either TKIP or AES for the Data Encryption mode. Enter a network key that matches the one specified on the access point (and confirm by re-typing).]

3. Configure the following settings on the Association tab:

Network Authentication: WPA-PSK

Data Encryption: TKIP or AES, depending on how this option is configured on the access point.
Note: When the Cipher Suite on the access point is set to Both, then TKIP clients with a valid TKIP key and AES clients with a valid CCMP (AES) key can associate with the access point.

Network Key: Provide the key you entered on the access point Security settings for the cipher suite you are using. For example, if the key on the access point is set to use a TKIP key of 012345678, then a TKIP client specifies this same string as the network key.

The key is provided for me automatica
202. ettings for one of the radios, click Update, and then select and configure the other radio. Be sure to click Update to apply the second set of configuration settings for the other radio.

Understanding Radio Settings

Radio settings directly control the behavior of the radio device in the access point and its interaction with the physical medium; that is, how/what type of electromagnetic waves the access point emits. You can specify whether the radio is on or off, radio frequency (RF) broadcast channel, beacon interval (amount of time between access point beacon transmissions), transmit power, IEEE 802.11 mode in which the radio operates, and so on.

The AT-WA7400 Wireless Access Point is capable of broadcasting in the following modes:

o IEEE 802.11b mode
o IEEE 802.11g mode
o IEEE 802.11a mode
o Atheros Turbo 5 GHz
o Atheros Dynamic Turbo 5 GHz
o Atheros Turbo 2.4 GHz
o Atheros Dynamic Turbo 2.4 GHz

For more information about Atheros Turbo modes, see 802.11a Turbo. You configure the IEEE mode along with other radio settings, as described in Configuring Radio Settings on page 147.

Configuring Radio Settings

To configure the radio settings, perform the following procedure:

1. From the main menu, select Advanced > Radio. The Radio page for radio one is shown in Figure 45.
203. [Figure 10. Installing KickStart Dialog Box]

When the installation is complete, the Installation Complete dialog box is displayed, as shown in Figure 11.

[Figure 11. KickStart Installation Complete Dialog Box]

7. Click Close. You can now run KickStart from the Programs folder under Allied Telesyn.

Logging in to the AT-WA7400 Management Software

To access the AT-WA7400 management software, perform the following procedure:

1. In the KickStart Administration dialog box, click Administration. You are prompted for a user name and password, as shown in Figure 12.

[Figure 12. Login Dialog Box]

The defaults for user name and password are:

Username: manager
Password: friend

Note: You cannot modify the user name.

2. Enter the username and password and click OK. When you log in for the first time, the Basic Settings page is displayed, as shown in Figure 13. This page displays the global settings for all access points that are members of
204. f Service (QoS) for Voice Over IP (VoIP) and other such time-sensitive applications competing for bandwidth and timely access to the air waves on a wireless network. For more information about configuring your network for QoS, see Chapter 15, Configuring Quality of Service (QoS), on page 161.

Configuring Load Balancing

To configure load balancing, you enable load balancing and set limits and behavior to be triggered by a specified utilization rate of the access point.

Note: To view the current Utilization Rates for access points, click Cluster > Sessions on the web pages. See Chapter 5, Session Monitoring, on page 65.

Even when clients are disassociated from an access point, the network still provides continuous service to client stations if another access point is within range so that clients can re-connect to the network. Clients should automatically retry the access point they were originally connected to and other access points on the subnet. Clients who are disassociated from one access point should experience a seamless transition to another access point on the same subnet.

Load Balancing settings apply to the access point load as a whole. When guest access is enabled, the settings apply to both internal and guest networks together. On a two-radio access point, Load Balancing settings apply to both radios, but the load of each radio is calculated independently and in
205. fer to the Support & Services section of the Allied Telesyn web site: www.alliedtelesyn.com. Select your country from the list displayed on the website, then select the appropriate menu tab.

For hardware warranty information, refer to the Allied Telesis web site: www.alliedtelesis.com/support/warranty.

Products for return or repair must first be assigned a return materials authorization (RMA) number. A product sent to Allied Telesyn without an RMA number will be returned to the sender at the sender's expense. To obtain an RMA number, contact Allied Telesyn Technical Support through our web site: www.alliedtelesyn.com/support/rma. Select your country from the list displayed on the website, then select the appropriate menu tab.

You can contact Allied Telesyn for sales or corporate information through our web site: www.alliedtelesyn.com. To find the contact information for your country, select Contact Us > Worldwide Contacts.

New releases of management software for our managed products are available from either of the following Internet sites:

o Allied Telesyn web site: www.alliedtelesyn.com
o Allied Telesyn FTP server: ftp://ftp.alliedtelesyn.com

If you prefer to download new software from the Allied Telesyn FTP server from your workstation's command prompt, you will need FTP client software and you must log in to the server. Enter "anonymous" for the user name and your email address for the password.
206. fic

set wme queue wlan0 with queue Queue_Name to aifs AIFs_Value

Where Queue_Name is the queue on the station to which you want the setting to apply and AIFs_Value is the wait time value you want to specify for AIFs.

For example, this command sets the AIFs wait time on the station Voice queue (vo) to 14 milliseconds:

AT-WA7400 set wme queue wlan0 with queue vo to aifs 14

View the results of this configuration update (bold in the command output highlights the modified value):

AT-WA7400 get wme queue
name    queue   aifs   cwmin   cwmax   txop limit
wlan0   vo      14     3       7       47
wlan0   vi      2      7       15      94
wlan0   be      3      15      1023    0
wlan0   bk      7      15      1023    0

Set Minimum and Maximum Contention Windows (cwmin, cwmax)

The Minimum Contention Window (cwmin) sets the upper limit (in milliseconds) of the range from which the initial random backoff wait time is determined. For more details, see Random Backoff and Minimum/Maximum Contention Windows on page 165 and the more detailed field description for this value in that topic.

Valid values for the cwmin are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmin must be lower than the value for cwmax.

The Maximum Contention Window (cwmax) sets the upper limit (in milliseconds) for the doubling of the random backoff value. This doubling continues until either the data frame is sent or the Maximum Contention Window size is reached. For more details, see Random Backoff and Minimum/Maximum Contention Win
207. for wireless clients are being generated at a fast pace. A common problem encountered in client security setup is not having the right driver or updates to it on the client. For example, if you are setting up WPA on the client, make sure you have a driver installed that supports WPA, which is a relatively new technology. Even many client cards currently available do not ship from the factory with the latest drivers.

Accessing the Microsoft Windows Wireless Client Security Settings

To access the Microsoft Windows wireless client settings, perform the following procedure:

1. Use one of the following two ways to access the security properties for a wireless client:

a. From the wireless connection icon on the Windows task bar: Right-click on the wireless connection icon in your Windows task bar and select View available wireless networks. Select the SSID of the network to which you want to connect and click Advanced to open the Wireless Network Connection Properties dialog box.

b. From the Windows Start menu at the left end of the task bar: Choose Start > My Network Places to open the Network Connections window. From the Network Tasks menu on the left, select View Network Connections to open the Network Connections window. Select the wireless network connection you want to configure, right-click, and choose View available wireless networks. Select the SSID
208. g along with the interference reduction setting is designed to help weigh the cost/benefit impact on network performance of re-assigning channels against the inherent disruption it can cause to clients during a busy time.

4. Click Update to apply these settings.

Advanced settings take effect when they are applied and influence how automatic channel management is performed. The new interference reduction minimum, scheduled tuning interval, channel set, and network busy settings are taken into account for automated and manual updates.

Chapter 7: Wireless Neighborhoods

The wireless neighborhood view shows those access points within range of any access point in the cluster. This page provides a detailed view of neighboring access points, including identifying information (SSIDs and MAC addresses) for each, cluster status (which are members and non-members), and statistical information such as the channel each access point is broadcasting on, signal strength, and so forth.

This chapter contains the following sections:

o Understanding Wireless Neighborhood Information on page 80
o Displaying the Wireless Neighborhood Information on page 81
o Viewing Details of a Cluster Member on page 84

Understanding Wireless Neighborhood Information

The wireless neighborhood shows all
209. g and kernel messages, such as error conditions like dropping frames.

You cannot view kernel log messages directly from the web pages for an access point. You must first set up a remote server running a syslog process and acting as a syslog "log relay host" on your network. Then you can configure the AT-WA7400 Wireless Access Point to send its syslog messages to the remote server.

Using a remote server to collect access point syslog messages provides several benefits. You can:

o Aggregate syslog messages from multiple access points
o Store a longer history of messages than kept on a single access point
o Trigger scripted management operations and alerts

Setting Up the Log Relay Host

To use kernel log relaying, you must configure a remote server to receive the syslog messages. This procedure varies depending on the type of machine you use as the remote log host. Following is an example of how to configure a remote Linux server using the syslog daemon.

The following steps activate the syslog daemon on a Linux server. Make sure you have root user identity for these tasks.

1. Log on as root to the machine you want to use as your syslog relay host. The following operations require root user permissions. If you are not already logged on as root, type su at the command line prompt to become root (super user).

2. Edit /etc/init.d/sysklogd and add -r to the variable SYSLOGD near the top of the file. The line you edit will loo
210. g the same IEEE 802.11 mode. (See Configuring Radio Settings on page 147 for information on configuring the Radio mode and channel.)

o Do not create loops with either WDS bridges or combinations of Wired (Ethernet) connections and WDS bridges. Spanning Tree Protocol (STP), which manages path redundancy and prevents unwanted loops, is not enabled for this release. Keep these rules in mind when working with WDS in this release of the AT-WA7400 Management Software:

  o Any two access points can be connected by only a single path: either a WDS bridge (wireless) or an Ethernet connection (wired), but not both.
  o Do not create backup links.
  o If you can trace more than one path between any pair of access points going through any combination of Ethernet or WDS links, you have a loop.

o You can only extend or bridge either the internal or guest network, but not both.

Configuring WDS Settings

You must configure the WDS settings for each access point intended to receive, hands off, and send information from the sending access point. To configure WDS on an AT-WA7400 Access Point, perform the following procedure:

1. From the main menu, select Advanced > Wireless Distribution System. The Wireless Distribution System page is shown in Figure 52 on page 179.

Note: Figure 52 shows the WDS settings page for t
211. Configuring the IAPP Mapping Table

The Inter Access Point Protocol (IAPP) enforces a unique association through an extended service set (ESS) for the secure exchange of the station's security information between access points. To configure the IAPP map table, perform the following procedure:

1. From the main menu, select Advanced > IAPP Table. The Configure IAPP map table page is shown in Figure 40.

[Figure 40. IAPP Map Table. Page elements: Inter Access Point Protocol (Enabled / Disabled), IAPP Map Table, Remove, IP Address, MAC Address.]

2. For the Inter Access Point Protocol setting, click Enable.

3. To add a station to the map table:
a. In the fields below the map table, enter the IP and MAC addresses of the station you want to add.
b. Click Add.
c. Click Update.

4. To remove a station from the map table:
a. In the map table, select the station you want to remove.
b. Click Remove.
c. Click Update.

Configuring SNMP

Simple Network Management Protocol (SNMP) is another way for you to manage the access point. This type of management involves viewing and changing the management information base (MIB) objects on the device using an SNMP application program. To configure SNMP, perform the following procedure:

1. From the main menu, select Advanced > SNMP Co
212. ghboring Access Points. The Neighboring Access Points page is shown in Figure 57.

[Figure 57. Neighboring Access Points Page. Page elements: AP Detection (Enabled / Disabled), Update. Table columns: MAC Addr, Radio, Beacon Int., Type, SSID, Privacy, WPA, Band, Channel, Rate, Signal, # of Beacons, Last Beacon, Rates.]

2. Click Enabled to allow the software to detect the neighboring access points.

The Neighboring Access Points page displays a table that provides the following items of information:

MAC Address
Shows the MAC address of the neighboring access point. A MAC address is a hardware address that uniquely identifies each node of a network.

Radio (Two-Radio Access Points)
If the access point that is detecting the neighboring access points is a two-radio access point, the Radio field is included. The Radio field indicates which radio the neighboring access point was detected on.
215. he access point is in standalone mode.

AT-WA7400 get cluster detail
Field         Value
clustered     0
clusterable   0
kickstarted   0
location      not set
formation

Get MAC Addresses for all Access Points in the Cluster

AT-WA7400 get cluster member all
name                mac                 ip             location   removed
00:e0:b8:76:23:b4   00:e0:b8:76:23:b4   10.10.10.248   not set    0
00:e0:b8:76:16:88   00:e0:b8:76:16:88   10.10.10.230   not set    0

Configure the Access Point as a Member of a Cluster

set cluster clusterable 1

Configure the Access Point as a Standalone Device

set cluster clusterable 0

User Accounts

The following command examples show configuration tasks related to user accounts. These tasks correspond to the Cluster > User Management page in the web UI. Table 7 provides a quick view of User Management commands and provides links to detailed examples.

Table 7. User Account Commands

Function: Get All User Accounts
Command:  To view all usernames: get radius user all name
          To view all user accounts: get radius user all

Function: Add Users
Command:  add radius user UserName
          For example: add radius user samantha

          Set the user's real name:
          set radius user Username Realname
          For example: set radius user samantha Elizabeth Montgomery
          or: set radius user samantha Elizabeth

          Set user's password:
          set radius user UserName password Password
          For example: set radius user samantha password bewi
216. he two-radio access point. The web page for the one-radio access point will look slightly different.

[Figure 52. Wireless Distribution System Page ("Configure WDS bridges to other access points"). Fields shown for each WDS link: Radio, Local Address, Remote Address, Bridge with, WEP (Enabled / Disabled), Key Length (64 bits / 128 bits / 152 bits), Key Type (ASCII / Hex), Characters Required, WEP Key.]

2. Configure the following settings as necessary:

Radio
For each WDS link, select Radio One or Radio Two. The rest of the settings for the link apply to the radio selected in this field. The read-only Loca
217. KickStart Page 27; KickStart Welcome Dialog Box 28; KickStart Search Results Dialog Box 28; Administration Dialog Box 29; KickStart Setup Wizard Dialog Box 30; Select Installation Folder Dialog Box 31; KickStart Setup Disk Space Dialog Box 31; KickStart Installation Confirmation Dialog Box 32; Installing KickStart Dialog Box 32; KickStart Installation Complete Dialog Box 33; Login Dialog Box 34; Basic Settings Page
218. ialog Box 251; Internet Authentication Service Window Showing Access Point 252; Security Alert Window 254; Certificate Server Welcome Page 254; RADIUS Server Login Window 255; Request a Certificate Page 255; Security Warning Dialog Box 256; User Certificate Dialog Box 256; Potential Scripting Violation Dialog Box 256; Certificate Issued Dialog Box 257; Potential Scripting Error Dialog Box 257; Root Certificate Store Dialog Box 257; Certificate Installed Confirmation Window
219. ic string of up to 32 characters that uniquely identifies a wireless local area network It is also referred to as the Network Name To set the SSID refer to Configuring the Basic Settings and Starting the Wireless Network on page 37 Configuring Internal Wireless LAN Settings on page 102 or Configuring the Guest Network Wireless Settings on page 103 A guest network and an internal network running on the same access point must always have two different network names MAC Address Shows the MAC address of the neighboring access point A MAC address is a hardware address that uniquely identifies each node of a network 84 AT WA7400 Management Software User s Guide Channel Shows the channel on which the access point is currently broadcasting The channel defines the portion of the radio spectrum that the radio uses for transmitting and receiving The channel is set on the Advanced gt Radio Settings page See Chapter 13 Configuring Radio Settings on page 145 Rate Shows the rate in megabits per second at which this access point is currently transmitting The current rate will always be one of the rates shown in Supported Rates Signal Indicates the strength of the radio signal emitting from this access point as measured in decibels Db Beacon Interval Shows the beacon interval being used by this access point Beacon frames are transmitted by an access point at regular intervals to announce th
220. ike Up and Down arrow keys typically do Up Down arrow keys also work for this Up Arrow key 349 Appendix D Command Line Interface CLI for Access Point Configuration Table 33 Keyboard Shortcuts Continued CLI Action Keyboard Shortcut Display next command in history Ctrl p and Ctrl n let you cycle through a history of all executed commands like Up and Down arrow keys typically do Up Down arrow keys also work for this Ctrl n Down Arrow key Exit the CLI At a blank command prompt typing Ctrl d closes the CLI Typing Ctrl d within command text also removes characters one ata time at cursor location like Ctrl h Ctrl d Tab Completion You can get help on commands in the command line interface CLI by and Help using the TAB key See also Basic Settings on page 282 Hitting TAB once will attempt to complete the current command If multiple completions exist a beep will sound and no results will be displayed Enter TAB again to display all available completions O Example 1 At a blank command line press TAB twice to get a list of all commands AT WA7400 add Add an instance to the running configuration factory reset Reset the system to factory defaults get Get field values of the running configuration reboot Reboot the system remove Remove instances in the running configuration Save running Save the running configuration set Set field values of
221. welcome screen text: Thank you for using wireless Guest Access as provided by this Allied Telesyn AT WA7400 wireless access point. When you click Accept, you will gain access to our wireless guest network. This network allows complete access to the Internet but is external to the corporate network. Please note that this network is not configured to provide any level of wireless security.
Enable/Disable the Guest Welcome Page
To enable the Guest Welcome page:
AT WA7400 set portal status up
To disable the Guest Welcome page:
AT WA7400 set portal status down
Set Guest Welcome Page Text
To specify the text for the Guest Welcome page:
AT WA7400 set portal welcome screen text Welcome to the Wireless Network
Review Guest Login Settings
The following example shows the results of the set portal command after specifying some new settings:
AT WA7400 get portal
Field Value
status up
welcome screen on
welcome screen text Welcome to the Wireless Network
Configuring Multiple BSSIDs on Virtual Wireless Networks
Note: Before you configure this feature, make sure you are familiar with the names of the interfaces as described in Understanding Interfaces as Presented in the CLI on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the interna
222. ing 131 software defaults 215 spanning tree enabling or disabling 92 SSH connection to AP 270 standalone mode described 46 startup configuration 281 static WEP security mode 107 configuring 116 361 Index on WDS bridge 175 station isolation configuring 114 described 113 stations configuring maximum allowed 147 See also client Stop Clustering page 262 subnet mask default setting 215 supported platforms administrator 20 client 22 synchronization of cluster 47 system name default setting 215 T Telnet connection to AP 269 TLS EAP configuring on IEEE 802 1x client 231 configuring on WPA WPA2 Enterprise RADIUS client 241 obtaining certificate for client 253 TLS EAP certificate for a client 253 ToS as related to QoS 163 transmit power configuring 147 transmit receive statistics displaying 190 troubleshooting 259 U user adding 58 editing 60 user account backing up and restoring 62 disabling 61 enabling 60 removing 61 user authentication configuring on IEEE 802 1x client 227 configuring on WPA WPA2 Enterprise RADIUS client 236 user database backing up 62 restoring 63 user management described 57 users managing 57 V virtual wireless networks enabling or disabling 90 VLANs configuring 140 for internal and guest interface 135 W wait time for cluster auto synch 47 WDS configuring 178 default setting 216 example 181 362 explanation 174 Welcome screen configuring 136 WEP security mode c
223. ing with the access point you can recover a Static IP address by resetting the access point configuration to the factory defaults see Resetting the Configuration to Factory Defaults on page 206 or you can get a dynamically assigned address by connecting the access point to a network that has DHCP Chapter 2 Setting up the AT WA7400 Management Software Section Basic Features Setting up and deploying one or more AT WA7400 Wireless Access Points is in effect creating and launching a wireless network The KickStart utility and corresponding AT WA7400 Management Software Basic Settings web page simplify this process This chapter contains procedures for setting up your AT WA7400 Wireless Access Points and the resulting wireless network Have the AT WA7400 Wireless Access Point CD handy and familiarize yourself with the default settings described in Appendix A Management Software Default Settings on page 215 This chapter includes the following procedures Running KickStart to Find Access Points on the Network on page 26 Logging in to the AT WA7400 Management Software on page 34 Navigating the Web Pages on page 36 QOQQ0Q0 0 Configuring the Basic Settings and Starting the Wireless Network on page 37 Q Next Steps on page 41 Q Logging in After the Initial Setup on page 42 25 Chapter 2 Setting up the AT WA7400 Management Software Running KickStart to Find Access Po
224. interface is Internal, guest, VWN1 or VWN2, use the following command to look at the role field: get interface vlanVLANID role. For example: get interface vlan1234 role. Saving Configuration Changes: The AT WA7400 Wireless Access Point maintains three different configurations. Factory Default Configuration: This configuration consists of the default settings shipped with the access point, as specified in Appendix A Management Software Default Settings on page 215. You can always return the access point to the factory defaults by using the factory reset command, as described in Resetting the Access Point to the Factory Defaults on page 348. Startup Configuration: The startup configuration contains the settings that the access point will use the next time it starts up, for example upon reboot. To save configuration updates made from the CLI to the startup configuration, you must execute the save running or set config startup running command from the CLI after making changes. Running Configuration: The running configuration contains the settings with which the access point is currently running. When you view or update configuration settings through the CLI using get, set, add and remove commands, you are viewing and changing values on the running configuration only. If you do not save the configuration by executing the save running or set c
225. interference must be reduced by 75 percent and the proposed channel assignments will only reduce interference by 30 percent, then channels are not reassigned. However, if you re-set the minimal channel interference benefit to 25 percent and click Update, the proposed channel plan will be implemented and channels reassigned as needed. Determine if there is better set of channels every: Select the schedule from the list. The range of intervals is from 1 Minute to 6 Months, and the default is 1 Hour (channel usage reassessed and the resulting channel plan applied every hour). Use these channels when applying channel assignments: Choose a set of noninterfering channels on a particular band (b/g or a). The choices are: b/g channels 1-6-11; b/g channels 1-4-8-11; a. IEEE 802.11b/802.11g modes (802.11 b/g) support use of channels 1 through 11. For the b/g radio band, the classical set of non-interfering channels is 1, 6, 11. Channels 1, 4, 8, 11 produce minimal overlap. IEEE 802.11a mode supports a larger set of non-consecutive channels (36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165). All a band channels are non-interfering. Apply channel modifications even when the network is busy: Click to enable or disable this setting. A checkmark indicates it is enabled and channel modifications are applied even when the network is busy. If this is not checked, channel modifications are not applied on a busy network. This settin
226. ints on the Network 26 KickStart is an easy to use utility for discovering and identifying new AT WA7400 Wireless Access Points KickStart scans the network looking for access points displays ID details on those it finds and provides access to the AT WA7400 Management Software Note KickStart and the other AT WA7400 tools recognizes and configures only AT WA7400 Wireless Access Points KickStart will not find or configure non AT WA7400 Wireless Access Points and will not find any other devices Note Run KickStart only in the subnet of the internal network SSID Note KickStart finds only those access points that have IP addresses IP addresses are dynamically assigned to access points if you have a DHCP server running on the network If you deploy the access point on a network with no DHCP server the default static IP address 192 168 1 230 is used A Caution Use caution with non DHCP enabled networks Do not deploy more than one new access point on a non DHCP network because they will use the same default static IP addresses and conflict with each other For more information see Understanding Dynamic and Static IP Addressing on the AT WA7400 Management Software on page 23 To start the discovery process perform the following procedure 1 Do one of the following to create an Ethernet connection between the access point and your computer O Connect one end of an Ethernet cable to th
227. io the solution is to use a wired client to gain access to the access point Create a wired Ethernet connection from a PC to the access point Start the AT WA7400 Management Software Repeat the upgrade process using the wired client Note You must upgrade each access point you cannot upgrade firmware automatically across the cluster Keep in mind that a successful firmware upgrade restores the access point configuration to the factory defaults See Appendix A Management Software Default Settings on page 215 To upgrade the firmware on a particular access point perform the following procedure 1 From the main menu of the access point you want to upgrade select Advanced gt Upgrade 207 Chapter 17 Maintenance and Monitoring 208 Verifying the Firmware Upgrade The Upgrade Firmware page is shown in Figure 64 Upgrade firmware Model ATI WA7400 Enterprise AP Platform wa 7400 Firmware Yersion wa 7400 ver 1 11 06c_DUAL Jan 24 2006 10 45 53 New Firmware Image Browse Please note Uploading the new firmware may take up to 20 seconds Please do not refresh the page or navigate to another page while uploading thew new firmware or the firmware upload will be aborted When the upload is complete a page will be displayed indicating whether the new firmware was uploaded successfully If successful the upgrade will proceed automatically Update Figure 64 Upgrade Firmware Page
228. ion changes specified by multiple users will be applied This chapter contains the following sections o Understanding Clustering on page 44 o Understanding and Changing Access Point Settings on page 48 o Navigating to Configuration Information for a Specific Access Point and Managing Standalone Access Points on page 52 o Configuring MAC Address Filtering on page 53 o MAC Filtering of Rogue Access Points on page 55 43 Chapter 3 Managing Access Points and Clusters Understanding Clustering What is a Cluster How Many Access Points Can a Cluster Support What Kinds of Access Points Can Cluster Together What is the Relationship of the Master Access Point to Other Cluster Members 44 A key feature of the AT WA7400 Management Software is the ability to form a dynamic configuration aware group called a cluster with other AT WA7400 Wireless Access Points in a network in the same subnet Access points can participate in a self organizing cluster which makes it easier for you to deploy administer and secure your wireless network The cluster provides a single point of administration and lets you view the deployment of access points as a single wireless network rather than a series of separate wireless devices A cluster is a group of access points which are coordinated as a single group through the AT WA7400 Management Software You cannot create multiple clusters on a si
229. ions. If you use WDS on a LAN intended for secure wireless traffic, you are putting your network at risk. Therefore, Allied Telesyn recommends using WDS to bridge the guest network only for this release. Do not use WDS to bridge access points on the internal network unless you are not concerned about the security risk for data traffic on that network. For more information about the effectiveness of different security modes, see Appendix B Configuring Security on Wireless Clients on page 217. This topic also covers use of plain text security mode for access point to station traffic on the guest network, which is intended for less sensitive data traffic. The following list summarizes some critical guidelines regarding WDS configuration. The only security mode available on the WDS link is Static WEP, which is not very secure. Therefore, Allied Telesyn recommends that you use WDS to bridge the guest network only for this release. Do not use WDS to bridge access points on the internal network unless you are not concerned about the security risk for data traffic on that network. When using WDS, be sure to configure WDS settings on both access points participating in the WDS link. You can have only one WDS link between any pair of access points. That is, a remote MAC address may appear only once on the WDS page for a particular access point. Both access points participating in a WDS link must be on the same radio channel and usin
230. ish internal and guest networks on the same access point SSID Wireless network name Also known as the SSID this alphanumeric key uniquely identifies a wireless local area network The SSID is set on the Basic Settings page The Transmit and Receive sections provide the following information Total Packets Indicates total packets sent in Transmit table or received in Received table by this access point Total Bytes Indicates total bytes sent in Transmit table or received in Received table by this access point Errors Indicates total errors related to sending and receiving data on this access point 191 Chapter 17 Maintenance and Monitoring Viewing the Associated Wireless Clients Link Integrity Monitoring What is the Difference Between an Association and a Session 192 To view the client stations associated with a particular access point perform the following procedure 1 From the main menu select Status gt Client Associations The Client Associations page is shown in Figure 56 View list of currently associated client stations Radio Network Station Status From Station To Station Authenticated Associated Packets Bytes Packets Bytes Two Internal O0 0a 79 89 66 3d Yes Yes 39 1134 26 2749 Two Guest 00 0a 79 89 66 42 Yes Yes 12906 402859 6616 676428 Figure 56 Client Associations Page The associated stations are displayed along with information about packet traffic transmitte
231. ix D Command Line Interface CLI for Access Point Configuration examples Table 8 Status Commands Function Command Understanding Interfaces as Reference of interface names and purposes as described in Presented in the CLI Understanding Interfaces as Presented in the CLI on page 278 Global command to get all detail get bss all detail on a Basic Service Set BSS This is a useful command to use to get a comprehensive picture of how the access point is currently configured Get Common Information on the get interface brO Internal Interface for the Access Point Get All Wired Settings for the get interface brO Wired Internal Interface Get Current Settings for the get interface brguest Ethernet Wired Guest Interface get interface brguest mac get interface brguest ssid Get the MAC Address for the get interface wlan0 mac Wired Internal Interface Get the Network Name SSID for get interface wlan0 ssid the Wired Internal Interface Get the Current IEEE 802 11 get radio wlan0 mode Radio Mode Get the Channel the Access Point get radio wlan0 channel is Currently Using Get Basic Radio Settings for the get radio wland Internal Interface get radio wlan0 detail Get Status on Events get log entry all 290 Table 8 AT WA7400 Management Software User s Guide Status Commands Continued Function Command Enable Remote Logging and Specify the Log Rel
232. k like this:
SYSLOGD="-r"
Consult the man pages to get more information on syslogd command options. (Type man syslogd at the command line.)
3. If you want to send all the messages to a file, edit /etc/syslog.conf. For example, you can add this line to send all messages to a log file called AP_syslog:
*.* /tmp/AP_syslog
Consult the man pages to get more information on syslog.conf command options. (Type man syslog.conf at the command line.)
4. Restart the syslog server by typing the following at the command line prompt:
/etc/init.d/sysklogd restart
Note: The syslog process will default to use port 514. Allied Telesyn recommends keeping this default port. However, if you choose to reconfigure the log port, make sure that the port number you assign to syslog is not being used by another process.
Enabling or Disabling the Log Relay Host
To enable and configure the log relay host, perform the following procedure:
1. In the upper section of the Status > Events page, configure the following parameters.
Log Relay Host Enabled: To enable the Log Relay Host, click Enable. To disable it, click Disabled. If you select Enabled, the Relay Host and Relay Port fields are editable.
Relay Host: Specify the IP address or DNS name of the Relay Host.
Relay Port: Specify the Port number for the syslog process on the Relay Host. The default port
233. kStart on the following procedure ae Administrator s 4 Insert the AT WA7400 Wireless Access Point CD into the CD ROM PC drive on your computer The CD s main page is shown in Figure 1 on page 27 Click KickStart Utility The KickStart page as shown in Figure 2 on page 27 provides two options Open KickStart and Install KickStart The Open KickStart option is described in Running KickStart to Find Access Points on the Network on page 26 2 Click Install KickStart The KickStart Setup Wizard dialog box is shown in Figure 6 ie KickStartSetup L m Welcome to the KickStartSetup Setup Wizard The installer will guide you through the steps required to install KickStartSetup on your computer WARNING This computer program is protected by copyright law and international treaties Unauthorized duplication or distribution of this program or any portion of it may result in severe civil or criminal penalties and will be prosecuted to the maximum extent possible under the law Cancel f Figure 6 KickStart Setup Wizard Dialog Box 3 Click Next 30 AT WA7400 Management Software User s Guide The Select Installation Folder dialog box is shown in Figure 7 yy KickStartSetup tJ o _ _ Select Installation Folder The installer will install KickStartS etup to the following folder To install in this folder click Next To install to a different folder enter it below or c
234. l 1 7 15 3.0
wlan0 data2 3 15 63 0
wlan0 data3 7 15 1023 0
Get QoS Settings on the Client Station
To view the current QoS settings queue names for station to access point parameters:
AT WA7400 get wme queue
name queue aifs cwmin cwmax txop limit
wlan0 vo 2 3 7 47
wlan0 vi 2 7 15 94
wlan0 be 3 15 1023 0
wlan0 bk 7 15 1023 0
Set Arbitration Interframe Spaces (aifs)
Arbitration Inter Frame Spacing (AIFs) specifies a wait time (in milliseconds) for data frames. Valid values for AIFs are 1-255.
Set AIFs on the Access Point
To set AIFs on access point to station traffic:
set tx queue wlan0 with queue Queue_Name to aifs AIFs_Value
Where Queue_Name is the queue on the access point to which you want the setting to apply and AIFs_Value is the wait time value you want to specify for AIFs. For example, this command sets the AIFs wait time on the access point Voice queue (data0) to 13 milliseconds:
AT WA7400 set tx queue wlan0 with queue data0 to aifs 13
View the results of this configuration update (bold in the command output highlights the modified value):
AT WA7400 get tx queue
name queue aifs cwmin cwmax burst
wlan0 data0 13 3 7 1.5
wlan0 data1 1 7 15 3.0
wlan0 data2 3 15 63 0
wlan0 data3 7 15 1023 0
Set AIFs on the Client Station
To set the AIFs on station to access point traf
235. l Address changes depending on which radio you select here Local Address Indicates the media access control MAC addresses for this access point A MAC address is a permanent unique hardware address for any device that represents an interface to the network The MAC address is assigned by the manufacturer You cannot change the MAC address It is provided here for informational purposes as a unique identifier for the access point or interface For each WDS link the Local Address reflects the MAC address for the internal interface on the selected radio Radio one on WLANO or radio two WLAN1 Remote Address Specify the MAC address of the destination access point that is the access point to which data will be sent or handed off and from which data will be received Bridge with The AT WA7400 Management Software provides the capability of setting up guest and internal networks on the same access point See Chapter 11 Setting Up Guest Access on page 133 The guest network typically provides Internet access but isolates guest clients from more sensitive areas of your internal network It is common to have security disabled on the guest network to provide open access Alternatively the internal network provides full access to protected information behind a firewall and requires secure logins or certificates for access When you use WDS to link up one access point to another you need to identify within which of
236. l join the cluster when they are powered up and inherit the settings specified on this page If you choose to ignore new access points you must configure them manually New Access Points This access point is in standalone mode If you need to change these settings click the Access Points tab gt Settings Click update to save the new settings Figure 59 Basic Settings Page 2 In the Provide Network Settings section enter the current administrator password The default is manager The text you enter is displayed as characters to prevent others from seeing your password as you type 200 AT WA7400 Management Software User s Guide 3 In the New Password field enter the new password The default is friend The Administrator password must be an alphanumeric string of up to 8 characters Do not use special characters or spaces 4 Re enter the new administrator password to confirm that you typed it as intended 5 Click Update to save the changes 201 Chapter 17 Maintenance and Monitoring Enabling the Network Time Protocol NTP Server The Network Time Protocol NTP is an Internet standard protocol that synchronizes computer clock times on your network NTP servers transmit Coordinated Universal Time UTC also known as Greenwich Mean Time to their client systems NTP sends periodic time requests to servers using the returned time stamp to adjust its cl
237. l or guest network, or on a two radio access point, to radio one or radio two.
Configuring Virtual Wireless Network One on Radio One
Configure These Settings from the Web UI First
On the Advanced > Ethernet (Wired) settings page in the web UI, enable virtual wireless networks as described in Enabling or Disabling Virtual Wireless Networks on the Access Point on page 90.
On the Advanced > Virtual Wireless Networks page in the web UI, provide a VLAN ID as described in Configuring VLANs on page 140.
Use the CLI to Configure Security on the Interface
The following example shows commands for configuring WPA/WPA2 Enterprise (RADIUS) security mode, allowing Both WPA and WPA2 clients to authenticate and using a TKIP cipher suite:
AT WA7400 set bss wlan0bssvwn1 open system authentication on
AT WA7400 set bss wlan0bssvwn1 shared key authentication on
AT WA7400 set bss wlan0bssvwn1 wpa allowed on
AT WA7400 set bss wlan0bssvwn1 wpa2 allowed on
AT WA7400 set bss wlan0bssvwn1 wpa cipher tkip on
AT WA7400 set bss wlan0bssvwn1 wpa cipher ccmp off
AT WA7400 set bss wlan0bssvwn1 radius ip 127.0.0.1
AT WA7400 set bss wlan0bssvwn1 radius ip 127.0.0.1
AT WA7400 set bss wlan0bssvwn1 radius key secret
AT WA7400 set bss wlan0bssvwn1 status up
AT WA7400 set interface wlan0vwn1 security wpa enterprise
Radio Settings
Use the CLI
238. le access point1 could and After be assigned to channel 6 access point2 to channel 6 and access point3 Channel to channel 5 as shown in Figure 25 Management Interference from APs on adjacent channels 5 6 7 gt Interference from APs on same channel 6 Client Station Client Station Figure 25 Without Automatic Channel Management Access Points Can Broadcast on Overlapping Channels With automated channel management access points in the cluster are automatically reassigned to noninterfering channels as shown in Figure 26 Channel 1 802 11b Channel 1 802 11b Client Station Client Station Figure 26 With Channel Management Enabled Access Points are Re Assigned to Non Interfering Channels 71 Chapter 6 Channel Management Displaying the Channel Management Settings 72 To view channel management information perform the following procedure 1 From the main menu select Cluster gt Channel Management The Channel Management page is displayed as shown in Figure 27 Clustered Channels 1 r Access Stop automatically tunning channels Point Fa Current Channel Settings 2 User IP Address Band Current Locked Accounts 10 10 100 247 b g 1 Update Time since last modification to channel assignments 20 minutes and 9 seconds Last Channel Modifications IP Address From To 10 10 100 247 11 1 note new channel assignments may diffe
239. led Thank you for using wireless Guest la Access as provided by this AT WA7400 Welcome Screen Text Access Point Upon clicking Accept you will gain access to our wireless guest network This network allows v Figure 42 Guest Login Configuration Page Choose Enabled to activate the Welcome screen In the Welcome Screen Text field type the text message you would like guest clients to see on the captive portal Click Update to save your changes AT WA7400 Management Software User s Guide Using the Guest Network as a Client After the guest network is configured a client can access the guest network as follows m m A guest client enters an area of coverage and scans for wireless networks The guest network advertises itself via a guest AT WA7400 Wireless Access Point SSID or some similar name depending on how the guest SSID is specified in the web pages for the guest interface The guest client chooses guest AT WA7400 Wireless Access Point SSID The guest client starts a web browser and receives a Guest Welcome screen The guest Welcome Screen provides a button for the client to click to continue The guest client is now enabled to use the guest network 137 Chapter 11 Setting Up Guest Access 138 Chapter 12 VLANs This chapter describes how to configure Virtual LANs VLANs for multiple wireless networks and management and includes the following sections 0 Configu
240. less Access Point you can make further configuration changes through the management software using a wireless connection to the internal network This configuration includes Portable or built in Wi Fi client adapter that supports one or more of the IEEE 802 11 modes in which you plan to run the access point IEEE 802 11a 802 11b 802 11g and 802 11a Turbo modes are supported e Wireless client software such as Microsoft Windows XP or Funk Odyssey wireless client configured to associate with the AT WA7400 Management Software For more details about the Wi Fi client setup see Setting Up the Wireless Client Computers on page 22 Oo Web browser operating system Configuration and administration of the AT WA7400 Wireless Access Point is provided through a web based user interface hosted on the access point Allied Telesyn recommends using one of the following supported web browsers to access the AT WA7400 management software e Microsoft Internet Explorer version 5 5 or greater with up to date patch level for either major version on Microsoft Windows XP or Microsoft Windows 2000 e Netscape Mozilla 1 7 x on Redhat Linux version 2 4 The administration web browser must have JavaScript enabled to support the interactive features of the administration interface It must also support HTTP uploads to use the firmware upgrade feature O AT WA7400 Software and Documentation CD This CD contains the KickStart utility and the s
241. lick Browse.

Figure 7. Select Installation Folder Dialog Box (Folder: C:\Program Files\AlliedTelesyn\KickStartUtility)

4. Do one of the following:

- To see how much disk space the files require, click Disk Cost. The KickStart Setup Disk Space window is shown in Figure 8.

  Figure 8. KickStart Setup Disk Space Dialog Box

  Select the drive where you want to install KickStart and then click OK.
- Click Browse to select a specific location for the KickStart utility. The Browse for Folder window shows the default folder where the utility will be installed unless you select a different location. If this selection is OK, click OK. Otherwise, select a different folder and click OK.

5. Click Next. The KickStart Setup confirmation dialog box is shown in Figure 9.

Figure 9. KickStart Installation Confirmation Dialog Box

6. Click Next to start the installation. The Installing KickStart dialog box is shown in Figure 10.
243. lization rate exceeds the specified limit, a client currently associated with this access point is disconnected. If you specify 0 in this field, current clients are never disconnected regardless of the utilization rate.

Stations Threshold for Disassociation: Specify the number of client stations you want as a stations threshold for disassociation. If the number of client stations associated with the access point at any one time is equal to or less than the number you specify here, no stations will be disassociated regardless of the Utilization for Disassociation value.

Theoretically, the maximum number of client stations allowed is 2007. Allied Telesis recommends setting the maximum to between 30 and 50 client stations. This allows for a workable load on the access point, given that bandwidth is shared among the access point clients.

Chapter 15 Configuring Quality of Service (QoS)

Quality of Service (QoS) provides you with the ability to specify parameters on multiple queues for increased throughput and better performance of differentiated wireless traffic like Voice-over-IP (VoIP), other types of audio, video, and streaming media, as well as traditional IP data over the AT-WA7400 Wireless Access Point.

The following sections describe how to configure Quality of Service queues using the AT-WA7400 Management Software:

- Understandi
244. lling data streams on shared network connections. The IEEE 802.11e task group is in the process of defining a QoS standard for transmission quality and availability of service on wireless networks. QoS is designed to provide better network service by minimizing network congestion; limiting jitter, latency, and packet loss; supporting dedicated bandwidth for time-sensitive or mission-critical applications; and prioritizing wireless traffic for channel access.

As with all IEEE 802.11 working group standards, the goal is to provide a standard way of implementing QoS features so that components from different companies are interoperable.

The AT-WA7400 Management Software provides QoS based on the wireless multimedia (WMM) specification and wireless multimedia (WMM) standards, which are implementations of a subset of 802.11e features. Both access points and wireless clients (laptops, consumer electronics products, and so forth) can be WMM-enabled.

Configuring QoS options on the AT-WA7400 Wireless Access Point consists of setting parameters on existing queues for different types of wireless traffic. You can configure different minimum and maximum wait times for the transmission of packets in each queue based on the requirements of the media being sent. Queues automatically provide minimum transmission delay for voice, video, multimedia, and mission-critical applications and rely on best effort paramet
245. lly. (This box should be disabled automatically based on other settings.)

Configure the following settings on the Authentication tab:

Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (unchecked). Setting the encryption mode to WEP should automatically disable authentication.

Click OK in the Wireless Network Properties dialog box to close it and save your changes.

WPA-PSK clients should now be able to associate and authenticate with the access point. As a client, you are not prompted for a key. The TKIP or AES key you configured on the client security settings is automatically used when you connect.

Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point

An external Remote Authentication Dial-in User Server (RADIUS) server running on the network can support EAP-TLS smart card/certificate distribution to clients in a Public Key Infrastructure (PKI), as well as EAP-PEAP user account setup and authentication. By external RADIUS server, we mean an authentication server external to the access point itself. This is to distinguish between the scenario in which you use a network RADIUS server versus one in which you use the built-in authentication server on the AT-WA7400 Wireless Access Point.

This section provides an example of configuring an external RADIUS server for the purposes of
246. logies that are built in to the AT-WA7400 Wireless Access Point. The guest network is implemented as multiple BSSIDs on the same access point, each with different network names (SSIDs) on the wireless interface and different VLAN IDs on the wired interface. On a two-radio access point, the guest management and login settings apply to both radio one and radio two.

Configuring the Guest Interface

To configure the guest interface on the AT-WA7400 Wireless Access Point, perform these configuration steps:

1. Configure the access point to represent two virtually separate networks as described in "Configuring a Guest Network on a Virtual LAN" on page 135.
2. Set up the guest Welcome screen for the guest captive portal as described in "Configuring the Welcome Screen (Captive Portal)" on page 136.

Configuring a Guest Network on a Virtual LAN

Note: If you want to configure the guest and internal networks on Virtual LAN (VLANs), the switch and DHCP server you are using must support VLANs. As a prerequisite step, configure a port on the switch for handling VLAN tagged packets as described in the IEEE 802.1Q standard.

Guest Welcome Screen settings are shared among access points across the cluster. When you update these settings for one access point, the configuration is shared with the other access points in the cluster. For more information about which settings are shared by the
247. main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.

In the User Accounts section, click the backup or restore the user database link. The Backup or restore the user database for this access point page is displayed, as shown in Figure 23 on page 62.

Select the backup configuration file you want to use, either by typing the full path and file name in the Restore field or by clicking Browse and selecting the file. Only those files that were created with the User Database Backup function and saved as .ubk backup configuration files are valid to use with Restore; for example, wirelessUsers.ubk.

Click Restore. When the backup restore process is complete, a message is shown to indicate that the user database has been successfully restored. (This process is not time-consuming; the restore should complete almost immediately.)

From the main menu, select Cluster > User Management to see the restored user accounts.

Chapter 5 Session Monitoring

The AT-WA7400 Management Software provides real-time session monitoring information, including which clients are associated with a particular access point, data rates, transmit/receive statistics, signal strength, and idle time. A session in this context is the period of time in which a user on a client device (station) with a unique MAC address maintains a connection with the wireless network.
248. mand

Function: Set the access point to use the built-in authentication server
Command:  set bss wlan0bssInternal radius-ip 127.0.0.1

Table 14. Authentication Server Commands (Continued)

Function: Set the access point to use an external RADIUS server
Command:  set bss wlan0bssInternal radius-ip radius_ip_address
          where radius_ip_address is the IP address of an external RADIUS server.

The following example sets the access point to use the built-in server:

    AT-WA7400# set bss wlan0bssInternal radius-ip 127.0.0.1

Set the RADIUS Key (For External RADIUS Server Only)

If you use an external RADIUS server, you must provide the RADIUS key. (If you use the built-in authentication server, the RADIUS key is automatically provided.)

This command sets the RADIUS key to secret for an external RADIUS server:

    AT-WA7400# set bss wlan0bssInternal radius-key secret

Enable RADIUS Accounting (External RADIUS Server Only)

You can enable RADIUS Accounting if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on. The RADIUS accounting commands are shown in Table 15.

Note: RADIUS accounting is not supported by the built-in server, so if you are using the built-in server, make sure that RADIUS accounting is off.

Table 15. RADIUS Accounting Commands

Function / Command

E
249. mands (Continued)

Function: Add supported rate
Command:  add supported-rate WirelessInterfaceName rate SomeRate
          For example: add supported-rate wlan0 rate 9

Function: Get current supported rates
Command:  get supported-rate wlan0

The following command adds 48 as a basic rate to wlan0 (the internal wireless interface):

    AT-WA7400# add basic-rate wlan0 rate 48

To get the basic rates currently configured for this access point:

    AT-WA7400# get basic-rate
    name   rate
    wlan0  11
    wlan0  5.5
    wlan0  2
    wlan0  1
    wlan1  24
    wlan1  12
    wlan1  6
    wlan0  48

The following command adds 9 as a supported rate to wlan0 (the internal wireless interface):

    AT-WA7400# add supported-rate wlan0 rate 9

To get the supported rates currently configured for this access point (using wlan0 as the interface for this example):

    AT-WA7400# get supported-rate wlan0
    rate
    5.5
    11
    12
    18
    24
    36
    48
    54

Note: You can use the get command to view current rate sets from the CLI as described in "Get Supported Rate Set" on page 328 and "Get Basic Rate Set" on page 329. However, you cannot reconfigure Supported Rate Sets or Basic Rate Sets from the CLI. You must use the Advanced > Radio page on the web UI to configure this feature.

MAC Filtering

Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in Understanding In
250. mers without using user bandwidth for the bridging function
251. mode (Advanced > Security). When you reconfigure the access point with a security setting and click Update, your wireless client is disassociated and you lose connectivity to the AT-WA7400 Wireless Access Point. In some cases, you may need to make additional changes to the access point security settings before configuring the client. Therefore, you must have a backup Ethernet (wired) connection.

The following sections describe how to set up each of the supported security modes on wireless clients of a network served by the AT-WA7400 Wireless Access Point:

- "Network Infrastructure and Choosing Between the Built-in or External Authentication Server" on page 219
- "Make Sure the Wireless Client Software is Up-to-Date" on page 220
- "Accessing the Microsoft Windows Wireless Client Security Settings" on page 221
- "Configuring a Client to Access an Unsecure Network (Plain Text mode)" on page 223
- "Configuring Static WEP Security on a Client" on page 224
- "Configuring IEEE 802.1x Security on a Client" on page 227
- "Configuring WPA/WPA2 Enterprise (RADIUS) Security on a Client" on page 236
- "Configuring WPA/WPA2 Personal (PSK) Security on a Client" on page 245
- "Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point" on page 248
- "Obtaining a TLS-EAP Certificate for a Client" on page 253
252. n (click to uncheck the box).

Note: This example assumes that you are using the built-in authentication server on the access point. If you are setting up EAP-PEAP on a client of an access point that is using an external RADIUS server, you might see a certificate validation dialog box and need to choose a certificate, depending on your infrastructure.

Select Authentication Method: Choose Secured password (EAP-MSCHAP v2).

5. Click Configure to open the EAP MSCHAP v2 Properties dialog box.
6. Disable (click to uncheck) the option to Automatically use my Windows login name, etc.
7. Click OK on all dialog boxes (starting with the EAP MSCHAP v2 Properties dialog box) to close and save your changes.

IEEE 802.1x PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.

IEEE 802.1x Client Using EAP/TLS Certificate

Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA/WPA2 Enterprise (RADIUS) and IEEE 802.1x modes if you have an external RADIUS server on the network to support it.

Note: If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an
253. n configure the same access point to broadcast and function as two different wireless networks: a secure internal LAN and a public guest network. Guest clients can access the guest network without a username or password. When guests log in, they see a guest Welcome screen (also known as a captive portal).

This chapter contains the following sections:

- "Understanding the Guest Interface" on page 134
- "Configuring the Guest Interface" on page 135
- "Using the Guest Network as a Client" on page 137

Understanding the Guest Interface

You can define unique parameters for guest connectivity and isolate guest clients from other, more sensitive areas of the network. No security is provided on the guest network; only plain text security mode is allowed.

Simultaneously, you can configure a secure internal network (using the same access point as your guest interface) that provides full access to protected information behind a firewall and requires secure logins or certificates for access.

You configure an AT-WA7400 Wireless Access Point using a single network with VLANs by setting up the guest interface configuration options on the web pages for the AT-WA7400 Wireless Access Point. For details on how to set up this type of guest interface, see "Configuring a Guest Network on a Virtual LAN" on page 135. This method leverages multiple BSSID and Virtual LAN (VLAN) techno
254. n page 152 for information.

3. Click Update to save your settings.

Configuring the Rate Sets

Why do the different radios have different rate sets?

Rate sets specify the transmission rate sets you want the access point to support and the basic rate sets you want the access point to advertise. Rates are expressed in megabits per second.

- Supported Rate Sets indicate rates that the access point supports. You can check multiple rates (click a checkbox to select or de-select a rate). The access point will automatically choose the most efficient rate based on factors like error rates and distance of client stations from the access point.
- Basic Rate Sets indicate rates that the access point will advertise to the network for the purposes of setting up communication with other access points and client stations on the network. It is generally more efficient to have an access point broadcast a subset of its supported rate sets.

Figure 46 shows the rate sets for radio one.

Figure 46. Radio One Rate Sets (columns: Rate, Supported, Basic; rates listed: 54, 48, 36, 24, 18, 12, 9, and 6 Mbps)

Figure 47 shows the rate sets for radio two.

Figure 47 (columns: Rate, Supported, Basic; rates listed: 54, 48, 36, 24, 18, 12, 11, 9, 6, 5.5, 2, and 1 Mbps)
256. nable RADIUS accounting:   set bss wlan0bssInternal radius-accounting on
Disable RADIUS accounting: set bss wlan0bssInternal radius-accounting off

For our example, we'll disable RADIUS accounting since we're using the built-in server:

    AT-WA7400# set bss wlan0bssInternal radius-accounting off

Get Current Security Settings After Re-Configuring to IEEE 802.1x Security Mode

Now use the get command again to view the updated security configuration and see the results of our new settings.

The following command gets the security mode in use on the internal network:

    AT-WA7400# get interface wlan0 security
    dot1x

The following command gets details on how the internal BSS is configured, including details on Security:

    AT-WA7400# get bss wlan0bssInternal detail
    Field                        Value
    status                       up
    description                  Internal
    radio                        wlan0
    beacon-interface             wlan0
    mac                          00:0C:41:16:DF:A6
    dtim-period                  2
    max-stations                 2007
    ignore-broadcast-ssid        off
    mac-acl-mode                 deny-list
    mac-acl-name                 wlan0bssInternal
    radius-accounting            off
    radius-ip                    127.0.0.1
    radius-key                   secret
    open-system-authentication   off
    shared-key-authentication    on
    wpa-allow-non-wpa-stations   off
    wpa-cipher-tkip              off
    wpa-cipher-ccmp              off
    wpa-allowed                  off
    wpa2-allowed                 off
    rsn-preauthentication        off

Set Security to WPA W
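The RADIUS rules stated in this part of the guide (accounting stays off with the built-in server at 127.0.0.1; an external server needs a key) can be checked against saved `get bss wlan0bssInternal detail` output. The following is an added example, not code from the guide or from Allied Telesis; the sample listing is constructed, the hyphenated field names are assumed to match the device's output, and the function names are hypothetical.

```python
import ipaddress

BUILT_IN_SERVER = ipaddress.ip_address("127.0.0.1")
DOC_EXAMPLE_KEY = "secret"  # key string used in the guide's example command

# Constructed sample in the Field/Value layout of "get bss wlan0bssInternal detail".
SAMPLE_DETAIL = """\
Field                        Value
status                       up
description                  Internal
radius-accounting            off
radius-ip                    127.0.0.1
radius-key                   secret
"""


def parse_detail(text):
    """Turn Field/Value output into a dict; header and rule lines are skipped."""
    fields = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].lower() == "field" or set(parts[0]) <= {"-", "="}:
            continue
        fields[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return fields


def audit_radius(fields):
    """Return findings for RADIUS settings that contradict the guide's rules."""
    ip_text = fields.get("radius-ip", "")
    try:
        server = ipaddress.ip_address(ip_text)
    except ValueError:
        return ["radius-ip is not a valid IP address: %r" % ip_text]

    findings = []
    built_in = server == BUILT_IN_SERVER
    key = fields.get("radius-key", "")
    if built_in and fields.get("radius-accounting", "off") == "on":
        findings.append("radius-accounting is on, but the built-in server "
                        "does not support RADIUS accounting")
    if not built_in and not key:
        findings.append("external RADIUS server configured without a radius-key")
    if not built_in and key == DOC_EXAMPLE_KEY:
        findings.append("radius-key is still the documentation example value")
    return findings


def audit_with(overrides):
    """Audit the constructed sample with some fields replaced."""
    fields = parse_detail(SAMPLE_DETAIL)
    fields.update(overrides)
    return audit_radius(fields)


if __name__ == "__main__":
    for case in ({}, {"radius-accounting": "on"}, {"radius-ip": "192.0.2.10"}):
        print(case, "->", audit_with(case) or "no findings")
```
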
257. nd distributed by Microsoft Corporation

Figure 30. Security Warning Dialog Box

6. Click Yes. The User Certificate dialog box opens, as shown in Figure 31.

Figure 31. User Certificate Dialog Box

7. Click Submit to complete. The Potential Scripting Violation dialog box opens, as shown in Figure 32.

Figure 32. Potential Scripting Violation Dialog Box (dialog text: This Web site is requesting a new certificate on your behalf. You should allow only trusted Web sites to request a certificate for you. Do you want to request a certificate now?)

8. Click Yes. The Certificate Issued dialog box opens, as shown in Figure 33.

Figure 33. Certificate Issued Dialog Box

9. Click Install this certificate t
258. nd line and build valid commands, along with tab completion hints on available commands that match what you have typed so far. Using the CLI will be easier if you use the tab completion help and learn the keyboard shortcuts.

Keyboard Shortcuts

Table 33 lists the keyboard shortcuts that are available when you use the CLI.

Table 33. Keyboard Shortcuts

Action on CLI: Keyboard Shortcut

- Move cursor to the beginning of the current line: Ctrl-a, Home
- Move cursor to the end of the current line: Ctrl-e, End
- Move cursor back on the current line, one character at a time: Ctrl-b, Left Arrow key
- Move the cursor forward on the current line, one character at a time: Ctrl-f, Right Arrow key
- Start over at a blank command prompt (abandons the input on the current line): Ctrl-c
- Remove one character on the current line: Ctrl-h
- Remove the last word in the current command (clears one word at a time from the current command line, always starting with the last word on the line): Ctrl-W
- Remove characters starting from cursor location to end of the current line (clears the current line from the cursor forward): Ctrl-k
- Remove all characters before the cursor (clears the current line from the cursor back to the CLI prompt): Ctrl-U
- Clear screen but keep current CLI prompt and input in place: Ctrl-l
- Display previous command in history: Ctrl-p. Ctrl-p and Ctrl-n let you cycle through a history of all executed commands l
259. nd clients. For example, if the access point defines abc123 key as WEP key 3, then the client stations must define that same string as WEP key 3.

On some wireless client software (like Funk Odyssey), you can configure multiple WEP keys and define a client station transfer key index, and then set the stations to encrypt the data they transmit using different keys. This ensures that neighboring access points cannot decode each other's transmissions.

Example of Using Static WEP

For a simple example, suppose you configure three WEP keys on the access point. In the following example, the Transfer Key Index for the access point is set to 3. This means that the WEP key in slot 3 is the key the access point will use to encrypt the data it sends.

Figure 34. Setting the AP Transfer Key on the Access Point (Security Mode: Static WEP; Transfer Key Index: 3; Key Length: 64 bits or 128 bits; Key Type: ASCII or Hex; WEP Keys: abcde, fghij, klmno; Authentication Algorithms)

You must then set all client stations to use WEP and provide each client with one of the slot/key combinations you defined on the access point.

Figure 35 illustrates setting the WEP key 1 on a Windows client.

Figure 35 (Wireless network properties dialog: Association and Authentication tabs; Network name (SSID); Wireless network key)
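Why the slot number matters as much as the key string: each WEP frame carries a 2-bit key ID, and the receiver decrypts with whatever key it holds in that slot, then checks the CRC-32 integrity value. The following added example (not from the guide) implements WEP encapsulation with RC4 and CRC-32 for that purpose; it uses the three key strings from Figure 34, assigns them to slots 1 to 3 as an assumption, and uses a constructed IV, payload and station set.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher (key scheduling, then keystream XOR)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encapsulate(keys, transfer_key_index, payload, iv):
    """Encrypt with the key in slot transfer_key_index (1-4).

    Layout: 3-byte IV, 1 byte whose top two bits are the key ID (slot - 1),
    then RC4(IV || key) applied to payload || CRC-32 ICV.
    """
    key = keys[transfer_key_index]
    icv = zlib.crc32(payload).to_bytes(4, "little")
    key_id_byte = (transfer_key_index - 1) << 6
    return iv + bytes([key_id_byte]) + rc4(iv + key, payload + icv)


def wep_decapsulate(keys, frame):
    """Decrypt using the receiver's key in the slot named by the frame.

    Returns the payload, or None if that slot is empty or the ICV fails.
    """
    iv, slot, body = frame[:3], (frame[3] >> 6) + 1, frame[4:]
    key = keys.get(slot)
    if key is None:
        return None
    clear = rc4(iv + key, body)
    payload, icv = clear[:-4], clear[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload


# Access point: 64-bit WEP (5 ASCII characters per key), Transfer Key Index 3.
AP_KEYS = {1: b"abcde", 2: b"fghij", 3: b"klmno"}
AP_TRANSFER_KEY_INDEX = 3

# Constructed client configurations.
STATIONS = {
    "same key in slot 3": {3: b"klmno"},
    "right key, wrong slot": {1: b"klmno"},
    "wrong key in slot 3": {3: b"abcde"},
}
CONSTRUCTED_IV = b"\x00\x00\x01"
PAYLOAD = b"constructed test payload"


def downlink_results():
    """Which stations can read a frame the access point sends?"""
    frame = wep_encapsulate(AP_KEYS, AP_TRANSFER_KEY_INDEX, PAYLOAD, CONSTRUCTED_IV)
    return {name: wep_decapsulate(keys, frame) == PAYLOAD
            for name, keys in STATIONS.items()}


def uplink_result():
    """A station transmitting with its own transfer key index 1 is readable
    by the access point, because slot 1 holds the same string on both sides."""
    station_keys = {1: b"abcde", 3: b"klmno"}
    frame = wep_encapsulate(station_keys, 1, PAYLOAD, CONSTRUCTED_IV)
    return wep_decapsulate(AP_KEYS, frame) == PAYLOAD


if __name__ == "__main__":
    for name, ok in downlink_results().items():
        print(f"{name}: {'decrypts' if ok else 'cannot decrypt'}")
    print("uplink with station key index 1:", uplink_result())
```
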
260. ndonesia, Malaysia, Hong Kong, and most South American countries.

- ETSI countries include all European Union countries except France. It also includes Switzerland, Iceland, Norway, Czech Republic, Slovenia, Slovakia, Turkey, Russia, and the United Arab Emirates.
- France, Mexico, and Singapore use the same channels.

Beacon Interval: Beacon frames are transmitted by an access point at regular intervals to announce the existence of the wireless network. The default behavior is to send a beacon frame once every 100 milliseconds (or 10 per second). The Beacon Interval value is set in milliseconds. Enter a value from 20 to 2000.

DTIM Period: The Delivery Traffic Information Map (DTIM) message is an element included in some beacon frames. It indicates which client stations, currently sleeping in low-power mode, have data buffered on the access point awaiting pick-up. The DTIM period you specify here indicates how often the clients served by this access point should check for buffered data still on the access point awaiting pickup. Specify a DTIM period within the range 1-255. The measurement is in beacons. For example, if you set this to 1, clients check for buffered data on the access point at every beacon. If you set this to 2, clients check on every other beacon. If you set this to 10, clients check on every 10th beacon.

Fragmentation Threshold: Specify a number between 25
261. nel defines the portion of the radio spectrum that the radio on the access point uses for transmitting and receiving. The range of available channels for an access point is determined by the IEEE 802.11 mode (also referred to as band) of the access point. (IEEE 802.11b/802.11g modes (802.11 b/g) support use of channels 1 through 11 inclusive, while IEEE 802.11a mode supports a larger set of non-consecutive channels: 36, 40, 44, 48, 52, 56, 60, 64, 149, 153, 157, 161, 165.)

Interference can occur when multiple access points within range of each other are broadcasting on the same or overlapping channels. The impact of this interference on network performance can intensify during busy times, when a large amount of data and media traffic is competing for bandwidth.

The Channel Manager detects which bands (b/g or a) clustered access points are on and uses a predetermined collection of channels that will not mutually interfere. For the b/g radio band, the classical set of non-interfering channels is 1, 6, 11. Channels 1, 4, 8, 11 produce minimal overlap. A similar set of non-interfering channels is used for the a radio band, which includes all channels for that mode since they are not overlapping.

Example: A Network Before

Without automated channel management, channel assignments to clustered access points might be made on consecutive channels, which would overlap and cause interference. For examp
262. nfiguration. The SNMP Configuration page is shown in Figure 41.

Figure 41. SNMP Configuration Page (fields: Public Community Name, Private Community Name, Location, Contact, System Name, Trap Enabled/Disabled, Trap Host)

2. Configure the following parameters:

Public Community Name: This community name has read privileges only. Enter a name for the public community name.

Private Community Name: The private community name has an access mode of read-write. If you enable SNMP management, Allied Telesyn recommends that you remove the private community name to prevent others from making unauthorized changes to the access point.

Location: The physical location of the access point.

Contact: The contact person for the access point.

System Name: A unique name given to this access point.

Trap Enabled/Disabled: A trap is a signal sent to one or more management workstations by the access point to indicate the occurrence of a particular operating event on the access point. Choose Enabled or Disabled.

Trap Host: The IP address of the workstation where trap messages are sent.

3. Click Update.

Chapter 11 Setting Up Guest Access

The guest interface features allow you to configure the AT-WA7400 Wireless Access Point for controlled guest access to an isolated network. You ca
263. ng the IP address for that access point as a URL directly into a web browser address bar in the following form:

    http://IPAddressOfAccessPoint

where IPAddressOfAccessPoint is the address of the particular access point you want to monitor or configure. This is the only way to navigate to configuration information for a standalone access point.

If you do not know the IP address of a standalone access point, use KickStart to find all access points on the network, and you should be able to derive which ones are standalone by comparing KickStart findings with access points listed on the Cluster > Access Points page. The access points that KickStart finds that are not shown on this page are probably standalone access points. For more information on using KickStart, see "Running KickStart to Find Access Points on the Network" on page 26.

Configuring MAC Address Filtering

A media access control (MAC) address is a hardware address that uniquely identifies each node of a network. All IEEE 802 network devices share a common 48-bit MAC address format, usually displayed as a string of 12 hexadecimal digits separated by colons, for example FE:DC:BA:09:87:65. Each wireless network interface card (NIC) used by a wireless client has a unique MAC address.

You can control client access to your wireless network by switching on MAC filtering and specifying a list of approved MAC addresses. When
265. ng QoS" on page 162; "Configuring QoS Queues" on page 167.

Chapter 15: Configuring Quality of Service (QoS)

Understanding QoS (QoS and Load Balancing; 802.11e and WMM Standards Support; QoS Queues and Parameters to Coordinate Traffic Flow)

A primary factor that affects QoS is network congestion due to an increased number of clients attempting to access the air waves and higher traffic volume competing for bandwidth during a busy time of day. The most noticeable degradation in service on a busy, overloaded network will be evident in time-sensitive applications such as video, Voice over IP (VoIP), and streaming media. Unlike typical data files, which are less affected by variability in QoS, video, VoIP, and streaming media must be sent in a specific order, at a consistent rate, and with minimum delay between packet transmission. If the quality of service is compromised, the audio or video will be distorted. By using a combination of load balancing (see Chapter 14, "Load Balancing" on page 155) and QoS techniques, you can provide a high quality of service for time-sensitive applications, even on a busy network. Load balancing is a way of better distributing the traffic volume across access points. QoS is a means of allocating bandwidth and network access based on transmission priorities for different types of wireless traffic within a single access point. QoS describes a range of technologies for contro
266. ngle wireless network (SSID). Only one cluster per wireless network is supported. Up to eight access points are supported in a cluster at any one time. If a new access point is added to a network with a cluster that is already at full capacity, the new access point is added in standalone mode. Note that when the cluster is full, extra access points are added in standalone mode regardless of the configuration policy in effect for new access points. For related information, see "Cluster Mode" on page 46 and "Standalone Mode" on page 46. A single AT-WA7400 Wireless Access Point can form a cluster with itself (a cluster of one) and with other AT-WA7400 Wireless Access Points of the same model. You use a master access point, which you choose from among the cluster members, to change the cluster configuration, share configuration updates, and track new access points joining or leaving the group. If a master access point becomes unavailable, a new cluster member is assigned master responsibilities. This process is fully automated, based on a ruleset that takes into account seniority, cluster size, and other factors to determine which access point is best suited to the task at any given time. There is no need to track or attend to which access point is the master, because this status is subject to change at any time depending on the needs of the cluster. This concept is important because you may notice slight differences between configurati
267. … 337; Queue Commands … 339; … 345; Keyboard Shortcuts … 349

Preface

This guide contains instructions on how to configure and maintain an AT-WA7400 Wireless Access Point using its management software and contains the following sections: "Where to Find Web-based Guides" on page 16; "Contacting Allied Telesyn" on page 17.

Where to Find Web-based Guides

The installation and user guides for all Allied Telesyn products are available in portable document format (PDF) on our web site at www.alliedtelesyn.com. You can view the documents online or download them onto a local workstation or server.

Contacting Allied Telesyn (Online Support; Email and Telephone Support; Warranty; Returning Products; Sales or Corporate Information; Management Software Updates)

This section provides Allied Telesyn contact information for technical support as well as sales and corporate information. You can request technical support online by accessing the Allied Telesyn Knowledge Base: www.alliedtelesyn.com/support/kb.aspx. You can use the Knowledge Base to submit questions to our technical support staff and review answers to previously asked questions. For Technical Support via email or telephone re
268. ns must have the same key indexed in the same slot to access data on the access point. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame. If you set the Authentication Algorithm to Shared Key, this protocol provides a rudimentary form of user authentication. However, if the Authentication Algorithm is set to Open System, no authentication is performed. If the algorithm is set to Both, only WEP clients are authenticated. Static WEP was designed to provide security equivalent to sending unencrypted data through an Ethernet connection. However, it contains major flaws and it does not provide even this intended level of security. Therefore, Static WEP is not recommended as a security mode. The only time to use Static WEP is when interoperability issues make it the only option available to you and you are not concerned with the potential of exposing the data on your network. For information on how to configure Static WEP security mode, see "Static WEP" on page 116.

When to Use IEEE 802.1x

IEEE 802.1x is the standard for passing the Extensible Authentication Protocol (EAP) over an 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). This is a newer, more secure standard than Static WEP, as described in Table 2.

Table 2. IEEE 802.1x Configuration: Key Management, Enc
269. nsitive information on the internal LAN. For example, the guest network might provide Internet and printer access for day visitors. The absence of security on the guest access point is designed to make it as easy as possible for guests to get a connection without having to program any security settings in their clients. For a minimum level of protection on a guest network, you can choose to suppress (prohibit) the broadcast of the SSID (network name) to discourage client stations from automatically discovering your access point. See also "Does Prohibiting the Broadcast SSID Enhance Security?" on page 113. For more about the guest network, see Chapter 11, "Setting Up Guest Access" on page 133.

Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption. You cannot mix 64-bit and 128-bit WEP keys between the access point and its client stations. Static WEP is not the most secure mode available, but it offers more protection than plain text mode, as it does prevent an outsider from easily sniffing out unencrypted wireless traffic. For more secure modes, see the sections on "IEEE 802.1x" on page 121, "WPA/WPA2 Enterprise (RADIUS)" on page 125, or "WPA/WPA2 Personal (PSK)
270. nt DHCP client settings IEEE 802 11 all radios Internet host settings Network interface IP route entry Kernel log entry Log settings Log entry MAC address access list item Network Time Protocol client Guest captive portal Radio RADIUS user SSH access to the command line interface Supported rates of radios System settings Telnet access to the command line interface Transmission queue parameters Transmission queue parameters for stations Example 3 Type get system v TAB This will result in completion with the only matching field get system version Press Enter to display the output results of the command AT WA7400 Management Software User s Guide For detailed examples on getting help see Keyboard Shortcuts and Tab Completion Help on page 349 277 Appendix D Command Line Interface CLI for Access Point Configuration Command Usage and Configuration Examples 278 Understanding Interfaces as Presented in the CLI The following sections provide examples of using the CLI to perform functions similar to those documented in the web browser interface chapters in this book Understanding Interfaces as Presented in the CLI next Saving Configuration Changes on page 281 Basic Settings on page 282 Access Point and Cluster Settings on page 285 User Accounts on page 287 Displaying Status on page 289 Ethernet Wired Interface on page 301 Setting Up
271. o configuring 147 IEEE 802 11a configuring 147 IEEE 802 11b configuring 147 IEEE 802 11d regulatory domain configuring 98 IEEE 802 11g configuring 147 IEEE 802 1x radio mode configuring 147 IEEE 802 1x security for a client 227 IEEE 802 1x security mode 108 client configuration 227 configuring 121 IEEE rate set configuring 147 interframe spaces as related to QoS 164 internal and guest networks on virtual LANs configuring 135 internal LAN configuring 93 internal wireless LAN settings 102 IP address default setting 215 IP addresses configuring 37 dynamic 23 navigating to 52 recovering 24 static 23 viewing for access points 81 K key management security 107 KickStart 26 KickStart utility running to find access points 26 L link integrity monitoring 192 load balancing configuring 157 default setting 216 described 156 location description 49 log relay host configuring 187 enabling or disabling 188 logon administration Web pages 34 logout 36 loops WDS 175 M MAC address filtering configuring 53 default setting 216 MAC address configuring 37 master access point described 44 N neighboring access point displaying status 193 network name configuring 38 network time protocol NTP server enabling or disabling 202 Network Time Protocol NTP default setting 215 P packet bursting as related to QoS 166 password configuring 37 PEAP configuring on IEEE 802 1x client 227 configuring on WPA WPA2 Ente
272. o Configure a Certificate Server at http://support.microsoft.com/default.aspx?scid=kb;en-us;318710#3

To use this type of security, you must do the following:

1. Add the AT-WA7400 Wireless Access Point to the list of RADIUS server clients. See "Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point" on page 248.
2. Configure the AT-WA7400 Wireless Access Point to use your RADIUS server by providing the RADIUS server IP address as part of the WPA/WPA2 Enterprise (RADIUS) security mode settings.
3. Configure wireless clients to use WPA security and Smart Card or other Certificate, as described in this section.
4. Obtain a certificate for this client, as described in "Obtaining a TLS-EAP Certificate for a Client" on page 253.
5. Verify that you configured the AT-WA7400 Wireless Access Point to use WPA/WPA2 Enterprise (RADIUS) security mode with an external RADIUS server, as shown in Figure 16.

Figure 16. Security Settings Page

6. Configure WPA security with certificate authentication on each client as shown in
273. Navigate to the WDS page in the MyAP2 web pages. (MyAP2's MAC address will show as the Local Address.) Configure a WDS interface for data exchange with MyAP1, starting with the MAC address for MyAP1. Navigate to the radio settings for MyAP2 to verify that it is using the same mode and broadcasting on the same channel as MyAP1. (For our example, Mode is 802.11b and the channel is 6.) Be sure to save the settings by clicking Update.

Chapter 17: Maintenance and Monitoring

The maintenance and monitoring tasks described here all pertain to viewing and modifying settings on specific access points, not on a cluster configuration that is automatically shared by multiple access points. Therefore, it is important to ensure that you are accessing the management software web pages for the particular access point you want to configure. For information on this, see Chapter 3, "Managing Access Points and Clusters" on page 43. This chapter contains the following sections: "Monitoring Wired and Wireless LAN Settings" on page 184; "Viewing the Event Logs" on page 186; "Viewing the Transmit/Receive Statistics" on page 190; "Viewing the Associated Wireless Clients" on page 192; "Viewing the Status of Neighboring Access Points" on page 193; "Viewing System Information" on page 197; "Setting the Administrator Password" on page 199; "Enabling the Network Time Protocol (NTP) Server" on page 202; Setting the HTTP
274. o install the newly issued certificate on your client station. The Potential Scripting Violation dialog box opens, as shown in Figure 34. The dialog reads: "This Web site is adding one or more certificates to this computer. Allowing an untrusted Web site to update your certificates is a security risk. The Web site could install certificates you do not trust, which could allow programs that you do not trust to run on this computer and gain access to your data. Do you want this program to add the certificates now? Click Yes if you trust this Web site. Otherwise, click No."

Figure 34. Potential Scripting Error Dialog Box

10. Click Yes. The Root Certificate Store dialog box is displayed, as shown in Figure 35.

Figure 35. Root Certificate Store Dialog Box

11. Click Yes. A success message (Figure 36) is displayed, indicating the certificate is now installed on the client.

Microsoft Certificate Services dc01 Home Certificate Installed Your new ce
275. oadcast frames and allows clients to select whether to use CCMP or TKIP for unicast (access point to single station) frames. This WPA configuration allows more interoperability, at the expense of some security. Client stations that support CCMP can use it for their unicast frames. If you encounter access point-to-station interoperability problems with the Both encryption algorithm setting, then you will need to select TKIP instead. (See next bullet.)

The third best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to TKIP. Some clients have interoperability issues with CCMP and TKIP enabled at the same time. If you encounter this problem, then choose TKIP as the encryption algorithm. This is the standard WPA mode and the most interoperable mode with client wireless software security features. TKIP is the only encryption algorithm that is being tested in Wi-Fi WPA certification.

Note: If there are older client stations on your network that do not support WPA or WPA2, you can configure WPA/WPA2 Enterprise (RADIUS) with Both (CCMP or TKIP) and check the Allow non-WPA IEEE 802.1x clients checkbox to allow non-WPA clients. This provides IEEE 802.1x key management for non-WPA clients with even better data protection of TKIP and CCMP (AES) key management and encryption algorithms for your WPA clients. A typical scenario is when you are upgrading a current 802.1x network to use WPA. You might have a mix of clients: some new cli
276. ock. The timestamp is used to indicate the date and time of each event in log messages. See http://www.ntp.org for more general information on NTP. To configure your access point to use a network time protocol (NTP) server, perform the following procedure:

1. From the main menu, select Advanced > Time Protocol. The Time Protocol page is shown in Figure 60.

Figure 60. Time Protocol Page

2. For the Network Time Protocol (NTP) setting, select one of the following. Enabled: The access point sets its time by contacting the NTP server. Synchronize with PC: The access point synchronizes its clock with the PC from which you are managing the access point.
3. For the Daylight Saving Time setting, select one of the following. Enabled: Daylight saving time is automatically adjusted. Disabled: No adjustment is made for daylight saving time. Note: If the time zone you select in the next setting is not one that participates in daylight saving time, then this selection is unavailable.
4. For the NTP Server setting, specify the NTP server by host name or IP address.
5. For the Time Zone, select your time
277. of queues are defined for different kinds of data transmitted from access point to station and station to access point, but they are referenced differently depending on whether you are configuring access point or station parameters. The commands are shown in Table 31.

Table 31. Queue Commands
Data | Access Point | Station
Voice: High priority queue, minimum delay. Time-sensitive data such as VoIP and streaming media are automatically sent to this queue. | data0 | VO
Video: High priority queue, minimum delay. Time-sensitive video data is automatically sent to this queue. | data1 | vi
Best Effort: Medium priority queue, medium throughput and delay. Most traditional IP data is sent to this queue. | data2 | be
Background: Lowest priority queue, high throughput. Bulk data that requires maximum throughput and is not time-sensitive is sent to this queue (FTP data, for example). | data3 | bk

Distinguishing between Access Point and Station Settings in QoS Commands

Access Point: To get and set QoS settings on the access point, use tx queue class name in the command.
Station: To get and set QoS settings on the client station, use the wme queue class name in the command.

Get QoS Settings on the Access Point

To view the current QoS settings and queue names for access point-to-station parameters:

AT WA7400 get tx queue
name queue aifs cwmin cwmax burst
wlan0 data0 1 3 7 1.5
wlan0 data
278. of the network to which you want to connect and click Advanced to open the Wireless Network Connection Properties dialog box. The Wireless Networks page (which should be automatically displayed) lists Available networks and Preferred networks, as shown in Figure 1.

The list of available networks changes depending on client location. Each network (or access point) that is detected by the client shows up in this list. (Refresh updates the list with current information.) For each network you want to connect to, configure security settings on the client to match the security mode being used by that network.

Note: The exception to this is if the access point is configured to prohibit broadcast of its network name; the name is then not shown on this list. In that case, you would need to type in the exact network name to be able to connect to it.

Figure 1 Wireless Network Connections Properties Dialog
279. oftware User s Guide The radio in the example is using IEEE 802 11g mode Get Radio Channel To get the current setting for radio Channel AT WA7400 get radio wlan0 channel 6 The radio in this example is on Channel 6 Get Basic Radio Settings To get basic current radio settings AT WA7400 get radio wlan0 Field Value status up mac channel policy static mode g static channel 6 channel 6 tx rx status up Get All Radio Settings To get all current radio settings get radio wlanO detail AT WA7400 get radio wlan0 detail Field Value status up description IEEE 802 11 mac max bss 2 channel policy static 327 Appendix D Command Line Interface CLI for Access Point Configuration 328 mode static channel channel tx power tx rx status beacon interval rts threshold fragmentation threshold load balance disassociation uti lization load balance disassociation stations load balance no association uti lization ap detection station isolation frequency wme Get Supported Rate Set 100 up 100 2347 2346 off off 2437 on The Supported Rate Set is what the access point supports The access point will automatically choose the most efficient rate based on factors like error rates and distance of client stations from the access point AT WA7400 get supported rate name rate wlanO 54 wlanO 48 wlanO 36 wlanO 24 wlanO 18 wlanO 12 wlanO 11 wlanO 9 AT WA7400 Management Software
280. oftware documentation. You can run the KickStart utility on any Windows laptop or computer that is connected to the access point (via wired or wireless connection). It detects AT-WA7400 Wireless Access Points on the network. The wizard steps you through initial configuration of new access points and provides a link to the AT-WA7400 management software, where you finish the basic setup process in a step-by-step mode and launch the network. You can also download KickStart onto the administrator's computer, which makes it unnecessary to have the CD. For more about using KickStart, see "Running KickStart to Find Access Points on the Network" on page 26.

CD-ROM Drive: The administrator's computer must have a CD-ROM drive to run the KickStart application on the AT-WA7400 Wireless Access Point CD or to download it to their computer.

Security Settings: Ensure that security is disabled on the wireless client used to initially configure the access point.

Setting Up the Wireless Client Computers

The AT-WA7400 Wireless Access Point provides wireless access to any client with a properly configured Wi-Fi client adapter for the 802.11 mode in which the access point is running. Multiple client operating systems are supported. Clients can be laptops or desktops, personal digital assistants (PDAs), or any other hand held
281. oint get tx queue Get QoS Settings on the Client Station get wme queue Set Arbitration Interframe Spaces aifs On the access point set wme queue wlan0 with queue Queue Name to aifs AIFs_Value On a client station set wme queue wlan0O with queue Queue Name to aifs AIFs_Value See examples in Set Arbitration Interframe Spaces aifs on page 340 Set Minimum and Maximum Contention Windows cwmin cwmax On the access point set tx queue wlanO with queue Queue name to cwmin cwmin_Value cwmax cwmax_Value On a client station set wme queue wlanO with queue Queve_Name to cwmin cwmin_Value cwmax cwmax_Value See examples in Set Minimum and Maximum Contention Windows cwmin cwmax on page 341 Set the Maximum Burst Length burst on the Access Point set tx queue wlanO with queue Queue Name to burst burst_Value See examples in Set the Maximum Burst Length burst on the Access Point on page 343 337 Appendix D Command Line Interface CLI for Access Point Configuration Table 30 QoS Commands Continued Function Command 338 Set Transmission Opportunity Limit set wme queue wlanO with queue Queue Name to txop limit for WMM client stations txop limit txop im7t_value See examples in Set Transmission Opportunity Limit txop limit for WMM client stations on page 344 Enable Disable Wi Fi Multimedia By default Wi Fi MultiMedia W
282. oint Configuration 292 Get All Wired Settings for the Wired Internal Interface AT WA7400 get interface br0 Field Value mac 00 a0 c9 8c c4 7e ip 192 168 1 1 mask 255 255 255 0 Get the MAC Address for the Wired Internal Interface AT WA7400 get interface wlan0 mac 02 0C 41 00 02 00 Get the Network Name SSID for the Wired Internal Interface AT WA7400 get interface wlan0 ssid elliot_AP Get Current Settings for the Ethernet Wired Guest Interface The following example shows how to use the CLI to get the Ethernet Wired settings for the guest interface for an access point You can see by the output results of the command that the MAC address is 00 50 04 6f 6f 90 the IP address is 10 10 56 248 and the subnet mask is 255 255 255 0 AT WA7400 get interface brguest Field Value type bridge status up mac 00 50 04 6f 6f 90 ip 10 10 56 248 mask 255 255 255 0 AT WA7400 Management Software User s Guide Note You can get specifics on the guest interface by using the same types of commands as for the internal interface but substituting brguest for wlan0 For example to get the MAC address for the guest interface get interface wlan0 ssid Get Current Wireless Radio Settings The following examples show how to use the CLI to get wireless radio settings on an access point such as mode channel and so on You can see by the output results of the commands that the access point mode is set to IEEE 802 11g the
283. oint as a wireless network.

Default Configuration

A summary of the settings is shown in Figure 15.

Figure 15. Summary of Settings Page

At initial startup, no security is in place on the access point. An important next step is to configure security, as described in Chapter 10, "Configuring Security" on page 105. At this point, if you click Basic Settings again, the summary of settings page is replaced by the standard Basic Settings configuration options. If you chose to ignore new access points, then as you add new access points they will run in standalone mode. In standalone mode, an access point does not share th
284. Figure 54. Events Page

This page lists the most recent events generated by this access point (see "Events Log" on page 188). This page also gives you the option of enabling a remote log relay host to capture all system events and errors in a Kernel Log. This requires setting up a remote relay host first. See "Log Relay Host for Kernel Messages" on page 187.

Note: The AT-WA7400 Wireless Access Point acquires its date and time information using the network time protocol (NTP). This data is reported in UTC format (also known as Greenwich Mean Time). You need to convert the reported time to your local time. For information on setting the network time protocol, see Chapter 18, "Enabling the Network Time Protocol (NTP) Server" on page 202.

Log Relay Host for Kernel Messages

The kernel log is a comprehensive list of system events (shown in the system lo
285. on information displayed on AT-WA7400 Management Software web pages for a master access point versus other cluster members.

Which Settings are Shared as Part of the Cluster Configuration and Which Are Not

Most configuration settings that you define using the AT-WA7400 Management Software are propagated to cluster members as a part of the cluster configuration.

Settings Shared in the Cluster Configuration

The cluster configuration includes: network name (SSID); administrator password; configuration policy; user accounts and authentication; wireless interface settings; Guest Welcome screen settings; Network Time Protocol (NTP) settings; radio settings (only Mode, Channel, Fragmentation Threshold, RTS Threshold, and Rate Sets are synchronized across the cluster; Beacon Interval, DTIM Period, Maximum Stations, and Transmit Power do not cluster); security settings; QoS queue parameters; MAC address filtering.

Note: When Channel Planning is enabled, the radio Channel is not synched across the cluster. See "Stopping or Starting Automatic Channel Assignment" on page 73.

Settings Not Shared by the Cluster

The settings not shared among clustered access points are the following, most of which by nature must be unique: IP addresses; MAC addresses; location descriptions; load balancing settings; WDS bridges; Ethern
286. on is On, the access point blocks communication between wireless clients. The access point still allows data traffic between its wireless clients and wired devices on the network, but not among wireless clients. The traffic blocking extends to wireless clients connected to the network via WDS links; these clients cannot communicate with each other when Station Isolation is on. See Chapter 16, "Configuring the Wireless Distribution System (WDS)" on page 173 for more information about WDS.

Security Mode: Select the Security Mode, one of the following: Plain Text; Static WEP; IEEE 802.1x; WPA/WPA2 Enterprise (RADIUS); WPA/WPA2 Personal (PSK). For a guest network, you can only use the plain text setting. For more information, see Chapter 11, "Setting Up Guest Access" on page 133.

3. Click Update to save your settings.

Plain Text

Plain text means any data transferred to and from the AT-WA7400 Wireless Access Point is not encrypted. There are no further options for plain text mode. Plain text mode can be useful during initial network configuration or for problem solving, but it is not recommended for regular use on the internal network because it is not secure.

Guest Network: Plain text mode is the only mode in which you can run the guest network, which is by definition an easily accessible, unsecure LAN, always virtually or physically separated from any se
287. on page 123. WEP encrypts data moving across the wireless network based on a static key. (The encryption algorithm is a stream cipher called RC4.) The access point uses a key to transmit data to the client stations. Each client station must use that same key to decrypt data it receives from the access point. Client stations can use different keys to transmit data to the access point. (Or they can all use the same key, but this is less secure because it means one station can decrypt the data being sent by another.) If you selected Static WEP Security Mode, the settings in Figure 33 are displayed at the bottom of the page.

Figure 33. Static WEP Security Mode Settings

Configure the following settings:

Transfer Key Index: Select a key index from the list. Key indexes 1 through 4 are available. The default is 1. The Transfer Key Index indicates which WEP key the access point will use to encrypt the data it transmits.

Key Length: Specify the length of the key by clicking one of the buttons: 64 bits; 128 bits.

Key Type: Select the key type by clicking one of the buttons: ASCII; Hex.

Characters Required: Indicates the number of characters required in the WEP
288. onfig startup running command in the CLI, you will lose any changes you submitted via the CLI upon reboot. The save running command saves the running configuration as the startup configuration. (The save running command is a shortcut command for set config startup running, which accomplishes the same thing.) Settings updated from the CLI (with the get, set, add, and remove commands) are not saved to the startup configuration unless you explicitly save them via the save running command. This gives you the option of maintaining the startup configuration and trying out values on the running configuration that you can discard (by not saving). By contrast, configuration changes updated from the web UI are automatically saved to both the running and startup configurations. If you make changes from the web UI that you do not want to keep, your only option is to reset to factory defaults. The previous startup configuration will be lost.

Basic Settings

Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in "Understanding Interfaces as Presented in the CLI" on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.

The following CLI command
289. or 104 bits.

Note: The Key Length values used by the CLI do not include the initialization vector in the length. On the web UI, longer Key Length values may be shown which include the 24-bit initialization vector. A Key Length of 40 bits (not including initialization vector) is equivalent to a Key Length of 64 bits (with initialization vector). A Key Length of 104 bits (not including initialization vector) is equivalent to a Key Length of 128 bits (which includes the initialization vector).

To set the WEP Key Length, type one of the commands in Table 11.

Table 11. WEP Key Length Commands

Function                              Command
Set the WEP Key Length to 40 bits     set interface wlan0 wep key length 40
Set the WEP Key Length to 104 bits    set interface wlan0 wep key length 128

The following example sets the WEP Key Length to 40:

AT WA7400 set interface wlan0 wep key length 40

Set the Key Type

Valid values for Key Type are ASCII or Hex. The following commands set the Key Type.

Table 12. Key Type Commands

Function                      Command
Set the Key Type to ASCII     set interface wlan0 wep key ascii yes
Set the Key Type to Hex       set interface wlan0 wep key ascii no

In the following example, the key type is set to ASCII:

AT WA7400 set interface wlan0 wep key ascii yes

Set the WEP Keys

Note: The number of characters r
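The two Key Length conventions in the note above (web UI 64/128 bits counting the 24-bit initialization vector, CLI 40/104 bits without it) and the Static WEP settings (Key Type, Characters Required, Transfer Key Index 1 through 4) can be checked together before keys are entered. The Python below is an added example, not code from the guide or from the vendor; the function names and sample keys are constructed for illustration, and the check that the Transfer Key Index points at a populated key slot is an assumption about sensible configuration.

```python
import string

IV_BITS = 24  # WEP prepends a 24-bit initialization vector to the secret key

# Web UI lengths (64, 128) count the IV; CLI lengths (40, 104) do not.
# Both conventions map to the same amount of secret key material.
SECRET_BITS = {40: 40, 64: 40, 104: 104, 128: 104}


def secret_bits(key_length):
    """Return the secret-key size in bits for a web UI or CLI Key Length."""
    if key_length not in SECRET_BITS:
        raise ValueError("unsupported WEP Key Length: %r" % (key_length,))
    return SECRET_BITS[key_length]


def characters_required(key_length, key_type):
    """Number of characters to type for one WEP key of this length and type."""
    nbytes = secret_bits(key_length) // 8
    kind = key_type.lower()
    if kind == "ascii":
        return nbytes          # one character per byte
    if kind == "hex":
        return nbytes * 2      # two hex digits per byte
    raise ValueError("Key Type must be ASCII or Hex, got %r" % (key_type,))


def check_static_wep(key_length, key_type, keys, transfer_key_index):
    """Return a list of problems in a Static WEP setup (empty list = consistent).

    keys maps key index (1-4) to the key string as it would be typed.
    """
    need = characters_required(key_length, key_type)
    kind = key_type.lower()
    problems = []
    for index in sorted(keys):
        key = keys[index]
        if index not in (1, 2, 3, 4):
            problems.append("key index %d is outside 1-4" % index)
        elif len(key) != need:
            problems.append("key %d: %d characters given, %d required"
                            % (index, len(key), need))
        elif kind == "hex" and any(c not in string.hexdigits for c in key):
            problems.append("key %d: contains a non-hex character" % index)
        elif kind == "ascii" and not key.isascii():
            problems.append("key %d: contains a non-ASCII character" % index)
    # Assumption: the key the access point transmits with must be populated.
    if not keys.get(transfer_key_index):
        problems.append("Transfer Key Index %d has no key configured"
                        % transfer_key_index)
    return problems


if __name__ == "__main__":
    # Constructed sample: web UI says 128 bits, Hex; key 2 is one digit short.
    sample_keys = {1: "0123456789abcdef0123456789",
                   2: "0123456789abcdef012345678"}
    print("secret bits:", secret_bits(128), "plus IV bits:", IV_BITS)
    print("characters required:", characters_required(128, "Hex"))
    for line in check_static_wep(128, "Hex", sample_keys, 1):
        print("problem:", line)
```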
290. or TKIP should be used whenever possible. All WPA modes allow you to use these encryption schemes, so WPA security modes are recommended above the others when using WPA is an option.

Additionally, this mode incorporates a RADIUS server for user authentication, which gives it an edge over WPA/WPA2 Personal (PSK) mode.

If you have an external RADIUS server on your network, Allied Telesyn recommends using it rather than the embedded RADIUS server on the access point. An external RADIUS server will provide better security than the local authentication server.

Use the following guidelines for choosing options within the WPA/WPA2 Enterprise (RADIUS) security mode:

- The best security you can have on a wireless network is WPA/WPA2 Enterprise (RADIUS) mode using the CCMP (AES) encryption algorithm. AES is a symmetric 128-bit block data encryption technique that works on multiple layers of the network. It is the most effective encryption system currently available for wireless networks. If all clients or other access points on the network are WPA/CCMP compatible, use this encryption algorithm. If all clients are WPA2 compatible, choose to support only WPA2 clients.

- The second best choice is WPA/WPA2 Enterprise (RADIUS) with the encryption algorithm set to Both (that is, both TKIP and CCMP). This lets WPA client stations without CCMP associate, uses TKIP for encrypting multicast and br
291. ored, new access points will not join the cluster; they will be considered standalone. You need to configure standalone access points manually using KickStart and the AT-WA7400 management software residing on the standalone access points. To get to the web page for a standalone access point, use its IP address in a URL as follows:

http://IPAddressOfAccessPoint

Note: If you change the policy so that new access points are ignored, then any new access points you add to the network will not join the cluster. Existing clustered access points will not be aware of these standalone access points. Therefore, if you are viewing the AT-WA7400 management software web pages through the IP address of a clustered access point, the new standalone access points will not show up in the list of access points on the Cluster > Access Points page. The only way to see a standalone access point is to browse to it directly by using its IP address in the URL.

If you later change the policy to cluster so that new access points are configured automatically, all subsequent new access points will automatically join the cluster. Standalone access points, however, will stay in standalone mode until you explicitly add them to the cluster. For information on how to add standalone access points to the cluster, see "Adding an Access Point to a Cluster" on page 50.

In the Settings section, click Update to apply these settings and deploy the access p
293. ou provide. If you use the embedded RADIUS server, use the management software on the access point to set up and manage user accounts. If you are using an external RADIUS server, you will need to set up and manage user accounts on the Administrative interface for that server.

On the User Management page, you can create, edit, remove, and view client user accounts. Each user account consists of a user name and password. The set of users specified here represent approved clients that can log in and use one or more access points to access local and possibly external networks via your wireless network.

Note: Users specified here are clients of the access point(s) that use the access points as a connectivity hub, not administrators of the wireless network. Only those with the administrator username and password and knowledge of the administration URL can log in as an administrator and view or modify configuration settings.

This chapter contains the following sections:
- Adding a User on page 58
- Editing a User Account on page 60
- Backing Up and Restoring a User Database on page 62

Adding a User

To add a new user, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21.
294. ovided for me automatically: Disable this option (click to uncheck the box).

3. On the Authentication tab, configure the following parameter:

Enable IEEE 802.1x authentication for this network: Make sure that IEEE 802.1x authentication is disabled (box should be unchecked). Setting the encryption mode to WEP should automatically disable authentication.

4. Click OK on the Wireless Network Properties dialog box to close it and save your changes.

Connecting to the Wireless Network with a Static WEP Client

Static WEP clients should now be able to associate and authenticate with the access point. As a client, you will not be prompted for a WEP key. The WEP key configured on the client security settings is automatically used when you connect.

Configuring IEEE 802.1x Security on a Client

IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an IEEE 802.11 wireless network using a protocol called EAP Encapsulation Over LANs (EAPOL). IEEE 802.1x provides dynamically generated keys that are periodically refreshed. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame.

IEEE 802.1x Client Using EAP/PEAP

The built-in authentication server on the AT-WA7400 Wireless Access Point uses Protected Extensible Authentication
295. ow non-WPA clients. This provides the benefit of IEEE 802.1x key management for non-WPA clients along with even better data protection of TKIP and CCMP (AES) key management and encryption algorithms for your WPA and WPA2 clients.

If you have an external RADIUS server on your network, Allied Telesyn recommends that you use it rather than the embedded RADIUS server on the access point. An external RADIUS server provides better security than the local authentication server.

For information on how to configure IEEE 802.1x security mode, see "IEEE 802.1x" on page 121.

When to Use WPA/WPA2 Personal (PSK)

Wi-Fi Protected Access 2 (WPA2) Personal Pre-Shared Key (PSK) is an implementation of the Wi-Fi Alliance IEEE 802.11 standard, which includes Advanced Encryption Algorithm (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. This mode offers the same encryption algorithms as WPA2 with RADIUS but without the ability to integrate a RADIUS server for user authentication.

This security mode is backwards compatible for wireless clients that support only the original WPA.

IEEE 802.1x mode supports a variety of authentication methods, like certificates, Kerberos, and public key authentication, with a RADIUS server. You have a choice of using the RADIUS server embedded in the AT-WA7400 Wireless Access Point or an external RADIUS server. The
296. ow size is reached, retries will continue until a maximum number of retries allowed is reached. Valid values for the cwmax are 1, 3, 7, 15, 31, 63, 127, 255, 511, or 1024. The value for cwmax must be higher than the value for cwmin. For more information, see "Random Backoff and Minimum/Maximum Contention Windows" on page 165.

Max Burst Length (AP EDCA Parameter Only): The Max Burst Length applies only to traffic flowing from the access point to the client station. This value specifies (in milliseconds) the Maximum Burst Length allowed for packet bursts on the wireless network. A packet burst is a collection of multiple frames transmitted without header information. The decreased overhead results in higher throughput and better performance. Valid values for maximum burst length are 0.0 through 999.9. For more information, see "Packet Bursting for Better Performance" on page 166.

2. Click Update to save the settings.

By default, Wi-Fi MultiMedia (WMM) is enabled on the access point. With WMM enabled, QoS prioritization and coordination of wireless medium access is on. With WMM enabled, QoS settings on the AT-WA7400 Wireless Access Point control downstream traffic flowing from the access point to client station (AP EDCA parameters) and the upstream traffic flowing from the station to the access point (station EDCA parameters).

Disabling WMM deactivates QoS control of station EDCA parameters on upstream traffic flowing from th
297. page 74
- Viewing the Last Proposed Set of Changes on page 74
- Configuring Advanced Settings (Customizing and Scheduling Channel Plans) on page 75

By default, automatic channel assignment is disabled (off). To start or stop channel management, perform the following procedure:

1. From the main menu, select Cluster > Channel Management. The Channels page is displayed, as shown in Figure 27 on page 72.

2. Click Start to resume automatic channel assignment. When automatic channel assignment is enabled, the Channel Manager periodically maps radio channels used by clustered access points and, if necessary, reassigns channels on clustered access points to reduce interference (with cluster members or other access points outside the cluster).

Note: Channel Management overrides the default cluster behavior, which is to synchronize radio channels of all access points across a cluster. When Channel Management is enabled, the radio Channel is not synchronized across the cluster to other access points. See the note under Radio Settings in "Settings Shared in the Cluster Configuration" on page 45.

3. Click Stop to stop automatic channel assignment. (No channel usage maps or channel reassignments are made. Only manual updates affect the channel assignment.)

The Current Channel Assignments section displays a list of all access points in the cluster by IP address. The display provides the following information
298. points, type get detected ap.

AT WA7400 get detected ap

Field     Value
mac       00 e0 b8 76 28 e0
type      AP
privacy   On
ssid      Purina
channel   6
Signal    2

mac       00 0e 81 01 01 62
type      AP
privacy   Off
ssid      Internal AT wA7400 Network
channel   6
Signal    1

mac       00 e0 b8 76 1a f6
type      AP
privacy   off
ssid      domani
channel   6
Signal    3

mac       00 e0 b8 76 28 c0
type      AP
privacy   off
ssid      domani
channel   6
Signal    4

Ethernet (Wired) Interface

Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in "Understanding Interfaces as Presented in the CLI" on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.

Table 9 provides a quick view of commands for getting and setting values for the Wired interface and links to detailed examples.

Table 9. Wired Interface Commands

Function                                               Command
Get Summary View of Internal and Guest Interfaces      get bss
Get the DNS Name                                       get host id
Set the DNS Name                                       set host id HostName
                                                       For example: set host id vicky ap

Table 9. Wired Interface Commands (Continued)

Function
299. ption is Allied Telesyn recommends that you use the default interval.

Enable RADIUS Accounting: Click Enable RADIUS Accounting if you want to track and measure the resources a particular user has consumed, such as system time, amount of data transmitted and received, and so on.

2. Click Update to save your settings.

Wi-Fi Protected Access 2 (WPA2) with Pre-Shared Key (PSK) is a Wi-Fi Alliance IEEE 802.11 standard, which includes Advanced Encryption Algorithm (AES), Counter mode/CBC-MAC Protocol (CCMP), and Temporal Key Integrity Protocol (TKIP) mechanisms. The Personal version of WPA2 employs a pre-shared key (instead of using IEEE 802.1x and EAP as is used in the Enterprise WPA2 security mode). The PSK is used for an initial check of credentials only.

This security mode is backwards compatible for wireless clients that support the original WPA.

When you select the WPA/WPA2 Personal (PSK) security mode, the settings in Figure 38 are displayed.

[Figure 38: WPA/WPA2 Personal (PSK) Security Mode Settings. Fields shown: Security Mode, WPA Versions (Both), Cipher Suites (TKIP), Key.]

Configure the following settings:

WPA Versions: Select the types of client stations you want to support:

- WPA: If all client stations on the network support the original WPA but none support the newer WPA2, then select WPA.
- WPA2: If all client stations on the network support WPA2, we suggest using W
300. queue data2 to 0 5 AT WA7400 set tx queue wlan0 with queue data2 to burst 0 5 View the results of this configuration update bold in the command output highlights the modified value AT WA7400 get tx queue name queue aifs cwmin cwmax burst wlanO data0 13 3 7 1 5 wlanO datal 1 15 31 3 0 343 Appendix D Command Line Interface CLI for Access Point Configuration 344 Wireless Distribution System wlanO data2 3 15 63 0 5 wlanO data3 7 15 1023 0 Set Transmission Opportunity Limit txop limit for WMM client stations The Transmission Opportunity Limit txop 1imit specifies an interval of time in milliseconds when a WMM client station has the right to initiate transmissions on the wireless network The txop 1limit applies only to the client stations station to access point traffic To set the txop 1limit on station to access point traffic set wme queue wlanO with queue Queue Name to txop limit txop Timit_Value Where Queuve_Name is the queue on the station to which you want the setting to apply and txop 7im7t_va ue is the value you want to specify for the txop limit For example this command sets the txop 1imit on the station Voice queue vo to 49 AT WA7400 set wme queue wlan0 with queue vo to txop limit 49 View the results of this configuration update bold in the command output highlights the modified value AT WA7400 get wme queue name queue aifs cwmin cwmax txop limit wlan0O vo 14 3
301. r from current channel assignments if manual channel modifications have been made.

Figure 27. Channel Management Page

The Channel Management page shows previous, current, and planned channel assignments for clustered access points. By default, automatic channel assignment is disabled. You can start channel management to optimize channel usage across the cluster on a scheduled interval.

From this page, you can view channel assignments for all access points in the cluster, stop/start automatic channel management, and manually update the current channel map (access points to channels). When you do a manual update, the Channel Manager assesses channel usage and, if necessary, reassigns access points to new channels to reduce interference based on the current Advanced settings.

Using the Advanced settings, you can modify the interference reduction potential that triggers channel reassignment, change the schedule for automatic updates, and reconfigure the channel set used for assignments.

Configuring the Channel Management Settings

This section contains the following procedures:
- Stopping or Starting Automatic Channel Assignment, next
- Viewing Current Channel Assignments and Setting Locks on page 73
- Updating the Current Channel Settings Manually on
302. r network you can disable the broadcast SSID so that your network name is not advertised. If the network is sufficiently isolated from access to sensitive information, this may offer enough protection in some situations. This level of protection is the only one offered for guest networks, and also may be the right trade-off for other scenarios where the priority is making it as easy as possible for clients to connect. See "Does Prohibiting the Broadcast SSID Enhance Security?" on page 113.

Following is a brief discussion of what factors make one mode more secure than another, a description of each mode offered, and when to use each mode.

Comparison of Security Modes for Key Management, Authentication and Encryption Algorithms

Three major factors that determine the effectiveness of a security protocol are:
- How the protocol manages keys
- Presence or absence of integrated user authentication in the protocol
- Encryption algorithm or formula the protocol uses to encode/decode the data

Following are the security modes available in the AT-WA7400 Wireless Access Point, along with a description of the key management, authentication, and encryption algorithms used in each mode, and some suggestions as to when one mode is more appropriate than another:
- Plain text
- Static WEP
- IEEE 802.1x
- WPA/WPA2 Personal (PSK)
- WPA/WPA2 Enterprise (RADIUS)

When to Use Plain Te
303. rd

9. Click OK in all dialog boxes (starting with the EAP MSCHAP v2 Properties dialog) to close and save your changes.

WPA/WPA2 Enterprise (RADIUS) PEAP clients should now be able to associate with the access point. Client users will be prompted for a user name and password to authenticate with the network.

WPA/WPA2 Enterprise (RADIUS) Client Using EAP-TLS Certificate

Extensible Authentication Protocol (EAP) Transport Layer Security (TLS), or EAP-TLS, is an authentication protocol that supports the use of smart cards and certificates. You have the option of using EAP-TLS with both WPA/WPA2 Enterprise (RADIUS) and IEEE 802.1x modes if you have an external RADIUS server on the network to support it.

Note: If you want to use IEEE 802.1x mode with EAP-TLS certificates for authentication and authorization of clients, you must have an external RADIUS server and a Public Key Authority Infrastructure (PKI), including a Certificate Authority (CA) server, configured on your network. It is beyond the scope of this document to describe the configuration of the RADIUS server, PKI, and CA server. Consult the documentation for those products.

Some good starting points available on the web for the Microsoft Windows PKI software are "How to Install/Uninstall a Public Key Certificate Authority for Windows 2000" at http://support.microsoft.com/default.aspx?scid=kb;EN-US;231881 and How t
305. resents the internal interface for the access point. To telnet or ssh into the access point, use the IP address for this interface. br0 consists of:
- eth0 (or vlanSomeNumber if you have VLANs configured)
- wlan0
- wlan1 (if the access point is a two-radio access point)

The IP address of the access point is provided in the output detail for br0. So a useful command is get interface. This gives you common information on all interfaces. From the output results, you can find the IP address for br0. Use this IP address to connect to the access point.

brguest: The guest bridge, which consists of eth1 and wlan0guest.

brvwn1: The bridge interface for virtual wireless network (VWN) 1.

On a one-radio access point, the bridge interface for VWN1 consists of:
- wlan0vwn1
- vlanVLANID, where VLANID is a four-digit VLAN ID that you provided. (For example, if you provided a VLAN ID of 1234, the VLAN interface would be vlan1234.)

On a two-radio access point, the bridge interface for VWN1 consists of:
- wlan0vwn1
- wlan1vwn1
- vlanVLANID, where VLANID is a four-digit VLAN ID that you provided. (For example, if you provided a VLAN ID of 1234, the VLAN interface would be vlan1234.)

Table 4. Interfaces in the CLI

Interface    Description
brvwn2       This is for the second virtual wireless network (VWN) 2. On a one-radio access point, the
306. ring VLANs on page 140
- Configuring the Management VLAN on page 143

Configuring VLANs

Note: To configure additional networks on VLANs, you must first enable virtual wireless networks on the Ethernet (wired) interface. See "Enabling or Disabling Virtual Wireless Networks on the Access Point" on page 90.

Caution: If you configure VLANs, you may lose connectivity to the access point. First, be sure to verify that the switch and DHCP server you are using can support VLANs per the IEEE 802.1Q standard. After configuring VLANs, physically reconnect the Ethernet cable on the switch to the tagged packet (VLAN) port. Then reconnect using the web pages to the new IP address. (If necessary, check with the infrastructure support administrator regarding the VLAN and DHCP configurations.)

To configure a VLAN, perform the following procedure:

1. From the main menu, select Advanced > Virtual Wireless Networks. The Virtual Wireless Networks page is shown in Figure 43.

[Figure 43: Virtual Wireless Networks Page. Fields shown: Virtual Wireless Network, Status (On / Off), Wireless Network Name (SSID), VLAN ID, Broadcast SSID (Allow / Prohibit), Security Mode.]

2. Configure the following settings as necessary:

Virtual Wireless Network: Choose one of the following from the list to iden
307. ring the Wireless Settings

Configuring Internal Wireless LAN Settings

The Internal Settings describe the MAC address (read-only) and Network Name (also known as the SSID) for the internal wireless LAN (WLAN). To configure the internal settings, perform the following procedure:

1. From the main menu, select Advanced > Wireless Settings. The Wireless Settings page opens, as shown in Figure 31 on page 98.

2. Configure the following settings:

MAC Address: Shows the MAC address(es) for the internal interface for this access point. This is a read-only field that you cannot change. Although this access point is physically a single device, it can be represented on the network as two or more nodes, each with a unique MAC Address. You can do this by using multiple Basic Service Set Identifiers (BSSIDs) for a single access point. The MAC address(es) shown for the internal access point is the BSSID(s) for the internal interface. For the two-radio access point, two MAC addresses are shown, one for each radio on the internal interface.

Wireless Network Name (SSID): Enter the SSID for the internal WLAN. The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters that uniquely identifies a wireless local area network. It is also referred to as the Network Name. There are no restrictions on the characters that may be used in an SSID.

3. Click Update to save your settings.
308. rity queue. Interactive data in the queues labeled Data 0 and Data 1 is always sent first, best effort data in Data 2 is sent next, and Background (bulk) data in Data 3 is sent last. Each lower priority queue (class of traffic) gets bandwidth that is left over after the higher classes of traffic have been sent. At an extreme end, if you have enough interactive data to keep the access point busy all the time, low priority traffic would never get sent.

Using the QoS settings on the web UI, you can configure Enhanced Distributed Channel Access (EDCA) parameters that determine how each queue is treated when it is sent by the access point to the client or by the client to the access point.

Note: Wireless traffic travels:
- Downstream from the access point to the client station
- Upstream from client station to access point
- Upstream from access point to network
- Downstream from network to access point

With WMM enabled, QoS settings on the AT-WA7400 Wireless Access Point affect the first two of these: downstream traffic flowing from the access point to client station (AP EDCA parameters) and the upstream traffic flowing from the station to the access point (station EDCA parameters).

With WMM disabled, you can still set some parameters on the downstream traffic flowing from the access point to the client station (AP EDCA parameters).

The other phases of the traffic flow (to and from the network) are not under control of the QoS settings on
311. rtificate has been successfully installed.

Figure 36. Certificate Installed Confirmation Window

Appendix C: Troubleshooting

This appendix provides information about how to solve common problems you might encounter in the course of updating network configurations on networks served by multiple clustered access points. This appendix includes the following sections:
- Wireless Distribution System (WDS) Problems and Solutions on page 260
- Cluster Recovery on page 261

Wireless Distribution System (WDS) Problems and Solutions

If you are having trouble configuring a WDS link, read the following list of guidelines for configuring WDS. The most common problem Administrators encounter with WDS setups is forgetting to set both access points in the link to the same radio channel and IEEE 802.11 mode. The following list summarizes some critical guidelines regarding WDS configuration:

- The only security mode available on the WDS link is Static WEP, which is not particularly secure. Therefore, Allied Telesyn recommends that you use WDS to bridge the guest network only for this release. Do not use WDS to bridge access points on the internal network unless you are not concerned about the security risk for data traffic on that network.

- When you use WDS, be sure to configure WDS settings on both access points participating in the WDS link.

- You can have only one WDS
312. ryption Algorithm. User Authentication. IEEE 802.1x provides dynamically generated keys that are periodically refreshed. There are different Unicast keys for each station. An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each 802.11 frame. IEEE 802.1x mode supports a variety of authentication methods, like certificates, Kerberos, and public key authentication with a RADIUS server. You have a choice of using the embedded RADIUS server or an external RADIUS server. The embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2. IEEE 802.1x mode is a better choice than Static WEP because keys are dynamically generated and changed periodically. However, the encryption algorithm used is the same as that of Static WEP and is therefore not as reliable as the more advanced encryption methods, such as TKIP and CCMP (AES), used in Wi-Fi Protected Access (WPA) or WPA2. Additionally, compatibility issues may be cumbersome because of the variety of authentication methods supported and the lack of a standard implementation method. Therefore, IEEE 802.1x mode is not as secure a solution as Wi-Fi Protected Access (WPA) or WPA2. If you cannot use WPA because some of your client stations do not have WPA, then a better solution than using IEEE 802.1x mode is to use WPA/WPA2 Enterprise (RADIUS) mode instead and check the Allow non-WPA IEEE 802.1x clients checkbox to all
313. s on page 102. Note: Before configuring this feature, make sure you are familiar with the names of the interfaces as described in "Understanding Interfaces as Presented in the CLI" on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two. The following sections show examples of how to use the CLI to view and configure security settings on the access point. These settings correspond to those available from the web UI on the Advanced > Security page. For a detailed discussion of concepts and configuration options, see Chapter 10, "Configuring Security" on page 105. This section focuses on configuring security on the internal network. Security on the guest network defaults to plain text. See "Plain Text" on page 115. Table 10 shows a quick view of Security commands and links to detailed examples.
    Table 10. Security Commands
    Function: Get the Current Security Mode
    Command: get interface wlan0 security
    Function: Get Detailed Description of Current Security Settings
    Command: get bss wlan0bssInternal detail
    Command: get interface wlan0 detail
    Function: Set the Broadcast SSID (Allow or Prohibit)
    Command: set radio wlan0 ignore broadcast ssid on
    Command: set radio wlan0 ignore broadcast ssid off
314. s Access Point's embedded RADIUS server supports Protected EAP (PEAP) and MSCHAP V2. If you use your own RADIUS server, you have the option of using any of a variety of authentication methods that the IEEE 802.1x mode supports, including certificates, Kerberos, and public key authentication. Keep in mind, however, that the client stations must be configured to use the same authentication method being used by the access point. When you select IEEE 802.1x Security Mode, the settings shown in Figure 37 are displayed at the bottom of the page. [Figure 37. IEEE 802.1x Security Mode Settings. Fields shown: Security Mode, Authentication Server, Radius IP, Radius Port, Radius Key, WPA Group Rekey Interval, Enable radius accounting.] 1. Configure the following settings. Authentication Server: Select one of the following from the list. Built-in: To use the authentication server provided with the AT-WA7400 Wireless Access Point. If you choose this option, you do not need to provide the Radius IP and Radius Key; they are automatically provided. External: To use an external authentication server. If you choose this option, you must supply a Radius IP and Radius Key of the server you want to use. Note: The RADIUS server is identified by its IP address and UDP port numbers for the different services it provides. With firmware v
315. s on the Authentication tab. Enable IEEE 802.1x authentication for this network: Enable (click to check) this option. EAP Type: Choose Smart Card or other Certificate. 9. Click Properties to open the Smart Card or other Certificate Properties dialog and enable the Validate server certificate option, as shown in Figure 18. Validate Server Certificate: Enable this option (click to check the box). Certificates: In the certificate list shown, select the certificate for this client. [Figure 18. Smart Card or other Certificate Properties. Callouts: Enable (click to check) Validate server certificate; Select (check) the name of the certificate on this client, downloaded from the RADIUS server in a prerequisite procedure.]
316. Neighbor Details Information; Ethernet (Wired) Settings Page; Wireless Settings Page; Security Page; Static WEP Security Mode Settings; Setting the AP Transfer Key on the Access Point; Providing a Wireless Client with a WEP Key; Example of Using Multiple WEP Keys and Transfer Key Index on Client Stations; IEEE 802.1x Security Mode Settings; WPA/WPA2 Personal (PSK) Security Mode Settings; WPA/WPA2 Enterprise (RADIUS) Security Mode Settings; APP Map Table; SNMP Configuration Page
317. Get Summary View of Internal and Guest Interfaces; Get the DNS Name; Set the DNS Name; Get Wired Internal Interface Settings; Get Wired Guest Interface Settings; Set DNS Nameservers to Use Static IP Addresses (Dynamic to Manual Mode); Set DNS Nameservers to Use DHCP IP Addressing (Manual to Dynamic Mode); Setting Up the Wireless Interface; Setting Up Security; Get the Current Security Mode; Get Detailed Description of Current Security Settings; Set the Broadcast SSID (Allow or Prohibit); Enable/Disable Station Isolation; Set Security to Plain Text
318. security configured on a client for properties of an unsecure network, the security settings actually can prevent successful access to the network because of the mismatch between client and access point security configurations. To configure the client to not use any security, perform the following procedure: 1. Open the client's Network Properties dialog box. 2. Configure the following settings, as shown in Figure 5: a. For Network Authentication, choose Open. b. For Data encryption, choose Disabled. [Figure 3. Wireless Network Properties Dialog Box. Callouts: Set Network Authentication to Open; Set Data Encryption to Disabled.] Configuring Static WEP Security on a Client. Static Wired Equivalent Privacy (WEP) encrypts data moving across a wireless network based on a static (non-changing) key. The encryption algorithm is a stream cipher called RC4. The access point uses a key to transmit data to the client stations. Each client must use that same key to decrypt data it receives from the access point. Different clients can use different keys to transmit data to the access point. Or they c
319. Configuring Static WEP Security on a Client; Connecting to the Wireless Network with a Static WEP Client; Configuring IEEE 802.1x Security on a Client; IEEE 802.1x Client Using EAP PEAP; IEEE 802.1x Client Using EAP TLS Certificate; Configuring WPA/WPA2 Enterprise (RADIUS) Security on a Client; WPA/WPA2 Enterprise (RADIUS) Client Using EAP PEAP; WPA/WPA2 Enterprise (RADIUS) Client Using EAP TLS Certificate; Configuring WPA/WPA2 Personal (PSK) Security on a Client; Configuring an External RADIUS Server to Recognize the AT-WA7400 Wireless Access Point; Obtaining a TLS EAP Certificate for a Client; Appendix C
320. Chapter 18: Backing Up and Restoring a Configuration; Backing up the Configuration Settings for an Access Point; Restoring Access Point Settings to a Previous Configuration; Appendix A: Management Software Default Settings; Appendix B: Configuring Security on Wireless Clients; Network Infrastructure and Choosing Between the Built-in or External Authentication Server; Want to Use the Built-in Authentication Server (EAP PEAP); Want to Use an External RADIUS Server with EAP TLS Certificates or EAP PEAP; Make Sure the Wireless Client Software is Up to Date; Accessing the Microsoft Windows Wireless Client Security Settings; Configuring a Client to Access an Unsecure Network (Plain Text Mode)
321. ser Accounts; Adding a User; Editing a User Account; Enabling a User Account; Disabling a User Account; Removing a User Account; Backing Up and Restoring a User Database; Backing Up the User Database; Restoring a User Database from a Backup File; Chapter 5: Session Monitoring; Viewing Sessions Information; Viewing Specific Session Information
322. ss Distribution System (WDS). Understanding the Wireless Distribution System. A wireless distribution system (WDS) is an 802.11f technology that wirelessly connects access points, known as Basic Service Sets (BSS), to form what is known as an Extended Service Set (ESS). Note: A BSS generally equates to an access point deployed as a single-access-point wireless network, except in cases where multi-BSSID features make a single access point look like two or more access points to the network. In such cases, the access point has multiple unique BSSIDs. Using WDS to Bridge Distant Wired LANs. In an ESS, a network of multiple access points, each access point serves part of an area which is too large for a single access point to cover. You can use WDS to bridge distant Ethernets to create a single LAN. For example, suppose you have one access point which is connected to the network by Ethernet and serving multiple client stations in the Conference Room (LAN Segment 1), and another Ethernet-wired access point serving stations in the West Wing offices (LAN Segment 2). You can bridge the Conference Room and West Wing access points with a WDS link to create a single network for clients in both areas, as shown in Figure 50. [Figure 50. Example Wireless Network, showing LAN Segment 1 and LAN Segment 2.] Using WDS to Extend the. An ESS can extend the reach of the network into areas where cabling would be difficult, costly
323. ss of the RADIUS server. The IP address of the AT-WA7400 Wireless Access Point's internal authentication server is 127.0.0.1. If you have an external RADIUS server on your network, we recommend using it rather than using the embedded RADIUS server on the access point. An external RADIUS server will provide better security than the local authentication server. For information on setting up user accounts, see Chapter 4, "Managing User Accounts" on page 57. RADIUS Port: The default port number is 1812. You can change this if your application requires it. RADIUS Key: The RADIUS Key is the shared secret key for the RADIUS server. The text you enter will be displayed as characters to prevent others from seeing the RADIUS key as you type. The IP address of the AT-WA7400 Wireless Access Point's internal authentication server key is secret. This value is never sent over the network. WPA Group Rekey Interval: The interval after which the WPA encryption key is automatically changed and authenticated between devices. The shorter the interval, the stronger the encryption. Allied Telesyn recommends that you use the default interval. Enable RADIUS Accounting: Click Enable RADIUS Accounting if you want to enforce authentication for WPA client stations with user names and passwords for each station. See also Chapter 4, "Managing User Accounts" on page 57. 2. Click Update to save your settings.
324. ssword. The administrator password controls access to the AT-WA7400 Management Software web pages for the AT-WA7400 Wireless Access Point. This setting is also available on the Basic Settings administration page. When you set the administration password in either place and apply the change, the new password is updated and shared by all access points in the cluster. To set the administrator password, perform the following procedure: 1. From the main menu, select Basic Settings. The Basic Settings page is shown in Figure 59. [Figure 59. Basic Settings page, with the sections Review Description of this Access Point, Provide Network Settings, and Set Configuration Policy for New Access Points.]
325. t You can use any of these methods to access the CLI for the access point or wireless network: "Telnet Connection to the Access Point" (next) and "SSH Connection to the Access Point" on page 270. If you already have your network deployed and know the IP address of your access point, you can use a remote Telnet connection to the access point to view the system console over the network. Note: The default Static IP address is 192.168.1.230. If there is no DHCP server on the network, the access point retains this static IP address at first-time startup. You can use KickStart to find the IP address of the access point. For more about IP addressing, see "Understanding Dynamic and Static IP Addressing on the AT-WA7400 Management Software" on page 23. To make a Telnet connection to the AT-WA7400 Wireless Access Point, perform the following procedure: 1. Open a command window on your PC. For example, from the system tray on the desktop, choose Start > Run to bring up the Run dialog, type cmd in the Open field, and click OK. 2. At the command prompt, type the following:
    telnet IPAddressofAccessPoint
where IPAddressofAccessPoint is the address of the access point you want to monitor. If your Domain Name Server is configured to map domain names to IP addresses via DHCP, you can also telnet to the domain name of the access point. You will be prompted for an Administrator user name and password for
326. Email and Telephone Support; Warranty; Returning Products; Sales or Corporate Information; Management Software Updates; Chapter 1: Preparing to Set Up the AT-WA7400 Wireless Access Point; Setting Up the Administrator's Computer; Setting Up the Wireless Client Computers; Understanding Dynamic and Static IP Addressing on the AT-WA7400 Management Software; Dynamic IP Addressing; Static IP Addressing; Recovering an IP Address; Chapter 2: Setting up the AT-WA7400 Management Software
327. t along the right side provides help related to the specific management software function for the menu item you chose. Click one of the links within the help to display information about that topic. To see all the help topics, click the Help link at the top of the page. Configuring the Basic Settings and Starting the Wireless Network. Configuring the Basic Settings. Provide a minimal set of configuration information by defining the basic settings for your wireless network. These settings are all available on the Basic Settings page in the AT-WA7400 management software and are categorized into steps 1-4 on the web page. To configure initial settings, perform the following procedure: 1. In the Review Description of this Access Point section, configure the following parameters as necessary. IP Address: The IP address assigned to this access point. You cannot edit this field because the IP address is already assigned, either through DHCP or statically through the Ethernet (wired) settings, as described in "Enabling or Disabling Guest Access" on page 90. MAC Address: Shows the MAC address of the access point. A MAC address is a permanent, unique hardware address for any device that represents an interface to the network. The MAC address is assigned by the manufacturer. You cannot change the MAC address. It is provided here for informational purposes as a unique identifier for an in
328. t authentication. [Figure 37. Stop Clustering Page.] 2. Click Stop Clustering. Repeat this stop clustering step for every access point in the cluster. Caution: Do not proceed to the next step of resetting any access points until you have stopped clustering on all of them. Make sure that you first stop clustering on every access point on the subnet, and only then perform the next part of the process of resetting each one to the factory defaults. 3. Go to the web pages of the access point you want to reset by entering its URL into the address bar of your web browser: http://IPAddressofAccessPoint, where IPAddressofAccessPoint is the IP address of the access point you want to reset. 4. From the main menu, choose Advanced > Reset Configuration. The Reset Configuration page is shown in Figure 38. [Figure 38. Reset Configuration Page, with the Restore Factory Default Configuration control.] 5. Click Reset to restore the factory defaults on the access point. This will clear all of your previous settings, including updated passwords. 6. Repeat this reset step for every access point in the cluster. Caution: Do not proceed to the next step until you have stopped clustering on all of the access points in the pre-existing cluster. 7. From the main menu of any access point, select Cluster > Access Points. The Cluster Management page is sho
329. tation isolation and security mode, perform the following procedure: 1. From the main menu, select Advanced > Security. The Security page is shown in Figure 32. [Figure 32. Security Page. Settings shown for the Internal Network, Radio One: Broadcast SSID (Allow or Prohibit), Station Isolation (Off or On), Security Mode (Plain text).] 2. Configure the following settings. Note: You can also allow or prohibit the Broadcast SSID and enable/disable Station Isolation as extra precautions, as mentioned below. Broadcast SSID: Select the Broadcast SSID setting by clicking Allow or Prohibit. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the access point's broadcast SSID is suppressed, the network name will not be displayed in the List of Available Networks on a client station. Instead, the client must have the exact network name configured in the supplicant before it will be able to connect. Station Isolation: Select Off to disable Station Isolation or On to enable it. When Station Isolation is Off, wireless clients can communicate with one another normally by sending traffic through the access point. When Station Isolati
330. tched
Remove a User Account:
    remove radius user UserName
Get All User Accounts. To view all user names:
    AT WA7400 get radius user all name name
To view all user accounts:
    AT WA7400 get radius user all name username disabled password realname David white
Add Users. In this example, four new users are added, (1) samantha, (2) endora, (3) darren, and (4) wally, and their user names, real names, and passwords are set up.
1. Add username samantha:
    AT WA7400 add radius user samantha
Provide a real name (Elizabeth Montgomery) for this user:
    AT WA7400 set radius user samantha realname Elizabeth Montgomery
Set the user password for samantha to bewitched:
    AT WA7400 set radius user samantha password bewitched
Repeat this process to add some other users (endora, darren, and wally):
    AT WA7400 add radius user endora
    AT WA7400 set radius user endora realname Agnes Moorhead
    AT WA7400 set radius user endora password scotch
    AT WA7400 add radius user darren
    AT WA7400 set radius user darren realname Dick York
    AT WA7400 set radius user darren password martini
    AT WA7400 add radius user wally
    AT WA7400 set radius user wally realname Tony Dow
    AT WA7400 set radius user wally password sodapop
After configuring these new accounts, use the get command to view all users. Passwords are always hid
331. ter. Cluster members who are also neighbors are shown at the top of the Neighbors list and identified by a heavy bar above the Network Name. The colored bars and numbers to the right of each AP in the Neighbors list indicate signal strength for each neighbor AP as detected by the cluster member whose IP address is at the [Figure 28. Wireless Neighborhood Page.] The Wireless Neighborhood page displays the following information. Display neighboring APs: Click one of the following radio buttons to change the view. In cluster: Shows only neighbor access points that are members of the cluster. Not in cluster: Shows only neighbor access points that are not cluster members. Both: Shows all neighbor access points (cluster members and nonmembers). Cluster: The Cluster list at the top of the table shows IP addresses for all access poin
332. ter configuration policy is in place when a new access point is deployed, it attempts to rendezvous with an existing cluster. If it is unable to locate a cluster, then it establishes a new cluster on its own. If it locates a cluster but is rejected because the cluster is full, or the clustering policy is to ignore new access points, then the access point deploys in standalone mode. The upper limit of a cluster is eight access points. The Cluster web administration pages provide a real-time visual indicator of the number of access points in the current cluster and warn when the cluster has reached access point capacity. If a cluster is present but is already full, new access points are deployed in standalone mode. To ensure that the security of the cluster as a whole is equivalent to the security of a single access point, communication of certain data between access points in a cluster is done using Secure Sockets Layer with private key encryption. Both the cluster configuration file and the user database are transmitted among access points using SSL. If you are making changes to the access point configuration that require a relatively large amount of processing, such as adding several new users, you may encounter a synchronization progress bar after clicking Update on any of the AT-WA7400 Management Software web pages. The progress bar indicates that the system is busy performing an auto-synch of the updated configuration to all access
333. terface. The address shown here is the MAC address for the bridge (br0). This is the address by which the access point is known externally to other networks. Firmware Version: Version information about the firmware currently installed on the access point. As new versions of the firmware become available, you can upgrade the firmware on your access points to take advantage of new features and enhancements. For instructions on how to upgrade the firmware, see "Upgrading the Firmware" on page 207. Location: Specify a location description for this access point. In the Provide Network Settings section, configure the following parameters as necessary. Current Password: As an immediate first step in securing your wireless network, Allied Telesyn recommends that you change the administrator password from the default, which is friend. Enter the current administrator password. New Password: Enter a new administrator password. The characters you enter are displayed as characters to prevent others from seeing your password as you type. The Administrator password must be an alphanumeric string of up to 8 characters. Do not use special characters or spaces. Confirm New Password: Retype the new administrator password to confirm that you typed it as you intended. Network Name (SSID): Enter a name for the wireless network as a character string. This name
334. terfaces as Presented in the CLI" on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two. You can control access to the AT-WA7400 Wireless Access Point based on media access control (MAC) addresses. Based on how you set the filter, you can allow only client stations with a listed MAC address or prevent access to the stations listed. Specify an Accept or Deny List. To set up MAC filtering, you first need to specify which type of list you want to configure. The commands are shown in Table 29.
    Table 29. Accept and Deny List Commands
    Function: Set up an Accept list. With this type of list, client stations whose MAC addresses are listed will be allowed access to the access point.
    Command: set bss wlan0bssInternal mac acl mode accept list
    Function: Set up a Deny list. With this type of list, the access point will prevent access to client stations whose MAC addresses are listed.
    Command: set bss wlan0bssInternal mac acl mode deny list
Add MAC Addresses of Client Stations to the Filtering List. To add a MAC address to the list:
    add mac acl wlan0bssInternal mac MAC_Address_of_Client
where MAC_Address_of_Client is the MAC address of a wireless client you want to add to the MAC filtering
335. the access point. EDCF Control of Data Frames and Arbitration Interframe Spaces. Data is transmitted over 802.11 wireless networks in frames. A frame consists of a discrete portion of data along with some descriptive meta-information packaged for transmission on a wireless network. Note: A frame is similar in concept to a packet. The difference is that a packet operates on the network layer (layer 3 in the OSI model), whereas a frame operates on the data link layer (layer 2 in the OSI model). Each frame includes a source and destination MAC address, a control field with protocol version, frame type, frame sequence number, frame body (with the actual information to be transmitted), and frame check sequence for error detection. The 802.11 standard defines various frame types for management and control of the wireless infrastructure, and for data transmission. The 802.11 frame types are (1) management frames, (2) control frames, and (3) data frames. Management and control frames, which manage and control the availability of the wireless infrastructure, automatically have higher priority for transmission. 802.11e uses interframe spaces to regulate which frames get access to available channels and to coordinate wait times for transmission of different types of data. Management and control frames wait a minimum amount of time for transmission; they wait a short interframe space (SIF). These w
336. the access point is set to prohibit the broadcast of its network name. In this case, the SSID will not show up in the list of Available Networks on the client. Instead, the client must have the exact network name configured in the network connection properties before it will be able to connect.

After an access point has been detected by the client and security is configured for it, the access point remains in the client's list of networks but shows as either reachable or unreachable, depending on the situation. For each network (access point) you want to connect to, configure security settings on the client to match the security mode being used by that network.

This appendix describes the security setup on a client that uses Microsoft Windows client software for wireless connectivity. The Windows client software is used as the example because of its widespread availability on Windows computers and laptops. These procedures will vary slightly if you use different software on the client (such as Funk Odyssey), but the configuration information you need to provide is the same.

The recommended sequence for security configuration is (1) set up security on the access point, and (2) configure security on each of the wireless clients. Initially, you will connect to an access point that has no security set (plain text mode) from an unsecure wireless client. With this initial connection, you can go to the access point's web pages and configure a security
337. the cluster and if you specify automatic configuration for any new access points that you add later.

[Screenshot of the Basic Settings page, "Provide basic settings". Panel titles and on-screen text:
Review Description of this Access Point: These fields show information specific to this access point. Fields: IP Address, MAC Address, Firmware Version, Location.
Provide Network Settings: These settings apply to this access point. The same settings will apply to new access points joining the cluster if the policy for adding new access points is set to "configure automatically". Fields: Current Password, New Password, Confirm New Password, Wireless Network Name (SSID).
Set Configuration Policy for New Access Points: If you choose "configure automatically" as the policy for adding new access points, new access points will join the cluster when they are powered up and inherit the settings specified on this page. If you choose to ignore new access points, you must configure them manually. Field: New Access Points. This access point is in standalone mode. If you need to change these settings, click the Access Points tab.
Settings: Click "Update" to save the new settings.]

Figure 13 Basic Settings P
338. the configuration process. Click Next to continue.

[Figure 3: KickStart Welcome Dialog Box]

5. Click Next to search for access points. Wait for the search to complete, or until KickStart has found your new access points, as shown in Figure 4.

[Figure 4: KickStart Search Results Dialog Box. The dialog reports "KickStart found 2 Access Point(s)" and lists each access point with the columns Location, MAC Address, and IP Address, followed by "Click Next to configure your Access Points".]

Note: The KickStart utility only finds other AT WA7400 Wireless Access Points. If KickStart does not find the AT WA7400 Wireless Access Point you just installed, an informational window is displayed with troubleshooting information about your LAN and power connections.

Review the list of access points that KickStart found, as shown in the example in Figure 4 on page 28. The access points are listed with their locations, media access control (MAC) addresses, and IP addresses. If you are installing the first access point on a single-access-point network, only one entry is displayed on this page.

Verify the MAC addresses against the hardware labels for each access point. This will be especially helpful later in providing or modifying the descriptive Location name for each access point.

Click Next
339. the embedded RADIUS server. If you use an external RADIUS server, you will need to set up and manage user accounts on the Administrative interface for that server.

[Figure 22: User Accounts Section. A table of user accounts with the columns Selected, Edit, Username, Real Name, and Status, and the buttons Enable, Disable, and Remove for the selected users.]

A user account must be enabled for the user to log on as a client and use the access point. You can enable or disable any user account. With this feature, you can maintain a set of user accounts and authorize or prevent users from accessing the network without having to remove or re-create accounts. This can come in handy in situations where users have an occasional need to access the network. For example, contractors who do work for your company on an intermittent but regular basis might need network access for 3 months at a time, then be off for 3 months, and back on for another assignment. You can enable and disable these user accounts as needed, and control access as appropriate.

To enable a user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.
2. In the User Accounts section, click the checkbox next to the user name you want to enable.
3. Click
340. the running configuration.

Example 2. Type get TAB TAB (including a space after get) to see a list of all field options for the get command.

AT WA7400 get

    association      Associated station
    basic rate       Basic rates of radios
    bridge port      Bridge ports of bridge interfaces
    bss              Basic Service Set of radios
    cluster          Clustering based configuration settings
    cluster member   Member of a cluster of like configured accesspoints
    config           Configuration settings
    detected ap      Detected access point
    dhcp client      DHCP client settings
    dot11            IEEE 802.11 (all radios)
    host             Internet host settings
    interface        Network interface
    ip route         IP route entry
    klog entry       Kernel log entry
    log              Log settings
    log entry        Log entry
    mac acl          MAC address access list item
    ntp              Network Time Protocol client
    portal           Guest captive portal
    radio            Radio
    radius user      RADIUS user
    ssh              SSH access to the command line interface
    supported rate   Supported rates of radios
    system           System settings
    telnet           Telnet access to the command line interface
    tx queue         Transmission queue parameters
    wme queue        Transmission queue parameters for stations

Example 3. Type get system v TAB. This will result in completion with the only matching field, get system version. Press ENTER to get the output results of the command.

AT WA7400 get system v 351 Appendix D Command Line Interface CLI for Access
341. these networks you want the data exchange to occur. Specify the network to which you want to bridge this access point:
- Internal Network
- Guest Network

WEP
Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. Both access points on the WDS link must be configured with the same security settings. For static WEP, a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption.

Specify whether you want Wired Equivalent Privacy (WEP) encryption enabled for the WDS link:
- Enabled
- Disabled

Key Length
If WEP is enabled, specify the length of the WEP key:
- 64 bits
- 128 bits

Key Type
If WEP is enabled, specify the WEP key type:
- ASCII
- Hex

Characters Required
Indicates the number of characters required in the WEP key. The number of characters required updates automatically based on how you set Key Length and Key Type.

WEP Key
Enter a string of characters. If you selected ASCII, enter any combination of 0-9, a-z, and A-Z. If you selected HEX, enter hexadecimal digits (any combination of 0-9 and a-f or A-F). These are the RC4 encryption keys shared with the stations using the access point.

3. Click Update to save your settings.

Example of Configuring a WDS Link

When you use WDS, be sure to configure WDS settings on both access
342. tic IP. Static IP indicates that all network settings are provided manually. You must provide the IP address for the AT WA7400 Wireless Access Point, its subnet mask, the IP address of the default gateway, and the IP address of at least one DNS nameserver. If you select DHCP, the AT WA7400 Wireless Access Point acquires its IP address, subnet mask, and DNS and gateway information from the DHCP Servers.

Caution: If you do not have a DHCP server on the internal network and do not plan to use one, the first thing you must do after you deploy the first access point is to verify that the connection type is set to Static IP. When you change the connection type to Static IP, you can either assign a new static IP address to the AT WA7400 Wireless Access Point or continue using the default address. Allied Telesyn recommends assigning a new address so that if later you bring up another AT WA7400 Access Point on the same network, the IP addresses for the two access points will be unique.

If you need to recover the default Static IP address, you can do so by resetting the access point to the factory defaults, as described in Resetting the Configuration to Factory Defaults on page 206.

If you selected Static IP, configure the following settings:

Static IP Address: The static IP address.
Subnet Mask: The subnet mask. Obtain this information from your ISP or network administrator.
Default Gateway: The default gateway.
DNS Nameservers
343. tication

Set the Broadcast SSID (Allow or Prohibit)

To set the Broadcast SSID to on (allow):

    AT WA7400 set radio wlan0 ignore broadcast ssid on

To set the Broadcast SSID to off (prohibit):

    AT WA7400 set radio wlan0 ignore broadcast ssid off

Enable/Disable Station Isolation

    AT WA7400 get interface br0 port isolation off
    AT WA7400 set radio wlan0 station isolation off
    AT WA7400 get radio wlan0 detail
    Field value
    status up
    description Radio 1 IEEE 802.11g
    mac
    max bss 4
    channel policy static
    mode g
    static channel 6
    channel tx power tx rx status beacon interval rts threshold fragmentation threshold load balance disassociation utilization load balance disassociation stations load balance no association utilization ap detection station isolation frequency wme
    100 up 100 2347 2346 off off 2437 on

Set Security to Plain Text

    AT WA7400 set interface wlan0 security plain text

Set Security to Static WEP

Set the Security Mode

    AT WA7400 set interface wlan0 security static wep

Set the Transfer Key Index

The following commands set the Transfer Key Index to 4:

    AT WA7400 set interface wlan0 wep default key 1
    AT WA7400 set interface wlan0 wep default key 2
    AT WA7400 set interface wlan0 wep default key 3
    AT WA7400 set interface wlan0 wep default key 4

Set the Key Length

For the CLI, valid values for Key Length are 40 bits
344. tify an additional network to configure:
- One
- Two

Status
To enable the specified network, click On. To disable the specified network, click Off.

Wireless Network Name (SSID)
Enter a name for the wireless network as a character string. This name applies to all access points on this network. As you add more access points, they will use this SSID. The Service Set Identifier (SSID) is an alphanumeric string of up to 32 characters.

Note: If you are connected as a wireless client to the same access point that you are administering, resetting the SSID will cause you to lose connectivity to the access point. You will need to reconnect to the new SSID after you save this new setting.

VLAN ID
Provide a number between 1 and 4094 for the internal VLAN. This will cause the access point to send DHCP requests with the VLAN tag. The switch and the DHCP server must support VLAN IEEE 802.1Q frames. The access point must be able to reach the DHCP server. Check with the Administrator regarding the VLAN and DHCP configurations.

Broadcast SSID
Select the Broadcast SSID setting by clicking Allow or Prohibit. By default, the access point broadcasts (allows) the Service Set Identifier (SSID) in its beacon frames. You can suppress (prohibit) this broadcast to discourage stations from automatically discovering your access point. When the access point's broadcast SSID is suppressed, the network name will not be displayed in the List of
345. [Figure 12: Security Settings Page. The screenshot shows the settings Station Isolation, Security Mode, Supported Client Stations, WPA Versions, Enable pre-authentication, Cipher Suites (TKIP), Authentication Server (Built-in), Radius IP, Radius Key, Enable radius accounting, and Allow non-WPA IEEE 802.1x clients.]

2. Set up user accounts on the access point (Cluster > User Management), as shown in Figure 13.

[Figure 13: User Management Accounts Page. On-screen text: To edit a user account, click a user name. To enable or disable a user, click the Enable or Disable button. Likewise, to remove a user, click the remove button. Ensure that you have selected at least one user prior to any of these actions. Note: These user accounts apply only when the security mode is set to IEEE 802.1x or WPA with RADIUS and the Built-In authentication server is chosen. See the Help panel for more information. The user table has the columns Selected, Edit, Username, Real Name, and Status.]

3. Then configure WPA security with PEAP authentication on each client, as shown in Figure 14.

[Figure 14 callouts: Choose WPA. Choose either TKIP or AES for the Data Encryption mode. Choose Protected EAP (PEAP), then click Properties.]
346. tions on the characters that may be used in an SSID. For the guest network, provide an SSID that is different from the internal SSID and easily identifiable as the guest network.

3. Click Update to save your settings.

Chapter 10 Configuring Security

The AT WA7400 Management Software provides a number of authentication and encryption schemes to ensure that your wireless infrastructure is accessed only by the intended users. This chapter contains the following sections:
- Understanding Security Issues on Wireless Networks on page 106
- Configuring Security Settings on page 114
- Configuring the IAPP Mapping Table on page 129
- Configuring SNMP on page 131

Understanding Security Issues on Wireless Networks

How Do I Know Which Security Mode to Use

Wireless mediums are inherently less secure than wired mediums. For example, an Ethernet NIC transmits its packets over a physical medium such as coaxial cable or twisted pair. A wireless NIC broadcasts radio signals, allowing a wireless LAN to be easily tapped without physical access or sophisticated equipment. A hacker equipped with a laptop, a wireless NIC, and a bit of knowledge can easily attempt to compromise your wireless network. One does not even need to be within normal range of the access point. By using a sophisticated antenna on the cli
347. to set the Network Name (SSID) for the New Virtual Wireless Network

    AT WA7400 set interface wlan0vwn1 ssid my vwn one

Creating VWN Two on Radio One with WPA security

To configure the second virtual wireless network, repeat the previous procedures with the following differences:
- Create a second VLAN ID from the web UI with a new SSID.
- In the CLI commands, replace wlan0bssvwn1 with wlan0bssvwn2.

Note: Before you configure this feature, make sure you are familiar with the names of the interfaces as described in Understanding Interfaces as Presented in the CLI on page 278. The interface name you reference in a command determines whether a setting applies to a wired or wireless interface, the internal or guest network, or (on a two-radio access point) to radio one or radio two.

Table 25 provides a quick view of Radio Settings commands.

Table 25. Radio Settings Commands

Function: Get Radio Settings
Command: get radio
         get radio wlan0
         get radio wlan0 detail

Function: Get IEEE 802.11 Radio Mode
Command: get radio wlan0 mode

Function: Get Radio Channel
Command: get radio wlan0 channel

Function: Get Basic Radio Settings
Command: get radio wlan0

Function: Get All Radio Settings
Command: get radio wlan0 detail

Function: Get Supported Rate Set
Command: get supported rate

Function: Get Basic Rate Set
Command: get basic rate

Get IEEE 802.11 Radio Mode

To get the current setting for radio Mode:

    AT WA7400 get radio wlan0 mode
    g
348. to sort the sessions. The display is refreshed to show the sessions in the order you chose.

Chapter 6 Channel Management

This chapter contains the following sections:
- Understanding Channel Management on page 70
- Displaying the Channel Management Settings on page 72
- Configuring the Channel Management Settings on page 73

Understanding Channel Management

How it Works in a Nutshell
Overlapping Channels

When channel management is enabled, the AT WA7400 Management Software automatically assigns radio channels used by clustered access points to reduce mutual interference (or interference with other access points outside of its cluster). This maximizes WiFi bandwidth and helps maintain the efficiency of communication over your wireless network.

Note: You must start channel management to get automatic channel assignments; it is disabled by default on a new access point. See Stopping or Starting Automatic Channel Assignment on page 73.

At a specified interval (the default is one hour) or on demand (click Update), the Channel Manager maps access points to channel use and measures interference levels in the cluster. If significant channel interference is detected, the Channel Manager automatically reassigns some or all of the access points to new channels per an efficiency algorithm (or automated channel plan).

The radio frequency (RF) broadcast chan
349. to which you want the setting to apply, and cwmin_Value and cwmax_Value are the values (in milliseconds) you want to specify for contention back-off windows.

For example, this command sets the client station Video queue (vi) cwmin value to 15 and cwmax value to 31:

    AT WA7400 set wme queue wlan0 with queue vi cwmin 7 cwmax 15

View the results of this configuration update (bold in the command output highlights the modified values):

    AT WA7400 get wme queue
    name queue aifs cwmin cwmax txop limit
    wlan0 vo 14 3 7 47
    wlan0 vi 2 7 15 94
    wlan0 be 3 15 1023 0
    wlan0 bk 7 15 1023 0

Set the Maximum Burst Length (burst) on the Access Point

The Maximum Burst Length (burst) specifies (in milliseconds) the Maximum Burst Length allowed for packet bursts on the wireless network. A packet burst is a collection of multiple frames transmitted without header information. The burst applies only to the access point (access point to station traffic). Valid values for maximum burst length are 0.0 through 999.9.

To set the maximum burst length on access point to station traffic:

    set tx queue wlan0 with queue Queue_Name to burst burst_Value

Where Queue_Name is the queue on the access point to which you want the setting to apply and burst_Value is the wait time value you want to specify for maximum burst length.

For example, this command sets the maximum packet burst length on the access point Best Effort
350. traffic is always queued together within each radio. This is the case on both one-radio and two-radio access points.

QoS on the access point leverages existing information in the IP packet header related to Type of Service (ToS). The access point examines the ToS field in the headers of all packets that pass through the access point. Based on the value in a packet's ToS field, the access point prioritizes the packet for transmission by assigning it to one of the queues.

A different type of data is associated with each queue. You can configure parameters that determine how each queue is treated when it is sent by the access point.

To configure QoS, perform the following procedure:

1. From the main menu, select Advanced > Quality of Service.

Configuring AP EDCA Parameters

The Quality of Service page is shown in Figure 49.

[Figure 49: Quality of Service Page. The screenshot shows an "AP EDCA parameters" table (columns Queue, AIFS, cwMin, cwMax, Max Burst), a "Wi-Fi Multimedia (WMM)" Enabled/Disabled setting, and a "Station EDCA parameters" table (columns Queue, AIFS, cwMin, cwMax, TXOP Limit). Both tables list the queues Data 0 (Voice), Data 1 (Video), Data 2 (Best Effort), and Data 3 (Background).]

The Quality of Service page has three sections: o A
351. ts are not used.

[Figure 10: Association and Authentication Tabs]

7. Configure the following settings on the Association tab in the Network Properties dialog box:

Network Authentication: Open
Data Encryption: WEP
Note: An RC4 stream cipher is used to encrypt the frame body and cyclic redundancy checking (CRC) of each IEEE 802.11 frame. This is the same encryption algorithm as is used for Static WEP; therefore, the data encryption method configured on the client for this mode is WEP.
This key is provided for me automatically: Enable (click to check) this option.

8. Configure these settings on the Authentication tab:

Enable IEEE 802.1x authentication for this network: Enable (click to check) this option.
EAP Type: Choose Smart Card or other Certificate.
Validate server certificate: Enable (click to check) Validate server certificate.

[Screenshot of the "Smart Card or other Certificate Properties" dialog. Under "When connecting", the options are "Use my smart card" and "Use a certificate on this computer", with "Use simple certificate selection (Recommended)". Below are the "Validate server certificate" checkbox, "Connect to these servers", and the "Trusted Root Certification Authorities" list.]
352. ts in the cluster. This is the same list of cluster members shown in the Cluster > Access Points page, described in Understanding and Changing Access Point Settings on page 48. If there is only one access point in the cluster, only a single IP address column is displayed here, indicating that the access point is clustered with itself. You can click on an IP address to view more details on a particular access point, as shown in Figure 28 on page 81.

Neighbors
Access points which are neighbors of one or more of the clustered access points are listed in the left column by SSID (Network Name). An access point which is detected as a neighbor of a cluster member can also be a cluster member itself. Neighbors who are also cluster members are always shown at the top of the list with a heavy bar above and include a location indicator.

The colored bars to the right of each access point in the Neighbors list show the signal strength for each of the neighbor access points as detected by the cluster member whose IP address is shown at the top of the column.

[Screenshot callout: This access point, a cluster member, can be seen by the access point whose IP address is 10.10.100.246 at a signal strength of 54, but not by the access point whose address is 10.10.100.223. The screenshot shows the Cluster row with one column per cluster member IP address and the neighbor access points listed below by network name.]
353. ts to send pre-authentication packet. The pre-authentication information will be relayed from the access point the client is currently using to the target access point. Enabling this feature can help speed up authentication for roaming clients who connect to multiple access points. This option does not apply if you selected WPA for WPA Versions, because the original WPA does not support this feature.

Cipher Suites
Select the cipher you want to use:

Temporal Key Integrity Protocol (TKIP): This is the default. TKIP provides a more secure encryption solution than WEP keys. The TKIP process more frequently changes the encryption key used and better ensures that the same key will not be re-used to encrypt data (a weakness of WEP). TKIP uses a 128-bit temporal key shared by clients and access points. The temporal key is combined with the client's MAC address and a 16-octet initialization vector to produce the key that will encrypt the data. This ensures that each client station uses a different key to encrypt data. TKIP uses RC4 to perform the encryption, which is the same as WEP. But TKIP changes temporal keys every 10,000 packets and distributes them, thereby greatly improving the security of the network.

Counter mode/CBC-MAC Protocol (CCMP): CCMP is an encryption method for IEEE 802.11 that uses the Advanced Encryption Algorithm (AES). It uses a CCM combined with Cipher Block Chaining Counter mode C
354. uring WDS Settings 178
   Example of Configuring a WDS Link 181
   Chapter 17 Maintenance and Monitoring 183
   Monitoring Wired and Wireless LAN Settings 184
   Viewing the Event Logs 186
   Log Relay Host for Kernel Messages 187
   Setting Up the Log Relay Host 187
   Enabling or Disabling the Log Relay Host 188
   Events Log 188
   Viewing the Transmit Receive Statistics 190
   Viewing the Associated Wireless Clients 192
   Link Integrity Monitoring 192
   What is the Difference Between an Association and a Session
355. ust retype the password. Click Add Account to add the account. The new user is then displayed in the User Accounts list. The user account is enabled by default when you first create it.

Note: A limit of 100 user accounts per access point is imposed by the web user interface. Network usage may impose a more practical limit, depending upon the demand from each user.

Editing a User Account
Enabling a User Account

After you create a user account, it is displayed in the User Accounts section at the top of the Cluster > User Management page. To edit an existing user account, perform the following procedure:

1. From the main menu, select Cluster > User Management. The User Management page is shown in Figure 21 on page 58.
2. In the User Accounts section, click the checkbox next to the user name so that the box is checked, as shown in Figure 22.

[Figure 22 on-screen text: User Accounts. To edit a user account, click a user name. To enable or disable a user, click the enable or disable button. Likewise, to remove a user, click the remove button. Ensure that you have selected at least one user prior to any of these actions. Note: The user accounts that you specify here are wireless clients of the access point(s), not Administrators. Also note that these user management settings apply only if you set the security mode on the access point to IEEE 802.1x or WPA with RADIUS and choose
356. [Figure 58: System Information Page. The visible rows of the screenshot are Firmware Version, System Up Time, Telnet timeout, HTTP timeout, and System name.]

The System Information page provides the following information about the access point:

Hardware Version: The hardware version number.
Serial No: The access point's serial number.
MAC Address: The access point's MAC address.
Boot Code Version: The version of the boot code currently loaded on the access point.
Firmware Version: The version of the firmware that is currently installed on the access point.
System Up Time: The length of time that the access point has been running since it was installed or last booted. This is shown in days, hours, minutes, and seconds.
Telnet Timeout: Displays the length of time that a Telnet session is available before it times out. You cannot change this parameter.
HTTP Timeout: The length of time that an HTTP session is available before it times out from inactivity. To change this parameter, refer to Setting the HTTP Timeout on page 204.
System Name: The name for the system that you assigned on the SNMP Configuration page. To change this setting, refer to Configuring SNMP on page 131.

Setting the Administrator Pa
357. wn in Figure 39.

[Figure 39: Cluster Management Page. The screenshot shows the cluster status and the list of clustered access points with the columns Location, MAC Address, and IP Address.]

8. Click Refresh. All previous cluster members are displayed in the list. Before proceeding to the last step, verify that the cluster has reformed by making sure all access points are listed.

Review all configuration settings and make modifications as needed. Pay special attention to the security settings, because after a reset, access points run without any security in place.

Appendix D Command Line Interface (CLI) for Access Point Configuration

In addition to the web-based user interface, the AT WA7400 Wireless Access Point includes a command line interface (CLI) for administering the access point. The CLI lets you view and modify status and configuration information.

From the client station perspective, even a single deployed AT WA7400 Wireless Access Point broadcasting its network name to clients constitutes a wireless network. Keep in mind that CLI configuration commands, like web UI settings, can affect a single access point running in standalone mode or automatically propagate to a network of clustered
358. xt

Plain text mode by definition provides no security. In this mode, the data is not encrypted but rather sent as plain text across the network. No key management, data encryption, or user authentication is used.

Plain text mode is not recommended for regular use on the internal network because it is not secure. Plain text mode is the only mode in which you can run the guest network, which is by definition an unsecure LAN always virtually or physically separated from any sensitive information on the internal LAN. Therefore, use plain text mode on the guest network, and on the internal network for initial setup, testing, or problem solving only.

For information on how to configure plain text mode, see Plain Text on page 115.

When to Use Static WEP

Static Wired Equivalent Privacy (WEP) is a data encryption protocol for 802.11 wireless networks. All wireless stations and access points on the network are configured with a static 64-bit (40-bit secret key + 24-bit initialization vector (IV)) or 128-bit (104-bit secret key + 24-bit IV) Shared Key for data encryption, as described in Table 1.

Table 1. Static WEP Configuration (columns: Key Management, Encryption Algorithm, User Authentication)

Key Management: Static WEP uses a fixed key that is provided by the administrator. WEP keys are indexed in different slots (up to four on the AT WA7400 Wireless Access Point). The client statio
359. y Commands (Continued)

Function: Enable/Disable Station Isolation
Command: get interface br0 port isolation off
         set radio wlan0 station isolation off

Function: Set Security to Plain Text
Command: set interface wlan0 security plain text

Function: Set Security to Static WEP
Command: See detailed example in Set Security to Static WEP on page 307.

Function: Set Security to IEEE 802.1x
Command: See detailed example in Set Security to IEEE 802.1x on page 312.

Function: Set Security to WPA/WPA2 Personal (PSK)
Command: See detailed example in Set Security to WPA/WPA2 Personal (PSK) on page 315.

Function: Set Security to WPA/WPA2 Enterprise (RADIUS)
Command: See detailed example in Set Security to WPA/WPA2 Enterprise (RADIUS) on page 318.

Get the Current Security Mode

    AT WA7400 get interface wlan0 security
    plain text

Get Detailed Description of Current Security Settings

    AT WA7400 get bss wlan0bssInternal detail
    Field Value
    status up
    description Internal
    radio wlan0
    beacon interface wlan0
    mac 00:0C:41:16:DF:A6
    dtim period
    max stations
    ignore broadcast ssid off
    mac acl mode deny list
    mac acl name wlan0bssInternal
    radius accounting
    radius ip 127.0.0.1
    radius key secret
    open system authentication
    shared key authentication
    wpa allow non wpa stations
    wpa cipher tkip
    wpa cipher ccmp
    wpa allowed off
    wpa2 allowed off
    rsn preauthen
360. y on Wireless Clients
2. Log on to the system hosting your RADIUS server and open the Internet Authentication Service window.
[Figure 22. Internet Authentication Service Window]
3. In the left panel, right-click on the RADIUS Clients node and choose New > Radius Client from the menu.
4. On the first dialog box of the New RADIUS Client wizard (Figure 23), provide information about the AT-WA7400 Wireless Access Point to which you want your clients to connect:
- A logical (friendly) name for the access point. (You might want to use DNS name or location.)
- IP address for the access point.
[Figure 23. New RADIUS Client Dialog Box: Name and Address Dialog Box]
5. Click Next.
6. For the Shared secret, enter the RADIUS Key you provided to the acc
361. zone from the list. Click Update to apply your changes, and the time shown as the Local Time reflects the correct local time.

[Chapter 17: Maintenance and Monitoring]

Setting the HTTP Timeout

You can set the length of time that an HTTP session is available before it times out from inactivity. The default is 5 minutes. To set the HTTP timeout, perform the following procedure:
1. From the main menu, select Advanced > HTTP timeout. The HTTP timeout page is shown in Figure 61.
[Figure 61. HTTP Timeout]
2. Change the timeout time and click Update.

Rebooting the Access Point

For maintenance purposes or as a troubleshooting measure, you can reboot the AT-WA7400 Wireless Access Point. To reboot the access point, perform the following procedure:
1. From the main menu, select Advanced > Reboot. The Reboot page is shown in Figure 62.
[Figure 62. Reboot Page]
2. Click Reboot. The access point reboots.
Note: Another option is to press and release the Reset button on the back of the AT-WA7400 Wireless Access Point.

Resetting the Configuration to Factory Defaults

If the AT-WA7400 Wireless Access Point is not functioning correctly, and if you have tried all other troubleshooting measures, use the