AP-3 Help Contents

[ Home ] [Avaya Web Site]

 


Advanced Configuration

  • Configuring the AP Using the HTTP/HTTPS Interface
  • System: Configure specific system information such as system name and contact information.
  • Network: Configure IP settings, DNS client, DHCP server, and Link Integrity.
  • Interfaces: Configure the Access Point’s interfaces: Wireless and Ethernet. Also describes configuring a Wireless Distribution System (WDS).
  • Management: Configure the Access Point’s management Passwords, IP Access Table, and Services such as configuring secure or restricted access to the AP via SNMPv3, HTTPS, or CLI. Set up Automatic Configuration for Static IP.
  • Filtering: Configure Ethernet Protocol filters, Static MAC Address filters, Advanced filters, and Port filters.
  • Alarms: Configure the Alarm (SNMP Trap) Groups, the Alarm Host Table, and the Syslog features.
  • Bridge: Configure the Spanning Tree Protocol, Storm Threshold protection, Intra BSS traffic, and Packet Forwarding.
  • Security: Configure security features such as MAC Access Control, WPA, WEP Encryption, and 802.1x. Configure Rogue Access Point Detection (RAD) and define the Scan Interval.
  • RADIUS: Configure RADIUS features such as RADIUS Access Control and Accounting.
  • VLAN/SSID: Configure VLAN IDs and SSIDs.

Configuring the AP Using the HTTP/HTTPS Interface

Follow these steps to configure an Access Point’s operating settings using the HTTP/HTTPS interface:

1.       Open a Web browser on a network computer.

The HTTP interface supports the following Web browser:

§         Microsoft Internet Explorer 6 with Service Pack 1 or later

§         Netscape 6.1 or later

2.       If necessary, disable the Internet proxy settings. For Internet Explorer users, follow these steps:

o        Select Tools > Internet Options....

o        Click the Connections tab.

o        Click LAN Settings....

o        If necessary, remove the check mark from the Use a proxy server box.

o        Click OK twice to save your changes and return to Internet Explorer.

3.       Enter the Access Point’s IP address in the browser’s Address field and press Enter.

o        Result: The Enter Network Password screen appears.

4.       Enter the HTTP password in the Password field and click OK. Leave the User Name field blank. (By default, the HTTP password is “public”).

o        Result: The System Status screen appears.

Enter Network Password Screen

1.       Click the Configure button located on the left-hand side of the screen.

Configure Main Screen

1.       Click the tab that corresponds to the parameter you want to configure. For example, click Network to configure the Access Point’s TCP/IP settings. The parameters contained in each of the configuration categories are described later in this chapter.

2.       Configure the Access Point’s parameters as necessary. After changing a configuration value, click OK to save the change.

3.       Reboot the Access Point for all of the changes to take effect.


System

You can configure and view the following parameters within the System Configuration screen:

  • Name: The name assigned to the AP.
  • Location: The location where the AP is installed.
  • Contact Name: The name of the person responsible for the AP.
  • Contact Email: The email address of the person responsible for the AP.
  • Contact Phone: The telephone number of the person responsible for the AP.
  • Object ID: This is a read-only field that displays the Access Point’s MIB definition; this information is useful if you are managing the AP using SNMP.
  • Ethernet MAC Address: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s Ethernet interface. The MAC address is assigned at the factory.
  • Descriptor: This is a read-only field that reports the Access Point’s name, serial number, current image software version, and current bootloader software version.
  • Up Time: This is a read-only field that displays how long the Access Point has been running since its last reboot.

Network

The Network category contains three sub-categories.

IP Configuration

You can configure and view the following parameters within the IP Configuration screen:

You must reboot the Access Point in order for any changes to the Basic IP or DNS Client parameters take effect.

Basic IP Parameters
  • IP Address Assignment Type: Set this parameter to Dynamic to configure the Access Point as a Dynamic Host Configuration Protocol (DHCP) client; the Access Point will obtain IP settings from a network DHCP server automatically during boot-up. If you do not have a DHCP server or if you want to manually configure the Access Point’s IP settings, set this parameter to Static.
  • IP Address: The Access Point’s IP address. When IP Address Assignment Type is set to Dynamic, this field is read-only and reports the unit’s current IP address. The Access Point will default to 10.0.0.1 if it cannot obtain an address from a DHCP server.
  • Subnet Mask: The Access Point’s subnet mask. When IP Address Assignment Type is set to Dynamic, this field is read-only and reports the unit’s current subnet mask. The subnet mask will default to 255.0.0.0 if the unit cannot obtain one from a DHCP server.
  • Gateway IP Address: The IP address of the Access Point’s gateway. When IP Address Assignment Type is set to Dynamic, this field is read-only and reports the IP address of the unit’s gateway. The gateway IP address will default to 10.0.0.2 if the unit cannot obtain an address from a DHCP server.
DNS Client

If you prefer to use host names to identify network servers rather than IP addresses, you can configure the AP to act as a Domain Name Service (DNS) client. When this feature is enabled, the Access Point contacts the network’s DNS server to translate a host name to the appropriate network IP address. You can use this DNS Client functionality to identify RADIUS servers by host name. See RADIUS for details.

  • Enable DNS Client: Place a check mark in the box provided to enable DNS client functionality. Note that this option must be enabled before you can configure the other DNS Client parameters.
  • DNS Primary Server IP Address: The IP address of the network’s primary DNS server.
  • DNS Secondary Server IP Address: The IP address of a second DNS server on the network. The Access Point will attempt to contact the secondary server if the primary server is unavailable.
  • DNS Client Default Domain Name: The default domain name for the Access Point’s network (for example, “avaya.com”). Contact your network administrator if you need assistance setting this parameter.
Advanced
  • Default TTL (Time to Live): Time to Live (TTL) is a field in an IP packet that specifies how long in seconds the packet can remain active on the network. The Access Point uses the default TTL for packets it generates for which the transport layer protocol does not specify a TTL value. This parameter supports a range from 0 to 65535. By default, TTL is 64.

DHCP Server

If your network does not have a DHCP Server, you can configure the AP as a DHCP server to assign dynamic IP addresses to Ethernet nodes and wireless clients.

Make sure there are no other DHCP servers on the network and do not enable the DHCP server without checking with your network administrator first, as it could bring down the whole network. Also, the AP must be configured with a static IP address before enabling this feature.

When the DHCP Server functionality is enabled, you can create one or more IP address pools from which to assign addresses to network devices.

DHCP Server Configuration Screen

You can configure and view the following parameters within the DHCP Server Configuration screen:

  • Enable DHCP Server: Place a check mark in the box provided to enable DHCP Server functionality.

You cannot enable the DHCP Server functionality unless there is at least one IP Pool Table Entry configured.

  • Subnet Mask: This field is read-only and reports the Access Point’s current subnet mask. DHCP clients that receive dynamic addresses from the AP will be assigned this same subnet mask.
  • Gateway IP Address: The AP will assign the specified address to its DHCP clients.
  • Primary DNS IP Address: The AP will assign the specified address to its DHCP clients.
  • Secondary DNS IP Address: The AP will assign the specified address to its DHCP clients.
  • Number of IP Pool Table Entries: This is a read-only field that reports the number of IP address pools currently configured.
  • IP Pool Table Entry: This entry specifies a range of IP addresses that the AP can assign to its wireless clients. Click Add to create a new entry. Click Edit to change an existing entry. Each entry contains the following field:
    • Start IP Address
    • End IP Address
    • Default Lease Time (optional): The default time value for clients to retain the assigned IP address. DHCP automatically renews IP Addresses without client notification. This parameter supports a range between 0 and 86400 seconds. The default is 86400 seconds.
    • Maximum Lease Time (optional): The maximum time value for clients to retain the assigned IP address. DHCP automatically renews IP Addresses without client notification. This parameter supports a range between 0 and 86400 seconds. The default is 86400 seconds.
    • Comment (optional)
    • Status: IP Pools are enabled upon entry in the table. You can also disable or delete entries by changing this field’s value.

You must reboot the Access Point before changes to any of these DHCP server parameters take effect.

Link Integrity

The Link Integrity feature checks the link between the AP and the nodes on the Ethernet backbone. These nodes are listed by IP address in the Link Integrity IP Address Table. The AP periodically pings the nodes listed within the table. If the AP loses network connectivity (that is, the ping attempts fail), the AP disables its wireless interface until the connection is restored. This forces the unit’s wireless clients to switch to another Access Point that still has a network connection. Note that this feature does not affect WDS links (if applicable).

You can configure and view the following parameters within the Link Integrity Configuration screen:

  • Enable Link Integrity: Place a check mark in the box provided to enable Link Integrity.
  • Poll Interval (milliseconds): The interval between link integrity checks. Range is 500 - 15000 ms in increments of 500 ms; default is 500 ms.
  • Poll Retransmissions: The number of times a poll should be retransmitted before the link is considered down. Range is 0 to 255; default is 5.
  • Target IP Address Entry: This entry specifies the IP address of a host on the network that the AP will periodically poll to confirm connectivity. The table can hold up to five entries. By default, all five entries are set to 0.0.0.0. Click Edit to update one or more entries. Each entry contains the following field:
    • Target IP Address
    • Comment (optional)
    • Status: Set this field to Enable to specify that the Access Point should poll this device. You can also disable an entry by changing this field’s value to Disable.

Link Integrity Configuration Screen


Interfaces

From the Interfaces tab, you configure the Access Point’s operational mode, power control settings, wireless interface settings and Ethernet settings. You may also configure a Wireless Distribution System for AP-to-AP communications.

For the wireless interface configuration, refer to the wireless parameters below that correspond to your radio type.

Operational Mode

You can configure and view the following parameters within the Operational Mode screen.

  • Operational Mode: the mode of communication between the wireless clients and the Access Point:
    • 802.11b only
    • 802.11g only
    • 802.11bg
    • 802.11a (default)
    • 802.11g-wifi

TX Power Control

The TX Power Control feature lets the user configure the transmit power level of the card in the AP at one of four levels:

  • 100% of the maximum transmit power level of the card
  • 50%
  • 25%
  • 12.5%

Configuring TX Power Control

1.       Click Configure > Interfaces > Operational Mode (Operational Mode Screen - TX Power Control).

2.       Select Enable Transmit Power Control.

3.       Select the transmit power level for interface A from the Wireless-A: Transmit Power Level drop-down menu.Select the transmit power level for interface B from the Wireless-B: Transmit Power Level drop-down menu.

4.       Click OK.

Operational Mode Screen - TX Power Control

Wireless (802.11a)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a AP:

You must reboot the Access Point before any changes to these parameters take effect.

  • Physical Interface Type: For an 802.11a AP, this field reports: “802.11a (OFDM 5 GHz).” OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices.
  • MAC Address: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
  • Regulatory Domain: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
      • FCC - U.S./Canada, Mexico, and Australia
      • ETSI - Europe and the United Kingdom
      • MKK: Japan
      • SG: Singapore
      • ASIA: China, Hong Kong, and South Korea
      • TW: Taiwan
  • Network Name (SSID): Enter a Network Name (between 2 and 31 characters long) for the wireless network. You must configure each wireless client to use this name as well.
  • Auto Channel Select: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled. See 802.11a Channel Frequencies for a list of Channels.

You cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

  • Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating Channel. When Auto Channel Select is disabled, you can specify the Access Point’s channel. If you decide to manually set the unit’s Channel, ensure that nearby devices do not use the same frequency. Available Channels vary based on regulatory domain. See 802.11a Channel Frequencies. Note that you cannot manually set the channel for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).
  • Transmit Rate: Use the drop-down menu to select a specific transmit rate for the AP. Choose between 6, 9, 12, 18, 24, 36, 48, 54 Mbits/s, and Auto Fallback. Auto Fallback is the default setting; it allows the AP unit to select the best transmit rate based on the cell size.
  • DTIM Period: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.
  • RTS/CTS Medium Reservation: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.
  • Closed System: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name “ANY” cannot connect to the AP. This option is disabled by default.

Dynamic Frequency Selection (DFS)

802.11a APs sold in Europe use a technique called Dynamic Frequency Selection (DFS) to automatically select an operating channel. During boot-up, the AP scans the available frequency and selects a channel that is free of interference. If the AP subsequently detects interference on its channel, it automatically reboots and selects another channel that is free of interference.

DFS only applies to 802.11a APs used in Europe (i.e., units whose regulatory domain is set to ETSI). The European Telecommunications Standard Institute (ETSI) requires that 802.11a devices use DFS to prevent interference with radar systems and other devices that already occupy the 5 GHz band.

If you are using an 802.11a AP in Europe, keep in mind the following:

    • DFS is not a configurable parameter. It is always enabled and cannot be disabled.
    • You cannot manually select the device’s operating channel; you must let DFS select the channel.
    • You cannot configure the Auto Channel Select option. Within the HTTP interface, this option always appears enabled.

RTS/CTS Medium Reservation

The 802.11 standard supports optional RTS/CTS communication based on packet size. Without RTS/CTS, a sending radio listens to see if another radio is already using the medium before transmitting a data packet. If the medium is free, the sending radio transmits its packet. However, there is no guarantee that another radio is not transmitting a packet at the same time, causing a collision. This typically occurs when there are hidden nodes (clients that can communicate with the Access Point but are out of range of each other) in very large cells.

When RTS/CTS occurs, the sending radio first transmits a Request to Send (RTS) packet to confirm that the medium is clear. When the receiving radio successfully receives the RTS packet, it transmits back a Clear to Send (CTS) packet to the sending radio. When the sending radio receives the CTS packet, it sends the data packet to the receiving radio. The RTS and CTS packets contain a reservation time to notify other radios (including hidden nodes) that the medium is in use for a specified period. This helps to minimize collisions. While RTS/CTS adds overhead to the radio network, it is particularly useful for large packets that take longer to resend after a collision occurs.

RTS/CTS Medium Reservation is an advanced parameter and supports a range between 0 and 2347 bytes. When set to 2347 (the default setting), the RTS/CTS mechanism is disabled. When set to 0, the RTS/CTS mechanism is used for all packets. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. You should not need to enable this parameter for most networks unless you suspect that the wireless cell contains hidden nodes.

Wireless (802.11b)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11b AP:

You must reboot the Access Point before any changes to these parameters take effect.

  • Physical Interface Type: For 802.11b AP, this field reports: “802.11b (DSSS 2.4 GHz).” DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices.
  • MAC Address: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
  • Regulatory Domain: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
      • FCC - U.S./Canada, Mexico, and Australia
      • ETSI - Most of Europe, including the United Kingdom, Ireland, Singapore, and Hong Kong
      • MKK: Japan
      • IL - Israel
  • Network Name (SSID): Enter a Network Name (between 2 and 31 characters long) for the wireless network. You must configure each wireless client to use this name as well.
  • Auto Channel Select: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled; see 802.11b Channel Frequencies for a list of Channels. However, if you are setting up a Wireless Distribution System (WDS), it must be disabled. See Wireless Distribution System (WDS) for more information.
  • Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating channel. When Auto Channel Select is disabled, you can specify the Access Point’s operating channel. If you decide to manually set the unit’s channel, ensure that nearby devices do not use the same frequency (unless you are setting up a WDS). Available Channels vary based on regulatory domain. See 802.11b Channel Frequencies.
  • Distance Between APs: Set to Large, Medium, Small, Microcell, or Minicell depending on the site survey for your system. By default, this parameter is set to Large. The distance value is related to the Multicast Rate (described next). In general, a larger distance between APs means that your clients operate a slower data rates (on average). See Distance Between APs for more information.
  • Multicast Rate: Sets the rate at which Multicast messages are sent. This value is related to the Distance Between APs parameter (described previously). The table below displays the possible Multicast Rates based on the Distance between APs setting. By default, this parameter is set to 2 Mbits/sec. See Multicast Rate for more information.

Distance between APs

Multicast Rate

Large

1 and 2 Mbits/sec

Medium

1, 2, and 5.5 Mbits/sec

Small

1, 2, 5.5 and 11 Mbits/sec

Minicell

1, 2, 5.5 and 11 Mbits/sec

Microcell

1, 2, 5.5 and 11 Mbits/sec

  • DTIM Period: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.
  • RTS/CTS Medium Reservation: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.
  • Interference Robustness: Enable this option if other electrical devices in the 2.4 GHz frequency band (such as a microwave oven or a cordless phone) may be interfering with the wireless signal. The AP will automatically fragment large packets into multiple smaller packets when interference is detected to increase the likelihood that the messages will be received in the presence of interference. The receiving radio reassembles the original packet once all fragments have been received. This option is disabled by default.
  • Closed System: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name “ANY” cannot connect to the AP. This option is disabled by default.
  • Load Balancing: Enable this option so clients can evaluate which Access Point to associate with, based on current AP loads. This feature is enabled by default; it helps distribute the wireless load between APs. This feature is not available if you are using an Avaya 802.11a/b Platinum Card or a non-Avaya client with the AP.
  • Medium Density Distribution: When enabled, the Access Point automatically notifies wireless clients of its Distance Between APs, Interference Robustness, and RTS/CTS Medium Reservation settings. This feature is enabled by default and allows clients to automatically adopt the values used by its current Access Point (even if these values differ from the client’s default values or from the values supported by other Access Points). Note that this feature is not available if you are using an Avaya 802.11a/b Platinum Card or a non-Avaya client with the AP. Avaya recommends that you leave this parameter enabled, particularly if you have Avaya clients on your wireless network (leaving this parameter enabled should not adversely affect the performance of any Avaya 802.11a/b Platinum Card or non-Avaya cards on your network).

Distance Between APs

Distance Between APs defines how far apart (physically) your AP devices are located, which in turn determines the size of your cell. Cells of different sizes have different capacities and, therefore, suit different applications. For instance, a typical office has many stations that require high bandwidth for complex, high-speed data processing. In contrast, a typical warehouse has a few forklifts requiring low bandwidth for simple transactions.

This feature is not available if you are using an Avaya 802.11a/b Platinum Card or a non-Avaya client with the AP.

Cell capacities are compared in the following table, which shows that small cells suit most offices and large cells suit most warehouses:

Small Cell

Large Cell

Physically accommodates few stations

Physically accommodates many stations

High cell bandwidth per station

Lower cell bandwidth per station

High transmit rate

Lower transmit rate

Coverage

The number of Access Points in a set area determines the network coverage for that area. A large number of Access Points covering a small area is a high-density cell. A few Access Points, or even a single unit, covering the same small area would result in a low-density cell, even though in both cases the actual area did not change — only the number of Access Points covering the area changed.

In a typical office, a high density area consists of a number of Access Points installed every 20 feet and each Access Point generates a small radio cell with a diameter of about 10 feet. In contrast, a typical warehouse might have a low density area consisting of large cells (with a diameter of about 90 feet) and Access Points installed every 200 feet.

Low Density vs. Ultra High Density Network

The Distance Between Cells parameter supports five values: Large, Medium, Small, Minicell, and Microcell.

The distance between APs should not be approximated. It is calculated by means of a manual Site Survey, in which an AP is set up and clients are tested throughout the area to determine signal strength and coverage, and local limits such as physical interference are investigated. From these measurements the appropriate cell size and density is determined, and the optimum distance between APs is calculated to suit your particular business requirements. Contact your reseller for information on how to conduct a Site Survey.

Multicast Rate

The multicast rate determines the rate at which broadcast and multicast packets are transmitted by the Access Point to the wireless network.

Stations that are closer to the Access Point can receive multicast packets at a faster data rate than stations that are farther away from the AP.
Therefore, you should set the Multicast Rate based on the size of the Access Point’s cell. For example, if the Access Point’s cell is very small (e.g., Distance Between APs is set to Microcell), you can expect that all stations should be able to successfully receive multicast packets at 11 MBits/sec so you can set Multicast Rate to 11 Mbits/sec.

However, if the Access Point’s cell is large, you need to accommodate stations that may not be able to receive multicast packets at the higher rates; in this case, you should set Multicast Rate to 1 or 2 Mbits/sec.

1 Mbits/s and 11 Mbits/s Multicast Rates

There is an inter-dependent relationship between the Distance between APs and the Multicast Rate. In general, larger systems operate at a lower average transmit rate. The variation between Multicast Rate and Distance Between APs is presented in the following table:

 

 

1.0 Mbit/s

2.0 Mbits/s

5.5 Mbits/s

11 Mbits/s

Large

yes

yes

 

 

Medium

yes

yes

yes

 

Small

yes

yes

yes

yes

Minicell

yes

yes

yes

yes

Microcell

yes

yes

yes

yes

The Distance Between APs must be set before the Multicast Rate, because when you select the Distance Between APs, the appropriate range of Multicast values automatically populates the drop-down menu. This feature is not available if you are using an Avaya 802.11a/b Platinum Card or a non-Avaya client with the AP.

Wireless (802.11b/g)

You can configure the following radio parameters for an 802.11b/g AP:

You must reboot the Access Point before any changes to these parameters take effect.

·         Operational Mode: An 802.11b/g wireless interface can be configured to operate in the following modes:
o        802.11b mode only: The radio uses the 802.11b standard only.
o        802.11g mode only: The radio is optimized to communicate with 802.11g devices. This setting will provide the best results if this radio interface will only communicate with 802.11g devices.
o        802.11b/g mode: This is the default mode. Use this mode if you want to support a mix of 802.11b and 802.11g devices.
o        802.11g-wifi: This mode was developed for Wi-Fi compliance testing purposes. It is similar to 802.11g only mode.

In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices.

·         Physical Interface Type: Depending on the Operational Mode, this field reports:
o        For 802.11b mode only: "802.11b (CCK/DSSS 2.4 GHz)"
o        For 802.11g and 802.11g-wifi modes: "802.11g (OFDM/DSSS 2.4 GHz)"
o        For 802.11b/g mode: "802.11b/g (ERP-CCK/DSSS/OFDM 2.4 GHz)"

OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices. DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices.

·         MAC Address: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
·         Regulatory Domain: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
§         FCC - U.S./Canada, Mexico, and Australia
§         ETSI - Europe, including the United Kingdom, China, and South Korea
§         MKK - Japan
§         IL - Israel
·         Network Name (SSID): Enter a Network Name (between 2 and 31 characters long) for the wireless network. You must configure each wireless client to use this name as well.
·         Auto Channel Select: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled; see 802.11g Channel Frequencies for a list of Channels.
·         Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating channel. When Auto Channel Select is disabled, you can specify the Access Point’s operating channel. If you decide to manually set the unit’s channel, ensure that nearby devices do not use the same frequency (unless you are setting up a WDS). Available Channels vary based on regulatory domain. See 802.11g Channel Frequencies.
·         Transmit Rate: Select a specific transmit rate for the AP. The values available depend on the Operational Mode. Auto Fallback is the default setting; it allows the AP to select the best transmit rate based on the cell size.
§         For 802.11b only -- Auto Fallback, 1, 2, 5.5, 11 Mbits/sec
§         For 802.11g only -- Auto Fallback, 6, 9, 12, 18, 24, 36, 48, 54 Mbits/sec
§         For 802.11b/g and 802.11g-wifi -- Auto Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbits/sec
·         DTIM Period: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.
·         RTS/CTS Medium Reservation: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.
·         Closed System: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name "ANY” cannot connect to the AP. This option is disabled by default.

Wireless (802.11a/g)

You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a/g AP:

You must reboot the Access Point before any changes to these parameters take effect.

·         Operational Mode: An 802.11b/g wireless interface can be configured to operate in the following modes:
o        802.11b mode only: The radio uses the 802.11b standard only.
o        802.11g mode only: The radio is optimized to communicate with 802.11g devices. This setting will provide the best results if this radio interface will only communicate with 802.11g devices.
o        802.11a mode only: The radio uses the 802.11a standard only.
o        802.11b/g mode: This is the default mode. Use this mode if you want to support a mix of 802.11b and 802.11g devices.
o        802.11g-wifi: This mode was developed for Wi-Fi compliance testing purposes. It is similar to 802.11g only mode.

In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices.

·         Physical Interface Type: Depending on the Operational Mode, this field reports:
o        For 802.11b mode only: "802.11b (CCK/DSSS 2.4 GHz)"
o        For 802.11g and 802.11g-wifi modes: "802.11g (OFDM/DSSS 2.4 GHz)"
o        For 802.11b/g mode: "802.11b/g (ERP-CCK/DSSS/OFDM 2.4 GHz)"
o        For 802.11a mode only, this field reports: “802.11a (OFDM 5 GHz).”

OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices. DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices.

·         MAC Address: This is a read-only field that displays the unique MAC (Media Access Control) address for the Access Point’s wireless interface. The MAC address is assigned at the factory.
·         Regulatory Domain: Reports the regulatory domain for which the AP is certified. Not all features or channels are available in all countries. The available regulatory domains include:
§         FCC - U.S./Canada, Mexico, and Australia
§         ETSI - Europe and the United Kingdom
§         MKK: Japan
§         SG: Singapore
§         ASIA: China, Hong Kong, and South Korea
§         TW: Taiwan
·         Network Name (SSID): Enter a Network Name (between 2 and 31 characters long) for the wireless network. You must configure each wireless client to use this name as well.
·         Auto Channel Select: The AP scans the area for other Access Points and selects a free or relatively unused communication channel. This helps prevent interference problems and increases network performance. By default this feature is enabled. See 802.11a Channel Frequencies and 802.11g Channel Frequencies for a list of Channels.

You cannot disable Auto Channel Select for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).

·         Frequency Channel: When Auto Channel Select is enabled, this field is read-only and displays the Access Point’s current operating Channel. When Auto Channel Select is disabled, you can specify the Access Point’s channel. If you decide to manually set the unit’s Channel, ensure that nearby devices do not use the same frequency. Available Channels vary based on regulatory domain. See 802.11a Channel Frequencies and 802.11g Channel Frequencies. Note that you cannot manually set the channel for 802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).
·         Transmit Rate: Select a specific transmit rate for the AP. The values available depend on the Operational Mode. Auto Fallback is the default setting; it allows the AP to select the best transmit rate based on the cell size. Use the drop-down menu to select a specific transmit rate for the AP.
§         For 802.11b only -- Auto Fallback, 1, 2, 5.5, 11 Mbits/sec
§         For 802.11g only -- Auto Fallback, 6, 9, 12, 18, 24, 36, 48, 54 Mbits/sec
§         For 802.11b/g and 802.11g-wifi -- Auto Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbits/sec
§         For 802.11a only -- Auto Fallback, 6, 9, 12, 18, 24, 36, 48, 54 Mbits/s, and . Auto Fallback is the default setting; it allows the AP unit to select the best transmit rate based on the cell size.
·         DTIM Period: The Deferred Traffic Indicator Map (DTIM) is used with clients that have power management enabled. DTIM should be left at 1, the default value, if any clients have power management enabled. This parameter supports a range between 1 and 255.
·         RTS/CTS Medium Reservation: This parameter affects message flow control and should not be changed under normal circumstances. Range is 0 to 2347. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. When set to 2347 (the default setting), RTS/CTS is disabled. See RTS/CTS Medium Reservation for more information.
·         Closed System: Check this box to allow only clients configured with the Access Point’s specific Network Name to associate with the Access Point. When enabled, a client configured with the Network Name “ANY” cannot connect to the AP. This option is disabled by default.

Wireless Distribution System (WDS)

A Wireless Distribution System (WDS) creates a link between two 802.11a, 802.11b, or 802.11b/g APs over their radio interfaces. This link relays traffic from one AP that does not have Ethernet connectivity to a second AP that has Ethernet connectivity. WDS allows you to configure up to six (6) point-to-point links between Access Points.

In the WDS Example below, AP 1 and AP 2 communicate over a WDS link (represented by the blue line). This link provides Client 1 with access to network resources even though AP 1 is not directly connected to the Ethernet network. Packets destined for or sent by the client are relayed between the Access Points over the WDS link.

WDS Example

Bridging WDS

Each WDS link is mapped to a logical WDS port on the AP. WDS ports behave like Ethernet ports rather than like standard wireless interfaces: on a BSS port, an Access Point learns by association and from frames; on a WDS or Ethernet port, an Access Point learns from frames only. When setting up a WDS, keep in mind the following:

·         The WDS link shares the communication bandwidth with the clients. Therefore, while the maximum data rate for the Access Point’s cell is still 11 Mb, client throughput will decrease when the WDS link is active.
·         If there is no partner MAC address configured in the WDS table, the WDS port remains disabled.
·         Each WDS port on a single AP should have a unique partner MAC address. Do not enter the same MAC address twice in an AP’s WDS port list.
·         Each Access Point that is a member of the WDS must have the same Channel setting to communicate with each other.
·         Each Access Point that is a member of the WDS must have the same network domain.
·         Each Access Point that is a member of the WDS must have the same WEP Encryption settings. WDS does not use 802.1x. Therefore, if you want to encrypt the WDS link, you must configure each Access Point to use WEP encryption (either WEP encryption only or Mixed Mode), and each Access Point must have the same Encryption Key(s). See Security.
·         If your network does not support spanning tree, be careful to avoid creating network loops between APs. For example, creating a WDS link between two Access Points connected to the same Ethernet network will create a network loop (if spanning tree is disabled). For more information, refer to the Spanning Tree section.
WDS Setup Procedure

You must disable Auto Channel Select to create a WDS. Each Access Point that is a member of the WDS must have the same Channel setting to communicate with each other.

To setup a wireless backbone follow the steps below for each AP that you wish to include in the Wireless Distribution System.

1.       Confirm that Auto Channel Select is disabled.
2.       Write down the MAC Address of the radio that you wish to include in the Wireless Distribution System.
3.       Open the Wireless Interface Configuration screen.
4.       Scroll down to the Wireless Distribution System heading.
5.       Click the Edit button to update the Wireless Distribution System (WDS) Table.
6.       Enter the MAC Address that you wrote down in Step 2 in one of the Partner MAC Address field of the Wireless Distribution Setup window.
7.       Set the Status of the device to Enable.
8.       Click OK.
9.       Reboot the AP.

WDS Configuration

To set up a Wireless Distribution System (WDS) with 802.1x, set each Access Point’s 802.1x Security Mode to Mixed and assign each unit in the WDS the same Encryption Key 1. See Security.

Ethernet

Select the desired speed and transmission mode from the drop-down menu. Half-duplex means that only one side can transmit at a time and full-duplex allows both sides to transmit. When set to auto-duplex, the AP negotiates with its switch or hub to automatically select the highest throughput option supported by both sides.

For best results, Avaya recommends that you configure the Ethernet setting to match the speed and transmission mode of the device the Access Point is connected to (such as a hub or switch). If in doubt, leave this setting at its default, auto-speed-auto-duplex. Choose between:

·         10 Mbit/s - half duplex, full duplex, or auto duplex
·         100 Mbit/s - half duplex or full duplex
·         auto speed - half duplex or auto duplex

Management

The Management category contains three sub-categories.

o        Passwords
o        IP Access Table
o        Services

Passwords

You can configure the following passwords:

·         SNMP Read Password: The password for read access to the AP using SNMP. Enter a password in both the Password field and the Confirm field. The default password is “public”.
·         SNMP Read/Write Password: The password for read and write access to the AP using SNMP. Enter a password in both the Password field and the Confirm field. The default password is “public”.
·         SNMPv3 Authentication Password: The password used when sending authenticated SNMPv3 messages. Enter a password in both the Password field and the Confirm field. The default password is “public”. Password length is recommended to be at least 8 characters. Secure Management (Services tab) must be enabled to configure SNMPv3.
·         SNMPv3 Privacy Password: The password used when sending encrypted SNMPv3 data. Enter a password in both the Password field and the Confirm field. The default password is “public”. Password length is recommended to be at least 8 characters. Secure Management (Services tab) must be enabled to configure SNMPv3.
·         Telnet (CLI) Password: The password for the CLI interface (via serial or Telnet). Enter a password in both the Password field and the Confirm field. The default password is “public”.
·         HTTP (Web) Password: The password for the Web browser HTTP interface. Enter a password in both the Password field and the Confirm field. The default password is “public”.

For security purposes Avaya recommends changing ALL PASSWORDS from the default “public” immediately, to restrict access to your network devices to authorized personnel. If you lose or forget your password settings, you can always perform the Reset to Factory Default Procedure.

IP Access Table

The Management IP Access table limits in-band management access to the IP addresses or range of IP addresses specified in the table. This feature applies to all management options (SNMP, HTTP, and CLI) except for CLI management over the serial port. To configure this table, click Add and set the following parameters:

·         IP Address: Enter the IP Address for the management station.
·         IP Mask: Enter a mask that will act as a filter to limit access to a range of IP Addresses based on the IP Address you already entered.
o        The IP mask 255.255.255.255 would authorize the single station defined by the IP Address to configure the Access Point. The AP would ignore commands from any other IP address. In contrast, the IP mask 255.255.255.0 would allow any device that shares the first three octets of the IP address to configure the AP. For example, if you enter an IP address of 10.20.30.1 with a 255.255.255.0 subnet mask, any IP address between 10.20.30.1 and 10.20.30.254 will have access to the AP’s management interfaces.
·         Comment: Enter an optional comment, such as the station name.

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status pull-down menu.

Services

You can configure the following management services:

You must reboot the Access Point if you change the HTTP Port or Telnet Port.

Secure Management

Secure Management allows the use of encrypted and authenticated communication protocols such as SNMPv3, and Secure Socket Link (SSL), to manage the Access Point.

·         Enable Secure Management: Enables the further configuration of HTTPS Access, and SNMPv3. After enabling Secure Management, you can choose to configure HTTPS (SSL) access on the Services tab, and configure SNMPv3 passwords on the Passwords tab.

SNMP Settings

·         SNMP Interface Bitmask: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the AP via SNMP. You can also select Disabled to prevent a user from accessing the AP via SNMP.

HTTP Access

·         HTTP Interface Bitmap: Configure the interface or interfaces (Ethernet, Wireless, All Interfaces) from which you will manage the AP via the Web interface. For example, to allow Web configuration via the Ethernet network only, set HTTP Interface Bitmask to Ethernet. You can also select Disabled to prevent a user from accessing the AP from the Web interface.
·         HTTP Port: Configure the HTTP port from which you will manage the AP via the Web interface. By default, the HTTP port is 80.
·         Enable HTTP Setup Wizard: The Setup Wizard appears automatically the first time you access the HTTP interface. If you exited out of the Setup Wizard and want to relaunch it, enable this option, click OK, and then close your browser or reboot the AP. The Setup Wizard will appear the next time you access the HTTP interface.

Management Services Configuration Screen

HTTPS Access (Secure Socket Layer)

The user can access the AP in a secure fashion using Secure Socket Layer (SSL) over port 443. The AP supports SSLv3 with a 128-bit encryption certificate maintained by the AP for secure communications between the AP and the HTTP client. All communications are encrypted using the server and the client-side certificate.

SSL requires Internet Explorer version 6, 128 bit encryption, Service Pack 1, and patch Q323308.

The AP comes pre-installed with all required SSL files: default certificate and private key installed.

Configuring Secure Socket Layer (SSL)

After enabling SSL, the only configurable parameter is the SSL passphrase. The default SSL passphrase is

If you decide to upload a new certificate and private key (using TFTP or HTTP File Transfer), you need to change the SSL Certificate Passphrase for the new SSL files.

·         Enable HTTPS (Secure Web): Check this box to enable SSL on the AP.

You need to reboot the AP after enabling or disabling SSL for the changes to take effect.

·         SSL Certificate Passphrase: Specifies the SSL Passphrase to use if Enable HTTPS has been checked. The user must change the SSL passphrase when uploading a new certificate/private key pair, which will have a corresponding passphrase.
Accessing the AP through the HTTPS interface

The user should use a SSL intelligent browser to access the AP through the HTTPS interface. After configuring SSL, access the AP using https:// followed by the AP’s management IP address.

Telnet Configuration Settings

·         Telnet Interface Bitmask: Select the interface (Ethernet, Wireless, All Interfaces) from which you can manage the AP via telnet. This parameter can also be used to Disable telnet management.
·         Telnet Port: The default port number for Telnet applications is 23. However, you can use this field if you want to change the Telnet port for security reasons (but your Telnet application also must support the new port number you select).
·         Login Idle Timeout (seconds): Enter the number of seconds the system will wait for a login attempt. The AP terminates the session when it times out. The range is 1 to 300 seconds; the default is 30 seconds.
·         Session Idle Timeout (seconds): Enter the number of seconds the system will wait during a session while there is no activity. The AP will terminate the session on timeout. The range is 1 to 36000 seconds; the default is 900 seconds.

Serial Configuration Settings

The serial port interface on the AP is enabled at all times. See Setting IP Address using Serial Port for information on how to access the CLI interface via the serial port. You can configure and view following parameters:

·         Baud Rate: Select the serial port speed (bits per second). Choose between 2400, 4800, 9600, 19200, 38400, or 57600; the default Baud Rate is 9600.
·         Flow Control: Select either None (default) or Xon/Xoff (software controlled) data flow control.

To avoid potential problems when communicating with the AP through the serial port, Avaya recommends that you leave the Flow Control setting at None (the default value).

·         Serial Data Bits: This is a read-only field and displays the number of data bits used in serial communication (8 data bits by default).
·         Serial Parity: This is a read-only field and displays the number of parity bits used in serial communication (no parity bits by default).
·         Serial Stop Bits: This is a read-only field that displays the number of stop bits used in serial communication (1 stop bit by default).

The serial port bit configuration is commonly referred to as 8N1.

Automatic Configuration

The Automatic Configuration feature which allows an AP to be automatically configured by downloading a specific configuration file from a TFTP server during the boot up process.

Automatic Configuration is disabled by default. The configuration process for Automatic Configuration varies depending on whether the AP is configured for dynamic or static IP.

When an AP is configured for dynamic IP, the Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. When configured for static IP, these parameters are instead configured in the AP interface.

After setting up automatic configuration you must reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If Syslog is configured, a Syslog message will appear indicating the success or failure of the Automatic Configuration.

Set up Automatic Configuration for Static IP

Perform the following procedure to enable and set up Automatic Configuration when you have a static IP address for the TFTP server.

1.       Click Configure > Management > AutoConfig.
The Automatic Configuration Screen appears.
2.       Check Enable Auto Configuration.
3.       Enter the Configuration Filename.
4.       Enter the IP address of the TFTP server in the TFTP Server Address field.

The default filename is “config”. The default TFTP IP address is “10.0.0.2” for AP-3.

5.       Click OK to save the changes.
6.       Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
·          AutoConfig for Static IP
·          TFTP server address and configuration filename
·          AutoConfg Successful

Automatic Configuration Screen

Set up Automatic Configuration for Dynamic IP

Perform the following procedure to enable and set up Automatic Configuration when you have a dynamic IP address for the TFTP server via DHCP.

The Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. A Syslog server address is also contained in the DHCP response, allowing the AP to send Auto Configuration success and failure messages to a Syslog server.

The configuration filename and TFTP server IP address are configured only when the AP is configured for Static IP. If the AP is configured for Dynamic IP these parameters are not used and obtained from DHCP.

1.       Click Configure > Management > AutoConfig.
The Automatic Configuration Screen appears.
2.       Check Enable Auto Configuration.

When the AP is Configured with Dynamic IP, the DHCP server should be configured with the TFTP Server IP address ("Boot Server Host Name", option 66) and Configuration file ("Bootfile name", option 67) as follows:

1.       Select DHCP Server > DHCP Option > Scope.
The DHCP Options: Scope Screen appears.

DHCP Options: Setting the Boot Server Host Name

1.       Add the Boot Server Hostname and Boot Filename parameters to the Active Options list.
2.       Set the value of the Boot Server Hostname Parameter to the hostname or IP Address of the TFTP server. For example: 11.0.0.7.

DHCP Options: Setting the Boot Server Host Name

1.       Set the value of the Bootfile Name parameter to the Configuration filename. For example: AP-Config
2.       If using Syslog, set the Log server IP address (option 7, Log Servers).
3.       Reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If a Syslog server was configured, the following messages can be observed on the Syslog server:
4.       AutoConfig for Dynamic IP
5.       TFTP server address and configuration filename
6.       AutoConfg Successful

Filtering

The Access Point’s Packet Filtering features help control the amount of traffic exchanged between the wired and wireless networks. There are four sub-categories under the Filtering heading.

o        Ethernet Protocol
o        Static MAC
o        Advanced
o        TCP/UDP Port

Ethernet Protocol

The Ethernet Protocol Filter blocks or forwards packets based on the Ethernet protocols they support.

Follow these steps to configure the Ethernet Protocol Filter:

1.       Select the interface or interfaces that will implement the filter from the Ethernet Protocol Filtering drop-down menu.
o        Ethernet: Packets are examined at the Ethernet interface
o        Wireless: Packets are examined at the Wireless interface
o        All Interfaces: Packets are examined at both interfaces
o        Disabled: The filter is not used
2.       Select the Filter Operation Type.
o        If set to Passthru, only the enabled Ethernet Protocols listed in the Filter Table will pass through the bridge.
o        If set to Block, the bridge will block enabled Ethernet Protocols listed in the Filter Table.
3.       Configure the Ethernet Protocol Filter Table. This table is pre-populated with existing Ethernet Protocol Filters, however, you may enter additional filters by specifying the appropriate parameters.
o        To add an entry, click Add, and then specify the Protocol Number and a Protocol Name.
§         Protocol Number: Enter the protocol number. See http://www.iana.org/assignments/ethernet-numbers for a list of protocol numbers.
§         Protocol Name: Enter related information, typically the protocol name.
o        To edit or delete an entry, click Edit and change the information, or select Enable, Disable, or Delete from the Status drop-down menu.
o        An entry’s status must be enabled in order for the protocol to be subject to the filter.

Static MAC

The Static MAC Address filter optimizes the performance of a wireless (and wired) network. When this feature is properly configured, the AP can block traffic between wired devices and wireless devices based on MAC address.

For example, you can set up a Static MAC filter to prevent wireless clients from communicating with a specific server on the Ethernet network. You can also use this filter to block unnecessary multicast packets from being forwarded to the wireless network.

The Static MAC Filter is an advanced feature. You may find it easier to control wireless traffic via other filtering options, such as Ethernet Protocol Filtering.

Each static MAC entry contains the following fields:

·         Wired MAC Address
·         Wired Mask
·         Wireless MAC Address
·         Wireless Mask
·         Comment: This field is optional.

Each MAC Address or Mask is comprised of 12 hexadecimal digits (0-9, A-F) that correspond to a 48-bit identifier. (Each hexadecimal digit represents 4 bits (0 or 1).)

Taken together, a MAC Address/Mask pair specifies an address or a range of MAC addresses that the AP will look for when examining packets. The AP uses Boolean logic to perform an “AND” operation between the MAC Address and the Mask at the bit level. However, for most users, you do not need to think in terms of bits. It should be sufficient to create a filter using only the hexadecimal digits 0 and F in the Mask (where 0 is any value and F is the value specified in the MAC address). A Mask of 00:00:00:00:00:00 corresponds to all MAC addresses, and a Mask of FF:FF:FF:FF:FF:FF applies only to the specified MAC Address.

For example, if the MAC Address is 00:20:A6:12:54:C3 and the Mask is FF:FF:FF:00:00:00, the AP will examine the source and destination addresses of each packet looking for any MAC address starting with 00:20:A6. If the Mask is FF:FF:FF:FF:FF:FF, the AP will only look for the specific MAC address (in this case, 00:20:A6:12:54:C3).

When creating a filter, you can configure the Wired parameters only, the Wireless parameters only, or both sets of parameters. Which parameters to configure depends upon the traffic that you want block:

·         To prevent all traffic from a specific wired MAC address from being forwarded to the wireless network, configure only the Wired MAC Address and Wired Mask (leave the Wireless MAC Address and Wireless Mask set to all zeros).
·         To prevent all traffic from a specific wireless MAC address from being forwarded to the wired network, configure only the Wireless MAC address and Wireless Mask (leave the Wired MAC Address and Wired Mask set to all zeros).
·         To block traffic between a specific wired MAC address and a specific wireless MAC address, configure all four parameters.

To create an entry, click Add and enter the appropriate MAC addresses and Masks to setup a filter. The entry is enabled automatically when saved. To edit an entry, click Edit. To disable or remove an entry, click Edit and change the Status field from Enable to Disable or Delete.

Static MAC Configuration Screen

Static MAC Filter Examples

Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:

o        Wired Server: 00:40:F4:1C:DB:6A
o        ireless Client 1: 00:02:2D:51:94:E4
o        Wireless Client 2: 00:02:2D:51:32:12
o        Wireless Client 3: 00:20:A6:12:4E:38
Prevent Two Specific Devices from Communicating

Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:

o        Wired MAC Address: 00:40:F4:1C:DB:6A
o        Wired Mask: FF:FF:FF:FF:FF:FF
o        Wireless MAC Address: 00:02:2D:51:94:E4
o        Wireless Mask: FF:FF:FF:FF:FF:FF

Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 can still communicate with the Wired Server.

Prevent Multiple Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server.

o        Wired MAC Address: 00:40:F4:1C:DB:6A
o        Wired Mask: FF:FF:FF:FF:FF:FF
o        Wireless MAC Address: 00:02:2D:51:94:E4
o        Wireless Mask: FF:FF:FF:00:00:00

Result: When a logical “AND” is performed on the Wireless MAC Address and Wireless Mask, the result corresponds to any MAC address beginning with the 00:20:2D prefix. Since Wireless Client 1 and Wireless Client 2 share the same prefix (00:02:2D), traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).

Prevent All Wireless Devices From Communicating With a Single Wired Device

Configure the following settings to prevent all three Wireless Clients from communicating with Wired Server 1.

o        Wired MAC Address: 00:40:F4:1C:DB:6A
o        Wired Mask: FF:FF:FF:FF:FF:FF
o        Wireless MAC Address: 00:00:00:00:00:00
o        Wireless Mask: 00:00:00:00:00:00

Result: The Access Point blocks all traffic between Wired Server 1 and all wireless clients.

Prevent A Wireless Device From Communicating With the Wired Network

Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet.

o        Wired MAC Address: 00:00:00:00:00:00
o        Wired Mask: 00:00:00:00:00:00
o        Wireless MAC Address: 00:20:A6:12:4E:38
o        Wireless Mask: FF:FF:FF:FF:FF:FF

Result: The Access Point blocks all traffic between Wireless Client 3 and the Ethernet network.

Prevent Messages Destined for a Specific Multicast Group from Being Forwarded to the Wireless LAN

If there are devices on your Ethernet network that use multicast packets to communicate and these packets are not required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you can set up a filter to prevent these multicast packets from being forwarded to the wireless network:

o        Wired MAC Address: 01:00:5E:00:32:4B
o        Wired Mask: FF:FF:FF:FF:FF:FF
o        Wireless MAC Address: 00:00:00:00:00:00
o        Wireless Mask: 00:00:00:00:00:00

Result: The Access Point does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.

Advanced

You can configure the following advanced filtering options:

·         Enable Proxy ARP: Place a check mark in the box provided to allow the Access Point to respond to Address Resolution Protocol (ARP) requests for wireless clients. When enabled, the AP answers ARP requests for wireless stations without actually forwarding them to the wireless network. If disabled, the Access Point will bridge ARP requests for wireless clients to the wireless LAN.
·         Enable IP/ARP Filtering: Place a check mark in the box provided to allow IP/ARP filtering based on the IP/ARP Filtering Address and IP Mask. Leave the box unchecked to prevent filtering. If enabled, you should also configure the IP/ARP Filtering Address and IP/ARP IP Mask.
o        IP/ARP Filtering Address: Enter the Network filtering IP Address.
o        IP/ARP IP Mask: Enter the Network Mask IP Address.

The following protocols are listed in the Advanced Filter Table:

·         Deny IPX RIP
·         Deny IPX SAP
·         Deny IPX LSP
·         Deny IP Broadcasts
·         Deny IP Multicasts

The AP can filter these protocols in the wireless-to-Ethernet direction, the Ethernet-to-wireless direction, or in both directions. Click Edit and use the Status field to Enable or Disable the filter.

TCP/UDP Port

Port-based filtering enables you to control wireless user access to network services by selectively blocking TCP/UDP protocols through the AP. A user specifies a Protocol Name, Port Number, Port Type (TCP, UDP, or TCP/UDP), and filtering interfaces (Wireless only, Ethernet only, all interfaces, or no interfaces) in order to block access to services, such as Telnet and FTP, and traffic, such as NETBIOS and HTTP.

For example, an AP with the following configuration would discard frames received on its Ethernet interface with a UDP destination port number of 137, effectively blocking NETBIOS Name Service packets.

Protocol Type
(TCP/UDP)

Destination
Port Number

Protocol Name

Interface

Status
(Enable/Disable)

UDP

137

NETBIOS
Name Service

Ethernet

Enable

Adding TCP/UDP Port Filters

1.       Place a check mark in the box labeled Enable TCP/UDP Port Filtering.

2.       Click Add under the TCP/UDP Port Filter Table heading.

3.       In the TCP/UDP Port Filter Table, enter the Protocol Names to filter.

4.       Set the destination Port Number (a value between 0 and 65535) to filter. See the IANA Web site at http://www.iana.org/assignments/port-numbers for a list of assigned port numbers and their descriptions.

5.       Set the Port Type for the protocol: TCP, UDP, or both (TCP/UDP).

6.       Set the Interface to filter:

o        Wireless

o        Ethernet

o        All interfaces

o        No interfaces

7.       Click OK.

Editing TCP/UDP Port Filters

1.       Click Edit under the TCP/UDP Port Filter Table heading.

2.       Make any changes to the Protocol Name or Port Number for a specific entry, if necessary.

3.       In the row that defines the port, set the Status to Enable, Disable, or Delete, as appropriate.

4.       Select OK.


Alarms

This category has three sub-categories.

o        Groups

o        Alarm Host Table

o        Syslog

Groups

There are seven alarm groups that can be enabled or disabled via the Web interface. Place a check mark in the box provided to enable a specific group. Remove the check mark from the box to disable the alarms. Alarm Severity Levels vary.

·         Configuration Alarm

Trap Name

Description

oriTrapDNSIPNotConfigured

This traps is generated when the DNS IP Address has not been configured.

Severity Level: Major

·         Security Alarms

Trap Name

Description

oriTrapAuthenticationFailure

This trap is generated when a client authentication failure occurs. The authentication failures can range from:

- MAC Access Control Table

- RADIUS MAC Authentication

- 802.1x Authentication specifying the EAP-Type

Severity Level: Major

oriTrapUnauthorizedManagerDetected

This trap is generated when an unauthorized manager has attempted to view and/or modify parameters.

Severity Level: Major

·         Wireless Alarms

Trap Name

Description

oriTrapWLCNotPresent

When you start the AP, this trap is generated when a wireless interface/card is not present in the AP.

Severity Level: Informational

oriTrapWLCFailure

This trap is generated when a general failure occurs with the wireless interface/card.

Severity Level: Critical

oriTrapWLCRemoval

This trap is generated when the wireless interface/card has been removed from the device.

Severity Level: Critical

oriTrapWLCIncompatibleFirmware

This trap is generated when the firmware of the wireless interface/card is incompatible with the AP.

Severity Level: Critical

oriTrapWLCVoltageDiscrepancy

The dual-radio AP supports 3.3 V and 5 V wireless cards.  This trap is generated when a wireless interface/card using a different voltage is inserted in the AP.

Severity Level: Critical

oriTrapWLCIncompatibleVendor

This trap is generated when an incompatible wireless vendor card is inserted or present in the AP.

Severity Level: Critical

oriTrapWLCFirmwareDownloadFailure

This trap is generated when a failure occurs during the firmware download process of the wireless interface/card.

Severity Level: Critical

·         Operational Alarms

Trap Name

Description

oriTrapWatchDogTimerExpired

This trap is generated when the software watch dog timer expires. This indicates that a problem has occurred with one or more software modules and the AP will reboot automatically.

Trap Severity Level: Critical

oriTrapRADIUSServerNotResponding

This trap is generated when no response is received from the

RADIUS server(s) for authentication requests sent from the RADIUS client in the AP.

Trap Severity Level: Major

oriTrapModuleNotInitialized

This trap is generated when a certain software or hardware module is not initialized or fails to initialize.

Trap Severity Level: Major

oriTrapDeviceRebooting

This trap is generated when the AP is rebooting.

Trap Severity Level: Informational

oriTrapTaskSuspended

This trap is generated when a software task in the AP is suspended.

Trap Severity Level: Critical

oriTrapBootPFailed

In bootloader mode, this trap is generated when the AP does not receive a response from the BootP server. The result is that the Access Point reverts to its static IP configuration and you will need to set reset configuration options.

Trap Severity Level: Major

oriTrapDHCPFailed

In operational mode, this trap is generated when the AP does not receive a response from the DHCP server. The result is that the Access Point reverts to its static IP configuration and you will need to set reset configuration options.

Trap Severity Level: Major

·         FLASH Memory Alarms

Trap Name

Description

oriTrapFlashMemoryEmpty

This trap is generated when an error occurs while downloading a file to the AP and no data is present in the flash memory.

Severity Level: Informational

oriTrapFlashMemoryCorrupted

This trap is generated when an error occurs while downloading a file to the AP and the data in the flash memory is invalid or corrupted.

Severity Level: Critical

·         TFTP Alarms

Trap Name

Description

oriTrapTFTPFailedOperation

This trap is generated when a failure occurs during a TFTP upload or download operation.

Severity Level: Major

oriTrapTFTPOperationInitiated

This trap is generated when a TFTP upload or download operation is started.

Severity Level: Informational

oriTrapTFTPOperationCompleted

This trap is generated when a TFTP operation is complete (upload or download).

Severity Level: Informational

·         Image Alarms

Trap Name

Description

oriTrapZeroSizeImage

This trap is generated when a zero size image is loaded on the AP.

Trap Severity Level: Major

oriTrapInvalidImage

This trap is generated when an invalid image is loaded in the Access Point.

Trap Severity Level: Major

oriTrapImageTooLarge

This trap is generated when the image loaded in the AP exceeds the size limitation of the flash memory.

Trap Severity Level: Major

oriTrapIncompatibleImage

This trap is generated when an incompatible image is loaded in the AP.

Trap Severity Level: Major

In addition, the AP supports these standard traps, which are always enabled:

·         RFC 1215-Trap

Trap Name

Description

coldStart

The AP has been turned on or rebooted.

Trap Severity Level: Informational

linkUp

The AP's Ethernet interface link is up (working).

Trap Severity Level: Informational

linkDown

The AP's Ethernet interface link is down (not working).

Trap Severity Level: Informational

·         Bridge MIB (RFC 1493) Alarms

Trap Name

Description

newRoot

This trap indicates that the AP has become the new root in the Spanning Tree network.

Trap Severity Level: Informational

topologyChange

This trap is sent by the AP when any of its configured ports transitions from the Learning state to the Forwarding state, or from the Forwarding state to the Blocking state.

This trap is not sent if a newRoot trap is sent for the same transition.

Trap Severity Level: Informational

All these alarm groups correspond to System Alarms that are displayed in the System Status screen, including the traps that are sent by the AP to the SNMP managers specified in the Alarm Host Table.

Severity Levels

There are three severity levels for system alarms:

o        Critical

o        Major

o        Informational

Critical alarms will often result in severe disruption in network activity or an automatic reboot of the AP

Major alarms are usually activated due to a breach in the security of the system. Clients cannot be authenticated or an attempt at unauthorized access into the AP has been detected.

Informational alarms are there to provide the network administrator with some general information about the activities the AP is performing.

Alarm Host Table

To add an entry and enable the AP to send SNMP trap messages to a Trap Host, click Add, and then specify the IP Address and Password for the Trap Host.

·         IP Address: Enter the Trap Host IP Address.

·         Password: Enter the password in the Password field and the Confirm field.

·         Comment: Enter an optional comment, such as the alarm (trap) host station name.

To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status drop-down menu.

Syslog

The Syslog messaging system enables the AP to transmit event messages to a central server for monitoring and troubleshooting. The AP can send messages to one Syslog server (it cannot send messages to more than one Syslog server). The access point logs “Session Start (Log-in)” and “Session Stop (Log-out)” events for each wireless client as an alternative to RADIUS accounting.

See RFC 3164 at http://www.rfc-editor.org for more information on the Syslog standard.

Syslog Configuration Screen

Setting Syslog Event Notifications

Syslog Events are logged according to the level of detail specified by the administrator. Logging only urgent system messages will create a far smaller, more easily read log then a log of every event the system encounters. Determine which events to log by selecting a priority defined by the following scale:

Event Priority Description

LOG_EMERG

0

system is unusable

LOG_ALERT

1

action must be taken immediately

LOG_CRIT

2

critical conditions

LOG_ERR

3

error conditions

LOG_WARNING

4

warning conditions

LOG_NOTICE

5

normal but significant condition

LOG_INFO

6

informational

LOG_DEBUG

7

debug-level messages

Configuring Syslog Event Notifications

You can configure the following Syslog settings from the HTTP interface:

·         Enable Syslog: Place a check mark in the box provided to enable system logging.

·         Syslog Port Number: This field is read-only and displays the port number (514) assigned for system logging.

·         Syslog Lowest Priority Logged: The AP will send event messages to the Syslog server that correspond to the selected priority and above. For example, if set to 6, the AP will transmit event messages labeled priority 0 to 6 to the Syslog server(s). This parameter supports a range between 1 and 7; 6 is the default.

·         Syslog Host Table: This table specifies the IP addresses of a network servers that the AP will send Syslog messages to. Click Add to create a new entry. Click Edit to change an existing entry. Each entry contains the following field:

o        IP Address: Enter the IP Address for the management host.

o        Comment: Enter an optional comment such as the host name.

o        Status: The entry is enabled automatically when saved (so the Status field is only visible when editing an entry). You can also disable or delete entries by changing this field’s value.


Bridge

The AP is a bridge between your wired and wireless networking devices. As a bridge, the functions performed by the AP include:

·         MAC address learning

·         Forward and filtering decision making

·         Spanning Tree protocol used for loop avoidance

Once the AP is connected to your network, it learns which devices are connected to it and records their MAC addresses in the Learn Table. The table can hold up to 10,000 entries. To view the Learn Table, click on the Monitor button in the web interface and select the Learn Table tab.

The Bridge tab has four sub-categories.

o        Spanning Tree

o        Storm Threshold

o        Intra BSS

o        Packet Forwarding

Spanning Tree

A Spanning Tree is used to avoid redundant communication loops in networks with multiple bridging devices. Bridges do not have any inherent mechanism to avoid loops, because having redundant systems is a necessity in certain networks. However, redundant systems can cause Broadcast Storms, multiple frame copies, and MAC address table instability problems.

Complex network structures can create multiple loops within a network. The Spanning Tree configuration blocks certain ports on AP devices to control the path of communication within the network, avoiding loops and following a spanning tree structure.

For more information on Spanning Tree protocol, please see Section 8.0 of the IEEE 802.1d standard. The Spanning Tree configuration options are advanced settings. Avaya recommends that you leave these parameters at their default values unless you are familiar with the Spanning Tree protocol.

Storm Threshold

Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by:

·         Specifying a maximum number of frames per second as received from a single network device (identified by its MAC address).

·         Specifying an absolute maximum number of messages per port.

The Storm Threshold parameters allow you to specify a set of thresholds for each port of the AP, identifying separate values for the number of broadcast messages/second and Multicast messages/second.

When the number of frames for a port or identified station exceeds the maximum value per second, the AP will ignore all subsequent messages issued by the particular network device, or ignore all messages of that type.

·         Address Threshold: Enter the maximum allowed number of packets per second.

·         Ethernet Threshold: Enter the maximum allowed number of packets per second.

·         Wireless Threshold: Enter the maximum allowed number of packets per second.

Intra BSS

The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature enables you to prevent wireless subscribers within a BSS from exchanging traffic.

Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents peer-to-peer file sharing or gaming over the wireless network.

To block Intra BSS traffic, set Intra BSS Traffic Operation to Block.

To allow Intra BSS traffic, set Intra BSS Traffic Operation to Passthru.

Packet Forwarding

The Packet Forwarding feature enables you to redirect traffic generated by wireless clients that are all associated to the same AP to a single MAC address. This filters wireless traffic without burdening the AP and provides additional security by limiting potential destinations or by routing the traffic directly to a firewall. You can redirect to a specific port (Ethernet or WDS) or allow the bridge’s learning process (and the forwarding table entry for the selected MAC address) to determine the optimal port.

The gateway to which traffic will be redirected should be node on the Ethernet network. It should not be a wireless client.

Configuring Interfaces for Packet Forwarding

Configure your AP to forward packets by specifying interface port(s) to which packets are redirected and a destination MAC address.

1.       Within the Packet Forwarding Configuration screen, check the box labeled Enable Packet Forwarding.

2.       Specify a destination Packet Forwarding MAC Address. The AP will redirect all unicast, multicast, and broadcast packets received from wireless clients to the address you specify.

3.       Select a Packet Forwarding Interface Port from the drop-down menu. You can redirect traffic to:

o        Ethernet

o        A WDS connection (see Wireless Distribution System (WDS) for details)

o        Any (traffic is redirected to a port based on the bridge learning process)

4.       Click OK to save your changes.


Security

The AP provides several security features to protect your network from unauthorized access.

·         Authentication and Encryption Modes

·         MAC Access

Authentication and Encryption Modes

The AP supports the following Security features:

·         WEP Encryption: The original encryption technique specified by the IEEE 802.11 standard.

·         802.1x Authentication: An IEEE standard for client authentication.

·         Wi-Fi Protected Access (WPA): A new standard that provides improved encryption security over WEP.

WEP Encryption

The IEEE 802.11 standards specify an optional encryption feature, known as Wired Equivalent Privacy or WEP, that is designed to provide a wireless LAN with a security level equal to what is found on a wired Ethernet network. WEP encrypts the data portion of each packet exchanged on an 802.11 network using an Encryption Key (also known as a WEP Key).

When Encryption is enabled, two 802.11 devices must have the same Encryption Keys and both devices must be configured to use Encryption in order to communicate. If one device is configured to use Encryption but a second device is not, then the two devices will not communicate, even if both devices have the same Encryption Keys.

·         An 802.11b AP supports 64-bit and 128-bit encryption:

o        For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters (see ASCII Character Chart).

o        For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.

·         An 802.11a or 802.11b/g AP supports 64-bit, 128-bit, and 152-bit encryption:

o        For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters (see ASCII Character Chart).

o        For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.

o        For 152-bit encryption, an encryption key is 32 hexadecimal characters or 16 ASCII characters.

64-bit encryption is sometimes referred to as 40-bit encryption; 128-bit encryption is sometimes referred to as 104-bit encryption.

802.1x Authentication

IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an Access Point. 802.1x requires a RADIUS server and uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep pace with future EAP types.

Popular EAP types include:

·         EAP-Message Digest 5 (MD5): Username/Password-based authentication; does not support automatic key distribution

·         EAP-Transport Layer Security (TLS): Certificate-based authentication (a certificate is required on the server and each client); supports automatic key distribution

·         EAP-Tunneled Transport Layer Security (TTLS): Certificate-based authentication (a certificate is required on the server; a client’s username/password is tunneled to the server over a secure connection); supports automatic key distribution

·         PEAP - Protected EAP with MS-CHAP v2: Secure username/password-based authentication; supports automatic key distribution

Different servers support different EAP types and each EAP type provides different features. Refer to the documentation that came with your RADIUS server to determine which EAP types it supports.

The AP supports the following EAP types when Authentication Mode is set to 802.1x or WPA: EAP-TLS, PEAP, and EAP-TTLS. When Authentication Mode is set to Mixed, the AP supports the following EAP types: EAP-TLS, PEAP, EAP-TLLS, and EAP-MD5 (MD5 does not support automatic key distribution; therefore, if you choose this method you need to manually configure each client with the network's encryption key).

Authentication Process

There are three main components in the authentication process. The standard refers to them as:

1.       supplicant (client PC)

2.       authenticator (Access Point)

3.       authentication server (RADIUS server)

When using Authentication Mode is set to 802.1x, WPA, or Mixed mode (802.1x and WEP), you need to configure your RADIUS server for authentication purposes.

Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP (the client begins encrypting data after it has been authenticated).

RADIUS Authentication Illustrated

The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).

Upon receiving a reply EAP packet from the RADIUS, the message is typically forwarded to the client, after translating it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports automatic key distribution). The client uses this key to encrypt data after it has been authenticated.

For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key; this is known as Per User Per Session Encryption Keys.

Wi-Fi Protected Access (WPA)

Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE). WPA is a sub-set of the forthcoming IEEE 802.11i security standard, currently in draft form. (IEEE 802.11i is also referred to as "WPA2" and will be available in 2004.)

For Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit. WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade Kit.

WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.

WPA provides the following new security measures not available with WEP:

·         Improved packet encryption using the Temporal Key Integrity Protocol (TKIP) and the Michael Message Integrity Check (MIC).

·         Per-user, per-session dynamic encryption keys:

o        Each client uses a different key to encrypt and decrypt unicast packets exchanged with the AP

o        A client's key is different for every session; it changes each time the client associates with an AP

o        The AP uses a single global key to encrypt broadcast packets that are sent to all clients simultaneously

o        Encryption keys change periodically based on the Re-keying Interval parameter

o        WPA uses 128-bit encryption keys

·         Dynamic Key distribution

o        The AP generates and maintains the keys for its clients

o        The AP securely delivers the appropriate keys to its clients

·         Client/server mutual authentication

o        802.1x

o        Pre-shared key (for networks that do not have an 802.1x solution implemented)

For more information on WPA, see the Wi-Fi Alliance Web site at http://www.wi-fi.org.

The AP supports two WPA authentication modes:

·         WPA: The AP uses 802.1x to authenticate clients. You should only use an EAP that supports mutual authentication and session key generation, such as EAP-TLS, EAP-TTLS, and PEAP. See 802.1x Authentication for details.

·         WPA-PSK (Pre-Shared Key): For networks that do not have 802.1x implemented, you can configure the AP to authenticate clients based on a Pre-Shared Key. This is a shared secret that is manually configured on the AP and each of its clients. The Pre-Shared Key must be 256 bits long, which is either 64 hexadecimal digits. The AP also supports a PSK Pass Phrase option to facilitate the creation of the Pre-Shared Key (so a user can enter an easy-to-remember phrase rather than a string of characters).

Configuring Security Settings

You can configure each wireless interface to operate in one of the following Security modes:

1.       No Security: This is the default setting for an AP.

2.       Enable WEP Encryption: The AP and clients use the same static WEP keys to encrypt data.

3.       Enable 802.1x Security: The AP uses the 802.1x standard to communicate with a RADIUS server and authenticate clients. The AP generates and distributes dynamic, per user WEP Keys to each client following successful authentication.

4.       Enable Mixed Mode (802.1x and WEP Encryption): The AP uses 802.1x Mode for clients that support 802.1x (and have an 802.1x supplicant application installed). The AP uses static WEP Encryption for clients that do not use 802.1x.

5.       Enable WPA Mode: The AP uses 802.1x to communicate with a RADIUS server and authenticate clients. The AP generates and distributes dynamic, per user encryption keys (based on the Temporal Key Integrity Protocol (TKIP)) to each client following successful authentication. WPA mode provides message integrity checking to guard against replay type attacks. This mode is not available for all radio types.  

6.       Enable WPA-PSK Mode: The AP uses a Pre-shared Key (manually configured on both the AP and the clients) to authenticate clients. The AP generates and distributes dynamic, per user encryption keys (based on TKIP) to each client following successful authentication. This mode is for customers who want to use WPA but do not have a RADIUS server installed on their network. This mode is not available for all radio types.

You configure the AP to use a particular Security mode by setting the Authentication Mode parameter. The following table summarizes the Authentication Mode options available in the HTTP Interface's Configure > Security > Authentication screen and describes how each of these options correspond to the six Security Modes listed above:

Authentication Mode Setting

Authentication Method Employed

Encryption Method Employed

None

None

None or manually configured Static WEP settings (from Configure > Security > Encryption screen)

802.1x

802.1x

Dynamic WEP Keying

Mixed

802.1x or None (depends on a client's configuration)

Dynamic WEP Keying or Static WEP (depends on client's configuration)

WPA

802.1x

Dynamic TKIP Keying

WPA-PSK

Manually configured Pre-shared Key

Dynamic TKIP Keying

 

Before enabling the 802.1x, Mixed, or WPA mode, the 802.1x server should be configured. Set the encryption key in Mixed mode after the authentication is set to Mixed mode.

Enable WEP Encryption

Follow these steps to set up WEP encryption on an AP:

1.       Click Configure > Security > Authentication.
2.       Set Authentication Mode to None (if necessary).
3.       Click the Encryption tab.
4.       Place a check mark in the box labeled Enable Encryption (WEP).
5.       Enter one to four Encryption Keys in the fields provided. Keep in mind the following:
o        If entering more than one Key, use the same number of characters for each Key. All Keys need to be the same Key Size (64, 128, or 152-bit).
o        You can enter the Encryption Keys in either hexadecimal or ASCII format.
o        You need to configure your wireless clients to use the same Keys in order for the clients and the AP to communicate.
6.       Select the Key that the AP will use to encryption outgoing data from the Encrypt Data Transmissions Using drop-down menu. By default, this parameter is set to Key 1.
7.       Click OK.
Enable 802.1x Security

Follow these steps to enable 802.1x only:

1.       Click Configure > Security > Authentication.
2.       Set Authentication Mode to 802.1x.
3.       Select an Encryption Key Length.
o        An 802.11b AP supports 64-bit and 128-bit encryption.
o        An 802.11a or 802.11b/g AP supports 64-bit and 128-bit encryption.
4.       Enter a Re-keying Interval.
o        The Re-keying Interval determines how often a client’s encryption key is changed and can be set to any value between 60 - 65535 seconds. Rekeying frustrates hacking attempts without taxing system resources. Setting a fairly frequent rekey value (900 seconds=15 minutes) effectively protects against intrusion without disrupting network activities.
5.       Click OK to save the changes.
6.       If you have not already done so, configure the RADIUS authentication settings (see RADIUS Authentication with 802.1x for details).
7.       Reboot the Access Point.
Enable Mixed Mode (802.1x and WEP Encryption)

Follow these steps to use both 802.1x and WEP Encryption simultaneously (clients that do not support 802.1x use WEP Encryption for security purposes):

1.       Click Configure > Security > Authentication.
2.       Set Authentication Mode to Mixed.
3.       Enter a Re-keying Interval.
o        The Re-keying Interval determines how often a client’s encryption key is changed and can be set to any value between 60 - 65535 seconds. Rekeying frustrates hacking attempts without taxing system resources. Setting a fairly frequent rekey value (900 seconds=15 minutes) effectively protects against intrusion without disrupting network activities.
4.       Click OK to save the changes.
5.       Click the Encryption tab.
6.       Place a check mark in the box labeled Enable Encryption (WEP).
7.       Configure Encryption Key 1 only (i.e., do not configure Keys 2 through 4). Keep in mind the following:
o        For 64-bit encryption, an encryption key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters (see ASCII Character Chart).
o        For 128-bit encryption, an encryption key is 26 hexadecimal characters or 13 ASCII characters.
o        You can enter the Encryption Keys in either hexadecimal or ASCII format.
o        You need to manually configure your wireless clients that do not support 802.1x to use the same Encryption Key.
8.       Confirm that Key 1 is selected in the Encrypt Data Transmissions Using drop-down menu.
9.       Click OK.
10.    If you have not already done so, configure the RADIUS authentication settings (see RADIUS Authentication with 802.1x for details).
11.    Reboot the Access Point.
802.1x Security and Wireless Distribution Systems (WDS)

Wireless distribution systems (WDS) are configured using specific ports on an 802.11a, 802.11b, or 802.11b/g AP. To use 802.1x with WDS, you need to set the 802.1x Security Mode to Mixed (WEP and 802.1x) and confirm that the APs communicating in the WDS share the same encryption key (Key 1). See Wireless Distribution System (WDS) for more information.

Enable WPA Mode

For Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit. WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade Kit.

1.       Click Configure > Security > Authentication.
2.       Set Authentication Mode to WPA.
3.       Enter a Re-keying Interval.
o        The Re-keying Interval determines how often a client's encryption key is changed and can be set to any value between 60 and 65535 seconds. Rekeying frustrates hacking attempts without taxing system resources. Setting a fairly frequent rekey value (900 seconds=15 minutes) effectively protects against intrusion without disrupting network activities.
4.       Click OK.
5.       If you have not already done so, configure the RADIUS authentication settings (see RADIUS Authentication with 802.1x for details).
6.       Reboot the Access Point.
Enable WPA-PSK Mode

For Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit. WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade Kit.

1.       Click Configure > Security > Authentication.
2.       Set Authentication Mode to WPA-PSK.
3.       Enter a Re-keying Interval.
o        The Re-keying Interval determines how often a client's encryption key is changed and can be set to any value between 60 and 65535 seconds. Rekeying frustrates hacking attempts without taxing system resources. Setting a fairly frequent rekey value (900 seconds=15 minutes) effectively protects against intrusion without disrupting network activities.
4.       Configure the Pre-Shared Key.
o        You must also configure your clients to use this same key.
o        Do one of the following:
§         Enter 64 hexadecimal digits in the Pre-Shared Key field.
§         Enter a phrase in the PSK Pass Phrase field. The AP will automatically generate a Pre-Shared Key based on the phrase you enter. Enter between 8 and 63 characters; Avaya recommends using a pass phrase of at least 13 characters, including both numbers and upper and lower case letters, to ensure that the generated key cannot be easily deciphered by network infiltrators.
5.       Click OK.
6.       Reboot the Access Point.

MAC Access

The MAC Access tab allows you to build a list of stations, identified by their MAC addresses, authorized to access the network through the AP. The list is stored inside each AP within your network. Note that you must reboot the AP for any changes to the MAC Access Control Table to take effect.

·         Enable MAC Access Control: Check this box to enable the Control Table.
·         Operation Type: Choose between Passthru and Block. This determines how the stations identified in the MAC Access Control Table are filtered.
o        If set to Passthru, only the addresses listed in the Control Table will pass through the bridge.
o        If set to Block, the bridge will block traffic to or from the addresses listed in the Control Table.
·         MAC Access Control Table: Click Add to create a new entry. Click Edit to change an existing entry. Each entry contains the following field:
o        MAC Address: Enter the wireless client’s MAC address.
o        Comment: Enter an optional comment such as the client’s name.
o        Status: The entry is enabled automatically when saved (so the Status field is only visible when editing an entry). You can also disable or delete entries by changing this field’s value.

For larger networks that include multiple Access Points, you may prefer to maintain this list on a centralized location using the MAC Access Control Via RADIUS Authentication.

MAC Access Configuration Screen

Rogue Access Point Detection (RAD)

The Rogue AP Detection (RAD) feature provides an additional security level for wireless LAN deployments. Rogue AP detection provides a mechanism for detecting Rogue Access Points by utilizing the coverage of the trusted Access Point deployment.

The Rogue AP Scan employs background scanning using low-level 802.11 scanning functions for effective wireless detection of Access Points in its coverage area with minimal impact on the normal operation of the Access Point.

This RAD feature can be enabled on an Access Point via its HTTP, CLI, or SNMP Interfaces. The scan repetition duration is configurable. If the Access Point uses directional antennas to provide directional coverage, then the interface bitmask can be configured to maximize the scanning coverage area. The Access Point will periodically scan the wireless network and report all the available Access Points within its coverage area using SNMP traps. For additional reliability the results are stored in the Access Point in a table, which can be queried via SNMP. The BSSID and Channel number of the detected Access Points are provided in the scan results.

The RAD scan is done on a channel list initialized based on the regulatory domain of the device. The RAD Scan then performs background scanning on all the channels in this channel list using 802.11 MAC scanning functions. It will either actively scan the network by sending probe requests or passively scan by only listening for beacons. The access point information is then gathered from the probe responses and beacons.

To minimize traffic disruption and maximize the scanning efficiency, the RAD feature employs an enhanced background-scanning algorithm and uses the CTS to Self mechanism to keep the clients silent. The scanning algorithm allows traffic to be serviced between each channel scan. Before start of every scan (except scan on the working channel) the CTS to self-mechanism is used to set the NAV values of clients to keep them silent during the scanning period. In addition, the scan repetition duration can also be configured to reduce the frequency of RAD scan cycles to maximize Access Point performance.

RAD Configuration Requirements

The RAD feature can be configured/monitored via the HTTP, CLI, or SNMP management interfaces.

The following management options are provided:

·         The RAD feature can be enabled or disabled.
·         The repetition interval of RAD can be configured.
·         The interface on which RAD can operate can be configured.
·         SNMP Traps are sent after completion of a RAD scan cycle and also whenever a new Access Point is detected.
·         Additionally, the RAD scan results are maintained in a table that can be queried via SNMP.

The system administrator has to enable RAD on the Access Points in the wireless network and also configure the Trap Host on all these Access Points to the IP address of the management station. The Access Points on detecting a new Access Point sends a RAD Scan Result Trap to the management station.

Example Rogue AP Detection Deployment

An example network deployment is shown. The Trusted AP has Rogue Access Detection enabled and the trap host is configured to be the management station. The Trusted AP on detecting the Rogue AP will send a trap to the management station with the Channel and BSSID of the Rogue Access Point.

Configuring RAD

Perform this procedure to enable RAD and define the Scan Interval and Scan Interface.

The RAD screen also displays the time of the last scan and the number of new access points detected in the last scan.

1.       Enable the Security Alarm Group. Select the Security Alarm Group link from the RAD screen. Configure a Trap Host to receive the list of access points detected during the scan.
2.       Click Configure > Security > RAD.
3.       Enable RAD by checking Enable Rogue AP Detection.
4.       Enter the Scan Interval.
o        The Scan Interval specifies the time period in minutes between scans and can be set to any value between 15 and 1440 minutes.
5.       Select the Scan Interface as Slot A, Slot B, or both.
6.       Click OK.

The results of the RAD scan be be viewed in the Status page in the HTTP interface.

Rogue Access Point Detection Screen (AP-3)


RADIUS

The AP communicates with a network’s RADIUS server to provide the following features:

o        MAC Access Control Via RADIUS Authentication
o        RADIUS Authentication with 802.1x
o        RADIUS Accounting

The network administrator can configure multiple RADIUS Authentication Servers for different Authentication types. The current available authentication types are EAP/802.1x authentication and MAC-based authentication.You can configure two separate sets of Primary and Secondary RADIUS Servers for each of the two supported Authentication types, 802.1x EAP Based authentication and MAC based authentication.

You can configure the AP to communicate with up to six different RADIUS servers:

·         Primary Authentication Server (MAC-based authentication)
·         Back-up Authentication Server (MAC-based authentication)
·         Primary Authentication Server (EAP/802.1x authentication)
·         Back-up Authentication Server (EAP/802.1x authentication)
·         Primary Accounting Server
·         Back-up Accounting Server

You must have configured the settings for at least one Authentication server before configuring the settings for an Accounting server.

The back-up servers are optional, but when configured, the AP will communicate with the back-up server if the primary server is off-line. After the AP has switched to the backup server, it will periodically check the status of the primary RADIUS server every five (5) minutes. Once the primary RADIUS server is again online, the AP automatically reverts from the backup RADIUS server back to the primary RADIUS server. All subsequent requests are then sent to the primary RADIUS server.

You can view monitoring statistics for each of the configured RADIUS servers.

MAC Access Control Via RADIUS Authentication

If you want to control wireless access to the network and if your network includes a RADIUS Server, you can store the list of MAC addresses on the RADIUS server rather than configure each AP individually. From the RADIUS Authentication tab, you can define the IP Address of the server that contains a central list of MAC Address values that identify the authorized stations that may access the wireless network. You must specify information for at least the primary RADIUS server. The back-up RADIUS server is optional.

Contact your RADIUS server manufacturer if you have problems configuring the server or have problems using RADIUS authentication.

Follow these steps to enable RADIUS MAC Access Control:

1.       Within the RADIUS Auth screen, place a check mark in the box labeled Enable RADIUS MAC Access Control.
2.       Place a check mark in the box labeled Enable Primary RADIUS Authentication Server.
3.       If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Back-up RADIUS Authentication Server.
4.       Enter the time, in seconds, each client session may be active before being automatically re-authenticated in the Authorization Lifetime field. This parameter supports a value between 900 and 43200 sec; the default is 900 sec.
5.       Select a MAC Address Format Type. This should correspond to the format in which the clients’ 12-digit MAC addresses are listed within the RADIUS server. Available options include:
o        Dash delimited: dash between each pair of digits: xx-yy-zz-aa-bb-cc
o        Colon delimited: colon between each pair of digits: xx:yy:zz:aa:bb:cc)
o        Single dash delimited: dash between the sixth and seventh digits: xxyyzz-aabbcc
o        No delimiters: No characters or spaces between pairs of hexadecimal digits: xxyyzzaabbcc
6.       Select a Server Addressing Format type (IP Address or Name).
o        If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client for details.
7.       Enter the server’s IP address or name in the field provided.
8.       Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers communicate on port 1812.
9.       Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the RADIUS server and the AP. The same password must also be configured on the RADIUS server.
10.    Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the Response Time field. Range is 1-10 seconds; default is 3 seconds.
11.    Enter the maximum number of times an authentication request may be retransmitted in the Maximum Retransmissions field. Range is 1-4; default is 3.
12.    If you are configuring a back-up server, repeat Steps 6 through 11 for the back-up server.
13.    Click OK to save your changes.
14.    Reboot the AP for these changes to take effect.

RADIUS MAC-Based Access Control Screen

RADIUS Authentication with 802.1x

You must configure a primary EAP/802.1x Authentication server to use 802.1x security. A back-up server is optional.

Problems with RADIUS Server configuration or RADIUS Authentication should be referred to the RADIUS Server developer.

Follow these steps to enable a RADIUS Authentication server for 802.1x security:

1.       Click the RADIUS tab.
2.       Click the EAP/802.1x Auth sub-tab.
3.       Place a check mark in the box labeled Enable Primary EAP/802.1x Authentication Server.
4.       If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Backup EAP/802.1x Authentication Server.
5.       Select a Server Addressing Format type (IP Address or Name).
o        If you want to identify RADIUS servers by name, you must configure the AP as a DNS Client. See DNS Client for details.
6.       Enter the server’s IP address or name in the field provided.
7.       Enter the port number which the AP and the server will use to communicate. By default, RADIUS servers communicate on port 1812.
8.       Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the RADIUS server and the AP. The same password must also be configured on the RADIUS server.
9.       Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the Response Time field. Range is 1-10 seconds; default is 3 seconds.
10.    Enter the maximum number of times an authentication request may be retransmitted in the Maximum Retransmissions field. Range is 1-4; default is 3.
11.    If you are configuring a back-up server, repeat Steps 7 through 12 for the back-up server.
12.    Click OK to save your changes.
13.    Reboot the AP device for these changes to take effect.

RADIUS EAP/802.1x Authentication Screen

RADIUS Accounting

Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS accounting is initiated by sending an “Accounting Start” request to the RADIUS server. When the wireless client session ends, an “Accounting Stop” request is sent to the RADIUS server.

Session Length

Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:

·         A client disassociates.
·         A client does not transmit any data to the AP for a fixed amount of time.
·         A client is detected on a different interface.

If the client roams from one AP to another, one session is terminated and a new session is begun.

This feature requires RADIUS authentication using MAC Access Control or 802.1x. Wireless clients configured in the Access Point’s static MAC Access Control list are not tracked.

Configuring RADIUS Accounting

Follow these steps to enable RADIUS accounting on the AP:

1.       Within the RADIUS Accounting Configuration screen, place a check mark in the Enable RADIUS Accounting box to turn on this feature.
2.       Place a check mark in the box labeled Enable Primary RADIUS Accounting Server.
3.       If you want to configure a back-up RADIUS server, place a check mark in the box labeled Enable Back-up RADIUS Accounting Server.
4.       Enter the session timeout interval in minutes within the Accounting Inactivity Timer field. An accounting session automatically ends for a client that is idle for the period of time specified. Range is 1-60 minutes; default is 5 minutes.
5.       Select a Server Addressing Format type (IP Address or Name).
o        If you want to identify RADIUS servers by name, you must configure the Access Point as a DNS Client. See DNS Client for details.
6.       Enter the server’s IP address or name in the field provided.
7.       Enter the port number which the AP and the server will use to communicate. By default, RADIUS accounting uses port 1813.
8.       Enter the Shared Secret in the Shared Secret and Confirm Shared Secret field. This is a password shared by the RADIUS server and the AP. The same password must also be configured on the RADIUS server.
9.       Enter the maximum time, in seconds, that the AP should wait for the RADIUS server to respond to a request in the Response Time field. Range is 1-10 seconds; default is 3 seconds.
10.    Enter the maximum number of times an authentication request may be retransmitted in the Maximum Retransmissions field. Range is 1-4; default is 3.
11.    If you are configuring a back-up server, repeat Steps 5 through 10 for the back-up server.
12.    Click OK to save your changes.
13.    Reboot the AP device for these changes to take effect.

RADIUS Accounting Server Configuration


VLAN/SSID

The AP allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN membership.

A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share its SSID. During installation, the Setup Wizard prompts you to configure one Network Name for each wireless interface. After initial setup, the AP can be configured to support up to 16 SSIDs per wireless interface to segment wireless networks based on VLAN membership.

16 VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one VLAN/SSID pair.

VLAN Overview

Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted resources.

VLANs now extend as far as the reach of the access point signal. Clients can be segmented into wireless sub-networks via SSID and VLAN assignment. A Client can access the network by connecting to an AP configured to support its assigned SSID/VLAN.

AP devices are fully VLAN-ready; however, by default VLAN support is disabled. Before enabling VLAN support, certain network settings should be configured, and network resources such as a VLAN-aware switch, a RADIUS server, and possibly a DHCP server should be available.

Once enabled, VLANs are used to conveniently, efficiently, and easily manage your network in the following ways:

·         Manage adds, moves, and changes from a single point of contact
·         Define and monitor groups
·         Reduce broadcast and multicast traffic to unnecessary destinations
o        Improve network performance and reduce latency
·         Increase security
o        Secure network restricts members to resources on their own VLAN
o        Clients roam without compromising security

VLAN tagged data is collected and distributed through an AP's wireless interface(s) based on Network Name (SSID). An Ethernet port on the access point connects a wireless cell or network to a wired backbone. The access points communicate across a VLAN-capable switch that analyzes VLAN-tagged packet headers and directs traffic to the appropriate ports. On the wired network, a RADIUS server authenticates traffic and a DHCP server manages IP addresses for the VLAN(s). Resources like servers and printers may be present, and a hub may include multiple APs, extending the network over a larger area.

In this figure, the numbered items correspond to the following components:

1.       VLAN-enabled access point
2.       VLAN-aware switch (IEEE 802.1Q uplink)
3.       AP management via wired host (SNMP, Web interface or CLI)
4.       DHCP Server
5.       RADIUS Server
6.       VLAN 1
7.       VLAN 2

Components of a typical VLAN

VLAN Workgroups and Traffic Management

Access Points that are not VLAN-capable typically transmit broadcast and multicast traffic to all wireless Network Interface Cards (NICs). This process wastes wireless bandwidth and degrades throughput performance. In comparison, VLAN-capable AP is designed to efficiently manage delivery of broadcast, multicast, and unicast traffic to wireless clients.

The AP assigns clients to a VLAN based on a Network Name (SSID). The AP can support up to 16 VLAN/SSID pairs per radio (based on model type).

16 VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one VLAN/SSID pair.

The AP matches packets transmitted or received to a network name with the associated VLAN. Traffic received by a VLAN is only sent on the wireless interface associated with that same VLAN. This eliminates unnecessary traffic on the wireless LAN, conserving bandwidth and maximizing throughput.

Traffic Management

In addition to enhancing wireless traffic management, the VLAN-capable AP supports easy assignment of wireless users to workgroups. In a typical scenario, each user VLAN represents a workgroup; for example, one VLAN could be used for an EMPLOYEE workgroup and the other, for a GUEST workgroup.

In this scenario, the AP would assign every packet it accepted to a VLAN. Each packet would then be identified as EMPLOYEE or GUEST, depending on which wireless NIC received it. The AP would insert VLAN headers or “tags” with identifiers into the packets transmitted on the wired backbone to a network switch.

Finally, the switch would be configured to route packets from the EMPLOYEE workgroup to the appropriate corporate resources such as printers and servers. Packets from the GUEST workgroup could be restricted to a gateway that allowed access to only the Internet. A member of the GUEST workgroup could send and receive e-mail and access the Internet, but would be prevented from accessing servers or hosts on the local corporate network.

Typical User VLAN Configurations

VLANs segment network traffic into workgroups, which enable you to limit broadcast and multicast traffic. Workgroups enable clients from different VLANs to access different resources using the same network infrastructure. Clients using the same physical network are limited to those resources available to their workgroup.

The AP can segment users into a maximum of 16 different workgroups (32 if using two cards in a Dual-radio AP) based on an SSID/VLAN pair (also referred as a VLAN Workgroup or a Sub-network).

16 VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one VLAN/SSID pair.

The four primary scenarios for using VLAN workgroups are as follows:

1.       VLAN disabled: Your network does not use VLANs, but you can configure the AP to use multiple SSIDs.
2.       VLAN enabled, all VLAN Workgroups use the same VLAN ID Tag
3.       VLAN enabled, each VLAN workgroup uses a different VLAN ID Tag
4.       VLAN enabled, a mixture of Tagged and Untagged workgroups

Configure Multiple VLAN/SSID Pairs

You must reboot the AP before any changes to these parameters take effect.

1.       Click Configure > VLAN.
2.       Place a check mark in the Enable VLAN Protocol box to enable VLAN support.
3.       Click the tab for Wireless A or Wireless B (if applicable).
4.       Add one or more new SSID/VLAN entries. Follow these steps:

16 VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one VLAN/SSID pair.

1.       Click Add to create a new SSID/VLAN entry.
2.       Enter a Network Name (SSID), between 2 and 31 characters, in the field provided.
3.       Enter a VLAN ID in the field provided.
§         As defined by the 802.1Q standard, a VLAN ID is a number between 1 and 4094. A value of -1 means that an entry is "untagged".
§         You can use the same VLAN ID for all SSIDs if you want all wireless clients to be part of the same VLAN.
§         You can specify a different VLAN ID for each SSID.
§         The VLAN ID must match an ID used by your network; contact your network administrator if you need assistance defining the VLAN IDs.
§         You can set the VLAN ID to "-1" or "untagged" if you do not want clients that are using a specific SSID to be members of a VLAN workgroup.
4.       Click OK.
5.       Click the back arrow button to return to the previous screen.
5.       Click Edit if you want to modify an existing entry. You can also disable or delete an entry from the Edit screen.
6.       Click the tab for the second wireless interface (if applicable) and create/modify SSID/VLAN entries as necessary.
7.       Reboot the AP.

Typical VLAN Management Configurations

Control Access to the AP

Management access to the AP can easily be secured by making management stations or hosts and the AP itself members of a common VLAN. Simply configure a non-zero management VLAN ID and enable VLAN to restrict management of the AP to members of the same VLAN.

If a non-zero management VLAN ID is configured then management access to the AP is restricted to wired or wireless hosts that are members of the same VLAN. Ensure your management platform or host is a member of the same VLAN before attempting to manage the AP.

1.       Click Configure > VLAN.
2.       Set the VLAN Management ID to a value between 0 and 4094 (a value of 0 disables VLAN management).
3.       Place a check mark in the Enable VLAN Protocol box.

Provide Access to a Wireless Host in the Same Workgroup

The VLAN feature can allow wireless clients to manage the AP. If the VLAN Management ID matches a VLAN User ID, then those wireless clients who are members of that VLAN will have AP management access.

Once a VLAN Management ID is configured and is equivalent to one of the VLAN User IDs on the AP, all members of that User VLAN will have management access to the AP. Be careful to restrict VLAN membership to those with legitimate access to the AP.

1.       Click Configure > VLAN.
2.       Set the VLAN Management ID to use the same VLAN ID as one of the configured SSID/VLAN pairs. See Typical User VLAN Configurations for details.
3.       Place a check mark in the Enable VLAN Protocol box.

Disable VLAN Management

1.       Click Configure > VLAN.
2.       Remove the check mark from the Enable VLAN Protocol box (to disable all VLAN functionality) or set the VLAN Management ID to 0 (to disable VLAN Management only).