AP-3 Help Contents |
|
[ Home ] [Avaya Web Site] |
Advanced Configuration
Configuring the AP Using the HTTP/HTTPS Interface
Follow these steps to configure an Access Point’s operating settings using the HTTP/HTTPS interface: 1. Open a Web browser on a
network computer.
§
Microsoft Internet Explorer 6 with Service Pack 1 or later 2. If necessary, disable
the Internet proxy settings. For Internet Explorer users, follow these steps: o
Select Tools > Internet Options....
o
If necessary, remove the check mark from the Use
a proxy server box. o
Click OK twice to save your changes
and return to Internet Explorer. 3. Enter the
Access Point’s IP address in the browser’s Address
field and press Enter. o
Result: The Enter Network Password
screen appears. 4. Enter the HTTP password
in the Password field and click OK. Leave
the User Name field blank. (By default, the HTTP password is
“public”). o
Result: The System Status screen
appears. 1. Click the Configure button located on the left-hand side of
the screen. 1. Click the tab that
corresponds to the parameter you want to configure. For example, click Network to configure the Access Point’s TCP/IP
settings. The parameters contained in each of the configuration categories
are described later in this chapter. 2. Configure the
Access Point’s parameters as necessary. After changing a configuration
value, click OK to save the change. 3. Reboot
the Access Point for all of the changes to take effect. System
You can configure and view the following parameters within the System Configuration screen:
Network
The Network category contains three sub-categories. IP Configuration
You can configure and view the following parameters within the IP Configuration screen:
Basic IP
Parameters
DNS
Client
If you prefer to use host names to identify network servers rather than IP addresses, you can configure the AP to act as a Domain Name Service (DNS) client. When this feature is enabled, the Access Point contacts the network’s DNS server to translate a host name to the appropriate network IP address. You can use this DNS Client functionality to identify RADIUS servers by host name. See RADIUS for details.
Advanced
DHCP Server
If your network does not have a DHCP Server, you can configure the AP as a DHCP server to assign dynamic IP addresses to Ethernet nodes and wireless clients.
When the DHCP Server functionality is enabled, you can create one or more IP address pools from which to assign addresses to network devices. DHCP Server Configuration Screen You can configure and view the following parameters within the DHCP Server Configuration screen:
Link Integrity
The Link Integrity feature checks the link between the AP and the nodes on the Ethernet backbone. These nodes are listed by IP address in the Link Integrity IP Address Table. The AP periodically pings the nodes listed within the table. If the AP loses network connectivity (that is, the ping attempts fail), the AP disables its wireless interface until the connection is restored. This forces the unit’s wireless clients to switch to another Access Point that still has a network connection. Note that this feature does not affect WDS links (if applicable). You can configure and view the following parameters within the Link Integrity Configuration screen:
Link Integrity Configuration Screen Interfaces
From the Interfaces tab, you configure the Access Point’s operational mode, power control settings, wireless interface settings and Ethernet settings. You may also configure a Wireless Distribution System for AP-to-AP communications. For the wireless interface configuration, refer to the wireless parameters below that correspond to your radio type. Operational Mode
You can configure and view the following parameters within the Operational Mode screen. TX Power
Control
The TX Power Control feature lets the user configure the transmit power level of the card in the AP at one of four levels: Configuring TX Power Control
1. Click Configure > Interfaces > Operational Mode (Operational Mode Screen - TX Power Control). 2. Select Enable Transmit Power Control. 3. Select the transmit
power level for interface A from the Wireless-A: Transmit Power Level
drop-down menu.Select the transmit power level for interface B from the
Wireless-B: Transmit Power Level drop-down menu. Operational Mode Screen - TX Power Control Wireless (802.11a)
You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a AP:
Dynamic Frequency Selection
(DFS)
802.11a APs sold in Europe use a technique called Dynamic Frequency Selection (DFS) to automatically select an operating channel. During boot-up, the AP scans the available frequency and selects a channel that is free of interference. If the AP subsequently detects interference on its channel, it automatically reboots and selects another channel that is free of interference. DFS only applies to 802.11a APs used in Europe (i.e., units whose regulatory domain is set to ETSI). The European Telecommunications Standard Institute (ETSI) requires that 802.11a devices use DFS to prevent interference with radar systems and other devices that already occupy the 5 GHz band. If you are using an 802.11a AP in Europe, keep in mind the following: RTS/CTS Medium Reservation
The 802.11 standard supports optional RTS/CTS communication based on packet size. Without RTS/CTS, a sending radio listens to see if another radio is already using the medium before transmitting a data packet. If the medium is free, the sending radio transmits its packet. However, there is no guarantee that another radio is not transmitting a packet at the same time, causing a collision. This typically occurs when there are hidden nodes (clients that can communicate with the Access Point but are out of range of each other) in very large cells. When RTS/CTS occurs, the sending radio first transmits a Request to Send (RTS) packet to confirm that the medium is clear. When the receiving radio successfully receives the RTS packet, it transmits back a Clear to Send (CTS) packet to the sending radio. When the sending radio receives the CTS packet, it sends the data packet to the receiving radio. The RTS and CTS packets contain a reservation time to notify other radios (including hidden nodes) that the medium is in use for a specified period. This helps to minimize collisions. While RTS/CTS adds overhead to the radio network, it is particularly useful for large packets that take longer to resend after a collision occurs. RTS/CTS Medium Reservation is an advanced parameter and supports a range between 0 and 2347 bytes. When set to 2347 (the default setting), the RTS/CTS mechanism is disabled. When set to 0, the RTS/CTS mechanism is used for all packets. When set to a value between 0 and 2347, the Access Point uses the RTS/CTS mechanism for packets that are the specified size or greater. You should not need to enable this parameter for most networks unless you suspect that the wireless cell contains hidden nodes. Wireless (802.11b)
You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11b AP:
Distance Between APs
Distance Between APs defines how far apart (physically) your AP devices are located, which in turn determines the size of your cell. Cells of different sizes have different capacities and, therefore, suit different applications. For instance, a typical office has many stations that require high bandwidth for complex, high-speed data processing. In contrast, a typical warehouse has a few forklifts requiring low bandwidth for simple transactions.
Cell capacities are compared in the following table, which shows that small cells suit most offices and large cells suit most warehouses: Coverage
The number of Access Points in a set area determines the network coverage for that area. A large number of Access Points covering a small area is a high-density cell. A few Access Points, or even a single unit, covering the same small area would result in a low-density cell, even though in both cases the actual area did not change — only the number of Access Points covering the area changed. In a typical office, a high density area consists of a number of Access Points installed every 20 feet and each Access Point generates a small radio cell with a diameter of about 10 feet. In contrast, a typical warehouse might have a low density area consisting of large cells (with a diameter of about 90 feet) and Access Points installed every 200 feet. Low Density vs. Ultra High Density Network The Distance Between Cells parameter supports five values: Large, Medium, Small, Minicell, and Microcell.
Multicast Rate
The multicast rate determines the rate at which broadcast and multicast packets are transmitted by the Access Point to the wireless network. Stations that are closer to the
Access Point can receive multicast packets at a faster data rate than
stations that are farther away from the AP. However, if the Access Point’s cell is large, you need to accommodate stations that may not be able to receive multicast packets at the higher rates; in this case, you should set Multicast Rate to 1 or 2 Mbits/sec. 1 Mbits/s and 11 Mbits/s Multicast Rates
The Distance Between APs must be set before the Multicast Rate, because when you select the Distance Between APs, the appropriate range of Multicast values automatically populates the drop-down menu. This feature is not available if you are using an Avaya 802.11a/b Platinum Card or a non-Avaya client with the AP. Wireless (802.11b/g)
You can configure the following radio parameters for an 802.11b/g AP:
·
Operational Mode: An
802.11b/g wireless interface can be configured to operate in the following
modes:
o
802.11b mode only: The
radio uses the 802.11b standard only.
o
802.11g mode only: The
radio is optimized to communicate with 802.11g devices. This setting will
provide the best results if this radio interface will only communicate with
802.11g devices.
o
802.11b/g mode: This
is the default mode. Use this mode if you want to support a mix of 802.11b
and 802.11g devices.
o
802.11g-wifi:
This mode was developed for Wi-Fi compliance testing purposes. It is similar
to 802.11g only mode.
In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices. ·
Physical Interface Type:
Depending on the Operational Mode, this field reports:
o
For 802.11b mode only: "802.11b
(CCK/DSSS 2.4 GHz)"
o
For 802.11g and 802.11g-wifi modes:
"802.11g (OFDM/DSSS 2.4 GHz)"
o
For 802.11b/g mode: "802.11b/g
(ERP-CCK/DSSS/OFDM 2.4 GHz)"
OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices. DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices. ·
MAC Address: This
is a read-only field that displays the unique MAC (Media Access Control)
address for the Access Point’s wireless interface. The MAC address is
assigned at the factory.
·
Regulatory Domain: Reports
the regulatory domain for which the AP is certified. Not all features or
channels are available in all countries. The available regulatory domains
include:
§
FCC - U.S./Canada, Mexico, and Australia
§
ETSI - Europe, including the United Kingdom, China, and South Korea
§
MKK - Japan
§
IL - Israel
·
Network Name (SSID): Enter
a Network Name (between 2 and 31 characters long) for the wireless network.
You must configure each wireless client to use this name as well.
·
Auto Channel Select: The
AP scans the area for other Access Points and selects a free or relatively
unused communication channel. This helps prevent interference problems and
increases network performance. By default this feature is enabled; see 802.11g Channel Frequencies
for a list of Channels.
·
Frequency Channel: When
Auto Channel Select is enabled, this field is read-only and displays the
Access Point’s current operating channel. When Auto Channel Select is
disabled, you can specify the Access Point’s operating channel. If you decide
to manually set the unit’s channel, ensure that nearby devices do not use the
same frequency (unless you are setting up a WDS). Available Channels vary
based on regulatory domain. See 802.11g Channel Frequencies.
·
Transmit Rate:
Select a specific transmit rate for the AP. The values available depend on
the Operational Mode. Auto Fallback is the default setting; it allows the AP
to select the best transmit rate based on the cell size.
§
For 802.11b only -- Auto Fallback, 1, 2, 5.5,
11 Mbits/sec
§
For 802.11g only -- Auto Fallback, 6, 9, 12,
18, 24, 36, 48, 54 Mbits/sec
§
For 802.11b/g and 802.11g-wifi -- Auto
Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbits/sec
·
DTIM Period: The
Deferred Traffic Indicator Map (DTIM) is used with clients that have power
management enabled. DTIM should be left at 1, the default value, if any
clients have power management enabled. This parameter supports a range
between 1 and 255.
·
RTS/CTS Medium Reservation:
This parameter affects message flow control and should not be changed under
normal circumstances. Range is 0 to 2347. When set to a value between 0 and
2347, the Access Point uses the RTS/CTS mechanism for packets that are the
specified size or greater. When set to 2347 (the default setting), RTS/CTS is
disabled. See RTS/CTS Medium Reservation for more information.
·
Closed System:
Check this box to allow only clients configured with the Access Point’s
specific Network Name to associate with the Access Point. When enabled, a
client configured with the Network Name "ANY” cannot connect to the AP.
This option is disabled by default.
Wireless (802.11a/g)
You can configure and view the following parameters within the Wireless Interface Configuration screen for an 802.11a/g AP:
·
Operational Mode: An
802.11b/g wireless interface can be configured to operate in the following
modes:
o
802.11b mode only: The
radio uses the 802.11b standard only.
o
802.11g mode only: The
radio is optimized to communicate with 802.11g devices. This setting will
provide the best results if this radio interface will only communicate with
802.11g devices.
o
802.11a mode only: The
radio uses the 802.11a standard only.
o
802.11b/g mode: This
is the default mode. Use this mode if you want to support a mix of 802.11b
and 802.11g devices.
o
802.11g-wifi:
This mode was developed for Wi-Fi compliance testing purposes. It is similar
to 802.11g only mode.
In general, you should use either 802.11g only mode (if you want to support 802.11g devices only) or 802.11b/g mode to support a mix of 802.11b and 802.11g devices. ·
Physical Interface Type: Depending
on the Operational Mode, this field reports:
o
For 802.11b mode only:
"802.11b (CCK/DSSS 2.4 GHz)"
o
For 802.11g and 802.11g-wifi modes:
"802.11g (OFDM/DSSS 2.4 GHz)"
o
For 802.11b/g mode: "802.11b/g
(ERP-CCK/DSSS/OFDM 2.4 GHz)"
o
For 802.11a mode only, this field reports:
“802.11a (OFDM 5 GHz).”
OFDM stands for Orthogonal Frequency Division Multiplexing; this is the name for the radio technology used by 802.11a devices. DSSS stands for Direct Sequence Spread Spectrum; this is the name for the radio technology used by 802.11b devices. ·
MAC Address: This
is a read-only field that displays the unique MAC (Media Access Control)
address for the Access Point’s wireless interface. The MAC address is
assigned at the factory.
·
Regulatory Domain: Reports
the regulatory domain for which the AP is certified. Not all features or
channels are available in all countries. The available regulatory domains
include:
§
FCC - U.S./Canada, Mexico, and Australia
§
ETSI - Europe and the United Kingdom
§
MKK: Japan
§
SG: Singapore
§
ASIA: China, Hong Kong, and South Korea
§
TW: Taiwan
·
Network Name (SSID): Enter
a Network Name (between 2 and 31 characters long) for the wireless network.
You must configure each wireless client to use this name as well.
·
Auto Channel Select: The AP
scans the area for other Access Points and selects a free or relatively
unused communication channel. This helps prevent interference problems and
increases network performance. By default this feature is enabled. See 802.11a Channel Frequencies
and 802.11g Channel
Frequencies for a list of Channels.
·
Frequency Channel: When
Auto Channel Select is enabled, this field is read-only and displays the
Access Point’s current operating Channel. When Auto Channel Select is
disabled, you can specify the Access Point’s channel. If you decide to
manually set the unit’s Channel, ensure that nearby devices do not use the
same frequency. Available Channels vary based on regulatory domain. See 802.11a Channel Frequencies
and 802.11g Channel
Frequencies. Note that you cannot manually set the channel for
802.11a products in Europe (see Dynamic Frequency Selection (DFS) for details).
·
Transmit Rate:
Select a specific transmit rate for the AP. The values available depend on
the Operational Mode. Auto Fallback is the default setting; it allows the AP
to select the best transmit rate based on the cell size. Use the drop-down
menu to select a specific transmit rate for the AP.
§
For 802.11b only -- Auto Fallback, 1, 2, 5.5,
11 Mbits/sec
§
For 802.11g only -- Auto Fallback, 6, 9, 12,
18, 24, 36, 48, 54 Mbits/sec
§
For 802.11b/g and 802.11g-wifi -- Auto
Fallback, 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbits/sec
§
For 802.11a only -- Auto Fallback, 6, 9, 12,
18, 24, 36, 48, 54 Mbits/s, and . Auto Fallback is the
default setting; it allows the AP unit to select the best transmit rate based
on the cell size.
·
DTIM Period: The Deferred Traffic
Indicator Map (DTIM) is used with clients that have power management enabled.
DTIM should be left at 1, the default value, if any clients have power
management enabled. This parameter supports a range between 1 and 255.
·
RTS/CTS Medium Reservation:
This parameter affects message flow control and should not be changed under
normal circumstances. Range is 0 to 2347. When set to a value between 0 and
2347, the Access Point uses the RTS/CTS mechanism for packets that are
the specified size or greater. When set to 2347 (the default setting),
RTS/CTS is disabled. See RTS/CTS
Medium Reservation for more information.
·
Closed System: Check
this box to allow only clients configured with the Access Point’s
specific Network Name to associate with the Access Point. When enabled,
a client configured with the Network Name “ANY” cannot connect to the AP.
This option is disabled by default.
Wireless Distribution System (WDS)
A Wireless Distribution System (WDS) creates a link between two 802.11a, 802.11b, or 802.11b/g APs over their radio interfaces. This link relays traffic from one AP that does not have Ethernet connectivity to a second AP that has Ethernet connectivity. WDS allows you to configure up to six (6) point-to-point links between Access Points. In the WDS Example below, AP 1 and AP 2 communicate over a WDS link (represented by the blue line). This link provides Client 1 with access to network resources even though AP 1 is not directly connected to the Ethernet network. Packets destined for or sent by the client are relayed between the Access Points over the WDS link. Bridging
WDS
Each WDS link is mapped to a logical WDS port on the AP. WDS ports behave like Ethernet ports rather than like standard wireless interfaces: on a BSS port, an Access Point learns by association and from frames; on a WDS or Ethernet port, an Access Point learns from frames only. When setting up a WDS, keep in mind the following: ·
The WDS link shares the communication
bandwidth with the clients. Therefore, while the maximum data rate for the
Access Point’s cell is still 11 Mb, client throughput will decrease when the WDS link is active.
·
If there is no partner MAC address configured
in the WDS table, the WDS port remains disabled.
·
Each WDS port on a single AP should have a
unique partner MAC address. Do not enter the same MAC address twice in an
AP’s WDS port list.
·
Each Access Point that is a member of
the WDS must have the same Channel setting to communicate with each other.
·
Each Access Point that is a member of the WDS
must have the same network domain.
·
Each Access Point that is a member of
the WDS must have the same WEP Encryption settings. WDS
does not use 802.1x. Therefore, if you want to encrypt the WDS link, you must
configure each Access Point to use WEP encryption (either WEP encryption
only or Mixed Mode), and each Access Point must have the same Encryption
Key(s). See Security.
·
If your network does not support spanning
tree, be careful to avoid creating network loops between APs. For example,
creating a WDS link between two Access Points connected to the same Ethernet network will create a network loop (if spanning
tree is disabled). For more information, refer to the Spanning Tree
section.
WDS
Setup Procedure
To setup a wireless backbone follow the steps below for each AP that you wish to include in the Wireless Distribution System. 1.
Confirm that Auto Channel Select is disabled.
2.
Write down the MAC Address of the radio that
you wish to include in the Wireless Distribution System.
3.
Open the Wireless
Interface Configuration screen.
4.
Scroll down to the Wireless Distribution
System heading.
5.
Click the Edit button
to update the Wireless Distribution System (WDS) Table.
6.
Enter the MAC Address that you wrote down in
Step 2 in one of the Partner MAC Address field
of the Wireless Distribution Setup window.
7.
Set the Status of
the device to Enable.
8.
Click OK.
9.
Reboot the AP.
Ethernet
Select the desired speed and transmission mode from the drop-down menu. Half-duplex means that only one side can transmit at a time and full-duplex allows both sides to transmit. When set to auto-duplex, the AP negotiates with its switch or hub to automatically select the highest throughput option supported by both sides. For best results, Avaya recommends that you configure the Ethernet setting to match the speed and transmission mode of the device the Access Point is connected to (such as a hub or switch). If in doubt, leave this setting at its default, auto-speed-auto-duplex. Choose between: ·
10 Mbit/s - half duplex, full duplex, or auto
duplex
·
100 Mbit/s - half duplex or full duplex
·
auto speed - half duplex or auto duplex
|
|
For
security purposes Avaya recommends changing ALL PASSWORDS from the default
“public” immediately, to restrict access to your network devices to
authorized personnel. If you lose or forget your password settings, you can
always perform the Reset
to Factory Default Procedure. |
The Management IP Access table limits in-band management access to the IP addresses or range of IP addresses specified in the table. This feature applies to all management options (SNMP, HTTP, and CLI) except for CLI management over the serial port. To configure this table, click Add and set the following parameters:
To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status pull-down menu.
You can configure the following management services:
|
You
must reboot the Access Point if you change the HTTP Port or Telnet
Port. |
Secure Management allows the use of encrypted and authenticated communication protocols such as SNMPv3, and Secure Socket Link (SSL), to manage the Access Point.
Management Services Configuration Screen
The user can access the AP in a secure fashion using Secure Socket Layer (SSL) over port 443. The AP supports SSLv3 with a 128-bit encryption certificate maintained by the AP for secure communications between the AP and the HTTP client. All communications are encrypted using the server and the client-side certificate.
|
SSL
requires Internet Explorer version 6, 128 bit encryption, Service Pack 1,
and patch Q323308. |
The AP comes pre-installed with all required SSL files: default certificate and private key installed.
After enabling SSL, the only configurable parameter is the SSL passphrase. The default SSL passphrase is
If you decide to upload a new certificate and private key (using TFTP or HTTP File Transfer), you need to change the SSL Certificate Passphrase for the new SSL files.
|
You
need to reboot the AP after enabling or disabling SSL for the changes to
take effect. |
The user should use a SSL intelligent browser to access the AP through the HTTPS interface. After configuring SSL, access the AP using https:// followed by the AP’s management IP address.
The serial port interface on the AP is enabled at all times. See Setting IP Address using Serial Port for information on how to access the CLI interface via the serial port. You can configure and view following parameters:
|
To
avoid potential problems when communicating with the AP through the serial
port, Avaya recommends that you leave the Flow Control setting at None
(the default value). |
|
The
serial port bit configuration is commonly referred to as 8N1. |
The Automatic Configuration feature which allows an AP to be automatically configured by downloading a specific configuration file from a TFTP server during the boot up process.
Automatic Configuration is disabled by default. The configuration process for Automatic Configuration varies depending on whether the AP is configured for dynamic or static IP.
When an AP is configured for dynamic IP, the Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. When configured for static IP, these parameters are instead configured in the AP interface.
After setting up automatic configuration you must reboot the AP. When the AP reboots it receives the new configuration information and must reboot one additional time. If Syslog is configured, a Syslog message will appear indicating the success or failure of the Automatic Configuration.
Perform the following procedure to enable and set up Automatic Configuration when you have a static IP address for the TFTP server.
|
The
default filename is “config”. The default TFTP IP address is “10.0.0.2” for
AP-3. |
Automatic Configuration Screen
Perform the following procedure to enable and set up Automatic Configuration when you have a dynamic IP address for the TFTP server via DHCP.
The Configuration filename and the TFTP server IP address are contained in the DHCP response when the AP gets its IP address dynamically from the DHCP server. A Syslog server address is also contained in the DHCP response, allowing the AP to send Auto Configuration success and failure messages to a Syslog server.
|
The
configuration filename and TFTP server IP address are configured only when
the AP is configured for Static IP. If the AP is configured for Dynamic IP
these parameters are not used and obtained from DHCP. |
When the AP is Configured with Dynamic IP, the DHCP server should be configured with the TFTP Server IP address ("Boot Server Host Name", option 66) and Configuration file ("Bootfile name", option 67) as follows:
DHCP Options: Setting the Boot Server Host Name
DHCP Options: Setting the Boot Server Host Name
The Access Point’s Packet Filtering features help control the amount of traffic exchanged between the wired and wireless networks. There are four sub-categories under the Filtering heading.
The Ethernet Protocol Filter blocks or forwards packets based on the Ethernet protocols they support.
Follow these steps to configure the Ethernet Protocol Filter:
The Static MAC Address filter optimizes the performance of a wireless (and wired) network. When this feature is properly configured, the AP can block traffic between wired devices and wireless devices based on MAC address.
For example, you can set up a Static MAC filter to prevent wireless clients from communicating with a specific server on the Ethernet network. You can also use this filter to block unnecessary multicast packets from being forwarded to the wireless network.
|
The
Static MAC Filter is an advanced feature. You may find it easier to control
wireless traffic via other filtering options, such as Ethernet Protocol
Filtering. |
Each static MAC entry contains the following fields:
Each MAC Address or Mask is comprised of 12 hexadecimal digits (0-9, A-F) that correspond to a 48-bit identifier. (Each hexadecimal digit represents 4 bits (0 or 1).)
Taken together, a MAC Address/Mask pair specifies an address or a range of MAC addresses that the AP will look for when examining packets. The AP uses Boolean logic to perform an “AND” operation between the MAC Address and the Mask at the bit level. However, for most users, you do not need to think in terms of bits. It should be sufficient to create a filter using only the hexadecimal digits 0 and F in the Mask (where 0 is any value and F is the value specified in the MAC address). A Mask of 00:00:00:00:00:00 corresponds to all MAC addresses, and a Mask of FF:FF:FF:FF:FF:FF applies only to the specified MAC Address.
For example, if the MAC Address is 00:20:A6:12:54:C3 and the Mask is FF:FF:FF:00:00:00, the AP will examine the source and destination addresses of each packet looking for any MAC address starting with 00:20:A6. If the Mask is FF:FF:FF:FF:FF:FF, the AP will only look for the specific MAC address (in this case, 00:20:A6:12:54:C3).
When creating a filter, you can configure the Wired parameters only, the Wireless parameters only, or both sets of parameters. Which parameters to configure depends upon the traffic that you want block:
To create an entry, click Add and enter the appropriate MAC addresses and Masks to setup a filter. The entry is enabled automatically when saved. To edit an entry, click Edit. To disable or remove an entry, click Edit and change the Status field from Enable to Disable or Delete.
Static MAC Configuration Screen
Consider a network that contains a wired server and three wireless clients. The MAC address for each unit is as follows:
Configure the following settings to prevent the Wired Server and Wireless Client 1 from communicating:
Result: Traffic between the Wired Server and Wireless Client 1 is blocked. Wireless Clients 2 and 3 can still communicate with the Wired Server.
Configure the following settings to prevent Wireless Clients 1 and 2 from communicating with the Wired Server.
Result: When a logical “AND” is performed on the Wireless MAC Address and Wireless Mask, the result corresponds to any MAC address beginning with the 00:20:2D prefix. Since Wireless Client 1 and Wireless Client 2 share the same prefix (00:02:2D), traffic between the Wired Server and Wireless Clients 1 and 2 is blocked. Wireless Client 3 can still communicate with the Wired Server since it has a different prefix (00:20:A6).
Configure the following settings to prevent all three Wireless Clients from communicating with Wired Server 1.
Result: The Access Point blocks all traffic between Wired Server 1 and all wireless clients.
Configure the following settings to prevent Wireless Client 3 from communicating with any device on the Ethernet.
Result: The Access Point blocks all traffic between Wireless Client 3 and the Ethernet network.
If there are devices on your Ethernet network that use multicast packets to communicate and these packets are not required by your wireless clients, you can set up a Static MAC filter to preserve wireless bandwidth. For example, if routers on your network use a specific multicast address (such as 01:00:5E:00:32:4B) to exchange information, you can set up a filter to prevent these multicast packets from being forwarded to the wireless network:
Result: The Access Point does not forward any packets that have a destination address of 01:00:5E:00:32:4B to the wireless network.
You can configure the following advanced filtering options:
The following protocols are listed in the Advanced Filter Table:
The AP can filter these protocols in the wireless-to-Ethernet direction, the Ethernet-to-wireless direction, or in both directions. Click Edit and use the Status field to Enable or Disable the filter.
Port-based filtering enables you to control wireless user access to network services by selectively blocking TCP/UDP protocols through the AP. A user specifies a Protocol Name, Port Number, Port Type (TCP, UDP, or TCP/UDP), and filtering interfaces (Wireless only, Ethernet only, all interfaces, or no interfaces) in order to block access to services, such as Telnet and FTP, and traffic, such as NETBIOS and HTTP.
For example, an AP with the following configuration would discard frames received on its Ethernet interface with a UDP destination port number of 137, effectively blocking NETBIOS Name Service packets.
This category has three sub-categories.
There are seven alarm groups that can be enabled or disabled via the Web interface. Place a check mark in the box provided to enable a specific group. Remove the check mark from the box to disable the alarms. Alarm Severity Levels vary.
This traps is generated when the DNS IP Address has not been
configured. |
In addition, the AP supports these standard traps, which are always enabled:
All these alarm groups correspond to System Alarms that are displayed in the System Status screen, including the traps that are sent by the AP to the SNMP managers specified in the Alarm Host Table.
There are three severity levels for system alarms:
Critical alarms will often result in severe disruption in network activity or an automatic reboot of the AP
Major alarms are usually activated due to a breach in the security of the system. Clients cannot be authenticated or an attempt at unauthorized access into the AP has been detected.
Informational alarms are there to provide the network administrator with some general information about the activities the AP is performing.
To add an entry and enable the AP to send SNMP trap messages to a Trap Host, click Add, and then specify the IP Address and Password for the Trap Host.
To edit or delete an entry, click Edit. Edit the information, or select Enable, Disable, or Delete from the Status drop-down menu.
The Syslog messaging system enables the AP to transmit event messages to a central server for monitoring and troubleshooting. The AP can send messages to one Syslog server (it cannot send messages to more than one Syslog server). The access point logs “Session Start (Log-in)” and “Session Stop (Log-out)” events for each wireless client as an alternative to RADIUS accounting.
See RFC 3164 at http://www.rfc-editor.org for more information on the Syslog standard.
Syslog Events are logged according to the level of detail specified by the administrator. Logging only urgent system messages will create a far smaller, more easily read log then a log of every event the system encounters. Determine which events to log by selecting a priority defined by the following scale:
You can configure the following Syslog settings from the HTTP interface:
The AP is a bridge between your wired and wireless networking devices. As a bridge, the functions performed by the AP include:
Once the AP is connected to your network, it learns which devices are connected to it and records their MAC addresses in the Learn Table. The table can hold up to 10,000 entries. To view the Learn Table, click on the Monitor button in the web interface and select the Learn Table tab.
The Bridge tab has four sub-categories.
A Spanning Tree is used to avoid redundant communication loops in networks with multiple bridging devices. Bridges do not have any inherent mechanism to avoid loops, because having redundant systems is a necessity in certain networks. However, redundant systems can cause Broadcast Storms, multiple frame copies, and MAC address table instability problems.
Complex network structures can create multiple loops within a network. The Spanning Tree configuration blocks certain ports on AP devices to control the path of communication within the network, avoiding loops and following a spanning tree structure.
For more information on Spanning Tree protocol, please see Section 8.0 of the IEEE 802.1d standard. The Spanning Tree configuration options are advanced settings. Avaya recommends that you leave these parameters at their default values unless you are familiar with the Spanning Tree protocol.
Storm Threshold is an advanced Bridge setup option that you can use to protect the network against data overload by:
The Storm Threshold parameters allow you to specify a set of thresholds for each port of the AP, identifying separate values for the number of broadcast messages/second and Multicast messages/second.
When the number of frames for a port or identified station exceeds the maximum value per second, the AP will ignore all subsequent messages issued by the particular network device, or ignore all messages of that type.
The wireless clients (or subscribers) that associate with a certain AP form the Basic Service Set (BSS) of a network infrastructure. By default, wireless subscribers in the same BSS can communicate with each other. However, some administrators (such as wireless public spaces) may wish to block traffic between wireless subscribers that are associated with the same AP to prevent unauthorized communication and to conserve bandwidth. This feature enables you to prevent wireless subscribers within a BSS from exchanging traffic.
Although this feature is generally enabled in public access environments, Enterprise LAN administrators use it to conserve wireless bandwidth by limiting communication between wireless clients. For example, this feature prevents peer-to-peer file sharing or gaming over the wireless network.
To block Intra BSS traffic, set Intra BSS Traffic Operation to Block.
To allow Intra BSS traffic, set Intra BSS Traffic Operation to Passthru.
The Packet Forwarding feature enables you to redirect traffic generated by wireless clients that are all associated to the same AP to a single MAC address. This filters wireless traffic without burdening the AP and provides additional security by limiting potential destinations or by routing the traffic directly to a firewall. You can redirect to a specific port (Ethernet or WDS) or allow the bridge’s learning process (and the forwarding table entry for the selected MAC address) to determine the optimal port.
|
The
gateway to which traffic will be redirected should be node on the Ethernet
network. It should not be a wireless client. |
Configure your AP to forward packets by specifying interface port(s) to which packets are redirected and a destination MAC address.
The AP provides several security features to protect your network from unauthorized access.
The AP supports the following Security features:
The IEEE 802.11 standards specify an optional encryption feature, known as Wired Equivalent Privacy or WEP, that is designed to provide a wireless LAN with a security level equal to what is found on a wired Ethernet network. WEP encrypts the data portion of each packet exchanged on an 802.11 network using an Encryption Key (also known as a WEP Key).
When Encryption is enabled, two 802.11 devices must have the same Encryption Keys and both devices must be configured to use Encryption in order to communicate. If one device is configured to use Encryption but a second device is not, then the two devices will not communicate, even if both devices have the same Encryption Keys.
|
64-bit
encryption is sometimes referred to as 40-bit encryption; 128-bit
encryption is sometimes referred to as 104-bit encryption. |
IEEE 802.1x is a standard that provides a means to authenticate and authorize network devices attached to a LAN port. A port in the context of IEEE 802.1x is a point of attachment to the LAN, either a physical Ethernet connection or a wireless link to an Access Point. 802.1x requires a RADIUS server and uses the Extensible Authentication Protocol (EAP) as a standards-based authentication framework, and supports automatic key distribution for enhanced security. The EAP-based authentication framework can easily be upgraded to keep pace with future EAP types.
Different servers support different EAP types and each EAP type provides different features. Refer to the documentation that came with your RADIUS server to determine which EAP types it supports.
|
The
AP supports the following EAP types when Authentication Mode is set to 802.1x
or WPA: EAP-TLS, PEAP, and EAP-TTLS. When Authentication Mode is
set to Mixed, the AP supports the following EAP types: EAP-TLS, PEAP,
EAP-TLLS, and EAP-MD5 (MD5 does not support automatic key distribution;
therefore, if you choose this method you need to manually configure each
client with the network's encryption key). |
There are three main components in the authentication process. The standard refers to them as:
When using Authentication Mode is set to 802.1x, WPA, or Mixed mode (802.1x and WEP), you need to configure your RADIUS server for authentication purposes.
Prior to successful authentication, an unauthenticated client PC cannot send any data traffic through the AP device to other systems on the LAN. The AP inhibits all data traffic from a particular client PC until the client PC is authenticated. Regardless of its authentication status, a client PC can always exchange 802.1x messages in the clear with the AP (the client begins encrypting data after it has been authenticated).
RADIUS Authentication Illustrated
The AP acts as a pass-through device to facilitate communications between the client PC and the RADIUS server. The AP (2) and the client (1) exchange 802.1x messages using an EAPOL (EAP Over LAN) protocol (A). Messages sent from the client station are encapsulated by the AP and transmitted to the RADIUS (3) server using EAP extensions (B).
Upon receiving a reply EAP packet from the RADIUS, the message is typically forwarded to the client, after translating it back to the EAPOL format. Negotiations take place between the client and the RADIUS server. After the client has been successfully authenticated, the client receives an Encryption Key from the AP (if the EAP type supports automatic key distribution). The client uses this key to encrypt data after it has been authenticated.
For 802.11a and 802.11b/g clients that communicate with an AP, each client receives its own unique encryption key; this is known as Per User Per Session Encryption Keys.
Wi-Fi Protected Access (WPA) is a security standard designed by the Wi-Fi Alliance in conjunction with the Institute of Electrical and Electronics Engineers (IEEE). WPA is a sub-set of the forthcoming IEEE 802.11i security standard, currently in draft form. (IEEE 802.11i is also referred to as "WPA2" and will be available in 2004.)
|
For
Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit.
WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade
Kit. |
WPA is a replacement for Wired Equivalent Privacy (WEP), the encryption technique specified by the original 802.11 standard. WEP has several vulnerabilities that have been widely publicized. WPA addresses these weaknesses and provides a stronger security system to protect wireless networks.
WPA provides the following new security measures not available with WEP:
|
For more information on WPA, see the Wi-Fi
Alliance Web site at http://www.wi-fi.org. |
The AP supports two WPA authentication modes:
You can configure each wireless interface to operate in one of the following Security modes:
You configure the AP to use a particular Security mode by setting the Authentication Mode parameter. The following table summarizes the Authentication Mode options available in the HTTP Interface's Configure > Security > Authentication screen and describes how each of these options correspond to the six Security Modes listed above:
None or manually configured Static WEP settings (from Configure > Security > Encryption
screen) |
||
Dynamic WEP Keying or Static WEP (depends on client's
configuration) |
||
|
Before
enabling the 802.1x, Mixed, or WPA mode, the 802.1x server should be
configured. Set the encryption key in Mixed mode after the authentication
is set to Mixed mode. |
Follow these steps to set up WEP encryption on an AP:
Follow these steps to enable 802.1x only:
Follow these steps to use both 802.1x and WEP Encryption simultaneously (clients that do not support 802.1x use WEP Encryption for security purposes):
Wireless distribution systems (WDS) are configured using specific ports on an 802.11a, 802.11b, or 802.11b/g AP. To use 802.1x with WDS, you need to set the 802.1x Security Mode to Mixed (WEP and 802.1x) and confirm that the APs communicating in the WDS share the same encryption key (Key 1). See Wireless Distribution System (WDS) for more information.
|
For
Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit.
WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade
Kit. |
|
For
Dual-radio APs: WPA is available for APs with an 11a Upgrade Kit or 802.11b/g Kit.
WPA is NOT available for APs with an 802.11b PC Card or a 5 GHz Upgrade
Kit. |
The MAC Access tab allows you to build a list of stations, identified by their MAC addresses, authorized to access the network through the AP. The list is stored inside each AP within your network. Note that you must reboot the AP for any changes to the MAC Access Control Table to take effect.
|
For
larger networks that include multiple Access Points, you may prefer to
maintain this list on a centralized location using the MAC Access Control Via
RADIUS Authentication. |
MAC Access Configuration Screen
The Rogue AP Detection (RAD) feature provides an additional security level for wireless LAN deployments. Rogue AP detection provides a mechanism for detecting Rogue Access Points by utilizing the coverage of the trusted Access Point deployment.
The Rogue AP Scan employs background scanning using low-level 802.11 scanning functions for effective wireless detection of Access Points in its coverage area with minimal impact on the normal operation of the Access Point.
This RAD feature can be enabled on an Access Point via its HTTP, CLI, or SNMP Interfaces. The scan repetition duration is configurable. If the Access Point uses directional antennas to provide directional coverage, then the interface bitmask can be configured to maximize the scanning coverage area. The Access Point will periodically scan the wireless network and report all the available Access Points within its coverage area using SNMP traps. For additional reliability the results are stored in the Access Point in a table, which can be queried via SNMP. The BSSID and Channel number of the detected Access Points are provided in the scan results.
The RAD scan is done on a channel list initialized based on the regulatory domain of the device. The RAD Scan then performs background scanning on all the channels in this channel list using 802.11 MAC scanning functions. It will either actively scan the network by sending probe requests or passively scan by only listening for beacons. The access point information is then gathered from the probe responses and beacons.
To minimize traffic disruption and maximize the scanning efficiency, the RAD feature employs an enhanced background-scanning algorithm and uses the CTS to Self mechanism to keep the clients silent. The scanning algorithm allows traffic to be serviced between each channel scan. Before start of every scan (except scan on the working channel) the CTS to self-mechanism is used to set the NAV values of clients to keep them silent during the scanning period. In addition, the scan repetition duration can also be configured to reduce the frequency of RAD scan cycles to maximize Access Point performance.
The RAD feature can be configured/monitored via the HTTP, CLI, or SNMP management interfaces.
The following management options are provided:
The system administrator has to enable RAD on the Access Points in the wireless network and also configure the Trap Host on all these Access Points to the IP address of the management station. The Access Points on detecting a new Access Point sends a RAD Scan Result Trap to the management station.
Example Rogue AP Detection Deployment
An example network deployment is shown. The Trusted AP has Rogue Access Detection enabled and the trap host is configured to be the management station. The Trusted AP on detecting the Rogue AP will send a trap to the management station with the Channel and BSSID of the Rogue Access Point.
Perform this procedure to enable RAD and define the Scan Interval and Scan Interface.
The RAD screen also displays the time of the last scan and the number of new access points detected in the last scan.
The results of the RAD scan be be viewed in the Status page in the HTTP interface.
Rogue Access Point Detection Screen (AP-3)
The AP communicates with a network’s RADIUS server to provide the following features:
The network administrator can configure multiple RADIUS Authentication Servers for different Authentication types. The current available authentication types are EAP/802.1x authentication and MAC-based authentication.You can configure two separate sets of Primary and Secondary RADIUS Servers for each of the two supported Authentication types, 802.1x EAP Based authentication and MAC based authentication.
You can configure the AP to communicate with up to six different RADIUS servers:
|
You
must have configured the settings for at least one Authentication server
before configuring the settings for an Accounting server. |
The back-up servers are optional, but when configured, the AP will communicate with the back-up server if the primary server is off-line. After the AP has switched to the backup server, it will periodically check the status of the primary RADIUS server every five (5) minutes. Once the primary RADIUS server is again online, the AP automatically reverts from the backup RADIUS server back to the primary RADIUS server. All subsequent requests are then sent to the primary RADIUS server.
You can view monitoring statistics for each of the configured RADIUS servers.
If you want to control wireless access to the network and if your network includes a RADIUS Server, you can store the list of MAC addresses on the RADIUS server rather than configure each AP individually. From the RADIUS Authentication tab, you can define the IP Address of the server that contains a central list of MAC Address values that identify the authorized stations that may access the wireless network. You must specify information for at least the primary RADIUS server. The back-up RADIUS server is optional.
|
Contact
your RADIUS server manufacturer if you have problems configuring the server
or have problems using RADIUS authentication. |
Follow these steps to enable RADIUS MAC Access Control:
RADIUS MAC-Based Access Control Screen
You must configure a primary EAP/802.1x Authentication server to use 802.1x security. A back-up server is optional.
|
Problems
with RADIUS Server configuration or RADIUS Authentication should be
referred to the RADIUS Server developer. |
Follow these steps to enable a RADIUS Authentication server for 802.1x security:
RADIUS EAP/802.1x Authentication Screen
Using an external RADIUS server, the AP can track and record the length of client sessions on the access point by sending RADIUS accounting messages per RFC2866. When a wireless client is successfully authenticated, RADIUS accounting is initiated by sending an “Accounting Start” request to the RADIUS server. When the wireless client session ends, an “Accounting Stop” request is sent to the RADIUS server.
Accounting sessions continue when a client reauthenticates to the same AP. Sessions are terminated when:
If the client roams from one AP to another, one session is terminated and a new session is begun.
|
This
feature requires RADIUS authentication using MAC Access Control or 802.1x.
Wireless clients configured in the Access Point’s static MAC Access
Control list are not tracked. |
Follow these steps to enable RADIUS accounting on the AP:
RADIUS Accounting Server Configuration
The AP allows you to segment wireless networks into multiple sub-networks based on Network Name (SSID) and VLAN membership.
A Network Name (SSID) identifies a wireless network. Clients associate with Access Points that share its SSID. During installation, the Setup Wizard prompts you to configure one Network Name for each wireless interface. After initial setup, the AP can be configured to support up to 16 SSIDs per wireless interface to segment wireless networks based on VLAN membership.
|
16
VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade
Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one
VLAN/SSID pair. |
Virtual Local Area Networks (VLANs) are logical groupings of network hosts. Defined by software settings, other VLAN members or resources appear (to clients) to be on the same physical segment, no matter where they are attached on the logical LAN or WAN segment. They simplify traffic flow between clients and their frequently-used or restricted resources.
VLANs now extend as far as the reach of the access point signal. Clients can be segmented into wireless sub-networks via SSID and VLAN assignment. A Client can access the network by connecting to an AP configured to support its assigned SSID/VLAN.
AP devices are fully VLAN-ready; however, by default VLAN support is disabled. Before enabling VLAN support, certain network settings should be configured, and network resources such as a VLAN-aware switch, a RADIUS server, and possibly a DHCP server should be available.
Once enabled, VLANs are used to conveniently, efficiently, and easily manage your network in the following ways:
VLAN tagged data is collected and distributed through an AP's wireless interface(s) based on Network Name (SSID). An Ethernet port on the access point connects a wireless cell or network to a wired backbone. The access points communicate across a VLAN-capable switch that analyzes VLAN-tagged packet headers and directs traffic to the appropriate ports. On the wired network, a RADIUS server authenticates traffic and a DHCP server manages IP addresses for the VLAN(s). Resources like servers and printers may be present, and a hub may include multiple APs, extending the network over a larger area.
In this figure, the numbered items correspond to the following components:
Access Points that are not VLAN-capable typically transmit broadcast and multicast traffic to all wireless Network Interface Cards (NICs). This process wastes wireless bandwidth and degrades throughput performance. In comparison, VLAN-capable AP is designed to efficiently manage delivery of broadcast, multicast, and unicast traffic to wireless clients.
The AP assigns clients to a VLAN based on a Network Name (SSID). The AP can support up to 16 VLAN/SSID pairs per radio (based on model type).
|
16
VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade
Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one
VLAN/SSID pair. |
The AP matches packets transmitted or received to a network name with the associated VLAN. Traffic received by a VLAN is only sent on the wireless interface associated with that same VLAN. This eliminates unnecessary traffic on the wireless LAN, conserving bandwidth and maximizing throughput.
In addition to enhancing wireless traffic management, the VLAN-capable AP supports easy assignment of wireless users to workgroups. In a typical scenario, each user VLAN represents a workgroup; for example, one VLAN could be used for an EMPLOYEE workgroup and the other, for a GUEST workgroup.
In this scenario, the AP would assign every packet it accepted to a VLAN. Each packet would then be identified as EMPLOYEE or GUEST, depending on which wireless NIC received it. The AP would insert VLAN headers or “tags” with identifiers into the packets transmitted on the wired backbone to a network switch.
Finally, the switch would be configured to route packets from the EMPLOYEE workgroup to the appropriate corporate resources such as printers and servers. Packets from the GUEST workgroup could be restricted to a gateway that allowed access to only the Internet. A member of the GUEST workgroup could send and receive e-mail and access the Internet, but would be prevented from accessing servers or hosts on the local corporate network.
VLANs segment network traffic into workgroups, which enable you to limit broadcast and multicast traffic. Workgroups enable clients from different VLANs to access different resources using the same network infrastructure. Clients using the same physical network are limited to those resources available to their workgroup.
The AP can segment users into a maximum of 16 different workgroups (32 if using two cards in a Dual-radio AP) based on an SSID/VLAN pair (also referred as a VLAN Workgroup or a Sub-network).
|
16
VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade
Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one
VLAN/SSID pair. |
The four primary scenarios for using VLAN workgroups are as follows:
|
You
must reboot the AP before any changes to these parameters take effect. |
|
16
VLAN/SSID pairs are available for 802.11b/g APs and APs with an 11a Upgrade
Kit. 802.11b APs and APs with a 5 GHz Upgrade Kit only support one
VLAN/SSID pair. |
Management access to the AP can easily be secured by making management stations or hosts and the AP itself members of a common VLAN. Simply configure a non-zero management VLAN ID and enable VLAN to restrict management of the AP to members of the same VLAN.
|
If a
non-zero management VLAN ID is configured then management access to the AP
is restricted to wired or wireless hosts that are members of the same VLAN.
Ensure your management platform or host is a member of the same VLAN before
attempting to manage the AP. |
The VLAN feature can allow wireless clients to manage the AP. If the VLAN Management ID matches a VLAN User ID, then those wireless clients who are members of that VLAN will have AP management access.
|
Once
a VLAN Management ID is configured and is equivalent to one of the VLAN
User IDs on the AP, all members of that User VLAN will have management
access to the AP. Be careful to restrict VLAN membership to those with
legitimate access to the AP. |