Fortress Security System Secure Wireless Bridge and Security Controller Software GUI Guide www.fortresstech.
Bridge GUI Guide Fortress Bridge and Controller version 5.4 Software GUI Guide [rev.1] 009-00035-00v5.4r1 Copyright © 2010 Fortress Technologies, Inc. All rights reserved. This document contains proprietary information protected by copyright.
BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Customer may make backup or archival copies of Software and use Software on a backup processor temporarily in the event of a processor malfunction. Any full or partial copy of Software must include all copyright and other proprietary notices which appear on or in the Software. Control functions may be installed and enabled. Customer may not modify control utilities.

Term and Termination
This Agreement and License shall remain in effect until terminated through one of the following circumstances:
i. Agreement and License may be terminated by the Customer at any time by destroying all copies of the Software and any Documentation.
ii. Agreement and License may be terminated by Fortress due to Customer non-compliance with any provision of the Agreement.

Fortress]. Date of shipment is established per the shipping document (packing list) for the Product that is shipped from Fortress location. Customer shall provide Fortress with access to the Product to enable Fortress to diagnose and correct any errors or defects. If the Product is found defective by Fortress, Fortress' sole obligation under this warranty is to remedy such defect at Fortress' option through repair, upgrade or replacement of product.

the defense of all such claims, lawsuits, and other proceedings. If, as a result of any claim of infringement against any U.S. patent or copyright, Fortress is enjoined from using the Product, or if Fortress believes the Product is likely to become the subject of a claim of infringement, Fortress at its option and expense may procure the right for Customer to continue to use the Product, or replace or modify the Product so as to make it noninfringing.

This frequency range is owned and operated by the U.S. Department of Defense and its use is restricted to users with proper authorization. By accepting this agreement, user acknowledges that proper authorization to operate in this frequency has been obtained and user accepts full responsibility for any unauthorized use. User agrees to indemnify and hold harmless Fortress Technologies, Inc.
Table of Contents
1 Introduction 1
This Document 1
Related Documents 1
Network Security Overview 2
Fortress Security Systems

Administrative Accounts and Access 19
Global Administrator Settings 20
Maximum Failed Logon Attempts
Failed Logon Timeout
Lockout Behavior

Radio Settings 57
Advanced Global Radio Settings 58
Radio Frequency Kill
Radio Distance Units

Basic Network Settings Configuration 91
Hostname, Domain and DNS Client Settings 91
IP Configuration 93
IPv4 Configuration 93
IPv6 Configuration

Encrypted Interface Cleartext Traffic 121
Encrypted Interface Management Access 122
Guest Management 122
Cached Authentication Credentials 123
Fortress Beacon Interval

5 System and Network Monitoring 166
FIPS Indicators 166
Administrative Account Details 167
System Information 167
Topology View 168
Uploading a Background Image

Digital Certificates 200
Generating CSRs and Key Pairs 200
Managing Local Certificates 202
Importing and Deleting Signed Certificates
Chapter 1 Introduction
1.1 This Document
This user guide covers configuring, managing and monitoring any current-model Fortress Bridge (or Controller) through the Bridge GUI. It also presents the most detailed descriptions of supported network topologies and overall Bridge software functions and operation available among the full set of user guides that cover Fortress Bridges. WARNING: can cause physical injury or death and/or severely damage your equipment.

Each software version of the Fortress Secure Client is covered in a separate Fortress Secure Client user guide.
1.2 Network Security Overview
Network security measures take a variety of forms; key components include:
- Confidentiality or privacy implementations prevent information from being derived from intercepted traffic.
- Integrity checking guards against deliberate or accidental changes to data transmitted on the network.

The term Bridge is used consistently throughout user guidance to refer to both ES- and FC-series Fortress hardware devices. Fortress Bridges provide network security by authenticating access to the bridged network and bridging encrypted wireless transmissions to the wired Local Area Network (and/or wired communication within the LAN) and by authenticating and encrypting Wireless Distribution System (WDS) links. Fortress Bridges are variously equipped for network connectivity.

You can find the full model number for any ES-series Bridge on the Administration Settings screen under System Info. Figure 1. ES-Series Product Model Number Explication. The number of digits after the hyphen corresponds to the number of radios installed in the Bridge. The value of each digit indicates the frequency band(s) that radio supports, as shown in Table 1.2. CAUTION: Use of 4.4 GHz radios is strictly forbidden outside of U.S. Department of Defense authority.

Information Bases (MIBs) are included on the Bridge CD and can be downloaded from the Fortress Technologies web site: www.fortresstech.com/. Configuring SNMP through the Bridge GUI is covered in this guide; configuring it through the Bridge CLI is covered in Secure Wireless Bridge and Security Controller CLI Software Guide. Chassis Indicators and Controls: Fortress Bridges are variously equipped with LED indicators and chassis controls.
devices it connects, routing network traffic on the fastest, most efficient path to its destination. FastPath Mesh supports standard network DHCP (Dynamic Host Configuration Protocol) and DNS (Domain Name System) servers and static or dynamic IPv4 and IPv6 addressing. In addition, FastPath Mesh itself automatically generates a Unique Local IPv6 Unicast Address (defined in IETF RFC 4193) for each MP and provides internal name resolution. 1.4.1.

Create a bridging BSS on (one of) the radio(s) with:
- an SSID in common with the bridging BSSs on the rest of the MPs
- a Wireless Bridge setting of Enabled on Configure -> Radio Settings -> ADD BSS
If the current MP will connect NMPs to the network, create an Access BSS on (one of) the radio(s) with:
- an SSID for NMP devices to connect to
- a Wireless Bridge setting of Disabled on Configure -> Radio Settings -> ADD BSS
A BSS's bridging setting also determines its FP
If a DHCP server internal to one of the MPs is enabled to configure the IP addresses of network NMPs, all NMPs will have the correct default gateway address and IPv6 prefix to automatically configure themselves without further manual configuration. To create a FastPath Mesh network and attach it to a conventional hierarchical network, as shown in Figure 1.

In addition to the RFC-4193 IPv6 address FP Mesh automatically generates, the MBG is provided with a global prefix by the network IPv6 router. If a DHCP server internal to one of the MPs is enabled, each IPv6 node in the network can then be reached by the public address so provided. You can attach an FP Mesh network to a hierarchical network by more than one MBG to provide path redundancy between the mesh and the LAN or WAN.

separated from the MBG will be temporarily disconnected from the hierarchical network. Multiple MBGs can enable parts of the mesh temporarily separated from each other to remain connected to a hierarchical network, as long as there is an MBG present among the separated group of nodes.
1.4.1.4 Bridging Loops in FastPath Mesh Networks
Bridging loops can form only when FastPath Mesh Points are connected over both Core and Access interfaces.

on the Access interfaces on which the loop has been detected. Only the MP so chosen as the forwarder will advertise NMPs discovered on these Access interfaces. Because only one MBG in a given FP Mesh network will actively pass traffic to and from the hierarchical network, multiple MBGs can be present in multiple FP Mesh networks attached to the same LAN, as shown in Figure 1.5.
Figure 1.6. Traffic Duplication in Two FP Mesh Networks Attached to Separate Access Networks (figure; legend: LAN 1 and LAN 2; Mesh A with MBG A1 and MBG A2; Mesh B with MBG B1 and MBG B2; sender and target nodes; symbols for Mesh Point (MP), Mesh Border Gateway (MBG), Mesh Core Connection, Mesh-Hierarchical Connection, Access Interface and Duplicate Traffic). Avoid such configurations if traffic duplication is undesirable in your environment. 1.4.
Bridges configured to be able to connect to one another automatically form mesh networks. Figure 1.7. STP Mesh Network Deployment (figure: mast-mounted ES520 Bridges linking WLANs and a LAN, one of them serving as STP root; callouts for the rear-panel grounding stud to earth ground, the WAN port to PoE power through a PoE adapter, and a lightning arrestor, implementation dependent). At their default settings, the Bridge with the lowest MAC address will serve as the STP root.
1.4.3 Point-to-Point Bridging Deployments
The Bridge can be deployed as a conventional wireless Bridge to connect two separately located LANs (local area networks), for example, or to link remotely located hardware to the local network for system management and data upload, as shown in Figure 1.8. Figure 1.8. (figure: a wireless bridging link between two Bridges, each attached by Ethernet; one end serving remote hardware and a satellite uplink, the other a management laptop and modem, with power callouts)
1.5 Compatibility
The Fortress Bridge is fully compatible with WPA and WPA2 enterprise and pre-shared key modes and with Fortress Secure Client versions 2.5.6 and later. In addition to, or as an alternative to, the Bridge’s native authentication service, the Bridge can be used with an external RADIUS server. Supported services include:
- Microsoft® Windows Server 2003 Internet Authentication Service® (IAS)
- freeRADIUS version 2.
Chapter 2 Bridge GUI and Administrative Access
2.1 Bridge GUI
The Fortress Secure Wireless Bridge’s graphical user interface provides access to Bridge administrative and monitoring functions.
2.1.1 System Requirements
To display properly, the Bridge GUI requires a monitor resolution of at least 1024 × 768 pixels and the following (or later) browser versions:
- Microsoft® Internet Explorer 7.0
- Mozilla Firefox™ 2.0
2.1.
agreement, click to accept them. (Once accepted the agreement does not display.) or If an administrative logon banner has been configured (Section 2.2.1.9), click to accept its terms. (There is no administrator logon banner by default.) 3 On the Logon to Fortress Security System screen, enter a valid Username and Password. 4 Click LOGON.

Two administrators with Administrator-level privileges (refer to Section 2.2.2.3) cannot be logged on the Bridge at the same time. If you are trying to log on to an Administrator-level account when another such session is active, you will have the option of forcibly ending the active session and proceeding with the logon, or choosing Cancel Logon from the dropdown to preserve the first session. Click CONTINUE to execute your choice. Figure 2.2.

(refer to Section 2.2.2.3 for more information on account roles and access). On a screen common to both views, you can toggle between the two views of the screen. If you are viewing a screen exclusive to the Advanced View and you click SIMPLE VIEW, the Bridge GUI will return the main page for the function or, if no such page exists in Simple View, the Monitor -> Connections screen. 2.1.

predetermined user names: admin, maintenance, and logviewer, respectively. Administrative roles are described in greater detail in Section 2.2.2.3. Default passwords for preconfigured accounts are the same as their user names. The first time you log on to the admin account, you will be forced to enter a new password of at least 15 characters. Administrative password requirements are global and configurable: refer to Section 2.2.1.8.
configured lockout behavior. Numbers from 1 to 9 are accepted; 3 is the default.
2.2.1.2 Failed Logon Timeout
The Failed Logon Timeout setting specifies the number of seconds that must elapse after a failed logon attempt before the same administrator can successfully log on with valid credentials.
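The interplay of Max Failed Logon Tries, Failed Logon Timeout and the lockout settings (Permanent Lockout, Lockout Duration, listed in Table 2.1) is easier to reason about as a small state machine. The following is an added example written for this guide, not Fortress code: it models one account passing through the timeout window, a timed lockout and its expiry, then a permanent lockout cleared by an administrator. The sample timeout and duration values, the rule that attempts refused inside the timeout window do not count as further failures, and the rule that a successful logon clears the failure count are assumptions of the example, not behaviour the guide states.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LogonPolicy:
    """Global administrator logon settings, named after the Bridge GUI fields."""
    max_failed_tries: int = 3          # Max Failed Logon Tries: 1 to 9 accepted, 3 is the default
    failed_logon_timeout: float = 30   # Failed Logon Timeout, seconds (sample value, assumed)
    permanent_lockout: bool = False    # Permanent Lockout
    lockout_duration: float = 300      # Lockout Duration, seconds (sample value, assumed)

    def __post_init__(self) -> None:
        if not 1 <= self.max_failed_tries <= 9:
            raise ValueError("Max Failed Logon Tries must be between 1 and 9")


@dataclass
class AccountState:
    failures: int = 0                        # consecutive failed attempts
    last_failure_at: Optional[float] = None  # clock time of the last failure
    locked_until: Optional[float] = None     # math.inf marks a permanent lockout


class LogonGuard:
    """Tracks per-account logon failures against a LogonPolicy.

    The clock is passed in explicitly so the behaviour can be exercised
    deterministically; a real service would use time.monotonic().
    """

    def __init__(self, policy: LogonPolicy, credentials: Dict[str, str]) -> None:
        self.policy = policy
        self.credentials = credentials   # constructed username -> password table
        self.state: Dict[str, AccountState] = {}

    def attempt(self, username: str, password: str, now: float) -> str:
        """Return 'ok', 'failed', 'timeout' or 'locked' for one logon attempt."""
        st = self.state.setdefault(username, AccountState())
        p = self.policy

        # A locked account refuses every attempt until the lockout ends.
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"
            st.locked_until = None   # timed lockout has expired
            st.failures = 0

        # Failed Logon Timeout: even valid credentials are refused until the
        # configured number of seconds has elapsed since the last failure.
        # Assumption: such refusals do not count as further failures.
        if st.last_failure_at is not None and now - st.last_failure_at < p.failed_logon_timeout:
            return "timeout"

        if self.credentials.get(username) == password:
            st.failures = 0            # assumption: a success clears the failure count
            st.last_failure_at = None
            return "ok"

        st.failures += 1
        st.last_failure_at = now
        if st.failures >= p.max_failed_tries:
            st.locked_until = math.inf if p.permanent_lockout else now + p.lockout_duration
            return "locked"
        return "failed"

    def unlock(self, username: str) -> None:
        """Administrator-initiated unlock (see Unlocking Administrator Accounts)."""
        self.state[username] = AccountState()


def demo() -> List[str]:
    """Walk one account through timeout, timed lockout and recovery."""
    guard = LogonGuard(LogonPolicy(failed_logon_timeout=10, lockout_duration=60),
                       {"admin": "s3cret-sample-pw"})
    steps = [("wrong", 0), ("s3cret-sample-pw", 5), ("s3cret-sample-pw", 11),
             ("wrong", 20), ("wrong", 40), ("wrong", 60),
             ("s3cret-sample-pw", 100), ("s3cret-sample-pw", 121)]
    return [guard.attempt("admin", pw, t) for pw, t in steps]


if __name__ == "__main__":
    print(demo())
```

The second attempt in demo() is refused with "timeout" even though the password is right, which is exactly the behaviour the Failed Logon Timeout setting describes; the sixth attempt triggers the timed lockout and the last one succeeds only after both the lockout and the timeout window have elapsed.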
log-ons and Monitor -> Event Log when Log Viewer accounts first access the Bridge GUI). The feature is Disabled by default. Show Previous Logon is present only in Advanced View (refer to Section 2.1.4). 2.2.1.

1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> RADIUS Settings from the menu on the left. 2 Click to access the Local Server tab, and in the Local Authentication Server frame: In Administrative State, click to select Enabled. In Administrator Auth, click to select Enabled. For help with other settings on this screen refer to Section 4.3.2. Figure 2.5.

7 Select Configure -> RADIUS Settings from the menu on the left. 8 Click to access the Local Server tab and in the User Entries frame, click NEW USER. 9 In the Edit Local Authentication screen’s User Database Entry frame: In Username, enter a user name of at least one (1) alphanumeric character. In New Password/Confirm Password, enter a password that conforms to current password requirements (Section 2.2.1.8).

Consult your RADIUS server documentation for information on configuring the service. You must additionally configure an entry for the server on the Bridge’s Authentication Servers list (Configure -> RADIUS Settings -> Server List), specifying 3rd Party RADIUS as its Server Type and Admin as a supported Auth Type for the service (refer to Section 4.3.1 for more information on configuring external authentication servers for the Bridge). 2.2.1.

2.2.1.8 Password Requirements
The Bridge will not accept new passwords that do not meet specified requirements. If you specify new requirements that existing passwords do not meet, nonconforming passwords are treated according to the Expire Nonconforming Passwords setting (described in Section 2.2.1.7). NOTE: Passwords do not need to be unique.

Pass. Dictionary - Passwords can/cannot match words in the dictionary. When Pass. Dictionary is Enabled, passwords are checked against a list of English words, and the password is rejected if a match is found. When it is Disabled (the default), passwords can contain the words on the list. You can view but not edit the word list: Configuration -> Admin Users -> EDIT|NEW USER -> Pass. Dictionary -> VIEW. Pass.

Table 2.1. Global Administrator Logon Settings
Simple & Advanced Views: Max Failed Logon Tries; Failed Logon Timeout; Permanent Lockout; Lockout Duration; Session Idle Timeout; Pass. Expire; Pass. Expiration; Pass. Expire Warning
Advanced View Only: Show Previous Logon; Authentication Method; Authentication Failback; Expire Nonconforming Pass.; Pass. Min. Length; Pass. Min. Capitals; Pass. Min. Lowercase; Pass. Min. Numbers; Pass. Min. Punctuation; Pass. Min. Delta; Pass.
2.2.1.9
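The password requirement settings in Table 2.1 (Pass. Min. Length, Min. Capitals, Min. Lowercase, Min. Numbers, Min. Punctuation, Min. Delta and Pass. Dictionary) amount to a policy that every new password is checked against before the Bridge accepts it. The following added example, written for this guide and not Fortress code, implements such a check so an administrator can test candidate passwords against a chosen policy offline. The word list is constructed for the example (the Bridge's own list can only be viewed in the GUI); treating a listed word that appears anywhere inside the password as a dictionary match, and reading Min. Delta as the number of character positions that must change from the previous password, are both assumptions of the example.

```python
import string
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Global password requirements, named after the Bridge GUI fields (sample values)."""
    min_length: int = 15           # Pass. Min. Length (15 is also the forced first-logon minimum)
    min_capitals: int = 1          # Pass. Min. Capitals
    min_lowercase: int = 1         # Pass. Min. Lowercase
    min_numbers: int = 1           # Pass. Min. Numbers
    min_punctuation: int = 1       # Pass. Min. Punctuation
    min_delta: int = 4             # Pass. Min. Delta (assumed: positions changed from the old password)
    dictionary_enabled: bool = False            # Pass. Dictionary, Disabled by default
    dictionary: FrozenSet[str] = frozenset()    # the word list (constructed here, not the Bridge's)


# Constructed stand-in for the Bridge's English word list.
SAMPLE_WORDLIST: FrozenSet[str] = frozenset({"password", "fortress", "bridge", "admin", "secret"})


def char_delta(old: str, new: str) -> int:
    """Positions that differ between old and new, plus any length difference (assumed reading of Min. Delta)."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))


def check_password(candidate: str, policy: PasswordPolicy, previous: Optional[str] = None) -> List[str]:
    """Return the list of requirement violations; an empty list means the password is acceptable."""
    violations: List[str] = []
    counts = {
        "capitals": sum(c.isupper() for c in candidate),
        "lowercase": sum(c.islower() for c in candidate),
        "numbers": sum(c.isdigit() for c in candidate),
        "punctuation": sum(c in string.punctuation for c in candidate),
    }
    if len(candidate) < policy.min_length:
        violations.append(f"length: {len(candidate)} < {policy.min_length}")
    for name, minimum in (("capitals", policy.min_capitals), ("lowercase", policy.min_lowercase),
                          ("numbers", policy.min_numbers), ("punctuation", policy.min_punctuation)):
        if counts[name] < minimum:
            violations.append(f"{name}: {counts[name]} < {minimum}")
    if policy.dictionary_enabled:
        # Assumed reading of the dictionary check: any listed word appearing inside the
        # password (case-insensitively) counts as a match and the password is rejected.
        lowered = candidate.lower()
        hits = sorted(w for w in policy.dictionary if w in lowered)
        if hits:
            violations.append("dictionary: matches " + ", ".join(hits))
    if previous is not None and char_delta(previous, candidate) < policy.min_delta:
        violations.append(f"delta: {char_delta(previous, candidate)} < {policy.min_delta}")
    return violations


def violation_kinds(candidate: str, policy: PasswordPolicy, previous: Optional[str] = None) -> List[str]:
    """Just the names of the violated requirements, for quick reporting."""
    return [v.split(":")[0] for v in check_password(candidate, policy, previous)]


if __name__ == "__main__":
    strict = PasswordPolicy(dictionary_enabled=True, dictionary=SAMPLE_WORDLIST)
    for pw in ("Tr0ub4dor&3", "MyFortressBridge#2010", "CorrectHorseBattery!42"):
        print(pw, "->", check_password(pw, strict) or "acceptable")
```

Running the block shows that a short but otherwise complex password fails only on length, that enabling the dictionary check rejects a long password built from listed words, and that a password differing from its predecessor in a single character fails the delta requirement.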
Figure 2.9. Logon Banner on the Bridge GUI Logon Screen, all platforms. To configure a comment or administrator logon banner: 1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. 2 Scroll down to the System Messages frame and: Optionally enter information into the Comment field.
To eliminate an existing logon banner, delete all content from the Warning Banner field and APPLY the change.
2.2.2 Individual Administrator Accounts
Up to thirteen usable administrative accounts can be present on the Bridge’s local administrator database at one time. Three of these are preconfigured with the fixed user names: admin, maintenance and logviewer, reflecting the default administrative Role of each account.

2.2.2.1 Administrator User Names
At the time a new administrative account is created, you must provide a Username. Once established, the Username associated with an administrative account cannot be changed. Administrator user names must be unique on the Bridge. They are case sensitive, can be from 1 to 32 characters long, and can include spaces and any of the symbols in the set: ~ ! @ # $ % ^ & * ( ) _ - + = { } [ ] | \ : ; < > , .

to configuration changes. Log Viewer-level accounts have no execution privileges on the Bridge. Only one Administrator-level account can be active on the Bridge at one time. Their limited permissions allow multiple Maintenance-level and Log Viewer-level accounts to be active on the Bridge at the same time. Only one active session per administrative account is supported, regardless of Role.

Console - The account can access the Bridge CLI through a direct, physical connection to the Bridge’s Console port (refer to the CLI Software Guide). Web - The account can access the Bridge GUI through a browser connected to the Bridge’s IP address (refer to Section 2.1.3). SSH - The account can access the Bridge CLI through a Secure Shell terminal session (refer to the CLI Software Guide). Interfaces are independently selectable in any combination.

The same message will be returned for an Administrator-level account if the administrator tries to change the password when the password is locked. Because Administrator-level accounts can change the Password is Locked setting for any account, it is impossible to effectively lock passwords on these accounts (although the administrator will have to select No for Password is Locked and APPLY the reconfiguration before changing the password).
of the page, then Configure -> Administration from the menu on the left. 2 In the Administration screen’s Administrator Settings frame, click NEW USER. Figure 2.12. creating a new administrator account, all platforms 3 In the Account Information frame, enter at least a Username and optionally a Full Name and/or Description, and configure any additional settings for the account. (Your options are described in detail in sections 2.2.2.1 through 2.2.2.6.
You can optionally view current password complexity requirements by clicking More Information in the upper right of the Edit Password screen and then Password Complexity Settings. Click APPLY in the upper right of the screen (or CANCEL the creation of the new account). The new account will be listed, in Advanced View, in Administrator Settings on Configure -> Administration.

Click APPLY in the upper right of the screen (or CANCEL the conversion of the account). The newly converted account will be listed, in Advanced View, on Configure -> Administration with Learned state of No, and the associated administrator will be allowed to log on (with valid credentials). 3 Learned user names and passwords need not meet the Bridge’s configured requirements for local administrative accounts. 2.2.2.

4 Click OK in the confirmation dialog (or CANCEL the deletion). Figure 2.14. deleting an administrator account, all platforms The account will be removed from the Advanced View Administrator Settings frame (Configure -> Administration).
2.2.2.11 Changing Administrative Passwords
Administrators with Administrator-level accounts can change the password of any account, including their own, as described in sections 2.2.2.7 and 2.2.2.9.
entry failed the check and cannot be used. If the Password Dictionary check is not in effect it is labeled (disabled). Click APPLY in the upper right of the screen (or CANCEL the change). Role configuration options for administrative accounts are described in detail in Section 2.2.2.3.
2.2.2.12 Unlocking Administrator Accounts
You can unlock administrator accounts in Advanced View only. Figure 2.16.
2 In the resulting screen’s Admin IP Access Control Whitelist frame, click NEW IP. Figure 2.17. Advanced View Add an IP ACL Entry dialog, all platforms 3 In the resulting Add an IP ACL Entry dialog, enter the IP Address of the computer from which you are currently logged on and, optionally, a Description for the entry. Then click APPLY (or CANCEL the addition). The IP address you added will be listed on the Admin IP Access Control Whitelist.

A dialog will also warn you if you are deleting your current IP address from the list when it is already enabled (after you have cleared the usual confirmation dialog). Unless you want to prevent management access to the Bridge from your current IP address, Cancel these changes. The Admin IP Access Control Whitelist is Disabled by default, and no IP addresses are listed.

The settings that configure SNMP on the Bridge include: SNMP v3 Support - enables/disables SNMP v3 user access. When SNMP v3 Support is Enabled, the preconfigured SNMP v3 user is permitted to access the Bridge, and new passphrases should be configured in the SNMP v3 User frame: Username - identifies the v3 user, FSGSnmpAdmin. Username cannot be changed.
In New Privacy Passphrase and Confirm Privacy Passphrase, enter a privacy passphrase for the user (10–32 alphanumeric characters without spaces). In the same frame, optionally enter: an E-mail address to serve as the SNMP System Contact; a description of the System Location; a System Description. 4 Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). 5 2.2.4.2

To create trap destinations: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. 2 Scroll down to the SNMP frame, and click NEW DESTINATION. 3 In the Add SNMP Trap Destination dialog: In Trap Destination IP: enter the network address of an SNMP network management system.

To delete a trap destination: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Administration from the menu on the left. 2 Scroll down to the SNMP frame and: If you want to delete one or more selected destinations, click to check the box(es) for those you want to delete.
Chapter 3 Network and Radio Configuration
3.1 Network Interfaces
Multiple Bridges can be connected through their wired and/or wireless interfaces to form fixed or mobile tactical mesh networks and to bridge or extend the reach and availability of conventional hierarchical networks. Different models of Fortress Bridge chassis feature varying numbers of user-configurable Ethernet ports.

In Fortress Bridges equipped with any number of radios, the standard-equipment Radio 1 is a dual-band 802.11a/g (or 802.11a/g/n) radio. Radio 1’s 802.11g capability typically indicates its use to provide wireless access to devices within range. You can configure the Bridge's network interfaces to meet various deployment and security requirements. Ethernet port configuration is covered in Section 3.7.
support the mesh network and user controls to configure and tune it.
Table 3.1. STP Networks Compared to FastPath Mesh
function                          STP            FP Mesh
self-forming                      supported      supported
self-healing                      supported(a)   supported
end-to-end encryption             supported      supported
all paths available at all times  not supported  supported
optimal path selection            not supported  supported
automatic IPv6 mesh addressing    not supported  supported
independent DNS and .ftimesh.
inherent in layer-2 networks, including advance ARP resolution and streamlined broadcast and multicast handling to significantly reduce broadcast traffic. FP Mesh enables each node to use all mesh network links and to route traffic on the optimal path by computing per-hop costs, based on link conditions, and end-to-end costs, based on cumulative per-hop costs. System and neighbor cost weighting are user configurable (refer to sections 3.2.1.5 and 3.2.1.6).

Additionally, FastPath Mesh functionality itself provides automatic IPv6 addressing without the need for a DHCP server and name distribution within the network without the need for a DNS server. To provide independent IPv6 addressing and facilitate optimal network traffic routing, FP Mesh generates an RFC-4193 Unique Local IPv6 Unicast Address (a.k.a.
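The guide states that FP Mesh generates an RFC 4193 Unique Local IPv6 Unicast Address for each MP but not how it derives it. As an added illustration, not Fortress code, the block below implements the Global ID derivation that RFC 4193 section 3.2.2 itself prescribes (SHA-1 over a 64-bit NTP timestamp concatenated with an EUI-64, keeping the low 40 bits, under the fd00::/8 prefix) and builds a full address from the resulting /48, a 16-bit Subnet ID and the node's modified EUI-64. The MAC address and timestamp are constructed inputs; whether the Bridge follows exactly this derivation is not something the guide confirms.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
ULA_SPACE = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 block; fd00::/8 is its locally assigned half


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and a 32-bit fraction, big-endian."""
    whole = int(unix_time)
    frac = int((unix_time - whole) * (1 << 32))
    return struct.pack(">II", (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF, frac & 0xFFFFFFFF)


def ula_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: Global ID = low 40 bits of SHA-1(NTP time || EUI-64); prefix = fd00::/8 | Global ID."""
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]          # least significant 40 bits of the digest
    packed = b"\xfd" + global_id + bytes(10)             # 0xfd, 40-bit Global ID, zeroed subnet and interface bits
    return ipaddress.IPv6Network((packed, 48))


def ula_address(mac: str, unix_time: float, subnet_id: int = 0) -> ipaddress.IPv6Address:
    """A full /128 ULA: the /48 prefix, a 16-bit Subnet ID and the node's EUI-64 as Interface ID."""
    if not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("Subnet ID is 16 bits")
    prefix = ula_prefix(mac, unix_time)
    interface_id = int.from_bytes(mac_to_eui64(mac), "big")
    return ipaddress.IPv6Address(int(prefix.network_address) | (subnet_id << 64) | interface_id)


def is_unique_local(prefix: ipaddress.IPv6Network) -> bool:
    """True when the prefix lies inside the RFC 4193 Unique Local Address space."""
    return prefix.subnet_of(ULA_SPACE)


if __name__ == "__main__":
    # Constructed sample node: a locally administered MAC and the current clock.
    sample_mac = "02:00:5e:10:00:01"
    now = time.time()
    print("ULA prefix :", ula_prefix(sample_mac, now))
    print("ULA address:", ula_address(sample_mac, now, subnet_id=1))
```

Because the Global ID is a hash of the generation time, two nodes deriving prefixes independently end up with different /48s with overwhelming probability, which is the point of the RFC's algorithm: uniqueness without coordination, so meshes that later merge or attach to the same LAN do not collide on addresses.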
between FastPath MPs. When Enabled (the default), traffic between MPs is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1).
3.2.1.3 Mobility Factor
To facilitate node mobility in the FP Mesh network, Mobility Factor adjusts the frequency at which the costs of data paths to neighbor nodes are sampled so that cost changes can be transmitted to the network.

U - is the user defined per-interface cost offset, which allows you to configure one link to be more costly than another. Any non-negative integer between 0 (zero) and 4,294,967,295 can be defined (for configuration information, refer to Section 3.3.4.4 for wireless and Section 3.7.3 for Ethernet interface controls). a and b - are device-wide user defined constants that correspond to throughput and latency, respectively.

You can also force MPs to join or leave specific multicast groups, if you need to support non-IP multicast groups or a device on an Access interface that doesn’t implement IGMP/MLD, or for testing/debugging purposes. To subscribe to a multicast group, you must identify the FP Mesh interface for the stream and specify the multicast address for the group by MAC or IP address. MPs can subscribe as multicast listeners, talkers or both (the default).

1 Log on to the Bridge GUI through an Administrator-level account. 2 If you are configuring any setting beyond Bridging Mode, click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.)

If you want to subscribe to a new multicast group: Click NEW MULTICAST GROUP. In the Add a Multicast Group dialog, specify the Access interface on which the current MP will subscribe to the multicast group: From the Interface dropdown, select a BSS currently configured on (one of) the MP’s radio(s) or one of the MP’s Ethernet ports.

3.2.2 STP Bridging
When STP is used for link management, the Fortress Bridge can connect to other Fortress Bridges to form mesh networks and, on separate BSSs, simultaneously serve as access points (APs) to connect compatibly configured wireless devices to a wireless LAN (WLAN). STP is selected for Bridging Mode by default.
Figure 3.3. Simple View Bridging Configuration frame, Administration screen, all platforms
3.2.2.1 Configuring STP Bridging:
1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left. 2 In the Bridging Configuration frame: In Bridging Mode: select STP to enable Spanning Tree Protocol. In Bridge Priority: optionally enter a new STP root priority; numbers between 0 and 65535 are valid.
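Section 1.4 notes that at default settings the Bridge with the lowest MAC address becomes the STP root, and the Bridge Priority field above (0 to 65535) is how you override that. The added example below, written for this guide and not Fortress code, models the IEEE 802.1D root election that produces this behaviour: each bridge's identifier is its 16-bit priority followed by its 48-bit MAC, and the lowest identifier wins. It also includes a check a deployer can run on a planned mesh to confirm the intended root has a strictly lower priority than every other node, so that a newly added Bridge with a lower MAC address cannot take over the root role. The three-Bridge mesh, its MACs, and the default priority of 32768 (the 802.1D default, assumed here to be the Bridge's as well since the guide says ties are broken by MAC) are all constructed for the example.

```python
from typing import Dict, List, Tuple

# IEEE 802.1D default bridge priority; assumed to be the Bridge's default too, since the
# guide says the lowest MAC address wins at default settings (i.e. on a priority tie).
DEFAULT_PRIORITY = 32768

Bridges = Dict[str, Tuple[int, str]]   # name -> (Bridge Priority, MAC address)


def bridge_id(priority: int, mac: str) -> int:
    """802.1D Bridge Identifier: 16-bit priority in the high bits, 48-bit MAC in the low bits."""
    if not 0 <= priority <= 65535:
        raise ValueError("Bridge Priority must be between 0 and 65535")
    mac_int = int(mac.replace(":", "").replace("-", ""), 16)
    if mac_int >> 48:
        raise ValueError("MAC address must be 48 bits")
    return (priority << 48) | mac_int


def election_order(bridges: Bridges) -> List[str]:
    """Bridges ordered by Bridge Identifier, lowest first; the first entry becomes the STP root."""
    return sorted(bridges, key=lambda name: bridge_id(*bridges[name]))


def elect_root(bridges: Bridges) -> str:
    return election_order(bridges)[0]


def root_is_pinned(bridges: Bridges, intended: str) -> bool:
    """True when the intended root's priority is strictly lower than every other bridge's, so no
    MAC address (including one a later-added device happens to carry) can outrank it."""
    mine = bridges[intended][0]
    return all(prio > mine for name, (prio, _) in bridges.items() if name != intended)


# Constructed three-Bridge mesh using locally administered (02:...) MAC addresses.
DEFAULT_MESH: Bridges = {
    "bridge-a": (DEFAULT_PRIORITY, "02:00:00:00:00:10"),
    "bridge-b": (DEFAULT_PRIORITY, "02:00:00:00:00:02"),
    "bridge-c": (DEFAULT_PRIORITY, "02:00:00:00:00:07"),
}
# The same mesh with bridge-a deliberately pinned as root through Bridge Priority.
PINNED_MESH: Bridges = {**DEFAULT_MESH, "bridge-a": (4096, "02:00:00:00:00:10")}

if __name__ == "__main__":
    print("default root:", elect_root(DEFAULT_MESH), election_order(DEFAULT_MESH))
    print("pinned root: ", elect_root(PINNED_MESH), root_is_pinned(PINNED_MESH, "bridge-a"))
```

With every Bridge at the default priority, bridge-b wins purely on its MAC address; lowering bridge-a's priority makes it the root regardless of MAC ordering, and root_is_pinned() reports whether that choice is robust against the rest of the mesh.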
Each radio installed in a Fortress Bridge can be configured with up to four BSSs, which can serve either as bridging interfaces networked with other Fortress Bridges or as access interfaces for connecting wireless client devices. Refer to Section 3.3.4 for details on radio BSS configuration. Alternatively, an ES210 Bridge can be dedicated to act as a wireless client by configuring a single station (STA) interface on its single internal radio. Refer to Section 3.3.
When Country is licensed on the Bridge (Section 6.3), additional countries are available for selection. To allocate bandwidth and prevent interference, radio transmission is a regulated activity, and different countries specify hardware configurations and restrict the strength of signals broadcast on particular frequencies according to different rules.
In many regulatory domains, including the Bridge’s FCC domain, additional channels are available for selection (Section 3.3.2.3) when Environment is set to Indoors.
Figure 3.4. Advanced View Advanced Global Radio Settings frame, all radio-equipped platforms
In addition, the Bridge uses your entries for Network Type and Antenna Gain (refer to sections 3.3.2.4 and 3.3.2.5, respectively) to calculate allowable TxPower settings. These settings are therefore also subject to regulatory compliance requirements. When Advanced Radio operation has not been licensed on the Bridge (the default), transmission by the Bridge’s 802.11a radio(s) is restricted to channels in the UNII-3/ISM4 band of the 5 GHz bands.
5 GHz and 2.4 GHz Options
Radios installed as Radio 1 in radio-equipped Fortress Bridges (refer to Table 3.3, above) can operate in either the 5 GHz 802.11a frequency band or the 802.11g 2.4 GHz band of the radio spectrum, according to your selection in the Band field. By default, a dual-band radio installed as Radio 1 in a multiradio Bridge is configured to operate in the 2.4 GHz 802.11g band.
and block acknowledgement (block ACK), and smaller frame headers and inter-frame gaps. On 802.11n-capable radios, there are three possible high-throughput (ht) 802.11n options for each frequency band supported on the radio: three for the 5 GHz 802.11na band and three for the 2.4 GHz 802.11ng band, when present:
ht20 - 802.
Table 3.4 shows all channels available for selection on military band Bridge radios, with their corresponding frequencies.
Table 3.4. 4.4 GHz Military Band Radio Channels
Channel  Frequency (GHz)   Channel  Frequency (GHz)
4100     4.476             4128     4.616
4104     4.496             4132     4.636
4108     4.516             4136     4.656
4112     4.536             4140     4.676
4116     4.556             4144     4.696
4120     4.576             4148     4.716
4124     4.
3.3.2.6 Tx Power Mode and Tx Power Settings
The default transmit power level for all radios is Auto, which directs the Bridge to automatically set the transmit power at the maximum allowed for the selected Band, Channel, Network Type and Antenna Gain (refer to sections 3.3.2.2 through 3.3.2.5) by the regulatory domain established in Country Code (Section 3.3.1.3). Alternatively, you can specify a transmit power level for the radio.
Figure 3.7. Bridge network deployment with radio Distance settings of 3 kilometers
You can configure Distance only in Advanced View.
3.3.2.8 Beacon Interval
Bridge radios transmit beacons at regular intervals to announce their presence on their network, the strength of their RF signals and, when Advertise SSID is enabled (Section 3.3.4.2), the SSIDs of their basic service sets (BSSs).
3.3.2.9 Short Preamble
The short preamble is used by virtually all wireless devices currently being produced. The Short Preamble is therefore the most likely requirement for new network implementations and is Enabled by default. The setting applies only to 802.11g band operation; it is greyed out for Radio 2 and for Radio 1 when it is configured to use the 802.11a band.
4 Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes).
Figure 3.8. Advanced View RADIO 1 Radio Settings frame, all radio-equipped platforms
3.3.3 DFS Operation and Channel Exclusion
Most regulatory domains, including the Bridge’s default FCC domain, require that certain channels in the 5 GHz 802.11a frequency band operate as DFS (Dynamic Frequency Selection) channels.
signal the impending change and transmit the new channel number to the network, before switching its bridging radio to the new channel. Bridges receiving this transmission will do the same, until the new channel has been propagated to every Bridge in the network and all are connected over the new channel. If you manually change the Channel setting on a bridging radio (Section 3.3.2.
You can observe the channels currently excluded from each radio’s use, in Advanced View only, on the Channel Exclusions list on Configure -> Radio Settings.
Figure 3.10.
Bridges or serve as a WLAN access point (AP). Refer to Section 3.2.2 for more detail. You can view the BSSs configured for each radio, under the radio’s entry on Configure -> Radio Settings. No BSSs are configured on Bridge radios by default. To create a BSS you need only specify a unique name (Section 3.3.4.1) and SSID (Section 3.3.4.2). Sections 3.3.4.1 through 3.3.4.
3.3.4.3 Wireless Bridge and Minimum RSS
In a Fortress FastPath Mesh network, the Wireless Bridge setting, in conjunction with FastPath Mesh Mode (below), determines whether the BSS will provide network connections to other Fortress Bridge Mesh Points (Enabled) or connect other Non-Mesh Points to the FastPath Mesh (Disabled). FastPath Mesh bridging is described in Section 3.2.1.
Because of its dependency on the BSS’s Wireless Bridge function, the FastPath Mesh Mode of a wireless interface on the Bridge is not among the user controls provided. When FastPath Mesh is enabled and the BSS is configured as a bridging interface (Wireless Bridge: Enabled), the BSS is automatically configured as an FP Mesh Core interface, allowing it to connect to other FP Mesh-enabled Fortress Mesh Points (MPs).
function is Disabled by default, at which setting the BSS accepts connections from both 802.11g and 802.11b devices. Enabling G Band Only prevents 802.11b wireless devices from connecting to the BSSs. The older 802.11b is the slower of the two 2.4 GHz wireless standards and most new devices support 802.11g. Consult the connecting device’s documentation to determine which standard(s) it supports. The G Band Only setting does not apply to BSSs on 802.11a radios.
3.3.4.9 BSS RTS and Fragmentation Thresholds
The RTS Threshold allows you to configure the maximum size of the frames the BSS sends without using the RTS/CTS protocol. Frame sizes over the specified threshold cause the BSS to first send a Request to Send message and then receive a Clear to Send message from the destination device before transmitting the frame. The RTS Threshold is measured in bytes.
3.3.4.10 BSS Unicast Rate Mode and Maximum Rate
When a BSS is configured to use a Unicast Rate Mode setting of auto (the default), the interface dynamically adjusts the bit rate at which it transmits unicast data frames—throttling between the configured Unicast Maximum Rate and the minimum rate—to provide the optimal data rate for the connection.
which is appropriate for a BSS using the 5 GHz frequency band, typically for network bridging. Fortress recommends leaving BSSs in the 802.11a band, including all 802.11na options, at the default of 6. If the BSS will provide mesh network bridging in the 5 GHz 802.11a band, Fortress recommends a Multicast Rate of 6 Mbps.
BSSs enabled for bridging (Section 3.3.4.3) must be Enabled for Fortress Security. You cannot apply Wi-Fi Security to bridging-enabled BSSs. A Wi-Fi Security setting of None requires no further configuration.
Figure 3.13. Advanced View New BSS settings frame, all radio-equipped platforms
WPA, WPA2 and WPA2-Mixed Security
WPA (Wi-Fi Protected Access) and WPA2 are the enterprise modes of WPA (as distinguished from the pre-shared key modes described below).
On the New/Edit BSS screens, these additional settings apply to WPA, WPA2 and WPA2-Mixed selections:
WPA Rekey Period - specifies the interval at which new pairwise transient keys (PTKs) are negotiated, or 0 (zero), which disables the rekeying function: the interface will use the same key for the duration of each session. Specify a new interval in whole seconds between 0 and 2147483647, inclusive. No WPA Rekey Period is specified by default.
New Preshared Key and Confirm Preshared Key - specify the preshared key itself, as:
a plaintext passphrase between 8 and 63 characters in length, when ASCII is selected for Preshared Key Type, above.
a 64-digit hexadecimal string, when Hex is selected for Preshared Key Type, above.
You can configure WPA2-PSK security in either Bridge GUI view. WPA-PSK and WPA2-Mixed-PSK security are available for selection only in Advanced View.
4 In the Radio Settings screen’s New/Edit BSS frame, enter new values for the settings you want to change (described in sections 3.3.4.1 through 3.3.4.14, above).
5 Click APPLY in the upper right of the screen (or CANCEL your changes).
Refer to the relevant step-by-step instructions in Section 3.3.5.11, Establishing an ES210 Bridge STA Interface Connection, for preconfiguring the interface or creating it through the ES210 Bridge’s scanning function.
3.3.5.1 Station Administrative State
Admin State simply determines whether the interface is Disabled or Enabled. A newly created STA Interface is Enabled by default.
In a WMM-enabled association, packets sent from the Bridge include WMM tags that permit traffic from the Bridge to be prioritized according to the information contained in those tags. You can configure WMM for the STA Interface only in Advanced View.
3.3.5.6 Station Fragmentation and RTS Thresholds
The RTS Threshold allows you to configure the maximum size of the frames the STA Interface sends without using the RTS/CTS protocol.
The default Unicast Maximum Rate for a new STA interface is 54 Mbps, which specifies the highest setting possible in either frequency band. You can configure Unicast Rate Mode and Unicast Maximum Rate only in Advanced View.
NOTE: Radio Band settings are covered in detail in Section 3.3.2.2.
3.3.5.8 Station Multicast Rate
The bit rate at which a wireless interface sends multicast frames is negotiated per connection.
peer and at least one CA (Certificate Authority) certificate must be present in the local certificate store. Refer to Section 6.2.1 for guidance on configuring an EAP-TLS key pair and digital certificate.
PSK or WPA2-PSK be used exclusively by the STA Interface, or you can configure it to be able to use either by selecting WPA2-Mixed-PSK. Pre-shared key mode differs from enterprise mode in that PSK bases initial key generation on a user-specified key or passphrase instead of on digital certificates. Like enterprise mode, PSK mode generates encryption keys dynamically and exchanges keys automatically with connected devices at user-specified intervals.
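Both the BSS pre-shared key fields (Section 3.3.4, above) and the STA Interface's PSK mode accept the key as an 8-to-63-character ASCII passphrase or as 64 hexadecimal digits. The following Python is an added example, not code from the guide or from Fortress, that validates both forms and shows how they relate: the passphrase form is turned into the 256-bit pairwise master key by the IEEE 802.11 PSK derivation (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations), while the 64-digit Hex form is that key entered directly. The function names are the example's own; the passphrase/SSID pair "password"/"IEEE" in the usage is the published 802.11i test vector.

```python
import hashlib
import re


def validate_preshared_key(key: str, key_type: str) -> str:
    """Check a key against the two forms the Preshared Key fields accept; return it normalized.

    key_type "ASCII": plaintext passphrase of 8 to 63 printable ASCII characters.
    key_type "Hex":   exactly 64 hexadecimal digits (the 256-bit key entered directly).
    """
    if key_type == "ASCII":
        if not 8 <= len(key) <= 63:
            raise ValueError("ASCII passphrase must be 8 to 63 characters long")
        if any(not 32 <= ord(c) <= 126 for c in key):
            raise ValueError("passphrase must contain printable ASCII only")
        return key
    if key_type == "Hex":
        if not re.fullmatch(r"[0-9A-Fa-f]{64}", key):
            raise ValueError("Hex key must be exactly 64 hexadecimal digits")
        return key.lower()
    raise ValueError(f"unknown Preshared Key Type {key_type!r}")


def pmk_from_passphrase(passphrase: str, ssid: str) -> str:
    """Derive the 256-bit pairwise master key from an ASCII passphrase and the SSID.

    This is the IEEE 802.11 PSK derivation: PBKDF2-HMAC-SHA1, 4096 iterations, 32 bytes out.
    """
    pmk = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32)
    return pmk.hex()


def pmk_for_bss(key: str, key_type: str, ssid: str) -> str:
    """Return the key material the interface ends up with, whichever entry form was used."""
    normalized = validate_preshared_key(key, key_type)
    if key_type == "Hex":
        return normalized            # the 64 hex digits are the PMK itself; nothing to derive
    return pmk_from_passphrase(normalized, ssid)


if __name__ == "__main__":
    print(pmk_for_bss("password", "ASCII", "IEEE"))   # the 802.11i Annex test vector
```

Because the derivation is keyed only by the passphrase and the SSID, the strength of an ASCII key rests entirely on passphrase length and randomness; entering the Hex form supplies the 256-bit key directly and skips that dependency.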
Table 3.9. STA Interface Settings
Simple & Advanced Views: Admin State, STA Name, SSID, BSSID, Wi-Fi Security, Key Type, Rekey Period, WPA Key/Key Confirm
Advanced View Only: Description, WMM, Frag.
6 In the Radio screen’s Add Station Mode frame, click the SCAN button to detect and display available networks.
Figure 3.18. Selecting a network for the STA Interface to connect to, ES210
7 Click to select the network you want the Bridge to connect to: Click the network SSID to capture only the network SSID and Wi-Fi security requirement.
additional security options described under WPA, WPA2 and WPA2-Mixed Security in Section 3.3.5.10.
and
Optionally configure any additional interface settings, as described in sections 3.3.5.2 through 3.3.5.8.
Click APPLY in the upper right of the screen (or CANCEL the action).
To edit or delete the STA Interface:
1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Radio Settings from the menu on the left.
2 If you are reconfiguring the existing STA Interface, on the Radio screen: If you are reconfiguring one or more Advanced View settings (see Table 3.8), click ADVANCED VIEW in the upper right corner of the page. (If not, skip this step.) Click the EDIT STATION button.
3.4 Basic Network Settings Configuration
The basic settings that establish the Bridge’s presence on the network are configured in the Network Configuration frame on Configure -> Administration, described in sections 3.4.1 and 3.4.2, below. The Bridge’s system clock and, optionally, NTP (network time protocol) configuration are set in the Time Configuration frame of the same screen, as described in Section 3.4.3.
Configure these settings on the Bridge GUI’s Network Configuration screen.
Figure 3.20. Advanced View Network Configuration frame, all platforms
Preferred DNS and Alternate DNS - provide the addresses of external Domain Name System servers on the network, or specify no network DNS server with an entry of any, which maps to an IP address of 0.0.0.0, the default for both settings. Leaving both settings at their defaults (or later specifying 0.0.0.
3.4.2 IP Configuration
The Bridge supports Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). IPv4 is enabled by default. When it is disabled, the Bridge's management IP address neither accepts nor sends IPv4 packets. IPv6 is always enabled on the Bridge, a state which is not user configurable.
Auto Addressing - configures the Bridge to learn IPv6 global prefixes from network routers (Enabled, the default) or to use only a locally established global address (Disabled).
Configurable Global Address - manually establishes an IPv6 global network address—which must be within the IPv6 global scope—for the Bridge’s management interface.
Configurable Gateway - manually provides the IP address of the default gateway for the Bridge’s IPv6 subnet.
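The Configurable Global Address must lie within the IPv6 global scope, and the Configurable Gateway must be usable as a default gateway for the management subnet. The following Python is an added example, not code from the guide or from Fortress, of the checks an operator can run on candidate values before applying them: the address is tested against the global unicast allocation 2000::/3, and the gateway against an on-link rule (inside the management prefix, or link-local) that is the example's own sanity rule rather than one the guide states. Function names and the 2001:db8: sample addresses are the example's own.

```python
import ipaddress

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")   # the IPv6 global unicast allocation
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def check_configurable_global_address(address: str, prefix_len: int) -> ipaddress.IPv6Interface:
    """Validate a candidate Configurable Global Address and prefix length before applying it."""
    if not 1 <= prefix_len <= 128:
        raise ValueError("prefix length must be between 1 and 128")
    iface = ipaddress.IPv6Interface(f"{address}/{prefix_len}")   # raises ValueError on bad syntax
    if iface.ip not in GLOBAL_UNICAST:
        # link-local (fe80::/10), unique-local (fc00::/7) and other scopes all land here
        raise ValueError(f"{address} is not within the IPv6 global scope ({GLOBAL_UNICAST})")
    return iface


def check_configurable_gateway(gateway: str, iface: ipaddress.IPv6Interface) -> ipaddress.IPv6Address:
    """Example's own sanity rule: a default gateway must be reachable on-link, i.e. inside the
    management prefix or a link-local address, and must not be the Bridge's own address."""
    gw = ipaddress.IPv6Address(gateway)
    if gw == iface.ip:
        raise ValueError("gateway cannot be the Bridge's own management address")
    if gw in LINK_LOCAL or gw in iface.network:
        return gw
    raise ValueError(f"{gateway} is neither link-local nor within {iface.network}")
```

Note that the check is deliberately on 2000::/3 and not on the ipaddress module's `is_global` property, which also excludes documentation and other reserved ranges that the GUI's "global scope" wording does not.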
Table 3.11. IPv6 Network Configuration Settings
Configurable Settings: Configurable Global Address, Auto Addressing, Configurable Gateway, Configurable GW Metric
View-Only Settings: Configured Global Address/prefix length, Local Address/prefix length, Other Addresses/prefix lengths, Default Gateways (metrics)
To configure IP settings:
3.4.3.2 NTP Client Configuration
In Advanced View, after you have set the Bridge’s internal clock to within 1000 seconds of the current time on the network, you can enable the Bridge to synchronize its clock with the time disseminated by up to three configured NTP servers.
To configure system clock and NTP:
1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Administration from the menu on the left.
2 If you are configuring NTP client settings, select ADVANCED VIEW in the upper right corner of the page. If not, skip this step.
3 In the Administration screen’s Time Configuration frame, select/enter new values for the settings you want to configure (described above).
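The 1000-second precondition above is a sanity limit on the initial clock offset: an NTP client will not step a clock that is further off than that. The following Python is an added example, not code from the guide or from Fortress, showing where that offset comes from: it builds a constructed 48-byte SNTP (RFC 4330) server reply, extracts the server's transmit timestamp, converts it from the NTP epoch (1900) to Unix time, and applies the 1000-second rule to the difference against a local clock. The Bridge's own NTP implementation is not described on this page; the function names and the sample timestamps are the example's own.

```python
import struct

NTP_UNIX_DELTA = 2_208_988_800   # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
MAX_INITIAL_OFFSET_S = 1000      # the guide's precondition for enabling the NTP client


def build_sntp_reply(transmit_unix_time: float) -> bytes:
    """Build a constructed 48-byte SNTP server reply (sample data, not captured traffic)."""
    whole = int(transmit_unix_time)
    secs = whole + NTP_UNIX_DELTA
    frac = int((transmit_unix_time - whole) * (1 << 32))   # 32-bit fraction of a second
    head = struct.pack("!BBBb", 0x24, 2, 6, -20)  # LI=0, VN=4, Mode=4 (server); stratum 2; poll 6; precision -20
    head += struct.pack("!II", 0, 0)              # root delay, root dispersion
    head += b"GPS\x00"                            # reference identifier
    # reference, originate, receive and transmit timestamps (all the same instant in this sample)
    return head + struct.pack("!IIIIIIII", secs, frac, secs, frac, secs, frac, secs, frac)


def parse_transmit_timestamp(reply: bytes) -> float:
    """Extract the server's transmit timestamp (bytes 40..47) and return it as Unix seconds."""
    if len(reply) < 48:
        raise ValueError("SNTP reply shorter than 48 bytes")
    if reply[0] & 0x07 != 4:
        raise ValueError("packet is not a server reply (mode != 4)")
    secs, frac = struct.unpack("!II", reply[40:48])
    return secs - NTP_UNIX_DELTA + frac / (1 << 32)


def clock_offset(local_unix_time: float, reply: bytes) -> float:
    """Server time minus local time, in seconds (positive when the local clock is behind)."""
    return parse_transmit_timestamp(reply) - local_unix_time


def sync_allowed(local_unix_time: float, reply: bytes) -> bool:
    """The guide's rule: enable synchronization only once the clock is within 1000 s of network time."""
    return abs(clock_offset(local_unix_time, reply)) <= MAX_INITIAL_OFFSET_S
```

A real exchange would also carry the originate and receive timestamps, from which the client removes network delay; the check shown here is the same one an operator performs by hand when comparing the Bridge's clock to the network before enabling the client.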
Latitude and Longitude - specify the Bridge’s global coordinates in degrees, minutes and seconds, north/south or east/west, in the format DD:MM:SS.ss N/S/E/W, with no spaces. You need only specify whole seconds. You can optionally specify the Bridge’s coordinates to the hundredth of a second.
Altitude - specifies the Bridge’s altitude in whole meters above sea level.
No manual Location is set by default.
To enable GPS or manually configure the Bridge’s location:
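The Latitude and Longitude fields take one fixed text format. The following Python is an added example, not code from the guide or from Fortress, of a parser for that format: it enforces the DD:MM:SS[.ss]H shape with no spaces, the 60-limit on minutes and seconds, the hemisphere letters valid for each field, and the 90/180-degree ranges, and returns signed decimal degrees. Function names and the sample coordinates are the example's own.

```python
import re
from typing import Tuple

# DD:MM:SS or DD:MM:SS.ss followed directly by the hemisphere letter; no spaces anywhere
_COORD_RE = re.compile(r"^(\d{1,3}):(\d{2}):(\d{2}(?:\.\d{1,2})?)([NSEW])$")


def parse_coordinate(text: str) -> float:
    """Convert DD:MM:SS.ss N/S/E/W to signed decimal degrees (south and west negative)."""
    m = _COORD_RE.match(text)
    if not m:
        raise ValueError(f"{text!r} is not in DD:MM:SS.ss N/S/E/W form with no spaces")
    degrees, minutes, seconds, hemisphere = int(m[1]), int(m[2]), float(m[3]), m[4]
    if minutes >= 60 or seconds >= 60:
        raise ValueError("minutes and seconds must be less than 60")
    limit = 90 if hemisphere in "NS" else 180
    value = degrees + minutes / 60 + seconds / 3600
    if value > limit:
        raise ValueError(f"{text!r} exceeds {limit} degrees")
    return -value if hemisphere in "SW" else value


def parse_location(latitude: str, longitude: str, altitude_m: str) -> Tuple[float, float, int]:
    """Validate the three manual Location fields together and return (lat, lon, altitude)."""
    if not latitude or latitude[-1] not in "NS":
        raise ValueError("latitude must end in N or S")
    if not longitude or longitude[-1] not in "EW":
        raise ValueError("longitude must end in E or W")
    if not re.fullmatch(r"-?\d+", altitude_m):
        raise ValueError("altitude must be whole meters")
    return parse_coordinate(latitude), parse_coordinate(longitude), int(altitude_m)
```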
an IP address, the Bridge will forward the request to up to two network DNS servers. When FastPath Mesh is used for bridging and the FastPath Mesh network is attached to a conventional hierarchical network, internal DHCP services obtain default gateway and DNS server settings from locally configured values.
If Auto Addressing will be left at its default of Enabled (see below), you should leave these settings at their defaults (::). If you opt to disable Auto Addressing, you must enter IPv6 addresses in the usual format. The Bridge’s IPv6 DHCP server has an additional setting: Auto Addressing - configures the IPv6 DHCP server to automatically define its address pool. When Auto Addressing is Enabled (the default), the IPv6 server’s manually configured IP Range Min.
The Bridge GUI’s DNS Host to IP Map shows all mappings, which you can sort by ascending or descending Hostname or IP Address. Each entry is identified by Type, which can be:
self - a mapping for the current Bridge
dynamic - a mapping supplied by a DHCP service or obtained from other Mesh Points in a FastPath Mesh network
static - a manually established mapping
Figure 3.26.
5 In the same frame, if you want to remove manually configured name-to-IP address mappings:
If you want to delete one or a selected group of manual mappings, click to place a check in the box beside each entry you want to delete; then click the DELETE button above the list.
or
If you want to delete all manual mappings, click All to place a check in the boxes of all manually configured entries; then click the DELETE button above the list.
chassis and in the GUI, and each port’s default Fortress Security setting. Bridge Ethernet ports can be configured per port, according to the requirements of your implementation. Access per-port settings through Configure -> Ethernet Settings.
Figure 3.28. Simple View Ethernet Settings screen, ES210, ES440, ES820
Ethernet Settings screens display each port’s view-only Name. Software labels cannot be changed.
3.7.1 Port Administrative State
Admin.
Figure 3.29. Advanced View Ethernet Port Settings screen, wan port, ES210, ES440, ES820
3.7.4 Port Fortress Security
When Fortress Security is Enabled on a port, traffic on that port is subject to Fortress’s Mobile Security Protocol (MSP), as configured on the Bridge itself (refer to Section 4.1). Such a port is also known as an encrypted port. When Fortress Security is Disabled, traffic on the port is exempt from Fortress’s MSP.
Trunk - configures the port to accept incoming packets with any VLAN tag in the VLAN ID table and to send packets with their VLAN tagging information unchanged, including 802.1p priority tags, provided that the port’s QoS override function is disabled (see QoS, below). Refer to Section 3.9 and to Table 3.14 for a complete description of VLAN handling on the Bridge. There is only one VLAN trunk per Bridge, used by all Trunk ports.
Ethernet devices that do not support PoE, or non-Powered Devices, can use a PSE-enabled port with no effect on such devices or on PSE operation. If you are powering a PoE Class 3 or Class 0 device on a given port, you may want to leave PSE Disabled on the port above/below it. Vertically stacked ports share a fuse that can bear only a single PoE Class 0/3 device.
3.8 QoS Implementation
The Bridge supports Quality of Service (QoS) expediting for wireless traffic according to the WMM® (Wi-Fi Multimedia) subset of the IEEE standard 802.11e, QoS for Wireless LAN, and for Ethernet traffic according to the IEEE standard 802.1p, Traffic Class Expediting. The Bridge marks traffic that contains 802.1p user-priority tags with the associated QoS priority level.
WMM is enabled by default on new BSSs (refer to Section 3.3.4.7). Wireless packets can convey QoS priority tags directly in their 802.11 headers. When no VLAN tags are present, the Bridge sorts wireless traffic into QoS priority queues according to these tags. If a wireless packet also contains a VLAN tag, the Bridge applies the user-priority tag conveyed in the VLAN tag, rather than in the 802.11 header. On ES210 Bridges in Station Mode (refer to Section 3.3.
To reconfigure QoS priority tag-to-queue mapping:
1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Ethernet Settings from the menu on the left.
2 In the Ethernet Settings screen’s 802.1p QoS Tag Priorities frame, use the pull-down menus to change how 802.1p priority tags are assigned to QoS priority queues.
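The classification rule in Section 3.8 (a VLAN tag's user priority takes precedence over the 802.11 header's) and the tag-to-queue mapping edited in the frame above are small enough to write out. The following Python is an added example, not code from the guide or from Fortress: it extracts the 3-bit user priority from an 802.1Q tag control field or from an 802.11 QoS Control field, applies the precedence rule, and maps the priority to one of the four WMM queues through a table that can be re-assigned as the frame allows. The starting table is the standard WMM/802.1D mapping and is the example's assumption, since the guide does not show the Bridge's default; treating untagged frames as priority 0 is likewise the example's assumption.

```python
# WMM access categories, the four QoS queues, lowest to highest priority
AC_BK, AC_BE, AC_VI, AC_VO = "AC_BK", "AC_BE", "AC_VI", "AC_VO"
QUEUES = (AC_BK, AC_BE, AC_VI, AC_VO)

# Assumed starting point: the standard WMM / 802.1D user-priority-to-queue table.
# The guide does not show the Bridge's defaults; this table is the example's own assumption.
DEFAULT_TAG_TO_QUEUE = {0: AC_BE, 1: AC_BK, 2: AC_BK, 3: AC_BE, 4: AC_VI, 5: AC_VI, 6: AC_VO, 7: AC_VO}


def priority_from_vlan_tci(tci: int) -> int:
    """802.1Q tag control information: PCP (3 bits) | DEI (1 bit) | VID (12 bits)."""
    return (tci >> 13) & 0x7


def priority_from_qos_control(qos_control: int) -> int:
    """802.11 QoS Control field: the TID occupies the low 4 bits; its low 3 bits carry the user priority."""
    return qos_control & 0x7


def validate_mapping(mapping: dict) -> None:
    """Every 802.1p tag 0..7 must be assigned to exactly one of the four queues."""
    if set(mapping) != set(range(8)):
        raise ValueError("mapping must cover tags 0 through 7")
    bad = [tag for tag, queue in mapping.items() if queue not in QUEUES]
    if bad:
        raise ValueError(f"tags {bad} are mapped to unknown queues")


def select_queue(vlan_tci=None, qos_control=None, mapping=DEFAULT_TAG_TO_QUEUE) -> str:
    """Pick the queue for one wireless frame.

    Precedence follows the guide: a VLAN tag's user priority wins over the 802.11 header's.
    A frame carrying neither is treated as priority 0 (the example's assumption).
    """
    validate_mapping(mapping)
    if vlan_tci is not None:
        priority = priority_from_vlan_tci(vlan_tci)
    elif qos_control is not None:
        priority = priority_from_qos_control(qos_control)
    else:
        priority = 0
    return mapping[priority]
```

Because the priority is read from the frame, any device that can set 802.1p or 802.11 tags can influence which queue its traffic lands in; re-mapping tags 6 and 7 away from AC_VO in the frame above is how an administrator limits that on the Bridge side.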
External switches running in port-based VLAN modes require that the Bridge use the VLAN mode Disabled.
VLAN Mode: Normal
In Normal VLAN Mode, the Bridge passes the VLAN tag’s VLAN ID exactly as it is received, while encrypting/decrypting the rest of the data normally. The same tags are passed to and from the clear and encrypted interfaces. Per-port VLAN settings are applied. The Bridge can support up to 48 VLANs in Normal mode.
you configure for each VLAN that the Bridge secures. The routable VLAN IDs received on clear interfaces are translated, according to the routing map, into non-routable IDs and transmitted on an encrypted interface, and vice versa (non-routable VLAN IDs received on encrypted interfaces are translated into routable IDs and transmitted on a clear interface).
3.9.3 VLAN ID Table
The VLAN IDs you use on your network, for the native VLAN and for translate-mode mapping, are stored in the VLAN ID Table. The contents of the table determine the VLANs available for assignment to the Bridge’s interfaces. The VLAN ID Table defines the VLAN trunk for the Bridge, as used by all interfaces on the Bridge configured as Trunk ports.
In the resulting dialog, enter the ID number of the VLAN you want to add to the configuration and click OK. The ID number of the VLAN you added will be listed in the VLAN Active ID Table.
3 You cannot delete a VLAN ID from the Bridge configuration while it is in use, as indicated by a red asterisk to the right of the ID number. The marked VLAN ID may be in use by one of the Bridge’s Ethernet interfaces (Section 3.7.6), radio BSS interfaces (Section 3.3.4.
2 In the VLAN Translate Map Records frame, click NEW RECORD.
3 On the resulting Edit VLAN screen, in VLAN Map Record:
In Record Name: enter a descriptive name for the mapping record.
In Routable ID: enter the routable VLAN ID for packets passed through the clear zone (to the wired LAN).
In Non-Routable ID: enter the corresponding non-routable VLAN ID for packets passed through the encrypted zone (to the WLAN).
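The translate map above pairs a routable VLAN ID on the clear side with a non-routable ID on the encrypted side, and the Trunk port description in Section 3.7 says the 802.1p priority bits travel unchanged. The following Python is an added example, not code from the guide or from Fortress, that models both: a map of records that refuses duplicate IDs and out-of-range values, and a function that rewrites only the 12-bit VID of an 802.1Q-tagged Ethernet frame while leaving the PCP/DEI bits intact. The class and function names, the direction labels and the constructed sample frame are the example's own; how the Bridge treats a tagged frame with no record is not stated on this page, so the example raises rather than forwarding it.

```python
import struct

TPID_8021Q = 0x8100
TO_ENCRYPTED = "clear->encrypted"   # routable ID in, non-routable ID out
TO_CLEAR = "encrypted->clear"       # non-routable ID in, routable ID out


class VlanTranslateMap:
    """Records pairing a routable (clear-zone) VLAN ID with a non-routable (encrypted-zone) one."""

    def __init__(self):
        self._to_encrypted = {}     # routable -> non-routable
        self._to_clear = {}         # non-routable -> routable
        self.records = {}           # record name -> (routable, non-routable)

    def add_record(self, name: str, routable_id: int, non_routable_id: int) -> None:
        for vid in (routable_id, non_routable_id):
            if not 1 <= vid <= 4094:
                raise ValueError(f"VLAN ID {vid} is outside 1..4094")
        if routable_id in self._to_encrypted or non_routable_id in self._to_clear:
            raise ValueError("each VLAN ID may appear in only one translate record")
        self._to_encrypted[routable_id] = non_routable_id
        self._to_clear[non_routable_id] = routable_id
        self.records[name] = (routable_id, non_routable_id)

    def translate(self, vid: int, direction: str) -> int:
        if direction == TO_ENCRYPTED:
            table = self._to_encrypted
        elif direction == TO_CLEAR:
            table = self._to_clear
        else:
            raise ValueError(f"unknown direction {direction!r}")
        if vid not in table:
            raise KeyError(f"VLAN {vid} has no translate record for {direction}")
        return table[vid]


def rewrite_vlan_id(frame: bytes, vmap: VlanTranslateMap, direction: str) -> bytes:
    """Rewrite the VID of an 802.1Q-tagged Ethernet frame, preserving PCP/DEI (the 802.1p bits)."""
    if len(frame) < 18:
        raise ValueError("frame too short to carry an 802.1Q tag")
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != TPID_8021Q:
        raise ValueError("frame is untagged")
    pcp_dei = tci & 0xF000
    new_vid = vmap.translate(tci & 0x0FFF, direction)
    return frame[:14] + struct.pack("!H", pcp_dei | new_vid) + frame[16:]


def constructed_tagged_frame(pcp: int, vid: int) -> bytes:
    """A constructed sample frame (not captured traffic): broadcast dst, made-up src, IPv4 ethertype."""
    header = bytes.fromhex("ffffffffffff") + bytes.fromhex("0242ac110002")
    tag = struct.pack("!HH", TPID_8021Q, (pcp << 13) | vid)
    return header + tag + bytes.fromhex("0800") + bytes(8)
```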
3.10 ES210 Bridge Serial Port Settings
The serial port on the front panel of the ES210 Bridge is configured by default to be used for Console port access to the Bridge CLI, as other Bridge model serial ports are used. On the ES210 Bridge, you can reconfigure the serial port to instead connect the Bridge to an external third-party Serial Sensor, or another serial device.
automatic setting for the Console port), 19200, or 38400 (the default when Serial Sensor Settings are Enabled). Parity - specifies whether the parity bit used for error checking results in an Even or Odd number of bits per byte or, with a setting of None (the default), that no parity bit should be added. Stop Bits - specifies whether the port should use a stop bit of 1 (the default) or 2.
Bridge GUI Guide: Security Configuration
Chapter 4 Security, Access, and Auditing Configuration
4.1 Fortress Security
The Security Settings frame provides controls for various aspects of the Bridge’s overall network security provisions: Fortress MSP (Mobile Security Protocol) functions including key establishment, data encryption and network Access ID; FIPS operation; global session timeouts; and several additional management and network access settings.
all networked environments that are not required to comply with FIPS. As of this writing, FIPS operating mode in the current version of Bridge software is in the process of being validated as compliant with FIPS 140-2 Security Level 2.
4.1.3 MSP Key Establishment
You can configure the method that the Bridge and its Secure Clients (and other connecting controller devices) use to establish data encryption keys. In Normal operating mode (Section 4.1.
4.1.4 MSP Re-Key Interval
Fortress Bridges generate new keys at defined intervals, renegotiating dynamic keys with their Secure Clients whenever those Clients are logged on. You can specify the re-key interval, in hours, at values between 1 and 24. The default is 4.
4.1.8 FIPS Self-Test Settings
The Bridge runs a number of self-tests described in FIPS 140-2 (Federal Information Processing Standards’ Security Requirements for Cryptographic Modules). FIPS tests run—and self-test failures are logged—regardless of whether the Bridge is in FIPS or Normal operating mode. When the Bridge is in FIPS operating mode, it will additionally shut down and reboot upon the failure of any FIPS self-test, as required by FIPS 140-2 (refer to Section 4.
Encrypted-interface cleartext traffic must be enabled to support AP management rules on the Bridge and Trusted Device access to the Bridge’s encrypted zone. In FIPS terminology, when clear text is enabled on the Bridge’s encrypted interfaces, the Bridge is in FIPS Bypass Mode. Disabling cleartext traffic on encrypted interfaces after AP management rules or Trusted Devices have been configured will not remove them from the configuration.
on any encrypted interface, including by configured cleartext devices, regardless of the Guest Management setting. You can enable/disable Guest Management only in Advanced View.
4.1.13 Cached Authentication Credentials
When a device’s session times out, the device is required to renegotiate encryption keys in order to reconnect to the network. When Cached Auth.
Figure 4.2. Advanced View, Fortress Security Settings frame, all platforms
4.1.16 Changing Basic Security Settings:
Table 4.1 shows which settings can be configured only in Advanced View.
Table 4.1. Security Settings
Simple & Advanced Views: Operating Mode, Encryption Algorithm, GUI Access, SSH Access, Re-key Interval, Blackout Mode, Key Establishment, Access ID
Advanced View Only: FIPS Reseed Interval, FIPS Test Interval, FIPS Periodic Tests, FIPS Cont. RNG Tests, Enc.
4.1.17 Fortress Access ID
The Access ID provides network authentication for the Fortress Security System. This 16- or 32-digit hexadecimal ID is established during installation, after which the same Access ID must be specified for all of the Bridge’s Secure Clients (and other connecting Fortress controller devices). Likewise, if you change the Bridge’s Access ID, you must subsequently make the same change to all of its Secure Clients’ Access IDs.
or
If you want to manually enter a 16-digit or a 32-digit hexadecimal Access ID of your own composition:
3 In New Access ID and Confirm Access ID, enter the 16- or 32-digit hexadecimal Access ID to be used by the Bridge and its Secure Clients. Record the Access ID in a safe place. Once you have left the screen on which it was initially established, the Access ID can never again be displayed.
devices, using its own IP address as the IPsec peer address and conducting IKE transactions on behalf of (and transparently to) the devices it secures. IPsec can be used alone or in conjunction with the Fortress Security settings described in Section 4.1.
4.2.1 Global IPsec Settings
IPsec is globally disabled by default.
Suites - selects the cryptographic algorithm suite(s) that the Bridge will accept when acting as an IKE responder and will offer when acting as an IKE initiator.
How traffic defined by an SPD entry will be handled is determined by the Action specified in the entry, as shown in Table 4.2.
Table 4.2.
Action - determines how packets selected by the local and remote subnet parameters specified above will be handled:
Drop - drop packets without further processing (default selection)
Bypass - receive and send only packets unprotected by IPsec
Apply - receive and send only packets protected by IPsec
Peer Address - if the Action to be applied by the SPD entry is Apply, you must identify the IP address of the remote device to and from which IPsec-protected
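An SPD entry selects traffic by local and remote subnet and assigns it one of the three actions above, with a Peer Address required for Apply. The following Python is an added example, not code from the guide or from Fortress, of an SPD lookup built on those fields: it validates each entry as the frame does (Apply without a peer is rejected), matches a packet's addresses against the subnets, and returns the action and peer. Two points the page leaves open are the example's own assumptions: when several entries match, the one with the longest combined prefix wins, and traffic no entry selects is dropped. Names and the 10.x/203.0.113.x sample addresses are the example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACTIONS = ("Drop", "Bypass", "Apply")


@dataclass
class SpdEntry:
    name: str
    local_subnet: str
    remote_subnet: str
    action: str
    peer_address: Optional[str] = None   # required when action is Apply

    def __post_init__(self):
        if self.action not in ACTIONS:
            raise ValueError(f"action must be one of {ACTIONS}")
        if self.action == "Apply" and not self.peer_address:
            raise ValueError("an Apply entry needs the IPsec Peer Address")
        if self.peer_address:
            ipaddress.ip_address(self.peer_address)          # syntax check only
        self.local = ipaddress.ip_network(self.local_subnet, strict=False)
        self.remote = ipaddress.ip_network(self.remote_subnet, strict=False)

    def matches(self, local_ip: str, remote_ip: str) -> bool:
        return (ipaddress.ip_address(local_ip) in self.local
                and ipaddress.ip_address(remote_ip) in self.remote)

    @property
    def specificity(self) -> int:
        return self.local.prefixlen + self.remote.prefixlen


def spd_lookup(spd: List[SpdEntry], local_ip: str, remote_ip: str) -> Tuple[str, Optional[str]]:
    """Return (action, peer_address) for a packet between local_ip and remote_ip.

    Choosing the most specific (longest combined prefix) of several matching entries, and
    dropping unmatched traffic, are the example's assumptions; the guide states the actions only.
    """
    best = None
    for entry in spd:
        if entry.matches(local_ip, remote_ip):
            if best is None or entry.specificity > best.specificity:
                best = entry
    if best is None:
        return ("Drop", None)
    return (best.action, best.peer_address)
```

The ordering of Drop as the default selection in the frame and in the unmatched case here means that enabling IPsec with an incomplete SPD fails closed: traffic is dropped until an entry explicitly bypasses or protects it.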
4.2.3 IPsec Pre-Shared Keys
As an alternative to using a digital certificate, the identity of a given IPsec peer can be authenticated by a static pre-shared key (PSK), as configured on both parties to the initial ISAKMP transaction. PSKs on the Bridge can be specified as a string of ASCII characters or a series of hex bytes (hexadecimal pairs). Alternatively, you can generate a random key, of a specified length, expressed in hex bytes.
Figure 4.6.
To delete IPsec peer PSKs:
1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> IPsec from the menu on the left.
2 In the IPsec Settings screen’s Pre-Shared Keys frame: If you want to delete the PSK for a single or selected IPsec peers, click to place a checkmark in the box(es) beside the IP address(es) of the peer(s) for which you want to delete the PSK(s).
matches the DN: C=US, ST=Florida, O="Fortress Technologies" OU=Engineering
but does not match the DNs:
C=US, ST=Florida, OU=Engineering
C=US, ST=Florida, L=Oldsmar, O="Fortress Technologies"
Priority - establishes the order in which the ACL entry will be applied, from 1 to 100, relative to other configured ACL entries. Priority values must be unique. Entries with lower Priority numbers take precedence over those with higher Priority numbers.
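The three DNs above show one match and two non-matches for an ACL entry whose own DN pattern is not visible on this page. The following Python is an added example, not code from the guide or from Fortress: a small DN parser that handles quoted values such as O="Fortress Technologies", a matching rule, and evaluation of ACL entries in Priority order with the uniqueness check. The matching rule is the example's assumption, chosen to agree with all three results shown: the entry's RDNs must appear in order as the leading RDNs of the peer's DN, with further RDNs allowed after them but none inserted between them. The assumed pattern C=US, ST=Florida, O="Fortress Technologies", the entry names and the class names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# attr=value pairs; a value is either double-quoted (may contain commas and spaces) or runs to the next comma
_RDN_RE = re.compile(r'([A-Za-z]+)=("[^"]*"|[^,]*)')


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a distinguished name into ordered (attribute, value) pairs, unquoting quoted values."""
    pairs = []
    for attr, value in _RDN_RE.findall(dn):
        value = value.strip()
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        pairs.append((attr.upper(), value))
    return pairs


def dn_matches(pattern: str, dn: str) -> bool:
    """Assumed rule: the entry's RDNs must appear, in order, as the leading RDNs of the peer's DN;
    further RDNs after them are allowed, but none may be inserted between them."""
    want, have = parse_dn(pattern), parse_dn(dn)
    return len(have) >= len(want) and have[:len(want)] == want


@dataclass
class AclEntry:
    name: str
    priority: int        # 1..100, unique across entries; lower numbers are applied first
    dn_pattern: str

    def __post_init__(self):
        if not 1 <= self.priority <= 100:
            raise ValueError("Priority must be between 1 and 100")


def evaluate_acl(entries: List[AclEntry], peer_dn: str) -> Optional[str]:
    """Return the name of the first entry, in Priority order, whose pattern matches peer_dn."""
    if len({e.priority for e in entries}) != len(entries):
        raise ValueError("Priority values must be unique")
    for entry in sorted(entries, key=lambda e: e.priority):
        if dn_matches(entry.dn_pattern, peer_dn):
            return entry.name
    return None
```

Note the consequence of the assumed rule for the second non-match: adding an RDN such as L=Oldsmar in the middle of an otherwise identical DN is enough to defeat a match, so certificate subjects issued to peers must be laid out consistently with the ACL entries that are meant to admit them.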
Bridge GUI Guide: Security Configuration Authentication is enabled on the Bridge when at least one authentication server is configured and enabled on the Bridge. You can configure two types of authentication server for the network, depending on the network configuration: NOTE: If you are using an external RADIUS server, configure user timeouts in that service. Fortress Auth.
Bridge GUI Guide: Security Configuration Role, Fortress-Password-Expired) and administrators must be configured on the server. Fortress Vendor-Specific Attributes are provided in the dictionary.fortress configuration file included on the Bridge software CD and are available for download at www.fortresstech.com/support/.
Bridge GUI Guide: Security Configuration relevant server and failed credentials are not forwarded to any other server. If the server with first priority for a given authentication type becomes unavailable, the next server in the priority sequence that has also been configured to support that authentication type will be used. In Advanced View, where you can configure up to four RADIUS servers, you can specify the priority number of each. In Simple View, RADIUS Server 1 has priority over RADIUS Server 2.
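The selection rule in the paragraph above, as an added example written for this guide rather than code from the Bridge: servers are tried in priority order, a server is passed over only after it has been unreachable for the configured number of retries, and a definitive reject ends the attempt without forwarding the credentials to the next server. The authentication-type labels, the transport callback and the retry parameters are assumptions; the Bridge's own Max Retries and Retry Interval settings (Table 4.4) are what they stand in for.

```python
# Added example: priority-ordered RADIUS server selection with failover only
# on unavailability. Not Fortress code; auth-type labels are assumed.
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple
import time


@dataclass
class RadiusServer:
    name: str
    address: str
    priority: int                 # lower number = tried first
    auth_types: frozenset         # e.g. {"user", "device", "802.1X"} (labels assumed)
    enabled: bool = True          # Admin. State
    max_retries: int = 3          # Max Retries
    retry_interval: float = 2.0   # Retry Interval, seconds


# Callback contract (assumed): returns "accept", "reject", or None when the
# server did not answer within the timeout.
SendFn = Callable[[RadiusServer], Optional[str]]


def ordered_candidates(servers: Iterable[RadiusServer], auth_type: str) -> List[RadiusServer]:
    """Enabled servers that support auth_type, in priority order.
    Priorities must be unique so the order is unambiguous."""
    chosen = [s for s in servers if s.enabled and auth_type in s.auth_types]
    prios = [s.priority for s in chosen]
    if len(prios) != len(set(prios)):
        raise ValueError("RADIUS server priorities must be unique")
    return sorted(chosen, key=lambda s: s.priority)


def authenticate(servers: Iterable[RadiusServer], auth_type: str, send: SendFn,
                 sleep: Callable[[float], None] = time.sleep) -> Tuple[Optional[str], str]:
    """Return (server_name, outcome); outcome is "accept", "reject" or "no-server".
    A reject is final: the credentials are not retried on the next server."""
    for server in ordered_candidates(servers, auth_type):
        for attempt in range(server.max_retries + 1):
            answer = send(server)
            if answer is not None:
                return server.name, answer
            if attempt < server.max_retries:
                sleep(server.retry_interval)
        # unreachable after the retries: fall through to the next priority
    return None, "no-server"


if __name__ == "__main__":
    pool = [
        RadiusServer("radius-2", "10.0.0.2", priority=2, auth_types=frozenset({"user"})),
        RadiusServer("radius-1", "10.0.0.1", priority=1, auth_types=frozenset({"user", "device"})),
    ]
    down = {"radius-1"}  # constructed scenario: the first-priority server is unreachable
    print(authenticate(pool, "user", lambda s: None if s.name in down else "accept",
                       sleep=lambda _: None))
```

The `sleep` parameter exists so that the retry interval can be observed without waiting for it; in a real client it is the wall-clock delay between resends of the same Access-Request.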
4.3.1.3 Server Type and Authentication Types The Server Type setting identifies the type of authentication service running on the configured server, while the Auth Types selections specify which type(s) of authentication credentials will be sent to the server. Refer to the description at the beginning of this section (Section 4.3) on page 133 for more detail. 4.3.1.
Table 4.4. External Authentication Server Settings
Simple & Advanced Views        Advanced View Only
Admin. State                   Priority
IP Address                     Max Retries
Server Name                    Retry Interval
Port                           Auth Types
Server Type
New/Confirmed Shared Key
To configure a RADIUS server in Simple View: 1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> RADIUS Settings from the menu on the left.
4.3.2.2 Local Authentication Server Port and Shared Key The Port setting configures the port used to communicate with the local authentication server. The default authentication server port is 1812, as assigned by IANA (the Internet Assigned Numbers Authority) for RADIUS authentication. Use the New Shared Key and Confirm Shared Key fields to establish the shared key for the Bridge’s internal authentication server. In RADIUS (RFC 2865) the shared key is the only secret that hides user passwords in transit and authenticates the server’s replies, so choose a long random value rather than a short word.
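To make concrete what the shared key protects, here is an added example (written for this guide, not Bridge or Fortress code) of the two places RFC 2865 uses it: hiding the User-Password attribute in an Access-Request and computing the Response Authenticator the client checks on the reply. Both are MD5 keyed only by the shared secret plus a 16-byte nonce, so a guessable secret lets anyone who captured the exchange recover passwords offline and forge replies. The user name, password, secret and identifiers are constructed for the example.

```python
# Added example: RFC 2865 User-Password hiding and Response Authenticator,
# the two operations a RADIUS shared secret keys. Not Fortress code.
import hashlib
import hmac
import secrets
import struct
from typing import Optional

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: Type, Length (including these 2 bytes), Value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, then c_i = p_i XOR MD5(secret || c_{i-1})
    with c_0 = Request Authenticator. Confidentiality rests entirely on `secret`."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_user_password: what the server does, and what an eavesdropper
    who guessed the secret can do offline. Trailing NULs are padding."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty 16-byte multiple")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")


def access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                   request_auth: Optional[bytes] = None) -> bytes:
    """Client side: Access-Request carrying User-Name and a hidden User-Password."""
    request_auth = request_auth or secrets.token_bytes(16)  # fresh nonce per request
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_user_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, identifier: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def server_reply(code: int, request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side: a reply bound to the request's nonce and the shared secret."""
    identifier, request_auth = request[1], request[4:HEADER_LEN]
    resp_auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs)) + resp_auth + attrs


def verify_reply(reply: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: a reply whose authenticator was not keyed by our secret and our
    request's nonce is discarded, so a forged Access-Accept is not trusted."""
    if len(reply) < HEADER_LEN:
        return False
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or identifier != request[1]:
        return False
    expected = response_authenticator(code, identifier, reply[HEADER_LEN:],
                                      request[4:HEADER_LEN], secret)
    return hmac.compare_digest(expected, reply[4:HEADER_LEN])


if __name__ == "__main__":
    secret = b"use-a-long-random-shared-key"  # constructed for the example
    req = access_request(7, b"alice", b"correct horse battery", secret)
    print("genuine Access-Accept verifies:",
          verify_reply(server_reply(ACCESS_ACCEPT, req, secret), req, secret))
    print("Access-Accept forged without the secret verifies:",
          verify_reply(server_reply(ACCESS_ACCEPT, req, b"guess"), req, secret))
```

Note that nothing here authenticates the Access-Request itself; the client is identified only by the secret it shares with the server, which is one more reason the key should be long and random.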
(Section 4.1.13), the user will be prompted to re-enter a valid username and password. Set Default Idle Timeout in minutes, between 1 and 720. The default is 30 minutes. The Default Session Timeout setting determines how long a device can be present on the network before the current session is ended and the associated Device ID and/or user credentials must be reauthenticated and keys renegotiated before the connection can be re-established.
4.3.2.7 Local 802.1X Authentication Settings The Bridge’s internal RADIUS server can be configured to authenticate 802.1X supplicant credentials using two possible EAP (Extensible Authentication Protocol) types. EAP-MD5 verifies an MD5 (Message-Digest algorithm 5) hash of each user’s password over a challenge, which requires the user’s credentials to be present in the Bridge’s local user authentication service before the local 802.1X service can authenticate that user. Note that EAP-MD5 authenticates only the supplicant to the server, not the server to the supplicant, and derives no keying material, so use it only where those limitations are acceptable; EAP-TLS provides both.
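What the local server actually checks for EAP-MD5, and why that check needs the user's password on hand, is easier to see in code. The following is an added example for this guide (not Bridge or Fortress code) of the EAP-Request/MD5-Challenge and EAP-Response exchange from RFC 3748 section 5.4 with the CHAP hash from RFC 1994, the server-side verification, and the offline dictionary attack that anyone who captured both frames can run. The user name, password, challenge and word list are constructed.

```python
# Added example: EAP-MD5-Challenge exchange, verification, and the offline
# dictionary attack it permits. Not Fortress code; all inputs constructed.
import hashlib
import hmac
import secrets
import struct
from typing import Callable, Iterable, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_MD5_CHALLENGE = 4


def md5_challenge_value(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 s4.1 / RFC 3748 s5.4: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def build_request(identifier: int, challenge: bytes, name: bytes = b"") -> bytes:
    """EAP-Request/MD5-Challenge: Code Identifier Length Type Value-Size Value Name."""
    body = bytes([len(challenge)]) + challenge + name
    return struct.pack("!BBHB", EAP_REQUEST, identifier, 5 + len(body),
                       EAP_TYPE_MD5_CHALLENGE) + body


def build_response(identifier: int, password: bytes, challenge: bytes, name: bytes) -> bytes:
    """Supplicant side: same layout; Value is the 16-byte MD5 result, Name the user."""
    body = bytes([16]) + md5_challenge_value(identifier, password, challenge) + name
    return struct.pack("!BBHB", EAP_RESPONSE, identifier, 5 + len(body),
                       EAP_TYPE_MD5_CHALLENGE) + body


def parse(packet: bytes) -> Tuple[int, int, bytes, bytes]:
    """Return (code, identifier, value, name); rejects truncated or non-MD5 packets."""
    if len(packet) < 6:
        raise ValueError("EAP packet too short")
    code, identifier, length, eap_type = struct.unpack("!BBHB", packet[:5])
    if length != len(packet) or eap_type != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a complete EAP MD5-Challenge packet")
    size = packet[5]
    if 6 + size > len(packet):
        raise ValueError("Value-Size exceeds packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def new_challenge(identifier: int, name: bytes = b"") -> Tuple[bytes, bytes]:
    """Authenticator side: a fresh random challenge per request (reuse would let a
    recorded response be replayed). Returns (request_packet, challenge)."""
    challenge = secrets.token_bytes(16)
    return build_request(identifier, challenge, name), challenge


def verify_response(response: bytes, challenge: bytes,
                    lookup_password: Callable[[bytes], Optional[bytes]]) -> bool:
    """Server side. The hash is recomputed from the stored password, which is why
    the user must already exist in the local user store."""
    code, identifier, value, name = parse(response)
    if code != EAP_RESPONSE or len(value) != 16:
        return False
    password = lookup_password(name)
    if password is None:
        return False
    return hmac.compare_digest(md5_challenge_value(identifier, password, challenge), value)


def offline_dictionary_attack(request: bytes, response: bytes,
                              wordlist: Iterable[bytes]) -> Optional[bytes]:
    """An eavesdropper who captured both frames (on wireless, anyone in range)
    needs no further interaction with the server: one MD5 per candidate."""
    _, req_id, challenge, _ = parse(request)
    _, resp_id, value, _ = parse(response)
    if req_id != resp_id:
        return None
    for candidate in wordlist:
        if md5_challenge_value(req_id, candidate, challenge) == value:
            return candidate
    return None


if __name__ == "__main__":
    users = {b"alice": b"winter2010"}  # constructed local user store
    request, challenge = new_challenge(identifier=7, name=b"bridge")
    response = build_response(7, users[b"alice"], challenge, b"alice")
    print("server accepts:", verify_response(response, challenge, users.get))
    wordlist = [b"password", b"summer2010", b"winter2010"]
    print("recovered offline:", offline_dictionary_attack(request, response, wordlist))
```

The attack function is the practical reason to prefer EAP-TLS on a wireless link: with EAP-MD5 the only thing between a captured exchange and the user's password is the password's own strength.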
In EAP-TLS, the authentication server selects the cipher suite to use from the list of supported suites sent by the client device (or rejects the authentication request if none of the proposed suites is acceptable). TLS Cipher does not apply to EAP-MD5 authentication. EAP Protocols - specifies the EAP type(s) the Bridge can use to authenticate 802.
4.3.3 Local User and Device Authentication You can configure user and device authentication settings even when the Bridge’s local authentication is disabled (the default). The settings are applied only when the local RADIUS server is enabled (refer to Section 4.3.2). 4.3.3.1 Local User Authentication Accounts Locally authenticated users are displayed in the User Entries list on Configure -> RADIUS Settings -> Local Server.
Individual User Authentication Settings User authentication on the Fortress Bridge requires the usual settings to identify, track and manage access for each user on the Bridge-secured network. Figure 4.11. Advanced View User Database Entry frame, all platforms Administrative State - determines whether user access to the account is Enabled (the default) or Disabled. Username - identifies the user on the network, from 1 to 16 alphanumeric characters; required.
default, the Session Timeout value in the User Authentication Setting frame will be 20 minutes. You can add and edit locally authenticated users only in Advanced View.
Click the User Entries frame’s DELETE button, then click OK in the confirmation dialog. Deleted accounts are removed from the User Entries list. 4.3.3.2 Local Device Authentication Fortress’s device authentication assigns each Fortress device, including those running the Fortress Secure Client, a unique Device ID that is subsequently used to authenticate the device for access to the Fortress-secured network.
In Authentication Method, simultaneously enable device authentication and configure the default user authentication setting by selecting one of: Device auth with user auth by default - enables user authentication for new devices by default. Device auth without user auth by default - disables user authentication for new devices by default. Click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes).
for instance), that hostname is included for the device when it is first added to the DEVICE AUTHENTICATION screen. If no hostname is associated with the device, it is added without one. You can edit an existing hostname or add one for a device that has no hostname.
of the page, then Configure -> RADIUS Settings from the menu on the left. 2 On the RADIUS Settings screen, click the Local Server tab. 3 In the Device Entries frame: If you are adding a device, click NEW DEVICE and enter valid values (described above) into the Device Database Entry frame. or If you are editing an existing account, click the EDIT button for the account you want to reconfigure and enter new values for the settings you want to change.
device’s session is idle timed out by the Bridge in this way, the device must re-establish its connection; if it is re-accessing an encrypted zone, it must also reauthenticate. Idle timeouts can be configured for two types of devices: Secure Client devices - devices running the Fortress Secure Client to connect to the Bridge’s encrypted zone. Host devices - devices in the Bridge’s clear zone.
The remaining Access Control functions are covered below. These prevent, or define limits for, overall network access, whether by administrators or users. 4.5.1 MAC Address Access Control The Bridge allows you to create and maintain an ACL of MAC (Media Access Control) addresses permitted to access the Bridge-secured network. Because a MAC address is sent in the clear and can be set arbitrarily by the sender, treat the MAC ACL as a filter against unintended connections rather than as authentication; rely on device and user authentication (Section 4.3) to admit devices.
Figure 4.16. Advanced View MAC Access Whitelist frame, all platforms 5 When you have finished adding permitted MAC addresses, in the MAC Access Whitelist frame, in Administrative State, click Enabled. 6 Click APPLY on the right of the frame. If you navigate away from the screen without clicking APPLY, the Administrative State is not changed. The MAC ACL reflects your changes.
To edit the description of an existing MAC address entry: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left.
Allow - (the default) auto-populating controller devices are allowed to connect.
Pending - auto-populating controller devices require an administrator to change their individual Auth State settings to Allow before they can connect.
Deny - auto-populating controller devices are not allowed to connect.
You can also manually add controller devices to the Bridge’s Authorized Controller Devices list.
In the Edit a Controller entry dialog, edit the MAC address or Auth State (you cannot change the Device ID). Click APPLY in the dialog (or CLOSE it to cancel the action). When you have finished adding and/or editing Controller entries, click APPLY in the upper right of the screen (or RESET screen settings to cancel your changes). The Controller Access List reflects your changes. Figure 4.19.
the smallest effective set of accessible ports is specified for each
3 cleartext device access is enabled only when needed
Once cleartext access to encrypted interfaces has been established for a device, the Bridge uses the device’s MAC address, IP address and port number to authenticate it on the network. All three of those values travel unencrypted and can be spoofed by a host on the same segment, which is why the list above limits cleartext access as tightly as the device’s function allows.
having no means to decrypt/encrypt Fortress MSP traffic). To do so, you must configure cleartext access for the AP. Cleartext access configured to permit direct communication with APs represents a security risk: APs’ MAC addresses are necessarily transmitted in clear text and could be spoofed, so restrict such access to the ports the AP actually needs and remove it when it is no longer required.
Well Known Trusted Device Ports Well Known TD Ports - specifies accessible groups of well known ports, grouped by function. Well Known TD Ports options are available only when Device Type (Section 4.5.3) is Trusted Device. Figure 4.22. Advanced View Well Known TD Ports frame, all platforms Access Control functions are available only in Advanced View.
To delete cleartext access for APs and Trusted Devices: You can delete cleartext access to the Bridge’s encrypted zone for a single device or for all devices. 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Access Control from the menu on the left.
of the page, then Configure -> Logging/Auditing from the menu on the left. 2 In the Logging/Auditing screen’s Global Logging Settings frame: In Auditing - click Enabled to turn audit logging on. In Remote Log Storage - click Enabled to direct the Bridge to use the network syslog server. In Remote Log Host - enter the IP address of the syslog server.
Figure 4.24. Advanced View Global Auditing Settings frame, radio-equipped platforms 4.6.2.1 Logging Administrative Activity by Event Type You can specify which events are sent to the audit log by three broad types: Login - When Enabled, logon activity by subject administrators is sent to the audit log. When Login is Disabled, the logon activity of subject administrators is not sent.
through and whether the interface is encrypted or clear, wired or wireless: Audit by User Interface - There are four ways an administrator can access the Bridge:
Console - a serial connection to the chassis Console port
SSH - a Secure Shell connection to the Bridge CLI
GUI - an HTTPS (Hypertext Transfer Protocol Secure) connection to the Bridge GUI
SNMP - Simple Network Management Protocol transactions
Audit by Fortress Security - All remote management
4.6.2.3 To configure audit logging by event type, Fortress security status and interface: 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Configure -> Logging/Auditing from the menu on the left. 2 In the Logging/Auditing screen’s Global Auditing Settings frame, enter new values for the controls you want to configure. (Your options are described in sections 4.6.2.1 and 4.6.2.
2 In the Logging/Auditing screen’s MAC Auditing Settings frame, click NEW MAC ENTRY. 3 In the resulting screen’s MAC Auditing Entry frame, enter the MAC address you want to configure for audit logging and, optionally, a description of up to 250 alphanumeric characters, symbols and/or spaces. 4 In the same frame, enter new values for the Audit by... controls you want to configure (described above).
To configure learned device audit logging: 1 Log on to the Bridge GUI through an Administrator-level account and select Configure -> Logging/Auditing from the menu on the left.
Bridge GUI Guide: Monitoring Chapter 5 System and Network Monitoring The Bridge GUI provides access to an array of system and operating information on Configure -> Administration and under Monitor on the main menu, and displays the FIPS indicators described below on every screen. 5.1 FIPS Indicators In the upper left of Bridge GUI screens, above the main menu, the Bridge reports three pieces of information relevant to Federal Information Processing Standards (FIPS) 140-2 Security Level 2. Figure 5.1.
these fields displays the basic FIPS state; the text output can reiterate or augment the indicator:
Green - Healthy - The Bridge passed the last FIPS tests.
Yellow - Testing - The Bridge is running FIPS self tests.
Red - Critical - The Bridge is in FIPS failed state and will reboot (refer to Section 4.1.1).
A Bridge in Normal operating mode always displays a Status of Healthy. 5.
System Information displays: Unencrypted MAC - the MAC address of the Bridge’s management interface Device ID - the Fortress Device ID, as uniquely generated for each device on a Fortress-secured network and used, when applicable, for device authentication.
(No Lines). The legend in the top right corner of the screen shows what the lines depict and the relative ranges indicated by Green, Yellow, and Red status colors. By default, Bridges in the Topology View are labeled with their IPv4 addresses. Alternatively, you can change the OPTIONS to label network Bridges by Hostname, IPv6 Address, MAC Address, Device ID, or No Labels. Figure 5.5.
5.4.1 Uploading a Background Image You can upload a JPEG (.jpg) image file of up to 1 MB, typically a map or satellite image, to use as the Topology View background. 1 Log on to the Bridge GUI through an Administrator-level account and select Monitor -> Topology View from the menu on the left. 2 On the Topology View screen, click OPTIONS. 3 On the resulting screen, click Browse. 4 On the resulting screen, navigate to the image file you want to upload and click OK.
configured (as APs or FP Mesh Access interfaces) to provide network access to wireless devices within range. Figure 5.7. Connections screen, Associations tab, all radio-equipped platforms Radio - identifies the radio to which the device is connected. BSS - shows the name of the Basic Service Set through which the device is connected. MAC Address - displays the Media Access Control address of the associated device. Wi-Fi Security - displays the IEEE 802.
shows current connections to any BSS the Bridge has configured as the bridging interface in a network of Fortress Bridges. Figure 5.8. Connections screen, Bridge Links tab, all radio-equipped platforms radio N - identifies the radio on which the BSS forming the bridging link is configured. Signal Strength - dynamically displays the strength of the RF signal forming the link, measured in real time at one-second intervals, in decibels referenced to one milliwatt (dBm).
Because of the radio enhancements and traffic handling efficiencies defined in the newer standard, bridging links formed between radios configured to use 802.11n (refer to Section 3.3.2.2) can show Rate values higher than the Maximum Rate configured for either individual interface (refer to Section 3.3.4.10). 5.5.3 Secure Client and WPA2 Device Connections Fortress Secure Clients connect to an encrypted interface on the Bridge using Fortress’s Mobile Security Protocol (MSP).
Auth State - the state of the device’s network authentication process. Possible values include:
Unknown - connected, not yet ready to proceed
Initial - ready to proceed, waiting for Client to respond
Started - response received, authentication in process
Success - authentication succeeded: network access permitted
Locked - authentication failed: network access blocked
Conn. State - the state of the device’s network connection.
The controls at the upper left of the tab and individual checkboxes for connected Clients permit you to: RESET selected sessions: end their current sessions and force them to reauthenticate on the Bridge. When Allow Cached Credentials is Enabled (the default), locally authenticated users are reauthenticated transparently, using cached user credentials; when the function is Disabled, locally authenticated users are prompted for their login credentials (Section 4.1.13).
Update Access ID - Access ID push in progress for the device Date Learned - the start date/time of the controller device’s current session The controls at the upper left of the tab and individual checkboxes for connected controller devices permit you to: RESET selected sessions: end their current sessions and force them to reauthenticate on the Bridge.
Success - authentication succeeded: network access permitted Locked - authentication failed: network access blocked Auth State does not apply to hosts connected through a clear interface on the current Bridge. Date Learned - the start date/time of the current session with the host device 5.5.6 AP and Trusted Devices Connections Trusted Devices or 3rd-party access points (APs) can be configured on the Bridge for encrypted interface access (Section 4.5.3).
The MAC Address, IP Address and Hostname of the DHCP client device are displayed, followed by the date and time the lease Expires. Figure 5.12. Connections screen, DHCP Leases tab, all platforms Configuration and operation of the Bridge’s DHCP services are described in Section 3.6.1. 5.6 Statistics Monitoring Traffic Statistics at the top of the Monitor -> Statistics screen displays statistics for overall encrypted-interface traffic.
Bad Packets - malformed packets received (packets can be malformed for a number of reasons, such as version incompatibility or a failed hash check)
Bad Keys - malformed key exchange packets
Bad Decrypted - key packets the Bridge was unable to decrypt
5.6.2 Interface Statistics Bridge interfaces displayed on the Monitor -> Statistics screen are grouped by type.
Duplex - displays whether the device’s transmission mode is Full Duplex or Half Duplex (or displays n/a if the duplex setting does not apply). State - the bridging status of the node from which the link is made. Possible values and meanings depend on the Bridge’s current Bridging Mode setting (Section 3.
MAC Address - the Media Access Control address of the virtual interface the BSS provides 5.6.2.3 Bridge Link Interface Statistics BSSs that are acting as nodes in a mesh network of Fortress Bridges (i.e., those performing a network bridging function) are shown in their own frame. Figure 5.16. Statistics screen, Bridge Link Interface Statistics frame, all radio-equipped platforms In addition to the Status and basic interface statistics (described in Section 5.3.
5.6.3 VLAN Statistics The Bridge tracks VLAN traffic and displays the information, by VLAN ID, for each configured VLAN ID, in Monitor -> Statistics -> VLAN Statistics. Figure 5.17. Statistics screen, VLAN Statistics frame, all platforms For each of packets received (RX) and packets sent (TX) on each VLAN configured on the Bridge, the screen displays: Clear - unencrypted packets received/sent Encrypted - encrypted packets received/sent Config.
Peer Address - identifies the remote IPsec peer participating in the SA by IP address. Remote Address and Remote Mask - identify the subnet of remote IP addresses defined in the SPD entry used by the SA (the inbound source subnet or outbound destination subnet). Crypto Suite - shows the cryptographic algorithm suite in use by the SA. Figure 5.18. IPsec Status screen, all platforms 5.8 FastPath Mesh Monitoring When FastPath Mesh is licensed (Section 6.
Global Settings are displayed in the Bridging Configuration frame and described in detail in sections 3.2.1.1 through 3.2.1.5. Figure 5.19. Mesh Status screen, Bridging Configuration frame, all platforms 5.8.2 FastPath Mesh Statistics When FP Mesh is licensed and enabled, the Fortress Bridge gathers statistics on mesh network operations for display in the FastPath Mesh Statistics frame. Statistics can be cleared manually (see below) or by a reboot. Figure 5.20.
received by the current MP since Statistics were last cleared. Adds - NMP information added by network peers Deletes - NMP information deleted by network peers Access Rx Ctl - count of the number of FP Mesh control packets received on the current MP’s Access interfaces (refer to Section 3.2.1) since Statistics were last cleared. In a correctly configured FP Mesh network these counts should always be 0 (zero).
5.8.3 FastPath Mesh Peers and Neighbors All MP nodes on the FP Mesh network, including the current MP, are shown in the Peers frame of the Mesh Status screen. MPs directly connected to the current MP are shown in Neighbors.
and previous hop—are shown in the first three columns of the Multicast/Broadcast Forwarding frame, along with local interface and mode information. Figure 5.23. Mesh Status screen, Multicast/Broadcast Forwarding frame, all platforms Dest. MAC - the destination MAC address of the multicast Source MAC - the MAC address of the MP from which the multicast originated (The actual source may be an NMP behind the MP.) Prev.
current multicast subscriptions are shown in the Multicast Groups frame. Figure 5.24.
listed in ascending order of cost, with the lowest cost path listed first.) Routes - possible routes to the destination MP in descending order of preference 5.8.7 FastPath Mesh Loops FP Mesh prevents bridging loops from forming on Core interfaces, which connect MPs to one another. A network loop can form, however, when MPs can also detect one another on their FP Mesh Access interfaces.
when the cryptographic processor is restarted; system and communication errors; when FP Mesh neighbors are discovered and lost (when Fortress’s FastPath Mesh is licensed and enabled). The log is allocated 256 KB of memory and can contain a maximum of approximately 2,000 log messages (approximate because record sizes vary somewhat). When the log is full, the oldest records are overwritten as new messages are added to the log. Because the local log wraps, enable Remote Log Storage (Section 4.6.1) if records must survive long enough to support an investigation. Figure 5.27.
When remote audit logging is enabled (Section 4.6.1), log messages sent to the external audit log are identified as AUDIT messages. Internally generated audit events are flagged AUDIT internal. Audit events generated by administrative action additionally identify the account and interface the administrator was logged onto at the time of the event.
Bridge GUI Guide: Maintenance Chapter 6 System and Network Maintenance The Bridge GUI provides access to a number of administrative and diagnostic functions under Maintenance on the main menu. Only Bridge GUI Advanced View displays the Licensing link. 6.1 System Maintenance The administrative functions you can access through Maintain -> System vary according to whether you are in Bridge GUI Simple View or Advanced View, as shown in Table 6.1 Table 6.1.
Bridge GUI Guide: Maintenance You can reset sessions only in Advanced View. Figure 6.1. Advanced View Reset Clients frame, all platforms To reset connections: 6.1.2 1 Log on to the Bridge GUI through an Administrator-level or Maintenance-level account and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> System from the menu on the left. 2 In the System screen’s Reset Clients frame, click EXECUTE.
Bridge GUI Guide: Maintenance 6.1.4 Booting Selectable Software Images The Bridge stores two, user-selectable copies (or images) of the Bridge software on separate partitions of the internal flash memory. When the Bridge’s software is upgraded (Section 6.1.5), the new software is first written to the non-running boot partition, overwriting any version stored there.
Bridge GUI Guide: Maintenance The Bridge flash memory is partitioned into two, bootable image areas. The software upgrade file is written to the nonrunning partition—i.e., the partition that does not contain the software currently running on the Bridge. The upgrade does not therefore take effect until the Bridge is rebooted (as described in Section 6.1.2), and the currently running software is retained on the partition it was originally written to.
Bridge GUI Guide: Maintenance how quickly each completes, you may not see every operation. When upgrade operations are Finished, the dialog Note instructs you to restart the controller device to activate the newly upgraded software image. 4 Click to CLOSE the Upgrade Status dialog. The Version frame on the System screen shows the nonrunning image number as the Image for Next Boot. 5 In the System screen’s Restart Controller Device frame, click EXECUTE.
Bridge GUI Guide: Maintenance Most Bridge configuration settings are saved to the backup file. The only exceptions are the Bridge’s System Time and System Date settings (Configure -> Administration -> Time Configuration). When you restore from the backup file, the rest of the settings in the current configuration are overwritten by those in the backup file.
Bridge GUI Guide: Maintenance To restore the Bridge configuration from a backup file: 1 Log on to the Bridge GUI through an Administrator-level account and select Maintain -> System from the menu on the left. 2 In the System screen’s Restore System Settings frame, in Restore System File, enter the pathname or browse to the location of the Bridge backup configuration file. 3 In the same frame, enter the Restore System Password (the Backup System Password from the backup procedure above).
Bridge GUI Guide: Maintenance To run FIPS tests manually: 6.1.8 1 Log on to the Bridge GUI through an Administrator-level account and select ADVANCED VIEW in the upper right corner of the page, then Maintain -> System from the menu on the left. 2 In the System screen’s FIPS Retest frame, click EXECUTE. Restoring Default Settings With the exceptions of any special features it has been licensed to use, the Fortress Bridge’s factory default configuration settings can be restored in their entirety.
Bridge GUI Guide: Maintenance If you want to restore the default configuration on both of the Bridge’s flash memory partitions, reopen your browser. 6 Log back on to the Bridge GUI (at the default IP address: 192.168.254.254) through an Administrator-level account and select Tools -> System Tools from the menu on the left. 7 In the Version frame’s Image For Next Boot field, select the non-running software image. 8 On the same screen, in the Restart Controller Device frame button click EXECUTE.
Bridge GUI Guide: Maintenance The generated key pair is saved for use by the Bridge’s certificate management function. The PEM-formatted CSR generated is suitable for cutting and pasting for submission to a Certificate Authority (CA). It is not retained in the Bridge’s configuration, but you can open (or save) it at the time you generate the CSR, or reconstruct it later with the GET CSR button associated with its entry in the X.509 Keys list.
Bridge GUI Guide: Maintenance 3 In the resulting Generate KeyPair frame, enter values into the fields provided (described above) and click APPLY (or CANCEL the addition). The generation of the CSR will be recorded in the X.509 Keys frame, with the associated key pair displayed by Name, with fields indicating the key Type and whether a certificate corresponding to the key pair is present in the local store (Valid displays yes) or no certificate has yet been imported for the key pair (Valid displays no).
Bridge GUI Guide: Maintenance an intermediate CA certificate an end certificate corresponding to a public key manually generated on the Bridge with the GENERATE KEY/CSR button (described above) or Bridge CLI generate command (refer to the CLI Software Guide). Figure 6.11. X.
Bridge GUI Guide: Maintenance Issuer - identifies the issuer X.500 DN. Valid As Of / Valid Until - define the time span during which the certificate is valid by start and end times. In Use - identifies the Bridge function to which the certificate is assigned. Use - provides controls for assigning the certificate for use by specific Bridge functions. Section 6.2.2.2 (below) covers the possible values of In Use and instructions for the buttons under Use.
Bridge GUI Guide: Maintenance 6.2.2.2 Assigning Stored Certificates to Bridge Functions Locally stored signed certificates can have any of three applications on the Bridge, as indicated in the In Use column of the X.509 Certificates list: ssl - the Secure Socket Layer certificate is used by the Bridge GUI to secure browser connections to the management interface via https (refer to Section 2.1.2). By default, the Bridge GUI uses the automatically generated self-signed certificate for SSL.
Bridge GUI Guide: Maintenance The specified function will be listed for that certificate in the X.509 Certificates frame, under In Use. Figure 6.13. X.509 Certificates frame, all platforms 6.2.2.3 Changing and Clearing Certificate Assignments You can change the SSL certificate assignment from the default, automatically generated, self-signed certificate, but you cannot configure the Bridge to use no digital certificate for SSL.
Bridge GUI Guide: Maintenance The CLEAR IPSEC CERTIFICATE button likewise returns the Bridge’s IPsec function to the default state, in which no certificate is assigned and only PSK is used to authenticate IPsec peers (if pre-shared keys have been configured). Refer to Section 4.2 for more information on IPsec operation and configuration. To clear certificate assignments: 1 Log on to the Bridge GUI through an Administrator-level account and select Maintain -> Certificates from the menu on the left.
Bridge GUI Guide: Maintenance performance at that level, with no more than the maximum number of active connections shown in Table 6.2. Table 6.2. Performance Levels Encrypted Throughput Maximum Active Devicesa FC-250: 250 Mbps 500 FC-500: 500 Mbps 1000 FC-1500: 1.5 Gbps 3000 Configuration a. concurrently connected Secure Clients, Trusted Devices and APs This feature applies only to FC-X model Fortress Controllers. Figure 6.14.
Bridge GUI Guide: Maintenance must upload the file—or paste the entire file into the field provided—on each Bridge it applies to. (Refer to Section 6.3.2 for detailed instructions.) If you have not yet obtained a license key or group license for feature(s) you want to enable on Bridge(s) already in your possession, you will need to give Fortress Technologies the serial number of each Bridge on which you wish to enable a new feature.
Bridge GUI Guide: Maintenance field provided. (Group licensing files include a digital signature and must be used intact.) Figure 6.17. Advanced View Enter License Group dialog, all platforms UPLOAD LICENSE GROUP - to browse to the location of a group licensing file and select it for upload. Figure 6.18. Advanced View Upload License Group dialog, all platforms 6.4 3 In the resulting dialog, enter the license key or group license file, or browse to and select the group license file, and click Apply.
6.5

1 Log on to the Bridge GUI through an Administrator-level or a Maintenance-level account and select Maintain -> Network from the menu on the left.

2 In the Network screen's Operation frame, use the Type radio buttons to select the tool you want to use: Ping, Traceroute or Mesh Path.

3 In the same frame, in Hostname/IP Address, enter the IP address (IPv4 or IPv6) or hostname of the device you want to ping or trace a route to.
Record the password in a secure place; Fortress Technical Support will need it to decrypt the support package file.

3 Click DOWNLOAD, and, if your browser is set to block popups/file downloads, take the necessary actions to allow the file to download. The progress of file generation is displayed.

4 When the download completes, Save the file, support.pkg, to the location of your choice.

Support package file passwords can be 1–20 alphanumeric characters and/or symbols.
Bridge GUI Guide: Index

Index

Numerics
3rd-party AP management 155–159
4.4 GHz radio see military band radio
802.11a/b/g see radios
802.11i authentication
  BSS Wi-Fi security 77–80
  STA interface Wi-Fi security 84–86
802.11n 62–63, 76
802.
boot image 194, 196
BPM see FIPS, bypass mode
Bridge GUI see GUI
bridging 5–14, 47–57
  FastPath Mesh 5–12, 47–55
    monitoring 183–189
    network topologies 6–12
  interfaces 72
    FastPath Mesh 48, 73
    received signal strength setting 72
  monitoring bridging links 171–173
  point-to-point 14
  Spanning Tree Protocol 12–13, 56–57
browser support 16
BSS see Basic Service Sets

C
cached user credentials 123
  configuration steps 124
channel exclusion 69–70
channel settings 59, 60
  configuration steps 67
c
DTIM period 74
dynamic frequency selection see DFS operation

E
EAP-TLS 141–142
  BSS WPA 78–79
  digital certificate 205–207
  local authentication server 141–142
  STA interface WPA 84–85, 89
encrypted interfaces 77–80, 102, 104
  BSSs 77–80
  cleartext traffic 121–122
  Ethernet 102, 104
  FastPath Mesh 47
  management access 122
encryption algorithm 118
  configuration steps 124
  default 118
  in Secure Clients 118
environment setting 59
Ethernet ports 102–106

F
FastPath Mesh 5–12, 47–55
  interfaces 5
L
LAN settings see network settings
latitude and longitude see location settings
LEDs
  blackout mode 120
  configuration steps 124
licensed features 207–210
  adding 209–210
location settings 97–98
logging on/off
  global logon settings 20–25
  logging on/off 16–19
  logon message 28
    configuration steps 29
  see also administrative accounts

M
MAC addresses
  ACL filtering 151–153
  cleartext device MAC addresses 156, 157
    viewing 177
  controller device MAC addresses 154
    viewing 175
  Secure Client MAC
ports
  authentication server ports 136, 139
  Ethernet 102–106
  for AP management rules 157
  for Trusted Devices 158
  serial port 115–116
public key certificate see digital certificates

Q
QoS 107–108
  BSS WMM 74
  Ethernet port override 105
  STA interface WMM 82
quality of service see QoS

R
radios 3, 46, 57–90
  channel exclusion 69–70
  DFS operation 68–69
  military band radio 3–4, 46, 57
    channels 63
    DFS 69
    EULA addendum vi
    regulation 59
  monitoring bridging links 171–173
  monitoring BSS associat
sessions
  monitoring 173–177
  resetting 192
  timeout settings 123–124, 139–140, 144–145
SNMP 4, 41–45
  MIB 41
  SNMP traps 43–45
software upgrades 194–196
  reverting 196
  upgrade file password 195
software version
  boot image 194
  restoring previous version 196
  upgrading 194–196
  viewing 193
Spanning Tree Protocol see STP
SSH 120
SSIDs 71
  see also Basic Service Sets
STA interface 81–90
  scanning for networks 87–89
  WPA/WPA2 authentication 84–86
station mode see STA interface
statistics 178–180
i
ES520 Bridge: Glossary

Glossary

3DES  Triple Data Encryption Standard—a FIPS-approved NIST standard for data encryption using a 192-bit key (168-bit encryption, 24 parity bits) for protecting sensitive (unclassified) U.S. government (and related) data. NIST amended and re-approved 3DES for FIPS in May, 2004.

802.11  The IEEE standard that specifies technologies for wireless networks.

802.11i  The amendment to the 802.11 standard that describes security for wireless networks, or Robust Security Networks.
ATM  Asynchronous Transfer Mode—a technology for transferring data over a network in packets or cells of a fixed size.

BGP  Border Gateway Protocol—a protocol, defined by RFC 1771, for interautonomous system routing; the interdomain routing protocol used by TCP/IP.

BPM  In FIPS, bypass mode—state in which cleartext is allowed to pass on an encrypted interface.

bridge  A network device that connects two networks or two segments of the same network.
DHCP  Dynamic Host Configuration Protocol—an Internet protocol describing a method for flexibly assigning device IP addresses from a defined pool of available addresses as each networked device comes online, through a client-server architecture. DHCP is an alternative to a network of fixed IP addresses.
Fortress Security System  The secure network deployment of one or more Fortress Bridges and the Fortress Secure Clients and/or Secure Client Bridges that will communicate with the Bridge(s).

Fortress Secure Bridge  Fortress's ES300 model network device for securing communications between wireless devices and a LAN, or between devices within a LAN, or in a networked configuration.
IPsec  Internet Protocol security—a set of protocols developed by the IETF to support secure exchange of packets at the IP layer, deployed widely to implement VPNs.

IPv4  Internet Protocol version 4—the first widely implemented and still the most prevalent version of IP.

IPv6  Internet Protocol version 6—the next version of IP slated for wide implementation, intended to overcome the limitations of, and to eventually replace, IPv4.
MRP  Mesh Radio Port—in Fortress Secure Wireless Bridges, a pair-wise network link formed between WDS-enabled BSSs configured on the Bridges.

MSI  The Microsoft installer system written by Microsoft for Windows platforms.

MSP  The Fortress protocol that provides authentication and encryption at the Media Access Control (MAC) sublayer, within the Data Link Layer (Layer 2) of the Open System Interconnection (OSI) networking model.
QoS  Quality of Service

RSA SecurID®  An authentication method created and owned by RSA Security.

RADIUS  Remote Authentication Dial-In User Service—an authentication service design that issues challenges to connecting users for their usernames and passwords and authenticates their responses against a database of valid usernames and passwords; described in RFC 2865.
SWLAN  Secure Wireless Local Area Network

symmetric key encryption  A class of cryptographic algorithm in which a shared secret between two or more parties is used to maintain a private connection between or among them.

Tactical Mesh Point  In Fortress Secure Wireless Bridges, alternative name for the ES210 Secure Wireless Bridge.

TCP  Transmission Control Protocol—defines a method for reliable (i.e.
WiMAX  Worldwide Interoperability for Microwave Access—the IEEE 802.16 specification for fixed, broadband, wireless MANs that use a point-to-multipoint architecture, defining bandwidth use in the licensed frequency range of 10 GHz–66 GHz and the licensed and unlicensed frequency range of 2 GHz–11 GHz.

WIDS  Wireless Intrusion Detection System—a means for detecting and preventing unauthorized or unwelcome connections to a network.

WLAN  Wireless Local Area Network.